The capital markets are following the SEC’s lead in deepening their use of structured data such as XBRL. The agency’s commitment to data technology extends from the staff to the highest levels. SEC Chair Jay Clayton confirmed this in a keynote address he gave at the June 4th regulatory conference held by the SEC’s Philadelphia office. He reviewed current SEC practices in two areas: data analytics for the SEC’s review and enforcement activities; and the security of data that it collects from filers.Clayton’s commitment
Since his appointment to the SEC leadership over two years ago, Mr. Clayton has vigorously sought to advance the SEC’s use of structured data and leverage technology. In his first congressional budget testimony in 2017, he stated that the SEC must keep up with the accelerating data technology of the capital markets which it regulates. This technological arms race is an issue the chair understands well. While a partner at law firm Sullivan & Cromwell, he represented major financial institutions, including Goldman Sachs. It was therefore with strong authority that he told members of Congress how the money the SEC plans to spend on information technology “is quite modest, by way of comparison, to the amounts that the major Wall Street firms spend on their own information technology systems.”
Soon afterward, in a July 2017 speech, Mr. Clayton further mapped out his vision of the SEC’s data analytics: “Technology is not just the province of those we regulate. The SEC has the capability to develop and utilize it, too. We apply sophisticated analytic strategies to detect companies and individuals engaging in suspicious behavior. We are adapting machine learning and artificial intelligence to new functions, such as analyzing regulatory filings.”
Equally prominent during Mr. Clayton’s leadership tenure has been the SEC’s data security. The disturbing hack of the SEC’s own EDGAR system in 2016—not revealed until the following year—brought home the need for the SEC to wield the same level of cybersecurity and transparency that it demands from issuers.
Data analytics: Detecting risks and fraud with NEAT, HAL, and ATLAS
Given this context, the June 4th keynote address offers an insightful window into the progress of the SEC’s steadily
advancing data analytics and cybersecurity. Mr. Clayton noted: “These challenges, which we have faced head on with our eyes wide open, make our data analytics work more important than ever.” As an example, he cited the Office of Compliance Inspections and Examinations (OCIE), which performs the SEC’s National Examination Program. “Data analytics is an increasingly important part of OCIE’s risk-based program and OCIE has developed proprietary tools for analyzing data in support of the program.”
OCIE’s National Exam Analytics Tool (NEAT) enables the SEC staff to gather and examine datasets of trading records “to identify potentially problematic activity and better understand a firm’s business during examinations.” OCIE completed more than 3,150 examinations during fiscal year 2018, 10% more than in the prior year. While initially NEAT honed in on analyzing trades by investment advisors, the tool was later broadened to analyze trading records of broker-dealers and practices for countering money-laundering.
Another tool developed by OCIE is the High-Frequency Analytics Lab (HAL), which helps SEC staff in its examinations and oversight of market microstructure, including high-frequency trading. “HAL produces reports on SEC registrant and market behavior at relevant time resolutions down to microseconds,” Mr. Clayton explained. “These reports help to identify registrants engaging in potentially unfair market practices, and to shed light on major market events.”
The ATLAS initiative, developed by the SEC’s Philadelphia office, OCIE, and the Division of Enforcement, “allows our staff to harness multiple streams of data, including blue sheets, pricing, and public announcements,” he explained. The tool can look for insider trading before a major equity event, detect serial insider trading, and research historical securities prices.
The Division of Enforcement uses sophisticated data analytics, including trading-pattern recognition, to spot suspicious trading and violations of securities law. Mr. Clayton cited a recent case in which the SEC’s use of these analytics led to charging an investment banker for allegedly misusing access to confidential information. It also created the Retail Strategy Task Force, which develops data-driven analytical strategies for detecting practices perhaps harmful to retail investors.
Turning to the SEC’s own backyard, the chair reminded his audience that in January 2019 the SEC had charged nine
defendants in connection with the 2016 hack of the EDGAR system. The defendants—including a hacker based in Ukraine; six individual traders in California, Ukraine, and Russia; and two entities—were accused of stealing nonpublic information to use in illegal trading. “This case required careful analysis of trading in the window between when the material nonpublic information was extracted and when it was disseminated to the public,” he noted.
Editor’s Note: See also an investigative report issued by the SEC Division of Enforcement in October 2018, reminding public companies to consider cyber threats when implementing their internal accounting controls. Fraudsters posing as company executives or vendors used spoofed emails to dupe staff at nine public companies into sending money to the perpetrators’ bank accounts. The report warns that when a public company is a victim of a cyber-related fraud, it might have violated the federal securities laws by failing to establish a “sufficient system of internal accounting controls.”
Data security: With great analytics comes great responsibility
Mr. Clayton’s reference to the case against the EDGAR hackers offered a perfect transition to his next topic: data security at the SEC. While praising the SEC’s progress on data analytics, he asserted that “it is very important to recognize the great responsibility we have with respect to the data entrusted to us by our registrants and the public.”
After the EDGAR hack was discovered, the SEC launched several remedial initiatives to close the gaps that had allowed the intrusion. The Consolidated Audit Trail (CAT) is a vast database that lets regulators track all trading activity in equities and options throughout markets in the United States. The vulnerability of sensitive investor data held in CAT is a concern, so to shrink the footprint of this personally identifiable information (PII) and make it easier to protect the data, the SEC supports ending the retention of Social Security numbers in CAT, while still letting SEC staff monitor the activity of individual traders across multiple markets and broker-dealers. The SEC also delayed submission deadlines for filing Form N-PORT (used for reporting investment funds’ portfolios) to ensure the EDGAR system would handle the data securely.
New cybersecurity officials
Two key cybersecurity positions at the SEC have now been filled. A former Morgan Stanley executive, Gabriel Benincasa will serve as the first Chief Risk Officer, tasked with coordinating risk management across the SEC. Mr. Clayton has also filled a vacancy on his own staff: Kevin Zerrusen, a 30-year veteran of the CIA who ran that agency’s cyber center, is now the chair’s Senior Advisor for Cybersecurity Policy.
To read the most recent issue of DIMENSIONS, click here.