SoFi Technologies, Inc.
TABLE OF CONTENTS
Item 1A. Risk Factors
In evaluating our company and our business, you should carefully consider the risks and uncertainties described below, together with the other information in this Annual Report on Form 10-K, including our consolidated financial statements and the related notes and the section titled "Management's Discussion and Analysis of Financial Condition and Results of Operations". The occurrence of one or more of the events or circumstances described in these risk factors, alone or in combination with other events or circumstances, may have a material adverse effect on our business, reputation, revenue, financial condition, results of operations or future prospects, in which case the market price of our common stock could decline, and you could lose part or all of your investment. Unless otherwise indicated, references in this section and elsewhere in this Annual Report on Form 10-K to our business being adversely affected, negatively impacted or harmed will include an adverse effect on, or a negative impact or harm to, our business, reputation, financial condition, results of operations, revenue or our future prospects. The material and other risks and uncertainties summarized in this Annual Report on Form 10-K and described below are not intended to be exhaustive and are not the only ones we face. Additional risks and uncertainties not presently known to us or that we currently deem immaterial may also impair our business. This Annual Report on Form 10-K also contains forward-looking statements that involve risks and uncertainties. Our actual results could differ materially from those anticipated in the forward-looking statements as a result of a number of factors, including the risks described below. See the section titled "Cautionary Statement Regarding Forward-Looking Statements".
Summary Risk Factors
Our business is subject to numerous risks and uncertainties, which illuminate challenges that we face in connection with the successful implementation of our strategy and the growth of our business. Our business, prospects, financial condition or operating results could be harmed by any of these risks, as well as other risks not currently known to us or that we currently consider immaterial. These risks are discussed more fully below and include, but are not limited to:
Business, Financial and Operational Risks
•our ability to successfully identify and address the risks and uncertainties we face, particularly with respect to certain rapidly evolving industries;
•demands on our resources, intense and increasing competition, and the success of our business model;
•legislative and regulatory policies and related actions that apply or may apply to us, particularly as a result of our operating a bank and as a bank holding company, in connection with student loans, given our brokerage and investment advisory activity, or related to services provided by our technology platform;
•loss of one or more significant purchasers of our loans or one or more significant technology platform clients;
•adverse developments affecting the financial services industry, such as actual events or concerns involving liquidity, defaults, or non-performance by financial institutions or transactional counterparties;
•uncertainty of macroeconomic conditions and the impact of macroeconomic factors, including changes in governmental policy, regulatory responses, applicable laws and regulations, fluctuating inflation and interest rates, delinquency rates on consumer debt, changes in consumer discretionary spending and economic uncertainty;
•failure of third-party service providers or systems on which we rely or, in the event we move certain services or systems in-house, our ability to successfully perform those services or implement and operate those systems;
Risks Related to Market and Interest Rates
•cost and availability of funding in the capital markets and fluctuations in interest rates could impact our ability to operate our business;
•higher than expected payment rates of loans have in the past and could in the future negatively impact our returns as the holder of the residual interests in securitization trusts;
•decreased demand for certain lending products due to changes in interest rates, such as student loans and home loans, could negatively impact our results of operations;
•an inability to maintain a competitive annual percentage yield on deposits could cause members to transfer checking and savings account balances to our competitors;
Risks Related to Strategic and New Products
•potential and past acquisitions that require significant attention could disrupt our business and adversely affect our financials;
27
SoFi Technologies, Inc.
TABLE OF CONTENTS
•we may fail to innovate or respond to evolving technological or other changes;
•we may experience an increase in fraudulent activity, particularly in connection with our personal loans product, credit card and SoFi Money;
•inability to increase fee-based, capital-light revenue sources and continue to expand our Loan Platform Business;
•we are subject to increased business, economic and regulatory risks from continued expansion abroad, given our brokerage and investment advisory activity, or related to services provided by our technology platform;
Credit Market Related Risks
•we could be adversely impacted by worsening economic conditions, including general economic uncertainty, fluctuating inflation and interest rates, market volatility, the cyclical nature of our industry, and our ability to maintain expected levels of liquidity;
•our inability to make accurate credit and pricing decisions or effectively forecast our loss rates;
•the discharge of qualified student loans in bankruptcy in certain circumstances;
•the failure of our third-party service providers to perform functions related to the origination and servicing of loans;
•financial issues or liquidity issues experienced by our technology platform clients could result in termination of, or inability to pay for, their services;
Risks Related to Funding and Liquidity
•our ability to retain, increase or secure new or alternative financing, including through deposits, to finance our business and the receivables that we originate or other assets that we hold;
•termination of one or more of our warehouse facilities on which we are highly dependent;
•our ability to sell the loans we originate to third parties;
•increases in member loan default rates or the possibility of being required to retain or repurchase loans or indemnify the purchasers of our loans;
Regulatory, Tax and Other Legal Risks
•our exposure to evolving laws, rules, regulations and government enforcement policies, and potential enforcement actions, litigation, investigations, exams or inquiries or impairment of licenses;
•our ability to effectively mitigate risk exposure;
•changes in business, economic or political conditions;
•failure to comply with laws and regulations, including related to banks and bank holding companies, consumer financial protection, anti-money laundering, anti-corruption or privacy, information security and data protection;
•increased regulatory scrutiny of the services provided by our technology platform;
•application of regulations and supervision under banking and securities laws and regulations;
•our ability to efficiently protect our intellectual property rights;
•failure to comply with open source licenses for open source software included in our or any of our subsidiaries' platforms;
•the risk that we are, or any of our subsidiaries is, determined to have been subject to registration as an investment company under the Investment Company Act;
Personnel and Business Continuity Risks
•the loss of key management members or key employees, or an inability to hire key personnel;
•natural disasters, power outages, telecommunications failures, man-made problems and similar events;
•employee misconduct;
Risk Management and Financial Reporting Risks
•our ability to establish and maintain proper and effective internal control over financial reporting and risk management processes and procedures;
•adjustments to our key business metrics, including adjustments to the total number of members or products in the event a member is removed in accordance with our terms of service which may not be reflected in the current period;
•changes in accounting principles generally accepted in the United States;
28
SoFi Technologies, Inc.
•incorrect estimates or assumptions by management in connection with the preparation of our financial statements;
Information Technology and Data Risks
•breach or violation of law by a third party on which we depend;
•cyberattacks and other security breaches or disruptions of our systems or third-party systems on which we rely, including our cloud computing services arrangement, disruptions that may impact our ability to collect loan payments and maintain accurate accounts, or our ability to provide services to our technology platform clients;
•technology challenges related to the collection, processing, use, storage and transmission of personal data;
•liabilities related to the data, models, and use of artificial intelligence in products or business processes;
Risks Related to Ownership of Our Securities
•volatility in the price of our common stock, changes in analyst ratings or expectations, and future dilution of our stockholders;
•possibility of securities litigation, which is expensive and time consuming; and
•failure to comply with Nasdaq continued listing standards.
Business, Financial and Operational Risks
We operate in rapidly evolving industries and have limited experience in parts of our Financial Services and Technology Platform segments, which may make it difficult for us to successfully identify and address the risks and uncertainties we face.
We operate in rapidly evolving industries which may make it difficult to successfully identify risks to our business and evaluate our future prospects. In addition, in recent years, we have rapidly expanded our operations to include or expand, among other things, deposit accounts, credit cards, investment services, technology solutions, home loan originations, small business financing solutions, loan platform business solutions, alternative investments, and international operations, and we have limited experience in these areas. In the first quarter of 2022, we acquired a bank charter and face risks as a result of our lack of experience operating a bank and as a bank holding company. We also acquired Technisys in the first quarter of 2022, which furthered our international expansion into Latin America and introduced new risks due to our limited history of operations in certain Latin American countries. In 2023, we acquired Wyndham, a fintech mortgage lender, which expanded our home loan business. In 2024, we adopted our Technology Platform's Cyberbank Core in connection with the launch of a commercial payment services sponsor bank program.
In addition to the events above, we face numerous challenges to our success, including our ability to:
•increase or maintain the number, volume and types of, and add new features to, the loans we extend to our members as the market for loans evolves and as we face new and increasing competitive threats;
•successfully integrate our past and future acquisitions, including continuing to develop Wyndham's technology, performing functions in home loans origination, such as home loans processing and underwriting, and managing the origination of new home loan types;
•increase the number of members utilizing our non-lending products, including our direct deposit feature, and maintain and build on the loyalty of existing members by increasing their use of new or additional products;
•continue to increase our fee-based revenue within our Loan Platform Business, including fees earned for originating loans on behalf of third-party partners and fees earned for referring loans to be originated by third party partners;
•successfully maintain and enhance our diversified funding strategy, including through deposits, securitization financing from consolidated and nonconsolidated VIEs, whole loan sales, and debt warehouse facilities;
•further establish, diversify and refine our checking and savings, credit card, investment and brokerage offerings to meet evolving consumer needs and preferences;
•offer an attractive annual percentage yield on our deposits compared to our competitors and manage deposit costs;
•diversify our revenue streams across our products and services;
•favorably compete as a service provider with other companies and banks, including traditional and alternative technology-enabled lenders, financial service providers, broker-dealers, social media and other commerce platforms and applications that offer peer-to-peer, in-app and social commerce payment capabilities, and technology platform;
29
SoFi Technologies, Inc.
•continue to realize the benefits of operating a bank;
•introduce new products or other offerings, as well as new or improved technologies, to meet the needs of our existing and prospective members or to keep pace with competitive lending, checking and savings, credit card, investment, technology and other developments;
•maintain or increase the effectiveness of our direct marketing and other sales and marketing efforts, and maintain our brand;
•successfully design, develop, integrate, operate and maintain technology systems at scale and with a high degree of reliability that support our member growth and product adoption;
•successfully navigate economic conditions and fluctuations in the credit markets, including fluctuating inflation and interest rates, and economic uncertainty;
•continue to add new clients and new products to existing clients in our technology platform as a service business;
•successfully identify financial issues or liquidity issues experienced by our technology platform clients that could result in termination of, or their inability to pay for, our technology platform services;
•successfully diversify our technology platform clients into new industry verticals and new geographies;
•successfully identify a slowdown or acceleration in the business growth of our technology platform clients to ensure aligned costs and capabilities;
•successfully navigate the evolving regulatory environment for a technology platform as a service provider;
•establish fraud prevention strategies that proactively identify threat vectors and mitigate losses;
•defend our platform from information security vulnerabilities, cyberattacks or malicious attacks;
•effectively manage the growth of our business;
•effectively manage our expenses;
•obtain debt or equity capital on attractive terms or at all;
•successfully continue to expand internationally;
•adequately respond to macroeconomic and other exogenous challenges, including fluctuating interest rates, market volatility, particularly in the financial services industry, changes in consumer confidence, consumer discretionary spending and loan delinquency rates, pandemics or other health-related crises, escalating conflict in the Middle East, the ongoing war in Ukraine, and significant changes related to governmental policy, rules and regulations or executive actions;
•maintain successful relationships with our governmental regulatory agencies and law enforcement authorities, as well as self-regulatory agencies; and
•anticipate and react to changes in an evolving regulatory and political environment.
We may not be able to successfully address the risks and uncertainties we face, which could negatively impact our business, financial condition, results of operations, cash flows and future prospects.
We have a history of losses and may experience net losses in the future and there is no assurance that our revenue and business model will be successful.
We have a history of net losses prior to the fourth quarter of 2023. We may incur net losses in the future, and any such losses may fluctuate significantly from quarter to quarter. We will need to continue to generate and sustain significant revenues for our business generally and achieve greater scale and generate increasing operating cash flows from our Financial Services segment, in particular, in future periods, as well as successfully navigate the macroeconomic environment, in order to maintain or increase our level of profitability. We intend to continue to invest in new products and businesses, which has in the past and may in the future cause us to fund and operate aspects of our business at a loss. We also intend to continue to invest in sales and marketing, technology, and additional products and services in order to enhance our brand, our brand recognition and our value proposition to our members, prospective members and clients in our technology platform business, and these additional costs will create further challenges to maintaining or increasing near-term profitability. Our general and administrative expenses have in the past and may in the future increase to meet the increased compliance and other requirements associated with operating as a public company and a bank holding company, operating a bank, and evolving regulatory requirements and policy changes. See "Regulatory, Tax and Other Legal Risks-As a bank holding company, we are subject to extensive supervision and
30
SoFi Technologies, Inc.
regulation, and changes in laws and regulations applicable to bank holding companies could limit or restrict our activities and could have a material adverse effect on our operations".
We are continuously refining our revenue and business model, which is premised on creating a virtuous cycle for our members to engage with more products across our platform, a strategy we refer to as the Financial Services Productivity Loop, and, with respect to our Technology Platform segment, adoption by clients of additional platform as a service offerings. There is no assurance that our revenue and business model, or any changes to our revenue and business model to better position us with respect to our competitors, will be successful. Our efforts to continue to grow our business may be more costly than we expect, and we may not be able to maintain or increase our revenue sufficiently to offset our higher operating expenses. We may incur future losses and we may be unable to maintain profitability, for a number of reasons, including the risks described in this Annual Report on Form 10-K, unforeseen expenses, difficulties, complications and delays, differences between our assumptions and estimates and results, the effects of macroeconomic conditions and other unknown events.
We have experienced rapid growth in recent years, including through the addition of new products and lines of business and entry into new geographies, which may place significant demands on our operational, risk management, sales and marketing, technology, compliance, and finance and accounting resources.
Our rapid growth in certain areas of our business in recent years, primarily within our Financial Services and Technology Platform segments, as well as operating a bank and as a bank holding company, has placed significant demands on our operational, risk management, sales and marketing, technology, compliance, and finance and accounting infrastructure, and has resulted in increased expenses, a trend that we expect to continue as our business grows. In addition, we are required to continuously develop and adapt our systems and infrastructure in response to the increasing sophistication of the consumer financial services market, changing technologies, evolving fraud, privacy and information security landscape, and regulatory developments, both domestically and internationally, relating to our existing and projected business activities. Our future growth will depend on, among other things, our ability to maintain an operating platform and management system able to address such growth, our ability to grow and optimize deposit balances, and our ongoing ability to demonstrate to our regulators that our risk management and compliance practices are growing and evolving in a commensurate fashion, all of which has required, and we expect will continue to require, us to incur significant additional expenses, expand our workforce and commit additional time from senior management and operational resources. We may not be able to manage supporting and expanding our operations effectively, and any failure to do so would adversely affect our ability to increase the scale of our business, generate projected revenue and control expenses.
Our results of operations and future prospects depend on our ability to retain existing members and attract new members. We face intense and increasing competition and, if we do not compete effectively, our competitive positioning and our operating results will be harmed.
We operate in a rapidly changing and highly competitive industry, and our results of operations and future prospects depend on, among others:
•the continued growth and engagement of our member base;
•our ability to further monetize our member base, including through the use of additional products by our existing members;
•our ability to acquire members at a lower cost; and
•our ability to increase the overall value to us of each of our members while they remain on our platform (which we refer to as a member's lifetime value).
We expect our competition to continue to increase, as there are no substantial barriers to entry to certain of the markets we serve. Some of our current and potential competitors have longer operating histories, particularly with respect to our financial services products, significantly greater financial, technical, marketing and other resources, and a larger customer base than we do. This allows them to potentially offer more competitive pricing or other terms or features, a broader range of financial products, or a more specialized set of specific products or services, as well as respond more quickly than we can to new or emerging technologies and changes in member preferences. In addition to established enterprises, we may also face competition from early-stage companies attempting to capitalize on the same, or similar, opportunities as we are. Our existing or future competitors may develop products or services that are similar to our products and services or that achieve greater market acceptance than our products and services. This could attract current or potential members away from our services and reduce our market share in the future. Additionally, when new competitors seek to enter our markets, or when existing market participants seek to increase their market share, these competitors sometimes undercut, or otherwise exert pressure on, the pricing terms prevalent in that market, which could adversely affect our market share and/or our ability to capitalize on market opportunities.
31
SoFi Technologies, Inc.
We currently compete at multiple levels with a variety of competitors, including:
•other personal loan, student loan refinancing, in-school student loan and home loan lenders, including other banks and other financial institutions, as well as credit card issuers, that can offer more competitive interest rates or terms;
•banks and other financial institutions, with respect to our checking and savings accounts;
•rewards credit cards provided by other financial institutions, with respect to our SoFi Credit Card;
•other brokerage firms, including online or mobile platforms, and other companies for our SoFi Invest accounts;
•other mortgage lenders, including fintech-focused lenders, and other companies for our home loans;
•social media and other commerce platforms and applications that offer peer-to-peer, in-app and social commerce payment capabilities;
•other technology platforms with respect to the enterprise services we provide, such as technology products and solutions via Galileo and Technisys;
•other content providers for subscribers to our financial services content, including content from alternative providers available to our subscribers through our Lantern service, which is a financial services aggregator providing marketplace lending products, and various enterprise partnerships; and
•other financial services firms offering employers a comprehensive platform for employees to build financial well-being through student loan and 529 educational plan contributions, educational tools, and financial resources, all of which we provide through SoFi At Work.
We believe that our ability to compete depends upon many factors both within and beyond our control, including, among others, the following:
•the size, diversity and lifetime value of our member base and technology platform clients;
•our ability to introduce successful new products and services, as well as new or improved technologies, or to iterate and innovate on existing products or services to satisfy evolving member and technology platform client preferences or to keep pace with market trends;
•our ability to diversify our revenue streams across our products and services, and cost effectively acquire new members and technology platform clients;
•the timing and market acceptance of our products and services, including developments and enhancements to those products and services, offered by us and our competitors;
•member and technology platform client service and support efforts;
•selling, marketing and promotional efforts;
•our ability to continue to expand the Loan Platform Business with existing and new loan origination partners;
•our ability to continue to increase our fee-based revenue and diversify our revenue base;
•our ability to compete on price, particularly with respect to SoFi Invest and the Technology Platform where demand for our products and services may be affected if we are unable to compete with other brokerages or technology-as-a-service providers on price;
•our ability to offer competitive interest rates on deposit accounts;
•the ease of use, performance, price and reliability of solutions developed either by us or our competitors;
•our ability to attract and retain talent;
•changes in economic conditions, and regulatory and policy developments;
•our ability to successfully operate a national bank, grow deposits and realize the potential benefits to our members;
•our ability to successfully scale our products and services and execute on our Financial Services Productivity Loop strategy and our other business plans, including successfully integrating our acquisitions and diversifying our technology platform clients into new industry verticals and new geographies;
•general market conditions and their impact on our liquidity and ability to access funding;
•the impact of macroeconomic conditions, including changes in interest rates, stock market volatility, changes in consumer confidence, consumer discretionary spending, and any changes in loan default rates, and related developments on the lending and financial services markets we serve; and
32
SoFi Technologies, Inc.
•our brand strength relative to our competitors.
Our current and future business prospects demand that we act to meet these competitive challenges but, in doing so, our revenues and results of operations could be adversely affected if we, for example, increase marketing or other expenditures or make new expenditures in other areas. Competitive pressures could also result in us reducing the annual percentage rate on the loans we originate, increasing the annual percentage rate we pay on the checking and savings product, charging fees for services we currently provide for free, incurring higher member or technology platform client acquisition costs, or make it more difficult for us to grow our loan originations in both number of loans and volume for new as well as existing members or expand the adoption of additional products by our current, or acquire new, technology platform clients. All of the foregoing factors and events could adversely affect our business, financial condition, results of operations, cash flows and future prospects.
Increased market volatility and adverse changes in financial market conditions may increase our market risk.
Our liquidity, competitive position, business, results of operations and financial condition are affected by market risks such as changes in interest rates, fluctuations in equity, commodity and futures prices, the implied volatility of interest rates and credit spreads and other economic and business factors. These market risks may adversely affect, among other things, the value of our securities, the cost of debt capital and our access to credit markets, customer allocation of capital among investment alternatives, and our competitiveness with respect to deposit pricing, and may negatively impact customer confidence in the safety and soundness of banks. In times of market stress or other unforeseen circumstances, previously uncorrelated indicators may become correlated, which may limit the effectiveness of our strategies to manage these risks.
Our future growth depends significantly on our branding and marketing efforts, and if our marketing efforts are not successful or we receive negative publicity, our business and results of operations will be harmed.
We have invested significantly in our brand and believe that maintaining and enhancing our brand identity is critical to our success. Our ability to attract members depends in large part on the success of these marketing efforts and the success of the marketing channels we use to promote our products. Our marketing channels include, but are not limited to, earned media through press, social media and search engine optimization, as well as paid advertising, such as online affiliations, search engine marketing, digital marketing, social media marketing, influencer marketing, offline partnerships, out-of-home, direct mail, lifecycle marketing and television and radio advertising. Our ability to compete for, attract and maintain members, lending counterparties, marketing partners and other partners relies to a large extent on their trust in our business, our reputation and the value of our brand. While our goal remains to increase the strength, recognition and trust in our brand by increasing our member base and expanding our products and services, if any of our current marketing channels becomes less effective, if regulatory requirements, including the CFPB and FDIC's advertising rules, restrict or diminish our ability to use these channels, if we are unable to continue to use any of these channels, if we receive negative publicity or fail to maintain our brand, if the cost of using these channels significantly increases or if we are not successful in generating new channels, we may not be able to attract new members or increase the activity of our existing members on our platform in a cost-effective manner. For example, in February 2024, the CFPB released a Consumer Financial Protection Circular, warning digital comparison-shopping tool operators and lead generators that marketing practices that take unreasonable advantage of a consumer's reasonable reliance on the operator or lead generator to act in the consumer's interests may violate the CFPA prohibition on abusive acts or practices. Such unreasonable advantage can include distorting the shopping experience for a consumer financial product or service by giving preferential treatment to an operator or lead generator's own or other products or services through steering or enhanced product placement, for financial or other benefits. If we are unable to recover our marketing costs through increases in the size, value or the overall number of loans we originate, or member selection and utilization of other SoFi products such as SoFi Money, SoFi Invest and SoFi Credit Card, it could have a material adverse effect on our business, financial condition, results of operations, cash flows and future prospects. In addition, negative publicity can adversely affect our reputation and damage our brand, and may arise from many sources, including actual or alleged misconduct, errors or improper business practices by employees, employee claims of discrimination or harassment, product failures, existing or future litigation or regulatory actions, inadequate protection of consumer information by us or our third-party service providers, data breaches, matters related to or affecting our financial reporting or compliance with SEC and Nasdaq listing requirements and media coverage, whether accurate or not. Negative publicity or allegations could reduce demand for our products, result in a decrease in the price of our stock, undermine the loyalty of our members and the confidence of our lending counterparties and technology platform clients, impact our partnerships, reduce our ability to recruit and retain employees or lead to greater regulatory scrutiny, all of which could lead to the attrition of our members, lending counterparties, and/or technology platform clients and harm our results of operations. In addition, we and our officers, directors and/or employees have been, and may in the future be, named or otherwise involved in litigation or claims, including employment-related claims such as workplace discrimination or harassment, which could result in negative publicity and/or adversely impact our business, even if we are ultimately successful in defending against or litigating such claims.
33
SoFi Technologies, Inc.
Reputational harm, including as a result of our actual or alleged conduct or public opinion of the financial services industry generally, could adversely affect our business, results of operations, and financial condition.
Reputation risk, or the risk to our business, earnings and capital from negative public opinion, is inherent in our business and has increased substantially because of our size and profile in the financial services industry. Moreover, negative public opinion has in the past and could in the future result from actions by the financial services industry generally, including due to the failure of one or more additional banks, or by certain members or individuals in the industry and can adversely affect our reputation with no actual or alleged actions on our part. For example, public opinion of the financial services industry was negatively impacted following the 2023 closures of Silicon Valley Bank, Signature Bank, and First Republic Bank and generally resulted in decreases in the stock prices of financial services companies.
Negative public opinion could result from our actual or alleged conduct in any number of activities, including sales and marketing practices; home loan or other consumer lending practices; loan origination or servicing activities; mortgage foreclosure actions; management of client accounts or investments; lending, investing or other business relationships; identification and management of potential conflicts of interest from transactions; obligations and interests with and among our members or customers; environmental, social and governance practices; litigation or regulatory actions taken by us or to which we are a party; regulatory compliance; risk management; incentive compensation practices; and disclosure, sharing or inadequate protection or improper use of member or customer information, and from actions taken by government regulators and community or other organizations in response to that conduct. Although we have policies and procedures in place intended to detect and prevent conduct by employees and third-party service providers that could potentially harm members or customers or our reputation, there is no assurance that such policies and procedures will be fully effective in preventing such conduct.
Furthermore, our actual or perceived failure to address or prevent any such conduct or otherwise to effectively manage our business or operations could result in significant reputational harm. For example, our marketing strategy includes an emphasis on social media. Social media provides a powerful medium for consumers, employees and others to communicate their approval of or displeasure with a business. This aspect of social media is especially challenging because it allows any individual to reach a broad audience with an ability to respond or react, in near real time, with comments that are often not filtered or checked for accuracy. We monitor social media metrics for their impact on our business but if we are unable to quickly and effectively respond, any negative publicity could "go viral", causing nearly immediate and potentially significant harm to our brand and reputation, and our business, whether or not factually accurate, including a significant withdrawal of deposits from SoFi Bank within a short period of time.
Our reputation and/or business could be negatively impacted by ESG matters and/or our reporting of such matters.
We communicate certain ESG-related initiatives regarding our employees, climate-related commitments and goals, and other matters in our ESG Report, on our website, in our filings with the SEC, and elsewhere. These initiatives and commitments could be difficult to achieve and costly to implement. We could fail to achieve, or be perceived to fail to achieve, our ESG-related initiatives or commitments. In addition, we could be criticized for the timing, scope or nature of these initiatives, goals, or commitments, or for any revisions to them. To the extent that our required and voluntary disclosures about ESG matters change, we could be criticized for the accuracy, adequacy, or completeness of such disclosures. Our actual or perceived failure with respect to our ESG-related initiatives, goals, or commitments could negatively impact our reputation, result in ESG-focused investors not purchasing and holding our stock, or otherwise materially harm our business.
We may be unable to satisfactorily meet evolving standards, regulations and disclosure requirements related to ESG. For example, a number of state legislators and regulators have adopted or are currently considering proposing or adopting other rules, regulations, directives, initiatives and laws requiring ESG-related disclosures or conduct, including California laws S.B. 253, S.B. 261 and A.B. 1305. The adoption of these and similar laws could require us to, among other things, expend material capital resources in connection with such compliance efforts. Furthermore, there continues to be a lack of consistent proposed climate change and ESG-related legislation and guidance, which creates regulatory and economic uncertainty. Such matters can affect the willingness or ability of investors to make an investment in our Company, as well as our ability to meet regulatory requirements. Any failure, or perceived failure, to meet evolving regulations and industry standards could have an adverse effect on us.
In addition, in recent years "anti-ESG" sentiment has gained momentum across the U.S., with several states and Congress having proposed or enacted "anti-ESG" policies, legislation, or initiatives or issued related legal opinions, and President Trump having recently issued an executive order discouraging diversity equity and inclusion ("DEI") initiatives in the private sector. Such anti-ESG and anti-DEI-related policies, legislation, initiatives, litigation, legal opinions, and scrutiny could result in volatility of our stock price and the Company facing additional compliance obligations, becoming the subject of investigations and enforcement actions, or sustaining reputational harm.
34
SoFi Technologies, Inc.
We may experience fluctuations in our quarterly operating results.
We may experience fluctuations in our quarterly operating results due to a number of factors, including changes in the fair values of our instruments (including, but not limited to, our loans), the level of our expenses, the degree to which we encounter competition in our markets, general economic conditions, significant changes in default rates on loans, the rate and credit market environment and our ability to raise our coupon rates along with interest rates that are higher than those in the recent past, legal or regulatory developments, changing demographics, and legislative, regulatory or policy changes. In light of these factors, results for any period should not be relied upon as being indicative of performance in future periods.
