FINRA Requests Comment on a Rule Proposal to Implement the Comprehensive Automated Risk Data System
Comprehensive Automated Risk Data System
Request for Comment
Referenced Rules & Notices
FINRA Rule 4311
Regulatory Notice 13-42
SEA Rule 15c3-3
SEA Rule 17a-3
SEA Rule 17a-4
FINRA is requesting comment on a proposed rule to implement the Comprehensive Automated Risk Data System (CARDS). FINRA initially released CARDS as a concept proposal in Regulatory Notice 13-42. This rule proposal reflects the comments received on the concept proposal.
The rule proposal would be implemented in phases and would exclude the collection of personally identifiable information (PII) for customers, including account name, account address and tax identification number. The first phase would require approximately 200 carrying or clearing firms (i.e., firms that carry customer or non-customer accounts or clear transactions) to periodically submit in an automated, standardized format specific information that is part of the firms' books and records relating to their securities accounts and the securities accounts for which they clear. The information to be submitted would include data relating to securities and account transactions, holdings, account profile information (excluding PII), and securities reference data. A carrying or clearing firm would not, however, be required to submit specified account profile information primarily related to suitability, for the securities accounts it carries or clears on a fully-disclosed or omnibus basis for others. For all other securities accounts, carrying or clearing firms would be required to submit these account profile-related data elements as part of the first phase of CARDS. The second phase of CARDS would require fully-disclosed introducing firms to submit the specified account profile-related data elements either directly to FINRA or through a third party.
The text of the proposed rule can be found at www.finra.org/notices/14-37.
Questions concerning this Notice should be directed to:
FINRA encourages all interested parties to comment on the proposal. Comments must be received by December 1, 2014.
Comments must be submitted through one of the following methods:
Marcia E. Asquith
Office of the Corporate Secretary
1735 K Street, NW
Washington, DC 20006-1506
To help FINRA process comments more efficiently, persons should use only one method to comment on the proposal.
Important Notes: All comments received in response to this Notice will be made available to the public on the FINRA website. In general, FINRA will post comments as they are received.1
Before becoming effective, a proposed rule change must be authorized for filing with the Securities and Exchange Commission (SEC) by the FINRA Board of Governors, and then must be filed with the SEC pursuant to Section 19(b) of the Securities Exchange Act of 1934 (SEA).2
Background and Discussion
CARDS is an initiative that would allow FINRA to enhance investor protection and help restore and maintain investor confidence by collecting information in a standardized format across all firms subject to CARDS on a regular basis. The information that FINRA would collect through CARDS is substantially consistent with the information it already collects when it conducts an individual examination. The transition to a standardized and regular data collection method is vital to FINRA's goal to transform its regulatory surveillance program and implement a more comprehensive examination program.
CARDS is intended as the next step in the evolution of FINRA's risk-based surveillance and examination programs. Through the CARDS initiative, FINRA recognizes that technological advancements can be leveraged to obtain, store, manage and access large quantities of data to identify and quickly respond to potentially fraudulent and abusive behavior that it might not see through its current surveillance or examination programs. Today, FINRA has a robust examination program through which firms are inspected on-site every one to four years. These examinations are based on a combination of sampling methodologies, reviews of customer and firm activities, focused reviews in priority areas of concern, and interactions with firm staff to understand the specific circumstances surrounding areas highlighted through data analysis. In contrast, CARDS would require the submission of data on a regular, automated basis from all firms subject to CARDS. The receipt of more up-to-date and complete data would allow FINRA to identify and quickly respond to high-risk areas and suspicious activities. CARDS would enable FINRA to enhance its ability to, for example:
CARDS would also enable firms to better manage compliance through shared information provided to firms based on FINRA's analyses. The feedback and report card approach has worked well in FINRA's market surveillance program and would be a valuable enhancement to FINRA's member regulation programs as well. Further, FINRA would plan to provide firms access to their own data in a way that would facilitate the firms' use of the data as part of their compliance efforts. FINRA would work with firms to determine the extent and nature of any tools that FINRA would provide as part of this effort. FINRA believes that this could strengthen compliance efforts at many firms, particularly those smaller firms that cannot afford to create compliance tools themselves.
FINRA believes that after accounting for the initial investment to implement CARDS, CARDS would serve to reduce burdens on firms and lower costs due to, among other things, eliminating intermittent, and sometimes frequent and extensive, information requests from FINRA for the information CARDS covers. In addition, FINRA would analyze CARDS information before launching firm-wide sweeps or examining firms on-site, thereby potentially eliminating some sweeps, more effectively targeting the firms included in other sweeps, reducing the burdens associated with targeted, multi-firm initiatives, and streamlining reviews conducted as part of on-site visits to firms that pose low risks of harm to investors.
