SoFi Financial, a San Francisco-based brokerage firm catering to self-directed retail clients, has agreed to pay a $1.1 million penalty to settle charges by the Financial Industry Regulatory Authority that for five months the firm’s cash management brokerage accounts were vulnerable to fraud. The weakness allowed thieves to use the accounts to transfer $8.5 million in funds from stolen, outside accounts into SoFi’s money accounts without detection.

Ultimately, the thieves withdrew $2.5 million in stolen funds before SoFi systems and managers caught on to the transfers from unaffiliated financial institutions, Finra said in the settlement.

SoFi itself brought the issue to Finra’s attention, reporting that third parties had fraudulently transferred funds without authorization into accounts with SoFi Money, the firm’s cash management offering. The firm is “pleased to have resolved this matter, which relates to events from 2018 to 2019,” a SoFi spokesperson said.

Without admitting or denying guilt, the firm settled the charges and agreed to both a $1.1 million fine and a censure. All “injured parties” have been reimbursed after SoFi reviewed activity in “thousands of high-risk accounts,” Finra said.

From December 2018 through April 2019, as a result of weak internal and external customer identification and verification systems, “SoFi Money applicants stole from customers of other financial institutions and used SoFi Money to withdraw the funds,” Finra said in the acceptance, waiver and consent agreement.

The scam artists used stolen or fictitious identities to take advantage of the weaknesses in SoFi’s systems and procedures to open approximately 800 SoFi Money accounts, link those accounts to external bank accounts to which they had fraudulently obtained access, and transfer funds from the external accounts to their SoFi Money accounts, Finra said.

The thieves “then withdrew the stolen funds from the SoFi Money accounts through ACH [Automated Clearing House] transfers, ATM withdrawals and debit card purchases. In total, approximately $2.5 million in stolen funds that were transferred to SoFi Money accounts was subsequently withdrawn from those accounts,” Finra said.

Red Flags Missed
According to the agency, the fraud was possible because SoFi failed to establish and maintain a program “reasonably designed to verify customers’ identity because its account approval process allowed opening of SoFi Money accounts without a reasonable review of potential red flags associated with some applicants.”

During this period, SoFi used a third-party vendor as a key part of its customer identity verification process. The vendor provided a number score for each applicant and, if there were red flags, a manual review that SoFi was supposed to monitor. “As a result of this process, however, SoFi automatically approved the opening of numerous accounts despite the presence of red flags contained in the vendor's report, without further review or follow up,” Finra said.

In certain instances, multiple red flags were present in a single customer application identified in the vendor report, Finra added. “Yet these applications were automatically approved. In one instance, the applicant had an invalid name, the address provided by the applicant did not exist or was not valid, the email address and phone number provided were both considered high risk, the vendor was unable to verify date of birth, and the [Social Security number] provided by the applicant was issued prior to the entered date of birth and was associated with a different name and address,” Finra said.

The regulator said that because of its design, SoFi’s system failed to detect that some of the applicants had previously attempted to engage in fraud in separate SoFi products. This was despite a consultant recommending, before the launch of SoFi Money, that the broker-dealer update its systems to be able to identify those customers whose loan or investment accounts were previously rejected or closed for suspected fraud.

“SoFi did not implement this recommendation prior to making SoFi Money available to the public,” Finra said.

In February 2022, SoFi became a bank holding company, and in June 2022 it ceased offering SoFi Money to new customers (except in some limited circumstances), according to the settlement.

This latest settlement comes on the heels of a separate SoFi settlement with Finra for failing to adequately supervise its fully paid securities lending program. The firm paid $700,000 in customer restitution and fines to settle the allegations.