[House Report 115-663]
[From the U.S. Government Publishing Office]


115th Congress   }                                     {       Report
                        HOUSE OF REPRESENTATIVES
 2d Session      }                                     {      115-663

======================================================================



 
              AMERICAN CUSTOMER INFORMATION PROTECTION ACT

                                _______
                                

  May 7, 2018.--Committed to the Committee of the Whole House on the 
              State of the Union and ordered to be printed

                                _______
                                

Mr. Hensarling, from the Committee on Financial Services, submitted the 
                               following

                              R E P O R T

                             together with

                             MINORITY VIEWS

                        [To accompany H.R. 4785]

      [Including cost estimate of the Congressional Budget Office]

    The Committee on Financial Services, to whom was referred 
the bill (H.R. 4785) to prohibit the consolidated audit trail 
from accepting personally identifying information, and for 
other purposes, having considered the same, report favorably 
thereon without amendment and recommend that the bill do pass.

                          PURPOSE AND SUMMARY

    On January 12, 2018, Representative Bill Huizenga 
introduced H.R. 4785, the ``American Customer Information 
Protection Act'' to help protect highly sensitive personal 
information of Americans. H.R. 4785 prohibits the Consolidated 
Audit Trail (CAT) authorized in 2012 by the Securities and 
Exchange Commission (SEC) from accepting Personally 
Identifiable Information (PII), except where such information 
would apply to large traders under the SEC's large trader 
reporting rule. Under the legislation, social security numbers, 
individual taxpayer identification numbers, other customer 
identifying information sufficient to identify an individual, 
such as names, addresses, dates of birth, account numbers, and 
any other information the Commission determines could be 
defined as PII will not be reported to the CAT.

