Customer Information Protection
Protection of financial and personal customer information is a key responsibility and obligation of FINRA member firms. Under the SEC’s Regulation S-P, firms are required to have policies and procedures addressing the protection of customer information and records. This includes protecting against any anticipated threats or hazards to the security or integrity of customer records and information and against unauthorized access to or use of customer records or information.
Firms should be aware that customer information and records can be compromised in a variety of ways. This is especially true for firms that offer online, Web-based access to trading platforms and customer account information. Firms must understand and address the potential risks of brokerage account intrusions, whereby an unauthorized person gains access to a customer account and either steals available assets or misuses the account to manipulate the market. Intrusions are generally accomplished through the theft of the login credentials of a customer or firm employee.
Since this type of illicit activity can raise both investor protection and market integrity concerns, it is essential that firms use reasonable measures to protect customer information and assets.
If a Customer's Account or Data Is Compromised
|National Conference of State Legislatures List of State Security Breach Notification Laws||Link||02-19-2015|
|SEC Staff Responses to Questions about Regulation S-P||Link||02-19-2015|
|Identity Theft Red Flags Rule: A Small Entity Compliance Guide||Link||02-19-2015|
|SEC Chair Mary Jo White, “Opening Statement at SEC Roundtable on Cybersecurity”||Speech / Testimony||02-19-2015|
|SEC Commissioner Luis A. Aguilar: The Commission’s Role in Addressing the Growing Cyber-Threat|
SEC Commissioner Luis A. Aguilar, “The Commission’s Role in Addressing the Growing Cyber-Threat,” Statement at SEC Roundtable on Cybersecurity
|SEC Office of Compliance Inspections and Examinations (OCIE) Cybersecurity Initiative||Link||02-19-2015|
|Tips from US-CERT||Link||02-19-2015|
|Federal Financial Institutions Examination Council's (FFIEC) Guidance on Authentication in Internet Banking Environment||Link||02-19-2015|
|FTC Guide for Businesses on Protecting Personal Information||Link||02-18-2015|
|FTC Data Security||Link||02-18-2015|
|U.K. Financial Conduct Authority (FCA) Data Security Page||Link||02-18-2015|
|U.K. FCA Data Security and Consumer Communications||Link||02-18-2015|
|FTC Model Consumer Privacy Notice Online Form Builder||Link||02-18-2015|
|FFIEC Supplement to Authentication in an Internet Banking Environment||Link||02-18-2015|
|Financial Services- Information Sharing and Analysis Center||Link||02-18-2015|
|FTC Identity Theft Site||Link||02-18-2015|
|National Cyber-Forensics & Training Alliance||Link||02-18-2015|
|SEC Identity Theft Red Flags Rule Template|
SEC Identity Theft Red Flags Rule Template SEC Identity Theft Red Flags Rule Template Identity Theft Red Flags Rule Template Important: If you choose to use this template as a guide, you must adapt it to reflect your individual firm. Without the analysis and modification required to fit your firm’s
|Tool / Resource||07-21-2014|
|Regulatory Notice 14-10|
SEC Approves New Supervision Rules
|Sweeps Letter- Cybersecurity|
FINRA is conducting an assessment of firms’ approaches to managing cyber-security threats. FINRA is conducting this assessment in light of the critical role information technology (IT) plays in the securities industry, the increasing threat to firms’ IT systems from a variety of sources, and the potential harm to investors, firms, and the financial system as a whole that these threats pose.
|Regulatory Notice 12-05|
Verification of Emailed Instructions to Transmit or Withdraw Assets From Customer Accounts
|Regulatory Notice 07-36|
FINRA Clarifies Guidance Relating to SEC Regulation S-P under Notice to Members 07-06 (Special Considerations When Supervising Recommendations of Newly Associated Registered Representatives to Replace Mutual Funds and Variable Products)
|Notice to Members 05-49|
NASD Reminds Members of Their Obligations Relating to the Protection of Customer Information
|Firm Identity Protection|
FINRA has created this page to educate member firms on “Firm Identity Theft”.