Monday, January 22, 2024

After three-year fight, Robinhood agrees to pay $7.5M fine, change gamification and cyber practices

By John Filar Atwood

Robinhood Financial ended its three-year fight with Massachusetts over its gamification and cyber practices by agreeing to pay a $7.5 million fine and to change its digital engagement and cyber practices. While it neither admitted nor denied the gamification-related violations, Robinhood did admit to the facts surrounding its data breach and agreed to undergo an independent review of its cybersecurity policies.

The consent order settles charges brought in 2020 by the Massachusetts Secretary of the Commonwealth that Robinhood used gamification strategies to attract and influence customers. The practices to which the Massachusetts Secretary objected included the use of confetti animation, digital scratch tickets, free stock rewards, and other game-like features to pressure customers to interact with the Robinhood app. The broker also used push notifications and most-popular lists to encourage frequent trades, according to the Massachusetts Secretary.

Impact on inexperienced investors. The Massachusetts Secretary found that, based on these practices, over 200 Robinhood customers with no self-reported investment experience averaged at least five trades per day on Robinhood’s platform, and at least 25 customers with no self-reported investment experience made at least 15 trades per day. Some inexperienced customers averaged 58 to 92 trades per day, according to the consent order.

Robinhood discontinued many of its digital engagement practices after Massachusetts filed its complaint. The broker ceased use of the digital confetti feature, the digital scratch-off ticket to reveal free stock rewards, and the use of the waitlist tapping feature for its cash management product. Robinhood also stopped using certain push notifications, including those with links to the Top Movers list and 100 Most Popular list.

Fiduciary rule upheld. At the same time, however, Robinhood sued to block the action against it. In the Suffolk Superior Court and later on appeal to the Massachusetts Supreme Judicial Court, the Massachusetts Secretary’s authority to enforce the Massachusetts Fiduciary Rule was upheld. Rather than appeal that ruling, Robinhood agreed to settle.

Better Markets hailed the settlement as a major victory for investors that holds Robinhood accountable for luring inexperienced investors into harmful trading activity. It added that the settlement vindicates the power of the Massachusetts Fiduciary Rule to require brokers to act always in the best interest of investors without regard to financial gain.

Cyber issues. Along with the gamification practices, the consent order relates to cybersecurity issues identified by the Massachusetts Secretary after a November 2021 data security breach. An unauthorized third party accessed Robinhood’s customer information through a voice phishing scam that convinced an agent to run remote access software on a Robinhood-issued laptop. According to the consent order, Robinhood devices did not block the installation of the unauthorized software, and the broker had no procedures in place to enable the agent to quickly report the breach.

Robinhood agreed to review and report on the sufficiency of user access controls, the sufficiency of controls on users’ ability to download third-party software, and the sufficiency of controls on users’ ability to access and download bulk files. It also agreed to review the process for employees to report data breaches and other similar events.