SoFi Financial, a San Francisco-based brokerage firm specializing in self-directed retail trading, will pay $1.1 million to settle FINRA charges alleging that the firm’s cash management brokerage account was vulnerable to fraud, with third parties transferring millions from customer accounts without authorization.
Starting in 2018, SoFi offered some customers the “SoFi Money” brokerage account, which had features similar to traditional banking, including check writing and debit cards; the program went live for the general public the following February.
However, beginning in December 2018 and continuing until April 2019, some applicants used stolen or fictitious identities to open about 800 accounts on the SoFi Money platform and linked them to external bank accounts that they’d accessed fraudulently. Then, they used the SoFi platform to extract money from those separate accounts into SoFi Money accounts and withdraw it through ACH transfers, ATM withdrawals and debit card purchases.
According to FINRA, the firm used a third-party vendor in this process. The vendor provided each application with a score correlated to any red flags or risks in the application; scores that didn’t reach a certain threshold triggered a manual review from SoFi. If the score did satisfy the threshold (along with other tools used by SoFi in the identity authentication process), the firm would automatically approve the account.
But according to FINRA, this system meant SoFi missed numerous “red flags” in some customers’ applications, including invalid Social Security numbers, telephone numbers or residential addresses (or the same address or number as another account) and applicants with no credit history, among other things.
FINRA also argued that SoFi’s supervisory systems missed instances of identity theft. At certain times, even when its systems did find identity theft, if the overall application reached the threshold for automatic approval, it wouldn’t be flagged for a SoFi manual review, according to FINRA.
In all, the third parties illegally accessing accounts at other financial institutions transferred about $8.6 million from those institutions without customers’ authorization, with about $2.5 million of those transfers subsequently withdrawn by those third parties from the SoFi Money accounts, according to the FINRA settlement.
SoFi brought the issue to FINRA’s attention by self-reporting that third parties had fraudulently transferred funds without authorization to accounts with SoFi Money. A SoFi spokesperson said the firm was “pleased to have resolved this matter, which relates to events from 2018 to 2019.”
In addition to the fine, SoFi agreed to a censure, though it didn’t admit or deny the findings in the settlement letter.
This latest settlement comes several months after SoFi settled separate FINRA allegations of poor oversight of a fully paid securities lending program. The firm agreed to pay more than $700,000 in fines and restitution.