As discussed in more detail below, FINRA is conducting an analysis of the economic impacts associated with CARDS. FINRA asked a series of questions in the concept proposal, has met with firms and other stakeholders to better understand the concerns raised in response to the concept proposal, and developed a set of questions to elicit feedback from a group of firms—including self-clearing, correspondent clearing and introducing firms—regarding the economic impact of the rule proposal to firms. In addition, FINRA requests comment in this Notice on the economic impact of the rule proposal, including the costs and benefits of the proposal, and requests submission of data and quantified comments, where possible.
As stated in the concept proposal, FINRA envisioned that under CARDS, clearing and carrying firms (on behalf of introducing firms) and self-clearing firms would submit in an automated, standardized format specific information relating to their customers' accounts and the customer accounts of each firm for which they clear. The concept proposal stated that such information would include, at a minimum, account information, account activity information and security identification information. To minimize the impact on small and mid-size firms, the concept proposal further stated that introducing firms would not be required to transmit the specified information directly to FINRA, but would provide their clearing firms with the information in their possession that is necessary for the clearing firms to comply with CARDS' information submission requirements. In addition, the concept proposal stated that firms would submit the required information to FINRA on a regular schedule (such as on a daily or weekly basis) in a standardized format that would permit FINRA to run analytics for a particular day during the period being reported and that a firm submitting information would be permitted to enter into an agreement with a third party to fulfill the firm's reporting obligations.
FINRA received approximately 800 comment letters in response to the concept proposal, including 140 unique comment letters. In addition to reviewing the comment letters, FINRA has been actively meeting with firms—collectively, individually and via FINRA's advisory committees—to obtain additional feedback on the concept proposal and to inform FINRA's development of the rule proposal. FINRA has worked intensively with a group of six "pilot" firms to further refine and develop the CARDS data specifications and rule proposal and has received valuable feedback. FINRA also has sought feedback on the CARDS data specifications from a "sounding board" of 11 firms that includes self-clearing, correspondent clearing and introducing firms. Because investor protection is the driver for CARDS, FINRA conferred with investor and consumer protection groups to obtain feedback on the concept proposal and in developing the rule proposal. FINRA now requests comment on the rule proposal. The key provisions of the rule proposal are set forth below; however, interested persons should carefully read the rule text for a complete understanding of the proposal.
The rule proposal would be implemented in phases and would exclude the collection of PII. The rule proposal includes the first two phases of CARDS. Any later phases would be subject to additional rulemaking and attendant public comment.
A primary concern raised early in the comment process related to the collection of PII. Although the concept proposal noted that in developing CARDS, FINRA was interested in considering ways in which to gather account identifying information without disclosing account names or other PII, it became evident early on that firms remained concerned about FINRA's intent relative to collecting PII. Accordingly, on March 4, 2014, FINRA issued a statement that CARDS would not require the submission of information that would identify to FINRA the individual account owner, including, account name, account address or tax identification number. This clarification served the dual purpose of confirming that PII would not be collected while also addressing certain concerns associated with data security. Despite the March 4 statement, some commenters continued to express concerns that FINRA would be able to link customers' identities across firms and that identities could be discerned by any potential hackers of the CARDS database. In the absence of PII, FINRA believes that CARDS would not contain information that would enable accounts to be linked across firms or that would reasonably enable a potential hacker to determine the identity of an account's owner.
Moreover, all data sent to FINRA would be encrypted in transmission and after receipt in a way that would not permit anyone to read or interpret the data without the proprietary encryption keys. FINRA would also limit access to the raw data to a few select full-time technical employees, whose access to the data would be carefully tracked and actively monitored.
Given that (i) FINRA will not be collecting PII as part of the CARDS information, (ii) unlike financial firm account databases, access to the CARDS database would provide no ability for potential hackers to access or cause movements of either cash or securities, and (iii) as discussed in more detail below, the security disciplines FINRA would employ, the likelihood of anyone exploiting what would be anonymous data would be small.
FINRA's security protocols for handling confidential data became a focal point after the CARDS concept was announced. Commenters expressed concerns about CARDS information being held in a single database and the potential security concerns that could present. As noted above, FINRA believes that such a security risk would be low. FINRA has been maintaining high security standards and safely hosting highly confidential broker data for decades. Moreover, FINRA believes that the investor protection benefits that would come from CARDS, and FINRA's increased ability to reduce fraudulent and abusive behavior, significantly outweigh the remote risk of a security breach.
Nevertheless, FINRA is committed to the highest level of security when it comes to CARDS and the information that would be collected. FINRA would apply to CARDS the many security controls and protocols it already has in place. In particular, FINRA operates a comprehensive security program to mitigate cyber and physical information security and privacy threats, and to ensure compliance with applicable data privacy regulations and laws. FINRA's program is based upon industry best practices, is guided by relevant federal and international standards, and is compliant with relevant data security and privacy laws and regulations.
