New York DFS Slaps Robinhood Crypto With $30 Million Compliance Fine

On August 1, the New York State Department of Financial Services (“NYDFS” or “DFS”) announced a consent order and a $30 million fine against Robinhood Crypto, LLC (“RHC”), the wholly-owned cryptocurrency trading unit of the popular investment app Robinhood Financial LLC. In the Order, NYDFS alleges that RHC failed to comply with NYDFS rules implementing the federal Bank Secrecy Act and state and federal anti-money laundering (“BSA/AML”) requirements, as well as the NYDFS Cybersecurity Regulation. According to a press release issued by the DFS, the investigation revealed “significant deficiencies” in RHC’s BSA/AML compliance program and “critical flaws” in the company’s cybersecurity program.

Compliance Program Insufficiencies

BSA/AML Violations

In the Consent Order, NYDFS asserts that an investigation of RHC’s BSA/AML program revealed a number of deficiencies. Under the NYDFS regulations and federal BSA/AML requirements, organizations must implement and maintain policies and procedures to detect and report suspicious activity and to block transactions prohibited by the US Treasury Department’s Office of Foreign Assets Control (“OFAC”) regulations. DFS alleges that RHC failed to implement adequate policies and procedures to meet these requirements. In particular, DFS alleges that RHC failed to maintain a BSA/AML program “commensurate with the licensee’s risk profile,” noting that RHC continued to rely on a manual internal reporting system even though RHC processed an average of 106,000 transactions, totaling $5.3 million, per day as of September 30, 2019. As a result of the manual reporting system and a lack of staff, NYDFS states that “[RHC’s] AML staff simply couldn’t keep up with transaction alerts, resulting in [a] significant delay” in the processing of alerts. RHC apparently knew that its BSA/AML policies and procedures were inadequate: the company had hired an outside consultant (the “Consultant”) to review its BSA/AML program in December 2019, and during the engagement the Consultant informed RHC that its BSA/AML procedures were of “minimum value.” Nonetheless, RHC’s Chief Compliance Officer certified compliance with the New York Transaction Monitoring Regulation for calendar year 2019.

Cybersecurity Deficiencies

NYDFS also identified insufficiencies in RHC’s cybersecurity program. Among other failings, DFS faulted RHC for over-relying on its parent company’s policies and procedures, which did not fully address RHC’s own operations, risks and reporting lines, or the full requirements of the Cybersecurity Regulation. The DFS investigation further found that RHC: (i) did not employ sufficient cybersecurity personnel to manage its cybersecurity risks and to perform the core functions specified in the Cybersecurity Regulation; (ii) did not have sufficiently detailed policies and procedures to guide its data governance and classification, IT asset management, business continuity and disaster recovery planning, system operations, system and network monitoring, system and application development, risk assessment and incident response activities; and (iii) did not carry out risk assessments that met the requirements of the Cybersecurity Regulation.

In addition to the identified compliance failures, NYDFS questioned RHC’s cooperation and candor during the investigation, noting that RHC failed to disclose investigations conducted by other federal and state regulators, in violation of RHC’s Supervisory Agreement with DFS.

Consent Order Requirements

Under the Consent Order, RHC must pay a $30 million civil monetary penalty to DFS. Notably, the Order prohibits RHC from recovering the cost of the penalty through any insurance policy, indemnity, or tax deduction. RHC must also re-engage its existing Consultant to conduct a comprehensive review of, and assist RHC with enhancements to, its current compliance programs against the requirements of the Cybersecurity Regulation and the BSA/AML rules. Under the new engagement, the Consultant will be required to provide periodic reports to DFS on RHC’s compliance with those regulations.

Key Takeaways

The financial services industry has been subject to strict regulation for many years, and startups are not exempt from these obligations. Innovative organizations in non-traditional industries often face unique compliance challenges (for example, the heightened risk of fraud, money laundering, and illegal activity in the cryptocurrency space, on top of the same cybersecurity challenges faced by traditional financial institutions). Exponential growth is every organization’s dream, but rapid expansion usually also means a heavier compliance burden (and potentially greater regulatory scrutiny). Consequently, organizations must conduct well-thought-out compliance assessments and promptly remediate any identified gaps to ensure they comply with applicable statutory, regulatory and contractual requirements. When conducting such assessments, organizations should consider engaging consultants and other providers through legal counsel, so that assessment findings are privileged and, to the extent possible, protected from production in legal or regulatory investigations. Assessments serve legal purposes as well as information technology and compliance purposes, and conducting them under the supervision of an attorney allows the attorney to provide the organization with legal advice on compliance with applicable laws and regulations.

In addition to existing laws requiring specific cybersecurity controls and assessments, many organizations will soon be required to conduct privacy impact assessments under the upcoming California, Colorado, Connecticut, and Virginia privacy laws. Consequently, companies operating in multiple jurisdictions should establish privacy and security assessment programs to help ensure they meet the requirements set forth by applicable laws and regulations (including the proportionality, data minimization, and retention obligations contained in these laws). Companies must also be aware of applicable industry-specific obligations (such as AML in the financial services industry) and tailor their compliance programs to meet those needs as well. The SPB team has prepared a State Privacy Laws of 2023 Compliance Guide. This free resource provides information on the requirements of each of the current state privacy laws, as well as sample workflows to help your compliance team plan and prepare for the new state privacy laws of 2023.

© Copyright 2022 Squire Patton Boggs (US) LLP. National Law Review, Volume XII, Number 215