In some ways, this disaster started out admirably with a registered representative father trying to find a way to leave his book of business for his son. The Devil is in the details and how the father went about his plans made all the difference -- and not in a good way. After moving through the FINRA disciplinary process, we wind up at the SEC, not once but twice.
In 2008, Tomlinson learned from a magazine article that a registered representative with whom he had trained years earlier had built a business at another broker-dealer firm to pass along to his son. That success story seemed to have troubled Tomlinson, who also desired to leave a business for his son but was growing concerned about the inherent limitations in his credit union's salary-based compensation system versus the brokerage industry's commission structure. Consequently, the magazine article may have fanned the embers of Tomlinson's desire to move on and move up.
Toward the end of June 2008, Tomlinson began talking to a friend at Wachovia about an opening in a nearby branch office; and in October 2008, Tomlinson visited a St. Louis, MO, Wachovia office. Tomlinson must have liked the grass on the other side of the fence because he soon decided to leave the credit union and RJFS to join Wachovia, where his new position offered a small payment for managing the branch coupled with the potential for much greater commission-based compensation.
As a credit union manager, Tomlinson was familiar with the organization's compliance manual, which, in pertinent part stated:
Associates may not share customer information with third parties unless specifically authorized by the client. Customer and confidential information may not be removed from a Raymond James office without the branch manager's permission.
Further, the credit union's compliance manual prohibited financial associates (subject to client authorization) from transmitting non-public or personally identifiable information (e.g., social security number, financial account numbers, net worth, income, tax bracket) to a third party for non-business purposes. Also, Tomlinson had signed a financial advisor agreement with RJFS and the credit union in which he agreed, among other things, not to remove records from the premises of the investment group without prior authorization and not to disclose to any person any non-public customer information.
In contemplation of his joining Wachovia, that firm had instructed Tomlinson that the only information he could bring with him was in the nature of a "Christmas card list;" i.e., the names, phone numbers and addresses of his clients. Wachovia conveyed the instruction several times in several different ways, including during a discussion at the St. Louis recruiting meeting and also memorialized in a "Financial Advisor Integration Planner" given to Tomlinson by the senior vice president who had handled his recruitment.
The Planner stated in bold-face type that financial advisors were not allowed to bring "client statements, account numbers, social security numbers, client files, confirmation, performance reports, copies of notes or any electronically stored client data;" however, exceptions were noted for certain allowable information, such as, customer name, client name, account title, their address, phone numbers, and their e-mail addresses.
During business hours and late at night on November 18th and November 20th, without authorization and prior notice to the credit union, RJFS, or Wachovia, Tomlinson downloaded confidential, non-public information of over 2000 credit union customers (e.g., social security numbers, birth dates, account numbers, and account balances) to his personal flash drive (unencrypted and lacking password protection) and his personal laptop. Wachovia provided Tomlinson with a firm-issued flash drive that he was supposed to use to download only the limited information that he was permitted to take with him, but he claimed to have had difficulty making the software work and downloaded information onto his personal flash drive. Although some of the clients involved on the downloaded files were Tomlinson's, about 60% were customers of other credit union financial advisors with whom he had previously had contact or were total strangers.
Tomlinson officially resigned from the credit union on November 24, 2008, Monday, and on that day he spoke with a number of people at the union and participated in an exit interview with an IT person. In keeping with the union's standard procedure, the IT person conducted an exit interview and received from a departing employee any physical keys and badges, including the Virtual Private Network ("VPN") token used to access the union's computer systems. Tomlinson returned a VPN token, his keys, and other things to union staff.
The credit union's protocol was that if a departing credit union employee had:
On the afternoon of November 24th, a credit union IT person "wiped clean" the telephone that the credit union had purchased for Tomlinson's use and returned the device with only his personal information. Notably, there was no discussion of Tomlinson's flash drive or personal laptop during the exit interview or wiping process.
Shortly before 6 p.m. on the day of his resignation, Tomlinson met with a Wachovia administrative assistant, who had been assigned to help Tomlinson prepare announcements about his move. The assistant, who had been waiting for Tomlinson all afternoon, asked him for the flash drive, but he had neglected to bring it and went home to retrieve the device. Upon his return later that evening, a snowstorm was underway, prompting Tomlinson and the assistant to defer to the next day the creation of a mailing announcing his relocation. The assistant put the flash drive in her purse and went to a hotel. Tomlinson went home.