                  BACKGROUND AND NEED FOR LEGISLATION

    The goal of H.R. 4785 is to protect customers' personal 
information by preventing the CAT from storing PII where it 
might be susceptible to a cyber breach.
    Largely in response to the 2010 Flash Crash, on July 11, 
2012, the SEC voted to adopt Rule 613 under Regulation National 
Market System to require the national securities exchanges and 
national securities associations listed below to submit a 
National Market System plan to the SEC to create, implement, 
and maintain a consolidated audit trail. At the time the SEC 
adopted the Rule, former SEC Chairman Mary Schapiro stated, ``A 
consolidated audit trail that accurately tracks orders 
throughout their lifecycle and identifies the broker-dealers 
handling them will provide us with an unprecedented ability to 
effectively oversee the markets we regulate.''
    The SEC's press release noted, ``A consolidated audit trail 
will increase the data available to regulators investigating 
illegal activities such as insider trading and market 
manipulation, and it will significantly improve the ability to 
reconstruct broad-based market events in an accurate and timely 
manner. A consolidated audit trail also will significantly 
increase the ability of regulators to monitor overall market 
structure and assess how SEC rules are affecting the markets, 
and will reduce the regulatory data production burdens on SROs 
and broker-dealers by reducing the number of ad hoc requests 
from regulators presently.''
    On November 15, 2016, the SEC approved a plan for the CAT 
system. The CAT will collect and identify every order, 
cancellation, and trade execution for all exchange-listed 
equities and options across all U.S. markets. National Market 
System Plan participants selected Thesys Technologies in 
January 2017 to be the plan processor for the CAT. On November 
15, 2017, SROs were required to start reporting data to the 
CAT, with broker-dealers reporting information beginning in 
November 2018. As part of broker-dealer reporting, information 
collected by the CAT will include American customer PII. To be 
clear, broker-dealers will not be required to submit PII of any 
foreign traders--only the PII of Americans would be reported to 
the CAT and potentially compromised. According to testimony 
from Thesys Technologies CEO Mike Beller, any PII stored in the 
CAT must be stored separately from other data and access to 
such PII must be limited to a ``need-to-know'' basis--
underscoring the sensitivity of the data.
    Hackers have demonstrated a significant interest in 
obtaining PII and information related to financial 
transactions. In April 2016, the GAO identified weaknesses in 
the SEC's information security protocols and noted the SEC's 
failure to implement an agency-wide data security program. In 
May 2017, Chairman Clayton then initiated an assessment of the 
SEC's internal cybersecurity risk profile and their approach to 
cybersecurity from a regulatory and oversight perspective. 
Based on the GAO's April 2016 report and a subsequent July 27, 
2017 report, the SEC's internal assessment was long overdue--
both reports identified inadequate controls and serious cyber 
and data risks. While it is promising to see the SEC, under the 
leadership of Chairman Clayton, finally endeavor to reform and 
update their cyber and data security, the reliability of data 
and cyber security at the SEC remains in question, particularly 
with other major data initiatives such as the CAT coming on 
line.
    On September 20, 2017, Chairman Clayton issued a statement 
on cybersecurity in which he revealed that a cyber breach 
``previously detected in 2016 may have provided illicit gain 
through trading.'' Specifically, a software vulnerability 
existed in the test filing component of the SEC's Electronic 
Data Gathering, Analysis, and Retrieval (``EDGAR'') system which 
resulted in access to nonpublic information. In addition to 
providing the hackers access to highly sensitive material 
nonpublic information, it later was determined that the PII of 
at least two individuals was compromised, including names, 
dates of birth, and social security numbers. This revelation 
came on the heels of the massive Equifax data breach in which 
sensitive information of 145.5 million Americans is believed to 
have been compromised. Together, they underscore the importance 
of proactively ensuring that any highly sensitive data being 
collected by the SEC or at the SEC's direction (and subject to 
the SEC's oversight) is protected with appropriate safeguards.
    The CAT can serve an important regulatory function to help 
prevent disruptions and keep our capital markets operating 
efficiently, but it is important this system is implemented 
effectively. Given the recent data breach at the SEC and the 
amount of PII and market moving data that the CAT will provide, 
the Commission needs to ensure that they have adequate data 
security controls before implementation. Commissioner Michael 
Piwowar recently commented regarding CAT that ``Deadlines are 
important, but [the SEC has] one chance to get this right. We 
have to make sure we have everything locked down. We can get it 
done, or we can get it done right. We need to get it done 
right.''
    On September 28, 2017, Chairman Hensarling, Chairman 
Huizenga, and Vice-Chairman Hultgren wrote a letter to SEC 
Chairman Jay Clayton to ``encourage the SEC to delay 
implementation of the CAT system until the SEC can implement 
information security safeguards and internal controls to ensure 
the security of confidential and sensitive data.'' In response 
to a similar request for a delay from the SROs tasked with 
implementing the CAT, Chairman Clayton on November 14, 2017 
issued a statement on the status of the CAT, noting that ``I am 
not in a position to support the issuance of the requested 
relief on the terms currently proposed . . . I urge the SROs to 
continue their efforts to work cooperatively with each other 
and to meet their responsibilities as promptly as 
practicable.''
    Many are concerned with the amount of PII that will be 
required to be collected by the CAT and the data security of 
such information, as well as who will have access to such 
information. Last Congress, Members of this Committee wrote 
former SEC Chair White expressing serious concerns about the 
security of PII held within the CAT, especially given that some 
3,000 individuals, including SEC staff members, will have 
access to the CAT data, and the SEC does not have to follow the 
same security protocols as the CAT plan participants. In his 
September 7, 2017 testimony before the Capital Markets 
Subcommittee, FINRA's President and CEO, Robert Cook, 
questioned whether PII even was necessary to be collected for 
the CAT to perform its function. As part of a statement on the 
status of the CAT, Chairman Clayton on November 14, 2017 
stated:

          Commission staff is currently conducting an 
        evaluation of our needs for personally identifiable 
        information (``PII'') in the CAT. It is important that 
        the Commission, the SROs, and the plan processor 
        continuously evaluate the approach to the collection, 
        retention and protection of PII and other sensitive 
        data, as we continue to progress in the development and 
        operation of the CAT.

