SoFi’s self-directed retail brokerage unit has been fined $1.1 million by financial regulator Finra due to ID verification shortcomings that allowed thieves to steal $8.1 million from customers’ accounts at other financial institutions.
The enforcement report indicates that SoFi employed a third-party automated process to verify customer identities and approve the opening of SoFi Money accounts. According to Finra, the fraud occurred because SoFi did not maintain a program “reasonably designed to verify customers’ identity,” which led to the approval of accounts without a thorough examination of potential red flags associated with some applicants.
Between December 2018 and April 2019, the firm failed to identify red flags for roughly 800 accounts opened using fake identities. Fraudsters exploited these accounts to transfer $8.6 million from compromised accounts at other financial institutions, with approximately $2.5 million of those funds being withdrawn by the criminals through ACH transfers, ATM withdrawals, and debit card transactions.
In addition to the weaknesses in its customer identification processes, SoFi did not develop and implement a written identity theft prevention program, according to Finra.
Since then, the firm has taken steps to enhance its verification services and has engaged third-party consultants to address the “significant volume of fraud alerts” that emerged following the public launch of SoFi Money in February 2019.