LPL has become the latest victim of the SEC’s Reg S-P crackdown. The SEC announced September 11 that it had brought an enforcement action against LPL Financial Corp., saying the largest independent broker/dealer had failed to adopt policies and procedures to safeguard its customers’ personal information, leaving at least 10,000 customers vulnerable to identity theft following a series of hacking incidents involving LPL’s online trading platform.
Reg S-P requires broker/dealers and SEC-registered investment advisors like LPL to adopt policies and procedures reasonably designed to safeguard customer information. The SEC says LPL agreed to pay a $275,000 penalty to settle the SEC’s enforcement action without admitting or denying the findings.
The SEC’s administrative order against LPL finds that the firm conducted an internal audit in mid-2006 that identified inadequate security controls to safeguard customer information at its branch offices. “LPL’s audit specifically identified the risk from hacking. The SEC’s order finds that LPL failed to take timely corrective action because, by the time that hacking incidents began in July 2007, the firm had not implemented increased security measures in response to the identified weaknesses,” the SEC said in a release announcing the enforcement action.
According to the SEC’s order, “LPL experienced multiple hacking incidents between July 2007 and early 2008, and unauthorized persons gained access to the online trading platform LPL provided for its registered representatives. Once logged onto LPL’s trading platform, the perpetrators placed or attempted to place 209 unauthorized securities trades worth more than $700,000 combined in 68 customer accounts.”
The SEC ordered LPL to cease and desist from committing future violations of the Safeguards Rule, censured it for its conduct, and ordered it to pay the $275,000 penalty. The SEC says that “LPL further agreed to undertake certain remedial actions including retaining an independent consultant to review LPL’s policies and procedures required by the Safeguards Rule, and to devise and implement a policy and set of procedures for training its employees and all registered representatives regarding safeguarding customer records and information. LPL consented to the entry of the SEC’s order without admitting or denying the SEC’s findings.”