The Securities and Exchange Commission unanimously approved a new database on Tuesday that is intended to help regulators respond to a sudden and dramatic shift in markets such as the “flash crash” of 2010.
The “consolidated audit trail” (CAT) will create a database of every trade order and execution, giving regulators access to information about what might cause huge market changes that happen at light speed.
“The import of today’s action cannot be overstated,” SEC Chairwoman Mary Jo White said in a statement. “With the approval and ultimate implementation of CAT, the Commission’s regulatory capacity strongly embraces 21st Century technology, enabling the Commission and the (self-regulatory organizations) to harness data and technology to more effectively oversee market participants.”
In the 2010 crash, the Dow Jones lost nearly 1,000 points in minutes before recovering most of those losses. Trading volume also spiked, with roughly two billion shares worth $56 billion changing hands in just over 20 minutes.
For months, regulators couldn’t figure out what had caused perhaps the most turbulent day in market history. It spurred the creation of the CAT, which is intended to be a fix.
The CAT will require self-regulatory organizations such as the Financial Industry Regulatory Authority (FINRA) and 1,800 broker-dealers to report data at various stages of an order’s life cycle to a central repository.
The database proposal received a number of criticisms from industry participants when it went out for comment, leading the commission to make several amendments to the final plan.
A majority of comments submitted raised concerns about the security standards protecting sensitive trade data and personally identifiable information.
“Cybersecurity is of paramount importance, as the CAT will be one of the largest financial databases in the world and will contain sensitive customer information,” White said.
The amended plan will require all CAT data at the central repository to be encrypted at rest and in transit. In the proposal, only personal identifier information was required to be encrypted at both stages.
In addition, self-regulatory organizations that access CAT data for regulatory purposes must now maintain security programs equal in strength to those applied by the central repository. Moreover, CAT technology and information security protocols must now be assessed on an annual basis.
Due to a host of legal and policy issues, the SEC is not included in the plan’s provisions involving data security. SEC staff are already subject to a range of regulations and rules regarding the confidentiality of information, and “we will be supplementing these important safeguards with additional comprehensive protocols that are specifically tailored to the Commission’s CAT program,” White stated.