[Federal Register Volume 85, Number 55 (Friday, March 20, 2020)]
[Notices]
[Pages 16152-16157]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2020-05935]



[[Page 16152]]

=======================================================================
-----------------------------------------------------------------------

SECURITIES AND EXCHANGE COMMISSION

[Release No. 34-88393]


Order Granting Conditional Exemptive Relief, Pursuant to Section 
36 and Rule 608(e) of the Securities Exchange Act of 1934, From Section 
6.4(d)(ii)(C) and Appendix D Sections 4.1.6, 6.2, 8.1.1, 8.2, 9.1, 9.2, 
9.4, 10.1, and 10.3 of the National Market System Plan Governing the 
Consolidated Audit Trail

March 17, 2020.

I. Introduction

    By letter dated January 29, 2020,\1\ BOX Exchange LLC, Cboe BYX 
Exchange, Inc., Cboe BZX Exchange, Inc., Cboe EDGA Exchange, Inc., Cboe 
EDGX Exchange, Inc., Cboe C2 Exchange, Inc., Cboe Exchange, Inc., 
Financial Industry Regulatory Authority, Inc., Investors Exchange LLC, 
Long Term Stock Exchange, Inc., Miami International Securities Exchange 
LLC, MIAX Emerald, LLC, MIAX PEARL, LLC, NASDAQ BX, Inc., Nasdaq GEMX, 
LLC, Nasdaq ISE, LLC, Nasdaq MRX, LLC, NASDAQ PHLX LLC, The NASDAQ 
Stock Market LLC, New York Stock Exchange LLC, NYSE American LLC, NYSE 
Arca, Inc., NYSE Chicago, Inc., and NYSE National, Inc. (collectively, 
the ``Participants'') to the National Market System Plan Governing the 
Consolidated Audit Trail (``CAT NMS Plan'' or ``Plan''),\2\ requested 
that the Securities and Exchange Commission (``Commission'' or ``SEC'') 
grant exemptive relief from certain requirements in the CAT NMS Plan 
pursuant to Section 36 of the Securities Exchange Act (``Exchange 
Act'') \3\ and Rule 608(e) of Regulation NMS.\4\ Specifically, the 
Participants seek exemptive relief from Section 6.4(d)(ii)(C) and 
Appendix D, Sections 4.1.6, 6.2, 8.1.1, 8.2, 9.1, 9.2, 9.4, 10.1, and 
10.3 of the CAT NMS Plan (1) to allow for an alternative approach to 
generating a CAT Customer ID (``CCID'') \5\ without requiring Industry 
Members \6\ to report individual social security numbers or tax payer 
identification numbers (collectively, ``SSNs'') to the consolidated 
audit trail (``CAT'') (the ``CCID Alternative''); and (2) to allow for 
an alternative approach which would exempt the reporting of dates of 
birth and account numbers associated with natural person retail 
Customers \7\ to the CAT (``Modified PII Approach''), and instead would 
require Industry Members to report the year of birth associated with 
natural person retail Customers and the Firm Designated ID \8\ for each 
trading account associated with the Customers.\9\
---------------------------------------------------------------------------

    \1\ See letter from the Participants to Vanessa Countryman, 
Secretary, Commission, dated January 29, 2020 (the ``January 29, 
2020 Exemption Request'').
    \2\ The CAT NMS Plan was approved by the Commission, as 
modified, on November 15, 2016. See Securities Exchange Act Release 
No. 79318 (November 15, 2016), 81 FR 84696 (November 23, 2016).
    \3\ 15 U.S.C. 78mm(a)(1).
    \4\ 17 CFR 242.608(e).
    \5\ The ``Customer-ID'' means ``with respect to a customer, a 
code that uniquely and consistently identifies such customer for 
purposes of providing data to the central repository.'' See CAT NMS 
Plan, Article I, Section 1.1, referring to Rule 613(j)(5). 17 CFR 
242.613(j)(5). The Participants also use the term ``CCID'' to refer 
to ``CAT Customer ID.'' See January 29, 2020 Exemption Request at 4-
5. For purposes of the January 29, 2020 Exemption Request, the term 
``CCID'' and ``CAT Customer-ID'' means the ``Customer-ID'' under the 
CAT NMS Plan.
    \6\ ``Industry Member'' means ``a member of a national 
securities exchange or a member of a national securities 
association.'' See CAT NMS Plan, Article I, Section 1.1.
    \7\ A ``Customer'' means ``the account holder(s) of the account 
at a registered broker-dealer originating the order; and any person 
from whom the broker-dealer is authorized to accept trading 
instructions for such account, if different from the account 
holder(s). See CAT NMS Plan, Article I, Section 1.1.
    \8\ ``Firm Designed ID'' means ``a unique identifier for each 
trading account designated by Industry Members for purposes of 
providing data to the Central Repository, where each such identifier 
is unique among all identifiers from any given Industry Member for 
each business date.'' See CAT NMS Plan, Article I, Section 1.1. 
Article VI, Section 6.4(d)(ii)(C) of the CAT NMS Plan requires CAT 
Reporters (as defined below) to report the Firm Designated ID to be 
reported to the Central Repository.
    \9\ See January 29, 2020 Exemption Request. Unless otherwise 
noted, capitalized terms are used as defined in the CAT NMS Plan.
---------------------------------------------------------------------------

