Customer Information Protection

Protection of financial and personal customer information is a key responsibility and obligation of FINRA member firms. Under the SEC’s Regulation S-P, firms are required to have policies and procedures addressing the protection of customer information and records. This includes protecting against any anticipated threats or hazards to the security or integrity of customer records and information and against unauthorized access to or use of customer records or information. The rule also requires firms to provide initial and annual privacy notices to customers describing information sharing policies and informing customers of their rights.

Additionally, Regulation S-ID requires member firms that offer or maintain covered accounts to develop and implement written identity theft prevention programs.

Firms should be aware that customer information and records can be compromised in a variety of ways. This is especially true for firms that offer online, Web-based access to trading platforms and customer account information. Firms must understand and address the potential risks of brokerage account intrusions, whereby an unauthorized person gains access to a customer account and either steals available assets or misuses the account to manipulate the market.

Intrusions are generally accomplished through the theft of the login credentials of a customer or firm employee. Accounts have also been breached through fake electronic instructions (e.g., email requests for funds transmittals). Since this type of illicit activity can raise both investor protection and market integrity concerns, it is essential that firms use reasonable measures to protect customer information and assets. FINRA Rule 3110 specifically requires firms to adopt procedures concerning transmittals of customer funds that include a means of customer confirmation.

If a Customer's Account or Data is Compromised

Contact your FINRA Coordinator and the SEC immediately.
Review this Checklist to determine next steps.
You may need to contact state and other relevant regulatory authorities. State laws may require specific reporting procedures
Consider whether or not the incident should be reported to FinCEN as a suspicious activity.

Contact OGC

FINRA's Office of General Counsel (OGC) staff provides broker-dealers, attorneys, registered representatives, investors and other interested parties with interpretative guidance relating to FINRA’s rules. Please see Interpreting the Rules for more information.

OGC staff contact:
Jeanette Wingler
FINRA, OGC
1735 K Street, NW
Washington, DC 20006
(202) 728-8000

Related: Cybersecurity

FINRA Rules
2266. SIPC Information
FINRA Rules
3110. Supervision

Information Notice – 6/19/15
Distributed Denial of Service (DDoS) Attacks on Member Firms
06/19/2015
Regulatory Notice 14-10
SEC Approves New Supervision Rules
03/19/2014
Regulatory Notice 12-08
SEC Requests Broker-Dealers Make SARs and SAR Information Available to FINRA
02/10/2012
Regulatory Notice 12-05
Verification of Emailed Instructions to Transmit or Withdraw Assets From Customer Accounts
01/26/2012
Regulatory Notice 09-64
Verification of Instructions to Transmit or Withdraw Assets from Customer Accounts
11/13/2009
Regulatory Notice 07-36
FINRA Clarifies Guidance Relating to SEC Regulation S-P under Notice to Members 07-06 (Special Considerations When Supervising Recommendations of Newly Associated Registered Representatives to Replace Mutual Funds and Variable Products)
08/13/2007
Notice to Members 07-29
SEC Approves Rule 2342 Setting Forth Requirements for Providing SIPC Information to Customers
06/08/2007
Notice to Members 05-49
NASD Reminds Members of Their Obligations Relating to the Protection of Customer Information
07/28/2005
Notice to Members 05-48
Members' Responsibilities When Outsourcing Activities to Third-Party Service Providers
07/22/2005
Notice to Members 02-47
Treasury Issues Final Suspicious Activity Reporting Rule for Broker/Dealers
08/12/2002