We sell our loans to a concentrated number of whole loan purchasers and the loss of one or more significant purchasers could have a negative impact on our operating results.
Although we continue to hold loans on-balance sheet for longer periods, when we sell our personal loans, student loans and home loans, we sell to a concentrated number of whole loan purchasers. There are inherent risks whenever a large percentage of a business is concentrated with a limited number of parties. It is not possible for us to predict the future level of demand for our loans by these or other purchasers. In addition, purchases of our loans by these purchasers have historically fluctuated and may continue to fluctuate based on a number of factors, some of which may be outside of our control, including economic conditions, the availability of alternative investments, changes in the terms of the loans, loans offered by competitors, prevailing interest rates and a change in business plan, liquidity or strategy by the purchaser. If any of these purchasers significantly reduces the dollar amount of the loans it purchases from us, we may be unable to sell those loans to another purchaser on favorable terms or at all, which may require us to reduce originations or hold additional loans on balance sheet and may reduce our flexibility in making financing decisions. In addition, the loss of one or more significant purchasers of our loans could increase the volatility of the mark-to-market methodology we use to determine the fair value of the loans we hold on balance sheet. This may have a material adverse effect on our revenues, results of operations, capital requirements, liquidity and cash flows.
Galileo and Technisys depend on a small number of clients, the loss or disruptions in operations of any of which could have a material adverse effect on their businesses and financial results, and negatively impact our financial results and results of operations.
Galileo and Technisys revenue from clients is highly concentrated. There are inherent risks whenever a large percentage of net revenue is concentrated with a limited number of clients, including fluctuations in revenue, the loss of any one or more of those clients as a result of bankruptcy or insolvency proceedings involving the client, the loss of the client to a competitor, harm to that client's reputation or financial prospects or other reasons, including adverse general economic conditions affecting Galileo and Technisys clients many of which are fintechs and other financial services firms. Any reduction in the amount of revenues that we derive from these clients, without an offsetting increase in new sales to other clients, has had and could have a material adverse effect on our operating results in the future. A significant change in the liquidity or financial position of our clients could also have a material adverse effect on our liquidity and our future operating results. In addition, disruptions in the operations of certain of Galileo's key clients have had an adverse impact on Galileo, and any future disruptions in the operations of any key Galileo or Technisys clients could be material and have an adverse impact on our results of operations.
We rely on third parties to perform certain key functions, and their failure to perform those functions could adversely affect our business, financial condition and results of operations.
We rely on certain third-party computer systems or third-party service providers, including cloud technology providers such as AWS, internet service providers, payment services providers, market and third-party data providers, regulatory and compliance services providers, clearing systems, market makers, exchange systems, banking technology systems, co-location facilities, communications facilities and other facilities to run our platform, facilitate trades by our members and support or carry out certain functions. For example, to provide our checking and savings account, cash management account, credit cards and other products and services, we rely on third parties that we do not control, such as payment card networks, our acquiring and issuing processors, payment card issuers, various financial institution partners, systems like the ACH, and other partners. We rely on these third parties for a variety of services, including the transmission of transaction data, processing of chargebacks and refunds, settlement of funds, and the provision of information and other elements of our services. In addition, external content providers provide us with financial information, market news, charts, option and stock quotes, digital assets quotes, research reports and other fundamental data that we provide to our members. Any interruption in these third-party services, or deterioration in the quality of their service or performance, could be disruptive to our business. Furthermore, third parties may rely on artificial intelligence or machine learning for the services they provide us and, given that the regulatory framework relating to the use of machine learning and artificial services in the provision of financial services is still developing, the third
35
SoFi Technologies, Inc.
parties' use of such technologies may impact their ability to carry out certain functions or impact the quality of their service or performance.
Because we are a bank holding company subject to regulation, supervision and examination by the Federal Reserve, and because SoFi Bank is subject to regulation, supervision and examination by the OCC and the FDIC, and SoFi Bank and its affiliates are subject to regulations issued by the CFPB, our and SoFi Bank's oversight of third-party service providers is also subject to regulatory oversight. In 2024, the Federal Reserve, OCC and FDIC increased their focus on regulating banks' relationships and oversight over third-party service providers. For example, these agencies published interagency guidance and a joint statement on banks' vendor management practices and arrangements with third parties to deliver bank products and services in May 2024 and July 2024, respectively, and these and other regulatory authorities continued to scrutinize and take enforcement actions against banks and their business partners for insufficient third-party management programs in 2024. In addition, because Galileo provides technology services to SoFi Bank, we are subject to additional regulatory scrutiny under Regulation W which requires, among other things, that arrangements between a bank and its affiliates are on market terms. If a regulatory authority found our or SoFi Bank's service provider oversight to be lacking, the regulatory authority could require that we or SoFi Bank implement corrective action, including limiting or terminating certain relationships with service providers, which could be costly and disruptive to our business.
Further, we may, from time to time, decide to modify or terminate relationships with third-party service providers and to perform certain functions and/or services internally. For example, we historically used a third party bank to issue the SoFi Money debit cards and sponsor access to debit networks for payment transactions, funding transactions and associated settlement of funds, and sponsor and support ACH, check and wire transactions along with associated funds settlement. However, after gaining direct access to debit networks, we directly perform certain services previously sponsored by the third party bank. Although we have performed these services satisfactorily to date, there is no guarantee we will be able to continue to do so. Additionally, the migration of any such functions and/or services may introduce additional risks and could cause disruption to our business.
Our third-party service providers are susceptible to operational, technological and security vulnerabilities, including security incidents and breaches and outages, which may impact our business, and our ability to monitor our third-party service providers' data security is limited. In addition, these third-party service providers may rely on subcontractors to provide services to us that face similar risks.
Failures or security incidents or breaches by or of our third-party service providers or their subcontractors that result in an interruption in service, unauthorized access, misuse, loss or destruction of data or other similar occurrences could interrupt our business, have in the past and could in the future cause us to incur losses, result in decreased member or client satisfaction and increase member or client attrition, subject us to member or client complaints, significant fines, litigation, disputes, claims, regulatory investigations or other inquiries and harm our reputation. Through contractual provisions and third-party risk management processes, we take steps to require that our providers, and their subcontractors, protect our data and information, including personal data. However, due to the size and complexity of our technology platform and services, the amount of data that we store and the number of members, technology platform clients, employees and third-party service providers with access to personal data, we, our third-party service providers and their subcontractors are potentially vulnerable to a variety of intentional and inadvertent cybersecurity breaches and other security-related incidents and threats, which could result in a material adverse effect on our business, financial condition and results of operations. Any contractual protections we may have from our third-party service providers may not be sufficient to adequately protect us against such consequences, and we may be unable to enforce any such contractual protections.
In addition, there is no assurance that our third-party service providers or their subcontractors will be able to continue to provide these services to meet our current needs in an efficient, cost-effective manner or that they will be able to adequately expand their services to meet our needs in the future. Certain of our vendor agreements are terminable on short or no notice, and if current vendors were to stop providing services to us on acceptable terms, we may be unable to procure alternatives from other vendors in a timely and efficient manner and on acceptable terms, or at all. An interruption in or the cessation of service by our third-party service providers or their subcontractors, coupled with our possible inability to make alternative arrangements in a smooth, cost-effective and timely manner, could have adverse effects on our business, financial condition and results of operations.
Certain aspects of the services we provide also rely and depend upon the ability of third parties with whom we do not contract directly to perform specified tasks or execute certain functions. For example, our customers access trading venues like securities exchanges through third parties like clearing brokers. If a trading venue experiences a system error and/or a failure of controls, subsequent trades may be impacted, such as trading executed at anomalous pricing. Similarly, if a trading venue experiences an outage, our customer's ability to place trades or our ability to effect transactions in securities on behalf of
36
SoFi Technologies, Inc.
customers via our broker-dealer may be impacted. As a result of these impacts, we might experience customer complaints, loss of revenue or other financial loss, or we may have to respond to regulatory inquiries related to such outages.
If a service provider fails to either provide the services required or expected or meet applicable contractual or regulatory requirements such as service levels or compliance with applicable laws, the failure could negatively impact our business. Such a failure could also adversely affect the perception of the reliability of our networks and services and the quality of our brand, which could materially adversely affect our business and results of operations. Further, if there were deficiencies in the oversight and control of our third-party relationships, and if our regulators held us responsible for those deficiencies, it could have an adverse effect on our business, reputation and results of operations.
The conditional conversion feature of our convertible notes, if triggered, may adversely affect our financial condition.
Holders of our convertible notes issued in October 2021 and due in 2026 and our convertible notes issued in March 2024 and due in 2029 (collectively, the "notes") may be entitled to convert the notes during specified periods at their option. If one or more holders elect to convert their notes, we may settle converted principal through the payment of cash and/or shares of common stock, which could adversely affect our financial results and liquidity and could result in a decline in our stock price.
The Capped Call Transactions may affect the value of the notes and our common stock.
In connection with the issuance of the notes, we entered into privately negotiated capped call transactions (the "Capped Call Transactions") with certain financial institutions (the "Capped Call Counterparties"). The Capped Call Transactions are expected generally to reduce the potential dilutive effect on our common stock upon any conversion of the notes and/or offset any potential cash payments we are required to make in excess of the principal amount of converted notes, as the case may be, with such reduction and/or offset subject to a cap. In connection with establishing their initial hedges of the Capped Call Transactions, the Capped Call Counterparties or their respective affiliates entered into various derivative transactions with respect to our common stock and/or purchased shares of our common stock concurrently with or shortly after the pricing of the notes.
In addition, the Capped Call Counterparties and/or their respective affiliates may modify their hedge positions by entering into or unwinding various derivatives with respect to our common stock and/or purchasing or selling our common stock or other securities of ours in secondary market transactions following the pricing of the notes and from time to time prior to the maturity of the notes (and are likely to do so following any conversion of the notes, any repurchase of the notes by us on any fundamental change repurchase date, any redemption date or any other date on which the notes are retired by us, in each case if we exercise the relevant election to terminate the corresponding portion of the Capped Call Transactions). This activity could also cause or avoid an increase or a decrease in the market price of our common stock or the notes. The potential effect, if any, of these transactions and activities on the market price of our common stock or the notes will depend, in part, on market conditions and cannot be ascertained at this time. Any of these activities could adversely affect the value of our common stock.
We are subject to counterparty risk with respect to the Capped Call Transactions, and the Capped Call Transactions may not operate as planned.
The Capped Call Counterparties are financial institutions or affiliates of financial institutions, and we will be subject to the risk that any or all of them might default under the Capped Call Transactions. Our exposure to the credit risk of the Capped Call Counterparties will not be secured by any collateral. Global economic conditions have, from time to time, resulted in the actual or perceived failure or financial difficulties of many financial institutions. If a Capped Call Counterparty becomes subject to insolvency proceedings, we will become an unsecured creditor in those proceedings with a claim equal to our exposure at that time under our transactions with that Capped Call Counterparty. Our exposure will depend on many factors, but, generally, an increase in our exposure will be correlated with increases in the market price or the volatility of our common stock. In addition, upon a default by a Capped Call Counterparty, we may suffer more dilution than we currently anticipate with respect to our common stock. We can provide no assurances as to the financial stability or viability of any Capped Call Counterparty.
In addition, the Capped Call Transactions are complex, and they may not operate as planned. For example, the terms of the Capped Call Transactions may be subject to adjustment, modification or, in some cases, renegotiation if certain corporate or other transactions occur. Accordingly, these transactions may not operate as we intend if we are required to adjust their terms as a result of transactions in the future or upon unanticipated developments that may adversely affect the functioning of the Capped Call Transactions.
37
SoFi Technologies, Inc.
Market and Interest Rate Risks
Our business and results of operations have in the past and may in the future be adversely affected by the financial markets, fiscal, monetary, and regulatory policies, and economic conditions generally.
Our business, results of operations and reputation are directly affected by elements beyond our control, including general economic, political, social and health conditions in the U.S. and in countries abroad. These elements can arise suddenly and the full impact can remain unknown or result in adverse effects, including, but not limited to, extreme volatility in credit, equity and foreign currency markets, changes to buying patterns of our members and prospective members or reductions in the credit quality of our members, and changes to the financial condition of our technology platform clients and prospective clients.
In particular, markets in the U.S. or abroad have been and may in the future be affected by the level and volatility of interest rates, availability and market conditions of financing, recessionary pressures, inflation and hyperinflation, supply chain disruptions, changes in consumer spending, employment levels, labor shortages, changes to fiscal policy, including expansion of U.S. federal deficit spending and resultant debt issuance, federal government shutdowns, developments related to the U.S. federal debt ceiling, changes in legislation, regulations or policy, energy prices, home prices, commercial property values, bankruptcies, a default by a significant market participant or class of counterparties, market volatility, liquidity of the global financial markets, the growth of global trade and commerce, exchange rates, trade policies, the availability and cost of capital and credit, disruption of communication, transportation or energy infrastructure and investor sentiment and confidence. Additionally, global markets have been and may in the future be adversely affected by the current or anticipated impact of climate change, extreme weather events or natural disasters, the emergence or continuation of widespread health emergencies or pandemics, cyberattacks or campaigns, military conflict (e.g., the escalating conflict in the Middle East and the ongoing war in Ukraine), terrorism or other geopolitical events, including the upcoming changes to the United States presidential administration, which may affect our results of operations. For example, although we do not have operations in the locations impacted by these conflicts, the ongoing war in these locations has led and could in the future lead to macroeconomic effects, including volatility in commodity prices and the supply of energy resources, instability in financial markets, supply chain interruptions, political and social instability, as well as an increase in cyberattacks and espionage. Also, any sudden or prolonged market downturn in the U.S. or abroad, as a result of the above factors or otherwise, could adversely affect our business, results of operations and financial condition, including capital and liquidity levels. We are not able to predict with any certainty the ultimate impact that any of these events, as well as any other future events, may have on our business.
Significant downturns in the securities markets or in general economic and political conditions have in the past and may in the future also decrease the demand for our products and services and could in the future result in our members reducing their engagement with our platform. In addition, such significant downturns may cause default rates on our loans to increase and cause funding and liquidity concerns for our current and prospective technology platform clients reducing their adoption and use of our platform as a service products and services. Conversely, significant upturns in the securities markets or in general economic and political conditions may cause individuals to be less proactive in seeking ways to improve the returns on their trading or investment decisions and, thus, decrease the demand for our products and services. Any of these changes could cause our future performance to be uncertain or unpredictable, and could have an adverse effect on our business, financial condition and results of operations. In addition, a prolonged weakness in the U.S. equity markets or a general extended economic downturn could cause our members or technology platform clients to incur losses, which in turn could cause our brand and reputation to suffer. If our reputation is harmed, the willingness of our existing members or technology platform clients and potential new members or clients to do business with us could be negatively impacted, which would adversely affect our business, financial condition and results of operations.
Our business is sensitive to interest rates and interest rates are highly sensitive to many factors that are beyond our control, including global, domestic and local economic conditions and the policies of various governmental and regulatory agencies and, in particular, the Federal Reserve. The Federal Reserve increased interest rates throughout 2022 and 2023 before lowering interest rates in 2024, and we are unable to predict whether interest rates will increase or decrease in the future. Further changes to prevailing interest rates could influence not only the interest we receive on loans and investments and the amount of interest we pay on deposits and borrowings, but such changes have in the past and could in the future also affect (i) our ability to originate loans at competitive rates and obtain deposits; (ii) the fair value of our financial assets and liabilities; (iii) the average duration of our loan portfolios and other interest-earning assets; (iv) the mix of lending products we originate which is influenced by demand for refinancing products; and (v) the competition faced by our SoFi Money deposit product from other investment products which may become more attractive as interest rates rise. See "Changing expectations for inflation and fluctuations in interest rates could decrease demand for our lending products and negatively affect loan performance, as well as increase certain operating costs, such as employee compensation" for additional information on the risks of interest rate fluctuations to our business.
38
SoFi Technologies, Inc.
Interest rate changes and other actions, including balance sheet management, lending facilities, and the Federal Reserve's exit from quantitative easing, and similar actions taken by the Federal Reserve or other central banks, are beyond our control and difficult to predict. These actions affect interest rates and the value of financial instruments, increase the likelihood of a more volatile market, a further appreciating U.S. dollar and negative growth in gross domestic product, and affect other assets and liabilities and can impact our members and technology platform clients. Any economic downturn, especially in the regions in which we operate, may adversely affect our asset quality, deposit levels, loan demand and results of operations.
Changes or uncertainty with respect to existing laws, regulations and policies, including changes in guidance and interpretation by regulatory authorities, and evolving priorities, including those related to financial regulation, taxation, international trade, fiscal policy, cybersecurity and privacy, digital assets, climate change (including any required reduction of greenhouse gas emissions) and healthcare, may adversely impact U.S. or global economic activity and our members, our technology platform clients, our counterparties and our earnings and operations. For example, changes, or proposed changes, to certain U.S. trade and international investment policies, particularly with important trading partners (including China and the European Union (the "EU")) have in recent years negatively impacted financial markets. Actions taken by other countries, particularly China, to restrict the activities of businesses, could also negatively affect financial markets. An escalation of tensions, such as a trade war between certain countries or a further escalation in conflict in the Middle East, could lead to further measures that adversely affect financial markets, disrupt world trade and commerce and lead to trade retaliation, including through the use of duties and tariffs, foreign exchange measures or the large-scale sale of U.S. Treasury Bonds.
Any of these developments could adversely affect our business, our members, our technology platform clients, the value of our loan portfolios, our level of charge-offs and provision for credit losses, our capital levels, our liquidity and our results of operations.
We have the option of pursuing a gain-on-sale origination model and, consequently, our business is affected by the cost and availability of funding in the capital markets.
In addition to the issuance of equity, historically we have funded our operations and capital expenditures through sales of our loans, secured and unsecured borrowing facilities and securitizations. We have the option of pursuing a gain-on-sale origination model and, consequently, our earnings and financial condition are largely dependent on the price we can obtain for our products in the capital markets, which has been and may be negatively impacted by interest rates that are higher than those in the recent past combined with longer periods during which we have held, and may continue to hold, loans on-balance sheet. These capital markets risks may be partially mitigated by the availability of bank deposits and other corporate cash (if any) to temporarily hold the loans on our balance sheet, and by utilizing our Loan Platform Business to originate and sell loans, in certain instances on a fixed fee basis. However, bank deposits and corporate cash have not historically been our primary source of funding and can be impacted by a number of factors, and our Loan Platform Business is new and does not have a significant performance history. Our ability to obtain financing in the capital markets depends, among other things, on our development efforts, business plans, operating performance, lending activities, public perceptions of the financial services industry, and condition of, and our access to, the capital markets at the time we seek financing. The capital markets have from time-to-time experienced periods of significant volatility, including, most recently, volatility driven by benchmark interest rate movements, uncertainty in the financial services sector, and the ongoing war in Ukraine, among other things. This volatility can dramatically and adversely affect financing costs when compared to historical norms or make funding unavailable. Additional factors that could make financing more expensive or unavailable to us include, but are not limited to, financial losses, events that have an adverse impact on our reputation, lawsuits challenging our business practices, adverse regulatory changes, changes in the activities of our business partners, loan performance, events that have an adverse impact on the financial services industry generally, counterparty availability, negative credit rating actions with respect to our rated securities, corporate and regulatory actions, interest rate changes, general economic conditions, including changing expectations for inflation, and the legal, regulatory and tax environments governing funding transactions, including existing or future securitization transactions. If financing is difficult, expensive or unavailable, our business, financial condition, results of operations, cash flows and future prospects could be materially and adversely affected.
Changing expectations for inflation and fluctuations in interest rates could decrease demand for our lending products and negatively affect loan performance, as well as increase certain operating costs, such as employee compensation.
The U.S. economy has remained strong despite facing certain headwinds, including, but not limited to, changing U.S. consumer spending patterns, fluctuating inflation and interest rates, reduced consumer discretionary spending, and weakening wage growth, but there is no guarantee that future changes will not have an impact. For example, the Federal Reserve increased interest rates throughout 2022 and 2023 before lowering interest rates in 2024. We are unable to predict whether interest rates will increase or decrease in the future. Continued elevated interest rates may decrease borrower demand for certain of our lending products, even as inflation places pressure on consumer spending, borrowing and saving habits as consumers evaluate
39
SoFi Technologies, Inc.
their prospects for future income growth and employment opportunities in the current economic environment, and as borrowers face uncertainty about the impact of elevated prices on their ability to repay a loan. A change in demand for our lending products and any steps we may take to mitigate such change could impact our credit quality and overall growth. For example, we have experienced lower demand for our home loans in an elevated interest rate environment, as our historical demand has primarily resulted from refinancing, which is less attractive in a higher interest rate environment. We have also focused on personal loan originations to offset the lower demand in other lending products. Personal loans are a higher risk product than home loans or student loans and we have seen an increase in the amount of personal loans that we originate which may increase the inherent risk in our overall portfolio. In addition, fluctuating interest rates may increase our cost of capital and ability to offer a competitive interest rate on our loans. Although we closely monitor these increased risks, there is no guarantee we will make the correct adjustments to our originations or make adjustments quickly enough. Furthermore, economic pressure resulting in the inability of a borrower to repay a loan could translate into increased loan defaults, foreclosures and charge-offs and negatively affect our business, financial condition, results of operations, cash flows and future prospects.
Additionally, an inflationary environment combined with a healthy labor market and decreases in the market value of our equity awards could make it more costly for us to attract or retain employees. In order to meet the compensation expectations of our prospective and current employees due to inflationary and other factors, we have in the past and may in the future be required to increase our operating costs or risk losing skilled workers to competitors. See "Personnel and Business Continuity Risks-The job market and the optimization of our workforce creates a challenge and potential risk as we strive to attract and retain a highly skilled workforce" for more information on the risks posed by a competitive labor market.
Fluctuations in interest rates could negatively affect the demand for our checking and savings product.
Falling, low or fluctuating interest rates, including declining interest rates in 2024, have in the past had and may in the future have a negative impact on the demand for our checking and savings product. Checking and savings provides members a digital banking experience that offers a variable annual percentage yield, which is at our discretion. If we are not able to offer competitive interest rates on deposit accounts, demand for our checking and savings product may decrease, which may impact our ability to access deposits as a more cost-effective source of funding for our loans. Although we have been in an elevated interest rate environment in recent years, interest rates began to decline in 2024 and there is no guarantee that the interest rate we offer on our deposit accounts will remain competitive and in a falling or low interest rate environment, account holders and prospective account holders may be discouraged from using these products, which would adversely affect our business, financial condition, results of operations, cash flows and future prospects.
Higher than expected payment speeds of loans could negatively impact the fair market value of the lending portfolio and our returns as the holder of the residual interests in securitization trusts holding personal and student loans. These factors could materially alter our net revenue or the value of our residual interest holdings.
The rate at which borrowers prepay their loans can have a material impact on our net revenue, the value of our lending portfolio and the value of our residual interests in securitization trusts. Prepayment rates are subject to a variety of economic, social, competitive and other factors, including fluctuations in interest rates, availability of alternative financings, legislative, regulatory or policy changes affecting the student loan market, the home loan market, consumer lending generally and the general economy, including changing expectations for inflation. For example, interest rates began to decline in 2024, and a lower interest rate environment may lead to higher prepayment rates on loans.
While we anticipate some variability in prepayment rates, extraordinary or extended increases or decreases in prepayment rates could materially affect our liquidity and net revenue. For example, when, as a result of unanticipated prepayment levels, loans within a securitization trust amortize faster than originally contracted due to prepayments, the trust's pool balance may decline at a rate faster than the prepayment rate assumed when the trust's bonds were originally issued. If the trust's pool balance declines faster than originally anticipated, in most of our securitization structures, the bonds issued by that trust will also be repaid faster than originally anticipated. In such cases, our net revenue may decrease, inclusive of our servicing revenue and the diminished value of any retained residual interest by us in the trust.
Finally, in instances of significant slowdowns in payment rates, rating agencies may place bonds on watch or change their ratings on (or their ratings methodology for) the bonds issued by a securitization trust, possibly raising or lowering their ratings, based upon these prepayment rates and their perception of the risk posed by those rates to the timing of the trust cash flows. Placing bonds on watch, changing ratings negatively, proposing or making changes to ratings methodology could: (i) affect our liquidity, (ii) impede our access to the securitization markets, (iii) require changes to our securitization structures, and (iv) raise or lower the value of the residual interests of our future securitization transactions.
40
SoFi Technologies, Inc.
We are exposed to financial risks that may be partially mitigated but cannot be eliminated by our hedging activities, which carry their own risks.
We continue to use, and may in the future use, financial instruments for hedging and risk management purposes in order to protect against possible fluctuations in interest rates, or for other reasons that we deem appropriate. In particular, we expect our interest rate risk to increase with our home loans business which continues to grow, including as a result of our acquisition of Wyndham. However, any current and future hedges we enter into will not completely eliminate the risk associated with fluctuating interest rates and our hedging activities may prove to be ineffective.
The success of our hedging strategy will be subject to our ability to correctly assess counterparty risk and the degree of correlation between the performance of the instruments used in the hedging strategy and any changes in interest rates, along with our ability to continuously recalculate, readjust and execute hedges in an efficient and timely manner. Therefore, though we may enter into transactions to seek to reduce risks, unanticipated changes may create a more negative consequence than if we had not engaged in any such hedging transactions. Moreover, for a variety of reasons, we may not seek to establish a perfect correlation between such hedging instruments and the instruments being hedged. Any such imperfect correlation may prevent us from achieving the effect of the intended hedge and expose us to risk of loss. Any failure to manage our hedging positions properly or inability to enter into hedging instruments under acceptable terms, or any other unintended or unanticipated economic consequences of our hedging activities, could affect our financial condition and results of operations.
Our financial condition and results of operations have been and may in the future be adversely impacted by an epidemic or pandemic.
Occurrences of epidemics or pandemics, depending on their scale, may cause different degrees of disruption to the regional, state and local economies in which we offer our products and services. For example, the COVID-19 pandemic caused changes in consumer and student behavior, as well as economic disruptions. Any future pandemic or public health crisis may result in, among other impacts, worker shortages, supply chain issues, inflationary pressures, and the reinstatement and subsequent lifting of restrictions and health and safety related measures. Any future epidemics or pandemics or other public health crises could adversely affect our business, operations and financial condition, as well as the business, operations and financial conditions of our members, other customers and partners.
See "Our business and results of operations have in the past and may in the future be adversely affected by the financial markets, fiscal, monetary, and regulatory policies, and economic conditions generally" and "Management's Discussion and Analysis of Financial Condition and Results of Operations-Key Business Metrics" and "-Consolidated Results of Operations" for further discussion of the impact of macroeconomic conditions in recent periods on our business and operating results.
Strategic and New Product Risks
We have in the past consummated, and from time to time we may evaluate and potentially consummate, acquisitions, which could require significant management attention, disrupt our business and adversely affect our financial results.
Our success depends, in part, on our ability to expand our business. In some circumstances, we may determine to do so through the acquisition of complementary assets, businesses and technologies rather than through internal development. For example: (i) in April 2020, we acquired 8 Limited, an investment business in Hong Kong, (ii) in May 2020, we acquired Galileo, a company that provides technology platform services to financial and non-financial institutions, (iii) in February 2022, we acquired Golden Pacific, a bank holding company, (iv) in March 2022, we acquired Technisys, a cloud-native digital multi-product core banking platform, and (v) in April 2023, we acquired Wyndham, a mortgage lender. The identification of suitable acquisition candidates can be difficult, time-consuming and costly, and we may not be able to successfully complete identified acquisitions. The risks we face in connection with acquisitions include, among others:
•diversion of management time and focus from operating our business to addressing acquisition integration challenges;
•coordination of technology, product development, risk management and sales and marketing functions;
•retention of employees from the acquired company and retention of our employees due to cultural challenges associated with integrating employees from the acquired company into our organization;
•integration of the acquired company's accounting, management information, human resources, third-party risk management and other administrative systems;
41
SoFi Technologies, Inc.
