SoFi Technologies, Inc. — Risk Factors Analysis (10-K, FY2025)

SoFi Technologies, Inc.

TABLE OF CONTENTS

Item 1A. Risk Factors

In evaluating our company and our business, you should carefully consider the risks and uncertainties described below, together with the other information in this Annual Report on Form 10-K, including our consolidated financial statements and the related notes and the section titled "Management's Discussion and Analysis of Financial Condition and Results of Operations". The occurrence of one or more of the events or circumstances described in these risk factors, alone or in combination with other events or circumstances, may have a material adverse effect on our business, reputation, revenue, financial condition, results of operations or future prospects, in which case the market price of our common stock could decline, and you could lose part or all of your investment. Unless otherwise indicated, references in this section and elsewhere in this Annual Report on Form 10-K to our business being adversely affected, negatively impacted or harmed will include an adverse effect on, or a negative impact or harm to, our business, reputation, financial condition, results of operations, revenue or our future prospects. The material and other risks and uncertainties summarized in this Annual Report on Form 10-K and described below are not intended to be exhaustive and are not the only ones we face. Additional risks and uncertainties not presently known to us or that we currently deem immaterial may also impair our business. This Annual Report on Form 10-K also contains forward-looking statements that involve risks and uncertainties. Our actual results could differ materially from those anticipated in the forward-looking statements as a result of a number of factors, including the risks described below. See the section titled "Cautionary Statement Regarding Forward-Looking Statements".

Summary Risk Factors

Our business is subject to numerous risks and uncertainties, which illuminate challenges that we face in connection with the successful implementation of our strategy and the growth of our business. Our business, prospects, financial condition or operating results could be harmed by any of these risks, as well as other risks not currently known to us or that we currently consider immaterial. These risks are discussed more fully below and include, but are not limited to:

Business, Financial and Operational Risks

•our ability to successfully identify and address the risks and uncertainties we face, particularly with respect to certain rapidly evolving industries, including digital asset and blockchain innovations, and with respect to continued expansion abroad;

•demands on our resources, intense and increasing competition, and the success of our business model;

•legislative and regulatory policies and related actions that apply or may apply to us, particularly as a result of our operating a bank and as a bank holding company, in connection with our digital asset and blockchain offerings and student loans, from our continued expansion abroad, given our brokerage and investment advisory activity, or related to services provided by our technology platform;

•loss of one or more significant purchasers of our loans or additional significant technology platform clients;

•adverse developments affecting the financial services industry, such as actual events or concerns involving liquidity, defaults, or non-performance by financial institutions or transactional counterparties;

•uncertainty of macroeconomic conditions and the impact of macroeconomic factors, including changes in governmental policy, regulatory responses, applicable laws and regulations, fluctuating inflation and interest rates, delinquency rates on consumer debt, changes in consumer discretionary spending and economic uncertainty;

•failure of third-party service providers or systems on which we rely or, in the event we move certain services or systems in-house, our ability to successfully perform those services or implement and operate those systems;

•cyberattacks and other security breaches that may harm our brand and reputation and the expense of which may stress our resources;

Risks Related to Market and Interest Rates

•cost and availability of funding in the capital markets and fluctuations in interest rates could impact our ability to operate our business;

•higher than expected payment rates of loans have in the past and could in the future negatively impact our returns as the holder of the residual interests in securitization trusts;

•decreased demand for certain lending products due to changes in interest rates, such as student loans and home loans, could negatively impact our results of operations;

•an inability to maintain a competitive annual percentage yield on deposits could cause members to transfer checking and savings account balances to our competitors;

29

SoFi Technologies, Inc.

TABLE OF CONTENTS

Risks Related to Strategic and New Products

•potential and past acquisitions that require significant attention could disrupt our business and adversely affect our financials;

•we may fail to innovate or respond to evolving technological or other changes;

•we may experience an increase in fraudulent activity, particularly in connection with our personal loans product, credit card and SoFi Money;

•inability to increase fee-based, capital-light revenue sources and continue to expand our Loan Platform Business;

•we are subject to increased business, economic and regulatory risks from continued expansion abroad, given our brokerage and investment advisory activity, or related to services provided by our technology platform;

Credit Market Related Risks

•we could be adversely impacted by worsening economic conditions, including general economic uncertainty, fluctuating inflation and interest rates, market volatility, the cyclical nature of our industry, and our ability to maintain expected levels of liquidity;

•our inability to make accurate credit and pricing decisions or effectively forecast our loss rates;

•the discharge of qualified student loans in bankruptcy in certain circumstances;

•the failure of our third-party service providers to perform functions related to the origination and servicing of loans;

•financial issues or liquidity issues experienced by our technology platform clients could result in termination of, or inability to pay for, the services we provide;

Risks Related to Funding and Liquidity

•our ability to retain, increase or secure new or alternative financing, including through deposits, to finance our business and the receivables that we originate or other assets that we hold;

•termination of one or more of our warehouse facilities;

•our ability to sell the loans we originate to third parties;

•increases in member loan default rates or the possibility of being required to repurchase loans or indemnify the purchasers of our loans;

Regulatory, Tax and Other Legal Risks

•our exposure to evolving laws, rules, regulations and government enforcement policies, and potential enforcement actions, litigation, investigations, exams or inquiries or impairment of licenses;

•changes in business, economic or political conditions;

•failure to comply with laws and regulations, including related to banks and bank holding companies, consumer financial protection, anti-money laundering, anti-corruption or privacy, information security and data protection;

•increased regulatory scrutiny of the services provided by our technology platform;

•application of regulations and supervision under banking and securities laws and regulations;

•our ability to efficiently protect our intellectual property rights;

•failure to comply with open source licenses for open source software included in our or any of our subsidiaries' platforms;

•the risk that we are, or any of our subsidiaries is, determined to have been subject to registration as an investment company under the Investment Company Act;

Personnel and Business Continuity Risks

•the loss of key management members or key employees, or an inability to hire key personnel;

•natural disasters, power outages, telecommunications failures, man-made problems and similar events;

•employee misconduct;

Risk Management and Financial Reporting Risks

•our ability to effectively mitigate risk exposure;

•our ability to establish and maintain proper and effective internal control over risk management processes and procedures and financial reporting;

30

SoFi Technologies, Inc.

•adjustments to our key business metrics, including adjustments to the total number of members or products in the event a member is removed in accordance with our terms of service which may not be reflected in the current period;

•changes in accounting principles generally accepted in the United States;

•incorrect estimates or assumptions by management in connection with the preparation of our financial statements;

Information Technology and Data Risks

•breach or violation of law by a third party on which we depend;

•cyberattacks and other security breaches or disruptions of our systems or third-party systems on which we rely, including our cloud computing services arrangement, disruptions that may impact our ability to collect loan payments and maintain accurate accounts, or our ability to provide services to our technology platform clients;

•cyber breaches or intrusions, including successful social engineering attacks, such as phishing, that imperil the confidential information of our members, prospective members, technology platform clients and the customers of our technology platform clients, and employees and third-party service providers, and may harm our reputation and brand;

•technology challenges related to the collection, processing, use, storage and transmission of personal data;

•liabilities related to the data, models, and use of artificial intelligence ("AI") in products or business processes;

Risks Related to Ownership of Our Securities

•volatility in the price of our common stock, changes in analyst ratings or expectations, and future dilution of our stockholders;

•possibility of securities litigation, which is expensive and time consuming; and

•failure to comply with Nasdaq continued listing standards.

Business, Financial and Operational Risks

We operate in rapidly evolving industries and have limited experience in parts of our Financial Services and Technology Platform segments, which may make it difficult for us to successfully identify and address the risks and uncertainties we face.

We operate in rapidly evolving industries which may make it difficult to successfully identify risks to our business and evaluate our future prospects. In addition, in recent years, we have rapidly expanded our operations to include or grow, among other things, deposit accounts, credit cards, investment services, technology solutions, home loan originations, small business financing solutions, loan platform business solutions, alternative investments, digital asset and blockchain innovations, and international operations, and we have limited experience in these areas. In the first quarter of 2022, we acquired a bank charter and face risks as a result of our lack of experience operating a bank and as a bank holding company. We also acquired Technisys in the first quarter of 2022, which furthered our international expansion into Latin America and introduced new risks due to our limited history of operations in certain Latin American countries. In 2023, we acquired Wyndham, a fintech mortgage lender, which expanded our home loan business. In 2024, we adopted our Technology Platform's Cyberbank Core in connection with the launch of a commercial payment services sponsor bank program. In 2025, SoFi Bank launched SoFi Crypto in the U.S., and SoFi Securities (Hong Kong) Limited launched crypto trading in Hong Kong, giving members the ability to buy, sell and hold digital assets, and we launched self-serve global remittance services in over thirty countries, allowing SoFi members to seamlessly and securely transfer money internationally. In addition, in 2025, SoFi Bank launched SoFi Smart Card, a charge card secured by the member's SoFi Money checking and savings Account, to SoFi Plus members.

In addition to the events above, we face numerous challenges to our success, including our ability to:

•increase or maintain the number, volume and types of, and add new features to, the loans we extend to our members as the market for loans evolves and as we face new and increasing competitive threats;

•successfully integrate our past and future acquisitions;

•increase the number of members utilizing our non-lending products, including our direct deposit feature, and maintain and build on the loyalty of existing members by increasing their use of new or additional products;

•continue to increase our fee-based revenue within our Loan Platform Business, including fees earned for originating loans on behalf of third-party partners and fees earned for referring loans to be originated by third party partners;

•successfully maintain and enhance our diversified funding strategy, including through deposits, securitization financing from consolidated and nonconsolidated VIEs, whole loan sales, and debt warehouse facilities;

31

SoFi Technologies, Inc.

•further establish, diversify and refine our checking and savings, credit card, investment and brokerage offerings to meet evolving consumer needs and preferences, such as the introduction of products based on digital asset and blockchain innovations and the SoFi Smart Card;

•offer an attractive annual percentage yield on our deposits compared to our competitors and manage deposit costs;

•diversify our revenue streams across our products and services;

•favorably compete as a service provider with other companies and banks, including traditional and alternative technology-enabled lenders, financial service providers, broker-dealers, social media and other commerce platforms and applications that offer peer-to-peer, in-app and social commerce payment capabilities, and technology platform;

•continue to realize the benefits of operating a bank;

•introduce new products or other offerings, as well as new or improved technologies, to meet the needs of our existing and prospective members and clients or to keep pace with competitive lending, checking and savings, credit card, investment, technology, including digital asset, blockchain and AI innovations, and other developments;

•successfully navigate the evolving regulatory environment for digital assets and blockchain technology;

•maintain or increase the effectiveness of our direct marketing and other sales and marketing efforts, and maintain our brand;

•successfully design, develop, integrate, operate and maintain technology systems at scale and with a high degree of reliability that support our member growth and product adoption;

•successfully navigate economic conditions and fluctuations in the credit markets, including fluctuating inflation and interest rates, and economic uncertainty;

•continue to add new clients and new products to existing clients in our technology platform as a service business;

•successfully identify financial issues or liquidity issues experienced by our technology platform clients that could result in termination of, or their inability to pay for, our technology platform services;

•successfully diversify our technology platform clients into new industry verticals and new geographies;

•successfully identify a slowdown or acceleration in the business growth of our technology platform clients to ensure aligned costs and capabilities;

•successfully navigate the evolving regulatory environment for a technology platform as a service provider;

•establish fraud prevention strategies that proactively identify threat vectors and mitigate losses;

•defend our platform from information security vulnerabilities, cyberattacks or malicious attacks;

•effectively manage the growth of our business;

•effectively manage our expenses;

•obtain debt or equity capital on attractive terms or at all;

•successfully continue to expand internationally;

•adequately respond to macroeconomic and other exogenous challenges, including fluctuating interest rates, market volatility, particularly in the financial services industry, changes in consumer confidence, consumer discretionary spending and loan delinquency rates, pandemics or other health-related crises, the confrontation in Venezuela, the ongoing conflict in the Middle East, the ongoing war in Ukraine, and significant changes related to governmental policy, rules and regulations or executive actions;

•maintain successful relationships with our governmental regulatory agencies and law enforcement authorities, as well as self-regulatory agencies; and

•anticipate and react to changes in an evolving regulatory and political environment.

We may not be able to successfully address the risks and uncertainties we face, which could negatively impact our business, financial condition, results of operations, cash flows and future prospects.

We have a history of losses and may experience net losses in the future and there is no assurance that our revenue and business model will be successful.

We have a history of net losses prior to the fourth quarter of 2023. We may incur net losses in the future, and any such losses may fluctuate significantly from quarter to quarter. We will need to continue to generate and sustain significant revenues

32

SoFi Technologies, Inc.

for our business generally and achieve greater scale and generate increasing operating cash flows from our Financial Services and Technology Platform segments, in particular, in future periods, as well as successfully navigate the macroeconomic environment, in order to maintain or increase our level of profitability. We intend to continue to invest in new products and businesses, which has in the past and may in the future cause us to fund and operate aspects of our business at a loss. We also intend to continue to invest in sales and marketing, technology, and additional products and services in order to enhance our brand, our brand recognition and our value proposition to our members, prospective members and clients in our technology platform business, and these continued investments and costs could create further challenges to maintaining or increasing profitability. Our general and administrative expenses have in the past and may in the future increase to meet the increased compliance and other requirements associated with operating as a public company and a bank holding company, operating a bank, and evolving regulatory requirements and policy changes. See "Regulatory, Tax and Other Legal Risks-As a bank holding company, we are subject to extensive supervision and regulation, and changes in laws and regulations applicable to bank holding companies could limit or restrict our activities and could have a material adverse effect on our operations".

We are continuously refining our revenue and business model, which is premised on creating a virtuous cycle for our members to engage with more products across our platform, a strategy we refer to as the Financial Services Productivity Loop, and, with respect to our Technology Platform segment, adoption by clients of additional platform as a service offerings. There is no assurance that our revenue and business model, or any changes to our revenue and business model to better position us with respect to our competitors, will be successful. Our efforts to continue to grow our business may be more costly than we expect, and we may not be able to maintain or increase our revenue sufficiently to offset our higher operating expenses. We may incur future losses and we may be unable to maintain profitability, for a number of reasons, including the risks described in this Annual Report on Form 10-K, unforeseen expenses, difficulties, complications and delays, differences between our assumptions and estimates and results, the effects of macroeconomic conditions and other unknown events.

We have experienced rapid growth in recent years, including through the addition of new products and lines of business and entry into new geographies, which may place significant demands on our operational, risk management, sales and marketing, technology, compliance, and finance and accounting resources.

Our rapid growth in certain areas of our business in recent years, primarily within our Financial Services and Technology Platform segments, as well as operating a bank and as a bank holding company, has placed significant demands on our operational, risk management, sales and marketing, technology, compliance, and finance and accounting infrastructure, and has resulted in increased expenses, a trend that we expect to continue as our business grows. In addition, we are required to continuously develop and adapt our systems and infrastructure in response to the increasing sophistication of the consumer financial services market, changing technologies, an evolving fraud, privacy and information security landscape, and regulatory developments, both domestically and internationally, relating to our existing and projected business activities. Our future growth will depend on, among other things, our ability to maintain an operating platform and management system able to address such growth, our ability to grow and optimize deposit balances, and our ongoing ability to demonstrate to our regulators that our risk management and compliance practices are growing and evolving in a commensurate fashion, all of which has required, and we expect will continue to require, us to incur significant additional expenses, expand our workforce and commit additional time from senior management and operational resources. We may not be able to manage supporting and expanding our operations effectively, and any failure to do so would adversely affect our ability to increase the scale of our business, generate projected revenue and control expenses.

Our results of operations and future prospects depend on our ability to retain existing members and attract new members. We face intense and increasing competition and, if we do not compete effectively, our competitive positioning and our operating results will be harmed.

We operate in a rapidly changing and highly competitive industry, and our results of operations and future prospects depend on, among others:

•the continued growth and engagement of our member base;

•our ability to further monetize our member base, including through the use of additional products by our existing members;

•our ability to acquire members at a lower cost; and

•our ability to increase the overall value to us of each of our members while they remain on our platform (which we refer to as a member's lifetime value).

We expect our competition to continue to increase, as there are no substantial barriers to entry to certain of the markets we serve. Certain of our current and potential competitors have longer operating histories, particularly with respect to our financial services products, including digital asset and blockchain offerings, significantly greater financial, technical, marketing

33

SoFi Technologies, Inc.

and other resources, and a larger customer base than we do. This allows them to potentially offer more competitive pricing or other terms or features, a broader range of financial products, or a more specialized set of specific products or services, as well as respond more quickly than we can to new or emerging technologies and changes in member preferences. In addition to established enterprises, we may also face competition from early-stage companies, or companies in industries not typically associated with financial services, such as social media and other commerce platforms, attempting to capitalize on the same, or similar, opportunities as we are. Our existing or future competitors may develop products or services that are similar to our products and services or that achieve greater market acceptance than our products and services. This could attract current or potential members away from our services and reduce our market share in the future. Additionally, when new competitors seek to enter our markets, or when existing market participants seek to increase their market share, these competitors sometimes undercut, or otherwise exert pressure on, the pricing terms prevalent in that market, which could adversely affect our market share and/or our ability to capitalize on market opportunities.

We currently compete at multiple levels with a variety of competitors, including:

•other personal loan, student loan refinancing, in-school student loan and home loan lenders, including other banks and other financial institutions, as well as credit card issuers, that can offer more competitive interest rates or terms;

•banks and other financial institutions, with respect to our checking and savings accounts;

•rewards credit cards provided by other financial institutions, with respect to our SoFi Credit Card;

•other brokerage firms, including online or mobile platforms, and other companies for our SoFi Invest accounts;

•other mortgage lenders, including fintech-focused lenders, and other companies for our home loans;

•social media and other commerce platforms and applications that offer peer-to-peer, in-app and social commerce payment capabilities;

•other digital asset and global remittance service providers for our SoFi Crypto and self-serve global remittance products;

•other technology platforms with respect to the enterprise services we provide, such as technology products and solutions via Galileo and Technisys;

•other content providers for subscribers to our financial services content, including content from alternative providers available to our subscribers through our Lantern service, which is a financial services aggregator providing marketplace lending products, and various enterprise partnerships; and

•other financial services firms offering employers a comprehensive platform for employees to build financial well-being through student loan and 529 educational plan contributions, educational tools, and financial resources, all of which we provide through SoFi At Work.

We believe that our ability to compete depends upon many factors both within and beyond our control, including, among others, the following:

•the size, diversity and lifetime value of our member base and technology platform clients;

•our ability to introduce successful new products and services, as well as new or improved technologies, or to iterate and innovate on existing products or services to satisfy evolving member and technology platform client preferences or to keep pace with market trends;

•our ability to diversify our revenue streams across our products and services, and cost effectively acquire new members and technology platform clients;

•the timing and market acceptance of our products and services, including developments and enhancements to those products and services, offered by us and our competitors;

•member and technology platform client service and support efforts;

•selling, marketing and promotional efforts;

•our ability to continue to expand the Loan Platform Business with existing and new loan origination partners;

•our ability to continue to increase our fee-based revenue and diversify our revenue base;

•our ability to compete on price, particularly with respect to SoFi Invest and the Technology Platform where demand for our products and services may be affected if we are unable to compete with other brokerages or technology-as-a-service providers on price;

•our ability to offer competitive interest rates on deposit accounts;

34

SoFi Technologies, Inc.

•the ease of use, performance, price and reliability of solutions developed either by us or our competitors;

•our ability to attract and retain talent;

•changes in economic conditions, and regulatory and policy developments;

•our ability to successfully operate a national bank, grow deposits and realize the potential benefits to our members;

•our ability to successfully scale our products and services and execute on our Financial Services Productivity Loop strategy and our other business plans, including successfully integrating our acquisitions and diversifying our technology platform clients into new industry verticals and new geographies;

•general market conditions and their impact on our liquidity and ability to access funding;

•the impact of macroeconomic conditions, including changes in interest rates, stock market volatility, changes in consumer confidence, consumer discretionary spending, and any changes in loan default rates, and related developments on the lending and financial services markets we serve; and

•our brand strength relative to our competitors.

Our current and future business prospects demand that we act to meet these competitive challenges but, in doing so, our revenues and results of operations could be adversely affected if we, for example, increase marketing or other expenditures or make new expenditures in other areas. Competitive pressures could also result in us reducing the annual percentage rate on the loans we originate, increasing the annual percentage rate we pay on the checking and savings product, charging fees for services we currently provide for free, such as SoFi Plus, incurring higher member or technology platform client acquisition costs, or make it more difficult for us to grow our loan originations in both number of loans and volume by principal balance for new as well as existing members or expand the adoption of additional products by our current, or acquire new, technology platform clients. All of the foregoing factors and events could adversely affect our business, financial condition, results of operations, cash flows and future prospects.

Market volatility and adverse changes in financial market conditions may increase our market risk.

Our liquidity, competitive position, business, results of operations and financial condition are affected by market risks such as changes in interest rates, fluctuations in equity, commodity and futures prices, the implied volatility of interest rates and credit spreads and other economic and business factors. These market risks may adversely affect, among other things, the value of our securities, the cost of debt capital and our access to credit markets, customer allocation of capital among investment alternatives, and our competitiveness with respect to deposit pricing, and may negatively impact customer confidence in the safety and soundness of banks. In times of market stress or other unforeseen circumstances, previously uncorrelated indicators may become correlated, which may limit the effectiveness of our strategies to manage these risks.

Our future growth depends significantly on our branding and marketing efforts, and if our marketing efforts are not successful or we receive negative publicity, our business and results of operations will be harmed.

We have invested significantly in our brand and believe that maintaining and enhancing our brand identity is critical to our success. Our ability to attract members depends in large part on the success of these marketing efforts and the success of the marketing channels we use to promote our products. Our marketing channels include, but are not limited to, earned media through press, social media and search engine optimization, as well as paid advertising, such as online affiliations, search engine marketing, digital marketing, social media marketing, influencer marketing, offline partnerships, out-of-home, direct mail, lifecycle marketing and television and radio advertising. Our ability to compete for, attract and maintain members, lending counterparties, Loan Platform Business counterparties, marketing partners and other partners relies to a large extent on their trust in our business, our reputation and the value of our brand. While our goal remains to increase the strength, recognition and trust in our brand by increasing our member base and expanding our products and services, if any of our current marketing channels becomes less effective, if regulatory requirements, including the CFPB and FDIC's advertising rules, restrict or diminish our ability to use these channels, if we are unable to continue to use any of these channels, if we receive negative publicity or fail to maintain our brand, if the cost of using these channels significantly increases or if we are not successful in generating new channels, we may not be able to attract new members or increase the activity of our existing members on our platform in a cost-effective manner. For example, in February 2024, the CFPB released a Consumer Financial Protection Circular, warning digital comparison-shopping tool operators and lead generators that marketing practices that take unreasonable advantage of a consumer's reasonable reliance on the operator or lead generator to act in the consumer's interests may violate the CFPA prohibition on abusive acts or practices. Such unreasonable advantage can include distorting the shopping experience for a consumer financial product or service by giving preferential treatment to an operator or lead generator's own or other products or services through steering or enhanced product placement, for financial or other benefits. If we are unable to recover our marketing costs through increases in the size, value or the overall number of loans we originate, or member selection and utilization of other SoFi products such as SoFi Money, SoFi Invest, SoFi Credit Card and SoFi Crypto, it

35

SoFi Technologies, Inc.

could have a material adverse effect on our business, financial condition, results of operations, cash flows and future prospects. In addition, negative publicity can adversely affect our reputation and damage our brand, and may arise from many sources, including actual or alleged misconduct, errors or improper business practices by employees, employee claims of discrimination or harassment, product failures, existing or future litigation or regulatory actions, inadequate protection of consumer information by us or our third-party service providers, data breaches, matters related to or affecting our financial reporting or compliance with SEC and Nasdaq listing requirements and media coverage, whether accurate or not. Negative publicity or allegations could reduce demand for our products, result in a decrease in the price of our stock, undermine the loyalty of our members and the confidence of our lending counterparties and technology platform clients, impact our partnerships, reduce our ability to recruit and retain employees or lead to greater regulatory scrutiny, all of which could lead to the attrition of our members, lending counterparties, Loan Platform Business counterparties and/or technology platform clients and harm our results of operations. In addition, we and our officers, directors and/or employees have been, and may in the future be, named or otherwise involved in litigation or claims, including employment-related claims such as workplace discrimination or harassment, which could result in negative publicity and/or adversely impact our business, even if we are ultimately successful in defending against or litigating such claims.

Reputational harm, including as a result of our actual or alleged conduct or public opinion of the financial services industry generally, could adversely affect our business, results of operations, and financial condition.

Reputation risk, or the risk to our business, earnings and capital from negative public opinion, is inherent in our business and continues to increase substantially because of our size and profile in the financial services industry. Moreover, negative public opinion has in the past and could in the future result from actions by the financial services industry generally, including due to the failure of one or more additional banks, or by certain members or individuals in the industry and can adversely affect our reputation with no actual or alleged actions on our part. For example, public opinion of the financial services industry was negatively impacted following the 2023 closures of Silicon Valley Bank, Signature Bank, and First Republic Bank and generally resulted in decreases in the stock prices of financial services companies.

Negative public opinion could result from our actual or alleged conduct in any number of activities, including sales and marketing practices; consumer lending practices; loan origination or servicing activities; mortgage foreclosure actions; management of client accounts or investments; lending, investing or other business relationships; identification and management of potential conflicts of interest from transactions; obligations and interests with and among our members or customers; environmental, social and governance practices; litigation or regulatory actions taken by us or to which we are a party; regulatory compliance; risk management; incentive compensation practices; and disclosure, sharing or inadequate protection or improper use of member or customer information, and from actions taken by government regulators and community or other organizations in response to that conduct. Although we have policies and procedures in place intended to detect and prevent conduct by us, our employees and third-party service providers that could potentially harm members or customers or our reputation, there is no assurance that such policies and procedures will be fully effective in preventing such conduct.

Furthermore, our actual or perceived failure to address or prevent any such conduct or otherwise to effectively manage our business or operations could result in significant reputational harm. For example, our marketing strategy includes an emphasis on social media. Social media provides a powerful medium for consumers, employees and others to communicate their approval of or displeasure with a business. This aspect of social media is especially challenging because it allows any individual to reach a broad audience with an ability to respond or react, in near real time, with comments that are often not filtered or checked for accuracy. We monitor social media metrics for their impact on our business but if we are unable to quickly and effectively respond, any negative publicity could "go viral", causing nearly immediate and potentially significant harm to our brand and reputation, and our business, whether or not factually accurate, including a significant withdrawal of deposits from SoFi Bank within a short period of time.

Our reputation and/or business could be negatively impacted by ESG matters and/or our reporting of such matters.

We communicate certain ESG-related initiatives regarding our employees, climate-related commitments, governance-related metrics, including for executive compensation, and other matters in our ESG Report, on our website, in our filings with the SEC, and elsewhere. These initiatives and commitments could be difficult to achieve and costly to implement. We could fail to achieve, or be perceived to fail to achieve, our ESG-related initiatives or commitments. In addition, we could be criticized for the timing, scope or nature of these initiatives or commitments, or for any revisions to them. To the extent that our required and voluntary disclosures about ESG matters change, we could be criticized for the accuracy, adequacy, or completeness of such disclosures. Our actual or perceived failure with respect to our ESG-related initiatives or commitments could negatively impact our reputation, result in ESG-focused investors not purchasing and holding our stock, or otherwise materially harm our business.

36

SoFi Technologies, Inc.

We also face risk from evolving standards, regulations and disclosure requirements related to ESG, which we may fail to satisfactorily meet. For example, a number of state legislators and regulators have adopted or are currently considering proposing or adopting other rules, regulations, directives, initiatives and laws requiring ESG-related disclosures or conduct, including California laws S.B. 253, S.B. 261 and A.B. 1305. The adoption of these and similar laws could require us to, among other things, expend material capital resources in connection with compliance efforts. Furthermore, there continues to be a lack of consistent proposed climate change and ESG-related legislation and guidance, which creates regulatory and economic uncertainty. Such matters can affect the willingness or ability of investors to make an investment in our Company, as well as our ability to meet regulatory requirements. Any failure, or perceived failure, to meet evolving regulations and industry standards could have an adverse effect on us.

In addition, in recent years "anti-ESG" sentiment has gained momentum across the U.S., with several states and Congress having proposed or enacted "anti-ESG" policies, legislation, or initiatives or issued related legal opinions, and President Trump having issued an executive order discouraging diversity equity and inclusion ("DEI") initiatives in the private sector. Such anti-ESG and anti-DEI-related policies, legislation, initiatives, litigation, legal opinions, and scrutiny could result in volatility of our stock price and the Company facing additional compliance obligations, becoming the subject of investigations and enforcement actions, or sustaining reputational harm.

We may experience fluctuations in our quarterly operating results.

We may experience fluctuations in our quarterly operating results due to a number of factors, including changes in the fair values of our instruments (including, but not limited to, our loans), the level of our expenses, the degree to which we encounter competition in our markets, general economic conditions, significant changes in default rates on loans, including credit card receivables, the rate and credit market environment and our ability to raise our coupon rates along with interest rates that are higher than those in the recent past, legal or regulatory developments, changing demographics, and legislative, regulatory or policy changes. In light of these factors, results for any period should not be relied upon as being indicative of performance in future periods.

We sell our loans to a concentrated number of whole loan purchasers and the loss of one or more significant purchasers could have a negative impact on our operating results.

Although we continue to hold loans on-balance sheet for longer periods, when we sell our personal loans, student loans and home loans, we sell to a concentrated number of whole loan purchasers. There are inherent risks whenever a large percentage of a business is concentrated with a limited number of parties. It is not possible for us to predict the future level of demand for our loans by these or other purchasers. In addition, purchases of our loans by these purchasers have historically fluctuated and may continue to fluctuate based on a number of factors, certain of which may be outside of our control, including economic conditions, the availability of alternative investments, changes in the terms of the loans, loans offered by competitors, prevailing interest rates and a change in business plan, liquidity or strategy by the purchaser. If any of these purchasers significantly reduces the dollar amount of the loans it purchases from us, we may be unable to sell those loans to another purchaser on favorable terms or at all, which may require us to reduce originations or hold additional loans on our balance sheet and may reduce our flexibility in making financing decisions. In addition, the loss of one or more significant purchasers of our loans could increase the volatility of the mark-to-market methodology we use to determine the fair value of the loans we hold on balance sheet. This may have a material adverse effect on our revenues, results of operations, capital requirements, liquidity and cash flows.

We originate personal loans under the Loan Platform Business for a concentrated number of counterparties, and the loss of one or more significant Loan Platform Business counterparties could have a negative impact on our operating results.