    Section 36 of the Exchange Act grants the Commission the authority, 
with certain limitations, to ``conditionally or unconditionally exempt 
any person, security, or transaction . . . from any provision or 
provisions of [the Exchange Act] or of any rule or regulation 
thereunder, to the extent that such exemption is necessary or 
appropriate in the public interest, and is consistent with the 
protection of investors.'' \10\ Under Rule 608(e) of Regulation NMS, 
the Commission may ``exempt from [Rule 608], either unconditionally or 
on specified terms and conditions, any self-regulatory organization, 
member thereof, or specified security, if the Commission determines 
that such exemption is consistent with the public interest, the 
protection of investors, the maintenance of fair and orderly markets 
and the removal of impediments to, and perfection of the mechanism of, 
a national market system.'' \11\
---------------------------------------------------------------------------

    \10\ 15 U.S.C. 78mm(a)(1).
    \11\ 17 CFR 242.608(e).
---------------------------------------------------------------------------

    For the reasons set forth below, this Order grants the 
Participants' request for exemptions from specified provisions of the 
CAT NMS Plan as set forth in January 29, 2020 Exemption Request, 
subject to certain conditions.

II. Description

    As set forth in the January 29, 2020 Exemption Request regarding 
the CCID Alternative, the Participants state that ``in light of 
security concerns raised with regard to the maintenance of Customer 
information in the CAT, the Participants request an exemption to 
eliminate one of the most sensitive CAT data elements--SSNs--from the 
CAT.'' \12\ In lieu of retaining such sensitive information in the CAT, 
the Participants would use the CCID alternative, a strategy developed 
by the Chief Information Security Officer for the CAT and the Chief 
Information Security Officers from each of the Participants, in 
consultation with security experts from member firms of Securities 
Industry and Financial Markets Association.\13\ According to the 
Participants, the CCID Alternative allows the Plan Processor \14\ to 
generate a CCID without requiring the Plan Processor to receive SSNs or 
store SSNs within the CAT.\15\ Under the CCID Alternative, according to 
the Participants, the Plan Processor would generate a unique CCID using 
a two-phase transformation process that avoids having SSNs reported to 
or stored in the CAT.\16\ In the first transformation phase, a CAT 
Reporter \17\ would transform the SSN to an interim value.\18\ The 
Participants state that the Plan Processor would provide CAT Reporters 
the tools and/or technology to transform SSNs into interim values.\19\ 
This transformed value, and not the SSN, would be submitted to a 
separate system within the CAT (``CCID Subsystem'').\20\ The CCID 
Subsystem

[[Page 16153]]

would then perform a second transformation to create the globally 
unique CCID for each Customer that is unknown to, and not shared with, 
the original CAT Reporter.\21\ According to the Participants, the CCID 
would then be sent to the customer and account information system of 
the CAT, where it would be linked with the other customer and account 
information.\22\ The transformed value would be sent to the CAT 
``separate and apart from the other customer and account information.'' 
\23\ The Participants state that the CCID may then be used by the 
Participants' regulatory staff and the SEC in queries and analysis of 
CAT Data.\24\
---------------------------------------------------------------------------

    \12\ See January 29, 2020 Exemption Request at 4.
    \13\ See January 29, 2020 Exemption Request at 4.
    \14\ ``Plan Processor'' means ``the Initial Plan Processor or 
any other Person selected by the Operating Committee pursuant to SEC 
Rule 613 and Sections 4.3(b)(i) and 6.1, and with regard to the 
Initial Plan Processor, the Selection Plan, to perform the CAT 
processing functions required by SEC Rule 613 and set forth in this 
Agreement.'' See CAT NMS Plan, Article I, Section 1.1.
    \15\ See January 29, 2020 Exemption Request at 4-5.
    \16\ See January 29, 2020 Exemption Request at 5.
    \17\ ``CAT Reporter'' means ``each national securities exchange, 
national securities association and Industry Member that is required 
to record and report information to the Central Repository pursuant 
to SEC Rule 613(c).'' See CAT NMS Plan, Article I, Section 1.1. Only 
Industry Members would be reporting an interim value.
    \18\ See January 29, 2020 Exemption Request at 5.
    \19\ See January 29, 2020 Exemption Request at 12.
    \20\ In the event that a Customer does not have an SSN, the 
Participants represent that the CAT Reporter would not be required 
to submit the transformed value to the CCID Subsystem. See January 
29, 2020 Exemption Request at 5.
    \21\ See January 29, 2020 Exemption Request at 5.
    \22\ See January 29, 2020 Exemption Request at 5. The CAT NMS 
Plan indicates that ``customer and account information'' is CAT Data 
that ``includes PII.'' See generally CAT NMS Plan, Appendix D, 
Section 6.2 at D-19. ``PII'' means ``personally identifiable 
information, including a social security number or tax identifier 
number or similar information; Customer Identifying Information and 
Customer Account Information.'' See CAT NMS Plan, Article I, Section 
1.1. ``Customer Identifying Information'' in turn is defined to mean 
``information of sufficient detail to identify a Customer, 
including, but not limited to, (a) with respect to individuals: 
name, address, date of birth, individual tax payer identification 
number (``ITIN'')/social security number (``SSN''), individual's 
role in the account (e.g., primary holder, joint holder, guardian, 
trustee, person with the power of attorney); and (b) with respect to 
legal entities: Name, address, Employer Identification Number 
(``EIN'')/Legal Entity Identifier (``LEI'') or other comparable 
common entity identifier, if applicable; provided, however, that an 
Industry Member that has an LEI for a Customer must submit the 
Customer's LEI in addition to other information of sufficient detail 
to identify a Customer.'' Id. ``Customer Account Information'' is 
generally defined to ``include, but not be limited to, account 
number, account type, customer type, date account opened, and large 
trader identifier (if applicable). . . .'' For purposes of the 
January 29, 2020 Exemption Request, the ``customer and account 
information system of the CAT'' refers to the database that contains 
PII, as defined in the Plan.
    \23\ See January 29, 2020 Exemption Request at 6.
    \24\ See January 29, 2020 Exemption Request at 5.
---------------------------------------------------------------------------