In addition, as it does today, FINRA would continually look for ways to enhance its security measures that would be applicable to CARDS as well as FINRA's many other systems and programs relating to regulatory data collection, including through detailed discussions of security protocols with firms. To that end, FINRA is committed to assessing its security and privacy controls and practices against appropriate compliance standards, including by obtaining Service Organization Controls (SOC) 2 and 3 reports, to further demonstrate the integrity of its controls relating to security, availability, processing integrity, confidentiality and privacy. FINRA intends to undertake these assessments prior to the implementation date for CARDS.
The rule proposal would require the submission, in accordance with the phased approach discussed in this Notice, to FINRA of prescribed data relating to the following categories of information for all the firm's securities accounts3 to the extent the data is part of a firm's books and records:4
In the concept proposal, FINRA stated that CARDS would require carrying and clearing firms (on behalf of introducing firms) and self-clearing firms to submit in an automated, standardized format specific information relating to their customers' accounts and the customer accounts of each firm for which they clear. This was intended to reduce costs and make the data delivery process simpler for firms and FINRA. Since issuing the concept proposal, it has become evident that clearing firms were reluctant to handle data that they do not require for clearing purposes. Moreover, introducing firms prefer to decide whether to have a third party submit the information on their behalf or provide the submission themselves. In light of these comments, FINRA has modified the approach of CARDS such that it would be implemented in phases that permit these options.
The first phase of CARDS would limit the collection of information to only that data that resides at carrying or clearing firms (i.e., firms that carry customer or non-customer accounts or clear transactions). Carrying or clearing firms would be required to submit the data set forth in the CARDS data specifications that the firms have as part of their books and records relating to their securities accounts and securities accounts for which they clear. This would include information relating to securities and account transactions, holdings, account profile information (excluding PII) and securities reference data for all securities accounts.
Phase 1 would not include submission by a carrying or clearing firm of the following 15 data elements relating to account profile information (the Select Account Profile Data Elements) for securities accounts it carries or clears on a fully-disclosed or omnibus basis for others:
Carrying or clearing firms would also have the option of providing the required information to FINRA pursuant to an agreement with a third party. Notwithstanding the existence of such an agreement, each carrying or clearing firm would be responsible for complying with the CARDS reporting requirements applicable to it.
Because the information to be submitted as part of phase 1 would be limited to information that is part of a carrying or clearing firm's books and records, the rule proposal would not amend existing requirements relating to firms' maintenance and preservation of their books and records.9
The second phase of CARDS would add the collection of the Select Account Profile Data Elements (described above), as set forth in the CARDS data specifications, from fully-disclosed introducing firms for all the firms' introduced securities accounts. Fully-disclosed introducing firms would have the option of providing the information to FINRA directly or by entering into an agreement with a third party pursuant to which the third party agrees to fulfill the introducing firm's obligations for submitting the CARDS information to FINRA. Thus, fully-disclosed introducing firms would have flexibility in determining how to submit the information to FINRA.
Fully-disclosed introducing firms would be required to ensure that FINRA receives the Select Account Profile Data Elements as part of phase 2 from only one source, whether that is from the introducing firm directly or a third party. Fully-disclosed introducing firms would be required to identify to FINRA, as part of the CARDS registration process, from which source they would be providing the Select Account Profile Data Elements.
Several commenters requested that FINRA clearly define where supervisory and reporting responsibilities lie between introducing firms and their clearing firms. The allocation of responsibilities between an introducing firm and its clearing firm is governed by FINRA Rule 431110 and that rule is not changing. Firms may choose to re-negotiate their carrying agreements to comply with the CARDS reporting requirements. FINRA notes, however, that to the extent an introducing firm determines, under phase 2 of CARDS, to submit the Select Account Profile Data Elements to FINRA pursuant to an agreement with a third party, such as a clearing firm, the introducing firm would retain responsibility for ensuring the accuracy and completeness of the submitted information. If the submitted information is inaccurate or incomplete, the introducing firm would be responsible for providing the corrected or missing information to FINRA via the third party. The introducing firm would also be responsible for ensuring that FINRA receives the information within the time frame required for reporting CARDS information to FINRA. Moreover, if the third party is simply passing on the information to CARDS, and does not otherwise use the information for its customer reviews, that third party would not be held to any new supervisory or compliance obligations relating to the information.
