SoFi Financial, a San Francisco-based brokerage firm specializing in self-directed retail trading, will pay $1.1 million to settle FINRA charges alleging the firm's cash management brokerage account was sensitive to fraud, with third parties transferring millions from customer accounts without authorization.

Starting in 2018, SoFi offered some customers the SoFi Money brokerage account, offering features similar to traditional banks, including check writing and debit cards; the program went live to the general public the following February.

However, beginning in December 2018 and continuing through April 2019, some applicants used stolen or fictitious identities to open approximately 800 accounts on the SoFi money platform and linked them to external bank accounts that they had accessed with deception They then used the SoFi platform to withdraw money from those separate accounts to SoFi cash accounts and withdraw it through ACH transfers, ATM withdrawals, and debit card purchases.

According to FINRA, the firm used a third-party vendor in the process. The vendor provided each app with a score associated with each red flag or risk in the app; results that did not meet a certain threshold triggered a manual review by SoFi. If the score met the threshold (along with other tools used by SoFi in the identity verification process), the firm would automatically approve the account.

But according to FINRA, this system meant that SoFi missed many “red flags” on some customer applications, including invalid Social Security numbers, phone numbers or residential addresses (as well as providing the same address or number as a other account) and applicants without credit history, among others.

FINRA also argued that SoFi's surveillance systems also missed cases of identity theft. At times, even when their systems found identity theft, if the overall application met the threshold for automatic approval, it would not be flagged for a manual SoFi review, according to FINRA.

In total, third parties who illegally accessed accounts at other financial institutions transferred approximately $8.6 million from those institutions without customers' authorization, with approximately $2.5 million of these transfers subsequently withdrawn by those third parties from SoFi accounts Money, as determined by FINRA.

SoFi brought this matter to FINRA's attention by self-reporting that third parties had fraudulently transferred funds without authorization to SoFi's cash accounts. A SoFi spokesperson said the firm was “pleased to have resolved this matter, which relates to events from 2018 to 2019”.

In addition to the fine, SoFi agreed to a censure, although it did not admit or deny the findings in the settlement letter.

This last solution comes a few months after SoFi settled separate FINRA charges for allegedly lax oversight of a fully paid-up securities lending program. The firm agreed to pay more than $700,000 in fines and restitution.