Bingham discusses FINRA’s Proposed Rule to Implement CARDS

FINRA is seeking comments on a proposed rule to implement the Comprehensive Automated Risk Data System (“CARDS”).[1] FINRA published a CARDS concept proposal on December 23, 2013 (the “Concept Proposal”),[2] to which it received approximately 800 comment letters.[3] According to FINRA, CARDS initially will collect account information, transaction activity, and security identification information on a standardized, automated and regular basis.[4] FINRA explained that CARDS will be the “next step in the evolution of FINRA’s risk-based surveillance and examination programs” by automating its data compilation and surveillance functions.[5] In its Rule Proposal, FINRA seeks industry comment on 14 specific questions geared towards assessing the impact of CARDS.[6] Firms are encouraged to submit comments to FINRA on the Rule Proposal before the comment period expires on December 1, 2014.[7]

Background

According to FINRA, CARDS will enable the regulator to collect, manage and access standardized account and transaction data to detect potential trading and supervisory violations.[8] While FINRA’s current industry surveillance and examination programs collect key customer and trading information, CARDS would gather “more up-to-date and complete data” to enable FINRA to act swiftly to prevent market abuse and fraud.[9] FINRA also says that it will provide firms with access to the firms’ own data to serve as a monitoring and compliance tool.[10]

CARDS would mark a substantial change in FINRA’s surveillance program and firms raised numerous issues in response to the Concept Proposal.[11] The most common complaint was that CARDS would collect personally identifiable information (“PII”).[12] Firms were also concerned that CARDS would displace their current surveillance functions.[13] In addition, firms did not understand FINRA’s interest in CARDS given the pending development of a seemingly duplicative data collection system, i.e. the Consolidated Audit Trail (“CAT”).[14] In its current proposal, FINRA has attempted to address these and other concerns.[15]

FINRA’s Proposed Rule

FINRA’s proposal includes the following key features:

  • Phased Approach: FINRA proposed that CARDS be launched in two phases, Phase 1 and Phase 2.

Phase 1: Phase 1 would apply to clearing (including self-clearing) and carrying firms only and would require them to provide only data that already resides on their systems. The proposed rule lists eighteen types of data potentially to be reported, grouped into four categories:

    • Securities transactions, including data on purchases, sales and dividend reinvestments;
    • Account transactions, including various data on ACAT transfers, non-ACAT transfers, and account additions and withdrawals;
    • Holdings, including stock records, allocation pair-off details, and security account balances; and
    • Account profiles, including account type, information about the person or entity associated with the account, representative servicing the account, and if the firm collects it for its own accounts, suitability information.

Firms would also be required to provide certain reference data related to the data in the listed categories. In a marked departure from the Concept Proposal, which focused only on customer account information, the Rule Proposal applies to “all of the firm’s securities accounts.”[16] FINRA has, however, limited the reporting requirements to purchases and sales of securities products that are held, custodied at or executed through the clearing firm, thereby excluding products such as variable annuities and private placements.[17]

Phase 2: Fully disclosed introducing firms would be required to submit 15 data elements (collectively the “Select Account Profile Data Elements”) related to suitability and supervision (e.g. investment time horizon, investment objective, net worth, representative identification including groups and commission splits, and whether the customer fits into certain special categories such as control person of a public company, politically exposed person, or employee of another broker-dealer) either directly or through a third party (which could be the clearing firm).[18] The proposal makes clear that, regardless of whether the introducing firm relies on a third party, the responsibility to provide this data remains with the introducing firm. This is another significant change from the Concept Proposal, which strongly suggested that clearing or carrying firms would be principally responsible for providing all CARDS data, even though these firms might have needed to rely on introducing firms to provide suitability information the clearing firms do not routinely collect. Moreover, while FINRA Rule 4311 allows introducing firms to shift responsibility for certain regulatory requirements to the clearing firm (e.g. generation of confirmations and account statements), introducing firms will not be able to avoid CARDS responsibility.

For both Phase 1 and 2, FINRA would require submission monthly by the 10th business day of the following calendar month.[19] Errors identified through FINRA’s validation process would require correction within seven business days.[20] While FINRA plans to specify data formats for many categories, it has said that firms will be allowed to report specified data elements, generally related to security descriptions and certain suitability information, in free format text fields, giving firms flexibility to transmit these data elements in the fashion in which they may already be collected and retained.[21]

  • Collection of PII and Data Security: Responding to its critics, in both Phase 1 and 2, FINRA has categorically stated that it will not collect PII, such as customer account name, address or tax identification number.[22] To further reassure the public regarding the security of CARDS data, prior to launching CARDS, FINRA has said that it will obtain Service Organization Controls (“SOC”) 2 and 3 reports to demonstrate its security and privacy controls.[23]
  • Onboarding and testing: FINRA would require firms to register with CARDS business operations and to test the connection and delivery systems before reporting data to the CARDS production environment.[24]
  • Implementation date and historical information: FINRA proposed implementation dates of nine months after the rule is approved by the SEC for Phase 1 and 15 months for Phase 2.[25]

In the Release, FINRA summarized its views on the costs and benefits of the proposed system. FINRA acknowledged that firms will be forced to incur significant front-end and ongoing expenses associated with CARDS, some of which may ultimately be borne by customers, and FINRA itself expects to spend $8–12 million to build out its own systems.

