Customer Information Protection
Protection of financial and personal customer information is a key responsibility and obligation of FINRA member firms. Under the SEC’s Regulation S-P, firms are required to have policies and procedures addressing the protection of customer information and records. This includes protecting against any anticipated threats or hazards to the security or integrity of customer records and information and against unauthorized access to or use of customer records or information. The rule also requires firms to provide initial and annual privacy notices to customers describing information sharing policies and informing customers of their rights.
Additionally, Regulation S-ID requires member firms that offer or maintain covered accounts to develop and implement written identity theft prevention programs.
Firms should be aware that customer information and records can be compromised in a variety of ways. This is especially true for firms that offer online, Web-based access to trading platforms and customer account information. Firms must understand and address the potential risks of brokerage account intrusions, whereby an unauthorized person gains access to a customer account and either steals available assets or misuses the account to manipulate the market.
Intrusions are generally accomplished through the theft of the login credentials of a customer or firm employee. Accounts have also been breached through fake electronic instructions (e.g., email requests for funds transmittals). Since this type of illicit activity can raise both investor protection and market integrity concerns, it is essential that firms use reasonable measures to protect customer information and assets. FINRA Rule 3110 specifically requires firms to adopt procedures concerning transmittals of customer funds that include a means of customer confirmation.
If a Customer's Account or Data is Compromised
- Contact your FINRA Coordinator and the SEC immediately.
- Review this Checklist to determine next steps.
- You may need to contact state and other relevant regulatory authorities. State laws may require specific reporting procedures
- Consider whether or not the incident should be reported to FinCEN as a suspicious activity.