The Securities and Exchange Commission (SEC) announced that Robinhood Securities LLC and Robinhood Financial LLC, two broker-dealers under the Robinhood brand, will pay $45 million in combined civil penalties for violating several provisions of U.S. securities laws. The firms admitted to the SEC's findings and agreed to several remedial measures in addition to the financial penalties.
Robinhood has gained prominence as a major online brokerage platform, popularizing commission-free trading and fractional share purchases. Its user-friendly app has attracted millions of retail investors, many of whom are new to stock market trading. However, its rapid growth and innovative business model have also drawn scrutiny from regulators, particularly concerning operational controls and investor protections.
Multiple cybersecurity failures
The SEC's investigation uncovered a broad range of compliance failures by the two firms over several years. Sanjay Wadhwa, Acting Director of the SEC's Division of Enforcement, emphasized the importance of broker-dealers adhering to regulatory requirements, stating that the violations compromised both investor protection and market integrity. The violations outlined in the SEC's order span multiple areas of regulatory oversight, including cybersecurity, suspicious activity reporting, recordkeeping, and compliance with short sale rules. Specifically, these include:
- Suspicious Activity Reporting (SARs): Between January 2020 and March 2022, Robinhood failed to promptly investigate and file reports on suspicious transactions, resulting in significant delays and lapses in compliance with SAR requirements.
- Identity theft: From April 2019 to July 2022, Robinhood lacked sufficient policies to safeguard customers against identity theft risks, exposing them to potential financial harm.
- Unauthorized access: In late 2021, a cybersecurity vulnerability allowed unauthorized third-party access to millions of customer records. Robinhood failed to adequately address the known risks associated with this vulnerability between June and November 2021, leading to a major data breach.
- Off-channel communications: Robinhood was found to have long-standing deficiencies in preserving electronic communications, violating federal recordkeeping provisions.
- Retention of brokerage data: Robinhood failed to maintain key operational records and customer communications as required by law, particularly between 2020 and 2021.
Additional, non-cybersecurity violations include:
- Electronic Blue Sheets (EBS): Robinhood Securities failed to provide complete and accurate securities trading data to the SEC for more than five years, impeding regulatory oversight.
- Fractional share trading and stock lending: The firm violated multiple provisions of Regulation SHO, the SEC framework designed to prevent abusive short-selling practices. From May 2019 to December 2023, Robinhood Securities failed to comply with Reg SHO's close-out, order-marking, and locate requirements.
Robinhood ordered to pay
Robinhood Securities will pay a $33.5 million penalty, while Robinhood Financial will pay $11.5 million, totaling $45 million in penalties. Both firms have been censured and have agreed to undertake significant remediation efforts, including conducting an internal audit to improve compliance with recordkeeping laws, particularly around off-channel communications. Robinhood Securities must also certify it has resolved deficiencies related to its Regulation SHO violations.