Customer Information Protection

Protection of financial and personal customer information is a key responsibility and obligation of FINRA member firms. Under the SEC’s Regulation S-P, firms are required to have policies and procedures addressing the protection of customer information and records. This includes protecting against any anticipated threats or hazards to the security or integrity of customer records and information and against unauthorized access to or use of customer records or information. The rule also requires firms to provide initial and annual privacy notices to customers describing information sharing policies and informing customers of their rights.

Additionally, Regulation S-ID requires member firms that offer or maintain covered accounts to develop and implement written identity theft prevention programs.

Firms should be aware that customer information and records can be compromised in a variety of ways. This is especially true for firms that offer online, Web-based access to trading platforms and customer account information. Firms must understand and address the potential risks of brokerage account intrusions, whereby an unauthorized person gains access to a customer account and either steals available assets or misuses the account to manipulate the market.

Intrusions are generally accomplished through the theft of the login credentials of a customer or firm employee. Accounts have also been breached through fake electronic instructions (e.g., email requests for funds transmittals). Since this type of illicit activity can raise both investor protection and market integrity concerns, it is essential that firms use reasonable measures to protect customer information and assets. FINRA Rule 3110 specifically requires firms to adopt procedures concerning transmittals of customer funds that include a means of customer confirmation.

If a Customer's Account or Data is Compromised

  • Contact your FINRA Coordinator and the SEC immediately.
  • Review this Checklist to determine next steps.
  • You may need to contact state and other relevant regulatory authorities. State laws may require specific reporting procedures.
  • Consider whether or not the incident should be reported to FinCEN as a suspicious activity.

Related: Cybersecurity

  • Distributed Denial of Service (DDoS) Attacks on Member Firms (June 19, 2015)
  • SEC Approves New Supervision Rules (March 19, 2014)
  • SEC Requests Broker-Dealers Make SARs and SAR Information Available to FINRA (February 10, 2012)
  • Verification of Emailed Instructions to Transmit or Withdraw Assets From Customer Accounts (January 26, 2012)
  • Verification of Instructions to Transmit or Withdraw Assets from Customer Accounts (November 13, 2009)
  • FINRA Clarifies Guidance Relating to SEC Regulation S-P under Notice to Members 07-06 (Special Considerations When Supervising Recommendations of Newly Associated Registered Representatives to Replace Mutual Funds and Variable Products) (August 13, 2007)
  • SEC Approves Rule 2342 Setting Forth Requirements for Providing SIPC Information to Customers (June 8, 2007)
  • NASD Reminds Members of Their Obligations Relating to the Protection of Customer Information (July 28, 2005)
  • Members' Responsibilities When Outsourcing Activities to Third-Party Service Providers (July 22, 2005)
  • Treasury Issues Final Suspicious Activity Reporting Rule for Broker/Dealers (August 12, 2002)
  • NASD Provides Guidance to Member Firms Concerning Anti-Money Laundering Compliance Programs Required by Federal Law (April 10, 2002)
  • NASD Regulation Withdraws Proposed Rule Regarding Confidential Customer Financial Information; SEC Issues Regulation S-P, "Privacy of Consumer Financial Information" (September 11, 2000)
Targeted Examination Letter
FINRA is conducting an assessment of firms’ approaches to managing cyber-security threats. FINRA is conducting this assessment in light of the critical role information technology (IT) plays in the securities industry, the increasing threat to firms’ IT systems from a variety of sources, and the potential harm to investors, firms, and the financial system as a whole that these threats pose.
January 1, 2014
Guidance
What should a firm do after it discovers that a customer’s account has been compromised?

Guidance
The Red Flags Rule requires that each "financial institution" or "creditor" (which include most member firms) implement a written program to detect, prevent and mitigate identity theft in connection with the opening or maintenance of "covered accounts."

Investor Alert
FINRA is updating this Alert to tell you about some of the latest online identity theft scams targeting financial sector customers and to provide tips for spotting and avoiding these scams.
Investor Alert
FINRA is issuing this Alert to warn the public about a recent auction rate securities (ARS) “phishing” scam that promises compensation from ARS settlements in exchange for personal information. The email looks like it originated from FINRA—although it did not.
Investor Alert
Recently, FINRA has received reports that scamsters are posing as employees of at least one well-known brokerage firm to obtain personal information. In a new twist to Internet "phishing schemes," which use spam email to lure you into revealing everything from Social Security numbers to financial account information, it appears that some fraudsters may be resorting to a time-tested method—the telephone call.
Investor Alert
Information technology (IT) plays a critical role in the securities industry. Unfortunately, cyber threats to the information and computer systems of brokerage firms are increasing, and with these threats comes the risk of potential harm to investors.
Investor Alert
FINRA has received an increasing number of reports involving investor funds being stolen by fraudsters who first gain access to the investor’s email account and then email instructions to the firm to transfer money out of the brokerage account. In addition to issuing a Regulatory Notice to firms, we are issuing this Alert to warn investors about the potential financial consequences of a compromised email account and to provide tips for safeguarding your assets.
Podcast
In the most serious cases, a compromised email account can lead not only to identity theft, but also to theft of your money. That’s why one of the most important first steps you should take if your email account has been hacked is to notify your brokerage firm and other financial institutions.
Investor Alert
Your brokerage firm has an obligation to safeguard your personal financial information. And every investor should take time to understand their firm’s cybersecurity procedures. But even the best procedures cannot prevent all instances of identity theft—especially if the vulnerability lies with you, the customer. Here are critical steps you can take to safeguard your financial accounts and help prevent identity theft.
Podcast
The Internet and, more recently, wireless technology have made it easy for investors to check brokerage account information and initiate investment transactions on the go. Investors should take precautions to help ensure the security of their brokerage accounts. Not doing so puts your account information and investments at risk.
Investor Alert
The Internet and, more recently, wireless technology have made it easy for investors to check brokerage account information and initiate investment transactions on the go. We are issuing this Alert to warn investors to take precautions to help ensure the security of their brokerage accounts. Not doing so puts your account information and investments at risk.