Firm Checklist for Compromised Accounts
What should your firm do after it discovers that customers’ accounts have been compromised?
Firms may consider the following practices if they learn that an unauthorized person may have gained access to customers’ accounts. This checklist is not exhaustive, and firms may need to take additional steps depending on the nature or cause of the intrusion, the firms’ business models and customer base, shifting security threats and changes in state and federal law.
- Monitor the affected customer accounts for suspicious activity.
- Contact affected customers and, if appropriate, reset their passwords or change their account numbers.
- Provide credit monitoring services to customers where appropriate.
- Notify relevant staff in your firm (e.g., your firm’s Legal, Compliance and Cybersecurity departments, if applicable) to review the legal and regulatory requirements applicable to your firm and to check other customer accounts for unusual activity. Firms may want to consider designating in advance a specific individual or department to serve as a central contact for questions about account intrusions.
- Identify, if possible, the root cause of the account intrusion (e.g., your firm’s system was compromised, the customers’ accounts were hacked or customers were victims of identity theft) and determine whether the intrusion is isolated to one account or whether it may be more widespread.
- Evaluate whether the use of outside legal counsel or cybersecurity or technology consulting support and guidance would be helpful for your firm as it responds to the intrusion.
- If your firm is not self-clearing, notify your clearing firm about the situation.
FINRA urges firms to protect customers and other firms by immediately reporting scams and any other potential fraud to:
- FINRA’s Regulatory Tip Form found on FINRA.org;
- U.S. Securities and Exchange Commission’s tips, complaints and referral system (TCRs) or by phone at (202) 551-4790;
- the Federal Bureau of Investigation’s (FBI) tip line at 800-CALLFBI (225-5324) or a local FBI office;
- the Internet Crime Complaint Center (IC3) for cyber-crimes (particularly if a firm is trying to recall a wire transfer to a destination outside the United States); and
- local state securities regulators.1
In addition, firms should consider whether circumstances require that the firm file a SAR2 or report pursuant to FINRA Rule 4530 (Reporting Requirements).3
FINRA reminds firms that they should consider establishing and regularly testing written formal incident response plans that outline procedures for responding to cybersecurity and information security incidents, including compromised accounts. A rapid, effective response is critical to mitigate customer harm – especially when trying to retrieve funds that have been transferred (wire or ACH) outside of your firm.
If your firm needs assistance, review the resources listed on FINRA’s Cybersecurity Topic Page, including Regulatory Notice 21-18 (FINRA Shares Practices Firms Use to Protect Customers From Online Account Takeover Attempts), and contact your firm’s FINRA Risk Monitoring Analyst or Member Supervision’s Cybersecurity team at [email protected].
FINRA Compliance Tool Disclaimer
This optional tool is provided to assist member firms. This tool is provided as a starting point and you must tailor this tool to reflect the size and needs of your firm. Using this tool does not guarantee compliance with or create any safe harbor with respect to FINRA rules, the federal securities laws or state laws, or other applicable federal or state regulatory requirements. This tool does not create any new legal or regulatory obligations for firms or other entities.
Updates – This tool was last updated on November 4, 2021. This tool does not reflect any regulatory changes since that date. FINRA periodically reviews and updates these tools. FINRA reminds member firms to stay apprised of new or amended laws, rules and regulations, and update their WSPs and compliance programs on an ongoing basis.
Member firms seeking additional guidance on certain regulatory obligations should review the relevant FINRA Topic Pages.
Staff Contact(s) – FINRA's Office of General Counsel (OGC) staff provides broker-dealers, attorneys, registered representatives, investors and other interested parties with interpretative guidance relating to FINRA’s rules. Please see Interpreting the Rules for more information.
OGC staff contacts:
1735 K Street, NW
Washington, DC 20006
1 See North American Securities Administrators Association’s Contact Your Regulator.
2 See FinCEN’s July 2020 Advisory on Cybercrime and Cyber-Enabled Crime Exploiting the Coronavirus Disease 2019 (COVID-19) Pandemic for additional guidance on filing SARs; see also FinCEN’s Frequently Asked Questions (FAQs) regarding the Reporting of Cyber-Events, Cyber-Enabled Crime, and Cyber-Related Information through Suspicious Activity Reports (SARs).
3 For additional information about the requirements of FINRA Rule 4530 (Reporting Requirements), see Rule 4530 Frequently Asked Questions.