Stash Capital LLC, a broker-dealer that operates a digital investment platform, recently agreed to be censured by the Financial Industry Regulatory Authority (“FINRA”) and pay a $450,000 fine. The sanctions were imposed to resolve allegations that the company failed to develop and implement a reasonable anti-money laundering (“AML”) program in compliance with the requirements of the Bank Secrecy Act and failed to implement a reasonable identity theft prevention program, which broker-dealers are required to implement under Rule 201 of Regulation S-ID of the Securities and Exchange Act of 1934. According to a Letter of Acceptance, Waiver, and Consent (“AWC”) that was accepted by FINRA on March 20, 2026, Stash agreed to the terms of the settlement without admitting or denying FINRA’s findings.
According to the AWC, the AML violations largely occurred between January 2019 and June 2023. Stash allegedly failed to establish and maintain a written customer identification program (“CIP”) that was appropriate for the company’s size and business. According to FINRA, Stash’s written procedures failed to provide its staff with adequate instructions on how customers’ identities should be verified – failures that allegedly enabled customer accounts to be opened with incomplete information, including valid social security numbers as FINRA’s CIP Rule requires. Between January 2019 and April 2022, the company allegedly approved the opening of approximately 350 accounts for applicants that only provided the last four digits of their social security numbers, under the mistaken assumption that its vendor had been verifying complete social security numbers. Prior to 2022, Stash’s compliance program also allegedly failed to reasonably describe its CIP processes, including what databases should be searched during the verification process and what situations might prompt a manual review of a customer’s information. According to FINRA, these actions violated FINRA Rules 3310(b) and 2010.
FINRA also indicated that Stash’s AML program failed to contain policies and procedures that were reasonably expected to detect and report suspicious transactions. According to FINRA, between January 2019 and June 2023, Stash’s procedures omitted the identification of AML-specific red flags, even those directly relevant to the company’s business. While Stash was reportedly able to receive automated alerts regarding suspicious deposits and withdrawals that seemed large or excessively frequent, red flags concerning other suspicious activities could only be identified by conducting a manual review of the account at a time when the company had millions of customer accounts. FINRA found that Stash relied solely on manual reviews to link red flags that were present during an account’s opening process with red flags that arose after the account was opened, which prevented the company from detecting, reasonably investigating, and reporting suspicious transactions. For example, the company had approximately 200 accounts that had been opened using a common phone number, and many of these accounts had been identified as a group that engaged in suspicious requests. While Stash was able to lock some of the accounts after its clearing firm confirmed suspicious activity, the company failed to investigate the use of the common phone number and, consequently, continued to open accounts that used this phone number for six months after the problem was discovered. According to FINRA, these deficiencies violated FINRA Rules 3310(a), 3310(f)(ii), and 2010.
From January 2019 to June 2023, Stash also allegedly failed to develop and implement a reasonable identity theft prevention program, and, prior to October 2021, mostly relied on customers to report incidents of suspected identity theft or for its clearing firm to report when mail could not be delivered to physical addresses on file. When identity theft was confirmed, FINRA found that Stash was also unable to take corrective action in a timely manner. FINRA determined that this failure violated FINRA Rule 2010.