Don’t Bury Your Head in the Sand: Applying the Identity Theft Red Flags Rule

The Financial Industry Regulatory Authority (FINRA) fined a broker-dealer $65,000 for failing to act when the email account of its CCO/CEO had been hacked. FINRA determined that the member firm violated the Identity Theft Red Flags Rule.

Per the FINRA website, the FTC’s Red Flags Rule requires a member firm “that is a ‘financial institution’ or ‘creditor’ […] to develop, implement and administer a Written Identity Theft Prevention Program (Program) to detect, prevent and mitigate identity theft in connection with the opening of a covered account or the maintenance of any existing covered account… [and] periodically reassess whether it offers or maintains covered accounts that would require it to have in place a written Program.”

In other words, a firm that is a financial institution or creditor must adopt a written identity theft program whose policies and procedures are designed to: (1) identify the types of identity theft red flags relevant to the firm; (2) detect the occurrence of those red flags; (3) respond appropriately to the detected red flags; and (4) periodically update the identity theft program.

The CEO/COO received hundreds of email notifications over a four-month period indicating that his outbound emails could not be delivered to an external email address. He had never provided that external address and did not recognize it, but chose to ignore the notifications rather than investigate how or why he was receiving them. The member firm therefore violated the Identity Theft Red Flags Rule: although its security program properly detected the red flags, the executive failed to mitigate the potential for identity theft by “responding appropriately to the detected red flags” (element 3 of the Rule).

In the financial services space in particular, cyber-attacks are a common occurrence. Just earlier this month, SDDco was made aware of a phishing attempt received by various contacts. Fake emails, posing as messages from the Securities Investor Protection Corporation (SIPC), stated that SIPC had “tried contacting [the recipient] several times via email in the past week” and advised that “urgent response is required.” While those emails appeared to come from SIPC, closer investigation revealed that they were in fact sent from an imposter domain. The official SIPC website has since displayed a “Fraudulent Email Alert” banner in response (

Think Advisor – FINRA Fines BD Over Handling of CEO Email Hack
FINRA: Regulatory Notice 08-69
FINRA: SEC Identity Theft Red Flags Rule