To the extent that a third party agrees to submit information to FINRA on behalf of a member firm, the member firm must require, as part of the agreement, that the third party maintain and preserve a copy of the data transmitted to FINRA in accordance with the time period required for the member firm to maintain and preserve such data under the proposed rule, i.e., three months.11
Several commenters on the concept proposal stated that account, activity and security identification information is not collected and maintained for all types of products and that firms would have to incur significant costs to obtain this information for such products. To reduce the costs of CARDS to firms, the rule proposal's reporting requirements relating to the transmission of purchases and sales securities transaction information would not apply to products that are not held, or custodied at, or executed through, a clearing firm, such as variable annuities, private placements, direct participation programs (DPPs), private investments in public equity (PIPEs), non-traded real estate investment trusts, unregistered securities, precious metals and direct mutual funds, other than NSCC Network Level 3 mutual funds.12 FINRA expects that the collection of this information may be part of a later phase of CARDS, which would be subject to additional rulemaking.
For both phases 1 and 2, the proposed rule would require the submission of information on a calendar month basis. Firms would be required to submit information to FINRA by the 10th business day of the following calendar month. For securities and account transaction information, however, firms would be permitted to submit the data more frequently if it better aligns with their business processes. In addition, for securities and account transaction information, firms would be required to submit information with daily granularity. With respect to holdings and account profile information (including the Select Account Profile Data Elements), firms would be required to submit a single monthly snapshot as of the last business day of the calendar month. Firms would be required to submit reference data relating to all of the securities referenced in the transmission for the prior month, although firms would have the option to transmit the reference data more frequently than monthly. Firms would be required to maintain and preserve a copy of the data transmitted by the member firm to FINRA for a period of not less than three months.13 FINRA would perform automated validations on submitted data and provide results to member firms. Some validations could result in errors, which member firms would need to correct within seven business days after receipt of the validation results from FINRA. The CARDS data specifications would provide additional detail regarding FINRA's validation approach, file rejections and repairs, as well as firm-initiated corrections and deletions of submitted CARDS information.
In seeking input from firms on the CARDS data specifications and in developing the rule proposal, several firms commented on the length of time following calendar month-end that FINRA would provide for firms to transmit the prescribed data to FINRA and on the amount of time that firms would receive to correct errors and repair file rejections. FINRA understands that firms need to have sufficient time to collect, clean, transmit, correct and repair the data, and is requesting additional feedback in this Notice to help further inform it regarding whether the proposed time periods would be appropriate.
Several commenters raised concerns regarding the difficulty of establishing common data content standards, particularly with respect to suitability information. Although the rule proposal would include the provision of a standardized file specification for transmitting data, it would also provide firms with the ability to report specified data elements in free format text fields, including suitability information and product and security descriptions. This would allow firms to continue to have the flexibility to develop and implement records relating to these data elements in their own formats.
In addition, some commenters noted that introducing firms, particularly smaller firms, use varying degrees of automation in recording suitability information. Accordingly, as part of phase 2, the rule proposal would provide fully-disclosed introducing firms with the option to provide the CARDS information directly to FINRA. Based on feedback from firms, FINRA understands that providing introducing firms with the option to submit the CARDS information directly to FINRA would lessen the costs to those firms that currently do not automate all or part of their recording of suitability information. FINRA would provide to introducing firms a Web interface, data upload and machine-to-machine capabilities.
CARDS would provide an independent environment for testing. Firms would be required to successfully transmit information to the CARDS test environment before they begin reporting data to the CARDS production environment. Before testing with the CARDS application could begin, member firms would need to register with CARDS business operations via a registration process. This registration process would, for example, establish firm contacts, provide user account numbers, and specify whether firm submissions would be directly from the firm or a third party. CARDS would process all data submissions it receives in the test environment in the same way as in the production environment. For example, after submitting data to the CARDS test environment, firms would be able to obtain or view feedback on the status of that data submission.
FINRA is proposing that a reasonable period of time within which carrying or clearing firms would be required to start submitting CARDS information to FINRA under phase 1 would be approximately nine months following SEC approval of CARDS requirements. FINRA anticipates that fully-disclosed introducing firms would begin submitting CARDS information to FINRA within 15 months of SEC approval of CARDS. FINRA would publish the schedule for phases 1 and 2 of CARDS as soon as it has been established following SEC approval of CARDS requirements.
In addition, carrying or clearing firms would be required to submit historical purchase and sales transaction information for the time period between the date of SEC approval of CARDS and the date on which the firms begin submitting CARDS information to FINRA. Several firms have expressed cost concerns relating to FINRA's proposed collection of historical purchase and sales transaction information. Because the collection of this information would allow FINRA to run analytics on the information as soon as CARDS is implemented, thereby making it a valuable analytical tool from the outset, FINRA has determined to include in the proposed rule the collection of this historical information and requests additional comment in this Notice regarding the requirement.
As discussed above, FINRA has modified its approach to CARDS in response to the comment letters and additional feedback it has received from meeting with firms individually and collectively regarding the concept proposal and the development of the rule proposal. In addition, commenters raised concerns relating to the purpose and scope of CARDS, which are addressed below.
