FINRA fines SoFi $1.1m after consumer identification flaws led to multi-million dollar heist
Online lending platform SoFi has been fined $1.1 million after alleged consumer identification flaws across its cash management brokerage service enabled fraudsters to make away with funds totalling approximately $2.5 million.
SoFi hit with $1.1 million fine from FINRA
According to a filing made with the Financial Industry Regulatory Authority (FINRA) this month, the fintech failed to establish and maintain an effective customer identification programme (CIP) or a written identity theft prevention programme (ITPP) for its SoFi Money unit.
It instead relied on “a largely automated process” which, between December 2018 and April 2019, it leveraged to approve the opening of around 800 accounts within the service for third parties.
The regulator claims this approach “was not reasonably designed to verify the customers’ identity”, and was therefore “vulnerable to fraud perpetrated by third parties using fictitious or stolen identities”.
This concern appears validated by the matter that fraudsters used SoFi Money accounts to seize approximately $8.6 million in funds over the allotted period from the accounts of customers at other financial institutions without authorisation.
From this sum, around $2.5 million was then withdrawn by the third parties through ACH transfers, ATM withdrawals and debit card purchases, all while exploiting the alleged flaws in SoFi’s CIP and ITPP frameworks.
The filing makes note that the flaws were self-identified by SoFi, with the fintech’s remediation efforts including increased staff training, as well as enhancements to its fraud identification processes and customer verification logic.
It is also thought to have engaged with third-party consultants to address “the significant volume of fraud alerts that had been generated” since the public launch of SoFi Money in February 2019.
Then operating as a bank holding company, SoFi later closed down the unit to new customers in June 2022. It did not immediately respond to FinTech Futures‘ request for comment regarding the FINRA fine.
