New York State Department of Financial Services Imposes $30 Million Fine in First Cryptocurrency Enforcement Action

Alert
|
9 min read

On August 2, in its first ever cryptocurrency enforcement action, the New York State Department of Financial Services ("NYDFS") announced it had imposed a $30 million fine on Robinhood Crypto, LLC ("RHC") for failures in its Bank Secrecy Act and anti-money laundering program ("BSA/AML Program") and its cybersecurity program, and for non-compliance with notice requirements in its January 2019 supervisory agreement with the NYDFS ("Supervisory Agreement"), which RHC entered into with the NYDFS as a condition of obtaining its virtual currency business license.

The NYDFS charged RHC, the cryptocurrency trading division of Robinhood Markets, Inc. ("RHM"), with violating the Department's Cybersecurity Regulation (23 NYCRR Part 500), Virtual Currency Regulation (NYCRR Part 200), Money Transmitter Regulation (3 NYCRR Part 417), and Transaction Monitoring Regulation (23 NYCRR Part 504). RHC holds a Virtual Currency license ("BitLicense") in New York under 23 NYCRR § 200. As a BitLicense holder, RHC is subject to NYDFS-mandated BSA/AML Program and cybersecurity requirements, among other things.  

As part of the settlement, in addition to the monetary penalty, the NYDFS also requires RHC to engage an independent consultant to evaluate its remediation of regulatory shortcomings and to perform a compliance assessment.

The alleged BSA/AML Program and cybersecurity failures discussed in the Consent Order between the NYDFS and RHC ("Consent Order") provide illuminating examples as to the types of alleged corner-cutting and negligent management decisions that lead to alleged material compliance failures and significant regulatory scrutiny and enforcement. One factor the NYDFS cited in several of the alleged compliance violations was an inadequacy of resources and authority RHC dedicated to its compliance functions, especially given its rapid growth.

In the NYDFS statement announcing the RHC fine, Superintendent Adrienne A. Harris declared that the Department "will continue to investigate and take action when any [virtual currency] licensee violates the law or the Department's regulations, which are critical to protecting consumers and ensuring the safety and soundness of the institutions."

The NYDFS Enforcement Investigation and Findings of Compliance Deficiencies

The NYDFS initiated its enforcement investigation after its routine 2020 safety and soundness examination, which covered RHC's operations from January through September 2019.  The investigation revealed multiple alleged deficiencies in RHC's compliance function. The Consent Order found that RHC failed:

  • to implement an adequate BSA/AML Program, in particular with respect to its transaction monitoring; 
  • to fully comply with NYDFS Cybersecurity Regulations, with inadequate staffing, policies, and procedures; and
  • to comply with certain terms of its Supervisory Agreement with the NYDFS.

BSA/AML Governance Failures and Transaction Monitoring Deficiencies

The Consent Order details numerous alleged failures of RHC's BSA/AML Program. Aside from specific instances of BSA/AML Program deficiencies, explained below, the NYDFS observed at the outset that "RHC's overall approach to its compliance obligations substantially contributed to such deficiencies." Of particular concern was RHC's reliance on RHM and its affiliate (Robinhood Financial, LLC or "RHF") for "substantial aspects of its compliance program." As noted by the NYDFS, such reliance is not "inherently violative of [NYDFS] requirements," but RHM's and RHF's programs allegedly were not themselves compliant with New York State regulations and did not address the risks applicable to a BitLicense holder. 

In addition, RHC's Chief Compliance Officer ("CCO") did not report directly to any legal or compliance executive at RHC, RHM, or RHF. Instead, the CCO reported to RHC's Director of Product Operations and did not participate in any formal reporting to the Board of Directors or independent audit or risk committees at the parent or affiliate. As a result, "RHC played no meaningful role in compliance efforts at the entity level, resulting in a lack of an ability to influence staffing and resources, or to timely and adequately adopt measures that would assure full compliance with [NYDFS] Regulations."

The NYDFS also found that RHC conducted itself in a manner that was inconsistent with the NYDFS's expectations of a BitLicense holder. Specifically, the NYDFS cited information RHC provided that was "either delayed, insufficient, or both" and stated that RHC "failed to disclose investigations by federal and state regulators of an RHC affiliated entity, in violation of reporting obligations governed by RHC's Supervisory Agreement." According to the NYDFS, although RHC stated that its BSA/AML Program, relying on its parent and affiliates, was sufficient to meet applicable NYDFS requirements, it "initially claimed during the Examination, erroneously, that the [NYDFS] did not have authority to examine policies or practices of RHC's parent and affiliates" and that "any weaknesses in its programs were overstated because RHC relied on more robust programs of its parent and affiliate, when in reality such programs were not compliant with various aspects of the [NYDFS's] laws and regulations."