We originate personal loans under the Loan Platform Business for a concentrated number of counterparties. Although Loan Platform Business counterparties agree to purchase on a largely committed basis, there are inherent risks whenever a large percentage of a business is concentrated with a limited number of parties. It is not possible for us to predict the future level of demand for our personal loans by these or other Loan Platform Business counterparties. In addition, purchases of our personal loans by these Loan Platform Business counterparties have historically fluctuated and may continue to fluctuate based on a number of factors, certain of which may be outside of our control, including economic conditions, the availability of alternative investments, changes in the terms of the personal loans, personal loans offered by competitors, prevailing interest rates and a change in business plan, liquidity or strategy by the counterparty. If any of these counterparties significantly reduces the dollar amount of the Loan Platform Business loans it orders from us, we may be unable to find another counterparty for the Loan Platform Business on favorable terms or at all, which may require us to reduce originations under the Loan Platform Business or hold additional loans on balance sheet and may reduce our flexibility in making financing decisions. This may have a material adverse effect on our revenues, results of operations, capital requirements, liquidity and cash flows.

37

SoFi Technologies, Inc.

Galileo and Technisys depend on a small number of clients, the loss or disruptions in operations of any of which could have a material adverse effect on their businesses and financial results, and negatively impact our financial results and results of operations.

Galileo and Technisys revenue from clients is highly concentrated and a significant Galileo client recently moved to a competitor. There are inherent risks whenever a large percentage of net revenue is concentrated with a limited number of clients, including fluctuations in revenue, the loss of any one or more of those clients as a result of bankruptcy or insolvency proceedings involving the client, the loss of additional clients to a competitor, harm to that client's reputation or financial prospects or other reasons, including adverse general economic conditions affecting Galileo and Technisys clients many of which are fintechs and other financial services firms. Any further reduction in the amount of revenue that we derive from these clients, without an offsetting increase in new sales to other clients, has had and could have a material adverse effect on our operating results in the future. A significant change in the liquidity or financial position of our clients could also have a material adverse effect on our liquidity and our future operating results. In addition, disruptions in the operations of certain of Galileo's key clients have had an adverse impact on Galileo, and any future disruptions in the operations of any key Galileo or Technisys clients could be material and have an adverse impact on our results of operations.

We rely on third parties to perform certain key functions, and their failure to perform those functions could adversely affect our business, financial condition and results of operations.

We rely on certain third-party computer systems or third-party service providers, including cloud technology providers such as AWS, internet service providers, payment services providers, including for our self-serve global remittance product, market and third-party data providers, regulatory and compliance services providers, clearing systems, market makers and other liquidity providers, exchange systems, banking technology systems, co-location facilities, communications facilities and other facilities to run our platform, facilitate trades by our members and support or carry out certain functions. For example, to provide our checking and savings account, cash management account, credit cards and other products and services, we rely on third parties that we do not control, such as payment card networks, our acquiring and issuing processors, payment card issuers, various financial institution partners, systems like the ACH, and other partners. We rely on these third parties for a variety of services, including the transmission of transaction data, processing of chargebacks and refunds, settlement of funds, and the provision of information and other elements of our services. In addition, external content providers provide us with financial information, market news, charts, option and stock quotes, digital assets quotes, research reports and other fundamental data that we provide to our members. Any interruption in these third-party services, or deterioration in the quality of their service or performance, could be disruptive to our business. Furthermore, third parties may rely on AI or machine learning for the services they provide us and, given that the regulatory framework relating to the use of AI and machine learning services in the provision of financial services is still developing, the third parties' use of such technologies may impact their ability to carry out certain functions or impact the quality of their service or performance.

Our third-party service providers are susceptible to, and have experienced, operational, technological and security vulnerabilities, including security incidents and breaches and outages, which may impact our business, and our ability to monitor our third-party service providers' data security is limited. In addition, these third-party service providers may rely on subcontractors to provide services to us that face similar risks.

Failures or security incidents or breaches by or of our third-party service providers or their subcontractors that result in an interruption in service, unauthorized access, misuse, loss or destruction of data or other similar occurrences could interrupt our business, have in the past and could in the future cause us to incur losses, result in decreased member or client satisfaction and increase member or client attrition, subject us to member or client complaints, significant fines, litigation, disputes, claims, regulatory investigations or other inquiries and harm our reputation. Through contractual provisions and third-party risk management processes, we take steps to require that our providers, and their subcontractors, protect our data and information, including personal data. However, due to the size and complexity of our technology platform and services, the amount of data that we store and the number of members, technology platform clients, employees and third-party service providers with access to personal data, we, our third-party service providers and their subcontractors are potentially vulnerable to a variety of intentional and inadvertent cybersecurity breaches and other security-related incidents and threats, which could result in a material adverse effect on our business, financial condition and results of operations. Furthermore, any contractual protections we may have from our third-party service providers may not be sufficient to adequately protect us against such consequences, and we may be unable to enforce any such contractual protections. For example, certain of our contracts may not contain limitations of liability, and even where they do, there can be no assurance that limitations of liability in our contracts are sufficient to protect us from liabilities, damages, or claims related to our privacy and data security obligations.

In addition, there is no assurance that our third-party service providers or their subcontractors will be able to continue to provide these services to meet our current needs in an efficient, cost-effective manner or that they will be able to adequately

38

SoFi Technologies, Inc.

expand their services to meet our needs in the future. Certain of our vendor agreements are terminable on short or no notice, and if current vendors were to stop providing services to us on acceptable terms, we may be unable to procure alternatives from other vendors in a timely and efficient manner and on acceptable terms, or at all. An interruption in or the cessation of service by our third-party service providers or their subcontractors, coupled with our possible inability to make alternative arrangements in a smooth, cost-effective and timely manner, could have adverse effects on our business, financial condition and results of operations.

Certain aspects of the services we provide also rely and depend upon the ability of third parties with whom we do not contract directly to perform specified tasks or execute certain functions. For example, our customers access trading venues like securities exchanges through third parties like clearing brokers. If a trading venue experiences a system error and/or a failure of controls, subsequent trades may be impacted, such as trading executed at anomalous pricing. Similarly, if a trading venue experiences an outage, our customer's ability to place trades or our ability to effect transactions in securities on behalf of customers via our broker-dealer may be impacted. As a result of these impacts, we might experience customer complaints, loss of revenue or other financial loss, or we may have to respond to regulatory inquiries related to such outages.

If a service provider or their subcontractor fails to either provide the services required or expected or meet applicable contractual or regulatory requirements such as service levels or compliance with applicable laws, the failure could negatively impact our business. Such a failure could also adversely affect the perception of the reliability of our networks and services and the quality of our brand, which could materially adversely affect our business and results of operations.

Further, we may, from time to time, decide to modify or terminate relationships with third-party service providers and to perform certain functions and/or services internally. For example, we historically used a third party bank to issue the SoFi Money debit cards and sponsor access to debit networks for payment transactions, funding transactions and associated settlement of funds, and sponsor and support ACH, check and wire transactions along with associated funds settlement. However, after gaining direct access to debit networks, we directly perform certain services previously sponsored by the third party bank. Although we have performed these services satisfactorily to date, there is no guarantee we will be able to continue to do so. Additionally, the migration of any such functions and/or services may introduce additional risks and could cause disruption to our business.

Our oversight of third-party service providers is subject to regulation, supervision and examination by our prudential and other regulators, and if our oversight is found to be lacking, it may adversely affect our business.

Because we are a bank holding company subject to regulation, supervision and examination by the Federal Reserve, and because SoFi Bank is subject to regulation, supervision and examination by the OCC and the FDIC, and SoFi Bank and its affiliates are subject to regulations issued by the CFPB, our and SoFi Bank's oversight of third-party service providers is subject to regulatory oversight. In 2024, the Federal Reserve, OCC and FDIC increased their focus on regulating banks' relationships and oversight over third-party service providers. For example, these agencies published interagency guidance and a joint statement on banks' vendor management practices and arrangements with third parties to deliver bank products and services in May 2024 and July 2024, respectively, and these and other regulatory authorities continued to scrutinize and take enforcement actions against banks and their business partners for insufficient third-party management programs in 2024.

In addition, because Galileo provides technology services to SoFi Bank, we are subject to additional regulatory scrutiny under Regulation W which requires, among other things, that arrangements between a bank and its affiliates are on market terms. If a regulatory authority found our or SoFi Bank's service provider oversight to be deficient or otherwise lacking, the regulatory authority could require that we or SoFi Bank implement corrective action, including limiting or terminating certain relationships with service providers, which could be costly and disruptive to our business and have an adverse effect on our regulatory affairs, reputation and results of operations.

A cyberattack or other security incident could result in significant costs and adversely affect our business, financial condition and results of operations.

We face risks related to cyberattacks and other security incidents, including unauthorized access to or disruption of our information systems and those of our third-party service providers and social engineering schemes that target our employees to gain access to our systems. A successful cyberattack, data breach, or other security incident could result in significant costs and adversely affect our business, financial condition, and results of operations. These costs include expenses for incident response, forensic investigations, system and member remediation, data recovery, and business interruption, as well as legal, regulatory, and contractual costs, including costs associated with required notifications, regulatory investigations, fines or penalties, litigation, settlements, and judgments. In addition, a cybersecurity incident could result in increased cybersecurity and insurance costs, including higher premiums or reduced availability of coverage. Any of the foregoing could materially and adversely

39

SoFi Technologies, Inc.

affect our business, financial condition, and results of operations. Further, we may face damages resulting from a cybersecurity incident in excess of our insurance policy limits.

Beyond these direct costs, a cybersecurity incident could cause reputational harm, loss of member, prospective member, technology platform client, employee or other third-party partner confidence, reduced demand for our products or services, and diversion of management and employee resources. Any of the foregoing could materially and adversely affect our business, financial condition, and results of operations. See "Information Technology and Data Risks-Cyberattacks and other security incidents and compromises could have an adverse effect on our business and systems, harm our brand and our reputation and expose us to liability. Efforts to prevent and respond to these attacks and incidents are costly" for additional information on the risks of cyberattacks and other security incidents to our business.

The conditional conversion feature of our convertible notes, if triggered, may adversely affect our financial condition.

Holders of our convertible notes issued in October 2021 and due in 2026 and our convertible notes issued in March 2024 and due in 2029 (collectively, the "notes") may be entitled to convert the notes during specified periods at their option. If one or more holders elect to convert their notes, we may settle converted principal through the payment of cash and/or shares of common stock, which could adversely affect our financial results and liquidity and could result in a decline in our stock price.

The Capped Call Transactions may affect the value of the notes and our common stock.

In connection with the issuance of the notes, we entered into privately negotiated capped call transactions (the "Capped Call Transactions") with certain financial institutions (the "Capped Call Counterparties"). The Capped Call Transactions are expected generally to reduce the potential dilutive effect on our common stock upon any conversion of the notes and/or offset any potential cash payments we are required to make in excess of the principal amount of converted notes, as the case may be, with such reduction and/or offset subject to a cap. In connection with establishing their initial hedges of the Capped Call Transactions, the Capped Call Counterparties or their respective affiliates entered into various derivative transactions with respect to our common stock and/or purchased shares of our common stock concurrently with or shortly after the pricing of the notes.

In addition, the Capped Call Counterparties and/or their respective affiliates may modify their hedge positions by entering into or unwinding various derivatives with respect to our common stock and/or purchasing or selling our common stock or other securities of ours in secondary market transactions following the pricing of the notes and from time to time prior to the maturity of the notes (and are likely to do so following any conversion of the notes, any repurchase of the notes by us on any fundamental change repurchase date, any redemption date or any other date on which the notes are retired by us, in each case if we exercise the relevant election to terminate the corresponding portion of the Capped Call Transactions). This activity could also cause or avoid an increase or a decrease in the market price of our common stock or the notes. The potential effect, if any, of these transactions and activities on the market price of our common stock or the notes will depend, in part, on market conditions and cannot be ascertained at this time. Any of these activities could adversely affect the value of our common stock.

We are subject to counterparty risk with respect to the Capped Call Transactions, and the Capped Call Transactions may not operate as planned.

The Capped Call Counterparties are financial institutions or affiliates of financial institutions, and we will be subject to the risk that any or all of them might default under the Capped Call Transactions. Our exposure to the credit risk of the Capped Call Counterparties will not be secured by any collateral. Global economic conditions have, from time to time, resulted in the actual or perceived failure or financial difficulties of many financial institutions. If a Capped Call Counterparty becomes subject to insolvency proceedings, we will become an unsecured creditor in those proceedings with a claim equal to our exposure at that time under our transactions with that Capped Call Counterparty. Our exposure will depend on many factors, but, generally, an increase in our exposure will be correlated with increases in the market price or the volatility of our common stock. In addition, upon a default by a Capped Call Counterparty, we may suffer more dilution than we currently anticipate with respect to our common stock. We can provide no assurances as to the financial stability or viability of any Capped Call Counterparty.

In addition, the Capped Call Transactions are complex, and they may not operate as planned. For example, the terms of the Capped Call Transactions may be subject to adjustment, modification or, in certain cases, renegotiation if certain corporate or other transactions occur. Accordingly, these transactions may not operate as we intend if we are required to adjust their terms as a result of transactions in the future or upon unanticipated developments that may adversely affect the functioning of the Capped Call Transactions.

40

SoFi Technologies, Inc.

Market and Interest Rate Risks

Our business and results of operations have in the past and may in the future be adversely affected by the financial markets, fiscal, monetary, and regulatory policies, and economic conditions generally.

Our business and results of operations are directly affected by elements beyond our control, including general economic, political, social and health conditions in the U.S. and in countries abroad. These elements can arise suddenly and the full impact can remain unknown or result in adverse effects, including, but not limited to, extreme volatility in credit, equity and foreign currency markets, changes to buying patterns of our members and prospective members or reductions in the credit quality of our members, and changes to the financial condition of our technology platform clients and prospective clients.

In particular, markets in the U.S. or abroad have been and may in the future be affected by the level and volatility of interest rates, availability and market conditions of financing, recessionary pressures, inflation and hyperinflation, supply chain disruptions, changes in consumer spending, employment levels, labor shortages, changes to fiscal policy, including expansion of U.S. federal deficit spending and resultant debt issuance, federal government shutdowns, developments related to the U.S. federal debt ceiling, changes in legislation, regulations or policy, energy prices, home prices, commercial property values, bankruptcies, a default by a significant market participant or class of counterparties, market volatility, liquidity of the global financial markets, the growth of global trade and commerce, exchange rates, trade policies, the availability and cost of capital and credit, disruption of communication, transportation or energy infrastructure and investor sentiment and confidence. Additionally, global markets have been and may in the future be adversely affected by the current or anticipated impact of climate change, extreme weather events or natural disasters, the emergence or continuation of widespread health emergencies or pandemics, cyberattacks or campaigns, military conflict (e.g., the confrontation in Venezuela, the ongoing conflict in the Middle East and the ongoing war in Ukraine), terrorism or other geopolitical events which may affect our results of operations. For example, although we do not have operations in the locations impacted by these conflicts, the ongoing conflict in these locations has led and could in the future lead to macroeconomic effects, including volatility in commodity prices and the supply of energy resources, instability in financial markets, supply chain interruptions, political and social instability, as well as an increase in cyberattacks and espionage. Also, any sudden or prolonged market downturn in the U.S. or abroad, as a result of the above factors or otherwise, could adversely affect our business, results of operations and financial condition, including capital and liquidity levels. We are not able to predict with any certainty the ultimate impact that any of these events, as well as any other future events, may have on our business.

Significant downturns in the securities markets or in general economic and political conditions have in the past and may in the future also decrease the demand for our products and services and could in the future result in our members reducing their engagement with our platform. In addition, such significant downturns may cause default rates on our loans to increase and cause funding and liquidity concerns for our current and prospective technology platform clients reducing their adoption and use of our platform as a service products and services. Conversely, significant upturns in the securities markets or in general economic and political conditions may cause individuals to be less proactive in seeking ways to improve the returns on their trading or investment decisions and, thus, decrease the demand for our products and services. Any of these changes could cause our future performance to be uncertain or unpredictable, and could have an adverse effect on our business, financial condition and results of operations. In addition, a prolonged weakness in the U.S. equity markets or a general extended economic downturn could cause our members or technology platform clients to incur losses, which in turn could cause our brand and reputation to suffer. If our reputation is harmed, the willingness of our existing members or technology platform clients and potential new members or clients to do business with us could be negatively impacted, which would adversely affect our business, financial condition and results of operations.

Our business is sensitive to interest rates and interest rates are highly sensitive to many factors that are beyond our control, including global, domestic and local economic conditions and the policies of various governmental and regulatory agencies and, in particular, the Federal Reserve. The Federal Reserve increased interest rates throughout 2022 and 2023 before lowering interest rates in 2024 and 2025, and we are unable to predict whether interest rates will increase or decrease in the future. Further changes to prevailing interest rates could influence not only the interest we receive on loans and investments and the amount of interest we pay on deposits and borrowings, but such changes have in the past and could in the future also affect (i) our ability to originate loans at competitive rates; (ii) our ability to pay a competitive variable annual percentage yield for deposits; (iii) the fair value of our financial assets and liabilities; (iv) the average duration of our loan portfolios and other interest-earning assets; (v) the mix of lending products we originate which is influenced by demand for refinancing products; and (vi) the competition faced by our SoFi Money deposit product from other investment products which may become more attractive as interest rates rise. See "Changing expectations for inflation and fluctuations in interest rates could decrease demand for our lending products and negatively affect loan performance, as well as increase certain operating costs, such as employee compensation" for additional information on the risks of interest rate fluctuations to our business.

41

SoFi Technologies, Inc.

Interest rate changes and other actions, including balance sheet management, lending facilities, and various quantitative measures and similar actions taken by the Federal Reserve or other central banks, are beyond our control and difficult to predict. These actions affect interest rates and the value of financial instruments, increase the likelihood of a more volatile market, influence the strength or weakness of the U.S. dollar and the resulting direction of change in gross domestic product, and affect other assets and liabilities and can impact our members and technology platform clients. Any economic downturn, especially in the regions in which we operate, may adversely affect our asset quality, deposit levels, loan demand and results of operations.

Changes or uncertainty with respect to existing laws, regulations and policies, including changes in guidance and interpretation by regulatory authorities, and evolving priorities, including those related to financial regulation, taxation, international trade, fiscal policy, cybersecurity and privacy, digital assets, climate change (including any required reduction of greenhouse gas emissions) and healthcare, may adversely impact U.S. or global economic activity and our members, our technology platform clients, our counterparties and our earnings and operations. For example, changes, or proposed changes, to certain U.S. trade and international investment policies, particularly with important trading partners (including China and the European Union (the "EU")) have in recent years negatively impacted financial markets. Actions taken by other countries, particularly China, to restrict the activities of businesses, could also negatively affect financial markets. An escalation of tensions, such as a trade war between certain countries or a further escalation in conflict in the Middle East or Eastern Europe or new conflict in Latin America, could lead to further measures that adversely affect financial markets, disrupt world trade and commerce and lead to trade retaliation, including through the use of duties and tariffs, foreign exchange measures or the large-scale sale of U.S. Treasury Bonds.

Any of these developments could adversely affect our business, our members, our technology platform clients, our other counterparties, the value of our loan portfolios, our level of charge-offs and provision for credit losses, our capital levels, our liquidity and our results of operations.

We have the option of pursuing a gain-on-sale origination model and, consequently, our business is affected by the cost and availability of funding in the capital markets.

In addition to the issuance of equity, historically we have funded our operations and capital expenditures through sales of our loans, secured and unsecured borrowing facilities and securitizations. We have the option of pursuing a gain-on-sale origination model and, consequently, our earnings and financial condition are largely dependent on the price we can obtain for our products in the capital markets, which has been and may be negatively impacted by interest rates that are higher than those in the recent past combined with longer periods during which we have held, and may continue to hold, loans on-balance sheet. These capital markets risks may be partially mitigated by the availability of bank deposits and other corporate cash (if any) to temporarily hold the loans on our balance sheet, and by utilizing our Loan Platform Business to originate and sell loans, in certain instances on a fixed fee basis. However, bank deposits and corporate cash have not historically been our primary source of funding and can be impacted by a number of factors, and our Loan Platform Business is new and does not have a significant performance history. Our ability to obtain financing in the capital markets depends, among other things, on our development efforts, business plans, operating performance, lending activities, public perceptions of the financial services industry, and condition of, and our access to, the capital markets at the time we seek financing. The capital markets have from time-to-time experienced periods of significant volatility, including, most recently, volatility driven by benchmark interest rate movements, uncertainty in the financial services sector, the confrontation in Venezuela, the ongoing conflict in the Middle East and the ongoing war in Ukraine, among other things. This volatility can dramatically and adversely affect financing costs when compared to historical norms or make funding unavailable. Additional factors that could make financing more expensive or unavailable to us include, but are not limited to, financial losses, events that have an adverse impact on our reputation, lawsuits challenging our business practices, adverse regulatory changes, changes in the activities of our business partners, loan performance, events that have an adverse impact on the financial services industry generally, counterparty availability, negative credit rating actions with respect to our rated securities, corporate and regulatory actions, interest rate changes, general economic conditions, including changing expectations for inflation, and the legal, regulatory and tax environments governing funding transactions, including existing or future securitization transactions. If financing is difficult, expensive or unavailable, our business, financial condition, results of operations, cash flows and future prospects could be materially and adversely affected.

Changing expectations for inflation and fluctuations in interest rates could decrease demand for our lending products and negatively affect loan performance, as well as increase certain operating costs, such as employee compensation.

The U.S. economy has remained strong despite facing certain headwinds, including, but not limited to, changing U.S. consumer spending patterns, fluctuating inflation and interest rates, reduced consumer discretionary spending, and weakening wage growth, but there is no guarantee that future changes will not have an impact. For example, the Federal Reserve increased

42

SoFi Technologies, Inc.

interest rates throughout 2022 and 2023 before lowering interest rates in 2024 and 2025. We are unable to predict whether interest rates will increase or decrease in the future. Continued elevated interest rates may decrease borrower demand for certain of our lending products, even as inflation places pressure on consumer spending, borrowing and saving habits as consumers evaluate their prospects for future income growth and employment opportunities in the current economic environment, and as borrowers face uncertainty about the impact of elevated prices on their ability to repay a loan. A change in demand for our lending products and any steps we may take to mitigate such change could impact our credit quality and overall growth. For example, we have experienced lower demand for our home loans in an elevated interest rate environment, as our historical demand has primarily resulted from refinancing, which is less attractive in a higher interest rate environment. We have also focused on personal loan originations to offset the lower demand in other lending products. Personal loans are a higher risk product than home loans or student loans and we have continued to see an increase in the amount of personal loans that we originate which may increase the inherent risk in our overall portfolio. In addition, fluctuating interest rates may increase our cost of capital and ability to offer a competitive interest rate on our loans. Although we closely monitor these increased risks, there is no guarantee we will make the correct adjustments to our originations or make adjustments quickly enough. Furthermore, economic pressure resulting in the inability of a borrower to repay a loan could translate into increased loan defaults, foreclosures and charge-offs and negatively affect our business, financial condition, results of operations, cash flows and future prospects.

Additionally, an inflationary environment has increased and may continue to increase the cost of labor, technology, professional services, marketing and other operating inputs, which could lead to higher wages and benefits, increased vendor and third-party service costs, and rising prices for goods and services necessary to support our operations. For example, an inflationary environment combined with a healthy labor market and decreases in the market value of our equity awards could make it more costly for us to attract or retain employees. In order to meet the compensation expectations of our prospective and current employees due to inflationary and other factors, we have in the past and may in the future be required to increase our operating costs or risk losing skilled workers to competitors. See "Personnel and Business Continuity Risks-The job market and the optimization of our workforce creates a challenge and potential risk as we strive to attract and retain a highly skilled workforce" for more information on the risks posed by a competitive labor market. While we may seek to mitigate these impacts through cost controls or efficiency initiatives, there can be no assurance that such measures will be successful or sufficient. If we are unable to offset higher operating expenses with corresponding revenue growth, our margins, profitability, and cash flows could be materially and adversely affected.

Fluctuations in interest rates could negatively affect the demand for our checking and savings product.

Falling, low or fluctuating interest rates, including declining interest rates in 2024 and 2025, could have had in the past, and may in the future have, a negative impact on the demand for our checking and savings product. Checking and savings provides members a digital banking experience that offers a variable annual percentage yield, which is at our discretion. If we are not able to offer competitive interest rates on deposit accounts, demand for our checking and savings product may decrease, which may impact our ability to access deposits as a more cost-effective source of funding for our loans. Although we have been in an elevated interest rate environment in recent years, interest rates declined in 2024 and 2025 and there is no guarantee that the interest rate we offer on our deposit accounts will remain competitive and in a falling or low interest rate environment, account holders and prospective account holders may be discouraged from using these products, which would adversely affect our business, financial condition, results of operations, cash flows and future prospects.

Higher than expected payment speeds of loans could negatively impact the fair market value of the lending portfolio and our returns as the holder of the residual interests in securitization trusts holding personal and student loans. These factors could materially alter our net revenue or the value of our residual interest holdings.

The rate at which borrowers prepay their loans can have a material impact on our net revenue, the value of our lending portfolio and the value of our residual interests in securitization trusts. Prepayment rates are subject to a variety of economic, social, competitive and other factors, including fluctuations in interest rates, availability of alternative financings, legislative, regulatory or policy changes affecting the student loan market, the home loan market, consumer lending generally and the general economy, including changing expectations for inflation. For example, interest rates continued to decline in 2025, and a lower interest rate environment may lead to higher prepayment rates on loans.

While we anticipate some variability in prepayment rates, extraordinary or extended increases or decreases in prepayment rates could materially affect our liquidity and net revenue. For example, when, as a result of unanticipated prepayment levels, loans within a securitization trust amortize faster than originally contracted due to prepayments, the trust's pool balance may decline at a rate faster than the prepayment rate assumed when the trust's bonds were originally issued. If the trust's pool balance declines faster than originally anticipated, in most of our securitization structures, the bonds issued by that

43

SoFi Technologies, Inc.

trust will also be repaid faster than originally anticipated. In such cases, our net revenue may decrease, inclusive of our servicing revenue and the diminished value of any retained residual interest by us in the trust.

Finally, in instances of significant slowdowns in payment rates, rating agencies may place bonds on watch or change their ratings on (or their ratings methodology for) the bonds issued by a securitization trust, possibly raising or lowering their ratings, based upon these prepayment rates and their perception of the risk posed by those rates to the timing of the trust cash flows. Placing bonds on watch, changing ratings negatively, proposing or making changes to ratings methodology could: (i) affect our liquidity, (ii) impede our access to the securitization markets, (iii) require changes to our securitization structures, and (iv) raise or lower the value of the residual interests of our future securitization transactions.

We are exposed to financial risks that may be partially mitigated but cannot be eliminated by our hedging activities, which carry their own risks.

We continue to use, and may in the future use, financial instruments for hedging and risk management purposes in order to protect against possible fluctuations in interest rates, or for other reasons that we deem appropriate. In particular, we expect our interest rate risk to increase with our home loans business which continues to grow. However, any current and future hedges we enter into will not completely eliminate the risk associated with fluctuating interest rates and our hedging activities may prove to be ineffective.

The success of our hedging strategy will be subject to our ability to correctly assess counterparty risk and the degree of correlation between the performance of the instruments used in the hedging strategy and any changes in interest rates, along with our ability to continuously recalculate, readjust and execute hedges in an efficient and timely manner. Therefore, though we may enter into transactions to seek to reduce risks, unanticipated changes may create a more negative consequence than if we had not engaged in any such hedging transactions. Moreover, for a variety of reasons, we may not seek to establish a perfect correlation between such hedging instruments and the instruments being hedged. Any such imperfect correlation may prevent us from achieving the effect of the intended hedge and expose us to risk of loss. Any failure to manage our hedging positions properly or inability to enter into hedging instruments under acceptable terms, or any other unintended or unanticipated economic consequences of our hedging activities, could affect our financial condition and results of operations.

Our financial condition and results of operations have been and may in the future be adversely impacted by an epidemic or pandemic.

Occurrences of epidemics or pandemics, depending on their scale, may cause different degrees of disruption to the regional, state and local economies in which we offer our products and services. For example, the COVID-19 pandemic caused changes in consumer and student behavior, as well as economic disruptions. Any future pandemic or public health crisis may result in, among other impacts, worker shortages, supply chain issues, inflationary pressures, and the reinstatement and subsequent lifting of restrictions and health and safety related measures. Any future epidemics or pandemics or other public health crises could adversely affect our business, operations and financial condition, as well as the business, operations and financial conditions of our members, other customers and partners.

See "Our business and results of operations have in the past and may in the future be adversely affected by the financial markets, fiscal, monetary, and regulatory policies, and economic conditions generally" and "Management's Discussion and Analysis of Financial Condition and Results of Operations-Key Business Metrics" and "-Consolidated Results of Operations" for further discussion of the impact of macroeconomic conditions in recent periods on our business and operating results.

Strategic and New Product Risks

We have in the past consummated, and from time to time we may evaluate and potentially consummate, acquisitions, which could require significant management attention, disrupt our business and adversely affect our financial results.

Our success depends, in part, on our ability to expand our business. In certain circumstances, we may determine to do so through the acquisition of complementary assets, businesses and technologies rather than through internal development. For example: (i) in April 2020, we acquired 8 Limited, an investment business in Hong Kong, (ii) in May 2020, we acquired Galileo, a company that provides technology platform services to financial and non-financial institutions, (iii) in February 2022, we acquired Golden Pacific, a bank holding company, (iv) in March 2022, we acquired Technisys, a cloud-native digital multi-product core banking platform, and (v) in April 2023, we acquired Wyndham, a mortgage lender. The identification of suitable

44

SoFi Technologies, Inc.

acquisition candidates can be difficult, time-consuming and costly, and we may not be able to successfully complete identified acquisitions. The risks we face in connection with acquisitions include, among others:

•diversion of management time and focus from operating our business to evaluating acquisition targets and addressing acquisition integration challenges;

•coordination of technology, product development, risk management, compliance, sales and marketing and other general administration functions;

•retention of employees from the acquired company and retention of our employees due to cultural challenges associated with integrating employees from the acquired company into our organization;

•integration of the acquired company's accounting, management information, human resources, third-party risk management and other administrative systems;

•the need to implement or improve controls, procedures and policies at a business that prior to the acquisition may have lacked effective controls, information security and cybersecurity safeguards, procedures and policies, including third-party risk management practices;

•write-offs or impairments of intangible assets, goodwill or other assets recognized in connection with the acquisition;

•liability for activities of the acquired company before the acquisition, including patent and trademark infringement claims, violations of laws, including employment laws, commercial disputes, tax liabilities and other known and unknown liabilities;

•litigation or other claims in connection with the acquired company, including claims from terminated or current employees, customers, former stockholders or other third parties; and

•known and unknown regulatory compliance risks resulting from geographic expansion, including elevated risk factors for tax compliance, money laundering and sanctions controls, and supervisory controls oversight.