In response to the concept proposal, some firms commented that CARDS would supplant the legal, compliance and supervisory programs firms administer. CARDS is not intended to, nor will it, duplicate these functions. FINRA will not establish a transaction-by-transaction based exception program. Granular oversight to ensure compliance or prevent and detect problems with individual customers and transactions remains the central role of a firm's compliance and supervisory programs. Thus, a firm's compliance and supervisory programs would remain responsible for oversight to prevent and detect problems based on the full information the firm holds.
CARDS may permit FINRA to provide valuable information to firms that compliance and supervisory staffs can use to enhance their operations. FINRA seeks comment from firms regarding what information would be valuable for purposes of their compliance and supervisory programs. Based on comments from firms, there is a significant interest in obtaining access to their own submitted data. FINRA would provide this access in a form that would facilitate and improve a firm compliance department's capabilities. FINRA would also consider making this data available to a firm's service provider if the firm authorized such access.
Many commenters questioned why FINRA is moving forward with CARDS at the same time that the Consolidated Audit Trail (CAT) is being developed. Fundamentally, CAT and CARDS collect different information. Unlike CARDS, CAT will not contain information regarding customer risk tolerance, investment objectives, money movements, margin requirements and position data that FINRA uses to conduct its reviews. This distinction is a core feature of CARDS and emphasizes FINRA's investor protection mission. In addition, an analysis by FINRA staff of any potential overlap between the data fields proposed to be collected by CARDS and CAT indicated that there was limited overlap. Any transaction information proposed to be collected by CARDS that would also have to be collected by CAT would require significant additional information such as commissions and fees and final settled moneys that CAT would not collect.
In addition, FINRA has performed an extensive analysis of current firm reporting to FINRA to determine to what extent CARDS information is already being collected through existing reporting systems. FINRA has determined that, other than as discussed below, its existing reporting systems do not collect the same type or granularity of information that FINRA would collect under CARDS.
One area of duplication that FINRA has identified relates to INSITE,14 which FINRA intends to retire as firms start submitting CARDS information to FINRA under phase 1. Another area of duplication that FINRA has identified is the stock record data collected from firms as part of FINRA's Automated Exam Program (AEP). CARDS would collect the information currently reported by firms under FINRA's AEP. FINRA is proposing the collection of the information reported by firms under FINRA's AEP such that it would be collected on a monthly basis, rather than the current annual basis, because of its value in surveilling for firms' compliance with customer protection obligations, as well as various other risks, such as market and credit risk.
During the time period between SEC approval of CARDS and the implementation date for CARDS, FINRA expects firms to continue providing AEP information to FINRA under their existing processes. FINRA intends to retire the current processes for collecting AEP information as firms start submitting the information as part of CARDS.
To the extent any other CARDS-related information is obtained through other reporting obligations, FINRA is committed to eliminating any duplicate reporting requirements.
Interim Economic Impact Assessment
In the concept proposal, FINRA provided a high-level description of the key economic impacts it identified as associated with CARDS. Benefits identified in the concept proposal included: (1) increased investor protection through greater effectiveness of FINRA's surveillance and examination programs; (2) reduced regulatory costs and burdens on firms associated with providing information on an ad hoc basis in support of FINRA examinations; and (3) elimination of duplicative systems that provide information CARDS would cover. The anticipated costs identified in the concept proposal included costs associated with: (1) building and maintaining an infrastructure to submit the required data; (2) transmission and reconciliation of data to FINRA by clearing firms; and (3) production and provision of additional CARDS data by introducing firms to clearing firms. The concept proposal also noted that there may be other costs to firms depending on the specific obligations in the rule.
The rule proposal refines the CARDS concept proposal. It would, among other refinements discussed herein, exclude the collection of PII and provide greater flexibility to introducing firms and carrying or clearing firms in meeting the proposed reporting obligations. The rule proposal reflects FINRA's understanding that it can provide greater flexibility to firms while maintaining its objective of increased investor protection. Increased flexibility would be provided through the exclusion of PII, the format in which suitability information would be collected, the regularity of data provision and the channels available to firms to provide the required CARDS information.
In phase 1, CARDS would impose new obligations on approximately 200 carrying or clearing firms. These firms would be required to provide to FINRA a regular data submission that includes specified data, some with specified values, and in a specified file format. The information submitted in phase 1 would cover securities accounts of these firms along with those of approximately 1,850 fully-disclosed introducing firms. As part of phase 1, CARDS would also collect information currently reported by firms under FINRA's AEP. This collection of information would create an additional reporting obligation for firms that do not currently report under FINRA's AEP, which FINRA estimates to be approximately 100 firms among the carrying or clearing firms identified above. Fully-disclosed introducing firms would not have any additional reporting obligations in phase 1 for the accounts they clear through other firms. In phase 2, fully-disclosed introducing firms would be required to submit the Select Account Profile Data Elements directly to FINRA or through a third party.
