SIFMA today submitted a comment letter to the Financial Industry Regulatory Authority (FINRA) expressing significant concerns with FINRA's proposal for the development of a Comprehensive Automated Risk Data System (CARDS). The letter includes two new studies by IBM, commissioned by SIFMA, that estimate the significant costs and cybersecurity risks posed by CARDS, as proposed. SIFMA concludes that FINRA's CARDS proposal would impose undue costs and burdens on member firms far exceeding any benefit and does not appropriately account for the impact on investor privacy and cybersecurity risk, and therefore should not be filed with the Securities and Exchange Commission (SEC). Further, CARDS, as proposed, would be duplicative of existing investor protection systems and processes.
"FINRA has an important investor protection mission and should have the tools it needs to do its job. CARDS, as proposed, is not necessary for that mission," said Kenneth E. Bentsen, Jr., SIFMA president and CEO. "CARDS would infringe upon investors' right to privacy by mandating that brokerage firms turn over to FINRA all individual account information on a monthly basis. This would result in the creation of a centralized database of all individual brokerage accounts, updated monthly and held by a quasi-governmental entity. This centralized individual account database would become a prime target for cyber attackers, be costly to build and maintain, and would produce more false positives that would drain resources that could be put to better use to help investors."
Bentsen added, "Our analysis, based on a broad survey of a representative sample of the industry, found that the cost to the industry, and FINRA itself, would be far greater than FINRA reported in its proposal, at a time when the industry is already working to implement many major technology requirements such as the Consolidated Audit Trail, or CAT. It would be much more efficient and effective for FINRA to work with the reams of data it already gets through existing systems such as OATS, LOPR and other systems, and to consider what data fields could possibly be added to the CAT if FINRA adequately demonstrated an actual need for additional data, rather than mandate a redundant new system. This proposal should not be submitted to the SEC; instead, FINRA should conduct a thorough cost benefit analysis and provide it to member firms for comment."
SIFMA's letter further details its concerns with the CARDS proposal and the conclusions of IBM's studies, including:
- FINRA Lacks the Authority to Issue CARDS: CARDS does not "promote efficiency, competition, and capital formation," as required by the Exchange Act. CARDS would impose a "burden on competition not necessary or appropriate" in furtherance of the Exchange Act.
- Cost: As currently proposed, the costs of CARDS far outweigh the anticipated benefits. An IBM study commissioned by SIFMA estimates the total cost of CARDS Phase I for clearing and carrying firms alone would be approximately $680M to build, with $360M required for labor, infrastructure, and storage to maintain the reporting regime annually. This estimate does not include the additional Phase II costs that would extend to introducing brokers. FINRA has previously estimated its own costs to develop CARDS to be between $8M and $12M over a three-year period. FINRA has not, but should, conduct a formal and complete Cost-Benefit Analysis and share it with its members before submitting the proposed rule to the Securities and Exchange Commission.
- Privacy and Data Security Issues Raised by CARDS: FINRA has inappropriately concluded that the benefits of CARDS outweigh the privacy intrusion and cyber security risks, and believes there is no re-identification risk. An IBM study commissioned by SIFMA concluded that although CARDS does not include Personally Identifiable Information, CARDS data includes sufficient detail for an attacker to reverse engineer an investor's identity using only a handful of other data points to target both specific, highly sensitive persons and members of the general investing public for fraud, market manipulation and other crimes.
- Scope of Data Collection: The scope of data required to be produced by CARDS exceeds its stated objectives. At a minimum, information related to institutional accounts should be excluded.
- Clearing Firm Concerns: FINRA should specifically address that a clearing firm is not responsible for oversight or supervision of information maintained and submitted to CARDS from introducing brokers if it uses the data for no other purpose.
- Regulatory Paradigm Shift: For over 75 years, the first line of supervision of individual account-level activities has been the responsibility of broker-dealers. CARDS would shift this duty to FINRA. This is not feasible or effective, as FINRA does not have the same on-the-ground knowledge of investor accounts. As such, CARDS would overwhelm FINRA with superfluous data that may not be meaningful without the appropriate context.
The full comment letter and analysis are available here: http://www.sifma.org/issues/item.aspx?id=8589952228.