Our failure to address these risks or other problems encountered in connection with our acquisitions and investments could cause us to fail to realize the anticipated benefits of these acquisitions or investments, cause us to incur unanticipated liabilities and harm our business generally. Future acquisitions could also result in dilutive issuances of our equity securities, the incurrence of debt, contingent liabilities, regulatory obligations to further capitalize our business, goodwill and intangible asset impairments, and increased regulatory scrutiny, any of which could harm our financial condition and negatively impact our stockholders. To the extent we pay the consideration for any future acquisitions or investments in cash, it would reduce the amount of cash available to us for other purposes.

Demand for our products may decline if we do not continue to innovate or respond to evolving technological or other changes.

We operate in a dynamic industry characterized by rapidly evolving technology, frequent product introductions, and competition based on product availability, pricing and other differentiators. We continue to explore new product offerings and may rely on our proprietary technology to make our platform available to members, to service member accounts, to provide our technology platform as a service to clients and to introduce new products, which both fosters innovation and introduces new potential liabilities and risks. In addition, we may increasingly rely on technological innovation as we introduce new types of products, expand our current products into new markets, and continue to streamline our platform. For example, we have begun, and expect to continue, to integrate AI into our technology to improve the experience of our members. In 2025, we launched and integrated an AI-driven feature that analyzes users' SoFi and external accounts to identify suboptimal cash utilization and provides personalized, data-driven recommendations, including recommendations to reallocate funds, reduce balances, and improve overall financial health. In addition, with the introduction of digital asset trading in the U.S. and Hong Kong, and self-serve global remittance, we are utilizing digital assets and blockchain innovations to provide our members with new products and services. However, even if we enhance our current products or release new products that incorporate AI and blockchain innovations, there can be no assurance that our products will be successful or that we will innovate effectively to keep pace with the rapid evolution of AI and blockchain technology. Our ability to integrate AI, blockchain technology or other new technologies may also be limited by new laws or regulatory guidance. See "The launch of digital asset trading in the U.S. and Hong Kong and use of blockchain technology in our product offerings, subjects us to laws and regulations relating to cryptocurrencies and blockchain technology in various jurisdictions where we conduct our business, and to other risks. Such laws and regulations can be complex, are subject to change, and complying with them across various jurisdictions imposes operational, time, and cost constraints on our business. Our actual or perceived failure to comply with such obligations or to address other risks related to these technologies could harm our business and/or result in reputational harm, loss of customers, material financial penalties and legal liabilities" for additional information on the legal and regulatory environment surrounding digital assets. The process of developing new technologies and products is complex, and if we are unable to

45

SoFi Technologies, Inc.

successfully innovate and continue to deliver a superior member and technology platform client experience, members' and clients' demand for our products may decrease and our growth and operations may be harmed.

An increase in fraudulent activity could lead to reputational damage to our brand and material legal, regulatory and financial exposure (including fines and other penalties), and could reduce the use and acceptance of SoFi Money, SoFi Credit Card and SoFi Crypto.

Financial institutions like us, as well as our members, technology platform clients, colleagues, regulators, vendors and other third parties, have experienced a significant increase in fraudulent activity in recent years and will likely continue to be the target of increasingly sophisticated fraudsters and fraud rings in the future. This is particularly true for our newer products where we have limited experience evaluating customer behavior and performing tailored risk assessments, such as checking and savings, credit card and digital assets.

We develop and maintain systems and processes aimed at detecting and preventing fraudulent activity, which require significant investment, maintenance and ongoing monitoring and updating as technologies and regulatory requirements change and as efforts to overcome security and anti-fraud measures become more sophisticated. Despite our efforts, we have in the past and may in the future be subject to fraudulent activity, which may affect our results of operations. For example, our general and administrative expenses in the past have included charges related to fraud events. The possibility of fraudulent or other malicious activities and human error or malfeasance cannot be eliminated entirely and will evolve as new and emerging technology is deployed, including the increasing use of personal mobile and computing devices that are outside of our network and control environments, particularly as a large part of our workforce works remotely. Risks associated with each of these include theft of funds and other monetary loss, the effects of which could be compounded if not detected quickly. Fraudulent activity may not be detected until well after it occurs and the severity and potential impact may not be fully known for a substantial period of time after it has been discovered.

Fraudulent activity and other actual or perceived failures to maintain a product's integrity and/or security has led to increased regulatory scrutiny and may lead to regulatory investigations and intervention (such as mandatory card reissuance), increased litigation (including class action litigation), remediation, fines and response costs, negative assessments of us and our subsidiaries by regulators and rating agencies, reputational and financial damage to our brand, and reduced usage of our products and services, all of which could have a material adverse impact on our business. In addition, we offer certain fraud and compliance and risk management services to technology platform clients as part of our platform as a service offerings and regulatory scrutiny of these types of services has increased recently. Any failure in these services provided to technology platform clients could result in regulatory actions or fines, and potential loss of client accounts.

Our SoFi Crypto offering exposes us to additional fraud risk. Cryptocurrency transactions and related activities are subject to elevated fraud risks due to factors such as pseudonymity, rapid transaction settlement, limited ability to reverse transactions, evolving fraud techniques, and the use of decentralized or third-party platforms that may be outside our control. Fraudulent activities may include account takeovers, social engineering schemes, scams, theft of private keys, malware attacks, and misuse of our platforms to facilitate illicit activity.

While we employ fraud detection, monitoring, and compliance controls designed to mitigate these risks, such controls may be less effective in identifying or preventing cryptocurrency-related fraud compared to traditional financial products, particularly as fraudsters continue to adapt their methods. If fraud occurs, we may incur financial losses, increased operational and compliance costs, customer remediation expenses, regulatory scrutiny, reputational harm, and potential legal liability. Any failure to effectively prevent, detect, or respond to cryptocurrency-related fraud could materially and adversely affect our business and results of operations.

Successful fraudulent activity and other incidents related to the actual or perceived failures to maintain the integrity of our processes and controls could negatively affect us, including harming the market perception of the effectiveness of our security measures or harming the reputation of the financial system in general, which could result in reduced use of our products and services. Such events could also result in legislation and additional regulatory requirements. Although we maintain insurance, including specifically with respect to our digital asset products, there can be no assurance that liabilities or losses we may incur will be covered under such policies or that the amount of insurance will be adequate.

We may be unable to realize the anticipated benefits of acquiring Technisys.

We closed the Technisys acquisition in March 2022 and its operations have been largely integrated into our business. The success of the Technisys acquisition, including anticipated benefits and cost savings and potential additional revenue opportunities, will depend, in part, on our ability to realize various benefits, including, among other things, the development of an end-to-end vertically integrated banking technology stack to support multiple products and enable the combined company to

46

SoFi Technologies, Inc.

meet the expanding needs of existing customers and serve additional established banks, fintechs and non-financial brands looking to enter financial services. The inability to realize our expected cost savings in connection with the Technisys' acquisition could have an adverse effect on our business, financial condition, operating results and prospects. Failure to achieve these anticipated benefits could result in increased costs, decreases in the amount of expected revenues, lost cost savings and incremental revenue opportunities and diversion of management's time and energy and could have an adverse effect on our business, financial condition, operating results and prospects.

We may continue to expand operations abroad where we have limited operating experience and may be subject to increased business, economic and regulatory risks that could adversely impact our financial results.

In April 2020, we undertook our first international expansion by acquiring 8 Limited, an investment business in Hong Kong. Additionally, with the acquisition of Galileo in May 2020, we gained clients in Canada, Mexico and Colombia and, with the acquisition of Technisys in March 2022, we further expanded our operations into Latin America. In 2025, we expanded our consumer banking product with the introduction of self-serve global remittance services in over thirty countries. We may, in the future, continue to pursue further international expansion of our business operations, either organically or through acquisitions, in new international markets where we have limited or no experience in marketing, selling and deploying our products and services. If we fail to deploy or manage our operations in these countries successfully, our business and operations may suffer. In addition, we are subject to a variety of risks inherent in doing business internationally, including:

•political, social and/or economic instability or military conflict;

•risks related to governmental regulations in foreign jurisdictions, including regulations relating to privacy, and unexpected changes in regulatory requirements and enforcement;

•fluctuations in currency exchange rates and global market volatility;

•higher levels of credit risk and fraud;

•enhanced difficulties of integrating foreign acquisitions;

•burdens of enforcing and complying with a variety of foreign laws;

•reduced protection for intellectual property rights in certain countries;

•difficulties in staffing and managing global operations and the increased travel, infrastructure and legal compliance costs associated with multiple international locations and subsidiaries;

•different regulations and practices with respect to employee/employer relationships, existence of workers' councils and labor unions, and other challenges caused by distance, language, and cultural differences, making it harder to do business in certain international jurisdictions;

•compliance with statutory equity requirements; and

•management of tax consequences.

If we are unable to manage the complexity of global operations successfully, our financial performance and operating results could suffer.

The launch of digital asset trading in the U.S. and Hong Kong and use of blockchain technology in our product offerings, subjects us to laws and regulations relating to cryptocurrencies and blockchain technology in various jurisdictions where we conduct our business, and to other risks. Such laws and regulations can be complex, are subject to change, and complying with them across various jurisdictions imposes operational, time, and cost constraints on our business. Our actual or perceived failure to comply with such obligations or to address other risks related to these technologies could harm our business and/or result in reputational harm, loss of customers, material financial penalties and legal liabilities.

In 2025, we launched SoFi Crypto in the U.S. and digital asset trading in Hong Kong, allowing our members to buy, sell and hold digital assets, which, along with any additional cryptocurrency products and other products that utilize blockchain technology that we may offer in the future, subjects us to additional regulations, licensing requirements, and other obligations. Compliance with any such regulations, requirements, or obligations may be complex and costly. Cryptocurrencies are not considered legal tender, are not backed by most governments, and have experienced technological flaws and various law enforcement and regulatory interventions. In addition, in the U.S. and certain other jurisdictions, certain cryptocurrencies may be deemed to be securities and subject to the securities laws of the relevant jurisdictions. Furthermore, our crypto offering in Hong Kong is subject to evolving regulatory requirements under Hong Kong's licensing and virtual asset regime. Although Hong Kong has established a licensing framework for virtual asset trading platforms and related services, these rules are complex, subject to change, and may impose additional compliance obligations on firms engaging in crypto activities. The rapidly evolving regulatory landscape with respect to cryptocurrencies may subject us to registrations, inquiries, or

47

SoFi Technologies, Inc.

investigations from regulators and governmental authorities; require us to make product changes; restrict or discontinue product offerings; and implement additional and potentially costly controls. If we fail to comply with regulations, requirements, prohibitions or other obligations applicable to us, we could face regulatory or other enforcement actions and potential fines or reputational harm, be forced to cease offering cryptocurrency products, and other consequences, including significant financial losses.

Cryptocurrencies have in the past and may in the future experience periods of extreme price volatility. These uncertainties, as well as future accounting and tax developments, or other requirements relating to cryptocurrencies could expose us to litigation, regulatory action and possible liability, and have an adverse effect on our business.

As we enter into and expand our cryptocurrency product and service offerings, the risks associated with failing to safeguard and manage cryptocurrencies held by us or our custodians, or that our service providers transfer on behalf of our customers, may increase. In addition, a number of errors could occur in the process of depositing or withdrawing cryptocurrencies such as typos, mistakes or failure to include information required by the blockchain network, or any other internal failures or deficiencies in our own systems or those of any custodian or other third party provider we may use, could, in each case, materially and adversely affect our members and our operations. In addition, cryptocurrencies and blockchain technologies have been, and might in the future be, subject to security breaches, hacking or other malicious activities. Failures in internal controls or key management practices, whether by us or a service provider, could lead to irreversible asset loss or unauthorized transfers. Defaults by counterparties or systemic stress in crypto-asset markets may also pose significant liquidity, settlement, or valuation risks. Any such failure or event could result in reputational harm, significant financial losses, lead customers to discontinue or reduce their use of our services, and result in significant penalties and fines and additional restrictions.

In addition, we may rely on third parties for certain aspects of cryptocurrency offerings and reliance on third parties involves risks. For example, inappropriate access to, theft, destruction or other loss of cryptocurrency assets held by any counterparty we may use, insufficient insurance coverage by us or any such counterparty to reimburse us for all such losses, such counterparty's failure to maintain effective controls over the custody, asset and settlement services provided to us, such counterparty's inability to purchase or liquidate cryptocurrency holdings, and defaults on financial or performance obligations by counterparty financial institutions, could materially and adversely affect our financial performance and significantly harm our business.

In addition, we plan to integrate blockchain technology from a third party provider into certain of our products. Any number of technical changes, software upgrades, cybersecurity incidents or other changes to the underlying blockchain networks might occur from time to time, causing incompatibility, technical issues, disruptions or security weaknesses to our products. If we or our third party provider are unable to identify, troubleshoot and resolve any such issues successfully, we might no longer be able to support such products, our customers' assets might be frozen or lost, the security of our products might be compromised and our platforms and technical infrastructure might be affected, all of which could cause revenue to decline and expose us to potential liability for customer losses.

We are new to global remittance services and engaging in such services exposes us to numerous risks, including compliance with complex laws and regulations across jurisdictions, and operational risks, each of which could materially and adversely affect our business, results of operations, and financial condition.

We recently launched global remittance services between the United States and thirty countries, including Mexico, India, Brazil and the European Union, and we expect to expand these and similar services to and between other international locations. The success of this product depends in part on our ability to provide global remittance services compliantly, efficiently and securely. Global remittance services involve complex regulatory, legal, and compliance requirements, including licensing, anti-money laundering, counter-terrorism financing, economic sanctions, data privacy and cybersecurity, customer disclosure, foreign exchange control laws, and monitoring, examination, and oversight by regulatory agencies across multiple jurisdictions. These frameworks differ significantly between countries and are subject to change, interpretation, and enforcement by various authorities. Failure to maintain compliance, or even the perception of noncompliance, may result in investigations, penalties, restrictions on our operations, or the loss of licenses and banking relationships necessary to provide global remittance services.

Our compliance and regulatory risk related to global remittance services is expected to increase as we expand our operations into additional jurisdictions because the provision of global remittance services is highly regulated, and the requirements vary from jurisdiction to jurisdiction. We are currently working with third-party partners who are licensed to provide global remittance services in the jurisdictions in which we operate and plan to operate. We may, as our global remittance services expand, obtain licenses directly in various jurisdictions. If we become licensed to provide these services by various governmental authorities, we would become subject to extensive financial, operational, and other regulatory

48

SoFi Technologies, Inc.

requirements to maintain our licenses and conduct business. If our licenses are not renewed or we are denied licenses in additional jurisdictions where we choose to apply for a license, we could be forced to change our business practices or to comply with the requirements of the additional jurisdictions, each of which could require us to bear substantial cost. Further, if we were found by these governmental authorities to be in violation of any applicable laws or regulations required to provide global remittance services, we could be subject to fines, penalties, lawsuits, and enforcement actions; additional compliance requirements; increased regulatory scrutiny of our business; restriction or suspension of our operations; or damage to our reputation or brand. Regulatory requirements are constantly evolving, and we cannot predict whether we will be able to meet changes to existing regulations or the introduction of new regulations without harming our business, financial condition, operating results, and future prospects.

Additionally, global remittance services are subject to higher operational risks, including delays, transaction errors, and fraudulent activities, particularly in regions with less developed financial infrastructure, including settlement timing differences, and exposure to local liquidity constraints which may impact the predictability and profitability of our global remittance services. Political instability, trade restrictions, current or new tax laws, or economic sanctions imposed on certain countries may further restrict our ability to provide global remittance services in specific markets.

Furthermore, we currently rely on third-party partners to facilitate global remittance services and may rely on additional third-parties in the future. In addition, our third-party partners may rely on local partners for delivery of their services. Any disruption, error, or compliance failure by these partners could lead to financial loss, reputational damage, and customer dissatisfaction, including related to the experience of our members' recipients. If the experience delivered to a recipient is deemed unsatisfactory for any reason, including if a third-party partner's processes take longer than expected, members may choose to not use our services in the future and our business could be harmed. Additionally, third-party partners charge fees, which may increase from time to time, and which could increase our costs. Banks currently determine the fees charged for bank-originated transactions and may increase the fees with little prior notice. U.S. federal, state, local or foreign governments could also mandate a tax on global remittance services, or require additional taxes or fees to be imposed upon our customers, or otherwise impact the manner in which we provide global remittance services. If fees increase, it may require us to change our product options, or take other measures that would impact our costs and profitability or cause us to lose members or otherwise limit our operations.

If we are unable to effectively manage these risks or adapt our operations to evolving international regulatory environments, our ability to further expand our global remittance services and similar services, and maintain compliance could be impaired, and our business, financial condition, and results of operations could be materially and adversely affected.

Credit Market Related Risks

We operate in a cyclical industry. In an economic downturn, member default rates may increase, there may be decreased demand for our products, and there may be adverse impacts to our business.

Recent macroeconomic factors, such as fluctuating interest rates, inflation, global events and market volatility and general uncertainty, may cause the economy to enter into a period of slower economic growth or a recession, the length and severity of which cannot be predicted. Such uncertainty and negative trends in general economic conditions can have a significant negative impact on our ability to generate adequate revenue and to absorb expected and unexpected losses. Many factors, including factors that are beyond our control, may result in higher default rates by our members and non-payment by our technology platform clients, a decline in the demand for our products, including a reduction in deposits, and potentially impact our ability to make accurate credit assessments, lending decisions or technology platform client selections. Any of these factors could have a detrimental impact on our financial performance and liquidity.

Our Lending and Financial Services segments may be particularly negatively impacted by worsening economic conditions that place financial stress on our members resulting in loan defaults or charge-offs. If a loan charges off while we are still the owner, the loan either enters a collections process or is sold to a third-party collection agency and, in either case, we will receive less than the full outstanding interest on, and principal balance of, the loan. Declining economic conditions may also lead to either decreased demand for our loans or demand for a higher yield on our loans, and consequently lower prices or a lower advance rate, from institutional whole loan purchasers, securitization investors and warehouse lenders on whom we rely for liquidity. Declining economic conditions and any resulting increase in charge-offs may also reduce demand for our personal loans by Loan Platform Business counterparties.

The longevity and severity of a downturn or recession would also place pressure on lenders under our debt warehouses, whole loan purchasers, Loan Platform Business counterparties and investors in our securitizations, each of whom may have less available liquidity to invest in our loans, and long-term market disruptions could negatively impact the

49

SoFi Technologies, Inc.

securitization market as a whole. Although certain of our debt warehouses contain committed terms, there can be no assurance that our financing arrangements or Loan Platform Business loan origination and sale arrangements will remain available to us through any particular business cycle or be renewed on the same terms. The timing and extent of a downturn may also require us to change, postpone or cancel our strategic initiatives or growth plans to pursue shorter-term sustainability. The longer and more severe an economic downturn, the greater the potential adverse impact on us.

An economic downturn or recession could also adversely affect our Financial Services products, including our deposit base and funding profile and assets held through SoFi Invest or SoFi Crypto. During periods of economic stress, members may experience job losses, reduced income, or increased uncertainty, which could lead them to draw down savings to meet living expenses or shift funds toward perceived safer or more liquid alternatives. These behaviors may result in deposit outflows, lower average balances in checking and savings accounts or lower average investments made through SoFi Invest or SoFi Crypto investments. In addition, heightened market volatility or concerns about the financial sector could increase member sensitivity to interest rates, safety perceptions, and liquidity needs, intensifying competition for deposits and increasing our funding costs. A sustained decline in deposits or an unfavorable shift in deposit composition could reduce our access to low-cost, stable funding and increase our reliance on alternative or wholesale funding sources, which may be more expensive or less available during a recession. Such conditions could adversely affect our net interest margin, liquidity position, and ability to grow or maintain our balance sheet. If these pressures are prolonged or severe, they could also constrain our ability to support member demand, comply with regulatory liquidity requirements, or pursue strategic initiatives, and could have a material adverse effect on our business, financial condition, and results of operations.

Our Technology Platform segment is also susceptible to worsening economic conditions that place financial stress on our current clients using our platform as a service products and services and potential new clients interested in such services. These clients and potential clients may experience liquidity and other financial issues or strategically slowdown growth, any of which could lead them to decrease or terminate their use of our technology platform services or delay or reject implementation of new or expanded products and services. Any such actions with respect to our technology platform products and services could have an adverse impact on our business.

There can be no assurance that economic conditions will be favorable for our business, that interest in purchasing our loans by financial institutions, the ability of members to invest in our products or investment by clients in our platform as a service products and services will remain at current levels, or that default rates by our members or instances of non-payment by our technology platform clients will not increase or that demand for our products will not decrease. Reduced demand, lower prices or a lower advance rate for our loan products from institutional whole loan purchasers, Loan Platform Business counterparties, securitization investors and warehouse lenders, increased default rates by our members, and reduced demand, lower prices and increased non-payment by our technology platform clients, may limit our access to capital, including debt warehouse facilities, Loan Platform Business loan origination and sale arrangements, securitizations and secured and unsecured borrowing facilities, and negatively impact our profitability. These impacts, in addition to limiting our access to capital and negatively impacting our profitability, could also in turn increase the volatility of the mark-to-market methodology and indicators of credit risk that we use to determine the fair value of certain loans and expected credit losses on credit card receivables that we hold on balance sheet, and consequently have a material adverse effect on our revenues, results of operations, capital requirements, liquidity and cash flows.

If we do not make accurate credit and pricing decisions or effectively forecast our loss rates, our business and financial results will be harmed, and the harm could be material.

In deciding whether to extend credit to prospective or existing members, we rely upon data to assess our ability to extend credit within our risk appetite, our debt servicing capacity, and overall risk level to determine lending exposure and loan pricing. If the decision components, rapidly deteriorating macroeconomic conditions or analytics are either unstable, biased, or missing key pieces of information, the wrong decisions will be made, which will negatively affect our financial results. If our credit decisioning strategy fails to adequately predict the creditworthiness of our members, including a failure to predict a member's true credit risk profile and ability to repay their loan or credit card balance, higher than expected loss rates will impact the fair value of certain loans and expected credit losses on credit card receivables. Additionally, if any portion of the information pertaining to the prospective member is false, inaccurate or incomplete, and our systems did not detect such falsities, inaccuracies or incompleteness, or any or all of the other components of our credit decision process fails, we may experience higher than forecasted losses, including losses attributed to fraud. Furthermore, we rely on credit reporting agencies to obtain credit reports and other information we rely upon in making underwriting and pricing decisions. If one of these third parties experiences an outage, if we are unable to access the third-party data used in our decision strategy, if such data contains inaccuracies or our access to such data is limited, our ability to accurately evaluate potential members will be compromised, and we may be unable to effectively predict credit losses inherent in our loan portfolio, which would negatively impact our results of operations, which could be material.

50

SoFi Technologies, Inc.

Additionally, if we make errors in the development, validation, or implementation of any of the underwriting models or tools that we use for the loans securing our debt warehouses or included in securitization transactions or whole loan sales, or originated and sold to Loan Platform Business counterparties, such loans may experience higher delinquencies and losses, which would negatively impact our debt warehouse financing terms and future securitization, whole loan sale transactions and Loan Platform Business loan origination and sale arrangements.

If the information provided to us by applicants is incorrect or fraudulent, we may misjudge an applicant's qualification to receive a loan or use one of our products, and our results of operations may be harmed.

Our lending and platform access decisions are based partly on information provided to us by applicants. To the extent that an applicant provides information to us in a manner that we are unable to verify, or the information provided by an applicant consists of data obtained under false pretenses by third parties, is a manufactured/synthetic identity, or is a stolen identity, our credit decisioning process may not accurately reflect the associated risk. In addition, data provided by third-party sources, including credit reporting agencies, is a significant component of our credit decisions and this data may contain inaccuracies. Inaccurate analysis of credit data that could result from false loan application information could harm our reputation, business and results of operations. Additionally, we rely on the accuracy of applicant information in approving applicants for our non-lending products, such as SoFi Money, SoFi Credit Card, SoFi Invest or SoFi Crypto accounts. If the information provided to us by these applicants is incorrect or fraudulent and we are unable to detect the inaccuracies, it increases our regulatory and fraud risk and the risk of identity theft to our members, and could harm our reputation, business and results of operations.

We use identity and fraud prevention tools to analyze data provided by external databases or automated physical identity document proofing technologies to authenticate each applicant's identity. These fraud prevention tools, scores, and data aggregators are reliant on sustained access to reliable data sources to facilitate robust verification which have reduced effectiveness with diminished data access. From time to time in the past, however, these checks have failed and there is a risk that these checks could fail in the future and fraud, which may be significant, may occur and go undetected. For example, in the past we have identified certain fraudulent activity related to our personal loan products. While the fraudulent activity was detected and the losses were recognized in our results of operations, there can be no assurance there will not be future instances of fraud, that we will be able to detect such fraudulent activity in a timely manner, or that such future fraudulent activity will not be material. We may not be able to recoup funds underlying loans made in connection with inaccurate statements, omissions of fact or fraud, in which case our revenue, results of operations and profitability will be harmed. Fraudulent activity or significant increases in fraudulent activity could also lead to regulatory intervention, which could negatively impact our results of operations, brand and reputation, and require us to take steps to reduce fraud risk, which could increase our costs.

Internet-based loan origination processes may give rise to greater risks than paper-based processes.

We use internet-based loan processes to obtain application information and distribute certain legally required notices to applicants for, and borrowers of, loans and to obtain electronically signed loan documents in lieu of paper documents with ink signatures obtained in person. These processes may entail greater risks than paper-based loan origination processes, including regarding the sufficiency of notice for compliance with consumer protection laws, risks that borrowers may challenge the authenticity of loan documents, or the validity of the borrower's electronic signature on loan documents, and risks that unauthorized changes are made to the electronic loan documents. If any of those factors were to cause our loans, or any of the terms of our loans, to be unenforceable against the relevant borrowers, or impair our ability to service our loans (as master servicer or servicer), the value of our loan assets would decrease significantly to us and to our whole loan purchasers, Loan Platform Business counterparties, securitization investors and warehouse lenders. In addition to increased default rates and losses on our loans, this could lead to the loss of whole loan purchasers, Loan Platform Business counterparties, and securitization investors and trigger terminations and amortizations under our debt warehouse facilities, each of which would materially adversely impact our business.

Student loans are subject to discharge in certain circumstances.

SoFi private education loans may be discharged in bankruptcy in certain situations, such as if a bankruptcy court determines that the loan is either not a qualified education loan (as defined in 225(d)(4)) of the Internal Revenue Code) or determines that not discharging the debt would impose an undue hardship on the debtor and the debtor's dependents. Changes in law, how courts apply the law, regulations or governmental policies could increase the number of student loans subject to discharge in certain circumstances which could adversely affect our business. A private education loan may also be generally dischargeable as a result of the death or disability of the borrower.

51

SoFi Technologies, Inc.

If a higher percentage of borrowers obtain relief under bankruptcy or other debtor relief laws in the future than is reflected in our historical experience, we could experience increased loan discharges, reduced recoveries, higher charge-offs, and increased litigation and compliance costs. In addition, adverse judicial developments could result in class action litigation, injunctions, or regulatory scrutiny relating to our servicing or collection practices with respect to such loans. Any such developments could negatively impact the value of our student loan portfolio, the performance of related securitizations, and our financial condition and results of operations. See "Regulatory, Tax and Other Legal Risks-Legislative and regulatory policies and related actions have had and could in the future have a material adverse effect on borrower behavior, our student loan portfolios and our student loan origination volume".

Home equity loans expose us to heightened credit, property value and interest rate risk.

Home equity loans are subject to subordinate liens on the related property. Subordinate lien loans are structurally riskier than first lien loans because, in the event of borrower default or foreclosure, holders of first lien mortgages are entitled to repayment before subordinate lien holders. As a result, recoveries on subordinate lien loans are more sensitive to declines in residential property values and may be limited or eliminated if property values decrease or if combined loan-to-value ratios increase, In addition, changes in interest rates may adversely affect the performance and value of these loans. Rising interest rates may increase borrower payment obligations for variable-rate loans and could contribute to higher delinquency or default rates. Conversely, declining interest rates may increase prepayment activity, which could reduce expected yields. Interest rate fluctuations may also negatively impact the fair value of home equity loans held on our balance sheet. If residential property values decline, interest rates increase, or broader economic conditions weaken, we may experience higher credit losses, increased delinquencies, reduced recoveries, and impairment charges on our home equity loan portfolio, which could adversely affect our financial condition and results of operations. In addition, our ability to sell home equity loans may be limited because these loans are not categorized as conventional for GSE purchasers.

We offer personal loans, which have a limited performance history, and therefore we have only limited prepayment, loss and delinquency data with respect to such loans on which to base projections.

The performance of the personal loans we offer is significantly dependent on the ability of the credit decisioning, income validation, and scoring models we use to originate such loans, which include a variety of factors, to effectively evaluate an applicant's credit profile and likelihood of default. Despite recession-readiness planning and stress forecasting, there is no assurance that our credit criteria can accurately predict loan performance under economic conditions such as a prolonged down-cycle or recessionary economic environment or the governmental response to periods of disruption, which may drive unexpected outcomes. If our criteria do not accurately reflect credit risk on the personal loans, greater than expected losses may result on these loans and our business, operating results, financial condition and prospects could be materially and adversely affected.

In addition, personal loans are dischargeable in a bankruptcy proceeding involving a borrower without the need for the borrower to file an adversary proceeding. The discharge of a significant amount of our personal loans could adversely affect our financial condition. Furthermore, other characteristics of personal loans may increase the risk of default or fraud and there are few restrictions on the uses that may be made of personal loans by borrowers, which may result in increased levels of credit consumption. We also originate a material portion of our personal loans through ACH deposits directly to the borrowers, which may result in a higher risk of fraud. The effect of these factors may be to reduce the amounts collected on our personal loans and adversely affect our operating results and financial condition.

We service all of the personal loans we originate and credit cards we issue, as well as other loans, and have limited servicing experience, and we rely on third-party service providers to service the student loans and home loans we originate, and to perform various other functions in connection with the origination and servicing of certain loans. If we or a third-party service provider fails to properly perform these functions, our business and our ability to service our loans may be adversely affected.

We service all of the personal loans we originate as well as certain loans originated by third parties and, in all material respects, all of the credit cards we issue, and we have limited experience with such servicing. We may begin servicing the student loans that we originate in the future. We rely on sub-servicers to service all of our student loans, our home loans that we deliver to GSEs and do not sell servicing-released and certain home equity loans, and to perform certain back-up servicing functions with respect to our personal loans. In addition, we rely on third-party service providers to perform various functions relating to our loan origination and servicing business, including fraud detection, marketing, operational functions, cloud infrastructure services, information technology, telecommunications and processing remotely created checks. While we oversee these service providers to ensure they service our loans in accordance with our agreements and regulatory requirements, we do not have control over the operations of any of the third-party service providers that we utilize. In the event that a third-party service provider for any reason fails to perform such functions, including through negligence, willful misconduct or fraud, our

52

SoFi Technologies, Inc.

ability to process payments and perform other operational functions for which we currently rely on such third-party service providers will suffer and our business, cash flows and future prospects may be negatively impacted. Such third-party service provider failures could also result in, among other things, increased regulatory scrutiny of our third-party service provider oversight, costly investigations, required corrective action and remediation, regulatory enforcement actions, class action lawsuits, and harm to our reputation.

