The Financial Industry Regulatory Authority (“FINRA”) has upgraded the Web Investment Adviser Registration Depository (“IARD”) and Central Registration Depository (“CRD”) to include multi-factor authentication (“MFA”) in an effort to make the websites more secure:
- Beginning May 16, FINRA will phase in MFA for both the IARD and CRD;
- MFA adds a layer of security by requiring at least one additional proof of identity, beyond the password, before a user can access the sites;
- The roll-out will occur over a period of months and will be made available for Super Account Administrators (“SAAs”) and Account Administrators (“AAs”); and,
- Other IARD and CRD users will be notified when MFA becomes available for them.
Background on MFA
MFA is an important tool in preventing unauthorized access to user accounts that contain sensitive information, including personally identifiable information (“PII”). By enabling MFA, organizations add a layer of security so that a stolen, phished, or reused password alone is not enough for an attacker to log in. Many firms already have MFA enabled for their own systems, and MFA has become an essential component of firm cybersecurity policies and procedures for protecting sensitive data.
FINRA’s new MFA Features
Because MFA is one of the most effective ways to prevent unauthorized access to an SAA’s or AA’s IARD and/or CRD account, FINRA has decided to enable MFA to protect its users’ information.
Because passwords on their own are increasingly easy for attackers to phish, guess, or obtain from data breaches, FINRA has partnered with Duo Security (a Cisco company) to provide the MFA service for SAAs and AAs.
Once a firm has been notified that its IARD and/or CRD accounts have been enabled for MFA, the firm’s SAA and AAs will need to register their devices with the IARD and CRD. Users will need to register a cellphone, landline, or tablet to begin the MFA process. The new MFA process offers three options for the second factor when a user signs in to the IARD or CRD: (1) a mobile application; (2) a text message; or (3) a phone call. Of the three, the mobile application is the strongest choice: text messages and voice calls can be intercepted or redirected (for example, through a SIM-swap attack on the user’s phone number), so firms should steer SAAs and AAs toward the app wherever their device policy allows it.
FINRA is planning to make MFA mandatory for all SAA and AA IARD and CRD accounts by December 2020.
To learn more about FINRA’s MFA features and their rollout, click here.
What Do These Updates Mean for Me?
Chief Compliance Officers (“CCOs”) and Information Security Officers (“ISOs”) should review their firm’s SAA and AA credentials to determine how many employees will need to enable MFA for their IARD and CRD accounts. Once the SAA and AA accounts have been identified, CCOs and ISOs should review FINRA’s MFA guide and ensure that the steps and guidance they provide to SAAs and AAs do not contradict the firm’s cybersecurity policies and procedures (“P&Ps”). For instance, if the firm has a policy that only allows an administrator to install applications on company-issued smartphones or tablets, that policy will also govern how the MFA mobile application is set up for the IARD and CRD accounts. Additionally, make sure that the P&Ps are updated to include the IARD and CRD MFA requirements. Lastly, make sure that the IARD and CRD MFA enrollments (which users are enrolled and which devices they registered) are recorded in the firm’s asset and access inventory, and that those enrollments are reviewed and tested during the firm’s annual cybersecurity risk assessment.
Should you or your firm have questions regarding FINRA’s MFA process, questions regarding firm MFA policies for P&P manuals, and/or guidance on testing MFA policies for the purposes of a cybersecurity risk assessment, please contact us at (619) 278-0020 to schedule a consultation. Our compliance experts are standing by to help you.