•the need to implement or improve controls, procedures and policies at a business that prior to the acquisition may have lacked effective controls, information security and cybersecurity safeguards, procedures and policies, including third-party risk management practices;
•write-offs or impairments of intangible assets, goodwill or other assets recognized in connection with the acquisition;
•liability for activities of the acquired company before the acquisition, including patent and trademark infringement claims, violations of laws, including employment laws, commercial disputes, tax liabilities and other known and unknown liabilities;
•litigation or other claims in connection with the acquired company, including claims from terminated or current employees, customers, former stockholders or other third parties; and
•known and unknown regulatory compliance risks resulting from geographic expansion, including elevated risk factors for tax compliance, money laundering controls, and supervisory controls oversight.
Our failure to address these risks or other problems encountered in connection with our acquisitions and investments could cause us to fail to realize the anticipated benefits of these acquisitions or investments, cause us to incur unanticipated liabilities and harm our business, generally. Future acquisitions could also result in dilutive issuances of our equity securities, the incurrence of debt, contingent liabilities, regulatory obligations to further capitalize our business, goodwill and intangible asset impairments, and increased regulatory scrutiny, any of which could harm our financial condition and negatively impact our stockholders. To the extent we pay the consideration for any future acquisitions or investments in cash, it would reduce the amount of cash available to us for other purposes.
Demand for our products may decline if we do not continue to innovate or respond to evolving technological or other changes.
We operate in a dynamic industry characterized by rapidly evolving technology, frequent product introductions, and competition based on pricing and other differentiators. We continue to explore new product offerings and may rely on our proprietary technology to make our platform available to members, to service member accounts, to provide our technology platform as a service to clients and to introduce new products, which both fosters innovation and introduces new potential liabilities and risks. In addition, we may increasingly rely on technological innovation as we introduce new types of products, expand our current products into new markets, and continue to streamline our platform. For example, while we do not currently rely heavily on artificial intelligence, we expect to integrate more artificial intelligence into our technology in the future especially to improve the experience of our members. Even if we enhance our current products or release new products that incorporate artificial intelligence, there can be no assurance that our products will be successful or that we will innovate effectively to keep pace with the rapid evolution of artificial intelligence. Our ability to integrate artificial intelligence or other new technologies may also be limited by new laws or regulatory guidance. The process of developing new technologies and products is complex, and if we are unable to successfully innovate and continue to deliver a superior member and technology platform client experience, members' and clients' demand for our products may decrease and our growth and operations may be harmed.
An increase in fraudulent activity could lead to reputational damage to our brand and material legal, regulatory and financial exposure (including fines and other penalties), and could reduce the use and acceptance of SoFi Money and SoFi Credit Card.
Financial institutions like us, as well as our members, colleagues, regulators, vendors and other third parties, have experienced a significant increase in fraudulent activity in recent years and will likely continue to be the target of increasingly sophisticated fraudsters and fraud rings in the future. This is particularly true for our newer products where we have limited experience evaluating customer behavior and performing tailored risk assessments, such as checking and savings and credit card.
We develop and maintain systems and processes aimed at detecting and preventing fraudulent activity, which require significant investment, maintenance and ongoing monitoring and updating as technologies and regulatory requirements change and as efforts to overcome security and anti-fraud measures become more sophisticated. Despite our efforts, we have in the past and may in the future be subject to fraudulent activity, which may affect our results of operations. For example, our general and administrative expenses in the past have included charges related to fraud events. The possibility of fraudulent or other malicious activities and human error or malfeasance cannot be eliminated entirely and will evolve as new and emerging technology is deployed, including the increasing use of personal mobile and computing devices that are outside of our network and control environments, particularly as a large part of our workforce works remotely. Risks associated with each of these include theft of funds and other monetary loss, the effects of which could be compounded if not detected quickly. Fraudulent
42
SoFi Technologies, Inc.
activity may not be detected until well after it occurs and the severity and potential impact may not be fully known for a substantial period of time after it has been discovered.
Fraudulent activity and other actual or perceived failures to maintain a product's integrity and/or security has led to increased regulatory scrutiny and may lead to regulatory investigations and intervention (such as mandatory card reissuance), increased litigation (including class action litigation), remediation, fines and response costs, negative assessments of us and our subsidiaries by regulators and rating agencies, reputational and financial damage to our brand, and reduced usage of our products and services, all of which could have a material adverse impact on our business. In addition, we offer certain fraud and compliance and risk management services to technology platform clients as part of our platform as a service offerings and regulatory scrutiny of these types of services has increased recently. Any failure in these services provided to technology platform clients could result in regulatory actions or fines, and potential loss of client accounts.
Successful fraudulent activity and other incidents related to the actual or perceived failures to maintain the integrity of our processes and controls could negatively affect us, including harming the market perception of the effectiveness of our security measures or harming the reputation of the financial system in general, which could result in reduced use of our products and services. Such events could also result in legislation and additional regulatory requirements. Although we maintain insurance, there can be no assurance that liabilities or losses we may incur will be covered under such policies or that the amount of insurance will be adequate.
We may be unable to realize the anticipated benefits of acquiring Technisys.
We closed the Technisys acquisition in March 2022 and its operations have been largely integrated into our business. The success of the Technisys acquisition, including anticipated benefits and cost savings and potential additional revenue opportunities, will depend, in part, on our ability to realize various benefits, including, among other things, the development of an end-to-end vertically integrated banking technology stack to support multiple products and enable the combined company to meet the expanding needs of existing customers and serve additional established banks, fintechs and non-financial brands looking to enter financial services. The inability to realize our expected cost savings in connection with the Technisys' acquisition could have an adverse effect on our business, financial condition, operating results and prospects. Failure to achieve these anticipated benefits could result in increased costs, decreases in the amount of expected revenues, lost cost savings and incremental revenue opportunities and diversion of management's time and energy and could have an adverse effect on our business, financial condition, operating results and prospects.
We may continue to expand operations abroad where we have limited operating experience and may be subject to increased business, economic and regulatory risks that could adversely impact our financial results.
In April 2020, we undertook our first international expansion by acquiring 8 Limited, an investment business in Hong Kong. Additionally, with the acquisition of Galileo in May 2020, we gained clients in Canada, Mexico and Colombia and, with the acquisition of Technisys in March 2022, we further expanded our operations into Latin America. We may, in the future, continue to pursue further international expansion of our business operations, either organically or through acquisitions, in new international markets where we have limited or no experience in marketing, selling and deploying our products and services. If we fail to deploy or manage our operations in these countries successfully, our business and operations may suffer. In addition, we are subject to a variety of risks inherent in doing business internationally, including:
•political, social and/or economic instability or military conflict;
•risks related to governmental regulations in foreign jurisdictions, including regulations relating to privacy, and unexpected changes in regulatory requirements and enforcement;
•fluctuations in currency exchange rates and global market volatility;
•higher levels of credit risk and fraud;
•enhanced difficulties of integrating foreign acquisitions;
•burdens of enforcing and complying with a variety of foreign laws;
•reduced protection for intellectual property rights in some countries;
•difficulties in staffing and managing global operations and the increased travel, infrastructure and legal compliance costs associated with multiple international locations and subsidiaries;
•different regulations and practices with respect to employee/employer relationships, existence of workers' councils and labor unions, and other challenges caused by distance, language, and cultural differences, making it harder to do business in certain international jurisdictions;
43
SoFi Technologies, Inc.
•compliance with statutory equity requirements; and
•management of tax consequences.
If we are unable to manage the complexity of global operations successfully, our financial performance and operating results could suffer.
Credit Market Related Risks
We operate in a cyclical industry. In an economic downturn, member default rates may increase, there may be decreased demand for our products, and there may be adverse impacts to our business.
Recent macroeconomic factors, such as elevated interest rates, global events and market volatility and general uncertainty, may cause the economy to enter into a period of slower economic growth or a recession, the length and severity of which cannot be predicted. Such uncertainty and negative trends in general economic conditions can have a significant negative impact on our ability to generate adequate revenue and to absorb expected and unexpected losses. Many factors, including factors that are beyond our control, may result in higher default rates by our members and non-payment by our technology platform clients, a decline in the demand for our products, and potentially impact our ability to make accurate credit assessments, lending decisions or technology platform client selections. Any of these factors could have a detrimental impact on our financial performance and liquidity.
Our Lending and Financial Services segments may be particularly negatively impacted by worsening economic conditions that place financial stress on our members resulting in loan defaults or charge-offs. If a loan charges off while we are still the owner, the loan either enters a collections process or is sold to a third-party collection agency and, in either case, we will receive less than the full outstanding interest on, and principal balance of, the loan. Declining economic conditions may also lead to either decreased demand for our loans or demand for a higher yield on our loans, and consequently lower prices or a lower advance rate, from institutional whole loan purchasers, securitization investors and warehouse lenders on whom we rely for liquidity.
The longevity and severity of a downturn or recession would also place pressure on lenders under our debt warehouses, whole loan purchasers and investors in our securitizations, each of whom may have less available liquidity to invest in our loans, and long-term market disruptions could negatively impact the securitization market as a whole. Although certain of our debt warehouses contain committed terms, there can be no assurance that our financing arrangements will remain available to us through any particular business cycle or be renewed on the same terms. The timing and extent of a downturn may also require us to change, postpone or cancel our strategic initiatives or growth plans to pursue shorter-term sustainability. The longer and more severe an economic downturn, the greater the potential adverse impact on us.
Our Technology Platform segment is also susceptible to worsening economic conditions that place financial stress on our current clients using our platform as a service products and services and potential new clients interested in such services. These clients and potential clients may experience liquidity and other financial issues or strategically slowdown growth, any of which could lead them to decrease or terminate their use of our technology platform services or delay or reject implementation of new or expanded products and services. Any such actions with respect to our technology platform products and services could have an adverse impact on our business.
There can be no assurance that economic conditions will be favorable for our business, that interest in purchasing our loans by financial institutions or investment by clients in our platform as a service products and services will remain at current levels, or that default rates by our members or instances of non-payment by our technology platform clients will not increase. Reduced demand, lower prices or a lower advance rate for our loan products from institutional whole loan purchasers, securitization investors and warehouse lenders, increased default rates by our members, and reduced demand, lower prices and increased non-payment by our technology platform clients, may limit our access to capital, including debt warehouse facilities, securitizations and secured and unsecured borrowing facilities, and negatively impact our profitability. These impacts, in addition to limiting our access to capital and negatively impacting our profitability, could also in turn increase the volatility of the mark-to-market methodology we use to determine the fair value of the loans and credit card receivables we hold on balance sheet and consequently have a material adverse effect on our revenues, results of operations, capital requirements, liquidity and cash flows.
44
SoFi Technologies, Inc.
If we do not make accurate credit and pricing decisions or effectively forecast our loss rates, our business and financial results will be harmed, and the harm could be material.
In deciding whether to extend credit to prospective or existing members, we rely upon data to assess our ability to extend credit within our risk appetite, our debt servicing capacity, and overall risk level to determine lending exposure and loan pricing. If the decision components, rapidly deteriorating macroeconomic conditions or analytics are either unstable, biased, or missing key pieces of information, the wrong decisions will be made, which will negatively affect our financial results. If our credit decisioning strategy fails to adequately predict the creditworthiness of our members, including a failure to predict a member's true credit risk profile and ability to repay their loan or credit card balance, higher than expected loss rates will impact the fair value of our loans and credit card receivables. Additionally, if any portion of the information pertaining to the prospective member is false, inaccurate or incomplete, and our systems did not detect such falsities, inaccuracies or incompleteness, or any or all of the other components of our credit decision process fails, we may experience higher than forecasted losses, including losses attributed to fraud. Furthermore, we rely on credit reporting agencies to obtain credit reports and other information we rely upon in making underwriting and pricing decisions. If one of these third parties experiences an outage, if we are unable to access the third-party data used in our decision strategy, if such data contains inaccuracies or our access to such data is limited, our ability to accurately evaluate potential members will be compromised, and we may be unable to effectively predict credit losses inherent in our loan portfolio, which would negatively impact our results of operations, which could be material.
Additionally, if we make errors in the development, validation, or implementation of any of the underwriting models or tools that we use for the loans securing our debt warehouses or included in securitization transactions or whole loan sales, such loans may experience higher delinquencies and losses, which would negatively impact our debt warehouse financing terms and future securitization and whole loan sale transactions.
If the information provided to us by applicants is incorrect or fraudulent, we may misjudge an applicant's qualification to receive a loan or use one of our products, and our results of operations may be harmed.
Our lending and platform access decisions are based partly on information provided to us by applicants. To the extent that an applicant provides information to us in a manner that we are unable to verify, or the information provided by an applicant consists of data obtained under false pretenses by third parties, is a manufactured/synthetic identity, or is a stolen identity, our credit decisioning process may not accurately reflect the associated risk. In addition, data provided by third-party sources, including credit reporting agencies, is a significant component of our credit decisions and this data may contain inaccuracies. Inaccurate analysis of credit data that could result from false loan application information could harm our reputation, business and results of operations. Additionally, we rely on the accuracy of applicant information in approving applicants for our non-lending products, such as SoFi Money, SoFi Credit Card or SoFi Invest accounts. If the information provided to us by these applicants is incorrect or fraudulent and we are unable to detect the inaccuracies, it increases our regulatory and fraud risk and the risk of identity theft to our members, and could harm our reputation, business and results of operations.
We use identity and fraud prevention tools to analyze data provided by external databases or automated physical identity document proofing technologies to authenticate each applicant's identity. These fraud prevention tools, scores, and data aggregators are reliant on sustained access to reliable data sources to facilitate robust verification which have reduced effectiveness with diminished data access. From time to time in the past, however, these checks have failed and there is a risk that these checks could fail in the future and fraud, which may be significant, may occur and go undetected. For example, in the past we have identified certain fraudulent activity related to our personal loan products. While the fraudulent activity was detected and the losses were recognized in our results of operations, there can be no assurance there will not be future instances of fraud, that we will be able to detect such fraudulent activity in a timely manner, or that such future fraudulent activity will not be material. We may not be able to recoup funds underlying loans made in connection with inaccurate statements, omissions of fact or fraud, in which case our revenue, results of operations and profitability will be harmed. Fraudulent activity or significant increases in fraudulent activity could also lead to regulatory intervention, which could negatively impact our results of operations, brand and reputation, and require us to take steps to reduce fraud risk, which could increase our costs.
Internet-based loan origination processes may give rise to greater risks than paper-based processes.
We use internet-based loan processes to obtain application information and distribute certain legally required notices to applicants for, and borrowers of, loans and to obtain electronically signed loan documents in lieu of paper documents with ink signatures obtained in person. These processes may entail greater risks than paper-based loan origination processes, including regarding the sufficiency of notice for compliance with consumer protection laws, risks that borrowers may challenge the authenticity of loan documents, or the validity of the borrower's electronic signature on loan documents, and risks that unauthorized changes are made to the electronic loan documents. If any of those factors were to cause our loans, or any of the
45
SoFi Technologies, Inc.
terms of our loans, to be unenforceable against the relevant borrowers, or impair our ability to service our loans (as master servicer or servicer), the value of our loan assets would decrease significantly to us and to our whole loan purchasers, securitization investors and warehouse lenders. In addition to increased default rates and losses on our loans, this could lead to the loss of whole loan purchasers and securitization investors and trigger terminations and amortizations under our debt warehouse facilities, each of which would materially adversely impact our business.
Student loans are subject to discharge in certain circumstances.
Private education loans, including the refinanced student loans and other student loans made by us, are generally not dischargeable by a borrower in bankruptcy. However, a private education loan may be discharged if a debtor files an adversary claim and the bankruptcy court determines that not discharging the debt would impose an undue hardship on the debtor and the debtor's dependents. In addition, changes in law, regulations or governmental policies could increase the number of student loans subject to discharge in certain circumstances which would adversely affect our business. For example, the Biden Administration gave judges more leeway to discharge student loans, resulting in more borrowers discharging their student loans in bankruptcy in 2023, compared to prior years. It is possible that a higher percentage of borrowers will obtain relief under bankruptcy or other debtor relief laws in the future than is reflected in our historical experience. A private education loan that is not a refinanced parent-student loan is also generally dischargeable as a result of the death or disability of the borrower. The discharge of a significant amount of our loans could adversely affect our business and results of operations. See "Regulatory, Tax and Other Legal Risks-Legislative and regulatory policies and related actions have had and could in the future have a material adverse effect on our student loan portfolios and our student loan origination volume".
We offer personal loans, which have a limited performance history, and therefore we have only limited prepayment, loss and delinquency data with respect to such loans on which to base projections.
The performance of the personal loans we offer is significantly dependent on the ability of the credit decisioning, income validation, and scoring models we use to originate such loans, which include a variety of factors, to effectively evaluate an applicant's credit profile and likelihood of default. Despite recession-readiness planning and stress forecasting, there is no assurance that our credit criteria can accurately predict loan performance under economic conditions such as a prolonged down-cycle or recessionary economic environment or the governmental response to periods of disruption, which may drive unexpected outcomes. If our criteria do not accurately reflect credit risk on the personal loans, greater than expected losses may result on these loans and our business, operating results, financial condition and prospects could be materially and adversely affected.
In addition, personal loans are dischargeable in a bankruptcy proceeding involving a borrower without the need for the borrower to file an adversary proceeding. The discharge of a significant amount of our personal loans could adversely affect our financial condition. Furthermore, other characteristics of personal loans may increase the risk of default or fraud and there are few restrictions on the uses that may be made of personal loans by borrowers, which may result in increased levels of credit consumption. We also originate a material portion of our personal loans through ACH deposits directly to the borrowers, which may result in a higher risk of fraud. The effect of these factors may be to reduce the amounts collected on our personal loans and adversely affect our operating results and financial condition.
We service all of the personal loans we originate and credit cards we issue, as well as other loans, and have limited servicing experience, and we rely on third-party service providers to service the student loans and home loans we originate, and to perform various other functions in connection with the origination and servicing of certain loans. If we or a third-party service provider fails to properly perform these functions, our business and our ability to service our loans may be adversely affected.
We service all of the personal loans we originate as well as certain loans originated by third parties and, in all material respects, all of the credit cards we issue, and we have limited experience with such servicing. We may begin servicing the student loans that we originate at some time in the future. We rely on sub-servicers to service all of our student loans and our home loans that we deliver to GSEs and do not sell servicing-released, and to perform certain back-up servicing functions with respect to our personal loans. In addition, we rely on third-party service providers to perform various functions relating to our loan origination and servicing business, including fraud detection, marketing, operational functions, cloud infrastructure services, information technology, telecommunications and processing remotely created checks. While we oversee these service providers to ensure they service our loans in accordance with our agreements and regulatory requirements, we do not have control over the operations of any of the third-party service providers that we utilize. In the event that a third-party service provider for any reason fails to perform such functions, including through negligence, willful misconduct or fraud, our ability to process payments and perform other operational functions for which we currently rely on such third-party service providers will suffer and our business, cash flows and future prospects may be negatively impacted. Such third-party service provider failures could also result in, among other things, increased regulatory scrutiny of our third-party service provider oversight, costly
46
SoFi Technologies, Inc.
investigations, required corrective action and remediation, regulatory enforcement actions, class action lawsuits, and harm to our reputation.
Any failure on our part or on the part of third parties on whom we rely to perform functions related to our servicing activities to properly service our loans or the loans originated by third parties could result in us being removed as the servicer on the loans, including loans financed by our warehouse facilities or sold into our whole loan sales channel and securitization transactions. If we fail to monitor our student loan sub-servicer and ensure that such sub-servicer complies with its obligations under state laws that require student loan servicers to be licensed, we may face civil claims for damages under such state laws. Because we receive revenue from such servicing activities, any such removal as the servicer or master servicer, could adversely affect our business, operating results, financial condition or prospects, as would the cost of onboarding a new servicer. Furthermore, we have agreed in our servicing agreements to service loans in accordance with the standards set forth therein and may be obligated to repurchase loans or indemnify the buyer of any such loans if we fail to meet those standards.
Additionally, if one or more key third-party service providers were to cease to exist, to become a debtor in a bankruptcy or an insolvency proceeding or to seek relief under any debtor relief laws or to terminate its relationship with us, there could be delays in our ability to process payments and perform other operational functions for which we are currently relying on such third-party service provider, and we may not be able to promptly replace such third-party service provider with a different third-party service provider that has the ability to promptly provide the same services in the same manner and on the same economic terms. As a result of any such delay or inability to replace such key third-party service provider, our ability to process payments and perform other business functions could suffer and our business, cash flows and future prospects may be negatively impacted.
We perform and manage the loan origination process for all of the home loans that we originate. If we fail to properly perform these functions, our home loans business may be adversely affected.
In April 2023, we acquired Wyndham, a mortgage lender, expanding our home loans business. In connection with the acquisition of Wyndham, we adopted loan origination technology which facilitates performing many functions in connection with the origination of home loans, including processing, underwriting, pricing, vendor management, closing, and additional functions for loan origination that we previously outsourced to third-party providers, and we now directly manage loan underwriters and loan processors which are services previously managed by third-party providers. In the event that we fail for any reason to perform or manage such functions in accordance with all applicable requirements, including through human errors, technology errors, negligence, willful misconduct or fraud, our ability to originate home loans will suffer and our business, cash flows and future prospects may be negatively impacted, and we could incur penalties or liabilities including obligations to repurchase loans from investors to whom we sold the loans. Additionally, if we fail to perform such functions or properly manage our new resources, we may be unable to complete, or be delayed in the completion of, the origination of home loans in our pipeline and to originate new home loans, and we may not be able to onboard a replacement service provider that has the ability to promptly provide the same services in the same manner and on the same economic terms.
Potential geographic concentration of our members may increase the risk of loss on the loans that we originate and negatively impact our business.
Any concentration of our members in specific geographic areas may increase the risk of loss on our loans. Certain regions of the U.S. from time to time will experience weaker economic conditions and higher unemployment and, consequently, will experience higher rates of delinquency and loss than on similar loans in other regions of the country. Moreover, a further deterioration in economic conditions or a recession, outbreaks of disease, the continued increase in extreme weather conditions and other natural events (such as hurricanes, tornadoes, floods, drought, wildfires, mudslides, earthquakes and other extreme conditions) and other factors could adversely affect the ability and willingness of borrowers in affected regions to meet their payment obligations under their loans and may consequently affect the delinquency and loss experience of such loans. In addition, we, as master servicer for all student loans and home loans and as servicer of our personal loans, have offered in the past, and may in the future offer, hardship forbearance or other relief programs in certain circumstances to affected borrowers.
Conversely, an improvement in economic conditions in one or more of the geographic areas in which we have members could result in higher prepayments of their payment obligations under their loans in such states. As a result, we and the whole loan purchasers who hold our loans or securitization investors or warehouse lenders who hold securities backed by our loans may receive principal payments earlier than anticipated, and fewer interest payments than anticipated, and face certain reinvestment risks, such as the inability to acquire loans on equally attractive terms as the prepaid loans. In addition, higher prepayments than anticipated may have a negative impact on our servicing revenue which could cause our operating results and financial condition to be materially and adversely affected.
47
SoFi Technologies, Inc.
Further, the concentration of our loans in one or more geographic locations may have a disproportionate effect on us or investors in our loans or securities backed by our loans if governmental authorities in any of those areas take action against us as originator, master servicer or servicer of those loans or take action affecting our ability as master servicer or servicer to service those loans.
Funding and Liquidity Risks
If we are unable to successfully manage our assets and liabilities on the balance sheet and our funding costs, including with respect to deposit-based funding, our ability to finance additional loans and introduce new products may be negatively impacted.
We fund our operations and capital expenditures primarily through SoFi Bank deposits, warehouse funding, common equity capital, convertible debt, a corporate revolving credit facility, securitizations, and other financings. Through SoFi Bank, we utilize deposits which generally has a lower borrowing cost of funds than warehouse financing, and we have the ability to access other funding sources, such as the FHLB and certain brokered deposit channels established by SoFi Bank. Because we rely on each of these outlets for liquidity, if we are unable to successfully manage our assets and liabilities and funding costs as described above, or if we experience a loss or reduction of these liquidity outlets, our business could be materially adversely impacted. For example, certain banks have faced operational difficulties in accessing the Federal Reserve discount window and there is no guarantee that we will not face the same or similar issues. In addition, there can be no assurance that we will be able to successfully access the securitization markets at any given time, and in the event of a sudden or unexpected shortage of funds in the banking and financial system, we cannot be sure that we will be able to maintain necessary levels of funding without incurring high funding costs, a reduction in the term of funding instruments, an increase in the amount of equity we are required to hold or the liquidation of certain assets. Furthermore, there is a risk that there will be no market at all for our loans either from whole loan buyers or through investments in securities backed by our loans.
We may require capital in excess of amounts we currently anticipate, and depending on market conditions and other factors, we may not be able to maintain our capital or obtain additional capital for our current operations or anticipated future growth on reasonable terms or at all. As the volume of loans that we originate, and the increased suite of products that we make available to members, increases, we may be required to expand the size of our debt warehousing facilities or seek additional sources of capital. The availability of these financing sources depends on many factors, some of which are outside of our control. We may also experience the occurrence of events of default or breaches of financial performance or other covenants under our debt agreements, which could reduce or terminate our access to institutional funding.
As we think about managing our assets and liabilities on the balance sheet and our funding costs, our deposit growth may slow. If we are unable to satisfactorily manage our current sources of funding, including deposits, or, if needed, secure new or alternative methods of financing, our ability to finance additional loans and to develop and offer new products may be negatively impacted. If deposit growth slows, we may need to turn to higher cost of funds. The interest rates, advance rates and other costs of new, renewed or amended facilities may also be higher than those currently in effect. If we are unable to renew or otherwise replace these facilities or generally arrange new or alternative methods of financing on favorable terms, we may be forced to curtail our origination of loans or reduce lending or other operations, which would have a material adverse effect on our business, financial condition, operating results and cash flows.
If one or more of our warehouse facilities, on which we are highly dependent, is terminated or otherwise becomes unavailable, we may be unable to find replacement financing on favorable terms, or at all, which would have a material adverse effect on our business and financial condition.
We require a significant amount of short-term funding capacity for loans we originate. Consistent with industry practice, our existing warehouse facilities generally require periodic renewal. If any of our committed warehouse facilities are terminated or are not renewed or our uncommitted facilities are not honored, we may be unable to find replacement financing on favorable terms, or at all, and we might not be able to originate an acceptable or sustainable volume of loans, which would have a material adverse effect on our business. Additionally, as our business continues to expand, including our home loan business, we may need additional warehouse funding capacity for the loans we originate. There can be no assurance that, in the future, we will be able to obtain additional warehouse funding capacity on favorable terms, on a timely basis, or at all.
If we fail to meet or satisfy any of the financial or other covenants included in our warehouse facilities, we would be in default under one or more of these facilities and our lenders could elect to declare all amounts outstanding under the facilities to be immediately due and payable, enforce their interests against loans pledged under such facilities and restrict our ability to make additional borrowings. Certain of these facilities also contain cross-default provisions. These restrictions may interfere with our ability to obtain financing or to engage in other business activities, which could materially and adversely affect us.
48
SoFi Technologies, Inc.
There can be no assurance that we will maintain compliance with all financial and other covenants included in our warehouse facilities in the future.
In addition, our agreements with our warehouse lenders contain various concentration limits and triggers, including related to excess spread. High interest rates have in the past and may in the future place pressure on our net cost of funds for loans held at SoFi Lending Corp., which do not benefit from deposit funding through SoFi Bank, and increase the likelihood of reaching an excess spread limit. A breach of such limits or other similar terms of such agreements could result in an inability to place loans in the relevant warehouse facilities and require us to pursue other forms of financing. If we are unable to find replacement financing on favorable terms, or at all, our operations could be impacted materially.
Increases in member default rates on loans could make us and our loans less attractive to whole loan buyers, lenders under debt warehouse facilities and investors in securitizations, which may adversely affect our access to financing and our business.