Any failure on our part or on the part of third parties on whom we rely to perform functions related to our servicing activities to properly service our loans or the loans originated by third parties could result in us being removed as the servicer on the loans, including loans financed by our warehouse facilities or sold into our whole loan sales channel and securitization transactions or to Loan Platform Business counterparties. If we fail to monitor our student loan sub-servicer and ensure that such sub-servicer complies with its obligations under state laws that require student loan servicers to be licensed, we may face civil claims for damages under such state laws. Because we receive revenue from such servicing activities, any such removal as the servicer or master servicer, could adversely affect our business, operating results, financial condition or prospects, as would the cost of onboarding a new servicer. Furthermore, we have agreed in our servicing agreements to service loans in accordance with the standards set forth therein and may be obligated to repurchase loans or indemnify the buyer of any such loans if we fail to meet those standards.

Additionally, if one or more key third-party service providers were to cease to exist, to become a debtor in a bankruptcy or an insolvency proceeding or to seek relief under any debtor relief laws or to terminate its relationship with us, there could be delays in our ability to process payments and perform other operational functions for which we are currently relying on such third-party service provider, and we may not be able to promptly replace such third-party service provider with a different third-party service provider that has the ability to promptly provide the same services in the same manner and on the same economic terms. As a result of any such delay or inability to replace such key third-party service provider, our ability to process payments and perform other business functions could suffer and our business, cash flows and future prospects may be negatively impacted.

We perform and manage the loan origination process for all of the home loans that we originate. If we fail to properly perform these functions, our home loans business may be adversely affected.

In April 2023, we acquired Wyndham, a mortgage lender, expanding our home loans business. In connection with the acquisition of Wyndham, we adopted loan origination technology which facilitates performing many functions in connection with the origination of home loans, including processing, underwriting, pricing, vendor management, closing, and additional functions for loan origination that we previously outsourced to third-party providers, and we now directly manage loan underwriters and loan processors which are services previously managed by third-party providers. In the event that we fail for any reason to perform or manage such functions in accordance with all applicable requirements, including through human errors, technology errors, negligence, willful misconduct or fraud, our ability to originate home loans will suffer and our business, cash flows and future prospects may be negatively impacted, and we could incur penalties or liabilities including obligations to repurchase loans from investors to whom we sold the loans. Additionally, if we fail to perform such functions or properly manage our new resources, we may be unable to complete, or be delayed in the completion of, the origination of home loans in our pipeline and to originate new home loans, and we may not be able to onboard a replacement service provider that has the ability to promptly provide the same services in the same manner and on the same economic terms.

Potential geographic concentration of our members may increase the risk of loss on the loans that we originate and negatively impact our business.

Any concentration of our members in specific geographic areas may increase the risk of loss on our loans. Certain regions of the U.S. from time to time will experience weaker economic conditions and higher unemployment and, consequently, will experience higher rates of delinquency and loss than on similar loans in other regions of the country. Moreover, a further deterioration in economic conditions or a recession, outbreaks of disease, the continued increase in extreme weather conditions and other natural events (such as hurricanes, tornadoes, floods, drought, wildfires, mudslides, earthquakes and other extreme conditions) and other factors could adversely affect the ability and willingness of borrowers in affected regions to meet their payment obligations under their loans and may consequently affect the delinquency and loss experience of such loans. In addition, we, as master servicer for all student loans and home loans and as servicer of our personal loans, have offered in the past, and may in the future offer, hardship forbearance or other relief programs in certain circumstances to affected borrowers.

Conversely, an improvement in economic conditions in one or more of the geographic areas in which we have members could result in higher prepayments of their payment obligations under their loans in such states. As a result, we and the whole loan purchasers and Loan Platform Business counterparties who hold our loans or securitization investors or warehouse lenders who hold securities backed by our loans may receive principal payments earlier than anticipated, and fewer

53

SoFi Technologies, Inc.

interest payments than anticipated, and face certain reinvestment risks, such as the inability to acquire loans on equally attractive terms as the prepaid loans. In addition, higher prepayments than anticipated may have a negative impact on our servicing revenue which could cause our operating results and financial condition to be materially and adversely affected.

Further, the concentration of our loans in one or more geographic locations may have a disproportionate effect on us or investors in our loans or securities backed by our loans if governmental authorities in any of those areas take action against us as originator, master servicer or servicer of those loans or take action affecting our ability as master servicer or servicer to service those loans.

Funding and Liquidity Risks

If we are unable to successfully manage our assets and liabilities on the balance sheet and our funding costs, including with respect to deposit-based funding, our ability to finance additional loans and introduce new products may be negatively impacted.

We fund our operations and capital expenditures primarily through SoFi Bank deposits, warehouse funding, common equity capital, convertible debt, a corporate revolving credit facility, securitizations, and other financings, including Loan Platform Business transactions. Through SoFi Bank, we utilize deposits which generally has a lower borrowing cost of funds than warehouse financing, and we have the ability to access other funding sources, such as the FHLB and certain brokered deposit channels established by SoFi Bank. Because we rely on each of these outlets for liquidity, if we are unable to successfully manage our assets and liabilities and funding costs as described above, or if we experience a loss or reduction of these liquidity outlets, our business could be materially adversely impacted. For example, certain banks have faced operational difficulties in accessing the Federal Reserve discount window and there is no guarantee that we will not face the same or similar issues. In addition, there can be no assurance that we will be able to successfully access the securitization markets at any given time, and in the event of a sudden or unexpected shortage of funds in the banking and financial system, we cannot be sure that we will be able to maintain necessary levels of funding without incurring high funding costs, a reduction in the term of funding instruments, an increase in the amount of equity we are required to hold or the liquidation of certain assets. Furthermore, there is a risk that there will be no market at all for our loans either from whole loan buyers, the Loan Platform Business or through investments in securities backed by our loans.

We may require capital in excess of amounts we currently anticipate, and depending on market conditions and other factors, we may not be able to maintain our capital or obtain additional capital for our current operations or anticipated future growth on reasonable terms or at all. As the volume of loans that we originate, and the increased suite of products that we make available to members, increases, we may be required to expand the size of our debt warehousing facilities or seek additional sources of capital. The availability of these financing sources depends on many factors, certain of which are outside of our control. We may also experience the occurrence of events of default or breaches of financial performance or other covenants under our whole loan sale, Loan Platform Business or debt agreements, which could reduce or terminate our access to those buyers and to institutional funding.

As we think about managing our assets and liabilities on the balance sheet and our funding costs, our deposit growth may slow. If we are unable to satisfactorily manage our current sources of funding, including deposits, or, if needed, secure new or alternative methods of financing, our ability to finance additional loans and to develop and offer new products may be negatively impacted. If deposit growth slows, we may need to turn to higher cost of funds. The interest rates, advance rates and other costs of new, renewed or amended facilities may also be higher than those currently in effect. If we are unable to renew or otherwise replace these facilities or generally arrange new or alternative methods of financing on favorable terms, we may be forced to curtail our origination of loans or reduce lending or other operations, which would have a material adverse effect on our business, financial condition, operating results and cash flows.

If one or more of our warehouse facilities, on which we are highly dependent, is terminated or otherwise becomes unavailable, we may be unable to find replacement financing on favorable terms, or at all, which would have a material adverse effect on our business and financial condition.

We require a significant amount of short-term funding capacity for loans we originate. Consistent with industry practice, our existing warehouse facilities generally require periodic renewal. If any of our committed warehouse facilities are terminated or are not renewed or our uncommitted facilities are not honored, we may be unable to find replacement financing on favorable terms, or at all, and we might not be able to originate an acceptable or sustainable volume of loans, which would have a material adverse effect on our business. Additionally, as our business continues to expand, including our home loan business, we may need additional warehouse funding capacity for the loans we originate. There can be no assurance that, in the future, we will be able to obtain additional warehouse funding capacity on favorable terms, on a timely basis, or at all.

54

SoFi Technologies, Inc.

If we fail to meet or satisfy any of the financial or other covenants included in our warehouse facilities, we would be in default under one or more of these facilities and our lenders could elect to declare all amounts outstanding under the facilities to be immediately due and payable, enforce their interests against loans pledged under such facilities and restrict our ability to make additional borrowings. Certain of these facilities also contain cross-default provisions. These restrictions may interfere with our ability to obtain financing or to engage in other business activities, which could materially and adversely affect us. There can be no assurance that we will maintain compliance with all financial and other covenants included in our warehouse facilities in the future.

In addition, our agreements with our warehouse lenders contain various concentration limits and triggers, including related to excess spread. High interest rates have in the past and may in the future place pressure on our net cost of funds for loans held at SoFi Lending Corp., which do not benefit from deposit funding through SoFi Bank, and increase the likelihood of reaching an excess spread limit. A breach of such limits or other similar terms of such agreements could result in an inability to place loans in the relevant warehouse facilities and require us to pursue other forms of financing. If we are unable to find replacement financing on favorable terms, or at all, our operations could be impacted materially.

Increases in member default rates on loans could make us and our loans less attractive to whole loan buyers, Loan Platform Business counterparties, lenders under debt warehouse facilities and investors in securitizations, which may adversely affect our access to financing and our business.

Increases in member default rates, due to deteriorating economic conditions or other factors, could make us and our loans less attractive to our existing or prospective funding sources, including whole loan buyers, Loan Platform Business counterparties, securitization investors and lenders under debt warehousing facilities. If our existing funding sources do not achieve their desired financial returns or if they suffer losses, they or prospective funding sources may increase the cost of providing future financing or refuse to provide future financing or purchase loans on terms acceptable to us or at all.

Our securitizations are nonrecourse to the Company and are collateralized by the pool of our loans pledged to the relevant securitization issuer. If the loans securing our securitizations fail to perform as expected, rating agencies have in the past and may in the future place our bonds on watch or change their ratings on (or their ratings methodology for) the bonds issued by our securitization trusts. Our loans performance and any actions taken by the rating agencies could result in the lenders under our warehouse facilities, the whole loan purchasers who purchase our loans, the investors in our securitizations who purchase securities backed by our loans, or future lenders, whole loan purchasers, Loan Platform Business counterparties or securitization investors in similar arrangements, increasing the cost of providing future financing or refusing to provide future financing or purchase loans on terms acceptable to us or at all.

While this risk may be partially mitigated by our ability to hold loans on our balance sheet and to quickly modify the origination volume under the Loan Platform Business, in sufficient volume, high member default rates would negatively impact our financial condition. Consequently, if we were to be unable to arrange new or alternative methods of financing on favorable terms, we may have to curtail or cease our origination of loans, which could have a material adverse effect on our business, financial condition, operating results and cash flows.

We make representations and warranties in connection with the transfer of loans to whole loan purchasers, Loan Platform Business counterparties, government-sponsored enterprises, and our debt warehouse lenders and securitization trusts. If such representations and warranties are not correct, we could be required to repurchase loans or indemnify the purchaser, which could have an adverse effect on our ability to operate and fund our business.

We sell and finance the loans we originate to and with third parties, including, with respect to home loans, counterparties like GSEs, and we make certain representations and warranties to those third parties in connection with the transfer of loans described below. In the ordinary course of business, we are exposed to liability under these representations and warranties made to purchasers of loans. Such representations and warranties typically include, among other things, that the loans were originated and serviced in compliance with the law and with our credit risk origination policy and servicing guidelines, and, in connection with transfers to GSEs, that the loans were originated in compliance with the guidelines of the relevant GSE, and that, to the best of our knowledge, each loan was originated by us without any fraud or misrepresentation on our part or on the part of the borrower or any other person. In addition, purchasers require loans to meet strict underwriting and loan term criteria in order to be eligible for purchase. If those representations and warranties are breached as to a given loan, or if a certain loan we sell does not meet the relevant eligibility criteria, we will be obligated to repurchase the loan, typically at a purchase price equal to the then-outstanding principal balance of such loan, plus accrued interest and any premium. We may also be required to indemnify the purchaser for losses resulting from the breach of representations and warranties. With regard to home loans insured by the Federal Housing Administration or the VA, and to the extent that any of our home loans do not comply with Federal Housing Administration or VA guidelines, we could also face claims under the False Claims Act. In connection with our whole loan sales and certain Loan Platform Business sales, we also typically covenant to repurchase any

55

SoFi Technologies, Inc.

loan that enters delinquent status within the first thirty to sixty days following origination of the loan. Any significant increase in our obligation to repurchase loans or indemnify purchasers of loans could have a significant adverse impact on our cash flows, even if they are reimbursable, and could also have a detrimental effect on our business and financial condition. If any such repurchase event occurs on a large scale, we may not have sufficient funds to meet our repurchase obligations, which would result in a default under the underlying agreements. Moreover, we may not be able to resell or refinance loans repurchased due to a breach of a representation or warranty or we may be forced to sell such loans below par. Any such event could have an adverse impact on our business, operating results, financial condition and prospects. In addition, in the acquisition of Wyndham, we also acquired Wyndham's liability to its loan investors and loan insurers for mortgage loans originated by Wyndham, including repurchase obligations that might not be contingent upon the investor proving an error by Wyndham.

In addition to loan level representations and warranties, our agreements with the lenders and investors on our securitizations, debt warehouse facilities and corporate revolving debt contain a number of corporate financial covenants and early payment triggers and performance covenants. These facilities, together with deposits, are the primary funding sources available to support the maintenance and growth of our business and our liquidity would be materially adversely affected by our inability to comply with the various covenants and other specified requirements set forth in our agreements with our lenders and investors, which could result in the early amortization, default and/or acceleration of our existing facilities. Such covenants and requirements include financial covenants, portfolio performance covenants and other events. For a description of these covenants, requirements and events, see "Management's Discussion and Analysis of Financial Condition and Results of Operations - Liquidity and Capital Resources".

During an early amortization period or occurrence of a termination event or an event of default, principal collections from the loans in our warehouse facilities would be applied to repay principal under such facilities rather than being available to fund newly originated loans. During the occurrence of a termination event or an event of default under any of our facilities, the applicable lenders could accelerate the related debt and such lenders' commitments to extend further credit under the related facility, if any, would terminate. If we were unable to repay the amounts due and payable under such facilities and securitizations, the applicable lenders and noteholders could seek remedies, including against the collateral pledged under such facilities and by the securitization trust. An acceleration of the debt under certain facilities could also lead to a default under other facilities and, in certain instances, our hedging arrangements, due to cross-default and cross-acceleration provisions.

An early amortization event or event of default would negatively impact our liquidity, including our ability to originate new loans, and require us to rely on alternative funding sources, which might increase our funding costs or which might not be available when needed. If we were unable to arrange new or alternative methods of financing on favorable terms, we might have to hold loans on balance sheet in an amount that may negatively impact our financial condition, or curtail or cease the origination of loans, which could impair our growth, and, in each case, have a material adverse effect on our business, financial condition, operating results and cash flows, which in turn could have a material adverse effect on our ability to meet our obligations under our facilities.

We require substantial capital and, in the future, may require additional capital, to pursue our business objectives and achieve recurring profitability. If adequate capital is not available to us or is unavailable on favorable terms, including due to the cost and availability of funding in the capital markets, our business, operating results and financial condition may be harmed.

Since our founding and as recently as 2025, we have raised substantial equity and debt financing to support the growth of our business. We may require additional capital to pursue our business objectives and growth strategy and respond to business opportunities, challenges or unforeseen circumstances, including supporting our lending operations, increasing our marketing expenditures to attract new members and technology platform clients and improve our brand awareness, developing our products, introducing new services, further expanding internationally in existing or new countries or further improving existing offerings and services, enhancing our operating infrastructure and potentially acquiring complementary businesses and technologies, and complying with the increased regulatory requirements for bank holding companies and banks. Accordingly, on a regular basis we need, or we may need, to engage in additional debt or equity financings to secure additional funds. However, additional funds may not be available when we need them, in amounts we need, or permitted to be applied to specific use cases, on terms that are acceptable to us or at all. Volatility in the credit markets in general or in the market for personal, student and home loans and credit cards in particular may also have an adverse effect on our ability to obtain debt financing. Although our borrowing costs have trended lower following the acquisition of a national bank charter, the cost of our borrowing could increase due to market volatility, interest rates that, while decreasing, remain higher than those in the recent past, changes in the risk premiums required by lenders or the unavailability of traditional sources of debt capital. Volatility or depressed valuations or trading prices in the equity markets may similarly adversely affect our ability to obtain equity financing. Furthermore, if we raise additional funds through further issuances of equity or convertible debt securities, our existing

56

SoFi Technologies, Inc.

stockholders could suffer significant dilution and any new equity securities we issue could have rights, preferences and privileges superior to those of holders of our common stock.

We are required to serve as a source of financial strength for SoFi Bank, which is subject to minimum capital requirements imposed by federal regulators, which means that we may be required to provide capital or liquidity support to SoFi Bank, even at times when we may not have the resources to provide such support. In addition, maintaining adequate liquidity is crucial to our securities brokerage, including key functions such as transaction settlement, custody requirements and margin lending. Our broker-dealer subsidiary, SoFi Securities, is subject to Rule 15c3-1 under the Exchange Act, which specifies minimum capital requirements intended to ensure the general financial soundness and liquidity of broker-dealers, and SoFi Securities is subject to Rule 15c3-3 under the Exchange Act, which requires broker-dealers to maintain certain liquidity reserves. We meet our liquidity needs primarily from working capital, deposits and cash generated by member activity, as well as from external debt and equity financing. Increases in the number of members, fluctuations in member cash or deposit balances, as well as market conditions or changes in regulatory treatment of member deposits, may affect our ability to meet our liquidity needs.

A reduction in our liquidity position could reduce our members' confidence in us, which could result in the withdrawal of member assets, including deposits held at SoFi Bank, and loss of members, or could cause us to fail to satisfy minimum capital requirements for SoFi Bank, or broker-dealer or other regulatory capital guidelines, which may result in immediate suspension of banking and other securities activities, regulatory prohibitions against certain business practices, increased regulatory inquiries and reporting requirements, increased costs, fines, penalties or other sanctions, by the Federal Reserve, the OCC, the SEC, FINRA or other SROs or state regulators, and could ultimately lead to the liquidation of SoFi Bank or our broker-dealer or other regulated entities. Factors which may adversely affect our liquidity position include temporary liquidity demands due to timing differences between brokerage transaction settlements and the availability of segregated cash balances, fluctuations in cash held in member accounts, a significant increase in our margin lending activities, increased regulatory capital requirements, changes in regulatory guidance or interpretations, or Federal Housing Administration or VA guidelines, other regulatory changes or a loss of market or member confidence resulting in unanticipated withdrawals of member assets. We expect that we will continue to use our available cash to fund our lending activities and help scale our Financial Services segment. To supplement our cash resources, we may seek to enter into additional securitizations and whole loan sale agreements and Loan Platform Business origination and sale agreements or increase the size of existing debt warehousing facilities, increase the size of, or replace, our revolving credit facility, continue to grow deposits and pursue other potential options. In addition, a reduction in our liquidity position could impair our technology platform clients' confidence in us and our platform as a service products and services, many of which require capital investments and ongoing platform maintenance by us, which could result in decisions by our technology platform clients to terminate or not renew their existing contracts or to not add new products to their account.

If we are unable to adequately maintain our cash resources, we may delay non-essential capital expenditures, implement cost cutting procedures, delay or reduce future hiring, discontinue the pursuit of our strategic objectives and growth strategies or reduce our rate of future originations compared to the current level. There can be no assurance that we can obtain sufficient sources of external capital to support the growth of our business. Delays in doing so or failure to do so may require us to reduce loan originations or reduce our operations, which would harm our ability to pursue our business objectives as well as harm our business, operating results and financial condition.

We are unable to finance all of the receivables that we originate or other assets that we hold, and that illiquidity could result in a negative impact on our financial condition.

We have the option of pursuing a gain-on-sale origination model, the success of which is tied to our ability to finance the assets that we originate. Certain of our assets, however, are ineligible for sale to a whole loan buyer, Loan Platform Business counterparty or securitization trust, or are ineligible for, or are subject to a lower advance rate under, warehouse funding, each of which has specific eligibility criteria for receivables it purchases or holds as collateral. Ineligible receivables include, among others, those in default or that are delinquent, receivables with defects in their origination or servicing, including fraud, or receivables generated under origination guidelines and credit policies that are no longer in effect. In addition, many of our warehouse funding sources and certain of our Loan Platform Business arrangements contain excess concentration limits for loans in forbearance or with specific loan level characteristics such as time-to-maturity or loan type. Once these limits have been exceeded, the advance rate applied to those receivables becomes less advantageous to us or, under such Loan Platform Business arrangements, we are prohibited from selling such loans to the relevant counterparty. If we are unable to sell or reasonably fund these receivables, we are required to hold them on our consolidated balance sheet which, in sufficient volume, negatively impacts our financial condition.

57

SoFi Technologies, Inc.

In addition to the receivables described above, we also hold on our consolidated balance sheet certain risk retention assets with respect to which we have a reduced ability to receive financing. These risk retention assets include residuals from our securitization trusts that are either ineligible for transfer or are subject to EU regulations. The illiquidity of these positions may negatively impact our financial condition.

Our checking and savings product is expected to continue to provide us with an important source of cost-efficient funding and any failure to scale the product due to our limited experience or a competitive marketplace could have a negative impact on our business, operating results and financial condition.

We expect that checking and savings, a deposit account product, will continue to provide us with an important source of deposits to use for cost-effective funding of loan originations and other activities. However, revenue growth for checking and savings is dependent on increasing the volume of members who open an account and on growing balances in those accounts. Although our checking and savings account product has grown since its introduction in the first quarter of 2022, there is no guarantee that account openings and the amount on deposit in those accounts will continue to grow. In addition, although we have invested in a number of initiatives to attract new checking and savings account holders and capture a greater share of our members' savings, including offering a competitive annual percentage yield on deposits and offering SoFi Plus membership benefits to certain deposit holders, there can be no assurance that these investments to acquire and retain members, provide differentiated features and services and spur usage of our deposit account product will be effective or cost effective. There are also no assurances that we will be able to maintain a competitive annual percentage yield on deposits, and members can easily transfer checking and savings account balances to our competitors. Further, developing our service offerings and marketing the checking and savings product in additional customer acquisition channels could have higher costs than anticipated or be less effective than anticipated, and could adversely impact our results or dilute our brand. Finally, our checking and savings product faces competition from similar products offered by our competitors which may offer more attractive features, including a higher interest rate on deposits, which may impact the success of the product. In the event we are unable to sufficiently grow the checking and savings product, we may be required to find alternative, higher-cost funding for our lending and other activities, or we might not be able to originate an acceptable or sustainable volume of loans, either of which could have a negative impact on our business, operating results and financial condition. See "Market and Interest Rate Risks - Fluctuations in interest rates could negatively affect the demand for our checking and savings product".

Any failure to accurately capture credit risk or to execute our funding strategy for SoFi Credit Card could have a negative impact on our business, operating results and financial condition.

In October 2024, we expanded our credit card program by launching two new credit cards: SoFi Everyday Cash Rewards and SoFi Essential, and in December 2025, we launched the SoFi Smart Card, a charge card secured by the member's SoFi Checking and Savings Account. The performance of these new credit cards and the existing SoFi Unlimited 2% Credit Card product is significantly dependent on the ability of the credit and fraud decisioning and scoring models we use to originate the product, which includes a variety of factors, to effectively prevent fraud, evaluate an applicant's credit profile and likelihood of default. Despite establishing a defined risk appetite and leveraging third-party stress testing of product loss forecasts, there is no assurance that our credit criteria can accurately predict repayment and loss profiles. If our criteria do not accurately prevent fraud or reflect credit risk on the SoFi Credit Card products, greater than expected losses may result and our business, operating results, financial condition and prospects could be materially and adversely affected.

The success of the SoFi Credit Card program is also dependent on our ability to grow revenue which is, in turn, dependent on increasing the volume of members who open an account and on growing loan balances on those accounts. Over time we will continue to invest in a number of new product initiatives to attract new SoFi Credit Card members and capture a greater share of our members' total spending and borrowings, including through rewards programs. However, the operation of our rewards program for certain of the SoFi Credit Card products could have a negative impact on the revenue for our Credit Card program. In addition, revenue growth for SoFi Credit Card may also be adversely affected by proposed restrictions on credit card interest. On January 9, 2026, President Trump announced his intent to fulfill a campaign promise to cap credit card interest at 10.00% for one year, to be effective on January 20, 2026, though no formal executive order or proposed rule was issued at that time. Although the proposed cap on credit card interest may provide opportunities in other segments of our business, if enforced, it would likely adversely impact the SoFi Credit Card program. The proposal currently faces an unclear enforcement path and significant industry opposition, with many questioning whether it would actually reduce credit availability for consumers.

While we have generally seen increases in revenue from SoFi Credit Card, there can be no assurance that our investments in SoFi Credit Card to acquire members, provide differentiated features and services and spur usage of our cards will continue to be effective, and developing our service offerings and forming new partnerships could have higher costs than anticipated, and could adversely impact our results or dilute our brand.

58

SoFi Technologies, Inc.

Furthermore, the success of the SoFi Credit Card products depends on our ability to execute on our funding strategy for the resulting credit card receivables. We may establish a credit card receivable securitization program in the future. There is no guarantee, however, that we will be successful in establishing a securitization program for these assets. In the event we are unable to finance our credit card receivables, we may be required to hold those assets on our consolidated balance sheet or sell them for a loss, either of which could have a negative impact on our business, operating results and financial condition.

Regulatory, Tax and Other Legal Risks

As a bank holding company, we are subject to extensive supervision and regulation, and changes in laws and regulations applicable to bank holding companies could limit or restrict our activities and could have a material adverse effect on our operations.

As a bank holding company, we are subject to regulation, supervision and examination by the Federal Reserve, and SoFi Bank is subject to regulation, supervision and examination by the OCC and the FDIC, as well as regulations issued by the CFPB. Federal laws and regulations govern numerous matters affecting us, including changes in the ownership or control of banks and bank holding companies, maintenance of adequate capital and the financial condition of a financial institution, permissible types, amounts and terms of extensions of credit and investments, permissible nonbanking activities, the level of reserves against deposits and restrictions on dividend payments. The OCC possesses the power to issue cease and desist orders to prevent or remedy unsafe or unsound practices or violations of law by banks subject to their regulation, and the Federal Reserve possesses similar powers with respect to bank holding companies. In general, the bank supervisory framework is intended to protect insured depositors and the safety, soundness and stability of the U.S. financial system and not shareholders in depository institutions or their holding companies.

In connection with applying for approval to become a bank holding company, we developed a financial and bank capitalization plan and enhanced our governance, compliance, controls and management infrastructure and capabilities in order to ensure compliance with all applicable regulations, which required, and will continue to require, substantial time, monetary and human resource commitments. If any new regulations or interpretations of existing regulations to which we are subject impose requirements on us that are impractical or that we cannot satisfy, our financial performance, and our stock price, may be adversely affected.

Federal regulations establish minimum capital requirements for insured depository institutions, including minimum risk-based capital and leverage ratios, and define "capital" for calculating these ratios. The minimum capital requirements are: (i) a common equity Tier 1 capital ratio of 4.5%; (ii) a Tier 1 to risk-based assets capital ratio of 6%; (iii) a total capital ratio of 8%; and (iv) a Tier 1 leverage ratio of 4%. The regulations also establish a "capital conservation buffer" of 2.5% of common equity Tier 1 capital. An institution will be subject to limitations on paying dividends, engaging in share repurchases and paying discretionary bonuses if its capital level falls below the capital conservation buffer amount. The federal banking regulators could also require the Company and/or SoFi Bank, as applicable, to hold capital that exceeds minimum capital requirements for insured depository institutions. The application of these capital requirements could, among other things, require us to maintain higher capital resulting in lower returns on equity, and we may be required to obtain additional capital, or face regulatory actions if we are unable, to comply with such requirements.

We are also subject to the requirements in Sections 23A and 23B of the Federal Reserve Act and the Federal Reserve's implementing Regulation W, which regulate loans, extensions of credit, purchases of assets, and certain other transactions between an insured depository institution (such as SoFi Bank) and its affiliates. The statute and regulation require us to impose certain quantitative limits, collateral requirements and other restrictions on "covered transactions" between SoFi Bank and its affiliates and require all transactions be on "market terms" and conditions consistent with safe and sound banking practices. For example, Galileo's provision of technology services to SoFi Bank is subject to Regulation W, including the requirement that the arrangement is on market terms. If we fail to comply with the requirements of Sections 23A and 23B of the Federal Reserve Act and Regulation W for any reason, we may be subject to significant penalties, including substantial civil fines, mandatory consent orders, restrictions on SoFi Bank's activities and, potentially, be required to divest subsidiaries.

The laws, rules, regulations, and supervisory guidance and policies applicable to us are subject to regular modification and change, including increased regulation as a result of the turmoil in the banking industry. These changes could adversely and materially impact us. For example, the Dodd-Frank Act and other federal banking laws subject companies with $10 billion or more of consolidated assets to additional regulatory requirements. Section 1075 of the Dodd-Frank Act, which is commonly known as the "Durbin Amendment", amended the Electronic Fund Transfer Act to restrict the amount of interchange fees that may be charged and prohibit network exclusivity for debit card transactions. SoFi Bank is required to comply with the restrictions on interchange fees that went into effect on July 1, 2023, which may negatively impact future interchange fees we

59

SoFi Technologies, Inc.

collect. In addition, in November 2023, the Federal Reserve proposed changes to the regulations implementing the Electronic Fund Transfer Act that would further restrict the amount of interchange fees that may be charged and require biennial reviews of those fees.

Furthermore, guidance from regulators of the Company and SoFi Bank can subject its non-bank affiliates to increased governance. For example, the OCC's guidance on retail non-deposit investment products, or RNDIPs, applies to referral arrangements that SoFi Bank may have with an affiliate, including SoFi Securities. This guidance, which was further updated in June 2024 to align with the SEC's Regulation BI, requires that banks implement and maintain effective oversight and monitoring of relevant RNDIP arrangements to ensure that, among other things, sales transactions and recommendations to retail investors comply with SEC regulations. In addition, our platform as a service activities engaged in through our Technology Platform, are subject to increased regulatory governance by the Federal Reserve, including related to anti-money laundering and sanctions compliance obligations, because Galileo and Technisys are non-bank subsidiaries of a bank holding company. Changes in laws, rules, regulations and supervisory guidance and policies could, among other things, subject us to additional costs, including costs of compliance; limit the types of financial services and products we may offer; and/or increase the ability of non-banks to offer competing financial services and products. Failure to comply with laws, regulations, policies, or supervisory guidance could result in enforcement and other legal actions by federal and state authorities, including criminal and civil penalties, the loss of FDIC insurance, revocation of a banking charter or registration as a broker-dealer and investment adviser, other sanctions by regulatory agencies, civil money penalties, and/or reputational damage, which could have a material adverse effect on our business, financial condition, and results of operations.

