The US Securities and Exchange Commission has warned online brokers to improve security following a nationwide review which revealed the routine transmission of confidential customer information by unsecured e-mail.
The failures in security have been highlighted by the staff at the SEC's Office of Compliance Inspections and Examinations, as part of a review of standards of performance at online brokerages nationwide.
The biggest failings entail the use of e-mail, with SEC staff observing "many instances of confidential information being sent without any security measures, including account numbers, passwords, social security numbers, or details of trades placed".
At some broker-dealers, customer service representatives routinely ask customers by e-mail for confidential information such as account number, social security number, and mother's maiden name. Of the brokers reviewed, only one-fifth of the firms have written policies on employees sending confidential information by e-mail, and a fifth of the firms warn customers about sending confidential information by e-mail.
About a third of broker-dealers use some form of e-mail encryption, the SEC says, but almost all use an encryption system that only encrypts incoming traffic, so that e-mails sent by the firm to customers are not secure.
The review team also criticises brokers for lax procedures in the allocation and maintenance of customer passwords. For instance, several broker-dealers allow customers to report a lost password by e-mail, and the firm resets the password to its original default without obtaining any verifying information.
The examination also highlights other areas for improvement. To reduce customer complaints, the SEC recommends that firms provide help screens on web sites with explanations of key investing terms and concepts; take steps to prevent executions of unintended duplicate orders; provide enhanced margin disclosure, including a list of securities with higher margin requirements and the actual interest rate that will be charged on margin balances; describe the IPO allocation process; and inform customers with cash accounts of their trading liabilities.
Firms should also scrutinise their order routing practices to ensure they are meeting their legal obligation to seek the best execution of their customers' orders, advises the SEC.