Coming in right at the Dec. 1 deadline for comments, the Securities Industry and Financial Markets Association, the lobbying arm of Wall Street, submitted a letter to the Financial Industry Regulatory Authority that outlines objections to the proposed Comprehensive Automated Risk Data System rule. The rule would require clearing firms and, eventually, brokerages to submit data on securities transactions, holdings and account profiles. FINRA has said no personally identifiable account holder information would be collected as part of the process.
The SIFMA letter argues that the costs and cybersecurity risks posed by CARDS far outweigh any benefits for investors.
“CARDS would infringe upon investors’ right to privacy by mandating that brokerage firms turn over to FINRA all individual account information on a monthly basis,” Kenneth E. Bentsen, Jr., the president and CEO of SIFMA, said in a statement. “This centralized individual account database would become a prime target for cyber attackers, be costly to build and maintain, and would produce more false positives that would drain resources that could be put to better use to help investors.”
When FINRA proposed the two-phase rollout of CARDS, it estimated that the first phase would cost between $8 million and $12 million, with another $76,000 to $8.3 million annually for maintenance. SIFMA argues that according to a study by IBM, which SIFMA commissioned, the first phase of CARDS would cost firms $680 million to build and another $360 million annually to maintain the database.
The IBM study also disputed FINRA’s claim that CARDS would be safe from hackers. Despite encryption and the removal of “personally identifying information,” such as Social Security numbers, IBM found that there was still enough information collected by CARDS for cybercriminals to reverse-engineer an investor’s identity.
Bentsen said that FINRA should instead find a way to work with the “reams of data” it already receives from firms, and conduct a thorough re-evaluation of the program.
“This proposal should not be submitted to the SEC; instead, FINRA should conduct a thorough cost benefit analysis and provide it to member firms for comment,” Bentsen said.