Finally, we have recently introduced and intend to continue to explore other products for SoFi Bank over time, including digital assets and blockchain products, and expect to expand SoFi Bank's product offering internationally. Certain of those products and international activities may require, or be deemed to require, additional data, procedures, partnerships, regulatory approvals, or capabilities that we have not yet obtained or developed. Should we fail to expand and evolve SoFi Bank products and activities in a successful manner, or should these new products, or new regulations or interpretations of existing regulations, impose requirements on us that are cumbersome or that we cannot satisfy, our business may be materially and adversely affected.

The U.S. Congress, the U.S. Presidential administration, or any new administration may make substantial changes to fiscal, tax, and other federal policies that may adversely affect our business.

The current U.S. Presidential administration has made and continues to call for significant changes to U.S. trade, healthcare, immigration and government regulatory policy and has implemented policy changes at a rapid pace. Changes to U.S. policy implemented by the U.S. Congress, the current U.S. Presidential administration or any new administration have impacted among other things, the U.S. and global economy, international trade relations, unemployment, immigration, healthcare, taxation, the U.S. regulatory environment, inflation, defense and other areas. Although we cannot predict the impact, if any, of these changes to our business, they could adversely affect our business. Until we know what policy changes are made, whether those policy changes are challenged and subsequently upheld by the court system and how those changes impact our business and the business of our competitors over the long term, we will not know if, overall, we will benefit from them or be negatively affected by them.

Failure to comply with applicable laws, regulations or commitments, or to satisfy our regulators' supervisory expectations, could subject us to, among other things, supervisory or enforcement action, which could adversely affect our business, financial condition and results of operations.

If we do not comply with applicable laws, regulations or commitments, if we are deemed to have engaged in unsafe or unsound conduct, or if we do not satisfy our regulators' supervisory expectations, then we may be subject to increased scrutiny, supervisory criticism, governmental or private litigation and/or a wide range of potential monetary penalties or consequences, enforcement actions, criminal liability and/or reputational harm. Such actions could be public or of a confidential nature, and arise even if we are acting in good faith or operating under a reasonable interpretation of the law and could include, for example, monetary penalties, payment of damages or other monetary relief, restitution or disgorgement of profits, directives to take remedial action or to cease or modify practices, restrictions on growth or expansionary proposals, denial or refusal to accept applications, removal of officers or directors, prohibition on dividends or capital distributions, increases in capital or liquidity requirements and/or termination of SoFi Bank's deposit insurance. Additionally, compliance with applicable laws, regulations and commitments requires significant investment of management attention and resources. Any failure to comply with applicable laws, regulations or commitments could have an adverse effect on our business, financial condition and results of operations.

60

SoFi Technologies, Inc.

An inability to accept or maintain deposits due to regulatory constraints could materially adversely affect our liquidity position and our ability to fund our business.

SoFi Bank accepts deposits and uses the proceeds as a source of funding, with our direct retail deposits becoming a larger proportion of our funding over time. Our deposit product has several features designed to attract consumers, including competitive interest rates, the availability of the SoFi Insured Deposit Program, whereby funds (up to $3 million) are deposited into deposit accounts at banks which are insured by the FDIC up to the applicable limits, and SoFi Plus rewards opportunities. Despite these features, we continue to face strong competition with regard to deposits, and our ability to accept and maintain deposit funding and offer competitive interest rates on deposits is dependent on, among other things, SoFi Bank's capital levels. The FDIA's brokered deposit provisions and related FDIC rules in certain circumstances prohibit banks from accepting or renewing brokered deposits and apply other restrictions, such as a cap on interest rates that can be paid. For example, while SoFi Bank met the definition of "well-capitalized" as of December 31, 2025 and currently has no restrictions regarding acceptance of brokered deposits or setting of interest rates, there can be no assurance that we will continue to meet this definition. Additionally, our regulators can adjust applicable capital requirements at any time and have authority to place limitations on our deposit business. An inability to attract or maintain deposits in the future due to regulatory constraints could materially adversely affect our ability to fund our business.

Legislative and regulatory policies and related actions have had and could in the future have a material adverse effect on borrower behavior, our student loan portfolios and our student loan origination volume.

Recent and evolving changes to federal student loan laws, regulations, and Department of Education policies-including material changes adopted in 2025 and scheduled to take effect in 2026-could adversely affect our student loan-related businesses (including origination, refinancing, servicing, collections, and ancillary products) by changing borrower repayment behavior, demand for refinanced student loan and other student loan credit products, and broader economic trends, and could materially impact our financial condition and results of operations. In particular, recent developments include (i) significant legislative changes enacted in 2025 that are expected to restructure aspects of federal borrowing and repayment beginning July 1, 2026, including the introduction of a new income-driven repayment option (commonly described as a "Repayment Assistance Plan"), changes to borrowing limits and program design, and the elimination of the GRAD Plus program, (ii) continued policy and litigation-driven disruption associated with the Biden administration SAVE repayment plan, including Department of Education actions tied to court injunctions and subsequent program transitions, and (iii) changes to federal default and involuntary collection practices, including a recently announced pause on wage garnishment and tax refund offsets for certain borrowers in default while the Department of Education implements repayment system changes. The Department of Education has also finalized additional program regulations with effective dates in 2026 (including regulations affecting Public Service Loan Forgiveness).

These developments-and any further changes adopted by Congress, the Department of Education, the CFPB, or the courts-may increase uncertainty and volatility in borrower behavior and the economics of both federal and private student loan products. For example, modifications to repayment options, forgiveness eligibility, and default collection policies may change borrowers' incentives to refinance federal loans into private loans; reduce demand for our products; increase prepayment or extension risk; and shift delinquency, default, and cure patterns in ways that are difficult to predict. Similarly, although it may appear that the elimination of the GRAD Plus federal loan program will increase demand for our private student loan product, there is no guarantee that this will occur. In addition, program changes may increase operational complexity (including system updates, borrower communications, and training), elevate complaint volume and regulatory scrutiny, and heighten litigation and enforcement risk-particularly if borrowers experience payment shocks, confusion regarding plan transitions, or disputes over eligibility and servicing practices. Because the scope, implementation timing, and interpretation of these changes remain uncertain-and could be further modified through additional rulemaking, sub-regulatory guidance, appropriations actions, or court decisions-we may be required to make rapid changes to products, underwriting, servicing, loss mitigation, and compliance processes, and we may incur increased costs to do so. Any failure to timely and effectively adapt, or any adverse effect on borrower performance, demand, or competitive dynamics, could materially and adversely affect our business, reputation, results of operations, and financial condition.

Furthermore, these policy shifts may influence the overall financial well-being and creditworthiness of individuals carrying student debt. For example, the replacement of multiple income-driven repayment options with narrower alternatives, changes to forgiveness eligibility, and increased default collection activity could raise monthly payment burdens or accelerate delinquency for certain borrowers, potentially reducing consumer spending, increasing financial stress, or altering borrowing patterns. In addition, uncertainty around future student loan policy-such as ongoing litigation, shifting program eligibility criteria, or potential future reforms-may affect borrower confidence and decision-making. These conditions could lead to

61

SoFi Technologies, Inc.

variations in demand for consumer financial products, increased credit risk, or changes in macroeconomic consumption patterns that negatively impact our business operations, loan portfolios, liquidity, or financial results.

Finally, although repayment requirements for federal student loans have resumed since October 2023, following multiple extensions of the CARES Act's pause on student loan repayments, which began in March 2020, and despite current uncertainty as to the future of the Department of Education itself and to prior policy proposals related to student debt relief and federal student loan programs, policymakers continue to face political pressure to reduce or cancel student loans or accrued interest at a significant scale. If this political pressure results in the revival of any student debt relief policy proposals, it could reduce demand for our student loan refinancing product and have a negative impact on our loan origination volume and revenue. If in the future, student loans were forgiven or canceled in any meaningful scale, or if federal loan borrowers were permitted to refinance at lower interest rates, our student loan refinancing business within our Lending segment would be materially and adversely affected and our profitability, results of operations, financial condition, cash flows or future business prospects could be materially and adversely affected as a result. In addition, proposals to make student loans dischargeable in bankruptcy or similar proposals could make whole loan purchasers less likely to purchase our student loans, securitization investors less likely to purchase securities backed by our student loans or warehouse lenders less likely to lend against our student loans at attractive advance rates. As a result of any material adverse effect to our Lending segment, our overall profitability, results of operations, financial condition, cash flows or future business prospects may be adversely affected.

Although we continue to evaluate the ultimate impact of local, state and federal legislation, regulation and politics, guidance and actions, future legislative, regulatory and executive actions, and the ongoing impact of our own forbearance measures on our financial results, business operations and strategies, there is no guarantee that our estimates will be accurate or that any actions we take based on such estimates will be successful. Furthermore, we believe that the cost of responding to, and complying with, evolving laws and regulations, as well as any guidance from enforcement actions, will continue to increase, as will the risk of penalties and fines from any enforcement actions that may be imposed on our businesses. Our profitability, results of operations, financial condition, cash flows or future business prospects could be materially and adversely affected as a result.

If we fail to comply with federal and state consumer protection laws, rules, regulations and guidance, our business could be adversely affected.

We must comply with federal, state and local consumer protection laws including, among others, the federal and state UDAAP laws, the Federal Trade Commission Act, the Truth in Lending Act, the CRA, the Real Estate Settlement Procedures Act, the ECOA, the FHA, the HMDA, the Secure and Fair Enforcement for Mortgage Licensing Act, FCRA, state law versions of the Fair Debt Collection Practices Act, the Servicemembers Civil Relief Act, the Military Lending Act, the Electronic Fund Transfer Act, the GLBA, the CARES Act and the Dodd-Frank Act. We must also comply with laws on advertising, as well as privacy laws, including the TCPA, the Telemarketing Sales Rule, the CAN-SPAM Act, the Personal Information Protection and Electronic Documents Act, applicable laws and regulations of Hong Kong including the Personal Data (Privacy) Ordinance and the Personal Data (Privacy) (Amendment) Ordinance 2012 and the CCPA and other state privacy laws. Privacy and data security concerns, data collection and transfer restrictions, contractual obligations and U.S. laws and regulations related to data privacy, security and protection could materially and adversely affect our business, financial condition and results of operations. Compliance with applicable laws is costly, and our failure to comply with applicable federal, state and local laws could lead to:

•loss of our licenses and approvals to engage in our lending and servicing businesses;

•damage to our reputation in the industry;

•governmental investigations and enforcement actions;

•administrative fines and penalties and litigation;

•civil and criminal liability, including class action lawsuits;

•inability to enforce loan agreements;

•diminished ability to sell loans that we originate or purchase, requirements to sell such loans at a discount compared to other loans or repurchase or address indemnification claims from purchasers of such loans;

•loss or restriction of warehouse facilities to fund loans;

•loss of Loan Platform Business counterparties and whole loan purchasers to purchase loans;

•inability to raise capital; and

•inability to execute on our business strategy, including our growth plans.

62

SoFi Technologies, Inc.

For example, we rely on a variety of direct marketing techniques, including email and telephone marketing. These activities are regulated by legislation such as the CAN-SPAM Act and TCPA. Any failure by us to comply fully with the CAN-SPAM Act and/or TCPA may leave us subject to substantial fines and penalties. In addition, any future restrictions in laws such as the CAN-SPAM Act and TCPA, and various United States state laws, or new federal laws regarding marketing and solicitation or international data protection laws that govern these activities could adversely affect the continuing effectiveness of our marketing efforts and could force changes in our marketing strategies. If this occurs, we may not be able to develop adequate alternative marketing strategies, which could have a material adverse impact on our results of operations.

The CRA, to which SoFi Bank is subject, presents another useful example of how a failure to comply with applicable laws could hamper our growth. On January 1, 2023, SoFi Bank began operating under a five-year CRA strategic plan which includes measurable goals relating to: (i) CD Lending and CD Investments, (ii) CD Contributions, (iii) CD Services, (iv) Small Business Lending, and (v) Retail Services and Products. The OCC's assessment of our compliance with the CRA is taken into account when evaluating any application we submit for, among other things, a merger or the acquisition of another financial institution. Our failure to satisfy our CRA obligations could, at a minimum, result in the denial of such applications and limit our growth.

In addition, SoFi Bank and its affiliates are subject to supervision and regulation by the CFPB, an agency which oversees compliance with and enforces federal consumer financial protection laws, with respect to federal consumer protection laws, including laws relating to fair lending and the prohibition of UDAAP in connection with the offer, sale or provision of consumer financial products and services. As part of its regulatory oversight, the CFPB may seek a range of remedies, including rescission of contracts, refund of money, return of real property, restitution, disgorgement of profits or other compensation for unjust enrichment, damages, public notification of the violation and "conduct" restrictions (i.e., future limits on the target's activities or functions). Under the Biden administration, the CFPB pursued an aggressive enforcement policy with respect to a range of regulatory compliance matters. For example, on January 6, 2022, the CFPB announced an initiative to scrutinize so-called consumer "junk fees." Since then, the CFPB has issued guidance to banks on how to avoid charging unlawful overdraft and depositor fees, confirmed their policy against "pay to pay" fees or charging any fees not expressly authorized and properly disclosed in a consumer agreement, issued a final rule limiting credit card penalty fees, which was stayed pending ongoing litigation, and launched an inquiry into junk fees in mortgage closing costs. The CFPB has also identified additional unfair, deceptive, and abusive acts or practices that could violate the CFPA, including certain billing and collection practices after bankruptcy discharges of certain student loan debt, taking unreasonable advantage of a consumer's reasonable reliance on an operator or lead generator to act in the consumer's interests, and including unclear or unenforceable terms and conditions in consumer contracts or fine print. Notably, the CFPB rescinded guidance on substantially all of these topics in May 2025. However, the positions taken in the now-rescinded guidance still represent potentially valid interpretations of existing law, which may be enforced or pursued by the CFPB or other federal or state regulators, or private plaintiffs, now or in the future. The CFPB previously focused on student borrower harms from servicing failures, program disruptions, college banking and credit card agreements, and a variety of illegal practices and has been active in litigation against student loan servicers and others, including Climb Credit and its largest shareholder 1/0, Ejudicate, Navient, Prehired, the National Collegiate Student Loan Trusts and Pennsylvania Higher Education Assistance Agency, Western Benefits Group, Student Loan Pro and its owner, Judith Noh, and Performant Recovery, Inc. for CFPA and other violations. Increased enforcement or rules from the CFPB could increase our legal and financial compliance costs, require us to evaluate or amend certain activities or products in light of evolving compliance standards, make certain activities more difficult, time-consuming and costly, and increase demand on our systems and resources.

Furthermore, we hold lending licenses or similar authorizations in multiple states, each of which has the authority to supervise and examine our activities. As a licensed consumer lender, mortgage lender, loan broker, collection agency, and loan servicer in certain states, we are subject to examinations by state agencies in those states. Similarly, we are subject to licensure requirements and regulations as an education loan servicer in multiple states. An administrative proceeding, litigation, investigation or regulatory proceeding relating to allegations or findings of the violation of such laws by us, any sub-servicer we engage, or our collection agents, could impair our ability to service and collect on our loans or could result in requirements that we pay damages, fines or penalties and/or cancel the balance or other amounts owing under one or more of our loans. There is no assurance that allegations of violations of the provisions of applicable federal or state consumer protection laws will not be asserted against us, any sub-servicers or collection agents we engage or other prior owners of our loans in the future. To the extent it is determined that any of our loans were not originated in accordance with all applicable laws, we may be obligated to repurchase such loan from a whole loan buyer, Loan Platform Business counterparty, securitization trust or warehouse facility.

While we have developed and monitor policies and procedures designed to assist in compliance with laws and regulations, no assurance can be given that our compliance policies and procedures will be effective and that we will not be subject to fines and penalties. For example, in 2019, we were subject to a consent order from the FTC (the "FTC Consent Order"), which resolved allegations that we misrepresented how much money student loan borrowers have saved or would save

63

SoFi Technologies, Inc.

from financing their loans with us, in violation of the Federal Trade Commission Act. Under the FTC Consent Order, we are prohibited from misrepresenting to consumers how much money they would save by using our products, unless the claims are backed up by reliable evidence. Ambiguities in applicable statutes and regulations may leave uncertainty with respect to permitted or restricted conduct and may make compliance with laws, and risk assessment decisions with respect to compliance with laws, difficult and uncertain. In addition, ambiguities make it difficult, in certain circumstances, to determine if, and how compliance violations may be cured. We have in the past and may in the future fail to comply with applicable statutes and regulations even if acting in good faith, or because governmental bodies or courts interpret existing laws or regulations in a more restrictive manner, which have in the past and may in the future lead to regulatory investigations, governmental enforcement actions or private causes of action with respect to our compliance. To resolve issues raised in examinations or other governmental actions, we may be required to take various corrective actions, including changing certain business practices, making refunds or taking other actions that could be financially or competitively detrimental to us. In certain cases, regardless of fault, it may be less time-consuming or costly to settle these matters, which may require us to implement certain changes to our business practices, provide remediation to certain individuals or make a settlement payment to a given party or regulatory body. There is no assurance that any future settlements will not have a material adverse effect on our business.

We hold state licenses that result in substantial compliance costs, and our business would be adversely affected if our licenses are impaired as a result of noncompliance with those requirements.

We currently hold state licenses in connection with our lending activities, student loan servicing activities, and securities business. Although we have transitioned our lending products to SoFi Bank, for as long as SoFi Lending Corp. brokers, purchases or master services or services loans, we must comply with certain state licensing requirements and varying compliance requirements. Changes in licensing laws may result in increased disclosure requirements, increased fees, or may impose other conditions to licensing that we or our personnel are unable to meet. In most states in which we operate, a regulatory agency or agencies regulate and enforce laws relating to loan servicers, brokers, and originators, and collection agencies. We are subject to periodic examinations by state and other regulators in the jurisdictions in which we conduct business, which can result in increases in our administrative costs and refunds to borrowers of certain fees earned by us, and we may be required to pay substantial penalties imposed by those regulators due to compliance errors, or we may lose our license or our ability to do business in the jurisdiction otherwise may be impaired. Fines and penalties incurred in one jurisdiction may cause investigations or other actions by regulators in other jurisdictions.

We may not be able to obtain or maintain all currently required licenses and permits. If we change or expand our business activities, we may be required to obtain additional licenses before we can engage in those activities. If we apply for a new license, a regulator may determine that we were required to do so at an earlier point in time, and as a result, may impose penalties or refuse to issue the license, which could require us to modify or limit our activities in the relevant state. For example, we have been fined in the past by state regulators for engaging in financial services related activities prior to obtaining a license. Based on changes to our businesses, we may also forfeit certain of our licenses that are no longer required. Regulators may impose conditions, requirements or penalties in connection with the forfeiture of any of our licenses.

States may also expand or otherwise modify their current regulations and if such states so act, we may not be able to comply with such updated regulations or maintain all requisite licenses and permits in such states or our costs of compliance with and maintenance of such licenses or permits may materially increase. For example, California, Colorado and Maine have implemented additional regulations related to student loan servicers which impose additional registration, reporting and disclosure requirements and which, if applicable to us, may increase our costs of servicing loans in those states.

In addition, the states that currently do not provide extensive regulation of our business may later choose to do so, and if such states so act, we may not be able to obtain or maintain all requisite licenses and permits, which could require us to modify or limit our activities in the relevant state or states. The failure to satisfy those and other regulatory requirements could result in a default under our warehouse facilities, other financial arrangements and/or servicing agreements and thereby have a material adverse effect on our business, financial condition and results of operations.

Our compliance and risk management policies and procedures as a bank, bank holding company and otherwise regulated financial services company may not be fully effective in identifying or mitigating compliance and risk exposure in all market environments or against all types of risk.

As a bank, a bank holding company and a financial services company operating in the banking and securities industry, among others, our business exposes us to a number of heightened risks. We have devoted significant resources to developing our compliance and risk management policies and procedures and will continue to do so, but there can be no assurance these are sufficient, especially as our business is rapidly growing and evolving. Nonetheless, our limited operating history in many of the products we offer, our evolving business and our rapid growth make it difficult to predict all of the risks and challenges we may encounter and may increase the risk that our policies and procedures that serve to identify, monitor and manage compliance

64

SoFi Technologies, Inc.

risks may not be fully effective in mitigating our exposure in all market environments or against all types of risk. Further, certain controls are manual and are subject to inherent limitations and errors in oversight. This could cause our compliance and other risk management strategies to be ineffective. Other compliance and risk management methods depend upon the evaluation of information regarding markets, customers, catastrophic occurrences or other matters that are publicly available or otherwise accessible to us, which may not always be accurate, complete, up-to-date or properly evaluated. Insurance and other traditional risk-shifting tools may be held by or available to us in order to manage certain exposures, but they are subject to terms such as deductibles, coinsurance, limits and policy exclusions, as well as risk of counterparty denial of coverage, default or insolvency. Any failure to maintain effective compliance and other risk management strategies could have an adverse effect on our business, financial condition and results of operations.

We are also exposed to heightened regulatory risk because our business is subject to extensive regulation and oversight in a variety of areas, and such regulations are subject to evolving interpretations and application and it can be difficult to predict how they may be applied to our business, particularly as we introduce new products and services and expand into new jurisdictions. For example, the regulatory landscape involving digital assets is constantly evolving and we recently relaunched our digital assets offering.

Also, due to market volatility, it is difficult to predict how much capital we will need in the future to meet net capital requirements. Any perceived or actual breach of laws and regulations could negatively impact our business, financial condition or results of operations. It is possible that these laws and regulations could be interpreted or applied in a manner that would prohibit, alter or impair our existing or planned products and services.

Regulatory scrutiny of banking as a service, or BaaS, solutions has increased and may require us to devote significant resources to enhancing our Technology Platform policies, procedures, operations, controls and products, and the failure to satisfy such increased scrutiny may cause regulators to take action against us or our BaaS partners, or result in a loss of one or more of our BaaS partners.

Our Technology Platform facilitates the provision of BaaS products and services to third parties through various card, deposit, payment, transfer, credit and lending solutions that allow financial technology companies or other third parties to, among other things, connect to sponsor banks' systems directly via application programming interfaces and cloud infrastructure so they can build banking offerings on top of the sponsor banks' regulated infrastructure. In addition, our Technology Platform offers an end-to-end core banking platform solution with integrated payment processing. Furthermore, in connection with our Technology Platform's BaaS solutions, we sometimes offer certain program management, data, analytics, compliance and risk management functions, including managing anti-money laundering and fraud risks. The third parties that use these BaaS solutions include a variety of financial entities, including banks, fintech companies and other financial intermediaries. SoFi Bank is one of the sponsor banks that utilizes our BaaS products and services and may continue to do so in the future.

Federal bank regulators have increasingly focused on the risks related to BaaS solutions, including risk management, oversight, internal controls, information security, change management and information technology operational resilience, as well as potential systemic risk posed by BaaS solutions to the larger banking industry. Recently, regulators have even brought enforcement actions against financial entities that have allegedly not adequately addressed these concerns while growing their BaaS offerings. Regulators have specifically required these financial entities to enhance oversight of third-party fintech partnerships, improve control frameworks related to anti-money laundering and BSA compliance, and adopt, implement and adhere to revised and expanded risk-based policies, procedures and processes. If we or any of the fintech clients or sponsor bank partners supported by our Technology Platform were to face regulatory actions that limit the growth of our or their fintech business, or if we were forced to stop growing our Technology Platform, or if any of our fintech clients or sponsor banks were to limit or cease their participation in BaaS solutions, this could have a negative impact on our revenue and results of operation for the Technology Platform segment.

Furthermore, regulatory scrutiny of BaaS solutions extends directly to middleware providers, such as our Technology Platform, which, in certain circumstances, bear accountability for their partners' compliance and risk management, including with respect to penalties, fines, and other measures that bank regulatory agencies take in the event of non-compliant activity or risks that are not well controlled. This is particularly true when the BaaS solution includes program management, and compliance and risk management controls, including managing anti-money laundering and fraud risks. In addition, as our fintech and sponsor bank partners face increased regulatory scrutiny, their scrutiny of our services will likely increase and our inability to satisfactorily respond to partner demands could result in those partners moving to different solutions. Assessing and managing risk for our Technology Platform clients in the face of regulatory and client scrutiny has in the past and will continue to require us to devote significant resources to enhancing relevant policies, procedures, operations and products. Finally, as a subsidiary of a bank holding company, any failure of our Technology Platform's BaaS solutions to withstand regulatory scrutiny could reflect badly on our relationship with our regulators and on our overall reputation.

65

SoFi Technologies, Inc.

While we believe we are a leader in managing, monitoring and overseeing BaaS relationships with third parties and corresponding technologies, if we are not successful in continuing to enhance our controls for assessing and managing the third-party, anti-money laundering, fraud and information technology risks stemming from certain of our fintech and sponsor bank partnerships, we could be subject to additional regulatory scrutiny with respect to that portion of our business which could subject us to regulatory fines or other penalties, or business or reputational harm, and could adversely affect our financial condition and results of operations.

We may become subject to enforcement actions or litigation as a result of our failure to comply with laws and regulations, even though noncompliance was inadvertent or unintentional.

We maintain systems and procedures designed to ensure that we comply with applicable laws and regulations; however, certain legal/regulatory frameworks provide for the imposition of fines or penalties for noncompliance even though the noncompliance was inadvertent or unintentional and even though there were systems and procedures designed to ensure compliance in place at the time.

For example, we engage in outbound telephone and text communications with consumers, and accordingly must comply with a number of federal and state statutes and regulations that regulate certain such communications, including the TCPA and Telemarketing Sales Rules. The U.S. Federal Communications Commission (the "FCC"), and the FTC have responsibility for regulating various aspects of certain of these federal laws. Among other requirements, the TCPA requires us to obtain prior express written consent for certain telemarketing calls and to adhere to "do-not-call" registry requirements which, in part, mandate we maintain and regularly update lists of consumers who have chosen not to be called and restrict certain calls for marketing purposes to consumers whose numbers are properly registered on the national do-not-call list. Further, in late 2023 and early 2024, the FCC introduced various new TCPA requirements relating to, among other things, lead generation, prior express written consent to marketing calls made with certain telephony technology and processing opt-outs and do not call requests. These new requirements went into effect in January 2025. In addition to federal laws, many states also have mini-TCPA and other similar consumer protection laws regulating certain telemarketing calls directed to their residents. Collectively, these federal and state laws limit our ability to communicate with consumers through calls and text messages and reduce the effectiveness of our marketing programs. As construed by certain courts, the TCPA and certain state mini-TCPA laws do not distinguish between voice and data, and, as such, SMS/MMS messages are also "calls" for the purpose of these laws. Other state mini-TCPA laws expressly include SMS/MMS messages within their scope.

For violations of the TCPA, the law provides for a private right of action under which a plaintiff may recover monetary statutory damages of $500 for each call or text made in violation of the statute. A court may treble the $500 amount upon a finding of a willful or knowing violation. There is no statutory cap on maximum aggregate exposure for TCPA violations (although certain courts have applied in TCPA class actions constitutional limits on excessive penalties). Like the TCPA, several mini-TCPA and other similar state laws also provide for a private right of action under which a plaintiff may recover statutory damages of $500 or more for each violative call or text and enhanced statutory damages if the violation is knowing or willful. An action may be brought by the FCC, a state attorney general, an individual, or a class of individuals. Like other companies that rely on telephone and text communications, we may be subject to putative class action suits alleging violations of the TCPA, and state mini-TCPA and other similar state laws. If in the future we are found to have violated any federal or state law regulating telemarketing, the amount of damages and potential liability could be extensive and adversely impact our business.

In addition, we use credit reports in our credit decisioning processes and, accordingly, must comply with FCRA which requires a permissible purpose to obtain a consumer credit report and requires persons that furnish loan payment information to credit bureaus to report such information accurately. We are also required to perform a reasonable investigation in the event we receive indirect disputes from the credit bureaus about the accuracy of our credit reporting for a particular consumer and to update any inaccurate information we discover. Although we have policies and procedures in place to comply with FCRA, we are subject to lawsuits alleging that we failed under FCRA to adequately investigate indirect disputes over credit reporting which we receive from one or more credit bureaus. We have experienced an increase in such FCRA claims since our business has grown and even if we are ultimately successful in defending against such suits, they could involve substantial time and expense to analyze and respond to, could divert management's attention and other resources from running our business, and could lead to settlements, judgments, fines, penalties or injunctive relief. We are also subject to contractual requirements governing our use of credit reports established by the credit bureaus from whom we receive the reports. If credit reporting data is accessed, used, disclosed, or retained in a manner that is inconsistent with those contractual requirements - whether due to employee misconduct, system error, third-party service provider failure, cyberattack, or otherwise - we could be subject to contractual claims, indemnification obligations, and remediation costs. In addition, we could be required to suspend or limit access to certain data sources, which could adversely affect our underwriting, fraud prevention, marketing, or servicing

66

SoFi Technologies, Inc.

operations. Any such event could also result in reputational damage, loss of consumer trust, adverse media coverage, increased compliance costs, and harm to our business, financial condition, and results of operations.

Changes in applicable laws and regulations, as well as changes in government enforcement policies and priorities, may negatively impact the management of our business, results of operations, ability to offer certain products or the terms and conditions upon which they are offered, and ability to compete.

Financial services regulation is constantly changing, and new laws or regulations, or new interpretations of existing laws or regulations, could have a materially adverse impact on our ability to operate as currently intended, and cause us to incur significant expense in order to ensure compliance. Federal and state financial services regulators are also enforcing existing laws, regulations, and rules aggressively and enhancing their supervisory expectations regarding the management of legal and regulatory compliance risks. These regulatory changes and uncertainties make our business planning more difficult and could result in changes to our business model and potentially adversely impact our results of operations. Furthermore, to the extent applicable, these laws can impose specific statutory liabilities upon creditors who fail to comply with their provisions and may affect the enforceability of a loan.

Proposals to change the statutes affecting financial services companies are frequently introduced in Congress and state legislatures that, if enacted, may affect their operating environment in substantial and unpredictable ways. In addition, numerous federal and state regulators and SROs have the authority to promulgate or change regulations that could have a similar effect on our operating environment. We cannot determine with any degree of certainty whether any such legislative or regulatory proposals will be enacted and, if enacted, the ultimate impact that any such potential legislation or implementing regulations, or any such potential regulatory actions by federal or state regulators, would have upon our business.