    The Participants state that there would be no cost imposed by the 
Plan Processor or CATLLC \25\ on an Industry Member if it uses the CAT 
Reporter Portal to transform an SSN prior to submission.\26\ For 
Industry Members that perform the CCID transformation and submit it via 
a machine-to-machine interface, the Participants state that there would 
be ordinary costs associated with installing the transformation logic, 
but that neither the Plan Processor nor CATLLC would impose any costs 
on Industry Members.\27\ The Participants state that actual costs would 
depend on the specific Industry Member's technology architecture, but 
would not be anticipated to be significant.\28\
---------------------------------------------------------------------------

    \25\ ``CATLLC'' refers to the limited liability company, set 
forth in the Limited Liability Company Agreement of Consolidated 
Audit Trail, LLC, formed by the Participants to conduct the 
activities related to CAT. See Securities Exchange Act Release No. 
87149 (September 27, 2019); 84 FR 52905 (October 3, 2019).
    \26\ See January 29, 2020 Exemption Request at 5. The ``CAT 
Reporter Portal'' is the ``Industry Member CAT Reporter Portal'' 
which is a web-based tool provided by the Plan Processor to CAT 
Reporters that allows CAT Reporters to monitor and manage data 
submissions to CAT. See ``Industry Member CAT Reporter Portal User 
Guide'' dated November 4, 2019, v. 1.0. https://catnmsplan.com/sites/default/files/2020-02/IM-Reporter-Portal-User-Guide_11042019.pdf. According to the Participants, Industry Members 
who use this CAT Reporter Portal to transform an SSN into the 
interim value will incur no cost to perform the transformation.
    \27\ See January 29, 2020 Exemption Request at 5.
    \28\ See January 29, 2020 Exemption Request at 5.
---------------------------------------------------------------------------

    The Participants note that Industry Members would continue to store 
individual customer \29\ SSNs outside the CAT, as they do currently, 
and that if a Participant's regulatory staff or the SEC needs to obtain 
a Customer's SSN during an investigation, such regulator would need to 
request that information from the CAT Reporter (e.g., via a FINRA Rule 
8210 request or the Electronic Blue Sheets).\30\ However, if a 
Participant's regulatory staff or the SEC already has an SSN via means 
other than the CAT, the Participants state that the regulator will have 
the ability to use that SSN to query the CAT.\31\ The Participants 
further state that similar to the process described above, the SSN 
would be transformed into the CCID, which, in turn, may be used by the 
Participant's regulatory staff and the SEC in queries and analysis of 
CAT Data.\32\
---------------------------------------------------------------------------

    \29\ See January 29, 2020 Exemption Request at 5. Both 
``customer'' and ``Customer'' are used by the Participants in the 
January 29, 2020 Exemption Request. The Commission assumes, for 
purposes of this Order, that the Participants intended the term 
``Customer'' as defined in the CAT NMS Plan; however, in Section II 
of this Order, the Commission reflects the terms used in the January 
29, 2020 Exemption Request.
    \30\ Pursuant to the CCID Alternative, because SSNs would no 
longer be reported to or collected by the CAT, regulatory staff 
would only be able to obtain an individual's SSN associated with 
a(n) CCID by submitting a request for such SSN to the CAT Reporter 
that retains the SSN. Data provided via Electronic Blue Sheets, or 
EBS data, is provided pursuant to Rule 17a-25 under the Act, and 
includes certain detailed execution information, including the SSN 
of a Customer. See 17 CFR 240.17a-25.
    \31\ See January 29, 2020 Exemption Request at 5.
    \32\ See January 29, 2020 Exemption Request at 5.
---------------------------------------------------------------------------

    The Participants state that the proposed CCID Alternative is 
necessary and appropriate in the public interest, and is consistent 
with the public interest, the protection of investors, the maintenance 
of fair and orderly markets and the removal of impediments to, and 
perfection of the mechanisms of, a national market system.\33\ The 
Participants believe that, subject to accurate implementation by CAT 
Reporters, the CCID Alternative will have the capability to create a 
reliable and accurate CCID that is unique for each Customer, and that 
regulators will be able to use a unique CCID to track orders from any 
Customer throughout the order's lifecycle, regardless of what brokerage 
account was used to enter the order.\34\ The Participants state that 
the use of CCIDs would thus enhance the security of the Central 
Repository while preserving regulatory benefits of the CAT.\35\ The 
Participants state that because only CCIDs would be stored in the 
Central Repository, rather than SSNs, the proposed relief would 
eliminate the risk of having a comprehensive aggregated source for all 
individual Customer SSNs (i.e., the potential use of illegally obtained 
SSNs to facilitate identity theft or other fraud).\36\ The Participants 
state that no SSNs would be collected or stored in the CAT, and that 
instead, only Industry Members would continue to collect individual 
Customer SSNs, as they do currently.\37\ The Participants state that 
the process to create CCIDs using, in part, SSNs would be secure.\38\ 
The Participants also state that the significant reduction in the risk 
that information in the CAT could be used to facilitate identity theft, 
achieved by the use of CCIDs, does not compromise the regulatory 
benefits of the CAT.\39\ The Participants state that the CCID

