A new system to collect investor data is under review.

The Financial Industry Regulatory Authority’s reproposed plan to collect broker-dealer account data through its Comprehensive Automated Risk Data System (CARDS) is drawing heavy criticism from industry trade groups. In the face of such negative comments, FINRA insists that it will address such issues prior to further development of the data program.

FINRA spokesman George Smaragdis told ThinkAdvisor Tuesday that the self-regulator “welcomes comments on this important proposal and takes these comments very seriously. We are keenly focused on the specific issues raised in the comment letters, and we intend to address any and all meaningful risks before moving forward.” 

In late-September, FINRA released the second iteration of its controversial CARDS plan and sought comments on it through Dec. 1. CARDS would be a rule-based program that would allow FINRA to collect — on a standardized, automated and regular basis — account information, as well as account activity and security identification information, from firms.

The Securities Industry and Financial Markets Association said in its comment letter that FINRA not only lacks the statutory authority to move ahead with CARDS, but that its costly data collection plan “is an attempt to diagnose a regulatory ill without appropriately accounting for the impact on investor privacy and civil liberties,” and that the plan would be a “prime” target for hackers.

SIFMA told FINRA on Monday that instead of sending the revamped CARDS plan to the Securities and Exchange Commission for approval, FINRA should conduct a thorough cost-benefit analysis on the rule and provide it to member firms for comment.

Kenneth Bentsen, SIFMA’s president and CEO, said in the comment letter that CARDS would “infringe upon investors’ right to privacy by mandating that brokerage firms turn over to FINRA all individual account information on a monthly basis,” which would result “in the creation of a centralized database of all individual brokerage accounts, updated monthly and held by a quasi-governmental entity.”

This database, Bentsen argued, “would become a prime target for cyber attackers, be costly to build and maintain, and would produce more false positives that would drain resources that could be put to better use to help investors.”

Further, SIFMA said that it retained IBM to perform a detailed cost-benefit analysis of the CARDS proposal and that IBM estimates that Phase 1 of CARDS will cost the industry $680 million to build and $360 million annually for ongoing maintenance.

FINRA said in releasing its rule proposal that CARDS would be implemented in phases, with the first phase requiring that carrying or clearing firms (approximately 200 firms) periodically submit in an automated, standardized format specific information that is part of the firms’ books and records relating to their securities accounts and the securities accounts for which they clear. The second phase of CARDS would require fully disclosed introducing firms to submit specified account profile-related data either directly to FINRA or through a third party.

The Financial Services Institute agreed in its comment letter that CARDS’ “initial and on-going maintenance costs will be significant, particularly for smaller firms.”

The cost to the industry, and FINRA itself, Bentsen said, “would be far greater than FINRA reported in its proposal, at a time when the industry is already working to implement many major technology requirements,” such as FINRA’s Consolidated Audit Trail, or CAT.

Bentsen argued that it would be “much more efficient and effective” for FINRA “to consider what data fields could possibly be added to the CAT if FINRA adequately demonstrated an actual need for additional data, rather than mandate a redundant new system.”