FINRA staff is continuing to collect and assess information about the costs, benefits and other economic impacts of CARDS from a variety of sources, including the six pilot and 11 sounding board firms, commenters and FINRA internal sources. An interim assessment of the associated economic impacts based on information gathered to date is provided below. FINRA requests comment on the anticipated costs, benefits and other economic impacts to firms, investors and the public associated with the rule proposal.
CARDS would be designed to enhance investor protection and ensure market integrity by allowing FINRA to identify and quickly respond to high-risk areas and suspicious activities that it might not identify through its current surveillance and examination programs. FINRA's current examination program involves the collection of information, on a firm by firm basis, which can vary in content, scope and time period across examinations. CARDS would enable FINRA to automate its data collection and run regular and ad hoc analytics against more up-to-date and complete data, thereby enhancing FINRA's ability to more quickly uncover potentially fraudulent and abusive behavior. CARDS would provide a comprehensive view of firm and industry activity that would allow FINRA to, among other things, analyze customer dealing activities within individual firms, at particular branch offices, and with specific registered representatives, as well as compare one firm's customer activities against those of its peers. Access to comprehensive information would enable FINRA to promptly identify emerging risks and problematic patterns and incorporate the information in developing surveillance and examination strategies and priorities.
FINRA would use the information collected through CARDS to enhance its supervision of firms in several ways. CARDS would enable FINRA to review firm data ahead of individual examinations, thereby leading to more focused examinations. Collection of data on a more regular basis from firms would permit FINRA to react more quickly and effectively to unexpected and rapidly developing events that could threaten investor protection or market integrity. The use of CARDS in these ways would lead to a more effective allocation of regulatory resources and enhanced investor protection.
FINRA believes that the regular collection of information as described in this Notice would lead to greater investor protection, in part, because of its recent experience in employing analytics against a large amount of customer account information collected for a limited number of firms in an examination context. FINRA's experience with its Risk Discovery and Analytics Tool (RDAT) pilot program provides direct experience in applying automated analytics on data, albeit for a limited number of firms and for a limited time period. Specifically, FINRA staff has noted that this platform has allowed it to save days to weeks usually committed to standardizing and conforming data for analysis during an examination. Further, the regular provision of data in anticipation of an examination replaces a process of request and response for information that can typically take weeks.
Most importantly, the RDAT analytics helped FINRA identify firms involved in potentially problematic practices and uncover issues such as suspicious trading activity, excessive commissions, concentration of high-risk products in customer accounts and inadequate sales practice supervisory procedures. For example, the RDAT analytics helped FINRA identify a firm that was selling a new, high-risk product—a business in which the firm was not historically engaged and its financial reporting did not disclose. For another firm, RDAT reports allowed FINRA staff to filter through millions of trades to quickly identify potential areas of risk related to penny stocks liquidations and suspicious trading activity. In addition, FINRA used the data collected to conduct analyses on Puerto Rican debt during the period when a potential default was of heightened concern. FINRA used the data collected to determine which firms had exposure to Puerto Rican debt and quickly target for resolution investor protection concerns, such as which investor accounts had high concentrations of Puerto Rican debt and conflicts of interest based on a firm's proprietary accounts or employees selling their own holdings of Puerto Rican debt while their customers were buying these securities. In addition, the analytics enhanced FINRA's understanding of the firms' business models, operations and sales activity, and improved the quality of business conduct reviews through comprehensive, automated analysis of brokerage activity.
The collection of more complete information, over a longer period, would enhance FINRA's ability to identify appropriate concerns in a more timely manner and further enhance investor protection. For example, more complete information would provide FINRA with the ability to eliminate certain sweep initiatives where the sought after information is already within FINRA's possession, and better and more quickly identify the appropriate set of firms when a sweep remains appropriate. As a result, firms without significant exposures would not be asked to commit resources to respond to a sweep request, while investors who are most at risk would benefit from quicker and more targeted action. Access to more comprehensive information would also further enhance FINRA's risk reviews that are core to its mission of investor protection. For example, CARDS would provide a more holistic view of customer accounts, thereby allowing FINRA to better pinpoint where suitability risks might exist by identifying groups of customers holding high-risk products, branch offices with concentrations of such products and registered representatives selling those products. Similarly, CARDS would allow FINRA to run analytics on a more complete and comparable set of transactions to identify accounts where excessive commissions may have been charged. CARDS would enable FINRA to better assess the business lines and activities in which firms are engaged, the risks associated with those business lines, and the factors that aggravate or mitigate those risks, and incorporate this assessment in surveillance activities, planning examination cycles and developing its focus for individual examinations.