Increases in member default rates, due to deteriorating economic conditions or other factors, could make us and our loans less attractive to our existing or prospective funding sources, including whole loan buyers, securitization investors and lenders under debt warehousing facilities. If our existing funding sources do not achieve their desired financial returns or if they suffer losses, they or prospective funding sources may increase the cost of providing future financing or refuse to provide future financing or purchase loans on terms acceptable to us or at all.
Our securitizations are nonrecourse to the Company and are collateralized by the pool of our loans pledged to the relevant securitization issuer. If the loans securing our securitizations fail to perform as expected, rating agencies may place our bonds on watch or change their ratings on (or their ratings methodology for) the bonds issued by our securitization trusts. Our loans performance and any actions taken by the rating agencies could result in the lenders under our warehouse facilities, the whole loan purchasers who purchase our loans, the investors in our securitizations who purchase securities backed by our loans, or future lenders, whole loan purchasers or securitization investors in similar arrangements, increasing the cost of providing future financing or refusing to provide future financing or purchase loans on terms acceptable to us or at all.
While this risk may be partially mitigated by our ability to hold loans on our balance sheet, in sufficient volume, high member default rates would negatively impact our financial condition. Consequently, if we were to be unable to arrange new or alternative methods of financing on favorable terms, we may have to curtail or cease our origination of loans, which could have a material adverse effect on our business, financial condition, operating results and cash flows.
We make representations and warranties in connection with the transfer of loans to whole loan purchasers, government-sponsored enterprises, and our debt warehouse lenders and securitization trusts. If such representations and warranties are not correct, we could be required to repurchase loans or indemnify the purchaser, which could have an adverse effect on our ability to operate and fund our business.
We sell and finance the loans we originate to and with third parties, including, with respect to home loans, counterparties like GSEs, and we make certain representations and warranties to those third parties in connection with the transfer of loans described below. In the ordinary course of business, we are exposed to liability under these representations and warranties made to purchasers of loans. Such representations and warranties typically include, among other things, that the loans were originated and serviced in compliance with the law and with our credit risk origination policy and servicing guidelines, and, in connection with transfers to GSEs, that the loans were originated in compliance with the guidelines of the relevant GSE, and that, to the best of our knowledge, each loan was originated by us without any fraud or misrepresentation on our part or on the part of the borrower or any other person. In addition, purchasers require loans to meet strict underwriting and loan term criteria in order to be eligible for purchase. If those representations and warranties are breached as to a given loan, or if a certain loan we sell does not meet the relevant eligibility criteria, we will be obligated to repurchase the loan, typically at a purchase price equal to the then-outstanding principal balance of such loan, plus accrued interest and any premium. We may also be required to indemnify the purchaser for losses resulting from the breach of representations and warranties. With regard to home loans insured by the Federal Housing Administration or the VA, and to the extent that any of our home loans do not comply with Federal Housing Administration or VA guidelines, we could also face claims under the False Claims Act. In connection with our whole loan sales, we also typically covenant to repurchase any loan that enters delinquent status within the first thirty to sixty days following origination of the loan. Any significant increase in our obligation to repurchase loans or indemnify purchasers of loans could have a significant adverse impact on our cash flows, even if they are reimbursable, and could also have a detrimental effect on our business and financial condition. If any such repurchase event occurs on a large scale, we may not have sufficient funds to meet our repurchase obligations, which would result in a default under the underlying agreements. Moreover, we may not be able to resell or refinance loans repurchased due to a breach of a representation or warranty or we may be forced to sell such loans below par. Any such event could have an adverse impact on our business, operating results, financial condition and prospects. In addition, in the acquisition of Wyndham, we also acquired
49
SoFi Technologies, Inc.
Wyndham's liability to its loan investors and loan insurers for mortgage loans originated by Wyndham, including repurchase obligations that might not be contingent upon the investor proving an error by Wyndham.
In addition to loan level representations and warranties, our agreements with the lenders and investors on our securitizations, debt warehouse facilities and corporate revolving debt contain a number of corporate financial covenants and early payment triggers and performance covenants. These facilities, together with deposits, are the primary funding sources available to support the maintenance and growth of our business and our liquidity would be materially adversely affected by our inability to comply with the various covenants and other specified requirements set forth in our agreements with our lenders and investors, which could result in the early amortization, default and/or acceleration of our existing facilities. Such covenants and requirements include financial covenants, portfolio performance covenants and other events. For a description of these covenants, requirements and events, see "Management's Discussion and Analysis of Financial Condition and Results of Operations - Liquidity and Capital Resources".
During an early amortization period or occurrence of a termination event or an event of default, principal collections from the loans in our warehouse facilities would be applied to repay principal under such facilities rather than being available to fund newly originated loans. During the occurrence of a termination event or an event of default under any of our facilities, the applicable lenders could accelerate the related debt and such lenders' commitments to extend further credit under the related facility, if any, would terminate. If we were unable to repay the amounts due and payable under such facilities and securitizations, the applicable lenders and noteholders could seek remedies, including against the collateral pledged under such facilities and by the securitization trust. An acceleration of the debt under certain facilities could also lead to a default under other facilities and, in certain instances, our hedging arrangements, due to cross-default and cross-acceleration provisions.
An early amortization event or event of default would negatively impact our liquidity, including our ability to originate new loans, and require us to rely on alternative funding sources, which might increase our funding costs or which might not be available when needed. If we were unable to arrange new or alternative methods of financing on favorable terms, we might have to hold loans on balance sheet in an amount that may negatively impact our financial condition, or curtail or cease the origination of loans, which could impair our growth, and, in each case, have a material adverse effect on our business, financial condition, operating results and cash flows, which in turn could have a material adverse effect on our ability to meet our obligations under our facilities.
We require substantial capital and, in the future, may require additional capital, to pursue our business objectives and achieve recurring profitability. If adequate capital is not available to us or is unavailable on favorable terms, including due to the cost and availability of funding in the capital markets, our business, operating results and financial condition may be harmed.
Since our founding, we have raised substantial equity and debt financing to support the growth of our business. We may require additional capital to pursue our business objectives and growth strategy and respond to business opportunities, challenges or unforeseen circumstances, including supporting our lending operations, increasing our marketing expenditures to attract new members and technology platform clients and improve our brand awareness, developing our products, introducing new services, further expanding internationally in existing or new countries or further improving existing offerings and services, enhancing our operating infrastructure and potentially acquiring complementary businesses and technologies, and complying with the increased regulatory requirements for bank holding companies and banks. Accordingly, on a regular basis we need, or we may need, to engage in additional debt or equity financings to secure additional funds. However, additional funds may not be available when we need them, in amounts we need, or permitted to be applied to specific use cases, on terms that are acceptable to us or at all. Volatility in the credit markets in general or in the market for personal, student and home loans and credit cards in particular may also have an adverse effect on our ability to obtain debt financing. Although our borrowing costs have trended lower following the acquisition of a national bank charter, the cost of our borrowing could increase due to market volatility, interest rates that are higher than those in the recent past, changes in the risk premiums required by lenders or the unavailability of traditional sources of debt capital. Volatility or depressed valuations or trading prices in the equity markets may similarly adversely affect our ability to obtain equity financing. Furthermore, if we raise additional funds through further issuances of equity or convertible debt securities, our existing stockholders could suffer significant dilution and any new equity securities we issue could have rights, preferences and privileges superior to those of holders of our common stock.
We are required to serve as a source of financial strength for SoFi Bank, which is subject to minimum capital requirements imposed by federal regulators, which means that we may be required to provide capital or liquidity support to SoFi Bank, even at times when we may not have the resources to provide such support. In addition, maintaining adequate liquidity is crucial to our securities brokerage, including key functions such as transaction settlement, custody requirements and margin lending. Our broker-dealer subsidiary, SoFi Securities, is subject to Rule 15c3-1 under the Exchange Act, which
50
SoFi Technologies, Inc.
specifies minimum capital requirements intended to ensure the general financial soundness and liquidity of broker-dealers, and SoFi Securities is subject to Rule 15c3-3 under the Exchange Act, which requires broker-dealers to maintain certain liquidity reserves. We meet our liquidity needs primarily from working capital, deposits and cash generated by member activity, as well as from external debt and equity financing. Increases in the number of members, fluctuations in member cash or deposit balances, as well as market conditions or changes in regulatory treatment of member deposits, may affect our ability to meet our liquidity needs.
A reduction in our liquidity position could reduce our members' confidence in us, which could result in the withdrawal of member assets, including deposits held at SoFi Bank, and loss of members, or could cause us to fail to satisfy minimum capital requirements for SoFi Bank, or broker-dealer or other regulatory capital guidelines, which may result in immediate suspension of banking and other securities activities, regulatory prohibitions against certain business practices, increased regulatory inquiries and reporting requirements, increased costs, fines, penalties or other sanctions, by the Federal Reserve, the OCC, the SEC, FINRA or other SROs or state regulators, and could ultimately lead to the liquidation of SoFi Bank or our broker-dealer or other regulated entities. Factors which may adversely affect our liquidity position include temporary liquidity demands due to timing differences between brokerage transaction settlements and the availability of segregated cash balances, fluctuations in cash held in member accounts, a significant increase in our margin lending activities, increased regulatory capital requirements, changes in regulatory guidance or interpretations, or Federal Housing Administration or VA guidelines, other regulatory changes or a loss of market or member confidence resulting in unanticipated withdrawals of member assets. We expect that we will continue to use our available cash to fund our lending activities and help scale our Financial Services segment. To supplement our cash resources, we may seek to enter into additional securitizations and whole loan sale agreements or increase the size of existing debt warehousing facilities, increase the size of, or replace, our revolving credit facility, continue to grow deposits and pursue other potential options. In addition, a reduction in our liquidity position could impair our technology platform clients' confidence in us and our platform as a service products and services, many of which require capital investments and ongoing platform maintenance by us, which could result in decisions by our technology platform clients to terminate or not renew their existing contracts or to not add new products to their account.
If we are unable to adequately maintain our cash resources, we may delay non-essential capital expenditures, implement cost cutting procedures, delay or reduce future hiring, discontinue the pursuit of our strategic objectives and growth strategies or reduce our rate of future originations compared to the current level. There can be no assurance that we can obtain sufficient sources of external capital to support the growth of our business. Delays in doing so or failure to do so may require us to reduce loan originations or reduce our operations, which would harm our ability to pursue our business objectives as well as harm our business, operating results and financial condition.
We are unable to finance all of the receivables that we originate or other assets that we hold, and that illiquidity could result in a negative impact on our financial condition.
We have the option of pursuing a gain-on-sale origination model, the success of which is tied to our ability to finance the assets that we originate. Certain of our assets, however, are ineligible for sale to a whole loan buyer or securitization trust, or are ineligible for, or are subject to a lower advance rate under, warehouse funding, each of which has specific eligibility criteria for receivables it purchases or holds as collateral. Ineligible receivables include, among others, those in default or that are delinquent, receivables with defects in their origination or servicing, including fraud, or receivables generated under origination guidelines and credit policies that are no longer in effect. In addition, many of our warehouse funding sources contain excess concentration limits for loans in forbearance or with specific loan level characteristics such as time-to-maturity or loan type. Once these limits have been exceeded, the advance rate applied to those receivables becomes less advantageous to us. If we are unable to sell or reasonably fund these receivables, we are required to hold them on our consolidated balance sheet which, in sufficient volume, negatively impacts our financial condition.
In addition to the receivables described above, we also hold on our consolidated balance sheet certain risk retention assets with respect to which we have a reduced ability to receive financing. These risk retention assets include residuals from our securitization trusts that are either ineligible for transfer or are subject to EU regulations. The illiquidity of these positions may negatively impact our financial condition.
Our checking and savings product is expected to continue to provide us with an important source of cost-efficient funding and any failure to scale the product due to our limited experience or a competitive marketplace could have a negative impact on our business, operating results and financial condition.
We expect that checking and savings, a deposit account product, will continue to provide us with an important source of deposits to use for cost-effective funding of loan originations and other activities. However, revenue growth for checking and savings is dependent on increasing the volume of members who open an account and on growing balances in those accounts. Although our checking and savings account product has grown since its introduction in the first quarter of 2022, there is no
51
SoFi Technologies, Inc.
guarantee that account openings and the amount on deposit in those accounts will continue to grow. In addition, although we have invested in a number of initiatives to attract new checking and savings account holders and capture a greater share of our members' savings, including offering a competitive annual percentage yield on deposits and offering SoFi Plus membership benefits to deposit holders, there can be no assurance that these investments to acquire and retain members, provide differentiated features and services and spur usage of our deposit account product will be effective or cost effective. There are also no assurances that we will be able to maintain a competitive annual percentage yield on deposits, and members can easily transfer checking and savings account balances to our competitors. Further, developing our service offerings and marketing the checking and savings product in additional customer acquisition channels could have higher costs than anticipated or be less effective than anticipated, and could adversely impact our results or dilute our brand. Finally, our checking and savings product faces competition from similar products offered by our competitors which may offer more attractive features, including a higher interest rate on deposits, which may impact the success of the product. In the event we are unable to sufficiently grow the checking and savings product, we may be required to find alternative, higher-cost funding for our lending and other activities, or we might not be able to originate an acceptable or sustainable volume of loans, either of which could have a negative impact on our business, operating results and financial condition. See "Market and Interest Rate Risks - Fluctuations in interest rates could negatively affect the demand for our checking and savings product".
Any failure to accurately capture credit risk or to execute our funding strategy for SoFi Credit Card could have a negative impact on our business, operating results and financial condition.
In October 2024, we expanded our credit card program by launching two new credit cards: SoFi Everyday Cash Rewards and SoFi Essential. The performance of these new credit cards and the existing SoFi Unlimited 2% Credit Card products is significantly dependent on the ability of the credit and fraud decisioning and scoring models we use to originate the product, which includes a variety of factors, to effectively prevent fraud, evaluate an applicant's credit profile and likelihood of default. Despite establishing a defined risk appetite and leveraging third-party stress testing of product loss forecasts, there is no assurance that our credit criteria can accurately predict repayment and loss profiles. If our criteria do not accurately prevent fraud or reflect credit risk on the SoFi Credit Card products, greater than expected losses may result and our business, operating results, financial condition and prospects could be materially and adversely affected.
In addition, revenue growth for the SoFi Credit Card program is dependent on increasing the volume of members who open an account and on growing loan balances on those accounts. Over time we will continue to invest in a number of new product initiatives to attract new SoFi Credit Card members and capture a greater share of our members' total spending and borrowings. Revenue growth for SoFi Credit Card may be adversely affected by new restrictions on credit card fees finalized by the CFPB in March 2024. Although originally scheduled to become effective in May 2024, the rule was challenged in the 5th U.S. Circuit Court of Appeals following a stay order from that court. In December 2024, a federal judge rejected the CFPB's request to reinstate the credit card late fee cap, effectively ending the CFPB's attempt to enforce the cap. With the change to the U.S. presidential administration in January 2025 and the possible reshaping of the CFPB under new leadership, the CFPB may not continue litigating in favor of the cap, or enforce the cap. If the CFPB's rule were to become effective as written, it could, if we modify our terms in response to changes made by issuers impacted by the rule, adversely affect revenue.
The operation of our rewards program for the SoFi Unlimited 2% Credit Card and the SoFi Everyday Cash Rewards could have a negative impact on the revenue for our Credit Card program. In December 2024, the CFPB published a Consumer Financial Protection Circular, which warned that the CFPB is scrutinizing and taking actions against operators of credit card reward programs, and declared it may be unlawful to devalue earned rewards, use fine print to disclose conditions for earning or redeeming rewards, or change the benefits for which rewards may be earned and redeemed. This guidance could make it more expensive to operate the rewards program and limit our ability to adapt the program to changing economic conditions.
While we have generally seen increases in revenue from SoFi Credit Card, there can be no assurance that our investments in SoFi Credit Card to acquire members, provide differentiated features and services and spur usage of our cards will continue to be effective, and developing our service offerings and forming new partnerships could have higher costs than anticipated, and could adversely impact our results or dilute our brand.
Furthermore, the success of the SoFi Credit Card products depends on our ability to execute on our funding strategy for the resulting credit card receivables. We may establish a credit card receivable securitization program in the future. There is no guarantee, however, that we will be successful in establishing a securitization program for these assets. In the event we are unable to finance our credit card receivables, we may be required to hold those assets on our consolidated balance sheet or sell them for a loss, either of which could have a negative impact on our business, operating results and financial condition.
52
SoFi Technologies, Inc.
Regulatory, Tax and Other Legal Risks
As a bank holding company, we are subject to extensive supervision and regulation, and changes in laws and regulations applicable to bank holding companies could limit or restrict our activities and could have a material adverse effect on our operations.
As a bank holding company, we are subject to regulation, supervision and examination by the Federal Reserve, and SoFi Bank is subject to regulation, supervision and examination by the OCC and the FDIC, as well as regulations issued by the CFPB. Federal laws and regulations govern numerous matters affecting us, including changes in the ownership or control of banks and bank holding companies, maintenance of adequate capital and the financial condition of a financial institution, permissible types, amounts and terms of extensions of credit and investments, permissible nonbanking activities, the level of reserves against deposits and restrictions on dividend payments. The OCC possesses the power to issue cease and desist orders to prevent or remedy unsafe or unsound practices or violations of law by banks subject to their regulation, and the Federal Reserve possesses similar powers with respect to bank holding companies. In general, the bank supervisory framework is intended to protect insured depositors and the safety, soundness and stability of the U.S. financial system and not shareholders in depository institutions or their holding companies.
In connection with applying for approval to become a bank holding company, we developed a financial and bank capitalization plan and enhanced our governance, compliance, controls and management infrastructure and capabilities in order to ensure compliance with all applicable regulations, which required, and will continue to require, substantial time, monetary and human resource commitments. If any new regulations or interpretations of existing regulations to which we are subject impose requirements on us that are impractical or that we cannot satisfy, our financial performance, and our stock price, may be adversely affected.
Federal regulations establish minimum capital requirements for insured depository institutions, including minimum risk-based capital and leverage ratios, and define "capital" for calculating these ratios. The minimum capital requirements are: (i) a common equity Tier 1 capital ratio of 4.5%; (ii) a Tier 1 to risk-based assets capital ratio of 6%; (iii) a total capital ratio of 8%; and (iv) a Tier 1 leverage ratio of 4%. The regulations also establish a "capital conservation buffer" of 2.5% of common equity Tier 1 capital. An institution will be subject to limitations on paying dividends, engaging in share repurchases and paying discretionary bonuses if its capital level falls below the capital conservation buffer amount. The federal banking regulators could also require the Company and/or SoFi Bank, as applicable, to hold capital that exceeds minimum capital requirements for insured depository institutions. The application of these capital requirements could, among other things, require us to maintain higher capital resulting in lower returns on equity, and we may be required to obtain additional capital, or face regulatory actions if we are unable, to comply with such requirements.
We are also subject to the requirements in Sections 23A and 23B of the Federal Reserve Act and the Federal Reserve's implementing Regulation W, which regulate loans, extensions of credit, purchases of assets, and certain other transactions between an insured depository institution (such as SoFi Bank) and its affiliates. The statute and regulation require us to impose certain quantitative limits, collateral requirements and other restrictions on "covered transactions" between SoFi Bank and its affiliates and require all transactions be on "market terms" and conditions consistent with safe and sound banking practices. For example, Galileo's provision of technology services to SoFi Bank is subject to Regulation W, including the requirement that the arrangement is on market terms.
The laws, rules, regulations, and supervisory guidance and policies applicable to us are subject to regular modification and change, including increased regulation as a result of the turmoil in the banking industry. These changes could adversely and materially impact us. For example, the Dodd-Frank Act and other federal banking laws subject companies with $10 billion or more of consolidated assets to additional regulatory requirements. Section 1075 of the Dodd-Frank Act, which is commonly known as the "Durbin Amendment", amended the Electronic Fund Transfer Act to restrict the amount of interchange fees that may be charged and prohibit network exclusivity for debit card transactions. SoFi Bank is required to comply with the restrictions on interchange fees that went into effect on July 1, 2023, which may negatively impact future interchange fees we collect. In addition, in November 2023, the Federal Reserve proposed changes to the regulations implementing the Electronic Fund Transfer Act that would further restrict the amount of interchange fees that may be charged and require biennial reviews of those fees. Guidance from regulators of SoFi Bank can subject its non-bank affiliates to increased governance. For example, the OCC's guidance on retail non-deposit investment products, or RNDIPs, applies to referral arrangements that SoFi Bank may have with an affiliate, including SoFi Securities. This guidance, which was further updated in June 2024 to align with the SEC's Regulation BI, requires that banks implement and maintain effective oversight and monitoring of relevant RNDIP arrangements to ensure that, among other things, sales transactions and recommendations to retail investors comply with SEC regulations. Changes in laws, rules, regulations and supervisory guidance and policies could, among other things, subject us to
53
SoFi Technologies, Inc.
additional costs, including costs of compliance; limit the types of financial services and products we may offer; and/or increase the ability of non-banks to offer competing financial services and products. Failure to comply with laws, regulations, policies, or supervisory guidance could result in enforcement and other legal actions by federal and state authorities, including criminal and civil penalties, the loss of FDIC insurance, revocation of a banking charter or registration as a broker-dealer and investment adviser, other sanctions by regulatory agencies, civil money penalties, and/or reputational damage, which could have a material adverse effect on our business, financial condition, and results of operations.
Finally, we intend to continue to explore other products for SoFi Bank over time. Some of those products may require, or be deemed to require, additional data, procedures, partnerships, regulatory approvals, or capabilities that we have not yet obtained or developed. Should we fail to expand and evolve SoFi Bank products in a successful manner, or should these new products, or new regulations or interpretations of existing regulations, impose requirements on us that are cumbersome or that we cannot satisfy, our business may be materially and adversely affected.
The U.S. Congress, the Trump administration, or any new administration may make substantial changes to fiscal, tax, and other federal policies that may adversely affect our business.
The Trump administration has called for significant changes to U.S. trade, healthcare, immigration and government regulatory policy and has begun implementing policy changes at a rapid pace. Changes to U.S. policy implemented by the U.S. Congress, the Trump administration or any new administration have impacted among other things, the U.S. and global economy, international trade relations, unemployment, immigration, healthcare, taxation, the U.S. regulatory environment, inflation and other areas. Although we cannot predict the impact, if any, of these changes to our business, they could adversely affect our business. Until we know what policy changes are made, whether those policy changes are challenged and subsequently upheld by the court system and how those changes impact our business and the business of our competitors over the long term, we will not know if, overall, we will benefit from them or be negatively affected by them.
Failure to comply with applicable laws, regulations or commitments, or to satisfy our regulators' supervisory expectations, could subject us to, among other things, supervisory or enforcement action, which could adversely affect our business, financial condition and results of operations.
If we do not comply with applicable laws, regulations or commitments, including SoFi Bank's operating agreement, if we are deemed to have engaged in unsafe or unsound conduct, or if we do not satisfy our regulators' supervisory expectations, then we may be subject to increased scrutiny, supervisory criticism, governmental or private litigation and/or a wide range of potential monetary penalties or consequences, enforcement actions, criminal liability and/or reputational harm. Such actions could be public or of a confidential nature, and arise even if we are acting in good faith or operating under a reasonable interpretation of the law and could include, for example, monetary penalties, payment of damages or other monetary relief, restitution or disgorgement of profits, directives to take remedial action or to cease or modify practices, restrictions on growth or expansionary proposals, denial or refusal to accept applications, removal of officers or directors, prohibition on dividends or capital distributions, increases in capital or liquidity requirements and/or termination of SoFi Bank's deposit insurance. Additionally, compliance with applicable laws, regulations and commitments requires significant investment of management attention and resources. Any failure to comply with applicable laws, regulations or commitments could have an adverse effect on our business, financial condition and results of operations.
An inability to accept or maintain deposits due to market demand or regulatory constraints could materially adversely affect our liquidity position and our ability to fund our business.
SoFi Bank accepts deposits and uses the proceeds as a source of funding, with our direct retail deposits becoming a larger proportion of our funding over time. Although we launched the SoFi Insured Deposit Program in 2023, whereby funds (up to $2 million) are deposited into deposit accounts at banks which are insured by the FDIC up to the applicable limits, we continue to face strong competition with regard to deposits, and pricing and product changes may adversely affect our ability to attract and retain cost-effective deposit balances. To the extent we offer higher interest rates to attract or maintain deposits, our funding costs will be adversely impacted.
Our ability to obtain deposit funding and offer competitive interest rates on deposits is also dependent on SoFi Bank's capital levels. The FDIA's brokered deposit provisions and related FDIC rules in certain circumstances prohibit banks from accepting or renewing brokered deposits and apply other restrictions, such as a cap on interest rates that can be paid. For example, while SoFi Bank met the definition of "well-capitalized" as of December 31, 2024 and currently has no restrictions regarding acceptance of brokered deposits or setting of interest rates, there can be no assurance that we will continue to meet this definition. In July 2024, the FDIC proposed a rule which, if finalized as proposed, would expand the types of deposits that would be considered "brokered deposits" and we could be subject to these restrictions. Additionally, our regulators can adjust
54
SoFi Technologies, Inc.
applicable capital requirements at any time and have authority to place limitations on our deposit businesses. An inability to attract or maintain deposits in the future could materially adversely affect our ability to fund our business.
Legislative and regulatory policies and related actions have had and could in the future have a material adverse effect on our student loan portfolios and our student loan origination volume.
Legislative and regulatory actions have had and could continue to have a significant impact on our student loan refinancing business. On March 27, 2020, the CARES Act was signed into law. In compliance with the CARES Act, payments and interest accrual on all loans owned by the U.S. Department of Education were initially suspended through September 30, 2020, a pause on student loan repayments that was subsequently extended through August 30, 2023 by a series of executive actions. Interest on federal student loans began accruing on September 1, 2023 and borrowers' first loan payments were due in October 2023. Although federal student loans are back in repayment, the increased focus in recent years by policymakers on outstanding federal student loans, including, among other things, on the total volume of outstanding loans and on the number of loans outstanding per borrower, has led to discussion of additional potential legislative and regulatory actions and other possible steps to, among other things:
•permit private education loans such as our refinanced student loan and in-school student loan products to be discharged in bankruptcy without the need to show undue hardship;
•amend the federal postsecondary education loan programs, including to reduce interest rates on certain loans, to revise repayment plans, to make income-driven repayment plans more attractive to borrowers, to implement broader loan forgiveness plans, to provide for refinancing of private education loans into federal student loans at low interest rates, to reduce or eliminate the Grad PLUS program (which authorizes loans that comprise a substantial portion of our student loan refinancing business) and to provide for refinancing of existing federally held student loans into new federal student loans at low interest rates;
•require private education lenders to reform loan agreements to provide for income-driven repayment plans and other payment plans; and
•make sweeping changes to the entire cost structure and financial aid system for higher education in the U.S., including proposals to provide free postsecondary education.
In addition, there is pressure on policymakers to reduce or cancel student loans or accrued interest at a significant scale, which would further reduce demand for our student loan refinancing product and have a negative impact on our loan origination volume and revenue. For example, despite legal challenges at the Supreme Court to some of the Biden Administration's prior student loan forgiveness measures, the Biden Administration subsequently continued to pursue options for providing relief to student borrowers. However, in December 2024, the U.S. Department of Education withdrew proposed rules seeking to provide student loan debt forgiveness for borrowers experiencing financial hardship and terminated three Program Integrity and Institutional Quality issues, which would have would have allowed the U.S. Secretary of Education to cancel student loans for several groups of borrowers, including those who had been in repayment for decades and others experiencing financial hardship, and could have reduced or eliminated the education debts of millions of Americans. In addition, the change of administration in January 2025 has brought uncertainty to the future of student debt relief programs and the U.S. Department of Education.
