The Financial Industry Regulatory Authority (FINRA) brought the fines against Lincoln Financial Securities, Inc. (LFS) and Lincoln Financial Advisors Corporation (LFA). A FINRA news release said LFS was sanctioned for not forcing brokers working remotely to install security software on their personal computers used to conduct firm business. FINRA said LFS was fined $450,000 and LFA $150,000.
FINRA and the Securities and Exchange Commission (SEC) require broker/dealers to safeguard customer records and information.
From 2002 through 2009, between the two firms, more than one million customer account records were accessed through the use of shared user names and passwords, FINRA said. Since neither firm had policies or procedures to monitor the distribution of the shared user names and passwords, they were not able to track how many, or which employees, gained access to the site during this period.
As a result of the weaknesses in access controls to the firms’
system, confidential customer records including names, addresses, social
security numbers, account numbers, account balances, birth dates, email
addresses and transaction details were at risk, FINRA charged.
FINRA alleged the Web-based system both firms used combined non-public customer account information from various sources and allowed employees to view the customer account information within a single site. Home office personnel from both firms could access the system either by clicking on a link on the firm’s Web site or could gain access through any Internet browser by going directly to the system’s Web site and logging in with one of the shared user names and passwords.
FINRA also found that LFS and LFA did not have procedures to disable or change the shared user names and passwords on a recurring basis even after a home office employee had been terminated. Many individuals left the two firms during the time period involved in the charges, yet the shared user names and passwords were never changed, and the firms had no way of determining whether former employees continued to access confidential customer information using those same user names and passwords.
In settling these matters, LFS, based in Concord, New Hampshire, and LFA, based in Fort Wayne, Indiana, neither admitted nor denied the charges, but agreed to the entry of FINRA’s findings.