[[Page 16154]]

Subsystem is subject to the security provisions of the CAT NMS 
Plan.\40\
---------------------------------------------------------------------------

    \33\ See January 29, 2020 Exemption Request at 5.
    \34\ See January 29, 2020 Exemption Request at 5-6. The 
Participants state that if the Commission grants this request for 
exemptive relief, each Participant will propose to amend its 
Compliance Rules consistent with the exemptive relief. See January 
29, 2020 Exemption Request at 6, n.17. Each Participant is obligated 
to enforce compliance by its members with such Compliance Rules, 
including rules related to implementation of the CCID Alternative. 
Id. ``Compliance Rule'' means ``with respect to a Participant, the 
rule(s) promulgated by such Participant as contemplated by Section 
3.11.'' See CATNMS Plan, Article I, Section 1.1. Section 3.11 of the 
Plan states that ``[e]ach Participant shall comply with and enforce 
compliance, as required by SEC Rule 608(c), by its Industry Members 
with the provisions of SEC Rule 613 and of this Agreement, as 
applicable, to the Participant and its Industry Members. The 
Participants shall endeavor to promulgate consistent rules (after 
taking into account circumstances and considerations that may impact 
Participants differently) requiring compliance by their respective 
Industry Members with the provisions of SEC Rule 613 and this 
Agreement.'' Id. at Article III, Section 3.11.
    \35\ See January 29, 2020 Exemption Request at 6.
    \36\ See January 29, 2020 Exemption Request at 6.
    \37\ See January 29, 2020 Exemption Request at 6.
    \38\ See January 29, 2020 Exemption Request at 6.
    \39\ See January 29, 2020 Exemption Request at 6.
    \40\ See January 29, 2020 Exemption Request at 12.
---------------------------------------------------------------------------

    The Participants believe that eliminating the retention of SSNs in 
the CAT would not have an adverse impact on the effective operation of 
the CAT.\41\ The Participants recognize, however, that the elimination 
of the collection of SSNs would cause CAT Reporters to assume a 
critical role in the accurate generation of CCIDs.\42\ The Participants 
state that to mitigate the potential risk to the integrity of the CCID 
values ultimately assigned to Customer records in the CAT, the 
Participants, working with the Plan Processor, will consider methods 
for detecting errors in the transformed values submitted by CAT 
Reporters, such as through validation processes and/or testing of 
accounts, as well as methods that may be identified by functionality 
supporting the Error Resolution for the Customer Data requirement in 
Section 9.4 of Appendix D of the CAT NMS Plan.\43\ The Participants 
represent that the Plan Processor is currently exploring potential 
validation checks that could be performed upon submission by an 
Industry Member of an initial CCID, such as ensuring the value 
submitted is within an expected range of values.\44\ The Participants 
state that such a validation check would help identify transformation 
errors (e.g., transformation resulted in an invalid or malformed SSN), 
but it would not ensure that the correct SSN for a specific customer 
was used for the transformation.\45\ The Participants state that, in 
consultation with the working group of industry members that developed 
the CCID Alternative, they believe that the value of eliminating the 
need for CAT Reporters to transmit SSNs to the CAT exceeds the 
potential increased risk to the integrity of CCID assignments.\46\
---------------------------------------------------------------------------

    \41\ See January 29, 2020 Exemption Request at 6.
    \42\ See January 29, 2020 Exemption Request at 6.
    \43\ See January 29, 2020 Exemption Request at 6. The Plan does 
not define ``Customer Data''; however, Appendix D, Section 9.4 
references various data elements related to the PII reported and 
collected by the CAT. The Commission assumes for purposes of the 
January, 29, 2020 Exemption Request that ``Customer Data'' refers to 
such PII.
    \44\ See January 29, 2020 Exemption Request at 6.
    \45\ See January 29, 2020 Exemption Request at 6.
    \46\ See January 29, 2020 Exemption Request at 6.
---------------------------------------------------------------------------

    As set forth in the January 29, 2020 Exemption Request, the 
Participants also state that in light of security concerns raised with 
regard to the maintenance of Customer information in the CAT, the 
Participants also propose to eliminate dates of birth and account 
numbers for individuals from the CAT. Under this proposal, or the 
Modified PII Approach, dates of birth and account numbers for natural 
persons would not be reported to the CAT and therefore would not be 
stored in the CAT.\47\ The Participants state that similar to SSNs, 
this information is particularly sensitive from a security perspective 
and should not be included in the CAT (i.e., the Participants believe 
that such information, if illegally obtained, could be used to 
facilitate identity theft or other fraud).\48\ The Participants 
represent that the Modified PII Approach has been discussed with the 
Advisory Committee.\49\
---------------------------------------------------------------------------

    \47\ See January 29, 2020 Exemption Request at 7.
    \48\ See January 29, 2020 Exemption Request at 7.
    \49\ See January 29, 2020 Exemption Request at 7. According to 
the CAT NMS Plan, the Advisory Committee ``shall advise the 
Participants on the implementation, operation, and administration of 
the Central Repository, including possible expansion of the Central 
Repository to other securities and other types of transactions.'' 
See CAT NMS Plan, Article IV, Section 4.13(d).
---------------------------------------------------------------------------