New laws, regulations, policy or changes in enforcement of existing laws or regulations applicable to our business, or reexamination of current practices, could adversely impact our profitability, limit our ability to continue existing or pursue new business activities, require us to change certain of our business practices, affect retention of key personnel, or expose us to additional costs (including increased compliance costs and/or customer remediation). These changes have in the past and may in the future require us to invest significant resources, and devote significant management attention, to make any necessary changes and could adversely affect our business. For example, on October 13, 2023, the SEC adopted rules relating to providing additional disclosures in the securities lending market. These rules require any covered person that loans a reportable security on behalf of itself or another person to report certain material terms of those loans and related information to FINRA by the end of the day on which the loan is effected. FINRA in turn will make certain information it receives publicly available by the next business day. These regulations could make securities lending more costly, leading to less overall lending activity and a decrease in revenue. On February 22, 2024, the SEC adopted amendments to Rule 605 under the Exchange Act that requires disclosures for order executions in national market system ("NMS") stocks. The amendments modify the type of information required to be disclosed under Rule 605 and expand the scope of reporting entities subject to Rule 605 to include broker-dealers who introduce or carry 100,000 or more customer accounts. Modifications to Rule 605 include new definitions, new and modified categories of order types, and new statistical measures of execution quality and other metrics. New execution quality reporting requires granular, public monthly reports, including fractional shares and stop orders. Errors or unfavorable public metrics could harm our reputation and result in enforcement risk. In May 2024, the SEC adopted amendments to Regulation S-P ("Reg S-P") which went into effect for large covered institutions (including SEC-registered investment advisers with $1.5 billion in assets under management, investment companies with $1 billion in net assets and all broker-dealers that are not small institutions under the Exchange Act) in December 2025, and will go into effect for all other covered institutions in June 2026. The finalized amendments to Reg S-P are designed to address the expanded use of technology and corresponding risks that have emerged since Reg S-P's original adoption and modernize and improve the protection of consumer financial information by certain financial institutions, also known as "covered institutions" (including broker-dealers and investment advisers). As adopted, amended Reg S-P (i) requires covered institutions to develop, implement, and maintain written policies and procedures for an incident response program that is reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information; (ii) requires that the response program include procedures for covered institutions to provide timely notification to affected individuals whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization; and (iii) broadens the scope of information covered by Regulation S-P's requirements. Failure to meet these obligations, or the failures of vendors on whom we rely, could lead to enforcement actions, litigation and significant costs. On September 18, 2024, the SEC adopted rules that would (i) amend Rule 612 of Regulation NMS to establish a new minimum pricing increment, also known as a tick size, of $0.005 for the quoting of certain NMS stocks; (ii) reduce the access fee caps applicable to stock exchanges under Rule 610 of Regulation NMS (from $0.003 per share (i.e., 30 mils) to $0.001 per share (i.e., 10 mils) and require national securities exchanges to make the amounts of all fees and rebates determinable at the time of execution; and (iii) accelerate the implementation of the round lot and odd-lot information definitions adopted in 2020 under the Market Data Infrastructure Rules ("MDI Rules") and add information about the best odd-lot order to the definition of odd-lot information. On December 20, 2024, the SEC adopted changes to SEC Rule

67

SoFi Technologies, Inc.

15c3-3 and 15c3-1 that modify how broker-dealers protect customer assets and calculate their minimum required "net capital." These changes, particularly the amendments to Rule 612 and 610 of Regulation NMS, will likely affect the economics for orders executed on national stock exchanges and as a result may impact order routing and order execution decisions by market participants, including third parties on which we rely, like clearing brokers. See "Business, Financial and Operational Risks - We rely on third parties to perform certain key functions, and their failure to perform those functions could adversely affect our business, financial condition and results of operations". Compliance with this rule may impose additional cost on our business. In addition, SoFi Securities' ability to generate revenue may be impacted as a result of the changes in stock exchange fee caps and the resulting potential changes in order routing and execution decisions. The ultimate effect of these potential changes is uncertain and may impact how SoFi Securities manages and evaluates its compliance with other obligations, such as its obligation to achieve best execution for customer orders.

See also "Lawmakers, regulators and other public officials have signaled an increased focus on new or additional laws or regulations that could impact our broker-dealer business and require us to make significant changes to our business model and practices and could result in significant costs to our business or loss of current revenue streams". Compliance with each of these rules, when applicable and if required, would impose additional costs on our business. To the extent such proposals affect the equity market structure more broadly, our ability to generate revenue may be impaired. There is also the risk that, despite our best efforts, the SEC or FINRA does not view our compliance measures as sufficient. This risk is substantially elevated where regulators adopt a substantial number of new rules in a short time frame. In addition, non-compliance with any adopted requirements would likely result in enforcement action by the SEC or FINRA.

Extensive regulation and supervision have a negative impact on our ability to compete in a cost-effective manner and may subject us to material compliance costs and penalties.

The Company, primarily through its subsidiary SoFi Bank and certain non-bank subsidiaries, is subject to extensive federal and state regulation and supervision. Banking regulations are primarily intended to protect depositors' funds, federal deposit insurance funds and the banking system as a whole. Many laws and regulations affect our lending practices, capital structure, investment practices, dividend policy and growth, among other things. They encourage us to ensure a satisfactory level of lending in defined areas and establish and maintain comprehensive programs relating to anti-money laundering and customer identification. Congress, state legislatures, and federal and state regulatory agencies continually review banking laws, regulations and policies for possible changes. Changes to statutes, regulations or regulatory policies, including changes in interpretation or implementation of statutes, regulations or policies, could affect us in substantial and unpredictable ways. Such changes could subject us to additional costs, limit the types of financial services and products it may offer and/or increase the ability of non-banks to offer competing financial services and products, among other things. Failure to comply with laws, regulations or policies could result in sanctions by regulatory agencies, civil money penalties and/or reputation damage, which could have a material adverse effect on our business, financial condition and results of operations.

We are subject to the risk that regulatory or enforcement agencies and/or consumer advocacy groups may assert that our business practices may violate certain rules, laws and regulations, including anti-discrimination statutes.

Anti-discrimination statutes, such as the FHA and the ECOA and state law equivalents, prohibit creditors from discriminating against loan applicants and borrowers based on certain characteristics, such as race, religion and national origin. Various federal regulatory and enforcement departments and agencies, including the Department of Justice and CFPB, take the position that these laws apply not only to intentional discrimination, but also to facially neutral practices that have a disparate impact on a group that shares a characteristic that a creditor may not consider in making credit decisions. State and federal regulators, as well as consumer advocacy groups and plaintiffs' attorneys, are focusing greater attention on "disparate impact" claims. Similarly, these regulatory agencies and litigants could take the position that the geographical footprint within which we conduct lending activity or the manner in which we advertise loans, disproportionately excludes potential borrowers belonging to a protected class, and constitutes unlawful "redlining". Although we utilize an automated underwriting process to originate loans, we frequently adjust pricing strategies which increases our risk of inadvertently violating the FHA and the ECOA. These regulatory agencies could also take the position that the underwriting or credit models or algorithms we use produce disparate outcomes or do not produce sufficient information about a credit decision to satisfy applicant notification requirements under ECOA. In addition to reputational harm, violations of the FHA and the ECOA can result in actual damages, punitive damages, injunctive or equitable relief, attorneys' fees and civil money penalties.

Our investment adviser and broker-dealer subsidiaries are subject to regulation by the SEC and FINRA.

We offer investment management services through the Investment Adviser which offers investment management services in connection with our robo-advisory accounts. The Investment Adviser is registered as an investment adviser under the Advisers Act, which does not imply any level of skill or training, and is subject to regulation by the SEC. SoFi Securities is

68

SoFi Technologies, Inc.

an affiliated SEC-registered broker-dealer and FINRA member. We offer cash management accounts, which are brokerage products, through SoFi Securities.

The Investment Adviser operates in a highly regulated environment and is subject to, among other things, the anti-fraud provisions of the Advisers Act and to fiduciary duties derived from these provisions that apply to its relationships with our members who are its advisory clients. These provisions and duties also impose certain restrictions and obligations on us with respect to our dealings with our members and our investments, including for example restrictions on transactions with our affiliates. Our Investment Adviser is also subject to other requirements under the Advisers Act and related regulations. These additional requirements relate to matters including, among others, maintaining an effective and comprehensive compliance programs and record-keeping and reporting and disclosure requirements. In recent years, the SEC proposed and, in certain cases, adopted amendments to the Advisers Act rules, which present a number of additional significant and burdensome compliance challenges for registered investment advisers. In addition, our Investment Adviser has been in the past, and will be in the future, subject to SEC examination. Moreover, the Advisers Act generally grants the SEC broad administrative powers, including the power to limit or restrict an investment adviser from conducting advisory activities in the event it fails to comply with federal securities laws. The Investment Adviser is also subject to applicable state securities laws. Additional sanctions that may be imposed for failure to comply with applicable requirements include prohibitions of individuals from associating with an investment adviser, the revocation of registration and other censures and fines. Even if an investigation or proceeding did not result in a sanction or the sanction imposed against us or our personnel by a regulator was small in monetary amount, the adverse publicity relating to the investigation, proceeding or imposition of these sanctions could harm our reputation and cause us to lose existing members or fail to gain new members. See Part I, Item 3. "Legal Proceedings".

Our subsidiary, SoFi Securities, is an affiliated SEC-registered broker-dealer and FINRA member. The securities industry is highly regulated, including under federal, state and other applicable laws, rules and regulations, and we may be adversely affected by regulatory changes related to suitability of financial products, supervision, sales practices, advertising, application of fiduciary standards, best execution and market structure, any of which could limit our business and damage our reputation. FINRA has adopted extensive regulatory requirements relating to sales practices, advertising, registration of personnel, compliance and supervision, and compensation and disclosure, to which SoFi Securities and its personnel are subject. For example, FINRA's 2026 Annual Regulatory Oversight Report included new topics, such as the third party risk landscape, extended hours trading, and registered index-linked annuities, and expanded guidance on AI, cybersecurity, AML/sanctions, and best execution/order routing disclosures, among others. FINRA is explicitly focused on vendor outages and cyber incidents, generative AI-enabled fraud, and controls over fractional shares and after hours trading. The SEC 2026 exam priorities also identify areas such as generative AI and Regulation Best Interest ("Reg BI") as focus areas. Our use of any AI-enabled tools could draw scrutiny, or failures in any of these areas could result in examination findings, sanctions or customer harm. In addition, sales of complex products and account type recommendations face heightened enforcement under Reg BI. Both the SEC and FINRA remain focused on surveilling off-channel communications and associated recordkeeping violations. If associated persons use unapproved channels (e.g., personal messaging apps) and records are not preserved, we could face substantial penalties and remediation costs. FINRA and the SEC also have the authority to conduct examinations of SoFi Securities and may also conduct administrative proceedings. Additionally, material expansions of the business in which SoFi Securities engages are subject to approval by FINRA. This could delay, or even prevent, the firm's ability to expand its securities and brokerage offerings in the future. Furthermore, SoFi Securities is subject to increased governance in its role as an affiliate of a national bank under guidance from the OCC regarding RNDIPs. OCC guidance, which was further updated in June 2024, requires that banks implement effective oversight and monitoring of relevant RNDIP arrangements to ensure that, among other things, sales transactions and recommendations to retail investors comply with SEC regulations. Such oversight and monitoring may increase costs for SoFi Securities and SoFi Bank and could have a material adverse effect on our business, financial condition and results of operations, and any failure by SoFi Bank to effectively oversee and monitor such arrangements could result in harm to members and financial and reputational harm to us.

From time to time, SoFi Securities and the Investment Adviser may be threatened with or named as a defendant in lawsuits, arbitrations and administrative claims. As previously noted, these entities are also subject to regulatory examinations and inspections by regulators (including the SEC and FINRA, as applicable). Compliance and trading problems or other deficiencies or weaknesses that are reported to regulators, such as the SEC and FINRA, by dissatisfied members or others, or that are identified by regulators themselves are investigated by such regulators, and may, if pursued, result in formal claims being filed against SoFi Securities and the Investment Adviser by members or disciplinary action being taken by regulators against us or our personnel. Our failure to comply with applicable laws or regulations or our own policies and procedures could result in fines, litigation, suspensions of personnel or other sanctions, which could have a material effect on our overall financial results. For example, in December 2023, FINRA found that SoFi Securities failed to establish, maintain, and enforce a supervisory system reasonably designed to supervise its fully paid securities lending offerings. Even if a sanction imposed against us or our personnel is small in monetary amount, the adverse publicity arising from the imposition of sanctions against us by regulators could harm our reputation and our brand and lead to material legal, regulatory and financial exposure

69

SoFi Technologies, Inc.

(including fines and other penalties), cause us to lose existing members or fail to gain new members. In addition, in the normal course of business, SoFi Securities and the Investment Adviser discuss matters raised by its regulators during regulatory examinations or otherwise upon their inquiry. These matters could also result in censures, fines, penalties or other sanctions.

In addition to the broker-dealer proposals described above under "Changes in applicable laws and regulations, as well as changes in government enforcement policies and priorities, may negatively impact the management of our business, results of operations, ability to offer certain products or the terms and conditions upon which they are offered, and ability to compete", a substantial number of proposed rules for investment advisers were introduced in 2023 and 2024 and subsequently withdrawn in 2025. These withdrawn proposed rules covered material regulatory topics, including: (i) environmental, social, and governance issues for investment advisers and funds; (ii) outsourcing by investment advisers; and (iii) safeguarding and custody of client assets. A fourth proposed rule regarding expansion of the scope of activities and relationships that make a person an investment advice fiduciary under Section 3(21) of the Employee Retirement Income Security Act of 1974 and Section 4975 of the Internal Revenue Code (the "Retirement Security Rule") was stayed by two Fifth Circuit federal district courts, and the Department of Labor (the "DOL") decided not to appeal the decisions. The DOL's regulatory agenda for Spring 2025, however, included a new "fiduciary rule" set to be issued by May 2026. If any of the foregoing rules is re-proposed and enacted, compliance would impose additional costs on our business. There is also the risk that, despite our best efforts, the SEC does not view our compliance measures as sufficient.

Failure to comply with anti-money laundering, economic and trade sanctions regulations, and similar laws could subject us to penalties and other adverse consequences.

Various laws and regulations in the U.S. and abroad, such as the BSA, the Dodd-Frank Act, the USA PATRIOT Act, and the Credit Card Accountability Responsibility and Disclosure Act, impose certain anti-money laundering requirements on companies that are financial institutions or that provide financial products and services. Under these laws and regulations, financial institutions are broadly defined to include banks and MSBs such as money transmitters. In 2013, FinCEN issued guidance regarding the applicability of the BSA to administrators and exchangers of convertible virtual currency, clarifying that they are MSBs, and more specifically, money transmitters. The BSA requires banks and MSBs to develop and implement risk-based anti-money laundering programs, report large cash transactions and suspicious activity, and maintain transaction records, among other requirements. In addition, our contracts with financial institution partners and other third parties may contractually require us to maintain an anti-money laundering program. SoFi Bank is subject to the regulatory and supervisory jurisdiction of the OCC with respect to the BSA and its implementing regulations applicable to banks, and the Company and its non-bank subsidiaries, including our technology platform, are subject to the regulatory and supervisory jurisdiction of the Federal Reserve with respect to anti-money laundering and sanctions regulations.

We are also subject to economic and trade sanctions programs administered by OFAC, which prohibit or restrict transactions to or from or dealings with specified countries, their governments, and in certain circumstances, their nationals, and with individuals and entities that are specially-designated nationals of those countries, narcotics traffickers, terrorists or terrorist organizations, and other sanctioned persons and entities.

Our failure to comply with anti-money laundering, economic and trade sanctions regulations, and similar laws could subject us to substantial civil and criminal penalties, or result in the loss or restriction of our national bank charter or broker-dealer registrations and state licenses, or liability under our contracts with third parties, which may significantly affect our ability to conduct certain aspects of our business. Changes in this regulatory environment, including changing interpretations and the implementation of new or varying regulatory requirements by the government, may significantly affect or change the manner in which we currently conduct certain aspects of our business.

We are subject to anti-corruption, anti-bribery and similar laws, and noncompliance with such laws can subject us to significant adverse consequences, including criminal or civil liability, and harm our business.

We are subject to the Foreign Corrupt Practices Act, U.S. domestic bribery laws and other U.S. and foreign anti-corruption laws. Anti-corruption and anti-bribery laws have been enforced aggressively in recent years and are interpreted broadly to generally prohibit companies, their employees and their third-party intermediaries from authorizing, offering or providing, directly or indirectly, improper payments or benefits to recipients in the public sector. These laws also require that we keep accurate books and records and maintain internal controls and compliance procedures designed to prevent any such actions. Although our operations are currently concentrated in the U.S., as we increase our international cross-border business and expand operations abroad, we have engaged and may further engage with business partners and third-party intermediaries to market our services and to obtain necessary permits, licenses and other regulatory approvals. In addition, we or our third-party intermediaries may have direct or indirect interactions with officials and employees of government agencies or state-owned or affiliated entities. We can be held liable for the corrupt or other illegal activities of these third-party intermediaries, our employees, representatives, contractors, partners, and agents, even if we do not explicitly authorize such activities. The

70

SoFi Technologies, Inc.

failure to comply with any such laws could subject us to criminal or civil liability, cause us significant reputational harm and have an adverse effect on our business, financial condition and results of operations.

We conduct our business operations through subsidiaries and may in the future rely on dividends from our subsidiaries for a substantial amount of our cash flows.

We may in the future depend on dividends, distributions and other payments from our subsidiaries to fund payments on our obligations, including any debt obligations we may incur. Regulatory and other legal restrictions may limit our ability to transfer funds to or from certain subsidiaries, including SoFi Securities and SoFi Bank. In addition, certain of our subsidiaries are subject to laws and regulations that authorize regulatory bodies to block or reduce the flow of funds to us, or that prohibit such transfers altogether in certain circumstances. These laws and regulations may hinder our ability to access funds that we may need to make payments on our obligations, including any debt obligations we may incur and otherwise conduct our business by, among other things, reducing our liquidity in the form of corporate cash. In addition to negatively affecting our business, a significant decrease in our liquidity could also reduce investor confidence in us. Certain rules and regulations of the SEC and FINRA may limit the extent to which our broker-dealer subsidiaries may distribute capital to us. For example, under FINRA rules applicable to SoFi Securities, a dividend in excess of 10% of a member firm's excess net capital may not be paid without FINRA's prior written approval. In addition, the OCC has the authority to use its enforcement powers to prohibit a bank from paying dividends if, in its opinion, the payment of dividends would constitute an unsafe or unsound practice. Federal law also prohibits the payment of dividends by a bank that will result in the bank failing to meet its applicable capital requirements on a pro forma basis. In addition, under the National Bank Act, SoFi Bank generally may, without prior approval of the OCC, declare a dividend but only so long as the total amount of all dividends (common and preferred), including the proposed dividend, in the current year do not exceed net income for the current year to date plus retained net income for the prior two years. Compliance with these rules may impede our ability to receive dividends, distributions and other payments from SoFi Securities and SoFi Bank.

We have in the past, continue to be, and may in the future be subject to inquiries, exams, pending investigations, or enforcement matters.

The financial services industry is subject to extensive regulation and oversight under federal, state, and applicable international laws. From time to time, in the normal course of business, we have received and may receive or be subject to inquiries or investigations by state and federal regulatory or enforcement agencies and bodies, such as the CFPB, SEC, the Federal Reserve, the OCC, the FDIC, the FHFA, the VA, the state attorneys general, state financial regulatory agencies, other state or federal agencies and SROs like FINRA. We also have in the past and may in the future receive inquiries from state regulatory agencies regarding requirements to obtain licenses from or register with those states, including in states where we have previously determined that we are not required to obtain such a license or be registered with the state. In addition, we have been threatened with or named as a defendant in lawsuits, arbitrations and administrative claims involving securities, consumer financial services and other matters. We are also subject to periodic regulatory examinations and inspections. Compliance and trading problems or other deficiencies or weaknesses that are reported to regulators, such as the OCC, SEC, FINRA, the CFPB or state regulators, by dissatisfied customers or others, or that are identified by regulators themselves, are investigated by such regulators, and may, if pursued, result in formal claims being filed against us by customers or disciplinary action being taken against us or our employees by regulators or enforcement agencies. In addition, we could be required to disclose such federal, state, or local government actions or court orders to others who have supervisory or enforcement authority over us, which could be time consuming and costly, increase demand on our systems and resources and adversely impact our reputation. To resolve issues raised in examinations or other governmental actions, we may be required to take various corrective actions, including changing certain business practices, making refunds or taking other actions that could be financially or competitively detrimental to us.

Any such inquiries, investigations, lawsuits, arbitrations, administrative claims or other inquiries have in the past and could in the future involve substantial time and expense to analyze and respond to, divert management's attention and other resources from running our business, and lead to fines, penalties, injunctive relief, and the need to obtain additional licenses that we do not currently possess. Our involvement in any such matters, whether tangential or otherwise and even if the matters are ultimately determined in our favor, could also cause significant harm to our reputation, lead to additional investigations and enforcement actions from other agencies or litigants, and further divert management attention and resources from the operation of our business. As a result, the outcome of legal and regulatory actions arising out of any state or federal inquiries we receive could have a material adverse effect on our business, financial condition or results of operations.

71

SoFi Technologies, Inc.

Lawmakers, regulators and other public officials have signaled an increased focus on new or additional laws or regulations that could impact our broker-dealer business and require us to make significant changes to our business model and practices and could result in significant costs to our business or loss of current revenue streams.

Various lawmakers, regulators and other public officials have made statements about business practices in which we and other broker-dealers engage, including SoFi Securities, and signaled potential new or additional laws or regulations that, if acted upon, could impact our business. For example, a focus by regulators and lawmakers on PFOF, exchange rebates, and related conflicts of interest have resulted in new proposed rules. Additionally, the SEC has proposed new requirements regarding PFOF and a rule to prohibit volume-based transaction pricing in connection with the execution of agency-related orders in national market system stock. The SEC also issued an order in September 2023 directing the equity exchanges and FINRA to file a new national marketing system plan, on which the SEC is soliciting comments. This order and other proposals have the potential to substantially reshape U.S. equities markets in intended and unintended ways, and to substantially alter existing order routing, execution incentives and business practices.

To the extent that the SEC, FINRA or other regulatory authorities or legislative bodies adopt additional regulations or legislation in respect of any of these areas or relating to any other aspect of our business, we could face a heightened risk of potential regulatory violations and could be required to make significant changes to our business model and practices, which changes may not be successful. Any of these outcomes could have an adverse effect on our business, financial condition and results of operations. Additionally, any negative publicity surrounding PFOF practices generally, or our implementation of this practice, could harm our brand and reputation. For more information about the potential impact of legal and regulatory changes, see "We may become subject to enforcement actions or litigation as a result of our failure to comply with laws and regulations, even though noncompliance was inadvertent or unintentional".

Regulations relating to privacy, information security and data protection could increase our costs, affect or limit how we collect and use personal information, and adversely affect our business opportunities.

We are subject to various privacy, information security and data protection laws, including requirements concerning security breach notification, and we could be negatively impacted by them. For example, we are subject to the GLBA and implementing regulations and guidance. Among other things, the GLBA (i) imposes certain limitations on the ability to share consumers' nonpublic personal information with nonaffiliated third parties and (ii) requires certain disclosures to consumers about our practices for the collection, sharing and safeguarding of their information and their right to "opt out" of the institution's disclosure of their personal financial information to nonaffiliated third parties (with certain exceptions). The GLBA and other state laws also require that we implement and maintain certain security measures, policies and procedures to protect personal information.

Furthermore, legislators and/or regulators are increasingly adopting new and/or amending existing privacy, information security and data protection laws that potentially could have a significant impact on our current and planned privacy, data protection and information security-related practices; our policies and practices related to the collection, use, sharing, retention and safeguarding of consumer and/or employee information; and certain of our current or planned business activities. New requirements, originating from new or amended laws, could also increase our costs of compliance and business operations and could reduce income from certain business initiatives. The CFPB, for example, finalized its Personal Financial Data Rights Rule, which could require us to build an application that allows our customers to obtain their personal financial information and for authorized third parties to obtain our customers' information and to implement privacy protections if we seek consumer financial data from another financial institution, as an authorized third party of a consumer. Although the rule's original compliance deadlines are currently stayed as part of ongoing litigation, and are not being enforced while the CFPB reconsiders the rule, if implemented this could increase our compliance costs, volatility in our customer base, and the risk of fraudulent access to consumers' personal financial information.

Compliance with current or future privacy, information security and data protection laws (including those regarding security breach notification) affecting customer and/or employee data to which we are subject could result in higher compliance and technology costs and could restrict our ability to provide certain products and services (such as products or services that involve sharing information with third parties or storing sensitive credit card information), which could materially and adversely affect our profitability. A failure by us or a third-party contractor providing services to us to comply with applicable data privacy and security laws, regulations, self-regulatory requirements or industry guidelines, or our terms of use with our users, may result in sanctions, statutory or contractual damages or litigation (including class actions) and may subject us to reputational harm. Additionally, there is always a danger that regulators can attempt to assert authority over our business in the area of privacy, information security and data protection. Furthermore, if our vendors and/or service providers are or become subject to laws and regulations in the jurisdictions that have enacted more stringent and expansive legislation applicable to

72

SoFi Technologies, Inc.

privacy, information and/or data protection, the costs that these vendors and service providers must incur in becoming compliant may be passed along to us, resulting in increasing costs on our business.

Concerns in our ability, perceived or otherwise, to protect the privacy and security of personal information may affect our ability to retain and engage new and existing members, clients, investors, and employees, and thereby affect our financial condition. Furthermore, failure to comply or perceived failure to comply with applicable privacy or data protection laws, rules, and regulations may subject us to examinations, investigations, and general heightened scrutiny that may cause us to modify or cease certain operations or practices, significant liabilities or regulatory fines, penalties or other sanctions. Any of these could damage our reputation and adversely affect our business, financial condition, and results of operations.

Privacy requirements, including notice and opt-out requirements, under the GLBA and FCRA are enforced by the FTC, the OCC and by the CFPB through UDAAP and are a standard component of OCC and CFPB compliance and examinations. State entities also may initiate actions for alleged violations of privacy or security requirements under state law. Our failure to comply with privacy, information security and data protection laws could result in potentially significant regulatory investigations and government actions, litigation, fines or sanctions, consumer or merchant actions and damage to our reputation and brand, all of which could have a material adverse effect on our business.

If we collect and process personal data relating to individuals in the EU or the United Kingdom (the "UK") as a result of either offering goods or services into the EU or UK, or monitoring the behavior of EU and UK individuals, we will be required to comply with stringent privacy and data protection laws. Within the EU, legislators have adopted the General Data Protection Regulation (the "EU GDPR"), which became effective in May 2018. The EU GDPR will impose additional obligations and risks upon our business when we collect and process personal data about individuals from the EU and UK, which may increase substantially the penalties to which we could be subject in the event of any noncompliance. For example, the EU GDPR imposes a broad range of strict requirements on companies subject to the EU GDPR, including requirements relating to having legal bases and conditions for processing personal data and transferring such personal data outside the European Economic Area ("EEA") or the UK, including to the U.S., providing details to those individuals regarding the processing of their personal data, keeping personal data secure, having data processing agreements with third parties who process personal data, responding to individuals' requests to exercise their rights in respect of their personal data, where required reporting security breaches involving personal data to the competent national data protection authority and affected individuals, where required, appointing data protection officers, where required conducting data protection impact assessments for high risk processing, and record-keeping. We may incur substantial expense in complying with obligations imposed by the EU GDPR and we may be required to make significant changes in our business operations, all of which may adversely affect our revenues and our business overall.

In addition, further to the UK's exit from the EU on January 31, 2020, the EU GDPR ceased to apply in the UK at the end of the transition period on December 31, 2020. However, as of January 1, 2021, the UK's European Union (Withdrawal) Act 2018 incorporated the GDPR (as it existed on December 31, 2020 but subject to certain UK specific amendments) into UK law, referred to as the "UK GDPR". The UK GDPR and the UK Data Protection Act 2018 set out the UK's data protection regime, which is independent from but aligned to the EU's data protection regime. Noncompliance with the UK GDPR may result in significant monetary penalties. Although the UK is regarded as a third country under the EU GDPR, the EC has issued a decision recognizing the UK as providing adequate protection under the EU GDPR and, therefore, transfers of personal data originating in the EU to the UK remain unrestricted. The Data (Use and Access) Act 2025 has been enacted in the UK which has the effect of altering the similarities between the UK and EEA data protection regime. The EU has, however, extended the UK's Adequacy Decision from the EC to December 27, 2031. This may lead to additional compliance costs and could increase our overall risk. Like the EU GDPR, the UK GDPR restricts personal data transfers outside the UK to countries not regarded by the UK as providing adequate protection. The UK government has confirmed that personal data transfers from the UK to the EEA remain free flowing.

In addition, around the world many jurisdictions outside of Europe are also considering and/or have enacted comprehensive data protection legislation. For example, we are subject to stringent privacy and data protection requirements in Hong Kong. Also, many jurisdictions where we may seek to expand our business in the future are also considering and/or have enacted comprehensive data protection legislation. Additional jurisdictions with stringent data protection laws include Brazil and China.

The regulatory framework governing the collection, processing, storage, use and sharing of certain information, particularly financial and other personal information, is rapidly evolving and is likely to continue to be subject to uncertainty and varying interpretations. It is possible that these laws may be interpreted and applied in a manner that is inconsistent with laws in other jurisdictions or with our existing data management practices or the features of our services and platform capabilities. We therefore cannot yet fully determine the impact existing and/or future laws, rules, regulations and industry

73

SoFi Technologies, Inc.

standards may have on our business or operations. Any failure or perceived failure by us, or any third parties with which we do business, to comply with our posted privacy policies, changing consumer expectations, evolving laws, rules and regulations, industry standards, or contractual obligations to which we or such third parties are or may become subject, may result in actions or other claims against us by governmental entities or private actors, the expenditure of substantial costs, time and other resources or the imposition of significant fines, penalties or other liabilities. In addition, any such action, particularly to the extent we were found to be guilty of violations or otherwise liable for damages, would damage our reputation and adversely affect our business, financial condition and results of operations.

Any such laws, rules, regulations and industry standards may be inconsistent among different jurisdictions, subject to differing interpretations or may conflict with our current or future practices. Additionally, our customers may be subject to differing privacy laws, rules and legislation, which may mean that they require us to be bound by varying contractual requirements applicable to certain other jurisdictions. Adherence to such contractual requirements may impact our collection, use, processing, storage, sharing and disclosure of various types of information including financial information and other personal information, and may mean we become bound by, or voluntarily comply with, self-regulatory or other industry standards relating to these matters that may further change as laws, rules and regulations evolve. Complying with these requirements and changing our policies and practices may be onerous and costly, and we may not be able to respond quickly or effectively to regulatory, legislative and other developments. These changes may in turn impair our ability to offer our existing or planned features, products and services and/or increase our cost of doing business. As we expand our customer base, these requirements may vary from customer to customer, further increasing the cost of compliance and doing business.

