Firm Checklist for Compromised Accounts

What should a firm do after it discovers that a customer’s account has been compromised?

Below is a checklist of some steps that a firm may need to take if it learns that an unauthorized person may have gained entry to a customer’s brokerage account.  This checklist is not exhaustive, and a firm may need to take other steps depending on the nature or cause of the intrusion, the firm’s business model, the firm’s customer base, shifting security threats, and changes in law.

  • Monitor, limit, or temporarily suspend activity in the account until the situation is resolved.

  • Alert others in the firm (including the firm’s Legal and Compliance Department, if applicable) to be mindful of unusual activity in other customer accounts.  Firms may want to consider designating in advance a specific individual or department to serve as a central contact for questions about account intrusion.

  • Identify, if possible, the root cause of the account intrusion (e.g., the firm’s system was compromised, the individual account was hacked, the customer was the victim of identity theft) and determine whether the intrusion is isolated to one account. 

  • If the firm is not self-clearing, notify its clearing firm of the situation.

  • Contact the SEC and your FINRA Coordinator.  In the event of an account intrusion, have the following information readily available if possible:

    • Firm information (both the introducing and clearing firms involved)
      • Firm name and CRD number
      • Firm contact name and telephone number
    • Date(s) and time(s) of activity
    • IP addresses used to access the account
    • Security or securities involved (name and symbol)
    • Time and date of the activity
    • Details of the trades or unexecuted orders
    • Details concerning any wire transfer activity
    • Customer account affected by the activity, including name and account number
    • Whether the customer has been or will be reimbursed and by whom

  • If appropriate, contact law enforcement agencies, such as the FBI or, if the U.S. mail is involved, the United States Postal Inspector.

  • Contact the firm’s relevant state regulatory authorities.

  • If the firm has not already done so, contact the customer and, if appropriate, change the password and/or account number.  For more information, view ways a firm can help a customer who has been the victim of identity theft.

  • Determine whether any unauthorized person has gained access to an account holder’s personally identifiable information and, if so, whether the firm must provide a specific type of notification to the customer or others under state law regarding the loss of the customer’s information.  Some states require notice to the Attorney General or other state law enforcement agencies if a customer’s “personally identifiable financial information” has been compromised.

  • Determine whether the firm should file a Suspicious Activity Report (SAR) under the federal anti-money laundering provisions.