The Securities and Exchange Commission today said LPL Financial Corp. agreed to pay a $275,000 fine to settle an enforcement action against the company for failing to protect clients' personal information.
According to the SEC, LPL suffered multiple hacking incidents between July 2007 and early 2008 when unauthorized people tapped into the online trading platform used by LPL's registered representatives. Once there, they accessed 68 customer accounts and placed or tried to place 209 unauthorized trades worth more than $700,000.
Based in San Diego, Charlotte and Boston, LPL is an SEC-registered broker-dealer, investment adviser, and transfer agent. It has roughly 8,100 independent registered reps in about 3,600 branch offices serving more than one million accounts.
The SEC said an LPL internal audit in mid-2006 found inadequate controls to safeguard customer information at its branch offices, and it specifically raised a red flag about hacking risks. But according to the SEC, LPL failed to follow up with the necessary steps to prevent the hacking incidents that ultimately occurred. The result: LPL's lax security measures exposed at least 10,000 customers to identity theft.
LPL agreed to pay a $275,000 penalty to settle the matter without admitting or denying the findings. Along with imposing the fine, the SEC gave LPL cease-and-desist orders to prevent future violations and censured it for its conduct.
As part of the settlement, LPL will take certain remedial actions such as retaining an independent consultant to review LPL's policies and procedures, as well as implementing practices to train employees and registered reps in safeguarding customer records and information.
LPL couldn't be reached for comment.