Stash Capital Let 9 Million Accounts Run Without Real Identity Checks for Four Years
A federal regulatory settlement reveals that the popular investing app’s broker-dealer arm failed three separate legal requirements designed to protect ordinary customers from fraud and money laundering, all while the company scaled aggressively and said nothing about it publicly.
The Non-Financial Ledger
Imagine you signed up for a beginner investing app because someone told you it was a safe way to start building something. You handed over your name, your address, your Social Security number. You trusted that someone on the other side of the screen was actually checking who you were before letting you in.
At Stash Capital, that trust was not honored. For more than four years, the firm’s own account approval process was structured in a way that allowed accounts to be opened without anyone genuinely confirming a customer’s identity. The automated system flagged applications as “rejected” or “indeterminate” when something looked off, then routed those same applications through more automated reviews that did not actually address the specific problems that triggered the flags. People were let in anyway.
That means real customers, ordinary people putting their money into brokerage accounts primarily for personal and household purposes, were operating in an environment where the firm managing their money had no reliable picture of who else was in there with them. If your account was swept up in a fraud ring operating through shared phone numbers or temporary email addresses, Stash Capital’s compliance team would have been relying on manual reviews by individual staff members to catch it. With millions of accounts. By hand.
The identity theft risk lands hardest on the people with the least margin for error. A compromised brokerage account is not a minor inconvenience for someone living paycheck to paycheck who used Stash precisely because they were trying to get started with a small amount. The damage to credit, the time spent navigating disputes, the anxiety of not knowing what was done in your name. These harms do not appear in the $450,000 fine. They never do.
Legal Receipts
“From January 2019 to June 2023, the firm failed to develop and implement an AML program that was reasonably designed to achieve compliance with the BSA and its implementing regulations in light of the size and nature of the firm’s customer base.”
- This is FINRA’s formal finding, not an accusation. Stash Capital accepted it without admitting or denying it, which is the standard AWC structure. What it establishes is a four-and-a-half-year window of documented non-compliance at a firm with millions of customers.
- The phrase “in light of the size and nature of the firm’s customer base” is doing significant legal work here. The law does not require perfection; it requires a program proportionate to the scale and risk profile of the business. Stash Capital had tens of millions of customers and did not have that.
“The firm approved numerous applications without sufficiently forming a reasonable belief that it knew the true identity of each of its customers.”
- This is the core legal failure. Knowing who your customer is, called KYC in the industry, is the foundational requirement of every anti-money laundering and fraud prevention framework in U.S. securities law. The regulators found Stash Capital failed to meet this baseline.
- The language “numerous applications” is intentionally general in the AWC, but the document also provides specific examples: roughly 350 accounts with only four Social Security digits, and accounts belonging to people purportedly born in the 1930s and 1940s approved despite fraud indicators already present in their applications.
“The firm did not take additional investigative steps regarding the use of the common phone number and allowed additional accounts to be opened using the same number flagged by its clearing firm for almost six additional months.”
- This quote documents a specific, time-stamped failure. The clearing firm, a separate company handling the actual transaction processing, had already done its job by raising the alert. Stash Capital received that warning, locked some accounts, and then kept the door open for half a year without any further investigation into the pattern.
- The phrase “almost six additional months” means the company was not simply slow to act on a new discovery. It had been told something was wrong and continued allowing the same suspicious activity to proceed.
“Prior to October 2021, the firm primarily relied on customers to report instances where they believed their identity had been stolen or on its clearing firm to report when mail could not be delivered to customers’ purported mailing addresses.”
- This quote reveals the actual operational reality of Stash Capital’s identity theft prevention for the first two-plus years of its violations. The company’s fraud detection strategy was: wait for the victim to call and complain, or wait for the post office to bounce a letter.
- Rule 201 of Regulation S-ID explicitly requires a written program designed to detect and prevent identity theft. Outsourcing detection to victims and mail carriers does not satisfy that standard.
Public Deception
Stash Capital marketed itself as a platform built for everyday people learning to invest, emphasizing simplicity and accessibility. The regulatory record establishes specific gaps between what the firm’s operational reality was and what its compliance systems implied to customers and regulators.
- Stash Capital presented itself as a compliant FINRA member firm with functioning identity verification processes. The actual account approval system routed flagged applications through additional automated reviews that did not address the specific issues triggering those flags, meaning the appearance of a multi-step verification process masked a system that was clearing unresolved red flags automatically.
- The firm’s written procedures, prior to February 2022, did not accurately describe how customer identity verification was actually performed. Per the FINRA findings, those procedures did not describe which databases were searched, when manual reviews would occur, or how red flags would be handled. The written procedures did not match the operational reality.
- Between January 2019 and April 2022, the firm inaccurately believed its third-party vendor was verifying complete Social Security numbers, when in fact the vendor was only receiving the last four digits for approximately 350 accounts. The firm operated under a false assumption about its own core identity verification tool for over three years.
Profit-Maximization at All Costs
The FINRA settlement documents a company that grew at scale while its compliance infrastructure failed to keep pace, and the documented choices show where the priorities were.
- By the end of 2023, Stash Capital had opened more than 9 million customer accounts since its inception. The firm had only approximately 15 registered representatives during the relevant period. The firm relied on manual reviews by staff to catch fraud connections across millions of accounts. The math on that does not work, and the regulatory record establishes it did not work.
- The firm’s automated systems were designed to maximize account approvals. When the initial system flagged applications as rejected or indeterminate, those applications were routed into additional automated pipelines rather than being escalated to human review that addressed the specific flag. This design kept the approval funnel moving at scale.
- The clearing firm identified the shared-phone-number cluster as suspicious as early as 2020. Stash Capital did not write formal monitoring procedures for that specific red flag until May 2022. The gap is not explained by technical complexity. Writing a procedure requires a decision to prioritize it.
- The total penalty for over four years of three-category compliance failure across millions of accounts: $450,000. That figure represents an incentive structure, not a deterrent. It tells every fintech company with a growth-at-all-costs model exactly what the floor cost of skipping compliance infrastructure is.
Regulatory Gray Zones
The failures at Stash Capital were not ambiguous. The rules violated here are clear and specific. What the settlement reveals is how a firm can nominally participate in compliance frameworks while structuring its operations to do the minimum possible within them.
- FINRA Rule 3310 requires an AML program “reasonably designed” for the “size and nature” of the firm’s business. The phrase “reasonably designed” creates interpretive room. Stash Capital appears to have interpreted it as permitting a program designed for a much smaller operation, even as the firm scaled to millions of accounts. The firm maintained manual review processes suited for a small broker-dealer while operating one of the largest retail brokerage customer bases in the country.
- The rule’s risk-based framework for identity verification requires firms to assess their own risk profile and design a program accordingly. Stash Capital’s CIP procedures, prior to February 2022, did not describe the databases used, the sequencing of searches, or how manual reviews would be triggered. By leaving procedures vague and incomplete, the firm avoided documenting the gap between the required standard and its actual practices.
- The identity theft prevention rules under Regulation S-ID require a “written” program with specific components. Prior to October 2021, the firm’s approach of relying on customer self-reporting and mail bounce notifications was not equivalent to a written program, but the gap between a written program that exists on paper and a written program that functions in practice is not always a bright regulatory line.
Societal Impact Mapping
Public Economic Harm
The documented compliance failures created direct exposure for ordinary retail investors using Stash’s platform during the violation period.
- The firm’s failure to maintain a functional CIP meant that accounts could be opened by individuals whose true identities were never verified. Any legitimate customer whose identity was used fraudulently to open an account at Stash Capital during this period had no meaningful protection from the firm’s own systems.
- Approximately 200 accounts linked by a shared phone number were identified as part of a group suspected of attempting to reverse electronic payments in ways indicative of securities free riding. This is a form of financial fraud that exploits the settlement lag in securities transactions to extract money from a brokerage without having the funds to cover it. Legitimate customers and the broader market absorb these losses.
- The firm also failed to timely detect accounts opened using email addresses routed to the same inboxes or using temporary email domains. These are textbook signals of coordinated account fraud. The documented failure to catch them means those schemes had a functional window of operation at Stash Capital.
- Ordinary customers who entrusted Stash Capital with their personal financial information, including Social Security numbers, were operating in an environment where the firm’s own vendor was receiving incomplete data and the firm did not know it for over three years.
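The linkage signals named above (a phone number shared across many accounts, email addresses that land in the same inbox, temporary email domains) can be checked automatically at account opening. The sketch below is an added example, not code from the FINRA document or from Stash Capital; the field names, the cluster threshold, the disposable-domain list and the sample applications are all constructed assumptions.

```python
import re
from collections import defaultdict

# Assumption: a firm-maintained list of temporary-email domains (constructed values).
DISPOSABLE_DOMAINS = {"tempmail.example", "throwaway.example"}

# Constructed sample applications; not real data.
APPLICATIONS = [
    {"id": "A1", "phone": "(555) 010-0142", "email": "r.lee@mail.example"},
    {"id": "A2", "phone": "555-010-0142", "email": "sam+stash1@mail.example"},
    {"id": "A3", "phone": "+1 555 010 0142", "email": "sam+stash2@mail.example"},
    {"id": "A4", "phone": "555-010-0177", "email": "pat@tempmail.example"},
    {"id": "A5", "phone": "555-010-0188", "email": "kim@mail.example"},
]


def normalize_phone(raw):
    """Reduce a US phone number to its last 10 digits so formatting cannot hide reuse."""
    return re.sub(r"\D", "", raw)[-10:]


def canonical_inbox(email):
    """Map an address to the inbox it is delivered to.

    Assumption: the provider delivers 'user+tag@domain' to 'user@domain'.
    """
    local, _, domain = email.strip().lower().partition("@")
    return f"{local.split('+', 1)[0]}@{domain}"


def find_red_flags(applications, min_phone_cluster=3):
    """Return {application id: sorted list of red flags} for flagged applications only."""
    by_phone, by_inbox = defaultdict(list), defaultdict(list)
    flags = defaultdict(set)
    for app in applications:
        by_phone[normalize_phone(app["phone"])].append(app["id"])
        inbox = canonical_inbox(app["email"])
        by_inbox[inbox].append(app["id"])
        if inbox.rsplit("@", 1)[-1] in DISPOSABLE_DOMAINS:
            flags[app["id"]].add("disposable_email_domain")
    for ids in by_phone.values():
        if len(ids) >= min_phone_cluster:  # threshold is an assumption
            for app_id in ids:
                flags[app_id].add("shared_phone")
    for ids in by_inbox.values():
        if len(ids) >= 2:
            for app_id in ids:
                flags[app_id].add("shared_inbox")
    return {app_id: sorted(found) for app_id, found in flags.items()}


def screen_new_application(new_app, known_applications):
    """Screen one new application against history.

    A non-empty result means the application is held for review of those
    specific flags instead of being approved automatically.
    """
    combined = list(known_applications) + [new_app]
    return find_red_flags(combined).get(new_app["id"], [])


if __name__ == "__main__":
    for app_id, found in find_red_flags(APPLICATIONS).items():
        print(app_id, found)
```

Because the new application is screened against the full history, a number that already anchors a cluster keeps blocking automatic approval for every later application that reuses it.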
Systemic Financial Integrity
Anti-money laundering and suspicious activity reporting requirements exist because financial systems can be used to move, hide, and legitimize criminal proceeds. When a broker-dealer opts out of maintaining those systems, the harm extends beyond its own customers.
- From January 2019 to June 2023, Stash Capital’s AML procedures did not include red flags for customers with criminal, civil, or regulatory proceedings against them for crime, corruption, or misuse of public funds, a specific red flag category identified in FINRA’s own Regulatory Notice 19-18, published in May 2019. That means the firm had constructive knowledge of what to look for, from its own regulator, and did not build it into its procedures.
- The firm’s SAR-triggering system flagged only large or excessively frequent deposits and withdrawals. It had no mechanism to connect behavioral patterns across the account lifecycle, from opening red flags through ongoing transaction patterns. This left a structural gap in the firm’s ability to detect the type of coordinated fraud documented in the settlement.
- A broker-dealer with over 9 million accounts that does not function as an effective node in the anti-money laundering network is a gap in the financial system’s defenses. The consequences of that gap are not limited to Stash Capital’s own customer base.
The Settlement Is Not Justice
The settlement structure in this case illustrates precisely why FINRA enforcement does not function as a deterrent for well-capitalized fintech companies.
- Stash Capital is censured and fined $450,000. The firm operated in violation of three separate regulatory frameworks, across at least five specific FINRA and federal rules, for a documented period of four years and five months, across an account base that reached more than 9 million accounts. There is no formula in this settlement that connects the penalty to the scale or duration of the harm.
- The AWC structure allows Stash Capital to settle “without admitting or denying” the findings. The company is not required to state publicly that it did anything wrong. It cannot directly contradict the findings, but it does not have to stand behind them. The regulatory record exists; the company’s public posture does not need to acknowledge it.
- The settlement contains no documented restitution to customers whose accounts were opened under deficient identity verification, no remediation fund, and no independent monitor requirement. The only documented remedies are procedural updates the firm had already been implementing in the final months before the AWC was filed.
- Signing the AWC waives the firm’s right to a hearing, a written decision, and an appeal. This means the matter closes with no adversarial process, no public testimony, and no independent factual record beyond what FINRA’s examination produced. The company avoids the reputational risk of a public disciplinary proceeding.
The “Cost of a Life” Metric
This Is the System Working as Intended
The outcome of this case is not a malfunction of financial regulation. It is what financial regulation produces when a company scales aggressively, compliance infrastructure lags, and the enforcement mechanism is a negotiated settlement with no admission of wrongdoing.
- FINRA’s AWC process is designed to produce settlement, not accountability. The firm can propose the settlement, negotiate its terms, waive its procedural rights, and close the matter without a public hearing. The structure incentivizes firms to self-navigate toward the lowest-cost resolution, and the settlement figure confirms that Stash Capital found it.
- The documented fact that Stash Capital’s clearing firm raised the shared-phone-number red flag in 2020 and the firm did not write a monitoring procedure until May 2022 illustrates that compliance action followed only when regulatory examination pressure made inaction untenable, not when the company independently identified the harm and acted on it.
- The three-year window during which the firm incorrectly believed its vendor was verifying complete Social Security numbers is a documented product of not auditing your own compliance infrastructure. This is what happens when growth is the operating priority and compliance is treated as a cost center rather than a core function.
- Stash Capital’s business model targets people who are new to investing, people with less financial experience and less ability to independently audit the safety of the platform managing their money. The populations most likely to be harmed by deficient identity protection are the same populations the product was built to recruit.
What a Legitimate Fix Looks Like
The core structural failure this case exposes: FINRA’s examination-and-settlement model produces penalties that fintech companies can price into their growth strategies rather than compliance investments that would have prevented the harm.
The following are editorial recommendations grounded in the failure modes documented in this case. They are not findings of the source document.
Regulatory Track
- FINRA should require broker-dealers to submit CIP and AML program certifications that include third-party audits verifying that written procedures match operational reality, specifically addressing the gap this case documents between what procedures say and what automated systems actually do.
- Examinations of rapidly scaling fintech broker-dealers should include mandatory staff-to-account ratio assessments. A compliance program that relies on manual review for millions of accounts by a team of 15 registered representatives should trigger automatic heightened examination.
- FINRA’s existing Regulatory Notice 19-18 red flag guidance should be incorporated as a mandatory checklist component in CIP and AML program audits, not advisory guidance firms can choose to omit from their written procedures.
- FinCEN and FINRA should establish a requirement that broker-dealers annually verify, in writing, that their third-party identity verification vendors are actually receiving and processing the data fields the firm believes are being submitted. The three-year SSN mismatch documented in this case would be caught by a basic annual vendor audit.
Legislative Track
- Congress should require that FINRA enforcement penalties for AML and identity protection violations be calculated with a per-account scaling component when the violation affects a customer base above a defined threshold. A flat $450,000 fine across 9 million accounts is structurally incapable of functioning as a deterrent.
- Legislation should require that AWC settlements in cases involving consumer harm include a mandatory customer notification requirement, disclosing to affected account holders that their identity verification was conducted under a deficient program during the documented period.
- The Bank Secrecy Act’s implementing regulations should be updated to require that broker-dealers with consumer-facing retail platforms above a defined account threshold undergo annual independent compliance audits, with results filed with FinCEN, rather than relying solely on FINRA examination cycles.
Corporate Governance Track
- Stash Capital’s board should require that executive compensation include a compliance scorecard component with clawback provisions triggered by FINRA or SEC findings of rule violations, connecting leadership incentive structures to the compliance failures documented here.
- The firm should be required to maintain a board-level compliance committee with independent directors who have no financial stake in the firm’s growth metrics, specifically tasked with overseeing the adequacy of AML, CIP, and ITPP programs relative to the firm’s account growth trajectory.
- Any fintech broker-dealer that signs an AWC covering identity protection and AML violations should be required to engage an independent compliance monitor for a minimum of three years, with quarterly reports filed with FINRA, to verify that remediation is operational and not merely procedural on paper.
What Now?
Accountability for the compliance failures documented in this case runs through Stash Capital’s leadership and through the regulatory bodies responsible for ensuring the settlement is not the end of the story. The AWC was signed by Brandon Krieg, CEO of Stash Capital LLC, on March 18, 2026. FINRA accepted it on March 20, 2026.
Regulatory Watchlist
- FINRA (Financial Industry Regulatory Authority): The primary enforcement body in this case. Monitor FINRA’s BrokerCheck at finra.org/brokercheck for Stash Capital’s permanent disciplinary record, which now includes this AWC (Case No. 2022076038801). FINRA’s next examination of Stash Capital should be assessed against the remediation commitments embedded in this settlement.
- FinCEN (Financial Crimes Enforcement Network): Responsible for Bank Secrecy Act compliance and SAR reporting standards. The failure to maintain adequate SAR-triggering procedures documented here falls within FinCEN’s direct mandate. Press FinCEN to issue updated guidance specific to high-growth retail fintech broker-dealers.
- SEC (Securities and Exchange Commission): The Securities Exchange Act of 1934’s Regulation S-ID, violated in this case, is an SEC rule. The SEC has independent authority to examine whether Stash Capital’s Regulation S-ID violations warrant further action beyond the FINRA settlement.
Grassroots and Mutual Aid Actions
- If you held a Stash brokerage account between January 2019 and June 2023, file a complaint with FINRA’s investor complaint center and the CFPB. Even if you did not experience direct harm, documented consumer complaints create a public record regulators must address.
- Push your elected representatives on the House Financial Services Committee and Senate Banking Committee to require per-account penalty scaling in FINRA AML enforcement actions. Flat fines do not deter platforms operating at fintech scale.
- Support consumer financial advocacy organizations working on fintech accountability. The regulatory gap this case documents, between growth-stage fintech companies and the compliance infrastructure required of traditional broker-dealers, is a systemic issue, not an isolated one.
The source document for this investigation is attached below.