CARDS would also replace existing reporting systems that already collect related information. Several commenters noted that FINRA should identify and retire systems that collect CARDS-related information to minimize duplication and overall compliance costs. FINRA is committed to eliminating any systems with duplicate reporting requirements. As noted above, one such reporting system is INSITE, which FINRA intends to retire after firms start submitting information to FINRA as part of the first phase of CARDS. FINRA also intends to retire the current systems and processes for collecting AEP information, and instead require firms to submit such information as part of CARDS. The replacement of AEP processes by CARDS would streamline data reporting and eliminate duplication for AEP firms.
Following FINRA's analyses of the information firms provide, FINRA intends to share relevant data and analyses, including firms' own data and performance benchmarks, with firms. Several commenters stated that receiving performance benchmarks would be beneficial and could support their in-house compliance programs. FINRA believes that this information sharing could help firms with their compliance and supervisory programs that would continue to have the obligation to conduct oversight. Further, FINRA believes that the opportunity to share standardized data and metrics would particularly benefit smaller firms because of the relatively higher costs associated with capturing, standardizing and maintaining data.
FINRA anticipates that carrying or clearing firms submitting information under phase 1 would incur costs to develop and maintain infrastructure to submit the required data. Costs to these firms would include the cost of compiling, standardizing and formatting data, possibly across multiple systems. These firms would also incur costs associated with quality control, reconciliation and transmission, as well as archiving and storing the CARDS data transmitted, as regulatory records. Some of these costs may be related to the timing of reporting, reconciling and repairing data submitted. In addition, as noted above, phase 1 would require carrying or clearing firms to submit information currently collected under FINRA's AEP. Firms that do not currently submit information under FINRA's AEP would incur costs to develop and maintain infrastructure to submit the information as part of CARDS. Firms that currently submit information under FINRA's AEP would need to retire their existing AEP systems and increase the frequency of the information provided from annual to monthly. CARDS would provide carrying or clearing firms the option of transmitting the required information directly to FINRA or through a third party, thereby allowing these firms to choose the least costly option.
Fully-disclosed introducing firms would not have any additional reporting obligations in phase 1, for the accounts they clear through other firms and, as a result, would not incur direct costs associated with those accounts. Fully-disclosed introducing firms may incur indirect costs if carrying or clearing firms pass on CARDS costs to their introducing firms. However, the extent to which carrying or clearing firms can pass on these costs depends on the degree of competition in the market for carrying or clearing services. The more competitive the market for these services, the more difficult it would be for carrying or clearing firms to pass on all their costs to introducing firms.
In phase 2, fully-disclosed introducing firms would submit the Select Account Profile Data Elements directly to FINRA or through a third party. Introducing firms would, therefore, have flexibility in determining how to submit the information to FINRA, which is intended to reduce costs for these firms by allowing them to choose the most cost effective option. Firms that choose to provide the information to FINRA directly would incur costs associated with developing and maintaining systems and procedures to compile, standardize and transmit the data to FINRA. These firms would also incur costs associated with quality control, archiving and storing the data submissions as regulatory records. Firms that choose to provide the CARDS information to FINRA through a third party may pay a third party for agreeing to fulfill their reporting obligations. These firms may also incur costs associated with compiling and transmitting any required information to the third party, reconciling the information and quality control, to ensure the accuracy and completeness of the submitted information.
Carrying or clearing firms may agree to transmit the Select Account Profile Data Elements in phase 2 to FINRA on behalf of their introducing firms. As a result, carrying or clearing firms may incur costs associated with collecting any required data from their introducing firms, as well as compiling, standardizing, and transmitting it to FINRA. If these carrying or clearing firms transmit the data for some but not all of their introducing firms, they may incur additional costs, such as costs associated with keeping track of whether they have been identified by their introducing firms to be the source of the phase 2 data elements.
Similar to introducing firms in phase 1, investors may face indirect costs if firms covered by this proposal attempt to pass their costs on to the public. But here too, the extent to which broker-dealers can pass on these costs depends on the degree of competition in the market for brokerage services.
FINRA is collecting information about anticipated costs to firms, and other economic impacts associated with CARDS, from a group of clearing, self-clearing and introducing firms. Based on the information collected to date from a limited number of clearing and self-clearing firms, the preliminary estimates of cost to develop CARDS systems and procedures range from approximately $390,000 to $8.33 million and the annual cost to maintain these systems ranges from approximately $76,000 to $2.44 million. The median estimates of cost to develop and annual cost to maintain CARDS systems and procedures are approximately $1.68 million and $400,000, respectively. These cost estimates represent firms with different sizes, clearing arrangements and business models, and are influenced by, among other factors, the complexity of their business and their technology infrastructure. FINRA is continuing to review the estimates provided to date and collect cost estimates from additional firms.
