CFA Institute: Learn from SEC’s CAT Before Building FINRA’s CARDS
When the Financial Industry Regulatory Authority (FINRA) first released a concept proposal in February for the massive surveillance and data collection system it was considering — one that would require brokers and registered representatives to submit, among other things, information identifying the individual account owner, including the account name, account address, or tax identification number — the public loudly protested. The primary concern was that collection of such personally identifiable information (PII) raised serious risk and privacy issues. Despite FINRA’s elimination of this requirement in the latest proposal to implement its comprehensive automated risk data system (CARDS), the two-phased information collection system has failed to quell privacy concerns and remains highly controversial.
Dubbed by FINRA as a means to enhance investor protection and help restore investor confidence, CARDS would require firms to submit on a monthly automated basis and in standardized format information in five broad categories: securities transactions, account transactions, holdings, account profile information, and securities reference data. FINRA contends that by receiving this information systematically, it would be more able to identify and address problems at firms sooner than during regular examinations, which may only occur every four years for some firms. In particular, by receiving information through this system, FINRA hopes to more easily understand a firm’s business profile, track product mixes across firms, identify patterns where firms — or their brokers — sell unsuitable products to clients, understand the overall risk profile of firms, identify patterns of transactions that indicate bad behavior (such as mis-selling), as well as other suspicious activities.
Given that FINRA says it already reviews and collects most of the information being sought through CARDS during individual firm examinations, the pushback from industry may seem extreme. But costs, timing, and privacy of information remain big concerns for many.
First, the US Securities and Exchange Commission (SEC) recently adopted a rule that requires national exchanges and self-regulatory organizations, including FINRA, to submit a national market system (NMS) plan to create and implement a consolidated order-tracking system or consolidated audit trail (CAT), for the trading of NMS securities. While FINRA says it does not believe the information that will be tracked through CARDS substantially duplicates what will be captured through CAT, both systems will be time- and cost-intensive to build. Creating the infrastructure for both systems in relatively similar timeframes may impose excessive cost burdens, particularly on smaller firms, and strain the overall resources of a number of parties.
Moreover, some parties worry about the security of collecting and housing such sensitive and expansive information in one database. While FINRA assures that it will employ all necessary safeguards to protect the information, cyber-attacks on large institutions, including governmental entities, continue to raise concerns about protecting the privacy of information.
While FINRA’s investor protection motivations are certainly laudable, implementing an information surveillance and collection system of this magnitude must be carefully balanced with a variety of concerns. In our comment letter on the proposal, CFA Institute urges implementation of the SEC’s CAT system before undertaking FINRA’s CARDS. Building and testing the infrastructure of one system first may not only allow a more measured use of firm resources, but also help avoid costly mistakes.
If you liked this post, consider subscribing to Market Integrity Insights.
Photo credit: iStockphoto.com/teekid