Robinhood to Pay $7.5M Over 'Gamification' Practices

News January 18, 2024 at 12:35 PM

After a three-year fight with the Massachusetts Securities Division, Robinhood agreed Thursday to pay $7.5 million to the state and overhaul its digital engagement practices, Secretary of the Commonwealth William Galvin said in a statement.

The Massachusetts Supreme Judicial Court ruled last August to uphold the state's fiduciary rule and allow Galvin's administrative case against Robinhood to move forward.

In that case, Galvin accused Robinhood in December 2020 of violating state law by using overly "aggressive tactics to attract new, often inexperienced, investors" and "gamification to encourage and entice continuous and repetitive use" of its mobile application.

In a consent order filed with Galvin's Securities Division on Thursday, Robinhood agreed to resolve administrative complaints filed in 2020 and 2021.

"While I'm happy that this case with Robinhood has finally been resolved, I'm most grateful that after being thoroughly tested in court, the Massachusetts Fiduciary Rule remains the law of the land," Galvin said in the statement. "This rule allows my office to ensure that investors' interests are being protected in this state, and I hope that other states follow suit."

Lucas Moskowitz, Deputy General Counsel and Head of Government Affairs at Robinhood Markets, Inc., said Thursday in a statement that the settlement "resolves historical matters dating back to 2021 that do not reflect Robinhood today. We've invested heavily in strengthening how we supervise our technology and system controls, ensuring platform stability, and enhancing cybersecurity policies and practices."

As detailed in the consent order, "Robinhood has previously used confetti animation, digital scratch tickets, free stock rewards and other game-like features to push customers to interact with the app."

The app "also employed push notifications and 'most popular' lists to encourage frequent trades," the order states.

In 2021, Robinhood sued Galvin's office in an attempt to block the administrative proceedings against the broker-dealer.

"While Robinhood ceased many of its gamification tactics after complaints were filed by the Securities Division, the settlement in this case ensures that for Massachusetts customer accounts, Robinhood will cease any future use of celebratory imagery tied to the frequency of trading, push notifications highlighting specific lists, and features that mimic games of chance," according to Galvin's office.

Robinhood must also "add disclosures to its lists and engage an independent compliance consultant to evaluate other digital engagement practices that remain in use," the order states.

A Robinhood spokesperson said Thursday in a statement that "We reject the premise that any part of our app, past or present, is 'gamified.' The settlement concerns historical practices related to supervisory controls and procedures, and the order does not find that digital engagement practices in the app themselves violated the regulations or the state's fiduciary rule, or that they negatively influenced customer behavior."

Cyber Breach

The consent order with Robinhood also details cybersecurity issues identified by the Division after a November 2021 data security breach that affected about 117,000 customers in Massachusetts.

According to the consent order, "an unauthorized third party was able to access Robinhood customer information due to a voice phishing scam that convinced an agent to download and run a third-party remote access software on a Robinhood-issued laptop."

Robinhood devices did not block the installation of such unauthorized software.

"The agent, left with inadequate direction on how to report critical data breaches, was unable to reach anyone at Robinhood to report the data breach for nearly an hour," the order explains.

"The agent tried repeatedly to contact Robinhood for help, only to encounter silence, automated messages, and in one case, an internal bot named 'Halp,'" the complaint states. "After the data breach occurred, while under Robinhood's supervision, the agent submitted a play-by-play account of the breach in a cloaked email purporting to include the agent's resume."

Galvin added: "It is clear from the facts gathered in our investigation that Robinhood's internal cybersecurity policies and procedures were deficient.

"Not only did the company not have the necessary technological safeguards in place to protect investor information, but the failure to ensure that an employee could immediately and easily report a data breach to an actual human is unacceptable," he explained.

Robinhood, according to Galvin's office, "has admitted to the facts concerning the data breach, and has agreed to undergo an independent review of its cybersecurity policies."

A Robinhood spokesperson said in a statement that the firm takes "the safety and security of our customers' information and accounts seriously. Since 2021, we have taken numerous steps to safeguard our systems including enhancing our internal security controls and training, as well as building upon our threat detection, threat intelligence, and incident management programs."

The filing of the consent order comes just a day before the broker-dealer's deadline to file an appeal of the Massachusetts Supreme Judicial Court's August 2023 decision with the U.S. Supreme Court.

Robinhood has agreed not to seek an appeal and to dismiss, with prejudice, litigation pending in Suffolk Superior Court, Galvin's office said.
