Carl Reiner: “Did Robin Hood really steal from the rich and give to the poor?”
2000 Year Old Man (Mel Brooks): “No, he didn’t. He stole from everybody and kept everything.”
Carl Reiner: “How did the legend spring up?”
2000 Old Man: “How did legend spring up? He had a fellow, Marty – Marty the press agent. Ran in all the papers and wrote in scrolls ‘he took from the rich and gave to the poor!’ Who knew? He gave you such a knock on the head when he robbed you, you wouldn’t remember anything anyway.”
– Carl Reiner and Mel Brooks (2000 Year Old Man)
On June 28, 2021, the legendary comedian Mel Brooks celebrated his 95th birthday. Two days later, the Financial Industry Regulatory Authority (FINRA) announced that it fined Robinhood Financial LLC (Robinhood) $57 million and ordered Robinhood to pay approximately $12.6 million in restitution, plus interest, to thousands of harmed customers. The sanctions represent the largest financial penalty ever ordered by FINRA and are intended to reflect the scope and seriousness of Robinhood’s violations.
1. I have a vague memory that the SEC and FINRA have sanctioned Robinhood in the recent past. Am I right?
Yes. In December 2019, FINRA found that Robinhood had failed to exercise reasonable diligence to ascertain that the broker-dealers to which it routed customer orders for payment for order flow provided the best execution quality as compared to other execution venues and failed to implement a reasonably designed supervisory system and procedures to achieve compliance with its best execution obligations under FINRA’s rules. The firm consented to a censure, a $1,250,000 fine, and an undertaking to retain an independent compliance consultant to conduct a comprehensive review of the adequacy of the firm’s policies, systems, procedures, and training relating to achieving compliance with FINRA Rule 5310.
In December 2020, Robinhood agreed to settle charges with the Securities and Exchange Commission (SEC) that it made material misstatements and omissions relating to its receipt of payment for order flow and relating to the execution quality it achieved for its customers’ orders and that it failed to maintain required records. The SEC imposed the following sanctions: (1) an order to cease and desist from committing or causing any violations and any future violations of Section 17(a) of the Securities Act of 1933 (Securities Act) and Section 17(a) of the Securities Exchange Act of 1934 (Exchange Act) and Rule 17a-4 thereunder; (2) a censure; (3) a $65,000,000 civil money penalty; and (4) an undertaking to retain an independent compliance consultant to, among other things, conduct a comprehensive review of Robinhood’s policies and procedures to ensure that Robinhood’s retail communications comply with the requirements of the federal securities laws (the independent compliance consultant was the same one as the one retained as a result of the FINRA action).
2. What conduct triggered FINRA’s enforcement action against Robinhood?
FINRA found three broad categories of deficiencies.
- Robinhood negligently communicated false and misleading information to its customers. The false and misleading information covered a variety of critical issues, including whether customers could place trades on margin, how much cash was in customers’ accounts, how much buying power or “negative buying power” customers had, the risk of loss customers faced in certain options transactions, and whether customers faced margin calls.
- Robinhood failed to exercise due diligence before approving customers to place options trades. Robinhood relied on algorithms—known at Robinhood as “option account approval bots”—to approve customers for options trading, with only limited oversight by firm principals. Those bots often approved customers to trade options based on inconsistent or illogical information.
- FINRA found that, from January 2018 to February 2021, Robinhood failed to reasonably supervise the technology that it relied upon to provide core broker-dealer services, such as accepting and executing customer orders. Between 2018 and late 2020, Robinhood experienced a series of outages and critical systems failures. The most serious outage occurred on March 2 and 3, 2020, when Robinhood’s website and mobile applications shut down, preventing Robinhood’s customers from accessing their accounts during a time of historic market volatility. Although the firm had a business continuity plan at the time of the March 2-3 outage, it did not apply it because the plan was unreasonably limited to events that impacted the firm’s physical location – it did not apply to technological issues that affected the firm’s operations.
FINRA also found that Robinhood failed to report tens of thousands of written customer complaints that it was required to report. These failures resulted principally from a firm-wide policy that exempted certain broad categories of complaints from reporting, even though those categories fell within the scope of FINRA’s reporting requirements.
3. What false and misleading information did Robinhood communicate to its customers?
- Robinhood falsely told “Robinhood Instant” customers that they had to upgrade to “Robinhood Gold” to trade on margin when, in fact, Robinhood allowed “Instant” customers to place options trades that could trigger the use of margin.
