Today I want to return to FINRA’s enforcement action against Robinhood, the online stock trading app with a terrible track record at customer due diligence and risk profiling. Even though the case involves the somewhat rarefied compliance rules for broker-dealer firms, there’s a lot here that speaks to technology and due diligence challenges overall.
Robinhood, as you might recall from our post about the company, agreed to pay a $70 million penalty for a raft of poor business practices and misleading statements made to customers through the late 2010s. The fundamental problem was that Robinhood grew so quickly, relying so much on automated software bots to approve customer accounts, that the firm lacked any real ability to enforce customer due diligence standards. Robinhood’s written policies and procedures, which the company did have, simply didn’t match what actually transpired at the business on a daily basis.
Raise your hand if that sounds familiar.
Moreover, I suspect this headache will become even more common in the future, as more and more businesses rely on software bots and other automation technology to perform all sorts of tasks. How can you assure that the people overseeing that technology exercise sufficient oversight (and exist in sufficient numbers) to meet all your compliance obligations?
That’s a question compliance officers will need to be able to answer if they want career security in years to come. So let’s take a close look at some of Robinhood’s oversight failures and see what they can tell us about mistakes and pitfalls one should avoid.
Inadequate Oversight of Automated Bots
A central pillar of Robinhood’s growth strategy was to onboard lots of customers — like, millions of them — as quickly as possible. That meant the company had to rely on software bots to review customer applications and grant approval for new accounts. Automated customer due diligence and risk profiling was critical for Robinhood to achieve its business objectives.
Except, as the bots performed those tasks, they deviated from Robinhood’s written policies and procedures. As described in FINRA’s settlement order, from the mid-2010s through November 2018, Robinhood automatically approved accounts that its clearing firm (that is, the business that actually executed orders that Robinhood customers placed) had flagged as needing further review.
For example, the clearing firm flagged customers who used Social Security numbers that the Social Security Administration had never actually issued; customers whose address was a storage facility or a check-cashing store; and customers whose address had already been used 10 or more times by other customers with different Social Security numbers. Those are all red flags for identity fraud.
FINRA found that despite direct warnings from the clearing firm, Robinhood still automatically approved 94 percent of all accounts the clearing firm had flagged for a “high probability” that the customer’s Social Security number belonged to another person. From June 2016 to November 2018, Robinhood approved more than 90,000 accounts that had been flagged for potential fraud without obtaining any physical form of identification.
You might ask, “Where was the human oversight?” Well, during that same 30-month period, when Robinhood approved 5.5 million customers, Robinhood had no employees whose primary job responsibilities related to its customer identification program. One single person approved more than half of the more than 5.5 million new accounts that were opened, FINRA said.
Half of 5.5 million customers is 2.75 million. Do the math, and that means this single person had to review and approve roughly 2.1 customer applications every minute of every day, around the clock, for more than two years. Does that sound plausible to you?
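The two failures above, the bot overriding the clearing firm’s flags and the one-person review queue, are easy to state as code. What follows is an added example written for this post, not Robinhood’s or FINRA’s code; the flag names, the application record layout and the constructed applications are assumptions made for illustration. It places the approval logic as FINRA describes it beside approval logic that actually follows a “flags block auto-approval” written policy, measures the same number FINRA measured (share of flagged accounts auto-approved), and adds the staffing sanity check from the paragraph above.

```python
"""Added example: an onboarding gate that honours clearing-firm flags.

Not Robinhood's or FINRA's code. Flag identifiers, the Application
record and the sample applications are hypothetical.
"""
from dataclasses import dataclass, field

# Hypothetical identifiers for the red flags the post says the clearing
# firm raised.
HARD_STOP_FLAGS = {
    "SSN_NOT_ISSUED",            # SSN never issued by the SSA
    "SSN_LIKELY_OTHER_PERSON",   # "high probability" SSN belongs to someone else
    "ADDRESS_STORAGE_FACILITY",
    "ADDRESS_CHECK_CASHING",
    "ADDRESS_REUSED_10_PLUS",    # address used 10+ times with different SSNs
}


@dataclass
class Application:
    applicant_id: str
    clearing_flags: set = field(default_factory=set)
    physical_id_verified: bool = False   # a human checked a physical ID


def decide_as_deployed(app):
    """The failure mode in the post: the bot approves regardless of flags."""
    return "APPROVE"


def decide_per_written_policy(app):
    """Written policy: any clearing-firm flag blocks automatic approval.

    A flagged application is approved only after a human has verified a
    physical form of identification; otherwise it is held for review.
    """
    if not app.clearing_flags & HARD_STOP_FLAGS:
        return "APPROVE"
    if app.physical_id_verified:
        return "APPROVE"
    return "HOLD_FOR_REVIEW"


def audit(apps, decide):
    """Measure what FINRA measured: flagged applications approved with no ID check.

    Returns counts and the auto-approval rate among flagged applications.
    """
    flagged = [a for a in apps if a.clearing_flags & HARD_STOP_FLAGS]
    auto_approved = [
        a for a in flagged
        if decide(a) == "APPROVE" and not a.physical_id_verified
    ]
    rate = len(auto_approved) / len(flagged) if flagged else 0.0
    return {
        "flagged": len(flagged),
        "auto_approved_flagged": len(auto_approved),
        "rate": rate,
    }


def reviews_per_minute(applications, reviewers, months):
    """Staffing sanity check: 24x7 rate each reviewer must sustain.

    Uses an average month of 30.4 days. 2.75 million applications, one
    reviewer, 30 months comes out to roughly 2.1 per minute.
    """
    minutes = months * 30.4 * 24 * 60
    return applications / reviewers / minutes


# Constructed sample applications (not real data).
SAMPLE_APPS = [
    Application("a1"),
    Application("a2", {"SSN_NOT_ISSUED"}),
    Application("a3", {"ADDRESS_REUSED_10_PLUS"}),
    Application("a4", {"SSN_LIKELY_OTHER_PERSON"}, physical_id_verified=True),
    Application("a5", {"ADDRESS_CHECK_CASHING", "SSN_NOT_ISSUED"}),
]

if __name__ == "__main__":
    print("as deployed:     ", audit(SAMPLE_APPS, decide_as_deployed))
    print("per written policy:", audit(SAMPLE_APPS, decide_per_written_policy))
    print("reviews/min, 1 reviewer, 30 months:",
          round(reviews_per_minute(2_750_000, 1, 30), 2))
```

The point of the `audit` function is that it is the same check for both decision functions: if the approval rate among flagged applications is anything but zero, the automation is not following the written policy, and that number is what a compliance officer should be pulling from the system on a recurring basis rather than discovering it in a settlement order.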
Questions to Ask Ahead of Trouble
The fatal flaw here is that Robinhood did not have sufficient human oversight of the technology it was using for growth, and that led to a host of compliance risks spiraling out of control.
In practice, that means compliance officers need to raise several tough questions while talking with the board and senior management:
- How does the business plan to scale its growth over the next several years?
- What technology will we use to achieve that scale? What processes are getting automated?
- Do any of those automated processes touch customers or third parties? That’s where we are most likely to encounter compliance risks, and they can go wrong at scale just as quickly as we’re growing at scale.
- How much human oversight is necessary to fulfill our regulatory compliance duties? This is especially important for financial firms, with heightened supervision duties. But it’s an equally valid point even for other businesses that are trying to meet expectations of, say, the Justice Department’s guidelines for effective compliance programs.
- How will we staff up and enforce that human oversight? Because that human oversight is how you assure the automated operations still match your written policies and procedures.
If senior leadership isn’t giving you good answers to those questions, or even allowing that conversation to happen at all — reconsider your commitment to where you work, since clearly they aren’t all that committed to you.