On September 30, 2014, FINRA issued NTM 14-37 which updated FINRA’s December 2013 proposal (see NTM 13-42 )to develop the Comprehensive Automated Risk Data System (CARDS). FINRA proposes to compile a database that tracks every security transaction undertaken within the United States. It will take years to obtain regulatory approval and implement the CARDS program, but upon completion it will rival what the National Security Administration (NSA) purportedly is doing with analyzing email communications. By requiring all carrying and clearing firms to periodically submit, in an automated and standardized format, data relating to the securities and account transactions, holdings, account profile information (excluding personal identifying information) and securities reference data for every securities transaction undertaken by every broker-dealer in the United States, FINRA apparently believes CARDS will ultimately permit FINRA to more systematically monitor securities transactions, enhance FINRA’s oversight role and advance investor protection. The goal is to apply advanced surveillance analytics across the wide expanse of securities transactions and facilitate earlier, and arguably more effective, intervention to protect investors. As a carrot to help get industry buy-in for CARDS, FINRA even proposes to “share” at least some of these advanced analytics with member firms to enhance supervision and compliance before the regulator feels compelled to intervene and the Firm’s liability costs increase.
CARDS, however, presents a number of problems. Indeed, the initial proposal resulted in more than 800 comment letters from across the industry. Cyber security is at the top of the list of concerns for those commenting on the proposal. The ability of FINRA to protect CARDS and the massive amount of customer data that will be funneling through the system remains subject to much debate. It should be clear to everyone that a comprehensive database of the nature proposed by FINRA is certain to draw the attention of those countries intent on spying on and/or attacking the U.S. (Russia, China, North Korea, etc.), cyber-terrorists and plain old-fashion thieves. What is not clear is who will answer to the customers – FINRA or the broker-dealers – when the inevitable security breach occurs. A second major concern is the uncertain, but likely substantial costs, the 4,100 member firms will incur to both standardize and submit data for use in CARDS.
Yet, the most valuable of CARDS’ purported benefits will be deferred until some uncertain date in the future, and only after a second round of un-quantified costs have been incurred. CARDS will not, as presently contemplated for its initial stages, be collecting data on the products that FINRA considers the highest risk to retail investors and in the most need of enhanced surveillance and enforcement activity. Data regarding variable annuities, private placements, direct participation programs, PIPES, non-exchanged traded REITS, unregistered securities, precious metals and direct mutual fund transactions will not be collected in Phase 1 or 2 of CARDS implementation. Rather, given the substantial complexities and costs associated with attempting to gather data on these products, FINRA proposes to defer consideration of the who, what, when and where of how CARDS could ever effectively and efficiently aggregate the data that FINRA most needs to some date several years in the future and after substantial investment has already been made into CARDS. Thus, CARDS will create substantial immediate costs, but without substantial, immediate benefits to consumer protection.
NTM 14-37 requests further industry commentary regarding the revised CARDS proposal. The comment period is set to expire on December 1, 2014. And FINRA has been talking directly to clearing firms and industry participants to try to refine its proposal. Leading industry groups, such as the Financial Services Institute (FSI), are attempting to work with FINRA to more fully shape the CARDS concept. Once a final proposal for CARDS is prepared, FINRA will need to submit CARDS to the Securities and Exchange Commission for approval before FINRA can implement it.