    Ultimately, this bill will help ensure the CAT can be 
completed more efficiently, as it will reduce some 
complications associated with constructing the CAT; and it will 
help it operate more efficiently once established, as it will 
reduce the likelihood of it being targeted by hackers in an 
effort to steal PII.
    Additionally, nothing in this bill will hinder the SEC's 
ability to monitor trading activity that actually might be 
market-moving. Under the SEC large trader rule, both foreign 
and domestic persons and entities employing such persons, 
including investment advisers, must register with the SEC and 
obtain a Large Trader Identification Number (LTID). Under the 
SEC's rules, a ``large trader'' is defined as a person or 
entity who effects transactions in exchange-listed equities and 
options that equal or exceed 2 million shares or $20 million 
during any calendar day, or 20 million shares or $200 million 
over the course of any calendar month. By having the CAT still 
collect large trader information, individuals that are trading 
at a volume that could distort the market would still have 
their information collected, while retail investor PII would 
not be required to be collected by the CAT. However, if 
suspicious trading activity by a retail investor is detected, 
the SEC could still obtain that individual's information 
through the blue-sheet process. During a November 2017 Capital 
Markets Subcommittee hearing on the CAT, CBOE President and 
Chief Operating Officer Chris Concannon, prompted by questions 
from Chairman Huizenga, stated:

          Among the industry and some regulators, we have 
        talked about a large-trader solution. This is a method 
        that's used in the futures market. There's a concept of 
        a large-trader ID. It follows every order into the 
        surveillance system so you can track the large trader 
        based on their activity. So yes, there are solutions 
        that are being kicked around to avoid having that PII 
        information in the database. We will always get access. 
        Regulators have ample access to PII information under 
        the blue-sheet technology that we have.

                                HEARINGS

    The Subcommittee on Capital Markets, Securities, and 
Investment held a hearing examining matters relating to H.R. 
4785 on November 30, 2017.

                        COMMITTEE CONSIDERATION

    The Committee on Financial Services met in open session on 
January 17, 2018, and January 18, 2018, and ordered H.R. 4785 
to be reported favorably to the House without amendment by a 
recorded vote of 31 yeas to 25 nays (recorded vote no. FC-149), 
a quorum being present.

                            COMMITTEE VOTES

    Clause 3(b) of rule XIII of the Rules of the House of 
Representatives requires the Committee to list the record votes 
on the motion to report legislation and amendments thereto. The 
sole recorded vote was on a motion by Chairman Hensarling to 
report the bill favorably to the House without amendment. The 
motion was agreed to by a recorded vote of 31 yeas to 25 nays 
(Record vote no. FC-149), a quorum being present.


[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

                      COMMITTEE OVERSIGHT FINDINGS

    Pursuant to clause 3(c)(1) of rule XIII of the Rules of the 
House of Representatives, the findings and recommendations of 
the Committee based on oversight activities under clause 
2(b)(1) of rule X of the Rules of the House of Representatives, 
are incorporated in the descriptive portions of this report.

                    PERFORMANCE GOALS AND OBJECTIVES

    Pursuant to clause 3(c)(4) of rule XIII of the Rules of the 
House of Representatives, the Committee states that H.R. 4785 
will protect sensitive customer information by prohibiting the 
CAT from collecting personally identifiable information from 
individuals not classified as ``large traders.''

   NEW BUDGET AUTHORITY, ENTITLEMENT AUTHORITY, AND TAX EXPENDITURES

    In compliance with clause 3(c)(2) of rule XIII of the Rules 
of the House of Representatives, the Committee adopts as its 
own the estimate of new budget authority, entitlement 
authority, or tax expenditures or revenues contained in the 
cost estimate prepared by the Director of the Congressional 
Budget Office pursuant to section 402 of the Congressional 
Budget Act of 1974.

                 CONGRESSIONAL BUDGET OFFICE ESTIMATES

    Pursuant to clause 3(c)(3) of rule XIII of the Rules of the 
House of Representatives, the following is the cost estimate 
provided by the Congressional Budget Office pursuant to section 
402 of the Congressional Budget Act of 1974:

                                     U.S. Congress,
                               Congressional Budget Office,
                                    Washington, DC, April 10, 2018.
Hon. Jeb Hensarling,
Chairman, Committee on Financial Services,
House of Representatives, Washington, DC.
    Dear Mr. Chairman: The Congressional Budget Office has 
prepared the enclosed cost estimate for H.R. 4785, the American 
Customer Information Protection Act.
    If you wish further details on this estimate, we will be 
pleased to provide them. The CBO staff contact is Stephen 
Rabent.
            Sincerely,
                                                Keith Hall,
                                                          Director.
    Enclosure.

