Industry Issues

Advertising
Anti-Money Laundering
Books & Records
Breakpoints
Business Continuity Planning
College Savings Plans
Customer Information Protection
Mergers Acquisitions and Business Transfers
Mutual Funds
Research Analyst Rules
Security Futures
Senior Investors
Supervisory Control
Variable Annuities

Customer Information Protection

This page contains information about firms' obligations to protect customer account information and links to resources to help firms meet those obligations.

Note: FTC's Red Flags Rule Enforcement Has Been Delayed to June 1, 2010

See also: Firm Identity Protection

Protection of financial and personal customer information is a key responsibility and obligation of FINRA member firms. Under the SEC’s Regulation S-P, firms are required to have policies and procedures addressing the protection of customer information and records. This includes protecting against any anticipated threats or hazards to the security or integrity of customer records and information and against unauthorized access to or use of customer records or information.

Firms should be aware that customer information and records can be compromised in a variety of ways. This is especially true for firms that offer online, web-based access to trading platforms. Firms must understand and address the potential risks of brokerage account intrusions, whereby an unauthorized person gains access to a customer account and either steals available assets or misuses the account to manipulate the market. Intrusions are generally accomplished through the theft of the login credentials of a customer or firm employee.

Since this type of illicit activity can raise both investor protection and market integrity concerns, it is essential that firms use reasonable measures to protect customer information and assets.

Actions to Take If a Customer Account or Data Is Compromised

Contact your FINRA Coordinator and the SEC immediately. You may need to contact state and other relevant regulatory authorities.
Review this Checklist to determine what firms should do in the event an account is compromised.

Regulatory Notices

Regulations and Rules

The following section lists some of the rules and regulations concerning the protection of customer information that firms should be familiar with. This list is not comprehensive, and it is the responsibility of each firm to research all applicable laws and rules, review their most recent versions, and consider their applicability to the particular firm.

Regulation S-P: Privacy of Consumer Financial Information
Supervision Rules
- NASD Supervision Rule 3010
- NYSE Approval, Supervision and Control Rule 342
- FINRA Regulatory Notice 08-24: Proposed Consolidated FINRA Rules Governing Supervision and Supervisory Controls
State and Local Laws and Regulations
- National Conference of State Legislators’ listing of state notification requirements
  This site may not be updated or comprehensive. It is the responsibility of each firm to research all applicable state requirements.
- State and Local Laws and Regulations are not uniform. All broker-dealers must have policies and procedures reasonably designed to prevent and detect violations of the laws and regulations of the jurisdictions in which they operate.
The Federal Trade Commission and the Federal Financial Institution Regulatory Agencies
- Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003; Final Rule

Educational and Information Resources

News Releases and Speeches

Other Helpful Sources of Information

Federal Trade Commission (FTC)
Guidance on Authentication in Internet Banking Environment- Federal Financial Institutions Examination Council's (FFIEC)
Financial Services - Information Sharing and Analysis Center
National Cyber-Forensics & Training Alliance
Report on Data Security in Financial Services - United Kingdom Financial Services Authority