The brokerage industry is digging in its heels to ward off the Financial Industry Regulatory Authority’s controversial Comprehensive Automated Risk Data System proposal, known as CARDS.
 
The massive CARDS project would collect customer account information and create a database for automated oversight.
 
Finra says CARDS will harness modern technology and improve regulation, but brokerage firms see it as overly intrusive and expensive.
 
On Monday, Wall Street’s powerful trade group, the Securities Industry and Financial Markets Association, said it is dead set against the idea.
 
CARDS “is an attempt to diagnose a regulatory ill without appropriately accounting for the impact on investor privacy and civil liberties, and should not be filed with the Securities and Exchange Commission,” wrote Sifma general counsel Ira Hammerman, in a comment letter.
 
“Most troubling is that CARDS would require the continued and regular disclosure to Finra of the most intimate financial details for every investor’s securities account, would be aggregated and stored on Finra’s computer system, thereby creating a centralized, prime target for computer hackers and nation state sponsored cyber terrorists,” Hammerman said.
           
In September, Finra asked for comment on a CARDS rule. Comments were due Monday.
           
Finra can still amend the proposal, which has yet to be filed with the SEC for approval.
 
The CARDS database would be a “honey pot of [data on] the wealth of all the citizens in the U.S.” for cyber criminals, Hammerman said in an interview.
 
Even if CARDS were totally secure, “do we really want our government to have, at the push of a button, the account balances and the money movements of all the citizens of a country?” Hammerman said. “I’ll bet 80 percent [of Americans] would say, no way.”
 
Sifma’s arguments are “frenzied” and “hysterical,” countered Barbara Roper, director of investor protection at the Consumer Federation of America.
 
Finra has made clear that it will do what is needed to address any security concerns, she said.
 
“It’s absurd to believe a hacker would target the CARDS database [which would have] no personally identifiable information and no ability to transact, and [a hacker would] perform some complex reverse engineering” to identify customers in the CARDS system instead of going to the brokerage firms themselves, Roper said.
 
The privacy and civil liberty arguments Sifma is making “sound so much better than saying, ‘We don’t want our regulators to have the ability to look over our shoulders,’” Roper added.

 

Multiple regulators are already scrutinizing brokerage firms, Hammerman said.
 
“Clients of the brokerage firms do not want [CARDS],” he said. “They do not want the government scrutinizing [and] monitoring their account balances, their transactions and their money movements.”
 
Sifma says Finra hasn’t spelled out in enough detail how it would keep CARDS data secure.
        
To buttress its concerns, Sifma retained consultants from IBM to estimate costs and security risks from CARDS.
 
The IBM analysis estimated that total costs to the industry for the 200 large clearing and carrying firms (which would be the first to implement the program) would be $680 million to build CARDS systems, and $360 million a year to run them.
 
The Sifma-funded study also said Finra may be underestimating its own costs. “Finra has previously estimated its own costs to develop CARDS to be between $8 million and $12 million over a three-year period,” the IBM study said. “Given the average record volumes captured in our survey, costs to store this data alone could approach $50 million annually.”
 
Although Finra has promised not to collect personally identifiable information such as names and tax I.D. numbers, the IBM consultants said CARDS data would still include “sufficient detail for an attacker to reverse engineer an investor’s identity using only a handful of other data points.”
 
“FINRA welcomes comments on this important proposal and takes these comments very seriously,” said Finra spokesman George Smaragdis in an email. “We are keenly focused on the specific issues raised in the comment letters, and we intend to address any and all meaningful risks before moving forward.”
 
The Financial Services Institute, which represents independent broker-dealers, told Finra it should not proceed with CARDS until Finra can collect data on business done directly with product sponsors.
           
Finra is proposing to capture such “check-and-application” business at a later stage.
 
The FSI said in a comment letter that delaying the capture of direct business would result in the collection of “incomplete and potentially misleading information regarding specific firms, financial advisors and branch offices.”
           
Many independent broker-dealers do significant business directly with mutual funds, variable annuities and direct investments.
 
The brokerage industry is also worried that Finra will use CARDS to generate more enforcement cases based on improper data submissions, and will use CARDS data to make suitability determinations without proper context.
 
With CARDS, “alarm bells will be ringing all day long” at Finra, and firms will have to respond, Hammerman told Financial Advisor.
           
In addition, Sifma and the FSI are concerned about duplicate data-collection systems, and want Finra to consider using the Consolidated Audit Trail (CAT) system to collect some of the information being proposed for CARDS. Finra has already rejected that idea, however.