Overview

• The draft guidelines released on July 15 follow more than 7,000 unauthorized trading incidents in securities accounts during the first half of 2025
• Firms would be required to implement multi-factor authentication using methods such as biometrics or passkeys for logins, withdrawals and critical account changes
• New measures call for automated notifications to customers when transactions deviate markedly from their usual activity and for strengthened anti-phishing defenses
• Regulators have signaled they will issue business improvement orders to firms that fail to bolster online security and require them to compensate customers harmed by fraudulent trades
• Public feedback on the proposed supervisory revisions will be accepted through mid-August before the final guidelines take effect