Guidance
FINRA Provides Update on Sweep: Social Media Influencers, Customer Acquisition and Related Information Protection
This follow-up to the September 2021 targeted exam (sweep) of firms’ practices related to their acquisition of customers through social media channels and their sharing of customers’ usage information with affiliates and non-affiliated third parties summarizes selected practices FINRA has observed firms implement to this point in the sweep.
February 28, 2023
2023 Report on FINRAs Examination and Risk Monitoring Program
Anti-Money Laundering, Fraud and Sanctions
The Anti-Money Laundering, Fraud and Sanctions section of the 2023 Report on FINRA’s Examination and Risk Monitoring Program (the Report) informs member firms’ compliance programs by providing annual insights from FINRA’s ongoing regulatory operations, including (1) regulatory obligations and related considerations, (2) findings and effective practices, and (3) additional resources.
January 10, 2023
2023 Report on FINRAs Examination and Risk Monitoring Program
Cybersecurity and Technology Governance
The Cybersecurity and Technology Governance section of the 2023 Report on FINRA’s Examination and Risk Monitoring Program (the Report) informs member firms’ compliance programs by providing annual insights from FINRA’s ongoing regulatory operations, including (1) regulatory obligations and related considerations, (2) observations and effective practices, and (3) additional resources.
January 10, 2023
2022 Report on FINRAs Examination and Risk Monitoring Program
Anti-Money Laundering
The Anti-Money Laundering section of the 2022 Report on FINRA’s Risk Monitoring and Examination Activities (the Report) informs member firms’ compliance programs by providing annual insights from FINRA’s ongoing regulatory operations, including (1) relevant regulatory obligations and related considerations, (2) exam findings and effective practices, and (3) additional resources.
February 09, 2022
2022 Report on FINRAs Examination and Risk Monitoring Program
Cybersecurity and Technology Governance
The Cybersecurity and Technology Governance section of the 2022 Report on FINRA’s Risk Monitoring and Examination Activities (the Report) informs member firms’ compliance programs by providing annual insights from FINRA’s ongoing regulatory operations, including (1) relevant regulatory obligations and related considerations, (2) exam findings and effective practices, and (3) additional resources.
February 09, 2022
2021 Report on FINRAs Examination and Risk Monitoring Program
Anti-Money Laundering
The Anti-Money Laundering (AML) section of the 2021 Report on FINRA’s Risk Monitoring and Examination Activities (the Report) informs member firms’ compliance programs by providing annual insights from FINRA’s ongoing regulatory operations, including (1) relevant regulatory obligations and related considerations, (2) exam findings and effective practices, and (3) additional resources.
February 01, 2021
2019 Exam Findings Report
Observations on Cybersecurity
The Observations on Cybersecurity section of the 2019 Report on Exam Findings informs member firms’ compliance programs by describing recent findings and observations from FINRA’s examinations, and, in certain cases, also providing a summary of effective practices.
October 16, 2019
2017 Exam Findings Report
Cybersecurity
The Cybersecurity section of the 2017 Report on Exam Findings informs member firms’ compliance programs by describing recent findings and observations from FINRA’s examinations, and, in certain cases, also providing a summary of effective practices.
December 06, 2017
Guidance
Targeted Examination Letter on Cybersecurity
FINRA is conducting an assessment of firms’ approaches to managing cyber-security threats. FINRA is conducting this assessment in light of the critical role information technology (IT) plays in the securities industry, the increasing threat to firms’ IT systems from a variety of sources, and the potential harm to investors, firms, and the financial system as a whole that these threats pose.
January 01, 2014
2021 Report on FINRAs Examination and Risk Monitoring Program
Cybersecurity and Technology Governance
The Cybersecurity and Technology Governance section of the 2021 Report on FINRA’s Risk Monitoring and Examination Activities (the Report) informs member firms’ compliance programs by providing annual insights from FINRA’s ongoing regulatory operations, including (1) relevant regulatory obligations and related considerations, (2) exam findings and effective practices, and (3) additional resources.
Compliance Tools
Firm Checklist for Compromised Accounts
What should your firm do after it discovers that customers’ accounts have been compromised?
Guidance
Firm Identity Protection
FINRA has created this page to educate member firms on “Firm Identity Theft”.
Guidance
SEC Identity Theft Red Flags Rule
The Red Flags Rule requires that each "financial institution" or "creditor" --which include most member firms--implement a written program to detect, prevent and mitigate identity theft in connection with the opening or maintenance of "covered accounts."

FINRA Fines E*Trade Securities LLC $900,000 for Supervisory Violations Related to Best Execution and Protection of Customer Order Information
June 02, 2016
FINRA Fines Morgan Stanley Smith Barney and Scottrade a Total of $950,000 for Failing to Supervise the Transmittal of Customer Funds to Third-Party Accounts
June 22, 2015
FINRA Issues New Investor Alert, Cold Calls From Brokerage Firm Imposters—Beware of Old-Fashioned Phishing
August 06, 2013
FINRA Warns Investors of Email Hack Attacks
January 26, 2012
FINRA Warns Public of Scam Using Fake FINRA Emails in "Phishing" Scheme
October 05, 2009

Investor Education
Phishing Scams: Stay Clear of the Bait
Phishing scams typically involve emails that falsely claim to be from a financial institution, credit card company or other familiar organization or service. Most of these emails attempt to lure you into providing sensitive personal information by requesting that you reply to the email or click on a link that mimics a legitimate website.