The future impact to our student loan refinancing product will also largely depend on expectations regarding the introduction or implementation of these or any additional relief measures, the interest rate environment, how competitive our student loan refinancing products are compared to our competitors and macroeconomic factors. If in the future, student loans were forgiven or canceled in any meaningful scale, or if federal loan borrowers were permitted to refinance at lower interest rates, our student loan refinancing business within our Lending segment, which is our largest segment, would be materially and adversely affected and our profitability, results of operations, financial condition, cash flows or future business prospects could be materially and adversely affected as a result. In addition, proposals to make student loans dischargeable in bankruptcy or similar proposals could make whole loan purchasers less likely to purchase our student loans, securitization investors less likely to purchase securities backed by our student loans or warehouse lenders less likely to lend against our student loans at attractive advance rates. As a result of any material adverse effect to our Lending segment, our overall profitability, results of operations, financial condition, cash flows or future business prospects may be adversely affected.
Although we continue to evaluate the ultimate impact of local, state and federal legislation, regulation and politics, guidance and actions, future legislative, regulatory and executive actions, and the ongoing impact of our own forbearance measures on our financial results, business operations and strategies, there is no guarantee that our estimates will be accurate or that any actions we take based on such estimates will be successful. Furthermore, we believe that the cost of responding to, and complying with, evolving laws and regulations, as well as any guidance from enforcement actions, will continue to increase, as
55
SoFi Technologies, Inc.
will the risk of penalties and fines from any enforcement actions that may be imposed on our businesses. Our profitability, results of operations, financial condition, cash flows or future business prospects could be materially and adversely affected as a result.
If we fail to comply with federal and state consumer protection laws, rules, regulations and guidance, our business could be adversely affected.
The CFPB, an agency which oversees compliance with and enforces federal consumer financial protection laws, has supervisory authority over the offer, sale or provision of our consumer financial products and services. Prior to January 1, 2024, the OCC examined SoFi Bank for compliance with CFPB rules and enforced CFPB rules with respect to SoFi Bank. In addition, to the extent certain of our lending or loan servicing activity was conducted outside of SoFi Bank, the CFPB had the authority to pursue enforcement actions against us as a company offering those certain consumer financial products or services. Beginning January 1, 2024, SoFi Bank and its affiliates became subject to supervision and regulation by the CFPB with respect to federal consumer protection laws, including laws relating to fair lending and the prohibition of UDAAP in connection with the offer, sale or provision of consumer financial products and services. As part of its regulatory oversight, the CFPB may seek a range of remedies, including rescission of contracts, refund of money, return of real property, restitution, disgorgement of profits or other compensation for unjust enrichment, damages, public notification of the violation and "conduct" restrictions (i.e., future limits on the target's activities or functions). Under the Biden administration, the CFPB pursued a more aggressive enforcement policy with respect to a range of regulatory compliance matters. For example, on January 6, 2022, the CFPB announced a new initiative to scrutinize so-called consumer "junk fees." Since then, the CFPB issued guidance to banks on how to avoid charging unlawful overdraft and depositor fees, confirmed their policy against "pay to pay" fees or charging any fees not expressly authorized and properly disclosed in a consumer agreement, issued a final rule limiting credit card penalty fees, which was stayed pending ongoing litigation, and launched an inquiry into junk fees in mortgage closing costs. The CFPB has also identified additional unfair, deceptive, and abusive acts or practices that could violate the CFPA, including certain billing and collection practices after bankruptcy discharges of certain student loan debt, taking unreasonable advantage of a consumer's reasonable reliance on an operator or lead generator to act in the consumer's interests, and including unclear or unenforceable terms and conditions in consumer contracts or fine print. The CFPB has also focused on student borrower harms from servicing failures, program disruptions, college banking and credit card agreements, and a variety of illegal practices and has been active in litigation against student loan servicers and others, including Climb Credit and its largest shareholder 1/0, Ejudicate, Navient, Prehired, the National Collegiate Student Loan Trusts and Pennsylvania Higher Education Assistance Agency, Western Benefits Group, Student Loan Pro and its owner, Judith Noh, and Performant Recovery, Inc. for CFPA and other violations. Increased enforcement or rules from the CFPB could increase our legal and financial compliance costs, require us to evaluate or amend certain activities or products in light of evolving compliance standards, make some activities more difficult, time-consuming and costly, and increase demand on our systems and resources. In addition, the change of administration in January 2025 has brought uncertainty as to the future of the CFPB and the aggressiveness of its enforcement policies.
We hold lending licenses or similar authorizations in multiple states, each of which has the authority to supervise and examine our activities. As a licensed consumer lender, mortgage lender, loan broker, collection agency, Money Services Business ("MSB") and loan servicer in certain states, we are subject to examinations by state agencies in those states. Similarly, we are subject to licensure requirements and regulations as an education loan servicer in multiple states. An administrative proceeding, litigation, investigation or regulatory proceeding relating to allegations or findings of the violation of such laws by us, any sub-servicer we engage, or our collection agents, could impair our ability to service and collect on our loans or could result in requirements that we pay damages, fines or penalties and/or cancel the balance or other amounts owing under one or more of our loans. There is no assurance that allegations of violations of the provisions of applicable federal or state consumer protection laws will not be asserted against us, any sub-servicers or collection agents we engage or other prior owners of our loans in the future. To the extent it is determined that any of our loans were not originated in accordance with all applicable laws, we may be obligated to repurchase such loan from a whole loan buyer, securitization trust or warehouse facility.
We must comply with federal, state and local consumer protection laws including, among others, the federal and state UDAAP laws, the Federal Trade Commission Act, the Truth in Lending Act, the CRA, the Real Estate Settlement Procedures Act, the ECOA, the FHA, the HMDA, the Secure and Fair Enforcement for Mortgage Licensing Act, FCRA, the Fair Debt Collection Practices Act, the Servicemembers Civil Relief Act, the Military Lending Act, the Electronic Fund Transfer Act, the GLBA, the CARES Act and the Dodd-Frank Act. We must also comply with laws on advertising, as well as privacy laws, including the TCPA, the Telemarketing Sales Rule, the CAN-SPAM Act, the Personal Information Protection and Electronic Documents Act, applicable laws and regulations of Hong Kong including the Personal Data (Privacy) Ordinance and the Personal Data (Privacy) (Amendment) Ordinance 2012 and the CCPA and other state privacy laws. Privacy and data security concerns, data collection and transfer restrictions, contractual obligations and U.S. laws and regulations related to data privacy, security and protection could materially and adversely affect our business, financial condition and results of operations. Compliance with applicable laws is costly, and our failure to comply with applicable federal, state and local laws could lead to:
56
SoFi Technologies, Inc.
•loss of our licenses and approvals to engage in our lending and servicing businesses;
•damage to our reputation in the industry;
•governmental investigations and enforcement actions;
•administrative fines and penalties and litigation;
•civil and criminal liability, including class action lawsuits;
•inability to enforce loan agreements;
•diminished ability to sell loans that we originate or purchase, requirements to sell such loans at a discount compared to other loans or repurchase or address indemnification claims from purchasers of such loans;
•loss or restriction of warehouse facilities to fund loans;
•inability to raise capital; and
•inability to execute on our business strategy, including our growth plans.
The CRA, to which SoFi Bank is subject, presents a useful example of how a failure to comply with applicable laws could hamper our growth. On January 1, 2023, SoFi Bank began operating under a five-year CRA strategic plan which includes measurable goals relating to: (i) CD Lending and CD Investments, (ii) CD Contributions, (iii) CD Services, (iv) Small Business Lending, and (v) Retail Services and Products. On October 23, 2023, the Federal Reserve, OCC and FDIC approved changes to their CRA regulations, maintaining the existing CRA ratings (Outstanding, Satisfactory, Needs to Improve, and Substantial Noncompliance) but modifying the evaluation framework to replace the existing tests generally applicable to banks with at least $2 billion in assets (the lending, investment, and services tests) with four new tests and associated performance metrics. The new CRA regulations, which become effective on January 1, 2026, increase the geographic areas in which banks will be evaluated for CRA performance and may be particularly burdensome on banks focused on mobile and digital banking such as SoFi Bank. The implementation of the new CRA regulations is currently paused pending the resolution of legal challenges to the new regulations. The OCC's assessment of our compliance with the CRA is taken into account when evaluating any application we submit for, among other things, a merger or the acquisition of another financial institution. Our failure to satisfy our CRA obligations could, at a minimum, result in the denial of such applications and limit our growth.
In the first quarter of 2019, we were subject to a consent order from the FTC (the "FTC Consent Order"), which resolved allegations that we misrepresented how much money student loan borrowers have saved or would save from financing their loans with us, in violation of the Federal Trade Commission Act. Under the FTC Consent Order, we are prohibited from misrepresenting to consumers how much money they would save by using our products, unless the claims are backed up by reliable evidence.
While we have developed and monitor policies and procedures designed to assist in compliance with laws and regulations, no assurance can be given that our compliance policies and procedures will be effective and that we will not be subject to fines and penalties, including with respect to any alleged noncompliance with the FTC Consent Order. Ambiguities in applicable statutes and regulations may leave uncertainty with respect to permitted or restricted conduct and may make compliance with laws, and risk assessment decisions with respect to compliance with laws, difficult and uncertain. In addition, ambiguities make it difficult, in certain circumstances, to determine if, and how compliance violations may be cured. We have in the past and may in the future fail to comply with applicable statutes and regulations even if acting in good faith, or because governmental bodies or courts interpret existing laws or regulations in a more restrictive manner, which have in the past and may in the future lead to regulatory investigations, governmental enforcement actions or private causes of action with respect to our compliance. To resolve issues raised in examinations or other governmental actions, we may be required to take various corrective actions, including changing certain business practices, making refunds or taking other actions that could be financially or competitively detrimental to us. In some cases, regardless of fault, it may be less time-consuming or costly to settle these matters, which may require us to implement certain changes to our business practices, provide remediation to certain individuals or make a settlement payment to a given party or regulatory body. There is no assurance that any future settlements will not have a material adverse effect on our business.
We hold state licenses that result in substantial compliance costs, and our business would be adversely affected if our licenses are impaired as a result of noncompliance with those requirements.
We currently hold state licenses in connection with our lending activities, student loan servicing activities, securities business, and prior MSB activities. Although we have transitioned our lending products to SoFi Bank, for as long as SoFi Lending Corp. originates, brokers, purchases or master services or services loans, we must comply with certain state licensing requirements and varying compliance requirements. In addition, although we have transferred our digital assets business and relinquished our state money transmitter licenses, we still hold our MSB license. Changes in licensing laws may result in
57
SoFi Technologies, Inc.
increased disclosure requirements, increased fees, or may impose other conditions to licensing that we or our personnel are unable to meet. In most states in which we operate, a regulatory agency or agencies regulate and enforce laws relating to loan servicers, brokers, and originators, collection agencies, and MSBs. We are subject to periodic examinations by state and other regulators in the jurisdictions in which we conduct business, which can result in increases in our administrative costs and refunds to borrowers of certain fees earned by us, and we may be required to pay substantial penalties imposed by those regulators due to compliance errors, or we may lose our license or our ability to do business in the jurisdiction otherwise may be impaired. Fines and penalties incurred in one jurisdiction may cause investigations or other actions by regulators in other jurisdictions.
We may not be able to obtain or maintain all currently required licenses and permits. If we change or expand our business activities, we may be required to obtain additional licenses before we can engage in those activities. If we apply for a new license, a regulator may determine that we were required to do so at an earlier point in time, and as a result, may impose penalties or refuse to issue the license, which could require us to modify or limit our activities in the relevant state. For example, we have been fined in the past by state regulators for engaging in financial services related activities prior to obtaining a license. Based on changes to our businesses, we may also forfeit certain of our licenses that are no longer required. Regulators may impose conditions, requirements or penalties in connection with the forfeiture of any of our licenses.
States may also expand or otherwise modify their current regulations and if such states so act, we may not be able to comply with such updated regulations or maintain all requisite licenses and permits in such states or our costs of compliance with and maintenance of such licenses or permits may materially increase. For example, California, Colorado and Maine have implemented additional regulations related to student loan servicers which impose additional registration, reporting and disclosure requirements and which, if applicable to us, may increase our costs of originating and servicing loans in those states.
In addition, the states that currently do not provide extensive regulation of our business may later choose to do so, and if such states so act, we may not be able to obtain or maintain all requisite licenses and permits, which could require us to modify or limit our activities in the relevant state or states. The failure to satisfy those and other regulatory requirements could result in a default under our warehouse facilities, other financial arrangements and/or servicing agreements and thereby have a material adverse effect on our business, financial condition and results of operations.
Our compliance and risk management policies and procedures as a bank, bank holding company and otherwise regulated financial services company may not be fully effective in identifying or mitigating compliance and risk exposure in all market environments or against all types of risk.
As a bank, a bank holding company and a financial services company operating in the banking and securities industry, among others, our business exposes us to a number of heightened risks. We have devoted significant resources to developing our compliance and risk management policies and procedures and will continue to do so, but there can be no assurance these are sufficient, especially as our business is rapidly growing and evolving. Nonetheless, our limited operating history in many of the products we offer, our evolving business and our rapid growth make it difficult to predict all of the risks and challenges we may encounter and may increase the risk that our policies and procedures that serve to identify, monitor and manage compliance risks may not be fully effective in mitigating our exposure in all market environments or against all types of risk. Further, some controls are manual and are subject to inherent limitations and errors in oversight. This could cause our compliance and other risk management strategies to be ineffective. Other compliance and risk management methods depend upon the evaluation of information regarding markets, customers, catastrophic occurrences or other matters that are publicly available or otherwise accessible to us, which may not always be accurate, complete, up-to-date or properly evaluated. Insurance and other traditional risk-shifting tools may be held by or available to us in order to manage certain exposures, but they are subject to terms such as deductibles, coinsurance, limits and policy exclusions, as well as risk of counterparty denial of coverage, default or insolvency. Any failure to maintain effective compliance and other risk management strategies could have an adverse effect on our business, financial condition and results of operations.
We are also exposed to heightened regulatory risk because our business is subject to extensive regulation and oversight in a variety of areas, and such regulations are subject to evolving interpretations and application and it can be difficult to predict how they may be applied to our business, particularly as we introduce new products and services and expand into new jurisdictions. Additionally, the regulatory landscape involving digital assets is constantly evolving. Although we have exited our digital assets business, the Company, including SoFi Digital Assets, LLC, may still be subject to regulatory scrutiny related to our prior business practices.
Also, due to market volatility, it is difficult to predict how much capital we will need in the future to meet net capital requirements. Any perceived or actual breach of laws and regulations could negatively impact our business, financial condition or results of operations. It is possible that these laws and regulations could be interpreted or applied in a manner that would prohibit, alter or impair our existing or planned products and services.
58
SoFi Technologies, Inc.
Regulatory scrutiny of banking as a service, or BaaS, solutions has increased and may require us to devote significant resources to enhancing our Technology Platform policies, procedures, operations, controls and products, and the failure to satisfy such increased scrutiny may cause regulators to take action against us or our BaaS partners, or result in a loss of one or more of our BaaS partners.
Our Technology Platform facilitates the provision of BaaS products and services to third parties through various card, deposit, payment, transfer, credit and lending solutions that allow financial technology companies or other third parties to, among other things, connect to sponsor banks' systems directly via application programming interfaces and cloud infrastructure so they can build banking offerings on top of the sponsor banks' regulated infrastructure. In addition, our Technology Platform offers an end-to-end core banking platform solution with integrated payment processing. Furthermore, in connection with our Technology Platform's BaaS solutions, we sometimes offer certain program management, data, analytics, compliance and risk management functions. The third parties that use these BaaS solutions include a variety of financial entities, including banks, fintech companies and other financial intermediaries. SoFi Bank is one of the sponsor banks that utilizes our BaaS products and services and may continue to do so in the future.
Federal bank regulators have increasingly focused on the risks related to BaaS solutions, including risk management, oversight, internal controls, information security, change management and information technology operational resilience, as well as potential systemic risk posed by BaaS solutions to the larger banking industry. Recently, regulators have even brought enforcement actions against financial entities that have allegedly not adequately addressed these concerns while growing their BaaS offerings. Regulators have specifically required these financial entities to enhance oversight of third-party fintech partnerships, improve control frameworks related to anti-money laundering and Bank Secrecy Act compliance, and adopt, implement and adhere to revised and expanded risk-based policies, procedures and processes. If we or any of the fintech clients or sponsor bank partners supported by our Technology Platform were to face regulatory actions that limit the growth of our or their fintech business, or if we were forced to stop growing our Technology Platform, or if any of our fintech clients or sponsor banks were to limit or cease their participation in BaaS solutions, this could have a negative impact on our revenue and results of operation for the Technology Platform segment.
Furthermore, regulatory scrutiny of BaaS solutions extends directly to middleware providers, such as our Technology Platform, which, in certain circumstances, bear accountability for their partners' compliance and risk management, including with respect to penalties, fines, and other measures that bank regulatory agencies take in the event of non-compliant activity or risks that are not well controlled. This is particularly true when the BaaS solution includes program management, and compliance and risk management controls, including managing anti-money laundering and fraud risks. In addition, as our fintech and sponsor bank partners face increased regulatory scrutiny, their scrutiny of our services will likely increase and our inability to satisfactorily respond to partner demands could result in those partners moving to different solutions. Assessing and managing risk for our Technology Platform clients in the face of regulatory and client scrutiny has in the past and will continue to require us to devote significant resources to enhancing relevant policies, procedures, operations and products. Finally, as a subsidiary of a bank holding company, any failure of our Technology Platform's BaaS solutions to withstand regulatory scrutiny could reflect badly on our relationship with our regulators and on our overall reputation.
While we believe we are a leader in managing, monitoring and overseeing BaaS relationships with third parties and corresponding technologies, if we are not successful in continuing to enhance our controls for assessing and managing the third-party, anti-money laundering, fraud and information technology risks stemming from certain of our fintech and sponsor bank partnerships, we could be subject to additional regulatory scrutiny with respect to that portion of our business which could subject us to regulatory fines or other penalties, or business or reputational harm, and could adversely affect our financial condition and results of operations.
We may become subject to enforcement actions or litigation as a result of our failure to comply with laws and regulations, even though noncompliance was inadvertent or unintentional.
We maintain systems and procedures designed to ensure that we comply with applicable laws and regulations; however, some legal/regulatory frameworks provide for the imposition of fines or penalties for noncompliance even though the noncompliance was inadvertent or unintentional and even though there were systems and procedures designed to ensure compliance in place at the time.
For example, we engage in outbound telephone and text communications with consumers, and accordingly must comply with a number of federal and state statutes and regulations that regulate certain such communications, including the TCPA and Telemarketing Sales Rules. The U.S. Federal Communications Commission (the "FCC"), and the FTC have responsibility for regulating various aspects of some of these federal laws. Among other requirements, the TCPA requires us to obtain prior express written consent for certain telemarketing calls and to adhere to "do-not-call" registry requirements which, in part, mandate we maintain and regularly update lists of consumers who have chosen not to be called and restrict certain calls
59
SoFi Technologies, Inc.
to consumers who are on the national do-not-call list. Further, in late 2023 and early 2024, the FCC introduced various new TCPA requirements relating to, among other things, lead generation, prior express written consent to marketing calls made with certain telephony technology and processing opt-outs and do not call requests. These new requirements went into effect in January 2025. In addition to federal laws, many states also have mini-TCPA and other similar consumer protection laws regulating certain telemarketing directed to their residents. Collectively, these federal and state laws limit our ability to communicate with consumers through calls and text messages and reduce the effectiveness of our marketing programs. As currently construed, the TCPA and several state mini-TCPA laws do not distinguish between voice and data, and, as such, SMS/MMS messages are also "calls" for the purpose of these laws.
For violations of the TCPA, the law provides for a private right of action under which a plaintiff may recover monetary statutory damages of $500 for each call or text made in violation of the statute. A court may treble the $500 amount upon a finding of a willful or knowing violation. There is no statutory cap on maximum aggregate exposure for TCPA violations (although some courts have applied in TCPA class actions constitutional limits on excessive penalties). Like the TCPA, several mini-TCPA and other similar state laws also provide for a private right of action under which a plaintiff may recover statutory damages of $500 or more for each violative call or text and enhanced statutory if the violation is knowing or willful. An action may be brought by the FCC, a state attorney general, an individual, or a class of individuals. Like other companies that rely on telephone and text communications, we may be subject to putative class action suits alleging violations of the TCPA, and state mini-TCPA and other similar state laws. If in the future we are found to have violated any federal or state law regulating telemarketing, the amount of damages and potential liability could be extensive and adversely impact our business.
In addition, we use credit reports in our credit decisioning processes and, accordingly, must comply with FCRA which requires a permissible purpose to obtain a consumer credit report and requires persons that furnish loan payment information to credit bureaus to report such information accurately. We are also required to perform a reasonable investigation in the event we receive indirect disputes from the credit bureaus about the accuracy of our credit reporting for a particular consumer and to update any inaccurate information we discover. Although we have policies and procedures in place to comply with FCRA, we are subject to lawsuits alleging that we failed under FCRA to adequately investigate indirect disputes over credit reporting which we receive from one or more credit bureaus. We have experienced an increase in such FCRA claims since our business has grown and even if we are ultimately successful in defending against such suits, they could involve substantial time and expense to analyze and respond to, could divert management's attention and other resources from running our business, and could lead to settlements, judgments, fines, penalties or injunctive relief.
Changes in applicable laws and regulations, as well as changes in government enforcement policies and priorities, may negatively impact the management of our business, results of operations, ability to offer certain products or the terms and conditions upon which they are offered, and ability to compete.
Financial services regulation is constantly changing, and new laws or regulations, or new interpretations of existing laws or regulations, could have a materially adverse impact on our ability to operate as currently intended, and cause us to incur significant expense in order to ensure compliance. Federal and state financial services regulators are also enforcing existing laws, regulations, and rules aggressively and enhancing their supervisory expectations regarding the management of legal and regulatory compliance risks. These regulatory changes and uncertainties make our business planning more difficult and could result in changes to our business model and potentially adversely impact our results of operations. Furthermore, to the extent applicable, these laws can impose specific statutory liabilities upon creditors who fail to comply with their provisions and may affect the enforceability of a loan.
Proposals to change the statutes affecting financial services companies are frequently introduced in Congress and state legislatures that, if enacted, may affect their operating environment in substantial and unpredictable ways. In addition, numerous federal and state regulators and SROs have the authority to promulgate or change regulations that could have a similar effect on our operating environment. We cannot determine with any degree of certainty whether any such legislative or regulatory proposals will be enacted and, if enacted, the ultimate impact that any such potential legislation or implementing regulations, or any such potential regulatory actions by federal or state regulators, would have upon our business.
New laws, regulations, policy or changes in enforcement of existing laws or regulations applicable to our business, or reexamination of current practices, could adversely impact our profitability, limit our ability to continue existing or pursue new business activities, require us to change certain of our business practices, affect retention of key personnel, or expose us to additional costs (including increased compliance costs and/or customer remediation). These changes have in the past and may in the future require us to invest significant resources, and devote significant management attention, to make any necessary changes and could adversely affect our business. For example, the SEC proposed Regulation Best Execution, along with other proposals related to equity market structure, in December 2022. If adopted as proposed, Regulation Best Execution and other proposals would substantially alter existing order routing, execution incentives and business practices. In March 2023, the SEC
60
SoFi Technologies, Inc.
proposed multiple rules related to privacy and cybersecurity. The SEC's proposed Rule 10 relating to cybersecurity for market entities (including broker-dealers) would impose additional requirements related to incident reporting, the establishment and periodic review of policies and procedures designed to address cybersecurity risks, and disclosure about cybersecurity risks and significant incidents. On October 13, 2023, the SEC adopted rules relating to providing additional disclosures in the securities lending market. These rules require any covered person that loans a reportable security on behalf of itself or another person to report certain material terms of those loans and related information to FINRA by the end of the day on which the loan is effected. FINRA in turn will make certain information it receives publicly available by the next business day. These regulations could make securities lending more costly, leading to less overall lending activity and a decrease in revenue. On February 22, 2024, the SEC adopted amendments to Rule 605 under Exchange Act that requires disclosures for order executions in national market system ("NMS") stocks. The amendments modify the type of information required to be disclosed under Rule 605 and expand the scope of reporting entities subject to Rule 605 to include broker-dealers who introduce or carry 100,000 or more customer accounts. Complying with Rule 605 is a new requirement for us. In addition, the Rule itself has been modified to include new definitions, new and modified categories of order types, and new statistical measures of execution quality and other metrics. In May 2024, the SEC adopted amendments to Regulation S-P ("Reg S-P"). The finalized amendments to Reg S-P are designed to address the expanded use of technology and corresponding risks that have emerged since Reg S-P's original adoption and modernize and improve the protection of consumer financial information by certain financial institutions, also known as "covered institutions" (including broker-dealers and investment advisers). As adopted, amended Reg S-P (i) requires covered institutions to develop, implement, and maintain written policies and procedures for an incident response program that is reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information; (ii) requires that the response program include procedures for covered institutions to provide timely notification to affected individuals whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization; and (iii) broadens the scope of information covered by Regulation S-P's requirements. On September 18, 2024, the SEC adopted rules that would (i) amend Rule 612 of Regulation NMS to establish a new minimum pricing increment, also known as a tick size, of $0.005 for the quoting of certain NMS stocks; (ii) reduce the access fee caps applicable to stock exchanges under Rule 610 of Regulation NMS (from $0.003 per share (i.e., 30 mils) to $0.001 per share (i.e., 10 mils) and require national securities exchanges to make the amounts of all fees and rebates determinable at the time of execution; and (iii) accelerate the implementation of the round lot and odd-lot information definitions adopted in 2020 under the Market Data Infrastructure Rules ("MDI Rules") and add information about the best odd-lot order to the definition of odd-lot information. On December 20, 2024, the SEC adopted changes to SEC Rule 15c3-3 and 15c3-1 that modify how broker-dealers protect customer assets and calculate their minimum required "net capital." These changes, particularly the amendments to Rule 612 and 610 of Regulation NMS, will likely affect the economics for orders executed on national stock exchanges and as a result may impact order routing and order execution decisions by market participants, including third parties on which we rely, like clearing brokers. See "Business, Financial and Operational Risks - We rely on third parties to perform certain key functions, and their failure to perform those functions could adversely affect our business, financial condition and results of operations". Compliance with this rule may impose additional cost on our business. In addition, SoFi Securities' ability to generate revenue may be impacted as a result of the changes in stock exchange fee caps and the resulting potential changes in order routing and execution decisions. The ultimate effect of these potential changes is uncertain and may impact how SoFi Securities manages and evaluates its compliance with other obligations, such as its obligation to achieve best execution for customer orders.
See also "Lawmakers, regulators and other public officials have signaled an increased focus on new or additional laws or regulations that could impact our broker-dealer business and require us to make significant changes to our business model and practices and could result in significant costs to our business or loss of current revenue streams". Compliance with each of these rules, when applicable and if required, would impose additional costs on our business. To the extent such proposals affect the equity market structure more broadly, our ability to generate revenue may be impaired. There is also the risk that, despite our best efforts, the SEC or FINRA does not view our compliance measures as sufficient. This risk is substantially elevated where regulators adopt a substantial number of new rules in a short time frame. In addition, non-compliance with any adopted requirements would likely result in enforcement action by the SEC or FINRA.
Extensive regulation and supervision have a negative impact on our ability to compete in a cost-effective manner and may subject us to material compliance costs and penalties.
The Company, primarily through its subsidiary SoFi Bank and certain non-bank subsidiaries, is subject to extensive federal and state regulation and supervision. Banking regulations are primarily intended to protect depositors' funds, federal deposit insurance funds and the banking system as a whole. Many laws and regulations affect our lending practices, capital structure, investment practices, dividend policy and growth, among other things. They encourage us to ensure a satisfactory level of lending in defined areas and establish and maintain comprehensive programs relating to anti-money laundering and customer identification. Congress, state legislatures, and federal and state regulatory agencies continually review banking laws, regulations and policies for possible changes. Changes to statutes, regulations or regulatory policies, including changes in interpretation or implementation of statutes, regulations or policies, could affect us in substantial and unpredictable ways. Such
61
SoFi Technologies, Inc.
changes could subject us to additional costs, limit the types of financial services and products it may offer and/or increase the ability of non-banks to offer competing financial services and products, among other things. Failure to comply with laws, regulations or policies could result in sanctions by regulatory agencies, civil money penalties and/or reputation damage, which could have a material adverse effect on our business, financial condition and results of operations.