We publicly post documentation regarding our practices concerning the collection, processing, use and disclosure of data. Although we endeavor to comply with our published policies and documentation, we may at times fail to do so or be alleged to have failed to do so. Any failure or perceived failure by us to comply with our privacy policies or any applicable privacy, security or data protection, information security or consumer-protection related laws, regulations, orders or industry standards could expose us to costly litigation, significant awards, fines or judgments, civil and/or criminal penalties or negative publicity, and could materially and adversely affect our business, financial condition and results of operations. The publication of our privacy policy and other documentation that provide promises and assurances about privacy and security can subject us to potential state and federal action if they are found to be deceptive, unfair, or misrepresentative of our actual practices, which could, individually or in the aggregate, materially and adversely affect our business, financial condition and results of operations.

It may be difficult and costly to protect our intellectual property rights, and we may not be able to ensure their protection.

Our ability to provide our products and services to our members and technology platform clients depends, in part, upon our proprietary technology. We may be unable to protect our proprietary technology effectively, which would allow competitors to duplicate our business processes and know-how, and adversely affect our ability to compete with them. A third party may attempt to reverse engineer or otherwise obtain and use our proprietary technology without our consent. The pursuit of a claim against a third party for infringement of our intellectual property could be costly, and there can be no guarantee that any such efforts would be successful.

In addition, our platform or those of third-party service providers that we utilize may infringe upon claims of third-party intellectual property, and we have and may continue to face intellectual property challenges from such other parties. We may not be successful in defending against any such challenges or in obtaining licenses to avoid or resolve any intellectual property disputes, or in receiving amounts due to us under indemnification obligations from third-party service providers. The costs of defending any such claims or litigation could be significant and, if we are unsuccessful, could result in a requirement that we pay significant damages or licensing fees, which would negatively impact our financial performance. If we cannot protect our proprietary technology from intellectual property challenges, our ability to maintain our platform could be adversely affected.

Certain aspects of our platform include open source software, and any failure to comply with the terms of one or more of these open source licenses could negatively affect our business.

We incorporate open source software into our proprietary platform and into other processes supporting our business. Such open source software may include software covered by licenses like the GNU General Public License and the Apache License or other open source licenses. The terms of various open source licenses have not been interpreted by U.S. courts, and there is a risk that such licenses could be construed in a manner that limits our use of the software, inhibits certain aspects of our platform and negatively affects our business operations.

Certain open source licenses contain requirements that we make available source code for modifications or derivative works we create based upon the type of open source software we use. If portions of our proprietary platform are determined to

74

SoFi Technologies, Inc.

be subject to an open source license, or if the license terms for the open source software that we incorporate change, we could be required to publicly release the affected portions of our source code, re-engineer all or a portion of our platform or change our business activities. In addition to risks related to license requirements, the use of open source software can lead to greater risks than the use of third-party commercial software, as open source licensors generally do not provide warranties or controls on the origin of the software. Many of the risks associated with the use of open source software cannot be eliminated and could adversely affect our business.

Litigation, regulatory actions and compliance issues could subject us to significant fines, penalties, judgments, remediation costs, negative publicity, changes to our business model, and requirements resulting in increased expenses.

Our business is subject to increased risks of litigation and regulatory actions as a result of a number of factors and from various sources, including as a result of the highly regulated nature of the financial services industry and the focus of state and federal enforcement agencies on the financial services industry.

From time to time, we are also involved in, or the subject of, reviews, requests for information, investigations and proceedings (both formal and informal) by state and federal governmental agencies and SROs, regarding our business activities and our qualifications to conduct our business in certain jurisdictions, which has in the past and could in the future subject us to significant fines, penalties, obligations to change our business practices and other requirements resulting in increased expenses and diminished earnings. Our involvement in any such matter also has in the past and could in the future cause significant harm to our reputation and divert management attention from the operation of our business, even if the matters are ultimately determined in our favor. Moreover, any settlement, or any consent order or adverse judgment in connection with any formal or informal proceeding or investigation by a government agency, may prompt litigation or additional investigations or proceedings as other litigants or other government agencies begin independent reviews of the same activities. See "If we fail to comply with federal and state consumer protection laws, rules, regulations and guidance, our business could be adversely affected" for a discussion of the FTC Consent Order.

In addition, a number of participants in the financial services industry have been the subject of: putative class action lawsuits; state attorney general actions and other state regulatory actions; federal regulatory enforcement actions, including actions relating to alleged unfair, deceptive or abusive acts or practices; violations of state licensing and lending laws, including state usury laws; actions alleging discrimination on the basis of race, ethnicity, gender or other prohibited bases; and allegations of noncompliance with various state and federal laws and regulations relating to originating and servicing consumer finance loans. For example, we entered into a settlement agreement on April 18, 2022 related to a putative class action in which it was alleged that we engaged in unlawful lending discrimination through policies and practices by making applicants who are conditional permanent residents or DACA holders ineligible for loans or eligible only with a co-signer who is U.S. citizen or lawful permanent resident. We made an aggregate payment to the class and the class counsel in an immaterial amount. In addition, as a financial services company, errors in performing settlement functions, including clerical, technological and other errors related to the handling of funds and securities could lead to censures, fines or other sanctions imposed by applicable regulatory authorities as well as losses and liabilities in related lawsuits and proceedings brought by transaction counterparties and others.

The environment of increased regulatory compliance efforts and enhanced regulatory enforcement in the past few years has resulted in significant operational and compliance costs and may prevent us from providing certain products and services. There is no assurance that these regulatory matters or other factors will not, in the future, affect how we conduct our business and, in turn, have a material adverse effect on our business. In particular, legal proceedings brought under state consumer protection statutes or under several of the various federal consumer financial services statutes may result in a separate fine for each violation of the statute, which, particularly in the case of class action lawsuits, could result in damages substantially in excess of the amounts we earned from the underlying activities.

In addition, from time to time, through our operational and compliance controls, we identify compliance and other issues that require us to make operational changes and, depending on the nature of the issue, result in financial remediation to impacted members. These self-identified issues and voluntary remediation payments could be significant, depending on the issue and the number of members impacted, and also could generate litigation or regulatory investigations that subject us to additional risk. See Part I, Item 3. "Legal Proceedings".

Changes in tax law and differences in interpretation of tax laws and regulations may adversely impact our financial statements.

We operate in multiple jurisdictions and are subject to tax laws and regulations of the U.S. federal, state and local and non-U.S. governments. U.S. federal, state and local and non-U.S. tax laws and regulations are complex and subject to varying interpretations. U.S. federal, state and local and non-U.S. tax authorities may interpret tax laws and regulations differently than

75

SoFi Technologies, Inc.

we do and challenge tax positions that we have taken. This may result in differences in the treatment of revenues, deductions, credits and/or differences in the timing of these items. The differences in treatment may result in payment of additional taxes, interest or penalties that could have an adverse effect on our financial condition and results of operations. Further, future changes to U.S. federal, state and local and non-U.S. tax laws and regulations could increase our tax obligations in jurisdictions where we do business or require us to change the manner in which we conduct certain aspects of our business. Proposals to reform U.S. and foreign tax laws could significantly impact how U.S. multinational corporations are taxed on foreign earnings and could increase the U.S. corporate tax rate. Several of the proposals currently being considered, if enacted, could have an adverse impact on our future effective tax rate, income tax expense, and cash flows. Further, the Organisation for Economic Co-operation and Development (the "OECD") has issued guidelines that change long-standing tax principles and certain countries have adopted OECD guidelines. These guidelines create tax uncertainty as countries amend their tax laws to adopt certain parts of the guidelines.

We will be adversely affected if we, or any of our subsidiaries, are determined to have been subject to registration as an investment company under the Investment Company Act.

We are currently not deemed to be an "investment company" subject to regulation under the Investment Company Act of 1940, as amended (the "Investment Company Act"). No opinion or no-action position has been requested of the SEC on our status as an Investment Company. There is no guarantee we will continue to be exempt from registration under the Investment Company Act and were we to be deemed to be an investment company under the Investment Company Act, and thus subject to regulation under the Investment Company Act, the increased reporting and operating requirements could have an adverse impact on our business, operating results, financial condition and prospects.

In addition, if the SEC or a court of competent jurisdiction were to find that we are in violation of the Investment Company Act for having failed to register as an investment company thereunder, possible consequences include, but are not limited to, the following: (i) the SEC could apply to a district court to enjoin the violation; (ii) we could be sued by investors in us and in our securities for damages caused by the violation; and (iii) any contract to which we are a party that is made in, or whose performance involves a, violation of the Investment Company Act would be unenforceable by any party to the contract unless a court were to find that under the circumstances enforcement would produce a more equitable result than nonenforcement and would not be inconsistent with the purposes of the Investment Company Act. Should we be subjected to any or all of the foregoing, our business would be materially and adversely affected.

Personnel and Business Continuity Risks

We rely on our management team and will require additional key personnel to grow our business, and the loss of key management members or key employees, or an inability to hire key personnel, could harm our business.

We believe our success has depended, and continues to depend, on the efforts and talents of our senior management, who have significant experience in the financial services and technology industries, are responsible for our core competencies and would be difficult to replace. Our future success depends on our continuing ability to attract, develop, motivate and retain highly qualified and skilled employees. Qualified individuals are usually in high demand even in an uncertain economy, and we may incur significant costs to attract and retain them. In addition, the loss of any of our senior management or key employees could materially adversely affect our ability to execute our business plan and strategy, and we may not be able to find adequate replacements on a timely basis, or at all, and our other employees may be required to take on additional responsibilities. Furthermore, many candidates evaluate year over year stock growth trends for a sense of the potential long-term value of their proposed stock awards. The volatility of the market price of our common stock could harm our ability to attract and retain talent. Our executive officers and other employees are at-will employees, which means they may terminate their employment relationship with us at any time, and their knowledge of our business and industry would be extremely difficult to replace. We cannot ensure that we will be able to retain the services of any members of our senior management or other key employees. If we do not succeed in attracting well-qualified employees or retaining and motivating existing employees, our business could be materially and adversely affected.

The job market and the optimization of our workforce creates a challenge and potential risk as we strive to attract and retain a highly skilled workforce.

Competition for certain of our employees, including highly skilled technology and product professionals responsible for the design, engineering and operation of systems, is competitive, which can present a risk as we compete for experienced candidates, especially if the competition is able to offer more attractive financial terms of employment. This risk extends to our current employee population. We also invest significant time and expense in engaging and developing our employees, which

76

SoFi Technologies, Inc.

also increases their value to other companies that may seek to recruit them. Turnover can result in significant replacement costs and lost productivity.

In addition, from time to time, we implement organizational changes to pursue greater efficiency and realign our business and strategic priorities. For example, in the past, we laid off a relatively small number of employees even though we intend to continue to hire in other areas. As our organization continues to evolve, and we are required to implement and optimize our business and organizational structures, we may find it difficult to maintain the benefits of our corporate culture, including our ability to quickly develop and launch new and innovative products. This could negatively affect our business performance. See also "We transitioned to a flexible-first workforce model, which could subject us to increased business continuity and cyber risks, as well as other operational challenges and risks that could significantly harm our business and operations" for more information on the impact of a flexible workforce model on corporate culture and employee retention.

In addition, U.S. immigration policy has made it more difficult for qualified foreign nationals to obtain or maintain work visas under the H-1B classification. These H-1B visa limitations make it more difficult and/or more expensive for us to hire the skilled professionals we need to execute our growth strategy, especially engineering, data analytics and risk management personnel, and may adversely impact our business.

We transitioned to a flexible-first workforce model, which could subject us to increased business continuity and cyber risks, as well as other operational challenges and risks that could significantly harm our business and operations.

We offer most of our employees the choice of working full time in the office, a hybrid approach, or full-time remote. In 2023 we announced an increase in in-office collaboration for non-remote employees who are returning to the office for a specified number of days per month, varying by business team. This return to the office for non-remote employees is limited, and we expect many employees to continue to work remotely for a number of days per week. As a result, we expect to continue to be subject to the challenges and risks of having a remote workforce, as well as new challenges and risks from operating with a hybrid workforce. For example, our employees are accessing our servers remotely through home or other networks to perform their job responsibilities. Such security systems may be less secure than those used in our offices, which have in the past and may continue to subject us to increased security risks, including cybersecurity-related events, and expose us to risks of data or financial loss and associated disruptions to our business operations. Additionally, employees who access company data and systems remotely may not have access to technology that is as robust as that in our offices, which could place additional pressure on our user infrastructure and third parties that are not easily mitigated. These risks include home internet availability affecting work continuity and efficiency, and additional dependencies on third-party communication tools, such as instant messaging and online meeting platforms. We may also be exposed to risks associated with the locations of remote employees, including compliance with local laws and regulations or exposure to compromised internet infrastructure. Allowing our employees to work remotely may create intellectual property risk if employees create intellectual property on our behalf while residing in a jurisdiction with unenforced or uncertain intellectual property laws. Further, if employees fail to inform us of changes in their work location, we may be exposed to additional risks without our knowledge. While most of our operations can be performed remotely and we believe have operated effectively, there is no guarantee that this will continue or that we will continue to be as effective while operating a flexible-first workforce model because our team is dispersed.

Additionally, operating our business with both remote and in-person workers, or workers who work in flexible locations and on flexible schedules, could have a negative impact on our corporate culture, decrease the ability of our workforce to collaborate and communicate effectively, decrease innovation and productivity, or negatively affect workforce morale. If we are unable to manage the cybersecurity and other risks of a flexible-first workforce model, and maintain our corporate culture and workforce morale, our business could be harmed or otherwise adversely impacted.

Our business is subject to the risks of natural disasters, power outages, telecommunications failures and similar events, including public health crises, and to interruptions by human-made problems such as terrorism, cyberattacks, and other actions, which may impact the demand for our products or our members' ability to repay their loans.

Events beyond our control may damage our ability to maintain our platform and provide services to our members. Such events include, but are not limited to, hurricanes, earthquakes, fires, floods and other natural disasters, public health crises, power or other outages, telecommunications failures and similar events. Despite any precautions we may take, system interruptions and delays could occur if there is a natural disaster, if a third-party provider closes a facility we use without adequate notice for financial or other reasons, or if there are other unanticipated problems at our leased facilities. Because we rely heavily on our servers, computer and communications systems and the Internet to conduct our business and provide high-quality service to our members, disruptions could harm our ability to effectively run our business. Moreover, our members and customers face similar risks, which could directly or indirectly impact our business. We currently use AWS and would be unable to switch instantly to another system in the event of failure to access AWS. This means that an outage of AWS could result in our system being unavailable for a significant period of time. Terrorism, cyberattacks and other criminal, tortious or

77

SoFi Technologies, Inc.

unintentional actions could also give rise to significant disruptions to our operations. In addition, the long-term effects of climate change on the global economy and our industry in particular are unclear, however we recognize that there are inherent climate-related risks wherever business is conducted. For example, our offices may be vulnerable to the adverse effects of climate change. We have large offices located in the San Francisco Bay Area, Salt Lake City, Utah, and Jacksonville, Florida, regions that are prone to events such as seismic activity and severe weather, that have experienced and may continue to experience, climate-related events and at an increasing rate. Examples include drought and water scarcity, hurricanes, warmer temperatures, wildfires and air quality impacts and power shut-offs associated with wildfire prevention and hurricanes. The increasing intensity of drought throughout California and Utah and annual periods of wildfire danger, and the increasing intensity of hurricanes in Florida, increase the probability of planned power outages. Although we maintain a disaster response plan and insurance, such events could disrupt our business, the business of our partners or third-party suppliers, and may cause us to experience losses and additional costs to maintain and resume operations. Our business interruption insurance may not be sufficient to compensate us for losses that may result from interruptions in our service as a result of system failures or other disruptions. Comparable natural and other risks may reduce demand for our products or cause our members to suffer significant losses and/or incur significant disruption in their respective operations, which may affect their ability to satisfy their obligations towards us. All of the foregoing could materially and adversely affect our business, results of operations and financial condition.

Employee misconduct, which can be difficult to detect and deter, could harm our reputation and subject us to significant legal liability.

We operate in an industry in which integrity and the confidence of our members is of critical importance. We are subject to, and have experienced, risks of errors and misconduct by our employees that could adversely affect our business, including:

•engaging in misrepresentation or fraudulent activities when marketing or performing online brokerage and other services to our members;

•improperly using or disclosing confidential information of our members, technology platform clients, or other parties;

•concealing unauthorized or unsuccessful activities; or

•otherwise not complying with applicable laws and regulations or our internal policies or procedures.

There have been numerous highly-publicized cases of fraud and other misconduct by financial services industry employees. The precautions that we take to detect and deter employee misconduct might not be effective. If any of our employees engage in illegal, improper, or suspicious activity or other misconduct, we could suffer serious harm to our reputation, financial condition, member relationships, and our ability to attract new members. We also could become subject to regulatory sanctions and significant legal liability, which could cause serious harm to our financial condition, reputation, member relationships and prospects of attracting additional members.

Risk Management and Financial Reporting Risks

If we fail to establish and maintain proper and effective internal control over financial reporting, our ability to produce accurate and timely financial statements could be impaired, investors may lose confidence in our financial reporting and the trading price of our common stock may decline.

Pursuant to Section 404 of the Sarbanes-Oxley Act, a report by management on internal control over financial reporting and an attestation of our independent registered public accounting firm are required. The rules governing the standards that must be met for management to assess internal control over financial reporting are complex and require significant documentation, testing and possible remediation. We are required, pursuant to Section 404 of the Sarbanes-Oxley Act, to furnish a report by management on, among other things, the effectiveness of our internal control over financial reporting for our annual reports on Form 10-K. This assessment must include disclosure of any material weaknesses identified by our management in our internal control over financial reporting. Our independent registered public accounting firm must also attest to the effectiveness of our internal control over financial reporting in our annual reports on Form 10-K. We are required to disclose changes made in our internal controls and procedures on a quarterly basis. Failure to comply with the Sarbanes-Oxley Act could potentially subject us to sanctions or investigations by the SEC, the applicable stock exchange or other regulatory authorities, which would require additional financial and management resources.

The annual internal control assessment required by Section 404 of Sarbanes-Oxley has diverted, and may in the future divert, internal resources and we have and may experience higher operating expenses, higher independent auditor and consulting fees in the future. To comply with the Sarbanes-Oxley Act, the requirements of being a reporting company under the

78

SoFi Technologies, Inc.

Exchange Act and any new or revised accounting rules in the future, as necessary, we have, and may in the future further, work to upgrade the Company's legacy information technology systems; implement additional financial and management controls, reporting systems and procedures; and hire additional accounting and finance staff. If we are unable to hire the additional accounting and finance staff necessary to comply with these requirements, we may need to retain additional outside consultants. In addition, our current controls and any new controls that we develop may become inadequate because of poor design and changes in our business. For example, our continuing growth and expansion in globally dispersed markets, such as our acquisition of Technisys, has placed and may in the future place significant additional pressure on our system of internal control over financial reporting, as acquisition targets may not be in compliance with the provisions of the Sarbanes-Oxley Act. We do not conduct a formal evaluation of companies' internal control over financial reporting prior to an acquisition. We may be required to hire additional staff and incur substantial costs to implement the necessary new internal controls at companies we acquire. Any failure to implement and maintain effective internal controls over financial reporting could adversely affect the results of assessments by our independent registered public accounting firm and their attestation reports. If we or, if required, our independent registered public accounting firm, are unable to conclude that our internal control over financial reporting is effective, investors may lose confidence in our financial reporting, which could negatively impact the price of our securities.

As a result of any material weakness, restatement, change in accounting, or other matters raised or that may in the future be raised by the SEC, we may face potential litigation or other disputes, which may include, among others, claims invoking the federal and state securities laws, contractual claims or other claims arising from the restatement and material weaknesses in our internal control over financial reporting and the preparation of our financial statements. We can provide no assurance that litigation or disputes will not arise in the future. Any such litigation or dispute related to our financial statements or internal controls, whether successful or not, could have a material adverse effect on our business, results of operations and financial condition.

We cannot assure you that there will not be additional material weaknesses in our internal control over financial reporting now or in the future. Any failure to maintain internal control over financial reporting could cause us to fail to timely detect errors and severely inhibit our ability to accurately report our financial condition, results of operations or cash flows. If we are unable to conclude that our internal control over financial reporting is effective, or if our independent registered public accounting firm determines that we have a material weakness in our internal control over financial reporting, investors may lose confidence in the accuracy and completeness of our financial reports, the market price of our common stock could decline, and we could be subject to sanctions or investigations by Nasdaq, the SEC or other regulatory authorities. Failure to remedy any material weakness in our internal control over financial reporting, or to implement or maintain other effective control systems required of public companies, could also restrict our future access to the capital markets.

We adjust our total number of members in the event a member is removed in accordance with our terms of service, and our total member count in any one period may not yet reflect such adjustments.

We adjust our total number of members in the event a member is removed in accordance with our terms of service. This could occur for a variety of reasons-including fraud or pursuant to certain legal processes or if a member requests that we close their account in accordance with our terms of service-and, as our terms of service evolve together with our business practices, product offerings and applicable regulations, additional grounds for removing members from our total member count could occur. The determination that a member should be removed in accordance with our terms of service is subject to an evaluation process, following the completion, and based on the results, of which, relevant members and their associated products are removed from our total member count. However, depending on the length of the evaluation process, that removal may not take place in the same period in which the member was added to our member count or the same period in which the circumstances leading to their removal occurred. For this reason, our total member count in any one period may not yet reflect such adjustments. In any given period, we estimate that up to 10% of our members may be under evaluation for removal in accordance with our terms of service; however, we cannot assure you that this percentage in any period will not be more significant and have an adverse impact on our stock price or results of operations.

Our reported financial results may be adversely affected by changes in accounting principles generally accepted in the United States.

Generally accepted accounting principles in the United States are subject to interpretation by the Financial Accounting Standards Board, the American Institute of Certified Public Accountants, the SEC and various bodies formed to promulgate and interpret appropriate accounting principles. A change in these principles or interpretations could have a significant effect on our reported financial results and could affect the reporting of transactions completed before the announcement of a change.

79

SoFi Technologies, Inc.

We incur significant costs and expend significant time and effort, as a result of operating as a public company, and our management is required to devote substantial time to compliance initiatives and corporate governance practices.

We have incurred and will continue to incur increased costs as a result of operating as a public company, and our management intends to continue to devote substantial time to new risk management and compliance initiatives. As a public company, we are subject to the reporting requirements of the Exchange Act, the Sarbanes-Oxley Act, the Dodd-Frank Act, as well as rules adopted, and to be adopted, by the SEC and Nasdaq. Our management and other personnel devote a substantial amount of time to these risk management and compliance initiatives. Furthermore, new rules and regulations or changes to existing rules and regulations in the future may increase our legal and financial compliance costs and make certain activities more time-consuming and costly. The impact of these requirements could also make it more difficult for us to attract and retain qualified persons to serve on our Board of Directors, its board committees or as executive officers.

Dealing with the increasingly complex laws pertaining to public companies can be time consuming, which may result in our executive officers devoting less time to the management and growth of the business. We continue to evaluate whether we have adequate personnel with the appropriate level of knowledge, experience and training in the accounting policies, practices or internal control over financial reporting required of public companies. We have in the past and may in the future expand our employee base and hire additional employees to support our operations as a public company, which has caused and may in the future cause our operating costs to increase. See "If we fail to establish and maintain proper and effective internal control over financial reporting, our ability to produce accurate and timely financial statements could be impaired, investors may lose confidence in our financial reporting and the trading price of our common stock may decline".

Our risk management processes and procedures may not be effective.

Our risk management system is defined in our Risk Governance Framework ("RGF") and includes our risk culture philosophy and risk governance structure through which our Board and management align strategic planning, execution, performance measurement, and compensation decisions with our values, behaviors, and risk appetite. Our RGF creates a consistent approach to how we identify, measure, monitor, and control the types of risk to which we are subject to, including interest rate risk, credit risk, deposit risk, market risk, foreign currency exchange rate risk, liquidity risk, strategic risk, operational risk and cybersecurity risk. Credit risk is the risk of loss that arises when a loan obligor fails to meet the terms of a loan repayment obligation, the loan enters default, and if uncured results in financial loss of remaining principal and interest to the loan purchaser. Our exposure to credit risk mainly arises from our lending activities, including SoFi Credit Card. Deposit risk refers to accelerated availability of depositor funds, prior to settlement, risk of ACH returns or merchant settlements, and transactional limits that may be applied to deposit accounts. Market risk is the risk of loss due to changes in external market factors, such as interest rates, asset prices, and foreign exchange rates. Foreign currency exchange rate risk is the risk that our financial position or results of operations could be positively or negatively impacted by fluctuations in exchange rates. We may in the future be subject to increasing foreign currency exchange rate risk with our acquisition of Technisys, a foreign company, and we continue to pursue a diversified durable growth strategy with expansion via new products and geographies. Liquidity risk is the risk that financial condition or overall safety and soundness are adversely affected by an inability, or perceived inability, to meet obligations (e.g., current and future cash flow needs) and support business growth. We actively monitor our liquidity position at the broker-dealer and SoFi Bank. Strategic risk is the risk from changes in the business environment, ineffective business strategies, improper implementation of decisions or inadequate responsiveness to changes in the business and competitive environment.

Operational risk is the risk of loss arising from inadequate or failed internal processes, controls, people (e.g., human error or misconduct) or systems (e.g., technology problems), business continuity or external events (e.g., natural disasters), compliance, reputational, regulatory, cybersecurity or legal matters and includes those risks as they relate directly to us, fraud losses attributed to applications and any associated fines and monetary penalties as a result, transaction processing, or employees, as well as to third parties with whom we contract or otherwise do business. We believe operational risk is one of the most prevalent forms of risk in our risk profile. We strive to manage operational risk by establishing policies and procedures to accomplish timely and efficient processing, obtaining periodic internal control attestations from management, conducting internal process Risk Control Self-Assessments and audit reviews to evaluate the effectiveness of internal controls. Our operational risk, and the amount we invest in risk management, may increase as we introduce new products and product features, and as new threat actors and evolving threat vectors, such as account takeover tactics, increase and become more sophisticated. In order to be effective, among other things, our enterprise risk management capabilities must adapt and align to support any new product or loan features, capability, strategic development, or external change.

Cybersecurity risk is the risk of an unauthorized occurrence on or conducted through our information systems that may result in adverse effects on the confidentiality, availability, or integrity of our systems and data, including, but not limited to, sensitive client data. Our technology and cybersecurity teams rely on a layered system of preventive and detective technologies,

80

SoFi Technologies, Inc.

controls, and policies to detect, mitigate, and contain cybersecurity threats. In addition, our cybersecurity team, and the third-party consultants they engage, assess our cybersecurity risks and mitigation efforts. Cyberattacks have and may continue to result in financial and reputational risk.

Risk, including, but not limited to, the risks outlined above, is inherent in our business, and therefore, despite our efforts to manage risk, there can be no assurance that we will not sustain unexpected losses. We could incur substantial losses and our business operations could be disrupted to the extent our business model, operational processes, control functions, technological capabilities, risk analyses, and business/product knowledge do not adequately identify and manage potential risks associated with our strategic initiatives. There also may be risks that exist, or that develop in the future, that we have not appropriately anticipated, identified or mitigated, including when processes are changed or new products and services are introduced. If our risk management framework does not effectively identify and control our risks, we could suffer unexpected losses or be otherwise adversely affected, which could have a material adverse effect on our business.

Incorrect estimates or assumptions by management in connection with the preparation of our consolidated financial statements or forecasts could adversely affect our reported or forecasted assets, liabilities, income, revenues or expenses.

The preparation of our consolidated financial statements requires management to make critical accounting estimates and assumptions that affect the reported amounts of assets, liabilities, income, revenues or expenses during the reporting periods. Incorrect estimates and assumptions by management could adversely affect our reported amounts of assets, liabilities, income, revenues and expenses during the reporting periods. If we make incorrect assumptions or estimates, our reported financial results may be over- or understated, which could materially and adversely affect our business, financial condition and results of operations.

In addition, operating results are difficult to forecast because they generally depend on a number of factors, including the competition we face, and our ability to attract and retain members and enterprise partnerships, and macroeconomic risks, while generating sustained revenues through the Financial Services Productivity Loop. Additionally, our business may be affected by reductions in consumer borrowing, spending and investing, consumer deposits or investment by technology platform clients from time to time as a result of a number of factors, including the state of the overall economy, which may be difficult to predict. This may result in decreased revenue levels, and we may be unable to adopt measures in a timely manner to compensate for any unexpected shortfall in income. This inability could cause our operating results in a given quarter to be higher or lower than expected. These factors make creating accurate forecasts and budgets challenging and, as a result, we may fall materially short of our forecasts and expectations, which could cause our stock price to decline and investors to lose confidence in us.

We may fail to meet our publicly announced guidance or other expectations about our business and future operating results, which could cause our stock price to decline.

We typically release earnings guidance in our quarterly and annual earnings conference calls and quarterly and annual earnings releases, and may, from time to time, announce guidance otherwise, regarding our future performance that represents our management's estimates as of the date of release. This guidance includes forward-looking statements based on projections prepared by our management. Projections are based upon a number of assumptions and estimates that are based on information known when they are issued, and, while presented with numerical specificity, are inherently subject to significant business, economic and competitive uncertainties and contingencies relating to our business, many of which are beyond our control and are based upon specific assumptions with respect to future business decisions, certain of which will change.

Guidance is necessarily speculative in nature, and some or all of the assumptions underlying the guidance furnished by us may not materialize or may vary significantly from actual outcomes. Accordingly, our guidance is only an estimate of what management believes is realizable as of the date of release. Actual results may vary from our guidance and the variations may be material. In light of the foregoing, investors are urged not to rely upon our guidance in making an investment decision regarding our common stock.

Information Technology and Data Risks

Cyberattacks and other security incidents and compromises could have an adverse effect on our business and systems, harm our brand and our reputation and expose us to liability. Efforts to prevent and respond to these attacks and incidents are costly.

In the normal course of business, we collect, store, process and transmit non-public and confidential information regarding our members, prospective members, technology platform clients and the customers of our technology platform

81

SoFi Technologies, Inc.

clients, and employees and third-party service providers, as well as information required to access customer assets. We also have arrangements in place with certain third-party service providers that require us to share consumer information. We have built our reputation on the premise that we are helping members get their money right by offering a safe, secure way to store their money and build a financially sound future. As a result, any actual or perceived security breach of us or our third-party partners have and may in the future:

•harm our reputation and brand;

•result in our systems or services being unavailable and interrupt our operations;

•result in improper disclosure of data and violations of applicable privacy and data protection laws;

•result in significant regulatory scrutiny, investigations, fines, penalties, and other legal, regulatory, and financial exposure;

•cause us to incur significant remediation costs;

•lead to theft or irretrievable loss of our or our customers' assets;

•reduce customer confidence in, or decrease customer use of, our products and services;

•divert the attention of management from the operation of our business;

•result in significant compensation or contractual penalties payable by us to our customers or third parties as a result of losses to them or claims by them; and

•adversely affect our business, operating results, and financial condition.

