Few Americans have even heard of the Financial Industry Regulatory Authority (FINRA), but the securities regulator is about to become intimately familiar with all Americans' investment portfolios. FINRA recently proposed the Comprehensive Automated Risk Data System, known by the less scary-sounding shorthand "CARDS." In the name of investor protection and investor confidence, FINRA plans to monitor all securities accounts and transactions. Investors should run from this kind of protection.
FINRA is a quasi-governmental organization that oversees the brokerage industry. It derives its exclusive powers from, and is in limited measure accountable to, the Securities and Exchange Commission. FINRA sets its own agenda, salaries and budget and is governed by a board of directors, some of whom represent industry and the majority of whom purportedly represent the public. As a new working paper released by the Mercatus Center at George Mason University discusses, FINRA is not truly accountable to the public, the industry or government.
This lack of accountability matters because FINRA's influence and power are growing. FINRA has grand plans for CARDS. Brokerage firms will be required to transmit monthly to FINRA information about customer profiles, account transactions and holdings. FINRA will use these data to assess how well brokers are serving their customers and to watch for unusual customer behavior.
FINRA champions CARDS as an investor protection mechanism. Yet the proposal reads more like a plan for micromanaging the financial system. After collecting the data, FINRA will provide it to firms along with a report card. The report card metrics are likely to drive firm behavior; regardless of what is best for customers, brokers will feel pressure to follow the metrics in order to keep FINRA happy. Over time, FINRA staffers' judgments — regardless of their merit — will increasingly determine how Americans' money is invested. The investing philosophies of customers and their finance professionals should not be displaced in this manner, even by well-intentioned regulators.
As originally conceived, CARDS would have collected personally identifiable information (PII) along with account information. In response to concerns about cybertheft, FINRA pledged not to ask for PII and to guard carefully the information it does receive. Even without PII, the FINRA database—full of information about individual accountholders and brokers—will likely be an attractive hacking target. FINRA says that it does not “believe” a potential hacker could determine an account owner’s identity. But with the comprehensive data that would be on file for every investor, what FINRA believes to be the case seems far from an adequate assurance.
Using information such as account numbers and the accountholders' birth years, creative hackers will be able to figure out an accountholder's name. FINRA will even require firms to identify accountholders who are "politically exposed individuals." Defined as "individuals who are or have been entrusted with prominent public functions domestically or by a foreign country, for example, heads of state or of government, senior politicians, senior government, judicial or military officials, senior executives of state owned corporations and important political party officials," politically exposed individuals are likely to be especially attractive to hackers.
But there is an even greater cost than the potential theft of information from the FINRA database. Ordinary Americans have an interest in not being monitored. The CARDS program would monitor them. The American Civil Liberties Union explained in its comment letter on the program that such "broad surveillance ... implicates core privacy values of great importance to Americans" at a time when "Americans increasingly feel they have lost control over their personal information and ability to retain confidences in sensitive personal activity, like their finances." CARDS is designed not only to track what firms are doing, but to identify "suspicious activity" by their customers. The rejoinder that customers with nothing to hide need not worry ignores the real value in not being monitored.
FINRA believes, moreover, that it is responding to a demand from investors for more protection. In November, FINRA released an investor survey showing that investors support additional regulatory protections. Given the imprecise nature of the questions, the survey does not offer support for CARDS. Ninety percent of investors strongly or somewhat agreed that it is important to have a "'cop on the beat' to protect investors and police the markets." That investors want this sort of protection when their investments are at stake is hardly insightful. Seventy-four percent of investors supported "additional regulatory protections to further safeguard investors from misconduct by brokers or brokerage firms." That number dropped to 56 percent when investors were told they would have to bear a "minimal" cost increase to pay for those new safeguards.
FINRA did not ask investors how much they would be willing to pay — in terms of increased fees and lost privacy — for a program like CARDS. A brokerage industry trade group came closer to asking that question when it conducted its own investor survey. More than 70 percent of respondents aligned themselves with the statement that "the risks of FINRA's proposal outweigh the benefits, even if the data is kept anonymous, because it will create a new singular location that hackers and cyber terrorists can target, putting investors' account activity balances and money movements at risk." Again, not a surprising result.
FINRA should not base its decision about proceeding with CARDS on either set of survey results. But the regulator should rethink the proposal in light of its real costs to investors. These costs include impairing investors' ability to manage their own investments without a regulator watching their every move. The costs also include the potential exposure of sensitive investor information to hackers. Especially in this era of big data, true investor protection sometimes requires restraint.