Reports of online takeovers of customers’ broker-dealer accounts are growing in number, while some broker-dealers are lagging in their cybersecurity procedures. FINRA just published Regulatory Notice 21-18, “FINRA Shares Practices Firms Use to Protect Customers From Online Account Takeover Attempts.” Our firm was out ahead of this regulatory notice, representing clients in arbitrations where the customers’ accounts were fraudulently taken over. One of these will be arbitrated in June.
In the case we have coming up for arbitration, the broker-dealer denied liability despite its weak cybersecurity procedures, relying on a provision in the client agreement that basically attempted to place all liability for account takeovers on the customer. We believe this is in violation of securities regulations in the Code of Federal Regulations, as well as Uniform Commercial Code provisions adopted by many states.
As noted previously, some firms are lagging in their cybersecurity procedures. Customer accounts with some firms are only protected by a password, while additional security measures are being used by other firms, such as:
(1) Multifactor authentication: “Unlike single-factor authentication (e.g. a password), MFA uses two or more different types of factors or secrets – such as a password and a code sent via a Short Message Service (SMS) text message or an authentication app – which significantly reduces the likelihood that the exposure of a single credential will result in account compromise.” Regulatory Notice 21-18.
(2) Adaptive authentication: This system requires the customer to provide additional proof of identity when a higher risk level is detected.
(3) Supplemental authentication factors: “There are a variety of factors that firms and vendors may incorporate into their authentication system and processes to verify a customer’s identity, including:
- SMS text message codes;
- Phone call verifications;
- Media access control (MAC) addresses;
- Geolocation information;
- Third-party authenticator apps; and
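As an added illustration (not from this post, FINRA, or any firm's system), the following Python sketch shows how the three measures above fit together in a login decision: a password alone never grants access, a second factor is always required, and an adaptive step-up demands supplemental verification when the login comes from an unfamiliar country or device. The scoring weights, threshold, and profile fields are assumptions for the example.

```python
from dataclasses import dataclass
from typing import Optional, Set

# Assumed risk weights and step-up threshold (not values from the notice).
UNKNOWN_COUNTRY_WEIGHT = 2
UNKNOWN_DEVICE_WEIGHT = 1
STEP_UP_THRESHOLD = 2


@dataclass
class CustomerProfile:
    """What the firm already knows about the customer's normal access pattern."""
    known_countries: Set[str]
    known_devices: Set[str]


@dataclass
class LoginAttempt:
    """Constructed login context; mfa_ok is None when no second factor was presented."""
    password_ok: bool
    country: str
    device_id: str
    mfa_ok: Optional[bool] = None


def risk_score(profile: CustomerProfile, attempt: LoginAttempt) -> int:
    """Adaptive-authentication signal: higher when geolocation or device is unfamiliar."""
    score = 0
    if attempt.country not in profile.known_countries:
        score += UNKNOWN_COUNTRY_WEIGHT
    if attempt.device_id not in profile.known_devices:
        score += UNKNOWN_DEVICE_WEIGHT
    return score


def evaluate_login(profile: CustomerProfile, attempt: LoginAttempt) -> str:
    """Return 'deny', 'challenge_mfa', 'challenge_supplemental', or 'allow'."""
    if not attempt.password_ok:
        return "deny"                       # single factor failed
    if attempt.mfa_ok is None:
        return "challenge_mfa"              # password alone is never sufficient
    if not attempt.mfa_ok:
        return "deny"                       # wrong second factor
    if risk_score(profile, attempt) >= STEP_UP_THRESHOLD:
        return "challenge_supplemental"     # adaptive step-up, e.g. phone call verification
    return "allow"
```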
If you are a victim of an account takeover, you need to look into the remedies available to you.