Customer Information Protection

Protection of financial and personal customer information is a key responsibility and obligation of FINRA member firms. Under the SEC’s Regulation S-P, firms are required to have policies and procedures addressing the protection of customer information and records. This includes protecting against any anticipated threats or hazards to the security or integrity of customer records and information and against unauthorized access to or use of customer records or information.

Firms should be aware that customer information and records can be compromised in a variety of ways. This is especially true for firms that offer online, Web-based access to trading platforms and customer account information. Firms must understand and address the potential risks of brokerage account intrusions, whereby an unauthorized person gains access to a customer account and either steals available assets or misuses the account to manipulate the market. Intrusions are generally accomplished through the theft of the login credentials of a customer or firm employee.

Since this type of illicit activity can raise both investor protection and market integrity concerns, it is essential that firms use reasonable measures to protect customer information and assets.

If a Customer's Account or Data Is Compromised

Title | Type | Date
National Conference of State Legislatures List of State Security Breach Notification Laws | Link | 02-19-2015
SEC Staff Responses to Questions about Regulation S-P | Link | 02-19-2015
Identity Theft Red Flags Rule: A Small Entity Compliance Guide | Link | 02-19-2015
SEC Chair Mary Jo White, “Opening Statement at SEC Roundtable on Cybersecurity” | Speech / Testimony | 02-19-2015
SEC Commissioner Luis A. Aguilar: The Commission’s Role in Addressing the Growing Cyber-Threat
SEC Commissioner Luis A. Aguilar, “The Commission’s Role in Addressing the Growing Cyber-Threat,” Statement at SEC Roundtable on Cybersecurity
SEC Office of Compliance Inspections and Examinations (OCIE) Cybersecurity Initiative | Link | 02-19-2015
Tips from US-CERT | Link | 02-19-2015
Federal Financial Institutions Examination Council's (FFIEC) Guidance on Authentication in Internet Banking Environment | Link | 02-19-2015
FTC Guide for Businesses on Protecting Personal Information | Link | 02-18-2015
FTC Data Security | Link | 02-18-2015
Regulation S-P | Link | 02-18-2015
U.K. Financial Conduct Authority (FCA) Data Security Page | Link | 02-18-2015
U.K. FCA Data Security and Consumer Communications | Link | 02-18-2015
FTC Model Consumer Privacy Notice Online Form Builder | Link | 02-18-2015
FFIEC Supplement to Authentication in an Internet Banking Environment | Link | 02-18-2015
Financial Services - Information Sharing and Analysis Center | Link | 02-18-2015
FTC Identity Theft Site | Link | 02-18-2015
National Cyber-Forensics & Training Alliance | Link | 02-18-2015
SEC Identity Theft Red Flags Rule Template
Important: If you choose to use this template as a guide, you must adapt it to reflect your individual firm. Without the analysis and modification required to fit your firm’s situation, your Identity Theft Prevention
Tool / Resource | 07-21-2014
Regulatory Notice 14-10
SEC Approves New Supervision Rules
Sweeps Letter - Cybersecurity
FINRA is conducting an assessment of firms’ approaches to managing cyber-security threats. FINRA is conducting this assessment in light of the critical role information technology (IT) plays in the securities industry, the increasing threat to firms’ IT systems from a variety of sources, and the potential harm to investors, firms, and the financial system as a whole that these threats pose.
Regulatory Notice 12-05
Verification of Emailed Instructions to Transmit or Withdraw Assets From Customer Accounts
Regulatory Notice 07-36
FINRA Clarifies Guidance Relating to SEC Regulation S-P under Notice to Members 07-06 (Special Considerations When Supervising Recommendations of Newly Associated Registered Representatives to Replace Mutual Funds and Variable Products)
Notice to Members 05-49
NASD Reminds Members of Their Obligations Relating to the Protection of Customer Information
Firm Identity Protection
FINRA has created this page to educate member firms on “Firm Identity Theft”.