A High Stakes Tradeoff for Investors: Protection vs. Privacy

Curt Bradbury is an unlikely agitator. The chief operating officer of Little Rock, Arkansas-based Stephens Inc., a regional brokerage firm, is a taciturn, card-carrying conservative. I've never seen him wear anything other than a dark suit and tie. Generally, he sits through board meetings with arms folded and a frown on his face.

But for the past several years, he has moonlighted as an activist for the privacy rights of individual investors.

In 2015, it was Bradbury who almost single-handedly forced the Financial Industry Regulatory Authority (FINRA) to withdraw its controversial proposal to create an automated risk-monitoring program (known as CARDS) that would have collected real-time data on the trading activity and brokerage accounts of every individual investor in America. 

Now Bradbury has his sights set on a new but similar initiative – a rule approved by the US Securities and Exchange Commission (SEC) that will create an equally massive database called the Consolidated Audit Trail (CAT). 

"We're going to have to address this politically", Bradbury told me, noting that Congress has recently shown heightened bipartisan concern about technology and rights to privacy. 

CAT would require self regulatory agencies to create, implement and maintain a consolidated audit trail that would capture customer and order information for most securities, across all markets, from order inception through routing, cancellation, modification and execution. The information would be kept in a single, centralized database and would be available to regulators, including the SEC, for regulatory purposes, including economic analyses, market structure analyses, market surveillance, investigations and examinations. 

"It's alternately been dubbed both the SEC's "Hubble Telescope" for stock market activity and a "one-stop shop for cyber criminals". 

A Well-Intentioned Proposal

Like CARDS, the underlying policy rationale behind CAT is to enable regulators to use data analytics to better protect participants in the financial markets. This idea appeals to many, given the continued drumbeat of regulatory enforcement actions and fines against financial services firms and the generally low opinion consumers have about the integrity of the financial industry.

But critics of CAT are concerned it has the potential to expose confidential information to tech-savvy criminals who have repeatedly shown the ability to hack government and financial services databases.

It's not a question of whether, but when, the SEC's database will be compromised," Bradbury said.

Ironically, the SEC itself just brought charges against traders who hacked its own EDGAR database and made money using insider information. And the list of financial services firms that have exposed personal financial information is growing, with the largest and most visible recent example being Equifax – which impacted almost 150 million individuals. 

Up to this point, the financial services industry has been cooperating with the SEC behind the scenes to try and modify CAT in a way that meets the agency's desire for real-time information without disclosing so-called "personally identifiable information."

But privately, CEOs of wealth management firms are wondering what their clients would say if they knew that their wealth managers were required to send information about their accounts to a target-rich central data repository. 

The unintended consequence, as one financial institution commented about the CARDS database, could be a chilling effect on "investor trust and confidence in the securities markets of the United States and the broker-dealer community. The mere perception that... retail client information [might be] more vulnerable to fraudsters could impact how retail investors view the brokerage community and how they choose to invest their funds."

Room for Refinement

Curt Bradbury and others are asking important questions about what Black Swan outcomes could arise from aggregating in one place, under the stewardship of quasi-governmental regulators and the SEC, customer information that most investors consider to be private – and want to keep as private as they possibly can.

Shortly before this blog was posted, the SEC fired the unregulated third-party firm building and administering CAT, Thesys Technologies, and transferred that responsibility to the Financial Industry Regulatory Authority (FINRA). Industry observers see the change as a positive, but one that stops short of addressing investor privacy issues.

"America's retail investors never wanted to send their personally identifiable information to an unregulated third-party like Thesys," said Chris Iacovella, CEO of the American Securities Association. "The SEC should take this as an opportunity to implement a CAT capable of needed market surveillance without collecting a jeopardizing the data security of almost every American investor."