In fact, both Finra and clearing firms should be subject to auditing standards for data privacy set forth by the American Institute of Certified Public Accountants, the FSI said.

Those rules would hold Finra “to the same standards as other data centers in the private sector,” the letter said, and would give broker-dealers “the ability to opt out of the CARDS submission process in the event that Finra becomes … deficient” in meeting the standards.

Additionally, “Finra should clarify that it alone would be liable in the event that its systems are compromised,” the FSI said.

Independent firms would also be challenged to provide data on transactions done directly with product providers, which clearing firms do not now collect, the FSI said. This “check and app” business is still used by many independents who deal directly with mutual funds, insurance companies and direct-participation program sponsors.

Finally, the FSI told Finra it should “conduct a thorough cost-benefit analysis of each feature and element of CARDS,” analyzing security risks, alternative approaches and the existing “resource drain on itself and broker-dealer firms from the number of ongoing large-scale data and technology initiatives it is currently undertaking.”

The FSI complained that Finra had not provided enough specifics in its CARDS concept release to allow firms to adequately estimate the full costs or benefits of CARDS.