- Robinhood falsely told “Robinhood Gold” customers that they could “disable” margin in their accounts when, in fact, Robinhood allowed “Gold” customers to place options trades that could trigger the use of margin even after they had “disabled” margin.
- Robinhood displayed inaccurate cash balances to certain customers. Some inaccuracies were significant. For example, Robinhood displayed to many customers negative cash balances that were twice as large as they actually were.
- Robinhood provided false information to customers about the risks associated with certain options transactions. For example, Robinhood falsely told customers that they would “never lose more than the premium paid to enter [a] debit spread” when customers could, and many did, lose vastly more than the premiums they paid.
- Robinhood issued to certain customers erroneous margin calls and margin call warnings, telling them that they were in “danger of a margin call” when they were not.
FINRA found that one cause of these violations was that Robinhood failed to establish and maintain a supervisory system, and failed to establish, maintain, and enforce written supervisory procedures, that were reasonably designed to achieve compliance with FINRA’s communications rules.
FINRA noted that although Robinhood’s written supervisory procedures required that a registered principal of the firm approve retail communications, those supervisors tasked with this responsibility often lacked the experience and expertise necessary to determine that certain of the communications they approved were accurate and not misleading. Those supervisors approved certain communications—that Robinhood later published on its website and mobile applications—that were false or misleading, such as whether customers could “disable” margin in their accounts and the risk of loss associated with certain options transactions.
FINRA also found that Robinhood failed to establish reasonable procedures to supervise the accuracy of the account information it displayed to customers via its website and mobile applications. While Robinhood relied on mathematical models and formulas to calculate much of the data it displayed to customers, it did not require that a supervisory principal review the accuracy of those models and formulas. Moreover, Robinhood failed to detect inconsistencies between the data it displayed to customers and the data contained in its back-office system. As a result, the firm displayed to customers account information, including cash balances, that was inaccurate and inconsistent with the firm’s back-office calculations.
Third, FINRA found that Robinhood failed to establish reasonable procedures to identify when it communicated false information or omitted information that should have been communicated to customers, and it ignored red flags that should have alerted it of the need to implement preventive controls. For example, over the course of three years, Robinhood issued several erroneous margin calls and margin call warnings to thousands of customers. Yet, Robinhood did not discover its erroneous margin calls and margin call warnings through its own supervisory controls and, instead, learned of the mistakes through its review of customer complaints and through discussions on internet forums.
4. How did Robinhood approve customers for options trading without exercising due diligence?
Robinhood’s written supervisory procedures assign registered options principals the responsibility of approving accounts for options trading. So far, so good. However, in practice, Robinhood relied on computer algorithms, with limited oversight by firm principals. This limited principal review, together with the firm’s failure to remediate flaws in its algorithms, resulted in Robinhood’s approval for options trading of thousands of customers who did not satisfy the firm’s eligibility criteria or whose account records contained red flags that options trading may not be appropriate for them. As noted above, Robinhood’s bots failed to take into account all information available to Robinhood. Therefore, the bots would approve:
- options trading if the customers represented that they had three years’ options trading experience—even if the customers were younger than 21 years old or had previously represented (even only minutes earlier) that they had no options trading experience;
- spread options trading if the customers represented that they had three years’ options trading experience—even if the customers previously certified that they did not understand options spreads;
- new options applications from customers whose prior applications had been denied – even minutes before submitting the new application, and with information that contradicted information provided elsewhere.
FINRA found that while Robinhood assigned principals to review the bots, the principals’ reviews were limited only to ensuring that the bots function as programmed— they did not evaluate whether the information reviewed by the algorithms is consistent with other information available to Robinhood or whether options trading is appropriate for the customer.
5. What did FINRA find that indicates that Robinhood did not supervise the technology supporting its core broker-dealer business functions?
FINRA noted that for much of the time in question, Robinhood relied exclusively on its website and mobile applications to receive, accept, and execute orders and for virtually all communications with its customers. Robinhood outsourced to its parent company—which is not a FINRA member firm—the responsibility of operating and maintaining the firm’s website and mobile applications and their supporting technology. However, FINRA found that Robinhood did not reasonably supervise those outsourced activities.
FINRA found that since at least January 2018, Robinhood has experienced periodic system outages caused by, among other things, technology changes, system maintenance problems, and overload issues. These outages ranged in duration from a few minutes to, in one instance, more than a day, and varied in impact from displaying inaccurate customer order information on Robinhood’s website and mobile applications to rendering its systems nonfunctional.
