FINRA recently organized roundtable discussions with representatives from 20 firms of various sizes and business models to discuss their approaches to mitigating the risks from account takeovers. Account takeover (ATO) attempts are when bad actors use stolen or synthetic identification material to open accounts at firms, which they then use to generate or launder illicit proceeds. Regulators noted a post-pandemic rise in online account opening. These activities are particularly difficult to address because the identities are stolen, so even when a SAR is filed, the true identity of the bad actor is generally never known.
Regulatory Notice 21-18 shares a number of common challenges and noted practices used to help firms comply with their regulatory obligations, and also describes tools that help mitigate risk.
Regulatory Obligations
In this notice, FINRA reminds firms that there are rules already in place to protect sensitive client information, including:
- FINRA Rule 2090 (Know Your Customer)
- SEC Regulation S-P, Rule 30
- SEC Regulation S-ID
- Customer Identification Program (CIP)
- FINRA Rule 4512 (Customer Account Information)
- FINRA Rule 3110 (Supervision) and the Anti-Money Laundering Compliance Program requirements
Common Challenges
The notice identified a number of post-pandemic challenges that firms reported in relation to risk mitigation:
- Identifying effective methods of verifying the identities of customers who establish accounts online;
- Addressing increased volume of attempted customer ATOs;
- Preventing bad actors from transferring money in and out of customer accounts;
- Identifying when bad actors have taken over customer accounts by modifying customers’ critical account information (e.g., email address, bank information) and are attempting fraudulent transactions;
- Identifying when login attempts and requests to reset account passwords are actually made by a bad actor who has taken over a customer’s email account; and
- Balancing security and customer experience considerations.
Noted Practices
During the roundtable discussion, firms noted a risk-based approach to mitigating the common challenges, including:
Verifying Customers’ Identities When Establishing Online Accounts
- Validating customer information through likeness checks
- Asking follow-up questions or requesting supplemental documents from a reporting bureau
- Working with third-party vendors to support firms with checks and identification validation
Authenticating Customers’ Identities During Login Attempts
Multifactor authentication is not a silver bullet, but it has been shown to reduce the likelihood of successful account takeover attempts. Multifactor authentication uses two or more methods to verify identity, such as a password plus a code sent via a Short Message Service (SMS) text message or an authentication app.
Adaptive authentication is where the system assesses activities and factors such as login location and the type of activity to be performed, and then requires additional information based on the risk presented. For example, logging into an account from a new device or withdrawing a specific amount may prompt a request for supplemental information to verify identity.
Supplemental authentication factors are the additional methods a firm can use. Firms noted that email verification is used less because of email account takeovers. Factors noted include:
- SMS text message codes;
- Phone call verifications;
- Media access control (MAC) addresses;
- Geolocation information;
- Third-party authenticator apps; and
- Biometrics.
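The adaptive authentication described above can be expressed as a small risk-scoring policy: signals such as a new device, an unusual login location, a change to critical account information, or a withdrawal at or above a step-up amount add to a score, and the score decides which of the supplemental factors from the list are required. This is an added illustration and not code from FINRA or from any firm; the weights, thresholds, field names (`Request`, `Profile`, `decide`) and the `STEP_UP_AMOUNT` value are all hypothetical.

```python
from dataclasses import dataclass

# Hypothetical weights and thresholds for illustration; a firm would tune these to its own risk appetite.
NEW_DEVICE, NEW_LOCATION, CRITICAL_CHANGE, LARGE_WITHDRAWAL = 40, 30, 30, 30
STEP_UP_AMOUNT = 10_000.00

@dataclass(frozen=True)
class Request:
    user: str
    device_id: str
    country: str
    action: str           # "view", "trade", "withdraw", "change_contact"
    amount: float = 0.0

@dataclass(frozen=True)
class Profile:
    known_devices: frozenset   # device ids the customer has used before
    usual_countries: frozenset # countries the customer normally logs in from

def risk_score(req, profile):
    score, reasons = 0, []
    if req.device_id not in profile.known_devices:
        score += NEW_DEVICE; reasons.append("new device")
    if req.country not in profile.usual_countries:
        score += NEW_LOCATION; reasons.append("unusual login location")
    if req.action == "change_contact":
        score += CRITICAL_CHANGE; reasons.append("change to critical account information")
    if req.action == "withdraw" and req.amount >= STEP_UP_AMOUNT:
        score += LARGE_WITHDRAWAL; reasons.append("withdrawal at or above step-up amount")
    return score, reasons

def required_factors(score):
    # Email is deliberately absent: firms noted it is used less because an attacker
    # who has taken over the customer's mailbox would pass an email check.
    if score < 30:
        return []
    if score < 60:
        return ["authenticator_app_or_sms"]
    return ["authenticator_app_or_sms", "phone_call_verification"]

def decide(req, profile):
    score, reasons = risk_score(req, profile)
    return {"score": score, "reasons": reasons, "step_up": required_factors(score)}
```

A request from a known device and usual country for a routine action scores zero and passes with the primary factor alone; a new device plus a large withdrawal pushes the score high enough to require two supplemental factors.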
Back-End Monitoring and Controls
Back-end monitoring and controls can be used once the account is opened for ongoing surveillance of activities such as:
- Failed login attempts
- Significant increases in failed login attempts across multiple accounts
- Monitoring emails received for suspicious signs such as links and grammar
- Additional controls for third-party disbursements
- Scanning the dark web for keywords or data that bad actors can use
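The first two monitoring items above (failed login attempts, and a significant increase in failed attempts across multiple accounts) can be implemented as two windowed rules over an authentication log. The example below is added here and is not from FINRA or any firm: the log format, the sample lines (constructed, using documentation IP ranges), the thresholds and the function names are all hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(OK|FAIL)$")
WINDOW = timedelta(minutes=5)   # hypothetical tuning values, not from the notice
PER_ACCOUNT_FAILS = 3
SURGE_DISTINCT_ACCOUNTS = 4

# Constructed sample log lines for illustration (not from any real firm's systems).
SAMPLE_LOG = """\
2024-03-01T09:00:01Z ip=203.0.113.5 user=alice result=FAIL
2024-03-01T09:00:03Z ip=203.0.113.5 user=bob result=FAIL
2024-03-01T09:00:04Z ip=203.0.113.5 user=carol result=FAIL
2024-03-01T09:00:06Z ip=203.0.113.5 user=dave result=FAIL
2024-03-01T09:01:00Z ip=198.51.100.7 user=frank result=FAIL
2024-03-01T09:01:20Z ip=198.51.100.7 user=frank result=FAIL
2024-03-01T09:01:40Z ip=198.51.100.7 user=frank result=FAIL
2024-03-01T09:30:00Z ip=192.0.2.9 user=grace result=FAIL
2024-03-01T09:31:00Z ip=192.0.2.9 user=grace result=OK
"""

def parse(log_text):
    # Returns (timestamp, ip, user, result) tuples; malformed lines are skipped.
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events

def _hits_window(items, needed):
    # items = [(ts, key)]; True if `needed` distinct keys fall inside one WINDOW.
    items = sorted(items)
    for i, (t0, _) in enumerate(items):
        if len({k for t, k in items[i:] if t - t0 <= WINDOW}) >= needed:
            return True
    return False

def detect(events):
    alerts, by_user, by_ip = [], defaultdict(list), defaultdict(list)
    for ts, ip, user, result in events:
        if result != "FAIL":
            continue
        by_user[user].append((ts, len(by_user[user])))  # sequence key: every failure counts
        by_ip[ip].append((ts, user))                    # user key: distinct accounts count
    for user, items in by_user.items():      # repeated failures on one account
        if _hits_window(items, PER_ACCOUNT_FAILS):
            alerts.append(("repeated_failures", user))
    for ip, items in by_ip.items():          # one source failing across many accounts
        if _hits_window(items, SURGE_DISTINCT_ACCOUNTS):
            alerts.append(("cross_account_failure_surge", ip))
    return alerts
```

On the sample data, the single account with three quick failures and the single source address failing against four different accounts each raise one alert, while the customer who fails once and then succeeds raises none.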
Procedures for Potential or Reported Customer ATOs
Firms noted proactive actions used to help address account takeover attempts (where bad actors use stolen or fake identification to open accounts to generate or launder illicit proceeds), including a dedicated fraud investigation unit, providing methods for customers to quickly communicate with the firm on any issues related to cyber risks, and reminding customers of security practices.
Automated Threat Detection
- Using technology to identify suspicious IP addresses, geography-based controls, and web application firewalls.
Restoring Customer Account Access
- Practices include requiring customers to contact call centers or to complete multifactor authentication to restore logins.
Investor Education
Firms viewed this area as key. It included education in all phases of the client journey, from cyber education in onboarding resources to content on the firm website, text alerts, and educational content on statements for older investors.
MasterCompliance provides expert consulting in compliance best practices and support in creating a risk-based cybersecurity program. If you would like to explore additional assistance or services, please contact us.