As alleged by the NYFDS, the weaknesses discussed above created an overall compliance environment at RHC that was prone to deficiencies and compliance violations. In addition to a governance structure that failed to hold RHC's compliance function accountable, the NYDFS found the CCO lacked sufficient experience, skills, or support staff (i.e., no direct support staff) to meet the compliance program needs of the company and its licensed business. 

RHC relied on a manual system for transaction monitoring, which became untenable as its business grew substantially during the period of concern. In 2019, RHC's third-party consultant observed that RHC's manual process had "minimal value" and recommended that RHC "move expeditiously on RHC's plans to implement the automated AML Software Program." RHC did not have any degree of automated AML transaction monitoring at the time of the 2020 examination, which the NYDFS intimated was an industry standard for companies of RHCs size, and "AML staff simply could not keep up with the transaction alerts." The NYDFS noted a "substantial backlog" of potentially suspicious transactions requiring evaluated for potential SAR filings – 4,378 alerts as of October 26, 2020. RHC's transaction-monitoring program was allegedly not compliant with NYDFS regulations as a direct result of these deficiencies. Despite those deficiencies, RHC's CCO erroneously filed a Certification of Compliance with the NYDFS attesting to compliance with applicable regulations for the year 2019. RHC waited until 2021 to launch and implement its automated AML transaction monitoring and, in doing so, the NYDFS noted that RHC's CCO was "insufficiently involved in [its] oversight." 

Cybersecurity Regulation Violations

RHC's cybersecurity program allegedly suffered from governance deficiencies similar to those of RHC's BSA/AML Program. At the time of the NYDFS initial safety and soundness examination, NYDFS found that RHC had adopted and relied solely on the cybersecurity program of its parent (RHM) and affiliates. While relying on an affiliate's cybersecurity program is not necessarily improper, NYDFS believed the RHM policies and procedures did not adequately address the operations and risks specific to RHC's cryptocurrency business. For example, RHM's procedures allegedly did not require an RHC Chief Information Security Officer to report at least annually to the RHC Board, which is required under Virtual Currency Regulation Section 200.16(d) and Cybersecurity Regulation Section 500.04(b).

NYDFS also claimed that its examination revealed that RHC did not have adequate policies and procedures governing data governance, IT asset control, business continuity planning, systems and network monitoring, physical security, and incident response, among other items. Because of these alleged deficiencies, NYDFS claimed that RHC's policies and procedures did not satisfy Cybersecurity Regulation Sections 500.08 and 500.09(b). According to the NYDFS, for the 2019 period covered in the examination, the company had also not conducted a risk assessment as required by the Cybersecurity Regulation.

The Consent Order also finds that, given the alleged deficiencies in its cybersecurity program, RHC improperly filed its 2019 Certification of Compliance.

The NYDFS claims in the Consent Order that although RHC had adopted new policies and procedures by November 2020 (in response to the ongoing investigation), its new Business Continuity and Disaster Recovery Plan still did not have adequate detail on critical systems and security, internal and external communications, data backup, and training and testing, as the Virtual Currency Regulations require.

NYDFS Settlement Terms

The August 2, 2022 settlement between the NYDFS and RHC includes a civil penalty of $30 million and ongoing oversight by an Independent Consultant, to be appointed by RMC but who will report to the NYDFS. The Independent Consultant must review, report on, and help RMC remedy the following:

  • BSA and AML and transaction monitoring policies and procedures; 
  • Compliance with the Virtual Currency Regulation, the Money Transmitter Regulation, the Cybersecurity Regulation, and the Transaction Monitoring Regulation;
  • Organizational structure, management oversight, and staffing of the compliance function; and
  • Proposed measures to improve BSA/AML compliance and transaction monitoring.

Implications and What Not to Do

The Consent Order provides the industry with a baseline understanding of what constitutes sufficient BSA/AML and cybersecurity compliance and adequate transaction monitoring in respect of the NYDFS regulations, including those applicable to BitLicense holders. The Consent Order underscores the importance of giving the person tasked with implementing a covered entity's cybersecurity program with the authority and resources to effectively comply with NYDFS cybersecurity regulations. Many of the issues raised by NYDFS stemmed from RHC's compliance staffing and reporting structure. For example, NYDFS claimed that RHC's CCO "played no meaningful role in compliance efforts at the entity level" because the CCO did not report to and was not held accountable by appropriate department heads or by RHC's or its parent's board of directors. 

It is clear from the Consent Order that compliance programs require an adequate level of compliance governance, including adapting a company's staffing, policies, and procedures to growth in the size and scope of its business. In addition, as would be expected, companies should only certify compliance to the NYDFS if they have complied with the regulations.

With the NYDFS issuing an increasing number of cryptocurrency-related licenses – more in the first half of 2022 than in all of 2021, according to Superintendent Harris – a close and watchful eye with the threat of enforcement can be expected to be a continuing focus of the NYDFS.

This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright.
© 2022 White & Case LLP

Top