War of the Words between FINRA and SIFMA
Big data bites back, as an industry that embraces advanced analytics technology is spooked by how a regulator wants to use it.
In their 2011 book Race against the Machine, Massachusetts Institute of Technology professors Erik Brynjolfsson and Andrew McAfee surveyed the revolutionary possibilities of “a world of plentiful accurate data, powerful sensors and massive storage capacity and processing power” — and warned of economic and workplace dislocations to which societal institutions and government policies would be comparatively slow to adjust.
A conflict now brewing in the financial services industry shows not only the power of new technology to modernize and transform historically less automated modes of operation, but also that potentially displaced workers are not alone in being motivated to push back against “the machine.”
The antagonists are the Securities Industry and Financial Markets Association, the broker-dealer lobby, and the Financial Industry Regulatory Authority, a self-regulatory agency overseeing firms and exchanges with a primary mandate of investor protection. The organizations’ relationship is generally cordial if not cozy. But they are now at loggerheads over the Comprehensive Automated Risk Data System (CARDS), a plan by FINRA to turn the big guns of big data on SIFMA members.
As FINRA defined CARDS in late 2013, its objective is “to collect on a standardized, automated and regular basis, account information, as well as account activity and security identification information that a firm maintains as part of its books and records.”
In other words, FINRA wants to apply big-data aggregation and analysis capabilities — not unlike those that financial institutions are developing for trading, marketing and other activities — to accelerate data collection and improve supervision. At the annual SIFMA Tech conference last June, FINRA chief information officer Steven Randich explained that CARDS, then in a proof-of-concept stage with two clearing firms, “will provide us with ongoing bird’s-eye-view surveillance that complements our boots-on-the-ground exams.”
SIFMA saw red from the beginning. It voiced concerns about overreach by FINRA, the security and privacy of account data collected by the regulator, and compliance costs and operational burdens on member firms.
By year-end 2014, SIFMA’s critique had escalated to all-out resistance. To a 23-page letter to FINRA on December 1, SIFMA attached an analysis by IBM showing that CARDS would cost the brokerage industry $680 million up front and $360 million annually for labor, infrastructure and data storage. IBM also estimated FINRA’s ongoing storage costs to be $50 million a year. SIFMA argued that a true cost-benefit assessment was lacking and that CARDS “unjustifiably adds to the cumulative effect of numerous regulatory initiatives imposed on the industry over the last five years.”
For all its litany of objections, SIFMA deemed “most troubling” the required disclosure to FINRA “of the most intimate financial details for every investor’s securities account” and their vulnerability on FINRA’s computer systems “as a centralized, prime target for computer hackers and nation-state-sponsored cyber terrorists.”
Those fighting words resounded when the Sony Corp. security breach captured headlines in December, including this one on investmentnews.com: “SIFMA Says Sony Hack Is Cautionary Tale for CARDS.” That stance has SIFMA on the side of some strange bedfellows: The American Civil Liberties Union and the Consumer Federation of America submitted critical comment letters on the CARDS proposal, and SIFMA commissioned a Harris Poll indicating a majority of investors oppose CARDS, once it is explained to them, and agree that the security risks outweigh the benefits.
Is it real, or is it just politics? FINRA, for its part, says its interest is in broad marketplace surveillance and that personally identifiable information will not be vulnerable. The critics counter that even anonymized metadata is open to abuse.
Of course, there is nothing new about data reporting to financial regulators. This sort of outcry is a by-product of the “race against the machine” age and likely won’t be the last. The SEC’s Consolidated Audit Trail promises to be an even bigger storehouse of transaction data. SIFMA has said CAT could be a better vehicle for accomplishing CARDS’s goals. Ironically, FINRA is in the running to build and manage CAT.
Seemingly in anticipation of such conflicts, a September 2013 working paper by the U.S. Treasury’s Office of Financial Research suggested cryptographic, secure computation technologies as a solution for protecting regulatory data. But even these, said the OFR’s Mark Flood and three co-authors, “are not a panacea.”
Jeffrey Kutler is editor-in-chief of Risk Professional magazine, published by the Global Association of Risk Professionals.