The Securities Industry and Financial Markets Association (“SIFMA”) expressed its opposition to FINRA’s plan to build the Comprehensive Automated Risk Data System (“CARDS”) in a comment letter recently. In its initial phase, CARDS would require carrying or clearing firms to periodically submit “data relating to securities and account transactions, holdings, account profile information (excluding [personally identifiable information]), and securities reference data” in a standardized format. According to FINRA, the “information that FINRA would collect through CARDS is substantially consistent with the information it already collects when it conducts an individual examination” (every one to four years), but that the system would allow for collection in a standardized format on a regular basis. It argues that CARDS “is vital to FINRA’s goal to transform its regulatory surveillance program and implement a more comprehensive examination program” and that the data will allow it “to identify and quickly respond to potentially fraudulent and abusive behavior.”
SIFMA opposed the proposal, claiming that CARDS is duplicative and expensive, and poses cybersecurity and privacy risks. A SIFMA-commissioned study found that the first phase of the rollout would cost approximately $680 million to build, and require $360 million in annual maintenance. The same study also found that, while FINRA attempted to remove personally identifiable information from the data that would be submitted, the data still contains details that could be used to determine the identity of an investor (concerns echoed by the ACLU in a separate comment letter). Further, SIFMA noted that “[t]he scope of information proposed to be available in CARDS stored in a central location would be valuable in the hands of threat actors such as cybercriminals, social and political hacktivists, and hostile nation states.” The letter also argued that institutional accounts should be excluded from the data collection because FINRA has “no demonstrable rationale” to collect such information. As an alternative to CARDS, SIFMA noted that the Consolidated Audit Trail (“CAT”) would collect much of the same data, and that the CAT could be adapted to add any missing fields, if necessary.