We are subject to the risk that regulatory or enforcement agencies and/or consumer advocacy groups may assert that our business practices may violate certain rules, laws and regulations, including anti-discrimination statutes.
Anti-discrimination statutes, such as the FHA and the ECOA and state law equivalents, prohibit creditors from discriminating against loan applicants and borrowers based on certain characteristics, such as race, religion and national origin. Various federal regulatory and enforcement departments and agencies, including the Department of Justice and CFPB, take the position that these laws apply not only to intentional discrimination, but also to facially neutral practices that have a disparate impact on a group that shares a characteristic that a creditor may not consider in making credit decisions. State and federal regulators, as well as consumer advocacy groups and plaintiffs' attorneys, are focusing greater attention on "disparate impact" claims. Similarly, these regulatory agencies and litigants could take the position that the geographical footprint within which we conduct lending activity or the manner in which we advertise loans, disproportionately excludes potential borrowers belonging to a protected class, and constitutes unlawful "redlining". Although we utilize an automated underwriting process to originate loans, we frequently adjust pricing strategies which increases our risk of inadvertently violating the FHA and the ECOA. These regulatory agencies could also take the position that the underwriting or credit models or algorithms we use produce disparate outcomes or do not produce sufficient information about a credit decision to satisfy applicant notification requirements under ECOA. In addition to reputational harm, violations of the FHA and the ECOA can result in actual damages, punitive damages, injunctive or equitable relief, attorneys' fees and civil money penalties.
Our investment adviser and broker-dealer subsidiaries are subject to regulation by the SEC and FINRA.
We offer investment management services through SoFi Wealth which sponsors private investment funds that invest in asset-backed securitizations. SoFi Wealth (the "Investment Adviser") is registered as an investment adviser under the Investment Advisers Act of 1940, as amended (the "Advisers Act"), which does not imply any level of skill or training, and is subject to regulation by the SEC. SoFi Securities is an affiliated SEC-registered broker-dealer and FINRA member. We offer cash management accounts, which are brokerage products, through SoFi Securities.
The Investment Adviser operates in a highly regulated environment and is subject to, among other things, the anti-fraud provisions of the Advisers Act and to fiduciary duties derived from these provisions that apply to its relationships with our members who are its advisory clients, as well as the funds managed by the Investment Adviser. These provisions and duties also impose certain restrictions and obligations on us with respect to our dealings with our members, fund investors and our investments, including for example restrictions on transactions with our affiliates. Our Investment Adviser is also subject to other requirements under the Advisers Act and related regulations. These additional requirements relate to matters including, among others, maintaining an effective and comprehensive compliance programs and record-keeping and reporting and disclosure requirements. In recent years, the SEC proposed and, in some cases, adopted amendments to the Advisers Act rules, which present a number of additional significant and burdensome compliance challenges for registered investment advisers. In addition, our Investment Adviser has been in the past, and will be in the future, subject to SEC examination. Moreover, the Advisers Act generally grants the SEC broad administrative powers, including the power to limit or restrict an investment adviser from conducting advisory activities in the event it fails to comply with federal securities laws. The Investment Adviser is also subject to applicable state securities laws. Additional sanctions that may be imposed for failure to comply with applicable requirements include prohibitions of individuals from associating with an investment adviser, the revocation of registration and other censures and fines. Even if an investigation or proceeding did not result in a sanction or the sanction imposed against us or our personnel by a regulator was small in monetary amount, the adverse publicity relating to the investigation, proceeding or imposition of these sanctions could harm our reputation and cause us to lose existing members or fail to gain new members. See Part I, Item 3. "Legal Proceedings".
Our subsidiary, SoFi Securities, is an affiliated SEC-registered broker-dealer and FINRA member. The securities industry is highly regulated, including under federal, state and other applicable laws, rules and regulations, and we may be adversely affected by regulatory changes related to suitability of financial products, supervision, sales practices, advertising, application of fiduciary standards, best execution and market structure, any of which could limit our business and damage our reputation. FINRA has adopted extensive regulatory requirements relating to sales practices, advertising, registration of personnel, compliance and supervision, and compensation and disclosure, to which SoFi Securities and its personnel are subject. FINRA and the SEC also have the authority to conduct examinations of SoFi Securities and may also conduct administrative proceedings. Additionally, material expansions of the business in which SoFi Securities engages are subject to approval by FINRA. This could delay, or even prevent, the firm's ability to expand its securities and brokerage offerings in the
62
SoFi Technologies, Inc.
future. Furthermore, SoFi Securities is subject to increased governance in its role as an affiliate of a national bank under guidance from the OCC regarding RNDIPs. OCC guidance, which was further updated in June 2024, requires that banks implement effective oversight and monitoring of relevant RNDIP arrangements to ensure that, among other things, sales transactions and recommendations to retail investors comply with SEC regulations. Such oversight and monitoring may increase costs for SoFi Securities and SoFi Bank and could have a material adverse effect on our business, financial condition and results of operations, and any failure by SoFi Bank to effectively oversee and monitor such arrangements could result in harm to members and financial and reputational harm to us.
From time to time, SoFi Securities and the Investment Adviser may be threatened with or named as a defendant in lawsuits, arbitrations and administrative claims. As previously noted, these entities are also subject to regulatory examinations and inspections by regulators (including the SEC and FINRA, as applicable). Compliance and trading problems or other deficiencies or weaknesses that are reported to regulators, such as the SEC and FINRA, by dissatisfied members or others, or that are identified by regulators themselves are investigated by such regulators, and may, if pursued, result in formal claims being filed against SoFi Securities and the Investment Adviser by members or disciplinary action being taken by regulators against us or our personnel. Our failure to comply with applicable laws or regulations or our own policies and procedures could result in fines, litigation, suspensions of personnel or other sanctions, which could have a material effect on our overall financial results. For example, in December 2023, FINRA found that SoFi Securities failed to establish, maintain, and enforce a supervisory system reasonably designed to supervise its fully paid securities lending offerings. Even if a sanction imposed against us or our personnel is small in monetary amount, the adverse publicity arising from the imposition of sanctions against us by regulators could harm our reputation and our brand and lead to material legal, regulatory and financial exposure (including fines and other penalties), cause us to lose existing members or fail to gain new members. In addition, in the normal course of business, SoFi Securities and the Investment Adviser discuss matters raised by its regulators during regulatory examinations or otherwise upon their inquiry. These matters could also result in censures, fines, penalties or other sanctions.
In addition to the broker-dealer proposals described above under "Changes in applicable laws and regulations, as well as changes in government enforcement policies and priorities, may negatively impact the management of our business, results of operations, ability to offer certain products or the terms and conditions upon which they are offered, and ability to compete", a substantial number of proposed rules for investment advisers were introduced in 2023 and 2024 and may be adopted or re-proposed this year. These proposals cover material regulatory topics, including: (i) environmental, social, and governance issues for investment advisers and funds; (ii) outsourcing by investment advisers; (iii) safeguarding and custody of client assets; and (iv) expansion of the scope of activities and relationships that make a person an investment advice fiduciary under Section 3(21) of the Employee Retirement Income Security Act of 1974 and Section 4975 of the Internal Revenue Code. If enacted, compliance with each of these proposed rules would impose additional costs on our business. There is also the risk that, despite our best efforts, the SEC does not view our compliance measures as sufficient. This risk is substantially elevated where regulators adopt a substantial number of new rules in a short time frame.
We transferred our digital assets-related trading services to comply with regulations governing bank holding companies; this transfer could adversely impact our member relationships and our reputation.
Until early 2024, we offered virtual currency and digital asset-related trading services through SoFi Digital Assets, LLC, a subsidiary licensed and registered with various governmental authorities as a MSB, money transmitter, virtual currency business or the equivalent. In connection with our approval as a bank holding company in February 2022, the Federal Reserve determined that SoFi Digital Assets, LLC was engaged in certain digital asset-related activities that the Federal Reserve has not found to be permissible for a bank holding company under the Bank Holding Company Act and Regulation Y. Section 4(a)(2) of the Bank Holding Company Act permitted us to continue our digital assets related offering for a two-year conformance period from the date we became a bank holding company. In compliance with the requirement that we conform our activities to those permissible for a bank holding company, by the end of January 2024, we ceased offering digital-asset related trading services in all states. We provided a majority of our members with the option to either close their digital asset account or migrate their digital assets accounts to Blockchain.com. All transaction fees from any sales from digital assets accounts were reimbursed. As part of our transfer of our digital asset-related activities we entered into a referral arrangement with Blockchain.com, and we have and may continue to enter into additional referral arrangements with other companies that can provide digital-asset related trading services to our members. Although we do not expect the transfer of our digital asset-related activities or entry into the referral arrangements to have a material adverse impact on our business, results of operation or financial results, we cannot guarantee that our members will not experience a negative impact with respect to their digital asset positions. Furthermore, there is no guarantee we will not face member dissatisfaction or litigation, or harm to our reputation, or adverse regulatory consequences, from such transfer of digital assets-related trading services.
Furthermore, if our prior digital asset-related trading services are the subject of regulatory scrutiny or enforcement actions, it could have a material adverse effect on our business, results of operations and reputation. There has been a significant
63
SoFi Technologies, Inc.
amount of guidance, reports, and public statements issued by federal and state financial regulators regarding the legal permissibility of, and supervisory considerations relating to, financial institutions engaging in digital assets-related activities. Many U.S. regulators, including the SEC, FinCEN, the CFTC, the IRS, and state regulators including the New York State Department of Financial Services, have made official pronouncements, pursued cases against businesses in the digital assets space or issued guidance or rules regarding the treatment of Bitcoin and other digital currencies. Both federal and state agencies have instituted enforcement actions against those violating their interpretation of existing laws. Other U.S. and many state agencies have offered little or incomplete official guidance regarding the treatment of digital assets. If the SEC, CFTC or another federal or state regulator alleges that any assets we offered were securities or derivatives, or that we have violated any other federal or state securities or commodities law or regulation, we could face potential liability, including an enforcement action or private class action lawsuits, and face the costs of defending ourselves in the action, including potential fines, penalties, reputation harm, and potential loss of revenue. See "We may become subject to enforcement actions or litigation as a result of our failure to comply with laws and regulations, even though noncompliance was inadvertent or unintentional".
Failure to comply with anti-money laundering, economic and trade sanctions regulations, and similar laws could subject us to penalties and other adverse consequences.
Various laws and regulations in the U.S. and abroad, such as the BSA, the Dodd-Frank Act, the USA PATRIOT Act, and the Credit Card Accountability Responsibility and Disclosure Act, impose certain anti-money laundering requirements on companies that are financial institutions or that provide financial products and services. Under these laws and regulations, financial institutions are broadly defined to include banks and MSBs such as money transmitters. In 2013, FinCEN issued guidance regarding the applicability of the BSA to administrators and exchangers of convertible virtual currency, clarifying that they are MSBs, and more specifically, money transmitters. The BSA requires banks and MSBs to develop and implement risk-based anti-money laundering programs, report large cash transactions and suspicious activity, and maintain transaction records, among other requirements. State regulators may impose similar requirements on licensed money transmitters. In addition, our contracts with financial institution partners and other third parties may contractually require us to maintain an anti-money laundering program. SoFi Bank is subject to the regulatory and supervisory jurisdiction of the OCC with respect to the BSA and its implementing regulations applicable to banks. Our subsidiary, SoFi Digital Assets, LLC, remains registered with FinCEN as an MSB. Registration as an MSB subjects us to the regulatory and supervisory jurisdiction of FinCEN and the IRS, the anti-money laundering provisions of the BSA and its implementing regulations applicable to MSBs. Although we have exited our digital assets business, the Company, including SoFi Digital Assets, LLC, may still be subject to regulatory scrutiny related to our prior business practices.
We are also subject to economic and trade sanctions programs administered by OFAC, which prohibit or restrict transactions to or from or dealings with specified countries, their governments, and in certain circumstances, their nationals, and with individuals and entities that are specially-designated nationals of those countries, narcotics traffickers, terrorists or terrorist organizations, and other sanctioned persons and entities.
Our failure to comply with anti-money laundering, economic and trade sanctions regulations, and similar laws could subject us to substantial civil and criminal penalties, or result in the loss or restriction of our national bank charter, MSB or broker-dealer registrations and state licenses, or liability under our contracts with third parties, which may significantly affect our ability to conduct some aspects of our business. Changes in this regulatory environment, including changing interpretations and the implementation of new or varying regulatory requirements by the government, may significantly affect or change the manner in which we currently conduct some aspects of our business.
We are subject to anti-corruption, anti-bribery and similar laws, and noncompliance with such laws can subject us to significant adverse consequences, including criminal or civil liability, and harm our business.
We are subject to the Foreign Corrupt Practices Act, U.S. domestic bribery laws and other U.S. and foreign anti-corruption laws. Anti-corruption and anti-bribery laws have been enforced aggressively in recent years and are interpreted broadly to generally prohibit companies, their employees and their third-party intermediaries from authorizing, offering or providing, directly or indirectly, improper payments or benefits to recipients in the public sector. These laws also require that we keep accurate books and records and maintain internal controls and compliance procedures designed to prevent any such actions. Although our operations are currently concentrated in the U.S., as we increase our international cross-border business and expand operations abroad, we have engaged and may further engage with business partners and third-party intermediaries to market our services and to obtain necessary permits, licenses and other regulatory approvals. In addition, we or our third-party intermediaries may have direct or indirect interactions with officials and employees of government agencies or state-owned or affiliated entities. We can be held liable for the corrupt or other illegal activities of these third-party intermediaries, our employees, representatives, contractors, partners, and agents, even if we do not explicitly authorize such activities. The
64
SoFi Technologies, Inc.
failure to comply with any such laws could subject us to criminal or civil liability, cause us significant reputational harm and have an adverse effect on our business, financial condition and results of operations.
We conduct our business operations through subsidiaries and may in the future rely on dividends from our subsidiaries for a substantial amount of our cash flows.
We may in the future depend on dividends, distributions and other payments from our subsidiaries to fund payments on our obligations, including any debt obligations we may incur. Regulatory and other legal restrictions may limit our ability to transfer funds to or from certain subsidiaries, including SoFi Securities and SoFi Bank. In addition, certain of our subsidiaries are subject to laws and regulations that authorize regulatory bodies to block or reduce the flow of funds to us, or that prohibit such transfers altogether in certain circumstances. These laws and regulations may hinder our ability to access funds that we may need to make payments on our obligations, including any debt obligations we may incur and otherwise conduct our business by, among other things, reducing our liquidity in the form of corporate cash. In addition to negatively affecting our business, a significant decrease in our liquidity could also reduce investor confidence in us. Certain rules and regulations of the SEC and FINRA may limit the extent to which our broker-dealer subsidiaries may distribute capital to us. For example, under FINRA rules applicable to SoFi Securities, a dividend in excess of 10% of a member firm's excess net capital may not be paid without FINRA's prior written approval. In addition, the OCC has the authority to use its enforcement powers to prohibit a bank from paying dividends if, in its opinion, the payment of dividends would constitute an unsafe or unsound practice. Federal law also prohibits the payment of dividends by a bank that will result in the bank failing to meet its applicable capital requirements on a pro forma basis. In addition, under the National Bank Act, SoFi Bank generally may, without prior approval of the OCC, declare a dividend but only so long as the total amount of all dividends (common and preferred), including the proposed dividend, in the current year do not exceed net income for the current year to date plus retained net income for the prior two years. Compliance with these rules may impede our ability to receive dividends, distributions and other payments from SoFi Securities and SoFi Bank.
We have in the past, continue to be, and may in the future be subject to inquiries, exams, pending investigations, or enforcement matters.
The financial services industry is subject to extensive regulation and oversight under federal, state, and applicable international laws. From time to time, in the normal course of business, we have received and may receive or be subject to inquiries or investigations by state and federal regulatory or enforcement agencies and bodies, such as the CFPB, SEC, the Federal Reserve, the OCC, the FDIC, the FHFA, the VA, the state attorneys general, state financial regulatory agencies, other state or federal agencies and SROs like FINRA. We also have in the past and may in the future receive inquiries from state regulatory agencies regarding requirements to obtain licenses from or register with those states, including in states where we have previously determined that we are not required to obtain such a license or be registered with the state. In addition, we have been threatened with or named as a defendant in lawsuits, arbitrations and administrative claims involving securities, consumer financial services and other matters. We are also subject to periodic regulatory examinations and inspections. Compliance and trading problems or other deficiencies or weaknesses that are reported to regulators, such as the OCC, SEC, FINRA, the CFPB or state regulators, by dissatisfied customers or others, or that are identified by regulators themselves, are investigated by such regulators, and may, if pursued, result in formal claims being filed against us by customers or disciplinary action being taken against us or our employees by regulators or enforcement agencies. In addition, we could be required to disclose such federal, state, or local government actions or court orders to the CFPB's registry of corporate offenders that have broken consumer laws, which could be time-consuming and costly, increase our legal and compliance costs, increase demand on our systems and resources, and adversely impact our reputation. To resolve issues raised in examinations or other governmental actions, we may be required to take various corrective actions, including changing certain business practices, making refunds or taking other actions that could be financially or competitively detrimental to us.
Any such inquiries, investigations, lawsuits, arbitrations, administrative claims or other inquiries have in the past and could in the future involve substantial time and expense to analyze and respond to, divert management's attention and other resources from running our business, and lead to fines, penalties, injunctive relief, and the need to obtain additional licenses that we do not currently possess. Our involvement in any such matters, whether tangential or otherwise and even if the matters are ultimately determined in our favor, could also cause significant harm to our reputation, lead to additional investigations and enforcement actions from other agencies or litigants, and further divert management attention and resources from the operation of our business. As a result, the outcome of legal and regulatory actions arising out of any state or federal inquiries we receive could have a material adverse effect on our business, financial condition or results of operations.
65
SoFi Technologies, Inc.
Lawmakers, regulators and other public officials have signaled an increased focus on new or additional laws or regulations that could impact our broker-dealer business and require us to make significant changes to our business model and practices and could result in significant costs to our business or loss of current revenue streams.
Various lawmakers, regulators and other public officials have made statements about business practices in which we and other broker-dealers engage, including SoFi Securities, and signaled potential new or additional laws or regulations that, if acted upon, could impact our business. For example, a focus by regulators and lawmakers on PFOF, exchange rebates, and related conflicts of interest have resulted in new proposed rules. Additionally, the SEC has proposed new requirements regarding best execution (Regulation Best Execution), PFOF and a rule to prohibit volume-based transaction pricing in connection with the execution of agency-related orders in national market system stock. The SEC also issued an order in September 2023 directing the equity exchanges and FINRA to file a new national marketing system plan and the SEC is soliciting comments on the proposed national marketing system plan. This order and other proposals have the potential to substantially reshape U.S. equities markets in intended and unintended ways, and to substantially alter existing order routing, execution incentives and business practices.
To the extent that the SEC, FINRA or other regulatory authorities or legislative bodies adopt additional regulations or legislation in respect of any of these areas or relating to any other aspect of our business, we could face a heightened risk of potential regulatory violations and could be required to make significant changes to our business model and practices, which changes may not be successful. Any of these outcomes could have an adverse effect on our business, financial condition and results of operations. Additionally, any negative publicity surrounding PFOF practices generally, or our implementation of this practice, could harm our brand and reputation. For more information about the potential impact of legal and regulatory changes, see "We may become subject to enforcement actions or litigation as a result of our failure to comply with laws and regulations, even though noncompliance was inadvertent or unintentional".
Regulations relating to privacy, information security and data protection could increase our costs, affect or limit how we collect and use personal information, and adversely affect our business opportunities.
We are subject to various privacy, information security and data protection laws, including requirements concerning security breach notification, and we could be negatively impacted by them. For example, we are subject to the GLBA and implementing regulations and guidance. Among other things, the GLBA (i) imposes certain limitations on the ability to share consumers' nonpublic personal information with nonaffiliated third parties and (ii) requires certain disclosures to consumers about our practices for the collection, sharing and safeguarding of their information and their right to "opt out" of the institution's disclosure of their personal financial information to nonaffiliated third parties (with certain exceptions). The GLBA and other state laws also require that we implement and maintain certain security measures, policies and procedures to protect personal information.
Furthermore, legislators and/or regulators are increasingly adopting new and/or amending existing privacy, information security and data protection laws that potentially could have a significant impact on our current and planned privacy, data protection and information security-related practices; our policies and practices related to the collection, use, sharing, retention and safeguarding of consumer and/or employee information; and some of our current or planned business activities. New requirements, originating from new or amended laws, could also increase our costs of compliance and business operations and could reduce income from certain business initiatives. The CFPB, for example, finalized its Personal Financial Data Rights Rule, which could require us to build an application that allows our customers to obtain their personal financial information and for authorized third parties to obtain our customers' information. This could increase our compliance costs, volatility in our customer base, and the risk of fraudulent access to consumers' personal financial information.
Compliance with current or future privacy, information security and data protection laws (including those regarding security breach notification) affecting customer and/or employee data to which we are subject could result in higher compliance and technology costs and could restrict our ability to provide certain products and services (such as products or services that involve sharing information with third parties or storing sensitive credit card information), which could materially and adversely affect our profitability. A failure by us or a third-party contractor providing services to us to comply with applicable data privacy and security laws, regulations, self-regulatory requirements or industry guidelines, or our terms of use with our users, may result in sanctions, statutory or contractual damages or litigation (including class actions) and may subject us to reputational harm. Additionally, there is always a danger that regulators can attempt to assert authority over our business in the area of privacy, information security and data protection. Furthermore, if our vendors and/or service providers are or become subject to laws and regulations in the jurisdictions that have enacted more stringent and expansive legislation applicable to privacy, information and/or data protection, the costs that these vendors and service providers must incur in becoming compliant may be passed along to us, resulting in increasing costs on our business.
66
SoFi Technologies, Inc.
Concerns in our ability, perceived or otherwise, to protect the privacy and security of personal information may affect our ability to retain and engage new and existing members, clients, investors, and employees, and thereby affect our financial condition. Furthermore, failure to comply or perceived failure to comply with applicable privacy or data protection laws, rules, and regulations may subject us to examinations, investigations, and general heightened scrutiny that may cause us to modify or cease certain operations or practices, significant liabilities or regulatory fines, penalties or other sanctions. Any of these could damage our reputation and adversely affect our business, financial condition, and results of operations.
Privacy requirements, including notice and opt-out requirements, under the GLBA and FCRA are enforced by the FTC, the OCC and by the CFPB through UDAAP and are a standard component of OCC and CFPB compliance and examinations. State entities also may initiate actions for alleged violations of privacy or security requirements under state law. Our failure to comply with privacy, information security and data protection laws could result in potentially significant regulatory investigations and government actions, litigation, fines or sanctions, consumer or merchant actions and damage to our reputation and brand, all of which could have a material adverse effect on our business.
If we collect and process personal data relating to individuals in the EU or the United Kingdom (the "UK") as a result of either offering goods or services into the EU or UK, or monitoring the behavior of EU and UK individuals, we will be required to comply with stringent privacy and data protection laws. Within the EU, legislators have adopted the General Data Protection Regulation (the "EU GDPR"), which became effective in May 2018. The EU GDPR will impose additional obligations and risks upon our business when we collect and process personal data about individuals from the EU and UK, which may increase substantially the penalties to which we could be subject in the event of any noncompliance. For example, the EU GDPR imposes a broad range of strict requirements on companies subject to the EU GDPR, including requirements relating to having legal bases and conditions for processing personal data and transferring such personal data outside the European Economic Area ("EEA") or the UK, including to the U.S., providing details to those individuals regarding the processing of their personal data, keeping personal data secure, having data processing agreements with third parties who process personal data, responding to individuals' requests to exercise their rights in respect of their personal data, where required reporting security breaches involving personal data to the competent national data protection authority and affected individuals, where required, appointing data protection officers, where required conducting data protection impact assessments for high risk processing, and record-keeping. We may incur substantial expense in complying with obligations imposed by the EU GDPR and we may be required to make significant changes in our business operations, all of which may adversely affect our revenues and our business overall.
In addition, further to the UK's exit from the EU on January 31, 2020, the EU GDPR ceased to apply in the UK at the end of the transition period on December 31, 2020. However, as of January 1, 2021, the UK's European Union (Withdrawal) Act 2018 incorporated the GDPR (as it existed on December 31, 2020 but subject to certain UK specific amendments) into UK law, referred to as the "UK GDPR". The UK GDPR and the UK Data Protection Act 2018 set out the UK's data protection regime, which is independent from but aligned to the EU's data protection regime. Noncompliance with the UK GDPR may result in significant monetary penalties. Although the UK is regarded as a third country under the EU GDPR, the EC has issued a decision recognizing the UK as providing adequate protection under the EU GDPR and, therefore, transfers of personal data originating in the EU to the UK remain unrestricted. The UK Government introduced a Data Protection and Digital Information Bill which failed in the UK legislative process. A new Data (Use and Access) Bill ("UK Bill") has been introduced into parliament. If passed, the final version of the UK Bill may have the effect of further altering the similarities between the UK and EEA data protection regime and threaten the UK Adequacy Decision from the EC. Further, this may lead to additional compliance costs and could increase our overall risk. Like the EU GDPR, the UK GDPR restricts personal data transfers outside the UK to countries not regarded by the UK as providing adequate protection. The UK government has confirmed that personal data transfers from the UK to the EEA remain free flowing.
In addition, around the world many jurisdictions outside of Europe are also considering and/or have enacted comprehensive data protection legislation. For example, we are subject to stringent privacy and data protection requirements in Hong Kong. Also, many jurisdictions where we may seek to expand our business in the future are also considering and/or have enacted comprehensive data protection legislation. Additional jurisdictions with stringent data protection laws include Brazil and China.
The regulatory framework governing the collection, processing, storage, use and sharing of certain information, particularly financial and other personal information, is rapidly evolving and is likely to continue to be subject to uncertainty and varying interpretations. It is possible that these laws may be interpreted and applied in a manner that is inconsistent with laws in other jurisdictions or with our existing data management practices or the features of our services and platform capabilities. We therefore cannot yet fully determine the impact existing and/or future laws, rules, regulations and industry standards may have on our business or operations. Any failure or perceived failure by us, or any third parties with which we do business, to comply with our posted privacy policies, changing consumer expectations, evolving laws, rules and regulations,
67
SoFi Technologies, Inc.
industry standards, or contractual obligations to which we or such third parties are or may become subject, may result in actions or other claims against us by governmental entities or private actors, the expenditure of substantial costs, time and other resources or the imposition of significant fines, penalties or other liabilities. In addition, any such action, particularly to the extent we were found to be guilty of violations or otherwise liable for damages, would damage our reputation and adversely affect our business, financial condition and results of operations.
Any such laws, rules, regulations and industry standards may be inconsistent among different jurisdictions, subject to differing interpretations or may conflict with our current or future practices. Additionally, our customers may be subject to differing privacy laws, rules and legislation, which may mean that they require us to be bound by varying contractual requirements applicable to certain other jurisdictions. Adherence to such contractual requirements may impact our collection, use, processing, storage, sharing and disclosure of various types of information including financial information and other personal information, and may mean we become bound by, or voluntarily comply with, self-regulatory or other industry standards relating to these matters that may further change as laws, rules and regulations evolve. Complying with these requirements and changing our policies and practices may be onerous and costly, and we may not be able to respond quickly or effectively to regulatory, legislative and other developments. These changes may in turn impair our ability to offer our existing or planned features, products and services and/or increase our cost of doing business. As we expand our customer base, these requirements may vary from customer to customer, further increasing the cost of compliance and doing business.
