On August 1, the New York State Department of Financial Services (“NYDFS” or “DFS”) announced a consent order and a $30 million fine against Robinhood Crypto, LLC (“RHC”), the wholly-owned cryptocurrency trading unit of the popular investment app Robinhood Financial LLC. In the Order, NYDFS alleges that RHC failed to comply with NYDFS rules implementing the federal Bank Secrecy Act and state and federal anti-money laundering (“BSA/AML”) requirements, as well as the NYDFS Cybersecurity Regulations. According to a press release issued by DFS, the investigation revealed “significant deficiencies” in RHC’s BSA/AML compliance program and “critical flaws” in the company’s cybersecurity program.
Compliance Program Insufficiencies
In the Consent Order, NYDFS asserts that an investigation of RHC’s BSA/AML program revealed a number of deficiencies. Under the NYDFS and federal BSA/AML regulations, organizations must implement and maintain policies and procedures to detect and report suspicious activity and to block transactions prohibited by the regulations of the US Treasury Department’s Office of Foreign Assets Control. DFS alleges that RHC failed to implement adequate policies and procedures to meet these requirements. In particular, DFS alleges that RHC failed to maintain a BSA/AML program “commensurate with the licensee’s risk profile,” noting that RHC continued to rely on a manual internal reporting system even though RHC processed an average of 106,000 transactions, totaling $5.3 million, per day as of September 30, 2019. As a result of the manual reporting system and a lack of staff, NYDFS states that “[RHC’s] AML staff simply couldn’t keep up with transaction alerts, resulting in [a] significant delay” in the processing of alerts. RHC was apparently aware that its BSA/AML policies and procedures were inadequate, since the company had hired an outside consultant (the “Consultant”) to review its BSA/AML program in December 2019. During the engagement, the Consultant informed RHC that its BSA/AML procedures were of “minimum value.” Still, RHC’s Chief Compliance Officer certified compliance with the New York Transaction Monitoring Regulation for calendar year 2019.
NYDFS also identified insufficiencies in RHC’s cybersecurity program. Among other failings, DFS faulted RHC for its over-reliance on its parent company’s policies and procedures, which did not fully address RHC’s operations, risks and reporting lines, or the full requirements of the Cybersecurity Regulations. The DFS investigation also found that RHC: (i) did not employ sufficient cybersecurity personnel to manage its cybersecurity risks and to perform the core functions specified in the Cybersecurity Regulations; (ii) did not have sufficiently detailed policies and procedures to guide its data governance and classification, IT asset management, business continuity and disaster recovery planning, system operations, system and network monitoring, system and application development, risk assessment, and incident response activities; and (iii) did not carry out risk assessments that met the requirements of the Cybersecurity Regulations.
In addition to the identified compliance failures, NYDFS questioned RHC’s cooperation and candor in the investigation, noting that RHC failed to disclose investigations conducted by federal and state regulators, in violation of RHC’s DFS Oversight Agreement.
Consent Order Requirements
Under the Consent Order, RHC must pay a $30 million civil money penalty to DFS. Notably, the Order prohibits RHC from recovering the cost of the penalty through any insurance policy, indemnity, or tax deduction. RHC must also re-engage its existing Consultant to conduct a comprehensive review and to assist RHC with enhancements to its current compliance programs measured against the requirements of the Cybersecurity Regulations and the BSA/AML rules. Under the new engagement, the Consultant will be required to provide periodic reports to DFS on RHC’s compliance with those regulations.
The financial services industry has been subject to strict regulation for many years, and startups are not exempt from these obligations. Innovative organizations in non-traditional industries often face unique compliance challenges (for example, heightened risk of fraud, money laundering, and illegal activity in the cryptocurrency space, along with cybersecurity challenges similar to those faced by traditional financial institutions). Exponential growth is every organization’s dream, but rapid expansion often also brings a higher compliance burden (and potentially greater regulatory scrutiny). Consequently, organizations must engage in well-thought-out compliance assessments and promptly remediate any identified gaps to ensure they are in compliance with applicable statutory, regulatory and contractual requirements. When conducting such assessments, organizations should consider engaging consultants and other providers through legal counsel, so that assessment findings are privileged and, to the extent possible, protected from production in legal or regulatory investigations. Assessments serve legal as well as information technology and compliance purposes, and conducting them under the supervision of an attorney allows the attorney to provide the organization with legal advice on compliance with applicable laws and regulations.
© Copyright 2022 Squire Patton Boggs (US) LLP. National Law Review, Volume XII, Number 215.