Two brokerage units of investment firm Robinhood Markets have agreed to pay $45 million in combined civil penalties to settle a range of SEC violations arising from their brokerage operations, including one stemming from a 2021 data breach that exposed millions of customer names and emails.
The violations stem from numerous failures related to trading activity reporting, cybersecurity practices, recordkeeping, filing timely reports of suspicious activity and customer communication, according to SEC acting director Sanjay Wadhwa in a statement.
Robinhood also admitted to breaking rules on retaining work-related communications in connection with employees' use of messaging apps, such as WhatsApp, and other "off-channel" communication platforms.
Robinhood Securities will pay $33.5 million as part of the settlement, while Robinhood Financial will pay $11.5 million. The firms have also agreed to conduct internal audits and address the regulatory deficiencies identified in the SEC’s order.
“Today’s order finds that two Robinhood firms failed to observe a broad array of significant regulatory requirements, including failing to accurately report trading activity, comply with short sale rules, submit timely suspicious activity reports, maintain books and records, and safeguard customer information,” said Wadhwa.
Robinhood, founded in 2013, has a history of big-ticket regulatory penalties. In 2020, Robinhood Financial paid $65 million to settle SEC allegations that it didn’t sufficiently disclose its business dealings with high-speed traders. In 2021, the same unit paid nearly $70 million to the Financial Industry Regulatory Authority, the brokerage industry’s self-regulator.
The violations by both Robinhood broker-dealers include the following conduct, from 2019 to 2022:
- Suspicious activity reporting: Failure to timely investigate suspicious transactions, resulting in systematic failures to timely file suspicious activity reports.
- Identity theft protection: Failure to implement adequate policies and procedures designed to protect their customers from the risk of identity theft.
- Unauthorized access: Failure to adequately address cybersecurity risks related to remote access to their systems, after a third party obtained unauthorized access and downloaded information related to millions of individuals who had provided that information to Robinhood.
- Off-channel communications: Longstanding failures to maintain and preserve electronic communications in violation of the recordkeeping provisions of the federal securities laws.