H.R. 4785--American Customer Information Protection Act

    In 2017 the Securities and Exchange Commission (SEC) 
directed the national securities exchanges and the Financial 
Industry Regulatory Authority to develop, implement, and 
maintain a consolidated audit trail (CAT). The CAT is intended 
to enable regulators to better oversee securities markets. H.R. 
4785 would prohibit the CAT from accepting personally 
identifying information except in connection with large 
traders.\1\
---------------------------------------------------------------------------
    \1\The SEC defines a large trader as a person whose transactions in 
national securities markets equal or exceed 2 million shares or $20 
million during any calendar day, or 20 million shares or $200 million 
during any calendar month.
---------------------------------------------------------------------------
    Using information from the SEC, CBO estimates that 
implementing H.R. 4785 would cost less than $500,000 over the 
2019-2023 period for the SEC to amend the CAT plan to implement 
the bill's requirements. However, the SEC is authorized to 
collect fees sufficient to offset its annual appropriation; 
therefore, CBO estimates that the net effect on discretionary 
spending would be negligible, assuming appropriation actions 
consistent with that authority.
    Enacting H.R. 4785 would not affect direct spending or 
revenues; therefore, pay-as-you-go procedures do not apply.
    CBO estimates that enacting H.R. 4785 would not increase 
net direct spending or on-budget deficits in any of the four 
consecutive 10-year periods beginning in 2029.
    H.R. 4785 contains no intergovernmental mandates as defined 
in the Unfunded Mandates Reform Act (UMRA).
    If the SEC increases fees to offset the associated costs, 
H.R. 4785 would increase the cost of an existing mandate on 
private entities required to pay those fees. Using information 
from the SEC, CBO estimates that the incremental cost of the 
mandate would fall well below the annual threshold for private-
sector mandates established in UMRA ($160 million in 2018, 
adjusted annually for inflation).
    The CBO staff contacts for this estimate are Stephen Rabent 
(for federal costs) and Jon Sperl (for mandates). The estimate 
was approved by H. Samuel Papenfuss, Deputy Assistant Director 
for Budget Analysis.

                       FEDERAL MANDATES STATEMENT

    This information is provided in accordance with section 423 
of the Unfunded Mandates Reform Act of 1995.
    The Committee has determined that the bill does not contain 
Federal mandates on the private sector. The Committee has 
determined that the bill does not impose a Federal 
intergovernmental mandate on State, local, or tribal 
governments.

                      ADVISORY COMMITTEE STATEMENT

    No advisory committees within the meaning of section 5(b) 
of the Federal Advisory Committee Act were created by this 
legislation.

                  APPLICABILITY TO LEGISLATIVE BRANCH

    The Committee finds that the legislation does not relate to 
the terms and conditions of employment or access to public 
services or accommodations within the meaning of the section 
102(b)(3) of the Congressional Accountability Act.

                         EARMARK IDENTIFICATION

    With respect to clause 9 of rule XXI of the Rules of the 
House of Representatives, the Committee has carefully reviewed 
the provisions of the bill and states that the provisions of 
the bill do not contain any congressional earmarks, limited tax 
benefits, or limited tariff benefits within the meaning of the 
rule.

                    DUPLICATION OF FEDERAL PROGRAMS

    In compliance with clause 3(c)(5) of rule XIII of the Rules 
of the House of Representatives, the Committee states that no 
provision of the bill establishes or reauthorizes: (1) a 
program of the Federal Government known to be duplicative of 
another Federal program; (2) a program included in any report 
from the Government Accountability Office to Congress pursuant 
to section 21 of Public Law 111-139; or (3) a program related 
to a program identified in the most recent Catalog of Federal 
Domestic Assistance, published pursuant to the Federal Program 
Information Act (Pub. L. No. 95-220, as amended by Pub. L. No. 
98-169).

                   DISCLOSURE OF DIRECTED RULEMAKING

    Pursuant to section 3(i) of H. Res. 5, (115th Congress), 
the following statement is made concerning directed rule 
makings: The Committee estimates that the bill requires no 
directed rule makings within the meaning of such section.

             SECTION-BY-SECTION ANALYSIS OF THE LEGISLATION

Section 1. Short title

    This section cites H.R. 4785 as the ``American Customer 
Information Protection Act''.

Section 2. No Acceptance of personally identifying information

    This section states that the consolidated audit trail may 
not accept personally identifying information from individuals 
that do not meet the definition of a large trader.

         CHANGES IN EXISTING LAW MADE BY THE BILL, AS REPORTED

    H.R. 4785 does not repeal or amend any section of the 
statute. Therefore, the Office of Legislative Counsel did not 
prepare the report contemplated by clause 3(e)(1)(B) of rule 
XIII of the House of Representatives.

                             MINORITY VIEWS

    H.R. 4785 is a reckless bill that would weaken an important 
and long overdue regulatory tool required by the Securities and 
Exchange Commission (``SEC''). Specifically, the bill would 
prohibit the consolidated audit trail (``CAT'')--a 
comprehensive trade reporting system that will allow regulators 
to monitor all equity and options trading in the U.S. 
securities markets and quickly identify manipulative and 
disruptive conduct--from accepting personally identifying 
information (``PII''), except with respect to companies 
classified as ``large traders'' under existing law. 
Accordingly, the bill would reduce regulators' ability to 
immediately identify bad actors to only a minuscule fraction of 
the millions of traders whose conduct the CAT is intended to 
monitor.
    The CAT was part of the response to the May 2010 ``Flash 
Crash,'' during which the Dow Jones Industrial Average rapidly 
plunged 1,000 points, losing $1 trillion in value, before 
mostly rebounding minutes later. Because there was no uniform 
system for tracking activity in the markets, regulators took 
nearly five months to determine that the Flash Crash was caused 
by a flawed trading algorithm of a large institutional 
investor. This determination proved inaccurate when, five years 
later, the true culprit was revealed to be a single individual 
sending out manipulative futures orders from his parents' 
basement.
    In 2012, the SEC ordered the creation of the CAT to address 
the oversight challenges arising from the use of disparate 
audit trail systems. In doing so, the SEC determined that ``the 
identification of each customer responsible for every order is 
critical to the effectiveness of a consolidated audit trail.'' 
After years of delay, the national securities exchanges were 
required to begin reporting data on the entire lifecycle of 
each order to the CAT on November 15, 2017. However, they 
failed to meet this deadline due to concerns about security of 
reportable customer information, including PII.
    SEC Chairman Jay Clayton rejected the exchanges' request to 
further delay the CAT, but committed to evaluating the SEC's 
needs for PII while simultaneously working to make the system 
operational. H.R. 4785 ignores the SEC's efforts and takes the 
counterproductive and unjustified step of prohibiting the CAT 
from collecting information used to identify bad actors. 
Although the bill includes an exception for PII related to 
``large traders,'' the classification would only apply to the 
6,000 or so traders who conduct an exceptionally high number of 
securities transactions (at least 2 million shares or $20 
million a day, or 20 million shares or $200 million a month). 
H.R. 4785 would thus prohibit the CAT from identifying millions 
of traders, including bad actors known as ``spoofers,'' who, 
like the individual responsible for the Flash Crash, attempt to 
manipulate securities prices by illegally posting orders that 
they never intend to execute.
    Investor advocacy groups like Consumer Federation of 
America (``CFA'') and Americans for Financial Reform (``AFR'') 
oppose H.R. 4785 because it would undermine effective policing 
of U.S. securities markets. In a letter to the Committee, CFA 
wrote, ``[s]ummarily prohibiting the retrieval of [PII] without 
any thoughtful analysis or evidence-based justification flies 
in the face of smart and effective governance and would 
hamstring the SEC from effectively carrying out its mission.'' 
Similarly, AFR opposed the bill because it ``would prevent the 
CAT from identifying customers and brokers who were potentially 
involved in fraud, or in manipulative or destabilizing 
trading.''
    Even the bill's sponsor, Rep. Huizenga, acknowledged that 
the purpose of the CAT is to ``collect and accurately identify 
every order from origination through its entire lifecycle, 
including any cancellation, modification, and trade execution 
for all exchange-listed equities and options across the U.S. 
markets,'' (emphasis added). H.R. 4785 would undermine that 
purpose by eliminating identifying information for the vast 
majority of securities traders.
    For these reasons, we oppose H.R. 4785.

                                   Maxine Waters.
                                   Daniel T. Kildee.
                                   Michael E. Capuano.
                                   Nydia M. Velazquez.
                                   Joyce Beatty.
                                   Juan Vargas.
                                   Carolyn B. Maloney.
                                   Al Green.
                                   Stephen F. Lynch.
                                   Gwen Moore.
                                   Keith Ellison.

                                  [all]