We publicly post documentation regarding our practices concerning the collection, processing, use and disclosure of data. Although we endeavor to comply with our published policies and documentation, we may at times fail to do so or be alleged to have failed to do so. Any failure or perceived failure by us to comply with our privacy policies or any applicable privacy, security or data protection, information security or consumer-protection related laws, regulations, orders or industry standards could expose us to costly litigation, significant awards, fines or judgments, civil and/or criminal penalties or negative publicity, and could materially and adversely affect our business, financial condition and results of operations. The publication of our privacy policy and other documentation that provide promises and assurances about privacy and security can subject us to potential state and federal action if they are found to be deceptive, unfair, or misrepresentative of our actual practices, which could, individually or in the aggregate, materially and adversely affect our business, financial condition and results of operations.
It may be difficult and costly to protect our intellectual property rights, and we may not be able to ensure their protection.
Our ability to provide our products and services to our members and technology platform clients depends, in part, upon our proprietary technology. We may be unable to protect our proprietary technology effectively, which would allow competitors to duplicate our business processes and know-how, and adversely affect our ability to compete with them. A third party may attempt to reverse engineer or otherwise obtain and use our proprietary technology without our consent. The pursuit of a claim against a third party for infringement of our intellectual property could be costly, and there can be no guarantee that any such efforts would be successful.
In addition, our platform or those of third-party service providers that we utilize may infringe upon claims of third-party intellectual property, and we may face intellectual property challenges from such other parties. We may not be successful in defending against any such challenges or in obtaining licenses to avoid or resolve any intellectual property disputes, or in receiving amounts due to us under indemnification obligations from third-party service providers. The costs of defending any such claims or litigation could be significant and, if we are unsuccessful, could result in a requirement that we pay significant damages or licensing fees, which would negatively impact our financial performance. If we cannot protect our proprietary technology from intellectual property challenges, our ability to maintain our platform could be adversely affected.
Some aspects of our platform include open source software, and any failure to comply with the terms of one or more of these open source licenses could negatively affect our business.
We incorporate open source software into our proprietary platform and into other processes supporting our business. Such open source software may include software covered by licenses like the GNU General Public License and the Apache License or other open source licenses. The terms of various open source licenses have not been interpreted by U.S. courts, and there is a risk that such licenses could be construed in a manner that limits our use of the software, inhibits certain aspects of our platform and negatively affects our business operations.
Some open source licenses contain requirements that we make available source code for modifications or derivative works we create based upon the type of open source software we use. If portions of our proprietary platform are determined to be subject to an open source license, or if the license terms for the open source software that we incorporate change, we could be required to publicly release the affected portions of our source code, re-engineer all or a portion of our platform or change our business activities. In addition to risks related to license requirements, the use of open source software can lead to greater
68
SoFi Technologies, Inc.
risks than the use of third-party commercial software, as open source licensors generally do not provide warranties or controls on the origin of the software. Many of the risks associated with the use of open source software cannot be eliminated and could adversely affect our business.
Litigation, regulatory actions and compliance issues could subject us to significant fines, penalties, judgments, remediation costs, negative publicity, changes to our business model, and requirements resulting in increased expenses.
Our business is subject to increased risks of litigation and regulatory actions as a result of a number of factors and from various sources, including as a result of the highly regulated nature of the financial services industry and the focus of state and federal enforcement agencies on the financial services industry.
From time to time, we are also involved in, or the subject of, reviews, requests for information, investigations and proceedings (both formal and informal) by state and federal governmental agencies and SROs, regarding our business activities and our qualifications to conduct our business in certain jurisdictions, which has in the past and could in the future subject us to significant fines, penalties, obligations to change our business practices and other requirements resulting in increased expenses and diminished earnings. Our involvement in any such matter also has in the past and could in the future cause significant harm to our reputation and divert management attention from the operation of our business, even if the matters are ultimately determined in our favor. Moreover, any settlement, or any consent order or adverse judgment in connection with any formal or informal proceeding or investigation by a government agency, may prompt litigation or additional investigations or proceedings as other litigants or other government agencies begin independent reviews of the same activities. See "If we fail to comply with federal and state consumer protection laws, rules, regulations and guidance, our business could be adversely affected" for a discussion of the FTC Consent Order.
In addition, a number of participants in the financial services industry have been the subject of: putative class action lawsuits; state attorney general actions and other state regulatory actions; federal regulatory enforcement actions, including actions relating to alleged unfair, deceptive or abusive acts or practices; violations of state licensing and lending laws, including state usury laws; actions alleging discrimination on the basis of race, ethnicity, gender or other prohibited bases; and allegations of noncompliance with various state and federal laws and regulations relating to originating and servicing consumer finance loans. For example, we entered into a settlement agreement on April 18, 2022 related to a putative class action in which it was alleged that we engaged in unlawful lending discrimination through policies and practices by making applicants who are conditional permanent residents or DACA holders ineligible for loans or eligible only with a co-signer who is U.S. citizen or lawful permanent resident. We made an aggregate payment to the class and the class counsel in an immaterial amount. In addition, as a financial services company, errors in performing settlement functions, including clerical, technological and other errors related to the handling of funds and securities could lead to censures, fines or other sanctions imposed by applicable regulatory authorities as well as losses and liabilities in related lawsuits and proceedings brought by transaction counterparties and others.
The environment of increased regulatory compliance efforts and enhanced regulatory enforcement in the past few years has resulted in significant operational and compliance costs and may prevent us from providing certain products and services. There is no assurance that these regulatory matters or other factors will not, in the future, affect how we conduct our business and, in turn, have a material adverse effect on our business. In particular, legal proceedings brought under state consumer protection statutes or under several of the various federal consumer financial services statutes may result in a separate fine for each violation of the statute, which, particularly in the case of class action lawsuits, could result in damages substantially in excess of the amounts we earned from the underlying activities.
In addition, from time to time, through our operational and compliance controls, we identify compliance and other issues that require us to make operational changes and, depending on the nature of the issue, result in financial remediation to impacted members. These self-identified issues and voluntary remediation payments could be significant, depending on the issue and the number of members impacted, and also could generate litigation or regulatory investigations that subject us to additional risk. See Part I, Item 3. "Legal Proceedings".
Changes in tax law and differences in interpretation of tax laws and regulations may adversely impact our financial statements.
We operate in multiple jurisdictions and are subject to tax laws and regulations of the U.S. federal, state and local and non-U.S. governments. U.S. federal, state and local and non-U.S. tax laws and regulations are complex and subject to varying interpretations. U.S. federal, state and local and non-U.S. tax authorities may interpret tax laws and regulations differently than we do and challenge tax positions that we have taken. This may result in differences in the treatment of revenues, deductions, credits and/or differences in the timing of these items. The differences in treatment may result in payment of additional taxes, interest or penalties that could have an adverse effect on our financial condition and results of operations. Further, future
69
SoFi Technologies, Inc.
changes to U.S. federal, state and local and non-U.S. tax laws and regulations could increase our tax obligations in jurisdictions where we do business or require us to change the manner in which we conduct some aspects of our business. Proposals to reform U.S. and foreign tax laws could significantly impact how U.S. multinational corporations are taxed on foreign earnings and could increase the U.S. corporate tax rate. Several of the proposals currently being considered, if enacted, could have an adverse impact on our future effective tax rate, income tax expense, and cash flows. Further, the Organisation for Economic Co-operation and Development (the "OECD") has issued guidelines that change long-standing tax principles and certain countries have adopted OECD guidelines. These guidelines create tax uncertainty as countries amend their tax laws to adopt certain parts of the guidelines.
We will be adversely affected if we, or any of our subsidiaries, are determined to have been subject to registration as an investment company under the Investment Company Act.
We are currently not deemed to be an "investment company" subject to regulation under the Investment Company Act of 1940, as amended (the "Investment Company Act"). No opinion or no-action position has been requested of the SEC on our status as an Investment Company. There is no guarantee we will continue to be exempt from registration under the Investment Company Act and were we to be deemed to be an investment company under the Investment Company Act, and thus subject to regulation under the Investment Company Act, the increased reporting and operating requirements could have an adverse impact on our business, operating results, financial condition and prospects.
In addition, if the SEC or a court of competent jurisdiction were to find that we are in violation of the Investment Company Act for having failed to register as an investment company thereunder, possible consequences include, but are not limited to, the following: (i) the SEC could apply to a district court to enjoin the violation; (ii) we could be sued by investors in us and in our securities for damages caused by the violation; and (iii) any contract to which we are a party that is made in, or whose performance involves a, violation of the Investment Company Act would be unenforceable by any party to the contract unless a court were to find that under the circumstances enforcement would produce a more equitable result than nonenforcement and would not be inconsistent with the purposes of the Investment Company Act. Should we be subjected to any or all of the foregoing, our business would be materially and adversely affected.
Personnel and Business Continuity Risks
We rely on our management team and will require additional key personnel to grow our business, and the loss of key management members or key employees, or an inability to hire key personnel, could harm our business.
We believe our success has depended, and continues to depend, on the efforts and talents of our senior management, who have significant experience in the financial services and technology industries, are responsible for our core competencies and would be difficult to replace. Our future success depends on our continuing ability to attract, develop, motivate and retain highly qualified and skilled employees. Qualified individuals are usually in high demand even in an uncertain economy, and we may incur significant costs to attract and retain them. In addition, the loss of any of our senior management or key employees could materially adversely affect our ability to execute our business plan and strategy, and we may not be able to find adequate replacements on a timely basis, or at all, and our other employees may be required to take on additional responsibilities. Furthermore, many candidates evaluate year over year stock growth trends for a sense of the potential long-term value of their proposed stock awards. The volatility of the market price of our common stock could harm our ability to attract and retain talent. Our executive officers and other employees are at-will employees, which means they may terminate their employment relationship with us at any time, and their knowledge of our business and industry would be extremely difficult to replace. We cannot ensure that we will be able to retain the services of any members of our senior management or other key employees. If we do not succeed in attracting well-qualified employees or retaining and motivating existing employees, our business could be materially and adversely affected.
The job market and the optimization of our workforce creates a challenge and potential risk as we strive to attract and retain a highly skilled workforce.
Competition for certain of our employees, including highly skilled technology and product professionals responsible for the design, engineering and operation of systems, is competitive, which can present a risk as we compete for experienced candidates, especially if the competition is able to offer more attractive financial terms of employment. This risk extends to our current employee population. We also invest significant time and expense in engaging and developing our employees, which also increases their value to other companies that may seek to recruit them. Turnover can result in significant replacement costs and lost productivity.
70
SoFi Technologies, Inc.
In addition, from time to time, we implement organizational changes to pursue greater efficiency and realign our business and strategic priorities. For example, in the past, we laid off a relatively small number of employees even though we intend to continue to hire in other areas. As our organization continues to evolve, and we are required to implement and optimize our business and organizational structures, we may find it difficult to maintain the benefits of our corporate culture, including our ability to quickly develop and launch new and innovative products. This could negatively affect our business performance. See also "We transitioned to a flexible-first workforce model, which could subject us to increased business continuity and cyber risks, as well as other operational challenges and risks that could significantly harm our business and operations" for more information on the impact of a flexible workforce model on corporate culture and employee retention.
In addition, U.S. immigration policy has made it more difficult for qualified foreign nationals to obtain or maintain work visas under the H-1B classification. These H-1B visa limitations make it more difficult and/or more expensive for us to hire the skilled professionals we need to execute our growth strategy, especially engineering, data analytics and risk management personnel, and may adversely impact our business.
We transitioned to a flexible-first workforce model, which could subject us to increased business continuity and cyber risks, as well as other operational challenges and risks that could significantly harm our business and operations.
We offer most of our employees the choice of working full time in the office, a hybrid approach, or full-time remote. In 2023 we announced an increase in in-office collaboration for non-remote employees who are returning to the office for a specified number of days per month, varying by business team. This return to the office for non-remote employees is limited, and we expect many employees to continue to work remotely for a number of days per week. As a result, we expect to continue to be subject to the challenges and risks of having a remote workforce, as well as new challenges and risks from operating with a hybrid workforce. For example, our employees are accessing our servers remotely through home or other networks to perform their job responsibilities. Such security systems may be less secure than those used in our offices, which may subject us to increased security risks, including cybersecurity-related events, and expose us to risks of data or financial loss and associated disruptions to our business operations. Additionally, employees who access company data and systems remotely may not have access to technology that is as robust as that in our offices, which could place additional pressure on our user infrastructure and third parties that are not easily mitigated. These risks include home internet availability affecting work continuity and efficiency, and additional dependencies on third-party communication tools, such as instant messaging and online meeting platforms. We may also be exposed to risks associated with the locations of remote employees, including compliance with local laws and regulations or exposure to compromised internet infrastructure. Allowing our employees to work remotely may create intellectual property risk if employees create intellectual property on our behalf while residing in a jurisdiction with unenforced or uncertain intellectual property laws. Further, if employees fail to inform us of changes in their work location, we may be exposed to additional risks without our knowledge. While most of our operations can be performed remotely and we believe have operated effectively, there is no guarantee that this will continue or that we will continue to be as effective while operating a flexible-first workforce model because our team is dispersed.
Additionally, operating our business with both remote and in-person workers, or workers who work in flexible locations and on flexible schedules, could have a negative impact on our corporate culture, decrease the ability of our workforce to collaborate and communicate effectively, decrease innovation and productivity, or negatively affect workforce morale. If we are unable to manage the cybersecurity and other risks of a flexible-first workforce model, and maintain our corporate culture and workforce morale, our business could be harmed or otherwise adversely impacted.
Our business is subject to the risks of natural disasters, power outages, telecommunications failures and similar events, including public health crises, and to interruptions by human-made problems such as terrorism, cyberattacks, and other actions, which may impact the demand for our products or our members' ability to repay their loans.
Events beyond our control may damage our ability to maintain our platform and provide services to our members. Such events include, but are not limited to, hurricanes, earthquakes, fires, floods and other natural disasters, public health crises, power or other outages, telecommunications failures and similar events. Despite any precautions we may take, system interruptions and delays could occur if there is a natural disaster, if a third-party provider closes a facility we use without adequate notice for financial or other reasons, or if there are other unanticipated problems at our leased facilities. Because we rely heavily on our servers, computer and communications systems and the Internet to conduct our business and provide high-quality service to our members, disruptions could harm our ability to effectively run our business. Moreover, our members and customers face similar risks, which could directly or indirectly impact our business. We currently use AWS and would be unable to switch instantly to another system in the event of failure to access AWS. This means that an outage of AWS could result in our system being unavailable for a significant period of time. Terrorism, cyberattacks and other criminal, tortious or unintentional actions could also give rise to significant disruptions to our operations. In addition, the long-term effects of climate change on the global economy and our industry in particular are unclear, however we recognize that there are inherent
71
SoFi Technologies, Inc.
climate-related risks wherever business is conducted. For example, our offices may be vulnerable to the adverse effects of climate change. We have large offices located in the San Francisco Bay Area and Salt Lake City, Utah, regions that are prone to events such as seismic activity and severe weather, that have experienced and may continue to experience, climate-related events and at an increasing rate. Examples include drought and water scarcity, warmer temperatures, wildfires and air quality impacts and power shut-offs associated with wildfire prevention. The increasing intensity of drought throughout California and Utah and annual periods of wildfire danger increase the probability of planned power outages. Although we maintain a disaster response plan and insurance, such events could disrupt our business, the business of our partners or third-party suppliers, and may cause us to experience losses and additional costs to maintain and resume operations. Our business interruption insurance may not be sufficient to compensate us for losses that may result from interruptions in our service as a result of system failures or other disruptions. Comparable natural and other risks may reduce demand for our products or cause our members to suffer significant losses and/or incur significant disruption in their respective operations, which may affect their ability to satisfy their obligations towards us. All of the foregoing could materially and adversely affect our business, results of operations and financial condition.
Employee misconduct, which can be difficult to detect and deter, could harm our reputation and subject us to significant legal liability.
We operate in an industry in which integrity and the confidence of our members is of critical importance. We are subject to risks of errors and misconduct by our employees that could adversely affect our business, including:
•engaging in misrepresentation or fraudulent activities when marketing or performing online brokerage and other services to our members;
•improperly using or disclosing confidential information of our members, technology platform clients, or other parties;
•concealing unauthorized or unsuccessful activities; or
•otherwise not complying with applicable laws and regulations or our internal policies or procedures.
There have been numerous highly-publicized cases of fraud and other misconduct by financial services industry employees. The precautions that we take to detect and deter employee misconduct might not be effective. If any of our employees engage in illegal, improper, or suspicious activity or other misconduct, we could suffer serious harm to our reputation, financial condition, member relationships, and our ability to attract new members. We also could become subject to regulatory sanctions and significant legal liability, which could cause serious harm to our financial condition, reputation, member relationships and prospects of attracting additional members.
Risk Management and Financial Reporting Risks
If we fail to establish and maintain proper and effective internal control over financial reporting, our ability to produce accurate and timely financial statements could be impaired, investors may lose confidence in our financial reporting and the trading price of our common stock may decline.
Pursuant to Section 404 of the Sarbanes-Oxley Act, a report by management on internal control over financial reporting and an attestation of our independent registered public accounting firm are required. The rules governing the standards that must be met for management to assess internal control over financial reporting are complex and require significant documentation, testing and possible remediation. We are required, pursuant to Section 404 of the Sarbanes-Oxley Act, to furnish a report by management on, among other things, the effectiveness of our internal control over financial reporting for our annual reports on Form 10-K. This assessment must include disclosure of any material weaknesses identified by our management in our internal control over financial reporting. Our independent registered public accounting firm must also attest to the effectiveness of our internal control over financial reporting in our annual reports on Form 10-K. We are required to disclose changes made in our internal controls and procedures on a quarterly basis. Failure to comply with the Sarbanes-Oxley Act could potentially subject us to sanctions or investigations by the SEC, the applicable stock exchange or other regulatory authorities, which would require additional financial and management resources.
The annual internal control assessment required by Section 404 of Sarbanes-Oxley has diverted, and may in the future divert, internal resources and we have and may experience higher operating expenses, higher independent auditor and consulting fees in the future. To comply with the Sarbanes-Oxley Act, the requirements of being a reporting company under the Exchange Act and any new or revised accounting rules in the future, as necessary, we have, and may in the future further, work to upgrade the Company's legacy information technology systems; implement additional financial and management controls, reporting systems and procedures; and hire additional accounting and finance staff. If we are unable to hire the additional accounting and finance staff necessary to comply with these requirements, we may need to retain additional outside consultants.
72
SoFi Technologies, Inc.
In addition, our current controls and any new controls that we develop may become inadequate because of poor design and changes in our business. For example, our continuing growth and expansion in globally dispersed markets, such as our acquisition of Technisys, has placed and may in the future place significant additional pressure on our system of internal control over financial reporting, as acquisition targets may not be in compliance with the provisions of the Sarbanes-Oxley Act. We do not conduct a formal evaluation of companies' internal control over financial reporting prior to an acquisition. We may be required to hire additional staff and incur substantial costs to implement the necessary new internal controls at companies we acquire. Any failure to implement and maintain effective internal controls over financial reporting could adversely affect the results of assessments by our independent registered public accounting firm and their attestation reports. If we or, if required, our independent registered public accounting firm, are unable to conclude that our internal control over financial reporting is effective, investors may lose confidence in our financial reporting, which could negatively impact the price of our securities.
As a result of any material weakness, restatement, change in accounting, or other matters raised or that may in the future be raised by the SEC, we may face potential litigation or other disputes, which may include, among others, claims invoking the federal and state securities laws, contractual claims or other claims arising from the restatement and material weaknesses in our internal control over financial reporting and the preparation of our financial statements. We can provide no assurance that litigation or disputes will not arise in the future. Any such litigation or dispute related to our financial statements or internal controls, whether successful or not, could have a material adverse effect on our business, results of operations and financial condition.
We cannot assure you that there will not be additional material weaknesses in our internal control over financial reporting now or in the future. Any failure to maintain internal control over financial reporting could cause us to fail to timely detect errors and severely inhibit our ability to accurately report our financial condition, results of operations or cash flows. If we are unable to conclude that our internal control over financial reporting is effective, or if our independent registered public accounting firm determines that we have a material weakness in our internal control over financial reporting, investors may lose confidence in the accuracy and completeness of our financial reports, the market price of our common stock could decline, and we could be subject to sanctions or investigations by Nasdaq, the SEC or other regulatory authorities. Failure to remedy any material weakness in our internal control over financial reporting, or to implement or maintain other effective control systems required of public companies, could also restrict our future access to the capital markets.
We adjust our total number of members in the event a member is removed in accordance with our terms of service, and our total member count in any one period may not yet reflect such adjustments.
We adjust our total number of members in the event a member is removed in accordance with our terms of service. This could occur for a variety of reasons-including fraud or pursuant to certain legal processes or if a member requests that we close their account in accordance with our terms of service-and, as our terms of service evolve together with our business practices, product offerings and applicable regulations, additional grounds for removing members from our total member count could occur. The determination that a member should be removed in accordance with our terms of service is subject to an evaluation process, following the completion, and based on the results, of which, relevant members and their associated products are removed from our total member count. However, depending on the length of the evaluation process, that removal may not take place in the same period in which the member was added to our member count or the same period in which the circumstances leading to their removal occurred. For this reason, our total member count in any one period may not yet reflect such adjustments. In any given period, we estimate that up to 10% of our members may be under evaluation for removal in accordance with our terms of service; however, we cannot assure you that this percentage in any period will not be more significant and have an adverse impact on our stock price or results of operations.
Our reported financial results may be adversely affected by changes in accounting principles generally accepted in the United States.
Generally accepted accounting principles in the United States are subject to interpretation by the Financial Accounting Standards Board, the American Institute of Certified Public Accountants, the SEC and various bodies formed to promulgate and interpret appropriate accounting principles. A change in these principles or interpretations could have a significant effect on our reported financial results and could affect the reporting of transactions completed before the announcement of a change.
We incur significant costs and expend significant time and effort, as a result of operating as a public company, and our management is required to devote substantial time to compliance initiatives and corporate governance practices.
We have incurred and will continue to incur increased costs as a result of operating as a public company, and our management intends to continue to devote substantial time to new risk management and compliance initiatives. As a public company, we are subject to the reporting requirements of the Exchange Act, the Sarbanes-Oxley Act, the Dodd-Frank Act, as well as rules adopted, and to be adopted, by the SEC and Nasdaq. Our management and other personnel devote a substantial
73
SoFi Technologies, Inc.
amount of time to these risk management and compliance initiatives. Furthermore, new rules and regulations or changes to existing rules and regulations in the future may increase our legal and financial compliance costs and make some activities more time-consuming and costly. The impact of these requirements could also make it more difficult for us to attract and retain qualified persons to serve on our Board of Directors, its board committees or as executive officers.
Dealing with the increasingly complex laws pertaining to public companies can be time consuming, which may result in our executive officers devoting less time to the management and growth of the business. We continue to evaluate whether we have adequate personnel with the appropriate level of knowledge, experience and training in the accounting policies, practices or internal control over financial reporting required of public companies. We have in the past and may in the future expand our employee base and hire additional employees to support our operations as a public company, which has caused and may in the future cause our operating costs to increase. See "If we fail to establish and maintain proper and effective internal control over financial reporting, our ability to produce accurate and timely financial statements could be impaired, investors may lose confidence in our financial reporting and the trading price of our common stock may decline".
Our risk management processes and procedures may not be effective.
Our risk management processes and procedures seek to appropriately balance risk and return and mitigate risks. We have established processes and procedures intended to identify, measure, monitor and control the types of risk to which we are subject, including interest rate risk, credit risk, deposit risk, market risk, foreign currency exchange rate risk, liquidity risk, strategic risk, operational risk, cybersecurity risk, and reputational risk. Credit risk is the risk of loss that arises when a loan obligor fails to meet the terms of a loan repayment obligation, the loan enters default, and if uncured results in financial loss of remaining principal and interest to the loan purchaser. Our exposure to credit risk mainly arises from our lending activities, including SoFi Credit Card. Deposit risk refers to accelerated availability of depositor funds, prior to settlement, risk of ACH returns or merchant settlements, and transactional limits that may be applied to deposit accounts. Market risk is the risk of loss due to changes in external market factors, such as interest rates, asset prices, and foreign exchange rates. Foreign currency exchange rate risk is the risk that our financial position or results of operations could be positively or negatively impacted by fluctuations in exchange rates. We may in the future be subject to increasing foreign currency exchange rate risk with our acquisition of Technisys, a foreign company, and we continue to pursue a diversified durable growth strategy with expansion via new products and geographies. Liquidity risk is the risk that financial condition or overall safety and soundness are adversely affected by an inability, or perceived inability, to meet obligations (e.g., current and future cash flow needs) and support business growth. We actively monitor our liquidity position at the broker-dealer and SoFi Bank. Strategic risk is the risk from changes in the business environment, ineffective business strategies, improper implementation of decisions or inadequate responsiveness to changes in the business and competitive environment.
Operational risk is the risk of loss arising from inadequate or failed internal processes, controls, people (e.g., human error or misconduct) or systems (e.g., technology problems), business continuity or external events (e.g., natural disasters), compliance, reputational, regulatory, cybersecurity or legal matters and includes those risks as they relate directly to us, fraud losses attributed to applications and any associated fines and monetary penalties as a result, transaction processing, or employees, as well as to third parties with whom we contract or otherwise do business. We believe operational risk is one of the most prevalent forms of risk in our risk profile. We strive to manage operational risk by establishing policies and procedures to accomplish timely and efficient processing, obtaining periodic internal control attestations from management, conducting internal process Risk Control Self-Assessments and audit reviews to evaluate the effectiveness of internal controls. Our operational risk, and the amount we invest in risk management, may increase as we introduce new products and product features, and as new threat actors and evolving threat vectors, such as account takeover tactics, increase and become more sophisticated. In order to be effective, among other things, our enterprise risk management capabilities must adapt and align to support any new product or loan features, capability, strategic development, or external change.
Cybersecurity risk is the risk of an unauthorized occurrence on or conducted through our information systems that may result in adverse effects on the confidentiality, availability, or integrity of our systems and data, including, but not limited to, sensitive client data. Our technology and cybersecurity teams rely on a layered system of preventive and detective technologies, controls, and policies to detect, mitigate, and contain cybersecurity threats. In addition, our cybersecurity team, and the third-party consultants they engage, assess our cybersecurity risks and mitigation efforts. Cyberattacks can also result in financial and reputational risk.
Reputational risk is the risk arising from possible negative perceptions of us, whether true or not, among our current and prospective members, clients, counterparties, employees, and regulators. The potential for either enhancing or damaging our reputation is inherent in almost all aspects of business activity. We attempt to manage this risk through our commitment to a set of core values that emphasize and reward high standards of ethical behavior, maintaining a culture of compliance, and by being responsive to member and regulatory requirements.
74
SoFi Technologies, Inc.
Risk, including, but not limited to, the risks outlined above, is inherent in our business, and therefore, despite our efforts to manage risk, there can be no assurance that we will not sustain unexpected losses. We could incur substantial losses and our business operations could be disrupted to the extent our business model, operational processes, control functions, technological capabilities, risk analyses, and business/product knowledge do not adequately identify and manage potential risks associated with our strategic initiatives. There also may be risks that exist, or that develop in the future, that we have not appropriately anticipated, identified or mitigated, including when processes are changed or new products and services are introduced. If our risk management framework does not effectively identify and control our risks, we could suffer unexpected losses or be otherwise adversely affected, which could have a material adverse effect on our business.
Incorrect estimates or assumptions by management in connection with the preparation of our consolidated financial statements or forecasts could adversely affect our reported or forecasted assets, liabilities, income, revenues or expenses.
The preparation of our consolidated financial statements requires management to make critical accounting estimates and assumptions that affect the reported amounts of assets, liabilities, income, revenues or expenses during the reporting periods. Incorrect estimates and assumptions by management could adversely affect our reported amounts of assets, liabilities, income, revenues and expenses during the reporting periods. If we make incorrect assumptions or estimates, our reported financial results may be over- or understated, which could materially and adversely affect our business, financial condition and results of operations.
