On December 2, 2020, MFA filed a letter supporting the SEC’s proposal for enhanced data protection measures around the consolidated audit trail (CAT) for national market system securities. MFA also made additional recommendations to further enhance data protection. In particular, MFA made the following recommendations:
- Secure Analytical Workspaces – MFA is supportive the use of secure analytic workspaces (SAW) where CAT data would be accessed and analyzed. We commented that exceptions to the use of SAWs should be granted on an extremely limited basis and be used solely for regulatory purposes; and the standards and processes around granting any exceptions should be robust and as stringent as possible.
- Security Working Group – MFA recommended that the Security Working Group should be expanded to include CISOs from other market participants, including institutional investors, as inclusion of industry representatives can assist in addressing conflicts of interest and can serve as a valuable resource in assisting in the protection of customer data.
- Participants’ Confidentiality Policies and Procedures – In addition to the requirement that exchanges/self-regulatory organizations have confidentiality policies and procedures regarding CAT data, MFA commented these should be subject to a public notice and comment period. This would allow market participants to have real input into the policies, which will be an important tool to safeguard CAT data.
- Limiting Access to CAT Data to Non-Commercial Purposes – MFA supports restrictions on an exchange’s access to CAT Data to data for trading activity conducted on that particular exchange, with limited exceptions for situations in which an exchange has well-defined and articulated regulatory purposes to look at the trading data of another exchange under their rules or the rules of the Commission.
- Application of the Proposed Amendments to Commission Staff – With respect to the security and confidentiality of CAT Data, MFA believes it will be critical for Commission personnel to be subject to stringent and robust data security and confidentiality standards, consistent with those applicable to Plan Participants and their personnel.