    The Participants believe that the Modified PII Approach is 
necessary and appropriate in the public interest, and is consistent 
with the public interest, the protection of investors, the maintenance 
of fair and orderly markets and the removal of impediments to, and 
perfection of the mechanisms of, a national market system.\50\ The 
Participants believe that by eliminating dates of birth and account 
numbers from the CAT, the proposed relief would significantly reduce 
the risk profile of data collected and stored in the CAT by eliminating 
the PII data elements that would support attempted identity theft.\51\ 
In addition, the Participants state that the elimination of dates of 
birth and account numbers for individuals would not compromise the 
regulatory benefits of the CAT, including the ability of regulators to 
identify Customers and their related trading activity.\52\ The 
Participants state that instead of reporting dates of birth and account 
numbers for individuals, CAT Reporters would report to the CAT year of 
birth and Firm Designated IDs for accounts for individuals.\53\
---------------------------------------------------------------------------

    \50\ See January 29, 2020 Exemption Request at 7.
    \51\ See January 29, 2020 Exemption Request at 7.
    \52\ See January 29, 2020 Exemption Request at 7.
    \53\ See January 29, 2020 Exemption Request at 7. The Commission 
assumes for purposes of this Order that the January 29, 2020 
Exemption Request seeks relief from the requirement to report all 
account numbers, not limited to account numbers individuals.
---------------------------------------------------------------------------

    The Participants state that the Participants, Industry Members, and 
others have raised concerns regarding the security risk of having 
personally identifying Customer information in the CAT for individual 
Customers of every securities brokerage account involving Eligible 
Securities \54\ in the U.S. securities markets in the CAT.\55\ The 
Participants noted the statements made by Chairman Clayton, members of 
Congress and the broker-dealer community regarding the importance of 
evaluating the collection of information into the CAT.\56\ The 
Participants state that the Operating Committee of the CAT shares these 
security concerns and noted that they formed a PII Working Group \57\ 
to research and recommend potential alternatives regarding the handling 
of PII, including SSNs.\58\ After considering various alternatives, the 
PII Working Group ultimately recommended the CCID Alternative to the 
Operating Committee of the CAT.\59\
---------------------------------------------------------------------------

    \54\ ``Eligible Securities'' means ``(a) all NMS Securities and 
(b) all OTC Equity Securities.'' See CAT NMS Plan, Article I, 
Section 1.1. ``NMS Securities'' is defined as ``any security or 
class of securities for which transaction reports are collected, 
processed, and made available pursuant to an effective transaction 
reporting plan, or an effective national market system plan for 
reporting transactions in Listed Options.'' Id. ``OTC Equity 
Securities'' is defined as ``any equity security, other than an NMS 
Security, subject to prompt last sale reporting rules of a 
registered national securities association and reported to one of 
such association's equity trade reporting facilities.'' Id.
    \55\ See January 29, 2020 Exemption Request at 3.
    \56\ See January 29, 2020 Exemption Request at 3 and 4.
    \57\ The Participants formed the PII Working Group to analyze 
whether it might be possible to meet the goals of the CAT while 
capturing less PII than Rule 613 currently requires. The PII Working 
Group was composed of representatives from the Participants and the 
Advisory Committee.
    \58\ See January 29, 2020 Exemption Request at 4.
    \59\ See January 29, 2020 Exemption Request at 4.
---------------------------------------------------------------------------

III. Request for Relief

    In order to implement the CCID Alternative and Modified PII 
Approach, the Participants request that the Commission grant exemptive 
relief from the following sections of the CAT NMS Plan as set forth 
below:
     Section 6.4(d)(ii)(C) of the CAT NMS Plan which requires 
Industry Members, through the SRO CAT compliance rules, to record and 
report to the Central Repository for the original receipt of an order, 
SSNs, dates of birth, and account numbers for individuals. The 
Participants request relief from the requirement in Section 
6.4(d)(ii)(C) that Industry Members, through their Compliance Rules 
record and report to the Central Repository for the original receipt of 
an order, SSNs, dates of birth, and account numbers for individuals. In 
place of reporting SSNs, dates of birth, and account numbers, the 
Participants will require Industry Members, through their Compliance 
Rules, to report to the Central Repository a transformed value for the 
SSN, year of birth, and the Firm

[[Page 16155]]

Designated ID for accounts for individuals.\60\
---------------------------------------------------------------------------

    \60\ See January 29, 2020 Exemption Request at 9.
---------------------------------------------------------------------------

     Section 9.1 of Appendix D which requires the CAT to 
capture and store Customer and Customer Account Information in a secure 
database physically separated from the transactional database and that 
requires the following attributes, at a minimum, to be captured: SSN or 
ITIN and date of birth. Section 9.1 of Appendix D also requires the 
Plan Processor to maintain valid Customer and Customer Account 
Information for each trading day. The Participants request relief from 
these requirements in Section 9.1 of Appendix D that the CAT capture 
and store SSNs, dates of birth, and account numbers in the CAT.\61\ In 
place of SSNs, dates of birth and account numbers, Industry Members 
will report to the Central Repository a transformed value for the SSN, 
year of birth and the Firm Designated ID for accounts of individuals.
---------------------------------------------------------------------------

    \61\ See January 29, 2020 Exemption Request at 8-9.
---------------------------------------------------------------------------

     Section 9.1 of Appendix D which requires the Plan 
Processor ``provide a method for Participants' regulatory staff and the 
SEC to easily obtain historical changes to [Customer and Customer 
Account] information.'' If the Commission grants the requested 
exemptions, SSNs, dates of birth, and account numbers for individuals 
would not be stored within the CAT and, thus, Participants' regulatory 
staff and the Commission staff would not be able to obtain historical 
changes to SSNs, dates of birth and account numbers for individuals. 
The Participants request exemptive relief from the requirement in 
Section 9.1 of Appendix D that the Plan Processor provide a method for 
Participants' regulatory staff and Commission staff to obtain 
historical changes to SSNs, dates of birth and account numbers. 
Instead, the Participants state that the Plan Processor will manage 
changes to CCIDs, years of birth and Firm Designated IDs to provide a 
history of such data over time.\62\
---------------------------------------------------------------------------

