The Financial Industry Regulatory Authority (FINRA) recently published Regulatory Notice 21-18 about roundtable discussions with 20 firms of various sizes and business models concerning customer account takeover incidents.
Account takeover (ATO) incidents involve “bad actors using compromised customer information, such as login credentials, to gain unauthorized entry to customers’ online brokerage accounts.” As such, ATO incidents can present significant risks to customers’ assets and personal information as well as risk to broker-dealers’ systems.
In Regulatory Notice 21-18 (the Notice), FINRA noted a proliferation of ATO incidents as member firms offer and customers exclusively use or, as part of their overall interactions with a firm, access online brokerage accounts, especially through the use of mobile devices and apps. While online access to brokerage accounts has advantages, it also presents additional risks. Broker-dealers should therefore evaluate the practices discussed in the Notice against their own risk mitigation practices and policies and make enhancements as appropriate.
Based on the existing regulatory framework, FINRA focuses on firms’ account opening and fund transfer oversight, including policies and procedures. FINRA identifies common challenges to protecting customer accounts within the existing framework, but also highlights practices member firms are using to protect customer accounts. We discuss those below.
In addition to the practices FINRA highlights in the Notice, we urge all broker-dealers to regularly test their systems, as well as the effectiveness of their procedures and practices, to confirm that they will effectively repel ATO attempts. In the event of an ATO resulting in takeovers of customer accounts by “bad actors,” no matter how comprehensive a firm’s policies, procedures, and practices are for detecting and preventing ATOs, the firm will be subject to extensive regulatory scrutiny.
The practices highlighted by FINRA in the Notice are discussed below.
Verifying Customers’ Identities When Establishing Online Accounts
During the customer onboarding process, firms validate information and documents provided through “likeness checks” and by requesting additional documents to validate a customer’s identity. Some firms do this internally, and others rely on third-party vendors to perform this validation. In either case, the member firm must provide appropriate oversight over the process.
Authenticating Customers’ Identities During Login Attempts
In order to authenticate customer identities during login attempts, many firms use multifactor authentication (MFA) as a key control to significantly mitigate against ATO attacks. In addition, firms use adaptive authentication, which assesses the risk associated with a customer login. For example, additional information from the customer may be required when the login attempt is made from a new device or a different location than usual. Some firms use supplemental authentication factors, such as SMS text message codes, to verify a customer’s identity, as well. Many firms also require additional customer identity validation in connection with higher-risk transactions involving, for example “abnormally large withdrawals” or penny stock transactions.
Back-End Monitoring and Controls Through Ongoing Surveillance
Firms also use ongoing surveillance to detect and mitigate ATO attacks. These practices include monitoring customer accounts for significant increases in failed login attempts or frequent transfers of funds in and out of the accounts. Firms also conduct reviews when there are significant increases in failed login attempts across multiple customer accounts associated with the same person. Some firms require a confirmation phone call to the customer using an established phone number when there is a request to move significant funds from the account. Additional controls are discussed in the Notice, such as “monitoring emails for red flags of social engineering” or “scanning the dark web for keywords or data that could be used by bad actors in facilitating an ATO.”
Procedures for Investigating Potential or Reported Customer ATOs
Many firms use a dedicated fraud group to investigate reported customer ATOs. Whether or not there is such a dedicated group, FINRA notes in the Notice that firms should proactively assess all of a customer’s accounts when potentially problematic activity arises in one account held by the customer, and have a plan that involves prompt and ongoing communication with customers about these efforts.
Automated ATO Threat Detection
Some firms use automated processes to detect potential ATOs. These include tools to prevent credential stuffing attacks, i.e., the use of illegally acquired information to access multiple user accounts, such as isolating suspicious IPs and implementing geographic-based controls. FINRA does not address whether automatic threat detection, no matter how sophisticated, would be adequate without additional review and analysis to assess the scale of potential or actual breaches and ATOs.
Restoring Customer Account Access After Possible or Actual ATOs
In the face of potential ATOs, FINRA recognizes in the Notice that firms must balance the need to quickly restore legitimate customer account access—for instance, when a customer forgets a password—with protecting a customer from a potential ATO. Because of the attendant risks, many firms have introduced MFA or require customers to contact a call center to answer security questions as an additional layer of protection when restoring customer account access.
Investor Education About How to Prevent ATOs
Investor education is always an important component of a reasonably designed supervision system, and based on the Notice, it appears that FINRA encourages the efforts of member firms to provide educational materials about cybersecurity threats frequently, including during the onboarding process, through periodic email or text alerts to customers (per their selections), and online through the firm’s website.
The Notice provides useful guidance into practices that FINRA appears to view as effective for preventing and mitigating against potential ATO attacks. Firms should consider the full set of practices identified in the Notice to evaluate their own ATO incident practices and policies and to make enhancements as appropriate to their businesses. Once ATO incident practices and policies are implemented, firms should regularly test their systems to detect and address potential weaknesses that could facilitate ATOs.
If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following Morgan Lewis lawyers:
 As described in the Notice, MFA requires two or more “factors or secrets” in order to successfully log into an account, thereby making unauthorized access more difficult for bad actors.
 Reg. Notice 21-18 at 7.