Client Confidentiality & Cybersecurity for Investment Advisors

Instructor: Byron Yee

Byron has over 5 years of experience in banking and investments and is currently a candidate in the Chartered Financial Analyst (CFA) Institute program. He also holds FINRA Series 7 and 66 registrations and a Life & Disability Insurance producer's license for WA state. Before his career in banking, he spent 2 years in West Africa as a Peace Corps Volunteer and 4 years in China as an English teacher and financial analyst. Byron double majored in Theatre Arts and Business Administration at Western Washington University. In his free time he enjoys hiking, cycling, running, and being in the great outdoors with his family.

This lesson describes common security incidents involving the theft of client information or money, and the regulations put in place to prevent these incidents from happening.

A Suspicious Phone Call From The Bank

Late one evening, Sarah received a call from someone claiming to be a member of her bank's security team. She thought it was strange that they would call at this hour, and she also noticed that the man on the phone had an accent that did not seem native to her country. The man said he was calling to confirm some recent transactions and that he needed to send her an authentication code via text message to verify her identity. Sarah read this code to the man on the phone; he then confirmed some recent transaction history and hung up.

After the phone call, Sarah logged into her bank account online and noticed a $5,000 transfer out of her account that had been made just minutes earlier. As you may have guessed, the man on the phone was not a bank employee but a hacker who had already gained access to Sarah's online accounts. The security code he asked for actually authorized the transfer of $5,000 from her account to his. Sarah reported the incident to the bank and the police, who started an investigation but warned that they might not be able to recover the funds.

This story is based on real events, and this lesson discusses steps for firms to flag and prevent these issues from ever occurring.

Client Confidentiality

The Securities and Exchange Commission (SEC) and the Financial Industry Regulatory Authority (FINRA) have several policies aimed at protecting customer information, the most notable of which is SEC Regulation S-P. While the details of this rule are covered in another lesson, some key highlights are worth mentioning. Regulation S-P requires all investment firms to have a Statement of Privacy, which addresses the protection and storage of critical customer information:

  • Privacy policy: The privacy policy defines all customer information that is considered confidential, which is any nonpublic information that could identify a customer (for example, account numbers).
  • Data storage and security: The statement of privacy goes on to explain how confidential information is stored and protected. For physical paper records, this includes locked storage cabinets. For digital records, the details of cybersecurity are covered later in this lesson.

The main goal of any thief is to steal a customer's (or a firm's) money, and the point of highest risk is when money is in transit (an electronic transfer, a mailed paper check, or a delivery of actual cash).

FINRA's Rule 3110 on supervision requires that any transmission of assets (stocks, bonds, cash) have a confirmation sent to both the firm and the client upon completion. For example, the last time you transferred money from your bank, you may have received a text or email notification along the lines of 'You recently sent $1,000 to the following recipient. Please contact our fraud center immediately if this looks incorrect.' The problem with this confirmation is that it arrives after the money is already gone - preventing a fraudulent transfer in the first place is ultimately more important. To address this, many firms require verbal authorization from the customer, possibly backed by voice-recognition technology, before the transfer is initiated.

A further weakness of these prevention methods is that a criminal may already hold the confidential customer information used to authorize transactions. This is the topic of our next section.

Identity Theft

Identity theft can be defined as a criminal posing as a customer in order to steal money (or other assets) from them. Typically, a thief gathers information such as passwords, social security numbers, or account or card numbers, any of which can be used to gain access to a customer's accounts and transfer the money out. In the investment industry, Regulation S-ID requires all firms to establish an identity theft program that covers three actions:

  1. Detection: The ability to find and flag any suspicious activity.
  2. Prevention: Once an activity is flagged, the firm needs a way to stop any criminal activity from happening.
  3. Mitigation: If a fraudulent act is committed, the firm needs to have a process in place to conduct an investigation and attempt to return stolen funds to the victim (customer).

Finally, we are going to discuss how to manage security in the digital age.