    \62\ See January 29, 2020 Exemption Request at 9. The Commission 
assumes for purposes of this Order that the requirement that the 
Plan Processor will ``manage changes to CCIDs, years of birth and 
Firm Designated IDs to provide a history of such data over time'' 
means that Plan Processor will provide a method for Participants' 
regulatory staff and Commission staff to easily obtain historical 
changes to CCIDs, years of birth and Firm Designated IDs in the same 
manner as required by the CAT NMS Plan for Customer and Customer 
Account information. See CAT NMS Plan, Appendix D, Section 9.1 at D-
33.
---------------------------------------------------------------------------

     Section 9.1 of Appendix D which states that the Plan 
Processor ``will design and implement a robust data validation process 
for submitted Firm Designated ID, Customer Account Information and 
Customer Identifying Information, and must continue to process orders 
while investigating Customer information mismatches,'' and that 
``[v]alidations should: . . .Confirm the number of digits on a SSN, 
Confirm [sic] dates of birth, and Accommodate [sic] the situation where 
a single SSN is used by more than one individual.'' If the Commission 
grants the requested exemption from the requirement that SSNs, dates of 
birth, and account numbers for individuals be submitted to the CAT, no 
validation process would be necessary for these elements. The 
Participants request exemptive relief from the requirement in Section 
9.1 of Appendix D for the Plan Processor to design and implement a 
robust data validation process with regard to SSNs, dates of birth, and 
account numbers. In place of validation of SSNs and dates of birth, the 
Participants state that the Plan Processor will implement a validation 
process for transformed values submitted by CAT Reporters to the Plan 
Processor. The Participants state that both the Plan Processor and the 
Participants believe the validations in the CAT NMS Plan that require 
the identification and handling of inconsistencies in Customer 
information can still be performed as envisioned using a CCID rather 
than an SSN. This would include things such as validating that there 
are not duplicate CCIDs and significantly different names, and 
duplicate CCIDs and different year of births.\63\
---------------------------------------------------------------------------

    \63\ See January 29, 2020 Exemption Request at 9.
---------------------------------------------------------------------------

     Section 9.2 of Appendix D which requires the Central 
Repository to accept ``[a]t a minimum, the following Customer 
information data attributes. . . . : Account Tax Identifier (SSN, TIN, 
ITIN).'' If the Commission grants the requested exemptions, SSNs would 
not be submitted to the CAT.\64\ The Participants request exemptive 
relief from the requirement in Section 9.1 of Appendix D for the 
Central Repository to accept SSNs. Instead, the Central Repository will 
accept a transformed value for SSNs.\65\
---------------------------------------------------------------------------

    \64\ See January 29, 2020 Exemption Request at 10.
    \65\ See January 29, 2020 Exemption Request at 10.
---------------------------------------------------------------------------

     Section 9.4 of Appendix D which requires the Plan 
Processor to design and implement procedures and mechanisms to handle 
both ``minor and material inconsistencies in Customer information.'' 
For example, ``[m]aterial inconsistencies such as two different people 
with the same SSN must be communicated to the submitting CAT Reporters 
and resolved within the established error correction timeframe as 
detailed in Section 8.'' Section 9.4 of Appendix D also states that the 
Central Repository must have an audit trail showing the resolution of 
all errors. The required audit trail must, at a minimum, include a 
variety of items including ``duplicate SSN, significantly different 
Name'' and ``duplicate SSN, different DOB.'' The Participants request 
exemptive relief from these error resolution requirements with regard 
to SSNs, dates of birth and account numbers of individuals. Instead, 
the Plan Processor will be required to design and implement an error 
resolution process for CCIDs and years of birth.\66\
---------------------------------------------------------------------------

    \66\ See January 29, 2020 Exemption Request at 10.
---------------------------------------------------------------------------

     Section 4.1.6 of Appendix D requires that PII data not be 
included in the result set(s) from online or direct query tools, 
reports or bulk data extraction, and further requires that ``[i]nstead, 
results will display existing non-PII unique identifiers (e.g., 
Customer-ID or Firm Designated ID).'' \67\ In addition, Sections 4.1.6, 
8.1.1 and 8.2 of Appendix D further state that the ``PII corresponding 
to these identifiers can be gathered using the PII workflow described 
in Appendix D, Data Security, PII Data Requirements.'' The PII 
corresponding to the identifiers referenced in this requirement 
includes SSNs, dates of birth, and account numbers for individuals. The 
Participants request exemptive relief from the requirements in Section 
4.1.6, 8.1.1 and 8.2 to provide regulators with the ability to gather 
SSNs, dates of birth, and account numbers that correspond with CCIDs 
and Firm Designed IDs. The Participants state that regulators will have 
the ability to gather years of birth that correspond with CCIDs.\68\
---------------------------------------------------------------------------

    \67\ See CAT NMS Plan, Appendix D, Section 4.1.6 at D-14.
    \68\ See January 29, 2020 Exemption Request at 10.
---------------------------------------------------------------------------