Most notably, on March 2–3, 2020, Robinhood’s website and mobile applications shut down, preventing all of Robinhood’s customers (12.5 million accounts at the time) from accessing their accounts during a time of historic market volatility. During the outage, customers could not enter, modify, or cancel orders. Customers also could not communicate with the firm because the firm’s only support options at the time—email and an in-application customer contact portal—also experienced disruptions during portions of the outage and the firm had no live customer service telephone line.
Less than a week later, Robinhood experienced a second outage. This outage was caused by a third-party execution venue’s change to the messaging protocol used to communicate with Robinhood. Robinhood’s parent company failed to test the change to the messaging protocol before implementation. Once the protocol went live, Robinhood’s order entry system was unable to process incoming messages due to an internal coding error. This caused the firm’s order entry system to shut down and remain inoperable for 45 minutes. During the outage, Robinhood customers were unable to submit new orders, existing orders could not be canceled, new orders could not be routed, and it was unclear to Robinhood’s customers whether existing orders were being executed. Furthermore, approximately 166,000 customer orders were temporarily stuck in a “pending” state.
Although Robinhood’s written supervisory procedures discussed supervision of some of the technology-related functions performed by Robinhood’s parent company, FINRA found that no Robinhood principals were responsible for implementing those procedures, and none did so. For example, Robinhood did not supervise its parent company’s response to the outages or assess how its parent company was addressing the root causes of the outages.
6. Where did Robinhood’s business continuity plan fall short?
First, FINRA found that Robinhood unreasonably limited its business continuity plan (BCP) to events that affected its employees’ ability to conduct business from the firm’s physical locations due to, for example, a natural disaster or pandemic. Robinhood’s BCP failed to address technology-related threats to business continuity despite experiencing numerous technology-related outages beginning as early as January 2018 and continued to ignore these threats even after the March 2-3, 2020 outage.
Second, from at least January 2018 through August 2020, Robinhood’s BCP tracked FINRA’s template for “small introducing firms,” and, as a result, was not tailored to (and at times was not even applicable to) Robinhood’s business and large customer base. For example, the BCP stated that, if a significant business disruption occurred, Robinhood would take orders through methods other than its website and mobile applications. Robinhood, however, did not have an alternative method of taking orders. Similarly, the BCP referenced an “alternative trading system” for order execution that did not exist.
7. Did FINRA find other shortcomings?
Yes. FINRA rules require each member firm to report any written grievance by a customer that involves the firm or a person associated with the firm. As noted above, Robinhood’s policy carved out several categories of customer complaints – including those that concerned margin calls unless the customer threatened to file a complaint with a regulator or consult an attorney, those that Robinhood determined lacked merit, including complaints concerning unauthorized account access and those that related to customers’ cryptocurrency purchases or sales through the firm’s cryptocurrency affiliate even if the transactions adversely affected the customers’ brokerage accounts – from the scope of customer complaints that it would report to FINRA.
FINRA also found that Robinhood failed to “establish, document, and maintain a written Customer Identification Program . . . appropriate for [the firm’s] size and business” and that the program failed to contain “procedures for verifying the identity of each customer to the extent reasonable and practicable.” In particular, FINRA found that although Robinhood’s procedures called for it to “request an ID such as a driver’s license or passport” when Robinhood could not verify a customer’s identity using credit reporting agency data, in practice, it usually would automatically approve accounts even when the accounts had been flagged for potential fraud.
Finally, FINRA found that Robinhood’s website and mobile applications failed to display all items of market data required to be displayed by a broker-dealer providing quotation information in NMS stocks for customers. Robinhood failed to display required information such as the size of the last reported sale, the market where the last reported sale occurred or the markets displaying the best bid and the best offer for the security.
8. You mentioned the fines and the restitution. Any other sanctions?
Why, yes. Robinhood was censured. In addition, as noted above, Robinhood has been required to employ an independent compliance consultant in connection with the FINRA and SEC best execution/payment for order flow enforcement actions mentioned above. Robinhood will be required to continue to engage this independent compliance consultant to conduct a comprehensive review of the adequacy of Robinhood’s compliance with all of the areas identified in FINRA’s most recent enforcement action.
9. It really sounds like FINRA means business. I’m concerned that FINRA may find that our procedures are deficient, or that while they look good, we aren’t following them. Is there anyone who can help us?
Yes, of course! If you would like further information concerning the matters discussed in this Legal Insight, please contact a Partner in the Financial Services practice area.