Key Lawmaker Calls for SEC to Delay Trading Database
WASHINGTON—One of Congress’s leading overseers of Wall Street urged regulators on Wednesday to delay the launch of a vast database of stock-market trades that is increasingly seen as a major target for hackers.
The comments by Rep. Jeb Hensarling (R., Texas), chairman of the House Financial Services Committee, add to pressure on SEC Chairman Jay Clayton to postpone the database’s launch or scale back its content after he disclosed last month that hackers accessed a key SEC system that stores market-moving information.
At a hearing of the House panel on Wednesday, Mr. Hensarling pressed Mr. Clayton to push back a Nov. 15 deadline for stock and options exchanges to begin reporting orders and trades to the database, called the Consolidated Audit Trail. Mr. Clayton defended the SEC’s need for data critical to its mission, but said he is considering whether to restrict the data that regulators access in order to reduce the risk it could be stolen by hackers.
“With the Consolidated Audit Trail serving as a central repository for order and trading activity data, I urge the SEC to delay its implementation date until the commission can ensure that the appropriate safeguards and internal controls are in place to protect this data,” Mr. Hensarling said.
The latest attack on the audit trail comes seven years after the SEC mandated its construction and spelled out what it should contain. Regulators accelerated the project—a complete inventory of market activity—after their failure to immediately explain the 2010 “flash crash” in which the Dow Jones Industrial Average plunged almost 1,000 points before quickly recovering.
The SEC finally approved the CAT plan last November, after years of proposals, delays and intra-industry fights over how it would be financed. Beyond trading data, it will hold personal information about individuals sending trades to their brokers, such as Social Security numbers and dates of birth.
Mr. Clayton said such granular data would allow regulators to more quickly identify insider trading. Having previously said that reporting to the audit trail shouldn’t be delayed, Mr. Clayton said Wednesday that the SEC wouldn’t download information from the database until he is satisfied that regulators need all of the data that the CAT would provide and can protect it.
“When do we need to get it? Do we need it all the time?” Mr. Clayton told lawmakers. “Those are very good questions.”
Thesys Technologies LLC, the entity building the CAT, declined to comment.
Mr. Clayton’s remarks Wednesday are likely to be seen as positive by exchanges, which fear they would be the target of lawsuits if valuable data is stolen. His comments also mark a significant contrast with the views of his predecessors, who saw the database as an essential tool for regulators trying to keep track of fragmented, high-speed markets where manipulative strategies are often layered across multiple exchanges.
“It looks like they are throwing sand in the wheels and trying to grind it to a halt,” said Joe Saluzzi, co-founder of brokerage Themis Trading LLC.
Individuals’ data such as Social Security numbers and dates of birth could be replaced in the repository with a different, unique client code supplied by brokers, he said. Regulators already use similar codes to identify trading activity by financial institutions. “Brokers have clients in Asia and Russia and how would I ever know who set the order in motion if I can’t track it down with an identifier?” Mr. Saluzzi said.
Responding to questions about the hack of the SEC’s electronic-filing system, known as Edgar, Mr. Clayton told lawmakers on Wednesday that the hackers likely got a sneak peek at corporate earnings news or “other events,” which would have allowed them to trade and profit ahead of the announcements.
“This is serious because it does impact the integrity of our markets,” the chairman said. “This information is a target of nefarious actors.”
Mr. Clayton said earlier this week that the hackers who broke into Edgar also accessed personal details about two people, including their names, dates of birth and Social Security numbers.
The Edgar breach—which occurred in 2016 but which Mr. Clayton didn’t learn about until August—has fed concerns in Congress that the SEC hasn’t shown it is capable of protecting audit-trail data. Reps. Brad Sherman (D., Calif.) and Warren Davidson (R., Ohio) said at the hearing they plan to introduce legislation that would delay the CAT until the SEC implements new data-security controls.