Despite the implementation of security measures, our internal computer and information technology systems and infrastructure and those of our third-party service providers and other contractors and consultants upon which our business relies have experienced and are at constant risk of cyber-attacks or cyber intrusions via viruses, worms, break-ins, breakdown, wrongful intrusions, wrongful conduct by insider employees or vendors, malware, ransomware and other malicious software programs, attacks enhanced or facilitated by AI, social engineering (including phishing attacks), business email compromises, hacking, data breaches, denial-of-service attacks or other attacks and similar disruptions from the unauthorized use of or access to computer systems (including from internal and external sources) that attack our products or otherwise exploit any vulnerabilities in our systems or those of our third-party service providers, or attempt to fraudulently induce our members, prospective members, technology platform clients and the customers of our technology platform clients, employees, third-party service providers or others to disclose passwords or other sensitive information or unwittingly provide access to our systems or data. Furthermore, these attempts to disrupt or gain unauthorized access to our and our third-party service providers' information systems from malicious third parties or insider threats may incorporate widely varying and frequently changing tactics, which may be enhanced or facilitated by AI. In addition, we expect the amount and sophistication of the perpetrators of these attacks to continue to expand, which could include nation-state actors. Such incidents have and could in the future lead to interruptions, delays or website outages, causing loss of critical data or the unauthorized disclosure or use of personally identifiable or other confidential information.

Cyberattacks continue to be prevalent and pervasive across industries, including in our industry, and such attacks on our systems and those of our third-party service providers have occurred in the past and are expected to occur in the future. Security incidents, data breaches, or compromises could occur from outside our company, and also from the actions of persons inside our company who may have authorized or unauthorized access to our technology systems, despite our investment in security controls. In addition, security threats may increase as a result of geopolitical events, such as in connection with the confrontation in Venezuela, the ongoing conflict in the Middle East and the ongoing war in Ukraine, and U.S. government actions and policies and regulatory priorities. These events could interrupt our business or operations, result in significant legal and financial exposure, supervisory liability, damage to our reputation and a loss of confidence in the security of our systems, products and services. Although the impact to date from these events has not had a material adverse effect on us, no assurance is given that this will continue to be the case in the future.

Cybersecurity risks in the financial services industry have increased, in part because of new technologies, AI, the use of the Internet and telecommunications technologies (including mobile devices) to conduct financial and other business transactions and the increased sophistication and activities of organized criminals, perpetrators of fraud, hackers, terrorists and others. In addition to cyberattacks and other security incidents and compromises involving the theft of non-public and confidential information, hackers have engaged in attacks that are designed to disrupt key business services, such as consumer-facing websites. We may not be able to anticipate or implement effective preventive measures against all security incidents, data breaches, and compromises, especially because the techniques used change frequently and because attacks can originate from a wide variety of sources. We employ detection and response mechanisms designed to contain and mitigate security

82

SoFi Technologies, Inc.

incidents, but there are no assurances that these mechanisms will be effective and early detection efforts may be thwarted by sophisticated attacks and malware designed to avoid detection. Despite our investments in detection strategy and a 24/7/365 security operations center, we also may fail to detect the existence of a security incident or data breach related to the information of our members, prospective members, technology platform clients and the customers of our technology platform clients, and employees and third-party service providers.

The access by unauthorized persons to, or the improper disclosure by us of, confidential information regarding our members, prospective members, technology platform clients and the customers of our technology platform clients, employees and third-party service providers, or our proprietary information, software, methodologies and business secrets, could interrupt our business or operations, result in significant legal and financial exposure, supervisory liability, damage to our reputation or a loss of confidence in the security of our systems, products and services, all of which could have a material adverse impact on our business. Because each loan that we originate involves, in part, our proprietary automated underwriting process, any failure of our computer systems involving our automated underwriting process and any technical or other errors contained in the software pertaining to our automated underwriting process could compromise our ability to accurately evaluate potential members, which could negatively impact our results of operations. Furthermore, any failure of our computer systems could cause an interruption in operations and result in disruptions in, or reductions in the amount of, collections from the loans we make to our members. Additionally, if threat actors were able to access our secure files, they might be able to gain access to the personal information of our members, prospective members, technology platform clients and the customers of our technology platform clients, and employees. If we are unable to prevent such activity, we may be subject to significant liability, negative publicity and a material loss of members or technology platform clients, all of which may negatively affect our business. In addition, there have in the past been a number of well-publicized attacks or incidents affecting companies in the financial services industry that have heightened concern by consumers, which could also intensify regulatory focus, cause users to lose trust in the security of the industry in general and result in reduced use of our services and increased costs, all of which could also have a material adverse effect on our business.

Further, the costs associated with a cyber attack or other security incident could materially adversely impact our cost of operations and our business. These costs include expenses for incident response, forensic investigations, system and member remediation, data recovery, and business interruption, as well as legal, regulatory, and contractual costs, including costs associated with required notifications, regulatory investigations, fines or penalties, litigation, settlements, and judgments. In addition, a cybersecurity incident could result in increased cybersecurity and insurance costs, including higher premiums or reduced availability of coverage. Any of the foregoing could materially and adversely affect our business, financial condition, and results of operations.

Our business is also subject to contractual obligations related to the protection, confidentiality, and security of data, including personal, financial, and confidential information belonging to our members, prospective members, technology platform clients and the customers of our technology platform clients, and employees and third-party service providers. Many of our contracts contain data protection, confidentiality, indemnification, limitation of liability, and service-level provisions that could be triggered by a cybersecurity incident or data breach. We have in the past experienced and may in the future experience a cyber breach and we may be required to indemnify technology platform clients or other counterparties for losses arising from the incident, provide credits, refunds, or other contractual remedies, or face claims for damages resulting from alleged failures to meet contractual security or availability commitments. Certain contracts may also permit counterparties to terminate or suspend services, seek injunctive relief, or pursue other remedies following a data breach. In addition, contractual liability arising from a cyber breach or other security incident could result in substantial defense costs, settlements, or judgments, as well as increased scrutiny during contract renewals or negotiations. Our contractual protections, including limitations of liability, exclusions, and insurance coverage, may be insufficient to fully mitigate these risks or may not apply in all circumstances. Any of the foregoing could materially and adversely affect our business, financial condition, and results of operations.

Further, although we maintain cyber liability insurance, this insurance may not provide adequate coverage against potential liabilities related to any experienced cybersecurity incident or breach.

The processing of personal data and implementation of new technologies could give rise to liabilities as a result of federal, state and international laws and regulations, as well as our failure to adhere to the privacy and data security practices that we articulate to our members.

We collect, process, store, use, share and/or transmit a large volume of personal information and other non-public data from current, past and prospective members. There are federal, state, and foreign laws regarding privacy, data security and the collection, use, storage, protection, sharing and/or transmission of personal information and non-public data. Additionally, many states continue to enact legislation on matters of privacy, information security, cybersecurity, data breach and data breach

83

SoFi Technologies, Inc.

notification requirements. For example, as of January 1, 2020, the CCPA granted additional consumer rights with respect to data privacy in California. The CCPA was amended by a California ballot initiative, the CPRA, in November 2020. The CCPA amendments, including expanded rights for consumers and obligations for businesses, went into effect on January 1, 2023. The CCPA, among other things, entitles California residents to know how their personal information is being collected and shared, to access or request the deletion of their personal information and to opt out of the sharing of their personal information. The amended CCPA also created a new state agency, the CPPA, and vested it with full administrative power, authority and jurisdiction to implement and enforce the CCPA. Generally, personal information that we process is subject to GLBA and thereby exempt from CCPA coverage. However, the CCPA regulates other personal information that we collect and process in connection with the business. While we have made modifications to our data collection and processing practices and policies to comply with the CCPA, we cannot predict their impact on our business, operations or financial condition.

Laws similar to the CCPA have entered into force in numerous other states. Further, a number of other states have proposed new privacy laws, certain of which would be comprehensive such as the CCPA and others which are more narrowly focused on particular types of data. Such proposed legislation, if enacted, may add additional complexity, variation in requirements, restrictions and potential legal risk, require additional investment of resources in compliance programs, impact strategies and the availability of previously useful data and could result in increased compliance costs and/or changes in business practices and policies. Certain states have already passed laws regulating specific aspects of privacy. For example, a small number of states, such as Washington, Illinois and Texas, have enacted laws that specifically target the collection and use of biometric information. The existence of comprehensive privacy laws in different states in the country makes our compliance obligations more complex and costly and may increase the likelihood that we may be subject to enforcement actions or otherwise incur liability for noncompliance. In addition, laws in all 50 U.S. states require businesses to provide notice to individuals if certain of their personal information has been disclosed as a result of a qualifying data breach. These various privacy and security laws may impact our business activities, including our identification of research subjects, relationships with business partners and ultimately the marketing and distribution of our products. State laws are changing rapidly and U.S. Congress may in the future enact a comprehensive federal data privacy law to which we may likely become subject.

Regulators and legislators in the U.S. are increasingly scrutinizing and restricting certain personal data transfers and transactions involving foreign countries. For example, Preventing Access to Americans' Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern, as implemented by Department of Justice regulations issued in December 2024, prohibits data brokerage transactions involving certain sensitive personal data categories, including health data, genetic data, and biospecimens, to countries of concern, including China. The regulations also restrict certain investment agreements, employment agreements and vendor agreements involving such data and countries of concern, absent specified cybersecurity controls. Actual or alleged violations of these regulations may be punishable by criminal and/or civil sanctions and may result in exclusion from participation in federal and state programs.

Outside the United States, an increasing number of laws, regulations, and industry standards apply to data privacy and security, and we expect that there will continue to be new or amended laws, regulations, standards and obligations proposed and enacted in various foreign jurisdictions. For example, the EU GDPR, the UK GDPR, various Latin American ("LATAM") privacy laws such as Brazil's Lei Geral de Proteção de Dados Pessoais ("LGPD") and Argentina's Ley de Protección de los Datos Personales ("PDPA") impose strict requirements for the processing of personal data of individuals located, respectively, within the EEA, the UK and LATAM region. For example, under the EU GDPR, government regulators may impose temporary or definitive bans on data processing, as well as fines of up to 20 million Euros (£17.5 million in the UK) or 4% of the annual global revenue of the company, whichever is greater; or private litigation related to processing of personal data brought by classes of data subjects or consumer protection organizations authorized at law to represent their interests. Certain jurisdictions, such as the EU, Switzerland, the UK and LATAM have enacted cross-border personal data transfers laws regulating personal data flows to third countries. For example, absent appropriate safeguards or other circumstances, the EU GDPR generally restricts the transfer of personal data to countries outside of the EEA, such as the United States, which the EC does not consider to be providing an adequate level of personal data protection. The EC has issued standard contractual clauses for data transfers from controllers or processors in the EU (or otherwise subject to the EU GDPR) to controllers or processors established outside the EU. The standard contractual clauses require exporters to assess the risk of a data transfer on a case-by-case basis, including an analysis of the laws in the destination country. The UK is not subject to the EC's standard contractual clauses but has published a UK-specific transfer mechanism, which enables transfers from the UK. The UK-specific mechanism, the "International Data Transfer Agreement", requires a similar risk assessment of the transfer as the standard contractual clauses. Further, the EU and United States have adopted its adequacy decision for the EU-U.S. Data Privacy Framework ("EU Framework"), which entered into force on July 11, 2023. The EU Framework provides that the protection of personal data transferred between the EU and the United States is comparable to that offered in the EU. This provides a further avenue to ensuring transfers to the United States are carried out in line with the EU GDPR. There has been an extension to the EU Framework to cover UK transfers to the United States and Switzerland has also agreed to a corresponding framework with the U.S. recognizing an adequate level of protection for personal data transfers under the Swiss-U.S. Data Privacy Framework.

84

SoFi Technologies, Inc.

These Frameworks could be challenged like predecessor frameworks. This complexity and the additional contractual burden may increase our overall risk exposure. In addition, laws in LATAM similarly restrict personal data transfers outside of those jurisdictions to countries such as the U.S. that do not provide an adequate level of personal data protection. In addition to European restrictions on cross-border personal data transfers, other jurisdictions have enacted or are considering similar cross-border personal data transfer laws and local personal data residency laws, any of which could increase the cost and complexity of doing business. If we cannot implement a valid compliance mechanism for cross-border personal data transfers, we may face increased exposure to regulatory actions, substantial fines, and injunctions against processing or transferring personal data from Europe or elsewhere. Inability to import personal data to the U.S. may significantly and negatively impact our business operations, including by limiting our ability to collaborate with parties subject to European and other data protection laws or requiring us to increase our personal data processing capabilities in Europe and/or elsewhere at significant expense.

Certain of our products and services are also subject to self-regulatory standards and industry certifications that may legally or contractually apply to us. These include the Payment Card Industry Data Security Standards ("PCI-DSS"), AICPA, and Security Organization Control 2 ("SOC 2"), which apply to or are maintained by certain of our solutions. In the event we fail to comply with the PCI-DSS or fail to maintain our SOC 2 certification, we could be in breach of our obligations under customer and other contracts, fines and other penalties could result, and we may suffer reputational harm and damage to our business. Further, our customers may expect us to comply with more stringent privacy, data storage and data security requirements than those imposed by laws, regulations or self-regulatory requirements, and we may be obligated contractually to comply with additional or different standards relating to our handling or protection of data.

Separately, the rapid evolution of AI will require the application of significant resources to design, develop, test and maintain our products and services to help ensure that AI is implemented in accordance with applicable law and regulation and in a socially responsible manner and to minimize any real or perceived unintended harmful impacts. As the regulatory framework for machine learning technology and AI evolves, new state laws and regulations are emerging and it is likely that other new laws and regulations will be adopted in the near future, or that existing laws and regulations may be interpreted in ways that would affect our business and the ways in which we may use AI and machine learning technology, our financial condition and our results of operations, including as a result of the cost to comply with such laws or regulations. For example, the EU's Artificial Intelligence Act ("AI Act"), the world's first comprehensive AI law, entered into force on August 1, 2024 and, with certain exceptions, will begin to apply as of August 2, 2026. As enacted, this legislation imposes significant obligations on providers and deployers of high-risk AI systems, and encourages providers and deployers of AI systems to account for EU ethical principles in their development and use of these systems. If we develop or use AI systems that are governed by the AI Act, it may necessitate ensuring higher standards of data quality, transparency, and human oversight, as well as adhering to specific ethical, accountability, and administrative requirements, certain of which may increase our costs and compliance obligations. Further, potential government regulation related to AI use and ethics may also increase the cost of research and development in this area, and failure to properly remediate AI usage or ethics issues may cause public confidence in AI to be undermined, which could slow adoption of AI in our products and services.

Likewise, in the U.S., the regulatory environment is complex and uncertain. The U.S. Presidential administration's Executive Order "Ensuring a National Policy Framework for Artificial Intelligence," effective December 11, 2025, directed federal agency reviews of state AI laws and coordination between White House advisors and Congress to reach a legislative proposal for a uniform federal AI policy framework. At the same time, several states, including Texas, Colorado and California, passed laws that regulate various facets of AI, certain of which have taken effect and will continue to take effect through 2026 and beyond. These laws address a wide range of AI-related topics, including consequential decisions, transparency, training data, among others, and it remains unclear which requirements, if any, will be superseded by the Executive Order. In addition, there continues to be uncertainty regarding the application of existing federal and state legal frameworks to uses and development of AI, and legal norms and market standards regarding AI continue to evolve. If we develop or use AI systems that are governed by these laws or regulations, we will need to meet higher standards of data quality, transparency, and human oversight, and we would need to adhere to specific and potentially burdensome and costly ethical, accountability, and administrative requirements. We may also be subject to significant enforcement or litigation in the event of any perceived non-compliance.

Any violations of these laws and regulations may require us to change our business practices or operational structure, including limiting our activities in certain states and/or jurisdictions, address legal claims, and sustain monetary penalties, reputational damage and/or other harms to our business. Further, in certain cases we rely on the data processing, privacy, data protection and cybersecurity practices of our third-party service providers, including with regard to maintaining the confidentiality, security and integrity of data. If we fail to manage our third-party service providers or their relevant practices, or if they fail to meet any requirements with regard to data processing, privacy, data protection or cybersecurity required by applicable legal or contractual obligations that we face (including any applicable requirements of our clients), we may be liable in certain cases. Legal obligations relating to privacy, cybersecurity and data protection may require us to manage our third-

85

SoFi Technologies, Inc.

party service providers and their practices and to enter into agreements with them in certain cases. We may face difficulties in binding our third-party service providers to these agreements and otherwise managing their relevant practices, which may subject us to claims, proceedings, and liabilities.

Furthermore, our online privacy policy and website make certain statements regarding our privacy, information security, and data security practices with regard to information collected from our members. Failure to adhere to such practices may result in regulatory scrutiny and investigation (including the potential for fines and monetary penalties), complaints by affected members, reputational damage and other harm to our business. If either we, or the third-party service providers with which we share member data, are unable to address privacy concerns, even if unfounded, or to comply with applicable laws and regulations, it could result in additional costs and liability, damage our reputation, and harm our business.

Disruptions in the operation of our computer systems and third-party data centers and service providers could have an adverse effect on our business.

Our ability to deliver products and services to our members and clients, and otherwise operate our business and comply with applicable laws, depends on the efficient and uninterrupted operation of our computer systems and third-party data centers, as well as third-party service providers. Our computer systems and third-party providers may encounter service interruptions at any time due to system or software failure or errors, employee misconfiguration of resources or misdirected communications, natural disasters, severe weather conditions, health pandemics, terrorist attacks, cyberattacks or other events. For example, in September 2023, the SoFi Invest platform experienced a service interruption that resulted in certain of our members being unable to view certain of their account information and unable to buy and sell securities and other financial products on our platform for a period of time. Any such events, including persistent interruptions or perceptions of such interruptions whether true or not, in our products and services could cause members to believe that our products and services are unreliable, leading them to switch to our competitors or to otherwise avoid our products and services, and otherwise have a negative effect on our business and technology infrastructure (including our computer network systems), which could lead to member dissatisfaction or long-term disruption of our operations. Additionally, our insurance policies might be insufficient to cover a claim made against us by any such members affected by any disruptions, outages, or other performance or infrastructure problems.

Additionally, our reliance on third-party providers may mean that we will not be able to resolve operational problems internally or on a timely basis, as our operations will depend upon such third-party service providers communicating appropriately and responding swiftly to their own service disruptions through industry standard best practices in business continuity and/or disaster recovery. As a last resort, we may rely on our ability to replace a third-party service provider if it experiences difficulties that interrupt operations for a prolonged period of time or if an essential third-party service terminates. If these service arrangements are terminated for any reason without an immediately available substitute arrangement, our operations may be severely interrupted or delayed. If such interruption or delay were to continue for a substantial period of time, our business, prospects, financial condition and results of operations could be adversely affected.

The implementation of technology changes and upgrades to maintain current and integrate new systems may cause service interruptions, transaction processing errors or system conversion delays and may cause us to fail to comply with applicable laws, all of which could have a material adverse effect on our business. We have made and expect to continue to make substantial and increasing investments in "observability", or the monitoring of our systems, but limitations or failures in those systems may exacerbate other problems by preventing us from anticipating or quickly detecting issues. In addition, our ability to monitor third party services and service providers is limited, and so our ability to anticipate, detect, and remediate anomalies in those services is also more limited when compared to our internal systems monitoring.

Although our current use of AI and machine learning is limited, our systems and those of our partners are increasingly reliant on AI machine learning systems, which are complex and may have errors or inadequacies that are not easily detectable. These systems may inadvertently reduce the efficiency of our systems, or may cause unintentional or unexpected outputs that are incorrect, do not match our business goals, do not comply with our policies, or otherwise are inconsistent with our brands, guiding principles and mission. Errors or breakdowns in our machine learning systems could also result in damage to our reputation, loss of members, loss of revenue or liability for damages, any of which could adversely affect our growth prospects and our business. Further, bad actors around the world use increasingly sophisticated methods, including the use of AI, to engage in illegal activities involving the theft and misuse of personal information, confidential information and intellectual property. Any of these effects could damage our reputation, result in the loss of valuable property and information, cause us to breach applicable laws and regulations and contractual obligations, and adversely impact our business.

We expect that new technologies and business processes applicable to the financial services industry will continue to emerge and that these new technologies and business processes may be better than those we currently use. There is no assurance that we will be able to successfully adopt new technology as critical systems and applications become obsolete and

86

SoFi Technologies, Inc.

better ones become available. A failure to maintain and/or improve current technology and business processes could cause disruptions in our operations or cause our solution to be less competitive, all of which could have a material adverse effect on our business.

Risks Related to Ownership of Our Securities

The price of our common stock has fluctuated and may be volatile in the future.

The price of our common stock has fluctuated and may continue to fluctuate due to a variety of factors, including:

•changes in the industry in which we operate, including public perception of such industry;

•developments involving our competitors;

•changes in laws and regulations affecting our business, or changes in policies with respect to student loans;

•variations in our operating performance and the performance of our competitors in general;

•actual or anticipated fluctuations in our quarterly or annual operating results;

•publication of research reports by securities analysts about us or our competitors or our industry;

•the public's reaction to our press releases, our other public announcements and our filings with the SEC or any changes in our reputation;

•actions by stockholders;

•additions and departures of key personnel;

•commencement of, or involvement in, litigation or regulatory enforcement investigations involving our company;

•the occurrence of an actual or perceived data or security breach;

•changes in our capital structure, such as future issuances of securities or the incurrence of additional debt, including in connection with acquisitions;

•any reverse stock split of our outstanding shares of common stock, which may increase the price of our common stock;

•volatility in capital markets and changes in the volume of shares of our common stock available for public sale; and

•general economic and political conditions, such as the effects of recessions, interest rates, tariffs, inflation, consumer confidence and spending, public perception of the financial services industry, availability of loans and liquidity in the capital markets, local and national elections, corruption, political instability and acts of war or terrorism, including the confrontation in Venezuela, the ongoing conflict in the Middle East and the ongoing war in Ukraine, and policy- and regulatory-related changes resulting from U.S. government actions and policies and regulatory priorities.

These market and industry factors, as well as others, may materially reduce the market price of our common stock regardless of our operating performance.

We do not intend to pay cash dividends on our common stock for the foreseeable future.

We currently intend to retain our future earnings, if any, to finance the further development and expansion of our business and do not intend to pay cash dividends on our common stock in the foreseeable future. Any future determination to pay dividends on our common stock will be at the discretion of our Board of Directors and will depend on obtaining regulatory approvals, if required, our financial condition, results of operations, capital requirements, restrictions contained in future agreements and financing instruments, business prospects and such other factors as our Board of Directors deems relevant.

If analysts publish inaccurate or unfavorable research, our stock price and trading volume could decline.

The trading market for our common stock depends in part on the research and reports that analysts publish about our business. We do not have any control over these analysts. If one or more of the analysts who cover us downgrade our common stock or publish inaccurate or unfavorable research about our business, as they have done in the past, the price of our common stock would likely decline. If few analysts cover us, demand for our common stock could decrease and our common stock price and trading volume may decline. Similar results may occur if one or more of these analysts stop covering us in the future or fail to publish reports on us regularly. In addition, analysts may establish and publish their own periodic projections for us. These projections may vary widely and may not accurately predict the results we actually achieve. Our share price may decline if our actual results do not match the projections of these research analysts. In addition, if the market for technology stocks or

87

SoFi Technologies, Inc.

financial services stocks or the broader stock market experiences a loss of investor confidence, the trading price of our common stock could decline for reasons unrelated to our business, financial condition or results of operations.

We may be subject to securities litigation, which is expensive and could divert management attention.

The market price of our common stock may be volatile and, in the past, companies that have experienced volatility in the market price of their stock have been subject to securities class action litigation. We may be the target of this type of litigation in the future. Securities litigation against us could result in substantial costs and divert management's attention from other business concerns, which could seriously harm our business.

Future resales of our common stock may cause the market price of our securities to drop significantly, even if our business is doing well.

Sales of a substantial number of shares of our common stock in the public market or the perception that these sales might occur, have in the past and could in the future depress the market price of our common stock and could impair our ability to raise capital through the sale of additional equity securities. Sales of a substantial number of shares, or the perception that such sales may occur, could have a material and adverse effect on the trading price of our common stock. Sales of a substantial number of shares of common stock in the public market could occur at any time. We have filed with the SEC, and the SEC has declared effective, a registration statement covering shares of our common stock issued in connection with the Agreement, including shares issued to the Third Party PIPE Investors, among others, to facilitate such sales and we have filed a registration statement on Form S-3 which allows us to sell securities from time to time. These sales, or the perception in the market that the holders of a large number of shares intend to sell shares, could cause the market price of our common stock to decline or increase the volatility in the market price of our common stock.

Our issuance of additional capital stock in connection with financings, acquisitions, investments, our stock incentive plans or otherwise will dilute all other stockholders.

Our issuance of additional capital stock in connection with financings, acquisitions, investments, our stock incentive plans or otherwise will dilute our stockholders. We expect to issue additional capital stock in the future that will result in dilution to all other stockholders. We expect to continue granting equity awards to employees, directors, and consultants under our stock incentive plans. We may also raise capital through equity financings in the future. As part of our business strategy, we may acquire or make investments in complementary companies, products, or technologies and issue equity securities to pay for any such acquisition or investment. Any such issuances of additional capital stock may cause stockholders to experience significant dilution of their ownership interests and the per share value of our common stock to decline.

There can be no assurance that we will be able to comply with the continued listing standards of Nasdaq.

If Nasdaq delists our shares of common stock from trading on its exchange for failure to meet Nasdaq's listing standards, we and our stockholders could face significant material adverse consequences, including:

•a limited availability of market quotations for our securities;

•reduced liquidity for our securities;

•a determination that our common stock is a "penny stock," which will require brokers trading in our common stock to adhere to more stringent rules and possibly result in a reduced level of trading activity in the secondary trading market for our securities;

•a limited amount of news and analyst coverage; and

•a decreased ability to issue additional securities or obtain additional financing in the future.

Delaware law and our organizational documents contain certain provisions, including anti-takeover provisions that limit the ability of stockholders to take certain actions and could delay or discourage takeover attempts that stockholders may consider favorable.

The General Corporation Law of the State of Delaware (the "DGCL") and our organizational documents contain provisions that could have the effect of rendering more difficult, delaying, or preventing an acquisition that stockholders may consider favorable, including transactions in which stockholders might otherwise receive a premium for their shares. These provisions could also limit the price that investors might be willing to pay in the future for shares of our common stock, and therefore depress the trading price of our common stock. Additionally, these provisions could also make it difficult for stockholders to take certain actions, including electing directors who are not nominated by the current members of our Board of

88

SoFi Technologies, Inc.

Directors or taking other corporate actions, including effecting changes in our management. Among other things, our organizational documents include provisions regarding:

•the ability of our Board of Directors to issue shares of preferred stock, including "blank check" preferred stock and to determine the price and other terms of those shares, including preferences and voting rights, without stockholder approval, which could be used to significantly dilute the ownership of a hostile acquirer;

•the prohibition of cumulative voting in the election of directors, which limits the ability of minority stockholders to elect director candidates;

•limitations on the liability of our directors, and the indemnification of our directors and officers;

•the ability of our Board of Directors to amend our bylaws, which may allow our Board of Directors to take additional actions to prevent an unsolicited takeover and inhibit the ability of an acquirer to amend our bylaws to facilitate an unsolicited takeover attempt; and

•advance notice procedures with which stockholders must comply to nominate candidates to our Board of Directors or to propose matters to be acted upon at a stockholders' meeting, which could preclude stockholders from bringing matters before annual or special meetings of stockholders and delay changes in our Board of Directors and also may discourage or deter a potential acquirer from conducting a solicitation of proxies to elect the acquirer's own slate of directors or otherwise attempting to obtain control of our company.

These provisions, alone or together, could delay or prevent hostile takeovers and changes in control or changes in the Board of Directors or management of our company.

The provisions of our bylaws requiring exclusive forum in the Court of Chancery of the State of Delaware and the federal district courts of the United States for certain types of lawsuits may have the effect of discouraging certain lawsuits, including derivative lawsuits and lawsuits against our directors and officers, by limiting plaintiffs' ability to bring a claim in a judicial forum that they find favorable.

Our bylaws provide that, to the fullest extent permitted by law, and unless we consent in writing to the selection of an alternative forum, the Court of Chancery of the State of Delaware (or, in the event that such court does not have jurisdiction, the federal district court for the District of Delaware or other state courts of the State of Delaware) will be the sole and exclusive forum for any state law claims for (i) any derivative action or proceeding brought on our behalf, (ii) any action asserting a claim for or based on a breach of a fiduciary duty owed by any of our current or former directors, officers or other employees to us or our stockholders, (iii) any action asserting a claim against us or any of our current or former directors, officers or other employees arising pursuant to any provision of the DGCL or our bylaws or Certificate of Incorporation (as either may be amended from time to time), (iv) any action asserting a claim related to or involving our company that is governed by the internal affairs doctrine, and (v) any action asserting an "internal corporate claim" as that term is defined in Section 115 of the DGCL (the "Delaware Forum Provision"). The Delaware Forum Provision, however, does not apply to actions or claims arising under the Exchange Act. Our bylaws also provide that, unless we consent in writing to the selection of an alternate forum, the sole and exclusive forum for the resolution of any complaint asserting a cause of action arising under the Securities Act of 1933, as amended, and the rules and regulations promulgated thereunder, will be the United States Federal District Courts (the "Federal Forum Provision"). Section 27 of the Exchange Act creates exclusive federal jurisdiction over all suits brought to enforce any duty or liability created by the Exchange Act or the rules and regulations thereunder; our stockholders cannot and will not be deemed to have waived compliance with the U.S. federal securities laws and the rules and regulations thereunder.

The Delaware Forum Provision and the Federal Forum Provision in our bylaws may impose additional litigation costs on stockholders in pursuing any such claims and may also impose additional litigation costs on stockholders who assert that either such provision is not enforceable or invalid. Additionally, these forum selection clauses may limit our stockholders' ability to bring a claim in a judicial forum that they find favorable for disputes with us or our directors, officers or employees, which may discourage the filing of lawsuits against us and our directors, officers and employees, even though an action, if successful, might benefit our stockholders. In addition, while the Delaware Supreme Court and other states courts have upheld the validity of federal forum selection provisions purporting to require claims under the Securities Act be brought in federal court, there is still uncertainty as to whether other courts will enforce our Federal Forum Provision. If the Federal Forum Provision is found to be unenforceable, we may incur additional costs associated with resolving such matters. The Court of Chancery of the State of Delaware and the federal district courts of the United States may reach different judgments or results than would other courts, including courts where a stockholder considering an action may be located or would otherwise choose to bring the action, and such judgments may be more or less favorable to us than our stockholders.