FINRA Publishes Helpful Notice About Online Account Takeover (ATO)

May 17, 2021

As readers of the BrokeAndBroker.com Blog know, our publisher Bill Singer is a frequent critic of many FINRA Regulatory Notices; see, for example: "FINRA Fear And Wall Street Trembling And The Financial Sickness Unto Death" (BrokeAndBroker.com Blog / April 29, 2021) http://www.brokeandbroker.com/5823/finra-financial-anxiety/. As Bill often admonishes, FINRA's effluent of endless notices unwisely diverts the focus of industry compliance staff from serious tasks, and this stress has been exacerbated by the COVID pandemic. Perhaps in response to some of Bill's recent complaints, FINRA just published the truly helpful: Cybersecurity / FINRA Shares Practices Firms Use to Protect Customers From Online Account Takeover Attempts (FINRA Regulatory Notice 21-18 / May 12, 2021) https://www.finra.org/sites/default/files/2021-05/Regulatory-Notice-21-18.pdf

After having been revived from the shock of FINRA's about-face, Bill notes that Regulatory Notice 21-18 is not another pointless "reminder" about what industry compliance professionals already know; to the contrary, the Notice shares better practices used by member firms to protect the public against online account takeover ("ATO") attempts. Thankfully, what FINRA advertised by way of a headline was delivered in full in the Notice! As has often been reported in the BrokeAndBroker.com Blog and the companion Securities Industry Commentator Feed, ATOs are a growing threat to the financial services industry. Apparently recognizing this danger, FINRA convened a roundtable at which some 20 member firms offered examples of how they were responding to ATO attacks. As such, the 12-page Notice is a useful tool for firms implementing a cybersecurity program and for enhancing policies and procedures already in play. As noted in the Report [Ed: footnotes omitted]:

Common Challenges to Protecting Customer Accounts

During the roundtable discussions with FINRA, firms discussed the following cybersecurity challenges they have encountered when safeguarding customer accounts from ATOs:

  • identifying effective methods of verifying the identities of customers who establish accounts online;
  • addressing increased volume of attempted customer ATOs;
  • preventing bad actors from transferring money in and out of customer accounts;
  • identifying when bad actors have taken over customer accounts by modifying customers' critical account information (e.g., email address, bank information) and are attempting fraudulent transactions;
  • identifying when login attempts and requests to reset account passwords are actually made by a bad actor who has taken over a customer's email account; and
  • balancing security and customer experience considerations.

The Notice covers the following topics:

  • Verifying Customers' Identities When Establishing Online Accounts
  • Authenticating Customers' Identities During Login Attempts
  • Back-End Monitoring and Controls
  • Procedures for Potential or Reported Customer ATOs
  • Automated Threat Detection
  • Restoring Customer Account Access
  • Investor Education

Industry compliance staff should set aside some time to carefully read the Report and ensure that their in-house protocol includes the pointers set out in detail. Unlike many prior FINRA notices that deal in generalities and point out problem areas but offer no solutions, FINRA Notice 21-18 has quite a bit of nuts-and-bolts advice. Compliments to FINRA on an intelligent and worthwhile report!