     Section 6.2 of Appendix D which requires that ``Customer 
information that includes PII data be available to regulators 
immediately upon receipt of initial data and corrected data, pursuant 
to security policies for retrieving PII.'' PII under the Plan includes 
SSNs, dates of birth, and account numbers as defined in Section 1.1 of 
the CAT NMS Plan. The Participants request exemptive relief from the 
requirement in Section 6.2 of Appendix D to provide regulators with 
SSNs, dates of birth and account numbers. In place of SSNs, dates of 
birth and account numbers the Participants state that years of birth 
will be available to regulators immediately upon receipt of initial 
data and

[[Page 16156]]

corrected data, pursuant to security policies.\69\
---------------------------------------------------------------------------

    \69\ See January 29, 2020 Exemption Request at 11.
---------------------------------------------------------------------------

     Section 10.1 of Appendix D which requires the ``Plan 
Processor to provide technical, operational, and business support to 
CAT Reporters for all aspects of reporting. Such support will include, 
at a minimum: . . . [Managing] Customer and Customer Account 
Information.'' The Participants request exemptive relief from Section 
10.1 of Appendix D that requires the Plan Process to provide technical, 
operation and business support to CAT Reporter with regard to SSNs, 
dates of birth and account numbers of individuals. In place of such 
support requirements with regard to SSNs, dates of birth and account 
numbers of individuals, the Participants state that the Plan Processor 
will provide technical specifications and help desk support to CAT 
Reporters with respect to the implementation of the CCID Alternative 
and the reporting of years of birth.\70\
---------------------------------------------------------------------------

    \70\ See January 29, 2020 Exemption Request at 11.
---------------------------------------------------------------------------

     Section 10.3 of Appendix D which requires that ``CAT Help 
Desk support functions must include: . . . . Supporting CAT Reporters 
with data submissions and data corrections, including submission of 
Customer and Customer Account Information.'' The Participants request 
exemptive relief from the requirements of Section 10.3 of Appendix D 
regarding CAT Help Desk support function requirements with regard to 
SSNs, dates of birth, and account numbers of individuals. In place of 
such CAT Help Desk support functions, the Participants state that the 
CAT Help Desk will provide support to CAT Reporters with respect to the 
implementation of the CCID Alternative and the reporting of years of 
birth.\71\
---------------------------------------------------------------------------

    \71\ See January 29, 2020 Exemption Request at 11.
---------------------------------------------------------------------------

IV. Discussion

    The Commission shares the concerns raised by market participants, 
industry representatives and the Participants about the importance of 
only requiring the necessary Customer and Customer account information 
sufficient to achieve regulatory objectives. Since the inception of the 
CAT, the Commission has been focused on the security and treatment of 
PII, which is defined in the CAT NMS Plan.\72\ Additionally, the Plan 
itself focuses on the security and confidentiality of PII. For example, 
the Plan requires that PII be stored separately from transaction CAT 
Data, and contains restrictions for accessing PII such that that 
regulators entitled to query transaction CAT Data are not automatically 
authorized for PII access under the Plan.\73\ The Plan explicitly 
requires that the process by which a person becomes entitled for PII 
access, and how they then go about accessing PII data, must be 
documented by the Plan Processor.\74\ According to the Plan, access to 
PII is based on a Role Based Access Control model, and follows the 
``least privileged'' practice of limiting access as much as possible, 
and limits access to PII to a ``need-to-know'' basis.\75\ In addition, 
the Plan requires that all PII data, as with transaction CAT Data, must 
be encrypted both at-rest and in-flight, including archival data 
storage methods such as tape backup, and prohibits the storage of 
unencrypted PII data.\76\ The Plan Processor also must describe how PII 
encryption is performed and the key management strategy (e.g., AES-256, 
3DES).\77\ While all of these safeguards in the CAT NMS Plan combine to 
create robust security protections around PII that is reported to and 
retained by the CAT, the most secure approach to addressing any piece 
of sensitive retail Customer PII would be to eliminate its collection 
altogether.
---------------------------------------------------------------------------

    \72\ For example, Rule 613(e)(4)(i)(A) requires policies and 
procedures to ensure the security and confidentiality of all 
information reported to the central repository by requiring that the 
Participants and their employees agree to use appropriate safeguards 
to ensure the confidentiality of such data and agree not to use such 
data for any purpose other than surveillance and regulatory 
purposes. Rule 613(e)(4)(i)(B) requires the Participants adopt and 
enforce rules that require information barriers between regulatory 
staff and non-regulatory staff with regard to access and use of data 
in the central repository and permit only persons designated by plan 
sponsors to have access to the data in the central repository. Rule 
613(e)(4)(i)(C) also requires that the Plan Processor develop and 
maintain a comprehensive information security program for the 
central repository, with dedicated staff, that is subject to regular 
reviews by the Chief Compliance Officer; have a mechanism to confirm 
the identity of all persons permitted to access the data; and 
maintain a record of all instances where such persons access the 
data.
    \73\ See CAT NMS Plan at Appendix D, Section 4.1.6.
    \74\ See CAT NMS Plan at Appendix D, Section 4.1.6.
    \75\ See CAT NMS Plan at Appendix D, Section 4.1.6; see also CAT 
NMS Plan at Appendix C, C-35.
    \76\ See CAT NMS Plan, Appendix D, Section 4.1.2.
    \77\ See CAT NMS Plan, Appendix D, Section 4.1.2.
---------------------------------------------------------------------------

    The Commission believes that exemptive relief pursuant to Section 
36 to allow for the CCID Alternative and the Modified PII approach is 
appropriate in the public interest, and is consistent with the 
protection of investors and additionally that, pursuant to Rule 608(e), 
such relief is consistent with the public interest, the protection of 
investors, the maintenance of fair and orderly markets and the removal 
of impediments to, and perfection of the mechanisms of, a national 
market system. The CCID Alternative minimizes the risk of theft of 
SSNs--the most sensitive piece of PII--by allowing the elimination of 
SSNs from the CAT, while still facilitating the creation of a reliable 
and accurate Customer-ID.\78\ Thus, the CCID Alternative preserves the 
regulatory benefit of being able to track a specific order of a 
Customer through its entire lifecycle, as originally contemplated by 
the Plan, without requiring the reporting of SSNs by Industry Members 
and the retention of SSNs by the Plan Processor. SSNs are considered 
among the most sensitive PII that can be exposed in a data breach.\79\ 
Thus, the elimination of SSNs from the CAT may reduce both the risk of 
attracting bad actors and the impact on retail investors in the event 
of an incident.
---------------------------------------------------------------------------

    \78\ The ability to efficiently and accurately identify 
individual Customers will allow regulators to establish those that 
might be responsible for illegal conduct, or to identify those that 
might be the victim of fraudulent activity. Indeed, one of the 
hallmarks of the CAT is the ability to provide customer attribution 
of order and trade activity even if such trading activity spans 
multiple broker-dealers. Pursuant to the Plan, the identification of 
Customers is achieved by the creation and use of the Customer-ID, a 
code that uniquely and consistently identifies every Customer. The 
Commission continues to believe, as it did when it approved the 
Plan, that the ability to link the full life cycle of every order as 
that order travels across broker-dealers and market centers to a 
specific Customer through the use of a Customer-ID will greatly 
facilitate the regulatory and surveillance efforts of regulators. 
For the Commission in particular, this ability to identify a 
Customer through the use of a CCID will also facilitate the 
Commission's efforts in the areas of market reconstruction, market 
analysis and rule-making support. Indeed, in the Commission's view, 
without the Customer-ID, the value and usefulness of the CAT would 
be significantly diminished.
    \79\ See Identify Theft Resource Center 2018 End of Year Breach 
Report, pg. 13, https://www.idtheftcenter.org/wp-content/uploads/2019/02/ITRC_2018-End-of-Year-Aftermath_FINAL_V2_combinedWEB.pdf.
---------------------------------------------------------------------------

    The Modified PII Approach removes two additional pieces of 
sensitive PII--account numbers and dates of birth--both of which can 
also be used perpetrate identify theft against retail investors. 
Reduction of these additional sensitive PII data elements in the CAT is 
expected to further reduce both the attractiveness of the database as a 
target for hackers and reduce the impact on retail investors in the 
event of an incident of unauthorized access and use. However, certain 
limited retail customer information will remain in the CAT; 
specifically, name, address, and birth year. Having such customer 
information remain in the CAT will allow regulators to identify bad 
actors who are using retail trading accounts to perform illegal 
activity. Finally, requiring that the birth year of retail investor 
continue to be reported to the

[[Page 16157]]

CAT will also permit regulators to use CAT data to protect senior 
investors and identify other types of fraudulent activity that may 
target certain age demographics.
    Based on the foregoing, the Commission is granting conditional 
exemptive relief from Section 6.4(d)(ii)(C) and Appendix D, Sections 
4.1.6, 6.2, 8.1.1, 8.2, 9.1, 9.2, 9.4, 10.1, and 10.3 of the CAT NMS 
Plan (1) related to SSNs to allow for the implementation of the CCID 
Alternative; and (2) related to dates of birth and account numbers to 
allow for the implementation of the Modified PII Approach.
    This order granting Exemptive Relief is conditioned upon the 
implementation of the CCID Alternative and the Modified PII Approach in 
a manner consistent with the January 29, 2020 Exemption Request, 
including each of the representations made and conditions included in 
the January 29, 2020 Exemption Request with regard to the CCID 
Alternative and the Modified PII Approach.
    This order granting Exemptive Relief also is conditioned upon the 
following:
    (1) The Process described in the January 29, 2020 Exemption 
Request, Section D.9(5) will support the efficient and accurate 
conversion of multiple SSNs at the same time into their corresponding 
CCIDs. The Commission believes this condition is appropriate in order 
to promote efficiency when a regulator obtains multiple SSNs from other 
sources;
    (2) The Participants shall ensure the timeliness, accuracy, 
completeness, and integrity of the interim value, and shall ensure the 
accuracy and overall performance of the CCID Alternative process and 
the CCID Subsystem to support the creation of a global Customer-ID that 
uniquely identifies each Customer; and
    (3) The Participants must assess the overall performance and design 
of the CCID Alternative process and the CCID Subsystem as part of each 
annual Regular Written Assessment of the Plan Processor, as required by 
Article VI, Section 6.6(b)(i)(A).
    Accordingly, it is hereby ordered, pursuant to Section 36 and Rule 
608(e) of the Exchange Act,\80\ that the Commission grants the 
Participants' request for exemptive relief, as set forth in the January 
29, 2020 Exemption Request, from Section 6.4(d)(ii)(C) and Appendix D, 
Sections 4.1.6, 6.2, 8.1.1, 8.2, 9.1, 9.2, 9.4, 10.1, and 10.3 of the 
CAT NMS Plan, subject to the conditions set forth above.
---------------------------------------------------------------------------

    \80\ 17 CFR 242.608(e).

    By the Commission.
J. Matthew DeLesDernier,
Assistant Secretary.
[FR Doc. 2020-05935 Filed 3-19-20; 8:45 am]
 BILLING CODE 8011-01-P