Thursday, February 17, 2011
FINRA announced today that it imposed fines of $450,000 against Lincoln Financial Securities, Inc. (LFS) and $150,000 against an affiliated firm, Lincoln Financial Advisors Corporation (LFA), for failure to adequately protect non-public customer information. In addition, LFS failed to require brokers working remotely to install security application software on their own personal computers used to conduct the firm's securities business.
SEC and FINRA rules require every broker-dealer to adopt written policies and procedures that address safeguards for the protection of customer records and information. FINRA found that for extended periods of time – seven years for LFS and approximately two years for LFA – certain current and former employees were able to access customer account records through any Internet browser by using shared login credentials. From 2002 through 2009, between the two firms, more than 1 million customer account records were accessed through the use of shared user names and passwords. Since neither firm had policies or procedures to monitor the distribution of the shared user names and passwords, they were not able to track how many or which employees gained access to the site during this period of time. As a result of the weaknesses in access controls to the firms' system, confidential customer records including names, addresses, social security numbers, account numbers, account balances, birth dates, email addresses and transaction details were at risk.
In assessing sanctions, FINRA took into consideration the firms' efforts to notify all customers whose account information was or had been potentially exposed on the firms' Web-based system, and offered those customers credit monitoring and restoration services for a period of one year. In settling these matters, LFS, based in Concord, New Hampshire, and LFA, based in Fort Wayne, Indiana, neither admitted nor denied the charges, but consented to the entry of FINRA's findings.