Broker-dealer trade groups are fighting back against the Financial Industry Regulatory Authority’s proposed Comprehensive Automated Risk Data System (CARDS) as they say it presents “serious privacy” concerns and is a “huge” regulatory undertaking with significant costs.
The original comment period on the plan expired on Feb. 21, but FINRA extended the comment period another month, to Friday.
As FINRA explains, CARDS would be a rule-based program that would allow FINRA to collect — on a standardized, automated and regular basis — account information, as well as account activity and security identification information that a firm maintains as part of its books and records.
The automated system would gather data from broker-dealers and clearing firms that the regulator can then use to spot potential problems with sales practices of individual BDs, branches and reps prior to onsite FINRA exams.
FINRA said in early March that it would modify its originial approach by not collecting sensitive personally identifying information from the data it receives from CARDS.
FINRA stated that after considering the written comments on the CARDS concept proposal and the views expressed in FINRA staffers’ discussions with industry participants on investor privacy, FINRA “has concluded that the CARDS proposal will not require the submission of information that would identify to FINRA the individual account owner, particularly, account name, account address or tax identification number.”
Barbara Roper, director of investor protection for the Consumer Federation of America, told FINRA in her comment letter that “the biggest risk for investors of such a system — the risk that it would create a new and ultimately vulnerable database of sensitive personal financial data — appears to have been alleviated by FINRA’s decision not to collect the information in a form that would identify the individual account owner.”
But the Financial Services Institute told FINRA in its Thursday comment letter that the move does not erase other concerns related to CARDS.
FSI told FINRA that while CARDS is capable of improving oversight, increasing the efficiency of the examination process and enhancing investor protection, they system as proposed “presents significant challenges due to its ambitious scope and massive scale. These challenges include data standardization, data complexity, data translation, system infrastructure, and the incredible financial costs required to develop, implement and maintain CARDS.”
In addition, FSI said that the “collection and centralized warehousing of vast quantities of data raises substantial concerns with regard to data security, privacy, and potential liability in the event of a security breach.”
The Securities Industry and Financial Markets Association told FINRA in its comment letter that while SIFMA supports FINRA’s goal of utilizing technology to be a more efficient and effective regulator, SIFMA “cannot support” the CARDS concept.
“More information as well as further analysis on how the system would be structured and utilized, and a better understanding of what existing FINRA-mandated systems would be replaced is necessary before proceeding any further,” SIFMA said.
The data collected by CARDS would include sensitive information regarding retail customer brokerage accounts, including customer profile information, account activity and account balances and holdings, SIFMA points out.
“CARDS would be a massive and invasive regulatory undertaking with serious privacy implications for the general public and added technology costs and regulatory burdens for the financial industry,” said Ira Hammerman, executive vice president and general counsel of SIFMA.
FINRA’s concept proposal “raises serious questions about data security and privacy issues for retail investors, as it would create a centralized location for highly personal, private and sensitive consumer financial data,” Hammerman continued. “Further, CARDS would require tremendous resources from the financial industry, and it’s not clear why existing systems or the new required Consolidated Audit Trail system couldn’t be used to accomplish FINRA’s goal. Without more information on the intent and structure of CARDS, we cannot do the necessary analysis to support the proposal.”