FINRA Imposes Second Data Security Fine on Lincoln Financial

The Financial Industry Regulatory Authority (FINRA) recently imposed a $650,000 fine on Lincoln Financial Securities Corporation (Lincoln) for its failure, in relevant part, to secure its customers’ confidential information. According to FINRA, Lincoln failed to adopt written supervisory procedures to instruct its representatives how to adequately protect customer confidential information. FINRA cited Lincoln’s data security policy as an example of such a failure, as it instructed Lincoln’s representatives to use firewalls, but did not provide any specific guidance as to how to install the firewall or what type of firewall was appropriate to protect the information. FINRA found the policy insufficient to adequately protect Lincoln’s information, since the representatives lacked technical expertise and could not be expected to understand how to obtain and install the proper firewall mechanism.

According to FINRA, Lincoln’s failures constituted violations of FINRA Rules 2010 and 3110. In particular, FINRA Rule 3110 requires FINRA members to maintain systems to supervise its registered representatives that is reasonably designed to achieve compliance with applicable securities laws and regulations. FINRA cited Rule 30 of Regulation S-P, requiring appropriate safeguards for customer information, as the securities regulation at issue.

This was FINRA’s second such action against Lincoln. In 2011, Lincoln paid a $450,000 fine after FINRA alleged that Lincoln had similarly failed to establish procedures to protect confidential customer information on the computers of Lincoln’s registered representatives.

TIP: This case provides insight into FINRA’s expectations as to the content of written supervisory procedures. FINRA members may be well-served to review their procedures to ensure that the content provides instructions sufficient to protect customer information.