New York State Department of Financial Services Issues Crypto Industry’s First Consent Order

On August 1, 2022, the New York State Department of Financial Services (“DFS” or “Department”) issued a consent order imposing a $30 million fine on Robinhood Crypto, LLC (“Robinhood”), a trading platform that allows customers to trade cryptocurrencies, for allegedly failing to comply with New York’s anti-money laundering (“AML”) and cybersecurity regulations. In addition to the monetary penalty, Robinhood must retain the services of an independent consultant to perform an 18-month “comprehensive review” to assess Robinhood’s remediation efforts with respect to identified compliance deficiencies. The case marks DFS’s first enforcement action in the cryptocurrency industry.

Key points to remember

  • Virtual currency businesses licensed in New York should be prepared for DFS’s annual certification requirements and its security and soundness reviews, and should be able to demonstrate how their compliance programs meet the standards set forth in the DFS regulations, in particular the virtual currency regulations,1 the Regulation respecting money transfer companies,2 the Cybersecurity Regulations,3 and the Transaction Monitoring Regulation.4

  • DFS security and soundness reviews that identify “serious deficiencies” may prompt DFS to initiate an enforcement investigation related to the identified deficiencies.

  • DFS will take a close look at whether virtual currency companies allocate adequate resources to their compliance programs, particularly with respect to a company’s size and rate of growth.

Regulation by DFS of commercial activity in virtual currency

DFS is the primary financial services regulator in New York State, licensing and overseeing financial institutions in the state. In June 2015, DFS issued Part 200 of the Superintendent of Financial Services Rules (the “Virtual Currency Rules”) under the New York Financial Services Act.5 To engage in “virtual currency business activity” in New York, DFS requires entities to apply for a “BitLicense” or a charter under New York banking law – for example, as a New York State limited purpose trust company – with permission to conduct business in virtual currency.

The Virtual Currency Regulation requires virtual currency entities regulated by DFS to establish an effective AML program.6 Similarly, DFS regulations require licensed money service companies to establish, implement and maintain an effective AML compliance program. In addition to the Virtual Currency Regulation, the DFS Cybersecurity Regulation7 requires licensees, including virtual currency businesses and money transmitters, to create and maintain a cybersecurity program designed to protect the confidentiality, integrity and availability of information systems.

DFS’s investigation of Robinhood

In 2019, DFS approved Robinhood’s applications for a virtual currency license and a money transfer license.8 In 2020, DFS conducted a security and soundness review of Robinhood. According to the consent order, following the security and soundness review, DFS “began an enforcement investigation into the various compliance breaches identified by the [e]xamination” and ultimately concluded that Robinhood had failed to fully meet its legal obligations in two areas: (a) maintaining an effective Bank Secrecy Act/anti-money laundering (“BSA/AML”) program, including an adequate transaction monitoring system commensurate with its growth; and (b) fully complying with DFS’s cybersecurity regulations.

According to the consent order, among other things, DFS found that Robinhood improperly relied on its subsidiary to administer Robinhood’s BSA/AML program; failed to structure the BSA/AML program to allow its chief compliance officer to formally report to Robinhood’s directors or its audit or risk committees; did not have enough BSA/AML personnel with the appropriate skill level to support its BSA/AML compliance program, particularly given the size and rate of growth of Robinhood; did not have an automated system for monitoring transactions and managing AML cases at the time of the security and soundness review, and did not timely migrate its manual system to an automated transaction monitoring system; had a significant backlog in processing potentially suspicious transaction alerts; and “used an extremely high and arbitrary threshold amount to generate exception reports” for crypto-specific transaction monitoring rules.

According to the consent order, Robinhood also failed to employ adequate cybersecurity personnel to oversee its compliance with cybersecurity regulations, despite the company’s “significant growth”. The consent order further alleges that Robinhood failed to establish sufficient policies and procedures in various areas required by cybersecurity regulations.

Based on these alleged violations, DFS further found that the certifications filed by Robinhood attesting to its compliance with each of the cybersecurity and transaction monitoring regulations were inappropriate. DFS also found that Robinhood violated virtual currency regulations for failing to provide a phone number to receive customer complaints on its website.

The settlement and consent order

Robinhood first publicly disclosed the investigation and settlement with DFS a year ago in filings with the Securities and Exchange Commission.9 Under the consent order, Robinhood must pay a civil penalty of $30 million. The Consent Order also requires Robinhood to engage an independent consultant for an 18-month term to review, report on, and assist Robinhood in its efforts to address compliance deficiencies identified by DFS.

“We have made significant progress in building industry-leading legal, compliance and cybersecurity programs, and we will continue to prioritize this work to better serve our clients,” said Cheryl Crumpton, Robinhood’s associate general counsel for litigation and enforcement, in a recent statement.10 “We remain proud to provide a more accessible, lower-cost platform to buy and sell crypto and are excited to continue to responsibly grow our business with new products and services our customers want.”11

Conclusion

The settlement with Robinhood is the first cryptocurrency industry enforcement action by DFS. To avoid similar action, cryptocurrency businesses licensed in New York must establish a working relationship with DFS and be prepared to demonstrate compliance with DFS regulations. As the cryptocurrency industry continues to grow, crypto businesses should take steps to ensure that their compliance programs grow at the same rate as their business. As DFS Superintendent Adrienne A. Harris said, “DFS will continue to investigate and take action when a licensee violates the law or Department regulations, which are essential to protecting consumers and ensuring the security and soundness of institutions.”12

Footnotes

1. 23 NYCRR Part 200.

2. 3 NYCRR Part 417.

3. 23 NYCRR Part 500.

4. 23 NYCRR Part 504.

5. 23 NYCRR Part 200.

6. 23 NYCRR § 200.15 (b), (d).

7. 23 NYCRR Part 500.

8. Press release, DFS Continues to Advance Responsible Innovation in New York’s FinTech Industry (January 24, 2019), https://www.dfs.ny.gov/reports_and_publications/press_releases/pr1901241.

9. Robinhood Markets, Inc., Registration Statement (Form S-1) (July 1, 2021).

10. Mengqi Sun, Robinhood’s crypto unit fined $30 million by New York’s top financial regulator, Wall St. J. (August 2, 2022, 9:59 AM), https://www.wsj.com/articles/robinhoods-crypto-unit-fined-30-million-by-new-yorks-top-financial-regulator-11659445200?mod=business_minor_pos5.

11. Id.

12. Press Release, DFS Superintendent Harris Announces $30 Million Penalty on Robinhood Crypto for Important Anti-Money Laundering, Cybersecurity & Consumer Protection Violations (August 2, 2022), https://www.dfs.ny.gov/reports_and_publications/press_releases/pr202208021.
