Firm Checklist for Compromised Accounts

What steps could your firm consider after it discovers that customers’ accounts have been compromised?

A firm may consider the following practices if it learns that an unauthorized person may have gained access to customer accounts or attempted to gain access to customer accounts. This checklist is not exhaustive, and a firm may need to take additional steps depending on the nature or cause of the intrusion, the firm’s business model and customer base, shifting security threats and changes in compliance with state and federal laws.

Identify the number of accounts and types of information that may have been exposed. For email account take overs, identify sensitive information that may have been exposed in the mailbox text or attachments.
Monitor the customer account(s) for suspicious activity and money movement. Preserve relevant evidence e.g.: systems logs, configuration settings, Internet Protocol (IP) addresses with time stamps, device identifiers and other cyber-event information. ¹
Contact affected customers and follow your firm’s procedures for making customers whole, which may include providing credit monitoring services to customers, and prompting password changes, and changing account numbers, where appropriate.
Notify relevant staff in your firm (e.g., Legal, Compliance, Anti-Money Laundering, Fraud Prevention and Cybersecurity personnel, if applicable) to review relevant firm procedures and legal and regulatory requirements applicable to your firm and evaluate for any other unusual activity in other customer accounts. Firms may want to consider designating in advance a specific individual or department to serve as a central contact for questions about account intrusions.
Identify, if possible, and document the root cause of the account intrusion (e.g., your firm’s system was compromised, customer accounts were hacked, or customers were victims of identity theft) and determine whether the intrusion is limited or whether it may be more widespread.
Evaluate whether the use of outside legal counsel or cybersecurity or technology consulting support and guidance would be helpful for your firm as it responds to the intrusion.
If your firm is not self-clearing, notify your clearing firm about the situation.
Consider updating written supervisory procedures (WSPs) and staff training based on lessons learned.

Suspicious Activity Reporting

Under FINRA Rule 3310(a) member firms are required to establish and implement policies and procedures that can be reasonably expected to detect and cause the reporting of suspicious transactions required under 31 U.S.C. 5318(g) and 31 CFR 1023.320 (the suspicious activity reporting rule for broker-dealers). On October 25, 2016, the Financial Crime Enforcement Network (FinCEN) issued advisory FIN-2016-A005 (“Cyber Advisory”) and a series of frequently asked questions to assist financial institutions in understanding their obligations under the BSA with respect to the reporting of cyber-events and cyber-enabled crime.² In situations where it is determined that filing a SAR involving a cyber-event is warranted, the Cyber Advisory also sets forth the information which should be included in the SAR (to the extent this information is available). This includes, for example, a description of the event and its magnitude, known or suspected time, location and characteristics of the event, indicators or compromise, relevant IP addresses and their timestamps, device identifiers, and methodologies used.

In situations involving violations that require immediate attention, such as terrorist financing or ongoing money laundering schemes, 31 CFR § 1023.320(b)(3) also requires broker-dealers to immediately notify by telephone an appropriate law enforcement authority in addition to filing timely a SAR.

Reporting Fraud and Potential Fraud

In addition to filing any required SARs, FINRA urges firms to protect customers and other firms by immediately reporting incidents and potential fraud to:

FINRA’s Regulatory Tip Form found on FINRA.org;
U.S. Securities and Exchange Commission’s tips, complaints and referral system (TCRs) or by phone at (202) 551-4790;
the Federal Bureau of Investigation’s (FBI) tip line at 800-CALLFBI (225-5324) or a local FBI office;
the Internet Crime Compliant Center (IC3) for cyber-crimes (particularly if a firm is trying to recall a wire transfer to a destination outside the United States); and
local state securities regulators.³

In addition, determine whether the firm must notify FINRA pursuant to FINRA Rule 4530 (Reporting Requirements).⁴

FINRA reminds firms that they should consider establishing and regularly testing written formal incident response plans that outline procedures for responding to cybersecurity and information security incidents, including compromised accounts. A rapid, effective response is critical to mitigate customer harm – especially when trying to retrieve funds that have been transferred (wire or ACH) outside of your firm.⁵

If your firm needs assistance, review the resources listed on FINRA’s Cybersecurity Topic Page, including Regulatory Notice 21-18 (FINRA Shares Practices Firms Use to Protect Customers From Online Account Takeover Attempts), and contact your firm’s FINRA Risk Monitoring Analyst or Member Supervision’s Cybersecurity team at [email protected].⁶

FINRA Compliance Tool Disclaimer

This optional tool is provided to assist member firms. This tool is provided as a starting point and you must tailor this tool to reflect the size and needs of your firm. Using this tool does not guarantee compliance with or create any safe harbor with respect to FINRA rules, the federal securities laws or state laws, or other applicable federal or state regulatory requirements. This tool does not create any new legal or regulatory obligations for firms or other entities.

Updates – This tool was last updated on September 5, 2023. This tool does not reflect any regulatory changes since that date. FINRA periodically reviews and update these tools. FINRA reminds member firms to stay apprised of new or amended laws, rules and regulations, and update their WSPs and compliance programs on an ongoing basis.

Member firms seeking additional guidance on certain regulatory obligations should review the relevant FINRA Topic Pages.

Staff Contact(s) – FINRA's Office of General Counsel (OGC) staff provides broker-dealers, attorneys, registered representatives, investors and other interested parties with interpretative guidance relating to FINRA’s rules. Please see Interpreting the Rules for more information.

OGC staff contacts:

Philip Shaikun and Carrie Jordan
FINRA, OGC
1700 K Street, NW
Washington, DC 20006
(202) 728-8000

¹American Bar Association, Evidence Preservation: The Key to Limiting the Scope of a Breach

² For guidance on cyber-related suspicious activity reporting, see FinCEN’s October 25, 2016 Advisory to Financial Institutions on Cyber-Events and Cyber-Enabled Crime, FinCEN’s Frequently Asked Questions (FAQs) regarding the Reporting of Cyber-Events, Cyber-Enabled Crime, and Cyber-Related Information through Suspicious Activity Reports (SARs) and FinCEN’s July 2020 Advisory on Cybercrime and Cyber-Enabled Crime Exploiting the Coronavirus Disease 2019 (COVID-19) Pandemic.

³ See North American Securities Administrations Association’s Contact Your Regulator.

⁴ For additional information about the requirements of FINRA Rule 4530 (Reporting Requirements), see Rule 4530 Reporting Requirements.

⁵ On March 15, 2023, the U.S. Securities and Exchange Commission (SEC) proposed amendments to Regulation S-P and a new cybersecurity risk management rule. If adopted as currently proposed, the Regulation S-P amendments would, among other things, require covered institutions to adopt written policies and procedures for an incident response program to address unauthorized access to or use of customer information, and to adopt written policies and procedures for providing timely notification to affected individuals whose sensitive customer information was or is reasonably likely to have been accessed or used without authorization.

If adopted as currently proposed, the new cybersecurity risk management rule would, among other things, require entities to address cybersecurity risks through policies and procedures, notification and reporting of significant cybersecurity incidents to the SEC, and public disclosures. See Securities Exchange Act Release No. 97141 (March 15, 2023), 88 FR 20616 (April 6, 2023) (Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Customer Information); Securities Exchange Act Release No. 97142 (March 15, 2023), 88 FR 20212 (April 5, 2023) (Cybersecurity Risk Management Rule for Broker-Dealers, Clearing Agencies, Major Security-Based Swap Participants, the Municipal Securities Rulemaking Board, National Securities Associations, National Securities Exchanges, Security-Based Swap Data Repositories, Security-Based Swap Dealers, and Transfer Agents).

⁶ Member firms may also wish to review Regulatory Notice 23-06 (FINRA Shares Effective Practices to Address Risks of Fraudulent Transfers of Accounts Through ACATS).