FINRA's costs to implement phases 1 and 2 of CARDS would include costs to develop and maintain the technology infrastructure to collect, compile, standardize, reconcile, store and archive the CARDS data. Additional phase 2 costs would be incurred to develop and maintain a portal for introducing firms to submit phase 2 data directly to FINRA. There would also be costs associated with developing and sharing performance benchmarks and other information with firms. Based on the proposed rule requirements, FINRA's preliminary estimate of the cost to develop CARDS technology systems and processes ranges from $8 million to $12 million over a three-year period. There would be no direct impact to member firms associated with this investment. FINRA continues to assess the additional technology costs to maintain these systems, as well as costs to support an analytics program to run against the CARDS data.
Request for Comments
FINRA seeks comments on the rule proposal. In addition to generally requesting comments, FINRA specifically requests comments on the questions below. FINRA requests data and quantified comments where possible.
1 FINRA will not edit personal identifying information, such as names or email addresses, from comments. Persons should submit only information that they wish to make publicly available. See Notice to Members 03-73 (November 2003) (Online Availability of Comments) for more information.
2See SEA Section 19 and rules thereunder. After a proposed rule change is filed with the SEC, the proposed rule change generally is published for public comment in the Federal Register. Certain limited types of proposed rule changes, however, take effect upon filing with the SEC. See SEA Section 19(b)(3) and SEA Rule 19b-4.
3 The proposed rule defines "securities account" to mean an account as defined in SEA Rule 15c3-3(a)(14). SEA Rule 15c3-3(a)(14) provides that "[t]he term securities account shall mean an account that is maintained in accordance with the requirements of Section 15(c)(3) of the Exchange Act and §240.1Bc3-3." Thus, a securities account would include all retail and institutional customer accounts, as well as non-customer, proprietary, depository, custodial, clearance, items in transfer and similar accounts.
4 As noted above, interested persons should read the rule text for a complete understanding of the proposal, including a description of the categories of information to be submitted to FINRA.
5 ACATS, or Automated Customer Accounts Transfer Service, is a system administered by the National Securities Clearing Corporation (NSCC) through which transfers of customer accounts from one member firm to another are affected.
6 A non-ACATS transfer is a transfer of partial assets from a financial organization, or a transfer of assets from a non-NSCC member firm (for instance, a bank, credit union, or mutual fund company).
7 SEA Rule 17a-3(a)(5) provides that: "Every member of a national securities exchange who transacts a business in securities directly with others than members of a national securities exchange, and every broker or dealer who transacts a business in securities through the medium of any such member, and every broker or dealer registered pursuant to Section 15 of the Securities Exchange Act of 1934, as amended, shall make and keep current the following books and records relating to its business:... A securities record or ledger reflecting separately for each security as of the clearance dates all "long" or "short" positions (including securities in safekeeping and securities that are the subjects of repurchase or reverse repurchase agreements) carried by such member, broker or dealer for its account or for the account of its customers or partners or others and showing the location of all securities long and the offsetting position to all securities short, including long security count differences and short security count differences classified by the date of the physical count and verification in which they were discovered, and in all cases the name or designation of the account in which each position is carried."
8 The Financial Action Task Force (FATF) defines politically exposed persons (PEPs) as individuals who are or have been entrusted with prominent public functions domestically or by a foreign country, for example, heads of state or of government, senior politicians, senior government, judicial or military officials, senior executives of state owned corporations and important political party officials. FATF states that the definition of PEPs is not intended to cover middle ranking or more junior individuals. See International Standards on Combating Money Laundering and the Financing of Terrorism & Proliferation, FATF Recommendations (February 2012).
9See, e.g., SEA Rule 17a-4 (Records to be Preserved By Certain Exchange Members, Brokers and Dealers). See also infra note 13, and accompanying text.
10See FINRA Rule 4311 (Carrying Agreements).
11See Section F (Frequency of Submissions) of this Notice for a discussion regarding firm record retention requirements relating to the data transmissions.
12 NSCC Network Level 3 refers to broker-dealer and other distribution firms that maintain full customer account control, handling orders, customer statements and reporting. The underlying customers do not have any direct privileges with the mutual fund company.
13 Based on discussions with SEC staff, to the extent the record retention requirements of SEA Rule 17a-4 would apply to the data transmissions, the rule's requirements would be satisfied by FINRA's retention of the data transmissions under SEA Rule 17a-1.
14 INSITE, or Integrated National Surveillance and Information Technology Enhancements, is an electronic information collection too that gathers data pursuant to NASD Rule 3150 (Reporting Requirements for Clearing Firms) via technical specifications and requirements published on FINRA's website (seethe INSITE web page).