SoFi's self-directed retail brokerage unit has been fined $1.1 million by financial regulator Finra over ID verification failures that enabled thieves to steal $8.1 million from the accounts of customers at other financial institutions.
According to the enforcement filing, SoFi used a third-party automated process to verify customer identities and approve the opening of SoFi Money accounts.
Finra says the fraud was possible because SoFi failed to establish and maintain a programme “reasonably designed to verify customers’ identity because its account approval process allowed opening of SoFi Money accounts without a reasonable review of potential red flags associated with some applicants.”
During the period in question - from December 2018 to April 2019 - the firm failed to detect red flags for approximately 800 accounts that were opened with fake identities. The fraudsters then used these accounts to transfer $8.6 million from hacked accounts held with other financial institutions. Approximately $2.5 million of those funds were subsequently withdrawn by the fraudsters through ACH transfers, ATM withdrawals and debit card payments.
In addition to the vulnerabilities in its customer identification processes, SoFi also failed to develop and implement a written identity theft prevention program, Finra says.
The firm has since moved to enhance its verification service and to hire third-party consultants to address “the significant volume of fraud alerts that had been generated” since the public launch of SoFi Money in February 2019.