In addition, operating results are difficult to forecast because they generally depend on a number of factors, including the competition we face, and our ability to attract and retain members and enterprise partnerships, and macroeconomic risks, while generating sustained revenues through the Financial Services Productivity Loop. Additionally, our business may be affected by reductions in consumer borrowing, spending and investing, consumer deposits or investment by technology platform clients from time to time as a result of a number of factors, including the state of the overall economy, which may be difficult to predict. This may result in decreased revenue levels, and we may be unable to adopt measures in a timely manner to compensate for any unexpected shortfall in income. This inability could cause our operating results in a given quarter to be higher or lower than expected. These factors make creating accurate forecasts and budgets challenging and, as a result, we may fall materially short of our forecasts and expectations, which could cause our stock price to decline and investors to lose confidence in us.
We may fail to meet our publicly announced guidance or other expectations about our business and future operating results, which could cause our stock price to decline.
We typically release earnings guidance in our quarterly and annual earnings conference calls and quarterly and annual earnings releases, and may, from time to time, announce guidance otherwise, regarding our future performance that represents our management's estimates as of the date of release. This guidance includes forward-looking statements based on projections prepared by our management. Projections are based upon a number of assumptions and estimates that are based on information known when they are issued, and, while presented with numerical specificity, are inherently subject to significant business, economic and competitive uncertainties and contingencies relating to our business, many of which are beyond our control and are based upon specific assumptions with respect to future business decisions, some of which will change.
Guidance is necessarily speculative in nature, and some or all of the assumptions underlying the guidance furnished by us may not materialize or may vary significantly from actual outcomes. Accordingly, our guidance is only an estimate of what management believes is realizable as of the date of release. Actual results may vary from our guidance and the variations may be material. In light of the foregoing, investors are urged not to rely upon our guidance in making an investment decision regarding our common stock.
Information Technology and Data Risks
Cyberattacks and other security incidents and compromises could have an adverse effect on our business, harm our reputation and expose us to liability and adversely affect our ability to collect payments and maintain accurate accounts. Efforts to prevent and respond to these attacks and incidents are costly.
In the normal course of business, we collect, process and retain non-public and confidential information regarding our members, prospective members, technology platform clients and the customers of our technology platform clients. We also have arrangements in place with certain third-party service providers that require us to share consumer information.
We likely will not be able to anticipate or prevent all security incidents or compromises even if we have implemented preventive measures, in which case there would be an increased risk of fraud or identity theft, and we have in the past and may
75
SoFi Technologies, Inc.
in the future experience losses on, or delays in the collection of amounts owed. Although we devote significant resources and management focus to work to ensure the integrity of our systems through information/cybersecurity and business continuity programs, our facilities and systems, and those of third-party service providers, have been and will likely continue to be targeted by external or internal threats.
We and our third-party service providers are at constant risk of cyber-attacks or cyber intrusions via viruses, worms, break-ins, malware, ransomware and other malicious software programs, phishing attacks, hacking, denial-of-service attacks or other attacks and similar disruptions from the unauthorized use of or access to computer systems (including from internal and external sources) that attack our products or otherwise exploit any vulnerabilities in our systems or those of our third-party service providers, or attempt to fraudulently induce our members, prospective members, technology platform clients and the customers of our technology platform clients, third-party service providers or others to disclose passwords or other sensitive information or unwittingly provide access to our systems or data. In addition, we expect the amount and sophistication of the perpetrators of these attacks to continue to expand, which could include nation-state actors. Any such incident could lead to interruptions, delays or website outages, causing loss of critical data or the unauthorized disclosure or use of personally identifiable or other confidential information.
Cyberattacks continue to be prevalent and pervasive across industries, including in our industry, and such attacks on our systems and those of our third-party service providers have occurred in the past and are expected to occur in the future. Security incidents or compromises could occur from outside our company, and also from the actions of persons inside our company who may have authorized or unauthorized access to our technology systems, despite our investment in security controls. In addition, security threats may increase as a result of geopolitical events, such as in connection with escalating conflict in the Middle East and the ongoing war in Ukraine, and recent changes to the U.S. presidential administration. These events could interrupt our business or operations, result in significant legal and financial exposure, supervisory liability, damage to our reputation and a loss of confidence in the security of our systems, products and services. Although the impact to date from these events has not had a material adverse effect on us, no assurance is given that this will continue to be the case in the future.
Cybersecurity risks in the financial services industry have increased, in part because of new technologies, artificial intelligence, the use of the Internet and telecommunications technologies (including mobile devices) to conduct financial and other business transactions and the increased sophistication and activities of organized criminals, perpetrators of fraud, hackers, terrorists and others. In addition to cyberattacks and other security incidents and compromises involving the theft of non-public and confidential information, hackers have engaged in attacks that are designed to disrupt key business services, such as consumer-facing websites. We may not be able to anticipate or implement effective preventive measures against all security incidents and compromises, especially because the techniques used change frequently and because attacks can originate from a wide variety of sources. We employ detection and response mechanisms designed to contain and mitigate security incidents, but there are no assurances that these mechanisms will be effective and early detection efforts may be thwarted by sophisticated attacks and malware designed to avoid detection. Despite our investments in detection strategy and a 24/7/365 security operations center, we also may fail to detect the existence of a security incident related to the information of our members.
The access by unauthorized persons to, or the improper disclosure by us of, confidential information regarding our members, prospective members, technology platform clients and the customers of our technology platform clients, or our proprietary information, software, methodologies and business secrets could interrupt our business or operations, result in significant legal and financial exposure, supervisory liability, damage to our reputation or a loss of confidence in the security of our systems, products and services, all of which could have a material adverse impact on our business. Because each loan that we originate involves, in part, our proprietary automated underwriting process, any failure of our computer systems involving our automated underwriting process and any technical or other errors contained in the software pertaining to our automated underwriting process could compromise our ability to accurately evaluate potential members, which could negatively impact our results of operations. Furthermore, any failure of our computer systems could cause an interruption in operations and result in disruptions in, or reductions in the amount of, collections from the loans we make to our members. Additionally, if threat actors were able to access our secure files, they might be able to gain access to the personal information of our members, prospective members, technology platform clients and the customers of our technology platform clients. If we are unable to prevent such activity, we may be subject to significant liability, negative publicity and a material loss of members or technology platform clients, all of which may negatively affect our business. In addition, there have in the past been a number of well-publicized attacks or incidents affecting companies in the financial services industry that have heightened concern by consumers, which could also intensify regulatory focus, cause users to lose trust in the security of the industry in general and result in reduced use of our services and increased costs, all of which could also have a material adverse effect on our business.
76
SoFi Technologies, Inc.
The processing of personal data and implementation of new technologies could give rise to liabilities as a result of federal, state and international laws and regulations, as well as our failure to adhere to the privacy and data security practices that we articulate to our members.
We collect, process, store, use, share and/or transmit a large volume of personal information and other non-public data from current, past and prospective members. There are federal, state, and foreign laws regarding privacy, data security and the collection, use, storage, protection, sharing and/or transmission of personal information and non-public data. Additionally, many states continue to enact legislation on matters of privacy, information security, cybersecurity, data breach and data breach notification requirements. For example, as of January 1, 2020, the CCPA granted additional consumer rights with respect to data privacy in California. The CCPA was amended by a California ballot initiative, the CPRA, in November 2020. The CCPA amendments, including expanded rights for consumers and obligations for businesses, went into effect on January 1, 2023. The CCPA, among other things, entitles California residents to know how their personal information is being collected and shared, to access or request the deletion of their personal information and to opt out of the sharing of their personal information. The amended CCPA also created a new state agency, the CPPA, and vested it with full administrative power, authority and jurisdiction to implement and enforce the CCPA. Generally, personal information that we process is subject to GLBA and thereby exempt from CCPA coverage. However, the CCPA regulates other personal information that we collect and process in connection with the business. While we have made modifications to our data collection and processing practices and policies to comply with the CCPA, we cannot predict their impact on our business, operations or financial condition.
Laws similar to the CCPA have been passed in numerous other states, a number of which will enter into force in 2025. Further, a number of other states have proposed new privacy laws, some of which would be comprehensive such as the CCPA and others which are more narrowly focused on particular types of data. Such proposed legislation, if enacted, may add additional complexity, variation in requirements, restrictions and potential legal risk, require additional investment of resources in compliance programs, impact strategies and the availability of previously useful data and could result in increased compliance costs and/or changes in business practices and policies. The existence of comprehensive privacy laws in different states in the country would make our compliance obligations more complex and costly and may increase the likelihood that we may be subject to enforcement actions or otherwise incur liability for noncompliance. In addition, laws in all 50 U.S. states require businesses to provide notice to individuals if certain of their personal information has been disclosed as a result of a qualifying data breach. These various privacy and security laws may impact our business activities, including our identification of research subjects, relationships with business partners and ultimately the marketing and distribution of our products. State laws are changing rapidly and U.S. Congress may in the future enact a comprehensive federal data privacy law to which we may likely become subject.
Outside the United States, an increasing number of laws, regulations, and industry standards apply to data privacy and security. For example, the EU GDPR, the UK GDPR, various Latin American ("LATAM") privacy laws such as Brazil's Lei Geral de Proteção de Dados Pessoais ("LGPD") and Argentina's Ley de Protección de los Datos Personales ("PDPA") impose strict requirements for the processing of personal data of individuals located, respectively, within the EEA, the UK and LATAM region. For example, under the EU GDPR, government regulators may impose temporary or definitive bans on data processing, as well as fines of up to 20 million Euros (£17.5 million in the UK) or 4% of the annual global revenue of the company, whichever is greater; or private litigation related to processing of personal data brought by classes of data subjects or consumer protection organizations authorized at law to represent their interests. Certain jurisdictions, such as the EU, Switzerland, the UK and LATAM have enacted cross-border personal data transfers laws regulating personal data flows to third countries. For example, absent appropriate safeguards or other circumstances, the EU GDPR generally restricts the transfer of personal data to countries outside of the EEA, such as the United States, which the European Commission does not consider to be providing an adequate level of personal data protection. The European Commission has issued standard contractual clauses for data transfers from controllers or processors in the EU (or otherwise subject to the EU GDPR) to controllers or processors established outside the EU. The standard contractual clauses require exporters to assess the risk of a data transfer on a case-by-case basis, including an analysis of the laws in the destination country. The UK is not subject to the European Commission's standard contractual clauses but has published a UK-specific transfer mechanism, which enables transfers from the UK. The UK-specific mechanism, the "International Data Transfer Agreement", requires a similar risk assessment of the transfer as the standard contractual clauses. Further, the EU and United States have adopted its adequacy decision for the EU-U.S. Data Privacy Framework ("Framework"), which entered into force on July 11, 2023. This Framework provides that the protection of personal data transferred between the EU and the United States is comparable to that offered in the EU. This provides a further avenue to ensuring transfers to the United States are carried out in line with the EU GDPR. There has been an extension to the Framework to cover UK transfers to the United States. The Framework could be challenged like its predecessor frameworks. This complexity and the additional contractual burden may increase our overall risk exposure. In addition, laws in Switzerland and LATAM similarly restrict personal data transfers outside of those jurisdictions to countries such as the United States of America that do not provide an adequate level of personal data protection. In addition to European restrictions on cross-border personal data transfers, other jurisdictions have enacted or are considering similar cross-border personal data transfer laws and
77
SoFi Technologies, Inc.
local personal data residency laws, any of which could increase the cost and complexity of doing business. If we cannot implement a valid compliance mechanism for cross-border personal data transfers, we may face increased exposure to regulatory actions, substantial fines, and injunctions against processing or transferring personal data from Europe or elsewhere. Inability to import personal data to the United States may significantly and negatively impact our business operations, including by limiting our ability to collaborate with parties subject to European and other data protection laws or requiring us to increase our personal data processing capabilities in Europe and/or elsewhere at significant expense.
Separately, as the regulatory framework for machine learning technology and AI evolves, new state laws and regulations are emerging, such as the Colorado AI Act which will go into effect on February 1, 2026, and California's AB 2013, which requires generative AI developers to post information on their websites regarding the data used to train their AI systems. It is possible that other new laws and regulations will be adopted in the near future, or that existing laws and regulations may be interpreted in ways that would affect our business and the ways in which we may use AI and machine learning technology, our financial condition and our results of operations, including as a result of the cost to comply with such laws or regulations. For example, the EU's Artificial Intelligence Act ("AI Act") - the world's first comprehensive AI law - entered into force on August 1, 2024 and, with some exceptions, will begin to apply as of August 2, 2026. This legislation imposes significant obligations on providers and deployers of high-risk artificial intelligence systems, and encourages providers and deployers of artificial intelligence systems to account for EU ethical principles in their development and use of these systems. If we develop or use AI systems that are governed by the AI Act, it may necessitate ensuring higher standards of data quality, transparency, and human oversight, as well as adhering to specific ethical, accountability, and administrative requirements, some of which may increase our costs and compliance obligations. Further, potential government regulation related to AI use and ethics may also increase the cost of research and development in this area, and failure to properly remediate AI usage or ethics issues may cause public confidence in AI to be undermined, which could slow adoption of AI in our products and services.
Any violations of these laws and regulations may require us to change our business practices or operational structure, including limiting our activities in certain states and/or jurisdictions, address legal claims, and sustain monetary penalties, reputational damage and/or other harms to our business. Further, in certain cases we rely on the data processing, privacy, data protection and cybersecurity practices of our third-party service providers, including with regard to maintaining the confidentiality, security and integrity of data. If we fail to manage our third-party service providers or their relevant practices, or if they fail to meet any requirements with regard to data processing, privacy, data protection or cybersecurity required by applicable legal or contractual obligations that we face (including any applicable requirements of our clients), we may be liable in certain cases. Legal obligations relating to privacy, cybersecurity and data protection may require us to manage our third-party service providers and their practices and to enter into agreements with them in certain cases. We may face difficulties in binding our third-party service providers to these agreements and otherwise managing their relevant practices, which may subject us to claims, proceedings, and liabilities.
Furthermore, our online privacy policy and website make certain statements regarding our privacy, information security, and data security practices with regard to information collected from our members. Failure to adhere to such practices may result in regulatory scrutiny and investigation (including the potential for fines and monetary penalties), complaints by affected members, reputational damage and other harm to our business. If either we, or the third-party service providers with which we share member data, are unable to address privacy concerns, even if unfounded, or to comply with applicable laws and regulations, it could result in additional costs and liability, damage our reputation, and harm our business.
Disruptions in the operation of our computer systems and third-party data centers and service providers could have an adverse effect on our business.
Our ability to deliver products and services to our members and clients, and otherwise operate our business and comply with applicable laws, depends on the efficient and uninterrupted operation of our computer systems and third-party data centers, as well as third-party service providers. Our computer systems and third-party providers may encounter service interruptions at any time due to system or software failure or errors, employee misconfiguration of resources or misdirected communications, natural disasters, severe weather conditions, health pandemics, terrorist attacks, cyberattacks or other events. For example, in September 2023, the SoFi Invest platform experienced a service interruption that resulted in some of our members being unable to view certain of their account information and unable to buy and sell securities and other financial products on our platform for a period of time. Any such events, including persistent interruptions or perceptions of such interruptions whether true or not, in our products and services could cause members to believe that our products and services are unreliable, leading them to switch to our competitors or to otherwise avoid our products and services, and otherwise have a negative effect on our business and technology infrastructure (including our computer network systems), which could lead to member dissatisfaction or long-term disruption of our operations. Additionally, our insurance policies might be insufficient to
78
SoFi Technologies, Inc.
cover a claim made against us by any such members affected by any disruptions, outages, or other performance or infrastructure problems.
Additionally, our reliance on third-party providers may mean that we will not be able to resolve operational problems internally or on a timely basis, as our operations will depend upon such third-party service providers communicating appropriately and responding swiftly to their own service disruptions through industry standard best practices in business continuity and/or disaster recovery. As a last resort, we may rely on our ability to replace a third-party service provider if it experiences difficulties that interrupt operations for a prolonged period of time or if an essential third-party service terminates. If these service arrangements are terminated for any reason without an immediately available substitute arrangement, our operations may be severely interrupted or delayed. If such interruption or delay were to continue for a substantial period of time, our business, prospects, financial condition and results of operations could be adversely affected.
The implementation of technology changes and upgrades to maintain current and integrate new systems may cause service interruptions, transaction processing errors or system conversion delays and may cause us to fail to comply with applicable laws, all of which could have a material adverse effect on our business. We have made and expect to continue to make substantial and increasing investments in "observability", or the monitoring of our systems, but limitations or failures in those systems may exacerbate other problems by preventing us from anticipating or quickly detecting issues. In addition, our ability to monitor third party services and service providers is limited, and so our ability to anticipate, detect, and remediate anomalies in those services is also more limited when compared to our internal systems monitoring.
Although our current use of artificial intelligence and machine learning is limited, our systems and those of our partners are increasingly reliant on artificial intelligence machine learning systems, which are complex and may have errors or inadequacies that are not easily detectable. These systems may inadvertently reduce the efficiency of our systems, or may cause unintentional or unexpected outputs that are incorrect, do not match our business goals, do not comply with our policies, or otherwise are inconsistent with our brands, guiding principles and mission. Errors or breakdowns in our machine learning systems could also result in damage to our reputation, loss of members, loss of revenue or liability for damages, any of which could adversely affect our growth prospects and our business.
We expect that new technologies and business processes applicable to the financial services industry will continue to emerge and that these new technologies and business processes may be better than those we currently use. There is no assurance that we will be able to successfully adopt new technology as critical systems and applications become obsolete and better ones become available. A failure to maintain and/or improve current technology and business processes could cause disruptions in our operations or cause our solution to be less competitive, all of which could have a material adverse effect on our business.
Risks Related to Ownership of Our Securities
The price of our common stock has fluctuated and may be volatile in the future.
The price of our common stock has fluctuated and may continue to fluctuate due to a variety of factors, including:
•changes in the industry in which we operate, including public perception of such industry;
•developments involving our competitors;
•changes in laws and regulations affecting our business, or changes in policies with respect to student loan forgiveness;
•changes in interest rates and inflation;
•variations in our operating performance and the performance of our competitors in general;
•actual or anticipated fluctuations in our quarterly or annual operating results;
•publication of research reports by securities analysts about us or our competitors or our industry;
•the public's reaction to our press releases, our other public announcements and our filings with the SEC or any changes in our reputation;
•actions by stockholders;
•additions and departures of key personnel;
•commencement of, or involvement in, litigation or regulatory enforcement investigations involving our company;
79
SoFi Technologies, Inc.
•changes in our capital structure, such as future issuances of securities or the incurrence of additional debt, including in connection with acquisitions;
•any reverse stock split of our outstanding shares of common stock, which may increase the price of our common stock;
•volatility in capital markets and changes in the volume of shares of our common stock available for public sale; and
•general economic and political conditions, such as the effects of recessions, interest rates, tariffs, inflation, consumer confidence and spending, public perception of the financial services industry, availability of loans and liquidity in the capital markets, local and national elections, corruption, political instability and acts of war or terrorism, including escalating conflict in the Middle East and the ongoing war in Ukraine, and policy- and regulatory-related changes resulting from the recent changes to the U.S. presidential administration.
These market and industry factors, as well as others, may materially reduce the market price of our common stock regardless of our operating performance.
We do not intend to pay cash dividends on our common stock for the foreseeable future.
We currently intend to retain our future earnings, if any, to finance the further development and expansion of our business and do not intend to pay cash dividends on our common stock in the foreseeable future. Any future determination to pay dividends on our common stock will be at the discretion of our Board of Directors and will depend on obtaining regulatory approvals, if required, our financial condition, results of operations, capital requirements, restrictions contained in future agreements and financing instruments, business prospects and such other factors as our Board of Directors deems relevant.
If analysts publish inaccurate or unfavorable research, our stock price and trading volume could decline.
The trading market for our common stock depends in part on the research and reports that analysts publish about our business. We do not have any control over these analysts. If one or more of the analysts who cover us downgrade our common stock or publish inaccurate or unfavorable research about our business, as they have done in the past, the price of our common stock would likely decline. If few analysts cover us, demand for our common stock could decrease and our common stock price and trading volume may decline. Similar results may occur if one or more of these analysts stop covering us in the future or fail to publish reports on us regularly. In addition, analysts may establish and publish their own periodic projections for us. These projections may vary widely and may not accurately predict the results we actually achieve. Our share price may decline if our actual results do not match the projections of these research analysts. In addition, if the market for technology stocks or financial services stocks or the broader stock market experiences a loss of investor confidence, the trading price of our common stock could decline for reasons unrelated to our business, financial condition or results of operations.
We may be subject to securities litigation, which is expensive and could divert management attention.
The market price of our common stock may be volatile and, in the past, companies that have experienced volatility in the market price of their stock have been subject to securities class action litigation. We may be the target of this type of litigation in the future. Securities litigation against us could result in substantial costs and divert management's attention from other business concerns, which could seriously harm our business.
Future resales of our common stock may cause the market price of our securities to drop significantly, even if our business is doing well.
Sales of a substantial number of shares of our common stock in the public market or the perception that these sales might occur, have in the past and could in the future depress the market price of our common stock and could impair our ability to raise capital through the sale of additional equity securities. Sales of a substantial number of shares, or the perception that such sales may occur, could have a material and adverse effect on the trading price of our common stock. Sales of a substantial number of shares of common stock in the public market could occur at any time. We have filed with the SEC, and the SEC has declared effective, a registration statement covering shares of our common stock issued in connection with the Agreement, including shares issued to the Third Party PIPE Investors, among others, to facilitate such sales and we have filed a registration statement on Form S-3 which allows us to sell securities from time to time. These sales, or the perception in the market that the holders of a large number of shares intend to sell shares, could cause the market price of our common stock to decline or increase the volatility in the market price of our common stock.
80
SoFi Technologies, Inc.
Our issuance of additional capital stock in connection with financings, acquisitions, investments, our stock incentive plans or otherwise will dilute all other stockholders.
Our issuance of additional capital stock in connection with financings, acquisitions, investments, our stock incentive plans or otherwise will dilute our stockholders. We expect to issue additional capital stock in the future that will result in dilution to all other stockholders. We expect to continue granting equity awards to employees, directors, and consultants under our stock incentive plans. We may also raise capital through equity financings in the future. As part of our business strategy, we may acquire or make investments in complementary companies, products, or technologies and issue equity securities to pay for any such acquisition or investment. Any such issuances of additional capital stock may cause stockholders to experience significant dilution of their ownership interests and the per share value of our common stock to decline.
There can be no assurance that we will be able to comply with the continued listing standards of Nasdaq.
If Nasdaq delists our shares of common stock from trading on its exchange for failure to meet Nasdaq's listing standards, we and our stockholders could face significant material adverse consequences, including:
•a limited availability of market quotations for our securities;
•reduced liquidity for our securities;
•a determination that our common stock is a "penny stock," which will require brokers trading in our common stock to adhere to more stringent rules and possibly result in a reduced level of trading activity in the secondary trading market for our securities;
•a limited amount of news and analyst coverage; and
•a decreased ability to issue additional securities or obtain additional financing in the future.
Delaware law and our organizational documents contain certain provisions, including anti-takeover provisions that limit the ability of stockholders to take certain actions and could delay or discourage takeover attempts that stockholders may consider favorable.
The General Corporation Law of the State of Delaware (the "DGCL") and our organizational documents contain provisions that could have the effect of rendering more difficult, delaying, or preventing an acquisition that stockholders may consider favorable, including transactions in which stockholders might otherwise receive a premium for their shares. These provisions could also limit the price that investors might be willing to pay in the future for shares of our common stock, and therefore depress the trading price of our common stock. Additionally, these provisions could also make it difficult for stockholders to take certain actions, including electing directors who are not nominated by the current members of our Board of Directors or taking other corporate actions, including effecting changes in our management. Among other things, our organizational documents include provisions regarding:
•the ability of our Board of Directors to issue shares of preferred stock, including "blank check" preferred stock and to determine the price and other terms of those shares, including preferences and voting rights, without stockholder approval, which could be used to significantly dilute the ownership of a hostile acquirer;
•the prohibition of cumulative voting in the election of directors, which limits the ability of minority stockholders to elect director candidates;
•limitations on the liability of our directors, and the indemnification of our directors and officers;
•the ability of our Board of Directors to amend our bylaws, which may allow our Board of Directors to take additional actions to prevent an unsolicited takeover and inhibit the ability of an acquirer to amend our bylaws to facilitate an unsolicited takeover attempt; and
•advance notice procedures with which stockholders must comply to nominate candidates to our Board of Directors or to propose matters to be acted upon at a stockholders' meeting, which could preclude stockholders from bringing matters before annual or special meetings of stockholders and delay changes in our Board of Directors and also may discourage or deter a potential acquirer from conducting a solicitation of proxies to elect the acquirer's own slate of directors or otherwise attempting to obtain control of our company.
These provisions, alone or together, could delay or prevent hostile takeovers and changes in control or changes in the Board of Directors or management of our company.
81
SoFi Technologies, Inc.
The provisions of our bylaws requiring exclusive forum in the Court of Chancery of the State of Delaware and the federal district courts of the United States for certain types of lawsuits may have the effect of discouraging certain lawsuits, including derivative lawsuits and lawsuits against our directors and officers, by limiting plaintiffs' ability to bring a claim in a judicial forum that they find favorable.
Our bylaws provide that, to the fullest extent permitted by law, and unless we consent in writing to the selection of an alternative forum, the Court of Chancery of the State of Delaware (or, in the event that such court does not have jurisdiction, the federal district court for the District of Delaware or other state courts of the State of Delaware) will be the sole and exclusive forum for any state law claims for (i) any derivative action or proceeding brought on our behalf, (ii) any action asserting a claim for or based on a breach of a fiduciary duty owed by any of our current or former directors, officers or other employees to us or our stockholders, (iii) any action asserting a claim against us or any of our current or former directors, officers or other employees arising pursuant to any provision of the DGCL or our bylaws or Certificate of Incorporation (as either may be amended from time to time), (iv) any action asserting a claim related to or involving our company that is governed by the internal affairs doctrine, and (v) any action asserting an "internal corporate claim" as that term is defined in Section 115 of the DGCL (the "Delaware Forum Provision"). The Delaware Forum Provision, however, does not apply to actions or claims arising under the Exchange Act. Our bylaws also provide that, unless we consent in writing to the selection of an alternate forum, the sole and exclusive forum for the resolution of any complaint asserting a cause of action arising under the Securities Act of 1933, as amended, and the rules and regulations promulgated thereunder, will be the United States Federal District Courts (the "Federal Forum Provision"). Section 27 of the Exchange Act creates exclusive federal jurisdiction over all suits brought to enforce any duty or liability created by the Exchange Act or the rules and regulations thereunder; our stockholders cannot and will not be deemed to have waived compliance with the U.S. federal securities laws and the rules and regulations thereunder.
The Delaware Forum Provision and the Federal Forum Provision in our bylaws may impose additional litigation costs on stockholders in pursuing any such claims and may also impose additional litigation costs on stockholders who assert that either such provision is not enforceable or invalid. Additionally, these forum selection clauses may limit our stockholders' ability to bring a claim in a judicial forum that they find favorable for disputes with us or our directors, officers or employees, which may discourage the filing of lawsuits against us and our directors, officers and employees, even though an action, if successful, might benefit our stockholders. In addition, while the Delaware Supreme Court and other states courts have upheld the validity of federal forum selection provisions purporting to require claims under the Securities Act be brought in federal court, there is still some uncertainty as to whether other courts will enforce our Federal Forum Provision. If the Federal Forum Provision is found to be unenforceable, we may incur additional costs associated with resolving such matters. The Court of Chancery of the State of Delaware and the federal district courts of the United States may reach different judgments or results than would other courts, including courts where a stockholder considering an action may be located or would otherwise choose to bring the action, and such judgments may be more or less favorable to us than our stockholders.