The next day, November 25, 2008, Tuesday, the administrative assistant used the flash drive at a computer in the public reception area of the Wachovia office. Tomlinson did not supervise her work and was in a separate office that had been assigned to him. The assistant had difficulty using the flash drive and called Wachovia's IT department, which remotely accessed the disk to assist her. The disk remained in the reception area until after lunch, by which time Tomlinson and the assistant had examined and culled labels for the mailing. Finally, around 2-3 p.m., the assistant gave the flash drive back to Tomlinson.
On November 26, 2008, Wednesday, one day before Thanksgiving, the credit union CEO asked the credit union CIO to begin an investigation because the CEO had been informed that a customer had received a mailing from Tomlinson, in potential violation of the former employee's non-compete agreement. The CIO started by looking at Tomlinson's desktop computer, which disclosed that customer information had been downloaded onto a remote storage device (such as a flash drive) and put into a directory that Tomlinson had labeled in a way to denote a connection with Wachovia Securities.
On December 1, 2008, the credit union drafted and delivered a letter to Tomlinson at Wachovia demanding, among other things, the return of the flash drive with the "stolen" information on it. Tomlinson found the letter "scary," and, thereupon, he deleted downloaded flash drive files except for the one file containing his own clients' data. He also deleted credit union files from his personal laptop. Upon learning of these deletions, Wachovia's attorney instructed Tomlinson to stop.
Eventually, Tomlinson returned to the credit union his flash drive, mobile telephone, and personal laptop; and the union's CIO determined that customer information had been on all three of Tomlinson's devices and that most of those files had been deleted after Tomlinson was informed of the investigation. The CIO requested that Wachovia check its computers and was subsequently informed that Wachovia had identified at least one subject file on a secretary's computer at Wachovia.
In response to the filing of a disciplinary Complaint by FINRA's Department of Enforcement, Tomlinson sought to characterize his actions as thoughtless and not motivated by any desire to harm his former employer. Further, Tomlinson contended that notwithstanding his copying of customer files, the credit union was unharmed because only the names and addresses of his own clients were used to create address labels for "tombstone" announcements of his move to his new firm. FINRA Department of Enforcement, Complainant, v. Steven Robert Tomlinson, Respondent (OHO Hearing Panel Decision, March 21, 2013).
Following a hearing, a FINRA Hearing Panel essentially shredded what they viewed as excuses and somewhat self-serving explanations set forth by Tomlinson, which the panel characterized as constituting three points.
First, Tomlinson argued that he lacked intent to do wrong or to cause harm - he asserted that his conduct was something of a spur of the moment undertaking in which he "just didn't think at the time." Noting that the Rule 2110 violation with which he had been charged did not require proof of intent, the Panel further noted that the evidence suggested at least Tomlinson's consciousness of wrongdoing. In raising that prospect, the Panel pointed at Tomlinson's after hours and fairly surreptitious downloading; and his failure to even mention during the exit interview that he had customer information on a flash drive and personal laptop.
Second, Tomlinson argued that he had used only a limited portion of the downloaded information and only for a legitimate purpose; namely his client file to fabricate "tombstone" notices of his move to Wachovia. In contradistinction to Tomlinson's benign characterization, the Panel seemed perplexed by his inability to recognize the potential disaster that could have resulted from the misuse of the personal information on the files that were resident on an unencrypted, non-password-protected device, which was left unattended in a relatively public space.
Third, Tomlinson asserted that the credit union had known for a long time prior to his departure that he had used his personal devices for business purposes, downloading client information in order to work at home. This argument seems to have rankled the Panel, which rejected the attempt to "explain away his actions as an innocent or inadvertent mistake." In response to Tomlinson's suggestion that he had been somewhat victimized by the credit union's unfair and overly harsh response that included notifying customers that their confidentiality had been breached, the Panel interpreted this point as an inappropriate attempt to focus "not on the customers' interest in keeping their highly sensitive information private, but rather on his view that the credit union has nothing to complain about."
