While most of the world focused on the testimony that William Taylor, the top US diplomat to the Ukraine, gave before the House of Representatives’ Impeachment Inquiry, the Senate Banking, Housing, and Urban Affairs held a hearing on the current status of the Consolidated Audit Trail.

Committee Chairman Michael Crapo (ID-R) kicked off the hearing lending his support for the self-regulatory organizations’ request to the Securities and Exchange Commission that the CAT omit collecting Social Security numbers, individual taxpayer-identification numbers, and account numbers.

“This request is long overdue, and I encourage the SEC to grant this amendment, which I agree with the SROs will reduce the risk profile of the data collected and stored in the CAT while still preserving the CAT’s intended regulatory use,” said Sen. Crapo.

However, he questioned whether the CAT Customer Identifier (CCID), which replaces the role of PII, could pose a privacy risk via reverse engineering the CCID.

“We have a multi-step system in place that FINRA CAT will be building,” testified Michael Simon, Operating Committee Chairman at Consolidated Audit Trail LLC. “Broker dealers will be doing some hashing or changes to the Social Security Numbers, and it will be the CCID that will be kept in the database.”

Although the CCID is based on a Social Security Number, the Social Security Number never leaves the broker-dealer, added Shelly Bohlin, president & Chief COO, FINRA CAT, LLC.

“The CCID is only known to the CAT,” she testified. “It is not returned to a broker-dealer, and no one outside of CAT will ever have access to or know the CCID.”

Sen. Crapo remained concerned that the CAT could still request PII from the broker-dealers down the road.

“When the Consumer Financial Protection Bureau got rolling, it decided it wanted to collect credit card transactions on virtually everybody for everything,” he said. “We got into a fight with the CFPB over why. They claimed that they were not collecting all of the PII, which goes way beyond what we are talking about now. It turns out as we explored that with them, it would be as easy as flipping a switch to pick it up.’”

The SROs, in the course of their mandated market-surveillance role, could need to know the underlying customer information and ask broker-dealers for that information, but not the CAT, said Simon.

The continued argument regarding PII security should delay the CAT’s expected 2022 rollout, according to ranking member Sen. Sherrod Brown (OH-D).

“I trust the very capable minds of the exchanges and the SEC can work out access to data concerns, tracking the use of the audit trail and keep this long-overdue oversight tool to be completed,” he said. “The bottom line is that if you are smart enough to have information or strategies you think someone wants to steal, then you are smart enough to come up with ways to protect them.”