Robinhood Financial, LLC has agreed to settle a 2020 lawsuit brought by Commonwealth Secretary William F. Galvin over the online trading platform’s use of gamification strategies to lure and manipulate customers. As part of that settlement, Robinhood agreed to pay an administrative fine of $7.5 million and review its digital engagement practices.

In a consent order filed today with Galvin’s Capital Markets Division, Robinhood agreed to resolve administrative complaints filed in 2020 and 2021. The consent order also addresses issues uncovered through additional investigation by the Division into a 2021 data security breach that affected Massachusetts customers.

Galvin’s office has objected to the gamification of transactions that Robinhood uses to encourage digital engagement on its platform. As described in the consent order, Robinhood has previously used confetti animations, digital scratch-off tickets, free stock rewards and other game-like features to entice customers to interact with the app. The app also used push notifications and “most popular” lists to encourage frequent transactions.

In 2021, Robinhood sued Galvin’s office in an attempt to block the administrative proceeding against the broker-dealer. After a ruling in Suffolk Superior Court and a subsequent appeal to the Massachusetts Supreme Court, Galvin’s authority to publish the Massachusetts Fiduciary Rule was upheld and the case was allowed to proceed in August 2023.

While Robinhood discontinued many of its gaming tactics after complaints were filed by the Securities Division, the settlement in this case ensures that for Massachusetts customer accounts, Robinhood will stop any future use of holiday images associated with trading frequency, push alerts that highlight specific lists, and features that mimic gambling. Robinhood must also add disclosures to its lists and hire an independent compliance consultant to evaluate other digital engagement practices that remain in use.

In addition to the gaming issues described in previous administrative complaints, the consent order also addresses serious cybersecurity issues the Department identified following a November 2021 data security breach that affected approximately 117,000 customers in Massachusetts.

According to the consent order, an unauthorized third party was able to access Robinhood customer information due to a voice phishing scam that convinced an agent to download and run third-party remote access software on a Robinhood-issued laptop. Robinhood devices did not prevent the installation of such unauthorized software.

Left with inadequate guidance on how to report critical data breaches, the agent was unable to reach anyone at Robinhood to report the data breach for nearly an hour. The agent repeatedly tried to contact Robinhood for help, only to be met with silence, automated messages, and in one case, an internal bot named “Halp.” After the data breach took place while under Robinhood’s supervision, the agent provided a play-by-play account of the breach in hidden emails purporting to include the agent’s resume.

Robinhood has admitted the facts surrounding the data breach detailed in the consent order and has agreed to undergo an independent review of its cybersecurity policies.

The filing of the consent order comes just one day before the broker-dealer’s August 2023 deadline to appeal the Massachusetts Supreme Court decision to the U.S. Supreme Court. Robinhood agreed not to appeal and to dismiss, with prejudice, the lawsuit pending in Suffolk Superior Court.