Nonetheless, FINRA argued, the costs are justified by enhanced investor protection arising from its increased effectiveness in overseeing the industry and detecting problematic conduct at an early stage. FINRA continued to claim, as they argued in the Concept Proposal, that firms’ expenses in implementing CARDS will be partially offset by savings in not having to collect and provide transaction related data on an ad hoc basis in exams, sweeps, and other inquiries, as well as by FINRA’s plan to retire INSITE and AEP once CARDS is implemented. FINRA also noted that the data CARDS would collect has only limited overlap with the data in CAT, making both programs necessary. Responding specifically to comments, FINRA advised that CARDS will not replace firm’s supervisory and surveillance responsibilities, but it expects that the data it will make available to firms may assist firms (particularly smaller firms) in these efforts.

Requests for Comments

In the Release, FINRA listed fourteen areas in which it is seeking comments, including information regarding economic impacts (and possible cost savings), potential use of third parties to transmit data to FINRA, possible exclusion of firms with no or limited retail business, industry interest in receiving data from FINRA to use in a firm’s own compliance efforts, and implementation timing.

Conclusion

FINRA developed the Rule Proposal to address industry concerns about various aspects of the Concept Proposal and to lay out the implementation of CARDS.[26] While receiving and analyzing this information will no doubt give FINRA new market surveillance abilities, there will also be substantial financial and compliance burdens across the industry associated with collecting and properly reporting this vast amount of data to FINRA. Interested parties should provide comments to FINRA about the costs and scope of the Rule Proposal no later than December 1, 2014.

Endnotes

[1] FINRA Requests Comment on a Rule Proposal to Implement Comprehensive Automated Risk Data System, Regulatory Notice 14-37 (“Notice 14-37”) available at
http://www.finra.org/web/groups/industry/@ip/@reg/@notice/documents/notices/p600964.pdf.

[2] Comprehensive Automated Risk Data System, FINRA Requests Comment on a Concept Proposal to Develop the Comprehensive Automated Risk Data System, Regulatory Notice 13-42 (“Notice 13-42”) at 1, available at http://www.finra.org/web/groups/industry/@ip/@reg/@notice/documents/notices/p413652.pdf. For a summary of the initial concept proposal, see FINRA Proposes a New Method to Obtain Transaction Information: Comprehensive Automated Risk Data System (Jan. 6, 2014).

[3] Notice 14-37 at 5.

[4] Notice 13-42 at 1.

[5] Notice 14-37 at 3.

[6] Id. at 20-23.

[7] Id. at 1. See also The Securities Industry and Financial Markets Association’s (“SIFMA”) Statement on FINRA CARDS Regulatory Notice discussing plans to submit comments to FINRA available at http://www.sifma.org/newsroom/2014/sifma_statement_on_finra_cards_regulatory_notice/.

[8] Id. at 3-5.

[9] Id. FINRA explained that such real-time information would provide FINRA with a greater understanding of a firm’s business profile, product mix, overall risk profile, anti-money laundering program and transaction patterns.

[10] Id. at 4. FINRA explained that the data access would serve a useful function for smaller firms in particular who often cannot afford to develop their own compliance tools.

[11] Notice 14-37 at 5, 13-14.

[12] Id. at 5.

[13] Id. at 13.

[14] Id. at 14. For additional information about the CAT, see http://catnmsplan.com.

[15] Id. at 3-23.

[16] Cf. Notice 13-42 at 5 with Notice 14-37 at 7, 21 n.3 (defining “securities account”)

[17] Notice 14-37 at 11 for a complete list of the Select Account Profile Data Elements. FINRA suggested that it may modify this requirement at a later stage of CARDS.

[18] Id. at 9-11. FINRA explained that, although it would allow firms to submit data through a third party, compliance with CARDS rests with the carrying or clearing firms. Further, Phase 1 would not include the Select Account Profile Data Elements for accounts the firm clears or carriers on a fully disclosed or omnibus basis.

[19] Id. at 11.

[20] Id.

[21] Id. at 12.

[22] Id. at 5.

[23] Notice 14-37 at 6.

[24] Id.

[25] Id. at 13.

[26] Id.

The full and original memorandum was published by Bingham McCutchen LLP on October 13, 2014, and is available here.