Robinhood agrees to pay $7.5M fine to settle with Massachusetts securities regulator

Robinhood Financial, LLC has agreed to settle a 2020 case brought by Secretary of the Commonwealth William F. Galvin over the online trading platform’s use of gamification strategies to attract and manipulate customers. As part of that settlement, Robinhood has agreed to pay an administrative fine of $7.5 million and overhaul its digital engagement practices.

In a consent order filed with Galvin’s Securities Division today, Robinhood agreed to resolve administrative complaints filed in 2020 and 2021. The consent order also addresses issues uncovered through an additional investigation by the Division into a 2021 data security breach that affected Massachusetts customers.

Galvin’s office has objected to the gamification of trading used by Robinhood to encourage digital engagement on its platform. As detailed in the consent order, Robinhood has previously used confetti animation, digital scratch tickets, free stock rewards and other game-like features to push customers to interact with the app. The app also employed push notifications and “most popular” lists to encourage frequent trades.

In 2021, Robinhood sued Galvin’s office, in an attempt to block the administrative proceedings against the broker-dealer. After a decision in Suffolk Superior Court and a subsequent appeal to the Massachusetts Supreme Judicial Court, Galvin’s authority to promulgate the Massachusetts Fiduciary Rule was upheld and the case was allowed to proceed in August of 2023.

While Robinhood ceased many of its gamification tactics after complaints were filed by the Securities Division, the settlement in this case ensures that for Massachusetts customer accounts, Robinhood will cease any future use of celebratory imagery tied to the frequency of trading, push notifications highlighting specific lists, and features that mimic games of chance. Robinhood must also add disclosures to its lists and engage an independent compliance consultant to evaluate other digital engagement practices that remain in use.

In addition to the gamification issues described in previous administrative complaints, the consent order also addresses serious cybersecurity issues identified by the Division after a November 2021 data security breach that affected approximately 117,000 customers in Massachusetts.

According to the consent order, an unauthorized third party was able to access Robinhood customer information through a voice phishing scam that convinced an agent to download and run third-party remote access software on a Robinhood-issued laptop. Robinhood devices did not block the installation of such unauthorized software.

The agent, left with inadequate direction on how to report critical data breaches, was unable to reach anyone at Robinhood to report the data breach for nearly an hour. The agent tried repeatedly to contact Robinhood for help, only to encounter silence, automated messages, and in one case, an internal bot named “Halp.” After the data breach occurred, while under Robinhood’s supervision, the agent submitted a play-by-play account of the breach in a cloaked email purporting to include the agent’s resume.

Robinhood has admitted to the facts concerning the data breach that are detailed in the consent order, and has agreed to undergo an independent review of its cybersecurity policies.

The filing of the consent order comes just a day before the broker-dealer’s deadline to file an appeal of the Massachusetts Supreme Judicial Court’s August 2023 decision with the U.S. Supreme Court. Robinhood has agreed not to seek an appeal and to dismiss, with prejudice, litigation pending in Suffolk Superior Court.