Three-year legal battle with Massachusetts Secretary of State Comes to a Close
After a three-year legal ordeal, Robinhood Financial, LLC has agreed to a settlement with the Massachusetts Secretary of the Commonwealth’s office over the Division’s allegations of the online platforms “gamification of trading.” As outlined in the consent order, filed with Galvin’s Securities Division, Robinhood agreed to resolve all of the administrative complaints filed against the app in 2020 and 2021.
For those unfamiliar with this proceeding, the genesis of the case centered on Secretary Galvin’s office objections to the gamification of trading used by Robinhood to encourage digital engagement on its platform. Galvin’s office contended that the Robinhood app’s actions were primarily implemented to attract and manipulate its customers. Evidence of this, cited by the Massachusetts Securities Division, included Robinhood’s use of confetti animation, digital scratch tickets, free stock rewards and other game-like features to push customers to interact with the app. The use of push notifications and “most popular” lists to encourage frequent trades was also cited as evidence of the app’s “gamification of trading”.
“While I’m happy that this case with Robinhood has finally been resolved, I’m most grateful that after being thoroughly tested in court, the Massachusetts Fiduciary Rule remains the law of the land,” Galvin said today. “This rule allows my office to ensure that investors’ interests are being protected in this state, and I hope that other states follow suit.”
As part of the settlement, Robinhood has agreed to pay an administrative fine of $7.5 million and overhaul its digital engagement practices.
Robinhood originally sued the Mass. Secretary of State’s office in 2021
In 2021, Robinhood sued Galvin’s office, in an attempt to block the administrative proceedings against the broker-dealer. After a decision in Suffolk Superior Court and a subsequent appeal to the Massachusetts Supreme Judicial Court, Galvin’s authority to promulgate the Massachusetts Fiduciary Rule was upheld and the case was allowed to proceed in August of 2023.
While Robinhood ceased many of its gamification tactics after complaints were filed by the Securities Division, the settlement in this case ensures that for Massachusetts customer accounts, Robinhood will cease any future use of celebratory imagery tied to the frequency of trading, push notifications highlighting specific lists, and features that mimic games of chance. Robinhood must also add disclosures to its lists and engage an independent compliance consultant to evaluate other digital engagement practices that remain in use.
Consent order also addresses serious cybersecurity failings by the trading app
In addition to the gamification issues described in previous administrative complaints, the consent order also addresses serious cybersecurity issues identified by the Division after a November 2021 data security breach that affected approximately 117,000 customers in Massachusetts.
According to the consent order, an unauthorized third party was able to access Robinhood customer information due to a voice phishing scam that convinced an agent to download and run a third-party remote access software on a Robinhood-issued laptop. Robinhood devices did not block the installation of such unauthorized software.
The agent, left with inadequate direction on how to report critical data breaches, was unable to reach anyone at Robinhood to report the data breach for nearly an hour. The agent tried repeatedly to contact Robinhood for help, only to encounter silence, automated messages, and in one case, and internal bot named “Halp.” After the data breach occurred, while under Robinhood’s supervision, the agent submitted a play-by-play account of the breach in cloaked email purporting to include the agent’s resume.
“It is clear from the facts gathered in our investigation that Robinhood’s internal cybersecurity policies and procedures were deficient,” Galvin said. “Not only did the company not have the necessary technological safeguards in place to protect investor information, but the failure to ensure that an employee could immediately and easily report a data breach to an actual human is unacceptable.”
Robinhood has admitted to the facts concerning the data breach that are detailed in the consent order and has agreed to undergo an independent review its cybersecurity policies.
Deal comes just before deadline to appeal to the U.S. Supreme Court
The filing of the consent order comes just a day before the broker-dealer’s deadline to file an appeal of the Massachusetts Supreme Judicial Court’s August 2023 decision with the U.S. Supreme Court. Robinhood has agreed not to seek an appeal and to dismiss, with prejudice, litigation pending in Suffolk Superior Court.