Regulatory Notice 21-18
Summary
FINRA has received an increasing number of reports regarding customer account takeover (ATO) incidents, which involve bad actors using compromised customer information, such as login credentials (i.e., username and password), to gain unauthorized entry to customers’ online brokerage accounts.
To help firms prevent, detect and respond to such attacks, FINRA recently organized roundtable discussions with representatives from 20 firms of various sizes and business models to discuss their approaches to mitigating the risks from ATO attacks.
This Notice outlines the recent increase in ATO incidents; reiterates firms’ regulatory obligations to protect customer information; and discusses common challenges firms identified in safeguarding customer accounts against ATO attacks, as well as practices they find effective in mitigating risks from ATOs—including recent innovations—which firms may consider for their cybersecurity programs.
This Notice does not create new legal or regulatory requirements, or new interpretations of existing requirements. A firm’s cybersecurity program should be reasonably designed and tailored to the firm’s risk profile, business model and scale of operations. There should be no inference that FINRA requires firms to implement any specific practices described in this Notice.
Questions regarding this Notice should be directed to: