Protection of financial and personal customer
information is a key responsibility and obligation of FINRA member firms. Under the SEC’s Regulation S-P, firms are required to have policies and procedures addressing the protection of customer information and records. This includes protecting against any anticipated threats or hazards to the security or integrity of customer records
and information and against unauthorized access to or use of customer records or information. The rule also requires firms to provide initial and annual privacy notices to customers describing information sharing policies and informing customers of their rights. Additionally, Regulation S-ID requires member firms that offer or maintain
covered accounts to develop and implement written identity theft prevention programs. Firms should be aware that customer information and records can be compromised in a variety of ways. This is especially true for firms that offer online, Web-based access to trading platforms and customer account information. Firms must understand and address the potential risks of brokerage account intrusions, whereby an unauthorized person gains access to a customer account and either steals available
assets or misuses the account to manipulate the market. Intrusions are generally accomplished through the theft of the login credentials of a customer or firm employee. Accounts have also been breached through fake electronic instructions (e.g., email requests for funds transmittals). Since this type of illicit activity can raise both investor protection and market integrity concerns, it is essential that firms use reasonable measures to protect customer information and assets.
FINRA Rule 3110 specifically requires firms to adopt procedures concerning transmittals of customer funds that include a means of customer confirmation. The Cybersecurity and Technology Governance and Anti-Money Laundering sections of the 2022 Report on FINRA’s Risk Monitoring and Examination Activities (the Report) inform member
firms’ compliance programs by providing annual insights from FINRA’s ongoing regulatory operations, including (1) relevant regulatory obligations and related considerations, (2) exam findings and effective practices, and (3) additional resources. FINRA's Office of General Counsel (OGC) staff provides broker-dealers, attorneys, registered representatives, investors and other interested parties with interpretative guidance relating to FINRA’s rules. Please see
Interpreting the Rules for more information.

Related:
Cybersecurity
Distributed Denial of Service (DDoS) Attacks on Member Firms (06/19/2015)
SEC Approves New Supervision Rules (03/19/2014)
SEC Requests Broker-Dealers Make SARs and SAR Information Available to FINRA (02/10/2012)
Verification of Emailed Instructions to Transmit or Withdraw Assets From Customer Accounts (01/26/2012)
Verification of Instructions to Transmit or Withdraw Assets from Customer Accounts (11/13/2009)
FINRA Clarifies Guidance Relating to SEC Regulation S-P under Notice to Members 07-06 (Special Considerations When Supervising Recommendations of Newly Associated Registered Representatives to Replace Mutual Funds and Variable Products) (08/13/2007)
SEC Approves Rule 2342 Setting Forth Requirements for Providing SIPC Information to Customers (06/08/2007)
NASD Reminds Members of Their Obligations Relating to the Protection of Customer Information (07/28/2005)
Members' Responsibilities When Outsourcing Activities to Third-Party Service Providers (07/22/2005)
Treasury Issues Final Suspicious Activity Reporting Rule for Broker/Dealers (08/12/2002)
When should privacy notices be provided?
You must provide an "initial notice" by the time the customer relationship is established. If this would substantially delay the customer's transaction, you may provide the notice within a reasonable time after the customer relationship is established, but only if the customer agrees.

How often must a customer receive a privacy notice?
A financial institution must provide an annual notice at least once in any period of 12 consecutive months during the continuation of the customer relationship unless an exception to the annual privacy notice requirement applies. Generally, new privacy notices are not required for each new product or service.

When must a financial institution provide a customer with a privacy notice?
Section 216.10(a)(1) of the Privacy Rule provides that a financial institution may not share a consumer's nonpublic personal information unless the institution has given the consumer an initial privacy notice, an opt out notice, and a reasonable opportunity to opt out, and the consumer has not opted out.

Are privacy notices required for consumers?
(a) How to provide notices. You must provide any privacy notices and opt out notices, including short-form initial notices, that this part requires so that each consumer can reasonably be expected to receive actual notice in writing or, if the consumer agrees, electronically.