FINRA highlighted practices that firms have found effective for mitigating the risks of customer account takeovers ("ATOs"), i.e., criminals gaining unauthorized access to customers' online accounts.

In its Notice, FINRA reported a substantial increase in ATO incidents due to an increase in the number of online accounts and the availability of customer information on the "dark web." In light of the increased risk of ATOs, FINRA reaffirmed rules that obligate broker-dealers to protect their customers' accounts, including FINRA Rules 2090 ("Know Your Customer"), 3310 ("Anti-Money Laundering Compliance Program") and 4512 ("Customer Account Information"), Regulation S-P ("Privacy of Consumer Financial Information and Safeguarding Personal Information"), and the requirement that firms have a Customer Identification Program.

FINRA acknowledged the challenges firms face as they (i) balance factors of security with customer experience and (ii) strengthen efforts to detect and prevent attempts by bad actors to log into customers' accounts, transfer funds or carry out fraudulent transactions.

Among other measures, FINRA highlighted the following practices that firms have adopted and that may reduce ATO-related risk:

  • verifying customer identities upon the creation of an online account, including validating addresses, social security numbers and information from credit bureaus;
  • authenticating customer identities upon multiple login attempts, including (i) multifactor authentication, (ii) adaptive authentication and (iii) supplemental authentication, such as text message codes and geolocation information;
  • conducting ongoing back-end monitoring of customer accounts for any anomalies;
  • establishing proactive procedures for potential or identified customer ATOs, such as (i) dedicating a fraud group solely to investigating ATOs and (ii) providing customers with a method for fast communication with firm employees;
  • adopting automated processes for the detection of potential threats, including (i) using firewalls, (ii) isolating a suspect IP address and (iii) putting in place controls based on geographic locations; and
  • educating customers on account security.

Primary Sources

  1. FINRA Regulatory Notice 21-18: FINRA Shares Practices Firms Use to Protect Customers From Online Account Takeover Attempts

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.