The New York Department of Financial Services (DFS) announcement its first-ever sanction against a cryptocurrency platform this week, with a whopping $30 million fine imposed on Robinhood Crypto, LLC (RHC) for what it described as “material failures in the areas of the Bank Secrecy/Anti-Money Laundering and Cybersecurity Obligations Act which resulted in violations of the Department’s Virtual Currency Regulations (23 NYCRR Part 200), Money Transmitter Regulation (3 NYCRR Part 417), the Transaction Monitoring Regulation (23 NYCRR Part 504) and the Cybersecurity Regulation (23 NYCRR Part 500).
As a result of DFS’s supervisory review and enforcement investigation, it was found that RHC’s compliance program “did not fully address RHC’s operational risks, and that specific policies within of the program did not fully comply with several provisions of the Department’s Cybersecurity and Virtual Currency Regulations.”
In particular, all entities regulated by DFS must annually certify that they have complied with DFS regulations, including its cybersecurity regulations. According to DFS, RHC has certified to DFS that it complies with DFS cybersecurity regulations. However, DFS stated in its press release that “[D]Despite these weaknesses in its transaction monitoring and cybersecurity programs, RHC incorrectly certified compliance with the Department’s Transaction Monitoring Regulations and Cybersecurity Regulations. In accordance with these regulations, companies should only certify to DFS if their programs are fully compliant with the applicable regulations. In light of the program’s shortcomings, the 2019 RHC certifications to the Department attesting to compliance with these regulations should not have been made and therefore violated the law.
In addition to the monetary penalty, the settlement requires that RHC be overseen by an independent consultant who will perform “a comprehensive assessment” of RHC’s compliance and remediation efforts in response to violations identified by DFS.
The deficiencies discovered and the resulting penalty remind DFS-regulated entities that annual certification to DFS will be reviewed and enforced.
Copyright © 2022 Robinson & Cole LLP. All rights reserved.National Law Review, Volume XII, Number 216