FINRA Imposes $1.1 Million Fine on SoFi for Violating Customer Identification & Identity Theft Prevention Rules

The Financial Industry Regulatory Authority (FINRA) has announced a significant penalty against SoFi Securities LLC, amounting to $1.1 million, for multiple violations related to its customer identification and identity theft prevention programs. SoFi Securities, headquartered in San Francisco, California, and a member of FINRA since 2011, was found to have inadequately established and maintained protocols for its cash management brokerage account, SoFi Money, resulting in vulnerabilities to fraudulent activities.

The violations stem from a period spanning December 2018 to April 2019 when SoFi Securities allegedly failed to implement a reasonable Customer Identification Program (CIP) for its SoFi Money accounts. During this time, approximately 800 accounts were opened through an automated process that did not adequately verify customers' identities, making them susceptible to exploitation by third parties utilizing fictitious or stolen identities. These accounts were then used to transfer approximately $8.6 million, with $2.5 million subsequently withdrawn without authorization.

Additionally, SoFi Securities was found to have neglected the development and implementation of a written Identity Theft Prevention Program (ITPP) aimed at detecting, preventing, and mitigating identity theft risks. This failure to establish effective protocols resulted in further violations of regulatory standards.

The investigation revealed several shortcomings in SoFi's practices, including:

• Approval of accounts without thorough review, despite the presence of red flags indicating potential fraudulent activity.
• Lack of proper verification processes, allowing applicants to use stolen or fictitious identities to open accounts and conduct unauthorized transactions.
• Delayed response to fraud alerts, with some alerts taking up to 132 days to review, during which unauthorized withdrawals were made.
• Failure to identify SoFi Money as a covered account in its written ITPP until April 2019.

In response to the findings, SoFi Securities has taken corrective measures, including increasing staff trained to review fraud alerts and implementing improvements to its CIP and ITPP systems. Furthermore, the company ceased offering SoFi Money to new customers in June 2022, following its transition to a bank holding company in February 2022.

As part of the settlement, SoFi Securities has accepted the sanctions imposed by FINRA, which include a censure and the aforementioned $1.1 million fine. The company has agreed to pay the monetary sanction and has waived its right to contest the allegations or appeal the decision.

This enforcement action underscores FINRA's commitment to upholding industry standards and protecting investors from fraudulent activities. It serves as a reminder to financial institutions of the importance of implementing robust compliance measures to safeguard against potential risks and maintain the integrity of the securities market.

The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.