If there is any connection between the recent cyberattack on Sony Pictures Entertainment and the Financial Industry Regulatory Authority's (FINRA’s) proposed Comprehensive Automated Risk Data System (CARDS), it’s that the Sony incident should serve as a cautionary tale to FINRA about mass data collection risks, according to the Securities Industry and Financial Markets Association (SIFMA) in a recent article. In December 2013, FINRA proposed the CARDS initiative that would allow it to collect account information in a standardized format across all firms subject to CARDS on a regular basis. Since the proposal, the industry has responded largely in opposition through several commenting opportunities. At the center of controversy are security and privacy risks for investors, among other things.
With an eye toward a more comprehensive examination program that can scale into the future, FINRA’s position is that CARDS would allow it to enhance investor protection and help restore and maintain investor confidence. FINRA noted that technological advancements can be leveraged to identify and quickly respond to potentially fraudulent and abusive behavior that it might not see through its current surveillance or examination programs. Hardeep Walia, the chief executive of Motif Investing, described CARDS in a recent Forbes article as “the next-generation, technology-driven model of regulation for any industry” that will protect investors more effectively and efficiently. In keeping pace with technology, FINRA’s objectives appear consistent with many big data initiatives that organizations are undertaking in various other contexts. For example, The Wall Street Journal described how VISA was utilizing big data to quickly and effectively combat fraud, identifying billions of dollars in fraud. To address privacy and security concerns, FINRA’s most recent proposed framework excludes the collection of personally identifiable information (PII). So why shouldn’t FINRA be able to leverage similar technology to identify patterns of financial fraud and clever schemes?
SIFMA’s comments to FINRA’s proposal may offer some additional insight into the debate. There, as in other comment letters, SIFMA listed privacy and cybersecurity among several major concerns. SIFMA President and CEO Kenneth E. Bentsen, Jr., stated that “CARDS would infringe upon investors’ right to privacy by mandating that brokerage firms turn over to FINRA all individual account information on a monthly basis. This would result in the creation of a centralized database of all individual brokerage accounts, updated monthly and held by a quasi-governmental entity. This centralized individual account database would become a prime target for cyber attackers, be costly to build and maintain, and would produce more false positives that would drain resources that could be put to better use to help investors.” The comment letter also enumerated areas that needed clarity:
- How the data would be protected, both in the various stages of transmission, as well as while maintained at FINRA;
- Who would be responsible to customers and/or the markets when a breach occurs;
- Whether FINRA is prepared to indemnify introducing brokers and clearing firms for the release of customer data by FINRA;
- Whether customers would be permitted to opt out, i.e., refuse to allow their information to be provided to FINRA via CARDS, and, if so, what logistics are required to facilitate an opt-out process;
- What disclosures and/or protections would be offered to customers whose data is maintained by CARDS;
- Who would have access to the information, how such access would be granted in the first instance, and how access would be supervised and reevaluated on a going-forward basis;
- How long the information would be maintained;
- Who else, apart from FINRA staff with a “need to know,” would have access to the data;
- The identity of its systems’ administrators, its policies and procedures for the protection and use of the data, whether it plans to use third-party vendors and the risk controls that would be used by the administrator;
- How the costs of remediation of a data breach would be allocated if a breach occurs;
- The applicability of state and federal data privacy laws to the data collected via CARDS, including an explanation as to whether FINRA, as a Delaware incorporated entity, is subject to state privacy laws directed at corporations;
- How FINRA would respond to requests for information from private and/or public litigants, as FINRA would become a known repository of an inordinate amount of detailed, personal financial information; and
- Which entity (introducing broker, clearing firm or FINRA) bears responsibility to notify individuals of a data breach when one occurs.
FINRA stated that in the absence of PII, it believes that CARDS would not contain information that would enable accounts to be linked across firms or that would reasonably enable a potential hacker to determine the identity of an account’s owner. With respect to cybersecurity, FINRA indicated that it operates a comprehensive security program to mitigate cyber and physical information-security and privacy threats and to ensure compliance with applicable data privacy regulations and laws. In addition, FINRA would continually look for ways to enhance its security measures that would be applicable to CARDS as well as FINRA’s many other systems and programs relating to regulatory data collection, including through detailed discussions of security protocols with firms.
While critics of the program raise fair points, one might also consider that investors and the market should get the benefit of new technology. As shown earlier in the VISA example, there are various contexts where big data and other new technologies play an effective role. FINRA is already collecting much of the information, sometimes at an even more granular level, though not in the manner and scale proposed. Additionally, FINRA’s proposal incorporates Privacy by Design, consistent with its standard practices, and FINRA plans to undertake Service Organization Controls (SOC) assessments prior to the implementation of CARDS.
From a technology standpoint, FINRA would apply to CARDS the many security controls and protocols it already has in place. Opponents and supporters of the program should also consider that other technological approaches may address privacy and cybersecurity concerns. For example, in a Huffington Post interview, Prof. Alex Pentland, who directs MIT's Human Dynamics Laboratory and the MIT Media Lab, stated “a major risk of deploying big data operations comes from the danger of putting so much personal data into the hands of one organization and also from storing that data in a single location. Organizations must arrange big data resources in a distributed manner, with each different type of data separated and dispersed among many locations, using many different types of computer systems and encryption.” Such a technological framework, extending beyond the basics of encryption and access control, could foster an acceptable compromise in these types of situations.
The outcome of the CARDS process is a work in progress, but watching it unfold could offer a learning exercise that privacy experts may integrate into their body of knowledge and practices.