The FINRA Hearing Panel saw the key issue presented by Tomlinson's conduct as one in which the investing public cannot be expected to have confidence in the financial industry if investors' confidential, non-public information is not protected from disclosure. Further, when deliberating on the sanctions to be imposed, the Panel found as aggravating factors, Tomlinson's:
Accordingly, the Panel found that Tomlinson had violated NASD Rule 2110 and imposed the following sanctions:
Following Tomlinson's pro se appeal of the OHO Decision, FINRA's National Adjudicatory Council ("NAC") affirmed the findings of the OHO and the $10,000 fine, but increased the 10-business-day suspension to a 90-day suspension in all capacities. The NAC refrained from imposition of the fine and costs based upon Tomlinson's demonstrated inability to pay. In the Matter of FINRA Department of Enforcement, Complainant, vs. Steven Robert Tomlinson, Respondent, (NAC, 2009017527501, March 5, 2014).
The NAC's rationale for not imposing the fine offers some helpful insight as to the factors that are considered in determining whether to waive such payment:
Tomlinson has demonstrated a bona fide inability to pay. The record shows that since 2010 nearly all of Tomlinson's monthly net income has serviced a loan to him from Wells Fargo, and consequently, he does not have sufficient funds remaining to pay his family's other living expenses (which are significant). The bank holding liens on Tomlinson's real property (a primary residence and a home that for years has been in his family) has initiated foreclosure proceedings, and he is delinquent on numerous payments to other creditors. Tomlinson has also borrowed against his retirement savings, and represents that he has listed his primary residence and a boat for sale (which also appears to be encumbered). Simply put, Tomlinson does not earn nearly enough monthly income to pay his expenses on a going basis, has not for some time, and does not appear to have any realistic ability to borrow or otherwise raise additional funds . . .
Enforcement argues that Tomlinson's reported assets, by virtue of his own calculations, significantly exceed his reported liabilities. Enforcement, however, fails to account for the fact that the large majority of Tomlinson's net worth consists of equity in real property that is currently in foreclosure. We would be remiss if we did not consider that realization of any equity in these illiquid assets is no longer entirely in Tomlinson's control. In these unusual circumstances, a simple, mechanical calculation of net worth does not accurately and completely reflect Tomlinson's financial condition and ability to pay monetary sanctions. . . While we acknowledge that Tomlinson did not initially explain how he determined the value of his assets and did not provide complete documentation for each of his numerous liabilities, we find that Tomlinson has shown that he has a bona fide inability to pay the monetary sanctions we otherwise would impose upon him. Thus, given these facts, we do not impose the fine, nor do we order that Tomlinson pay costs.
Tomlinson argues that the NAC increased the suspension to "offset" his inability to pay the fine and as "retribution" for his appeal. But the "mere fact that the NAC increased the sanctions . . . does not render the [sanctions] invalid on fairness grounds." Tomlinson states that the NAC's refusal to impose the fine is "extremely helpful," but contends that the suspension "is 'far more costly' . . . to a career that has lasted 32 years without a customer complaint." Tomlinson asserts that "[a] lot has been learned over the past 5 1/2 years" and that he is "more than contrite and extremely remorseful for the impact [this action] has had on [his] family." While we acknowledge Tomlinson's concerns, we have stated previously that "[h]ow a respondent collaterally suffers as a result of the violation, or from the disciplinary proceeding that followed (e.g., that he lost money, the amount of time he was out of the industry, or the impact the disciplinary proceeding had on his reputation, career, or finances) is not a mitigating factor."
We have construed Tomlinson's letter as a request for reconsideration and reject his request on two independent grounds: it is untimely and lacks merit. Rule of Practice 470 provides, in relevant part, that a motion for reconsideration "shall be filed within 10 days after service of the order complained of." Tomlinson was served with a copy of the December 11 Order on December 15, 2014 and received it on December 22, 2014, but his letter was not filed until January 9, 2015, which was beyond the ten-day period provided in Rule 470. As a result, Tomlinson's request for reconsideration of the December 11 Order was untimely.
Succinct and compelling decisions from FINRA's OHO and the NAC, and from the SEC. Not only do the rulings offer the necessary background to make the case intelligible, but each offers context in its rationale to allow us to understand the appropriateness of the imposed sanctions. Moreover, the NAC offered a thoughtful analysis of "inability to pay" factors that puts FINRA enforcement staff on notice that it's not a simple numbers game in considering requests for relief based upon a purported inability to pay.