On August 1, 2022, the New York State Department of Financial Services ("DFS" or "Department") issued a Consent Order, imposing a $30 million fine on Robinhood Crypto, LLC ("Robinhood"), a trading platform that allows customers to trade in cryptocurrency, for allegedly failing to comply with New York anti-money laundering ("AML") and cybersecurity regulations. In addition to the monetary penalty, Robinhood must retain an independent consultant to perform an 18-month "comprehensive review" to evaluate Robinhood's remediation efforts with respect to the identified compliance deficiencies. The case marks DFS's first enforcement action in the cryptocurrency sector.

Key Takeaways

  • Licensed virtual currency businesses in New York should be prepared for DFS's annual certification obligations and its safety and soundness examinations by being ready to demonstrate how their compliance programs meet the standards set forth in DFS regulations, particularly the Virtual Currency Regulation,1 the Money Transmitter Regulation,2 the Cybersecurity Regulation,3 and the Transactions Monitoring Regulation.4
  • DFS safety and soundness examinations that identify "serious deficiencies" may prompt DFS to launch an enforcement investigation related to the identified deficiencies.
  • DFS will closely examine whether virtual currency businesses are allocating adequate resources to their compliance programs, particularly with regard to the size and pace of a company's growth.

DFS's Regulation of Virtual Currency Business Activity

DFS is the primary regulator of financial services in New York State, licensing and overseeing financial institutions within the state. In June 2015, DFS issued Part 200 of the Regulations of the Superintendent of Financial Services (the "Virtual Currency Regulation") under the New York Financial Services Law.5 To engage in "virtual currency business activity" in New York, DFS requires entities to either apply for a "BitLicense" or for a charter under the New York Banking Law - for example, as a New York state limited purpose trust company - with authorization to conduct virtual currency business activities.

The Virtual Currency Regulation requires that DFS-regulated virtual currency entities establish an effective AML program.6 DFS regulations similarly require licensed money transmitters to establish, implement, and maintain an effective AML compliance program. In addition to the Virtual Currency Regulation, DFS's Cybersecurity Regulation7 requires licensees, including virtual currency businesses and money transmitters, to create and maintain a cybersecurity program designed to protect the confidentiality, integrity, and availability of information systems.

DFS's Investigation into Robinhood

In 2019, DFS approved Robinhood's applications for a virtual currency license and a money transmitter license.8 In 2020, DFS conducted a safety and soundness examination of Robinhood. According to the Consent Order, following the safety and soundness examination, DFS "began an enforcement investigation into the various compliance failures identified by the [e]xamination" and ultimately found that Robinhood failed to fully meet its legal obligations in two areas: (a) to maintain an effective Bank Secrecy Act and anti-money laundering ("BSA/AML") program, including an adequate transaction monitoring system, commensurate with its growth; and (b) to fully comply with DFS's Cybersecurity Regulation.

According to the Consent Order, among other things, DFS found that Robinhood inappropriately relied on its affiliate for management of Robinhood's BSA/AML program; did not structure the BSA/AML program to allow its chief compliance officer to formally report to Robinhood's directors or its audit or risk committees; did not have sufficient BSA/AML staff with the appropriate level of skills to support its BSA/AML compliance program, particularly given the size and pace of Robinhood's growth; did not have any automated AML transaction monitoring and case management system in place at the time of the safety and soundness examination, and did not timely transition its manual system to an automated transaction monitoring system; had a significant backlog in processing alerts of potentially suspicious transactions; and "employed an extremely high and arbitrary threshold amount to generate exception reports" for crypto-specific transaction monitoring rules.

According to the Consent Order, Robinhood also failed to employ adequate cybersecurity personnel to oversee its compliance with the Cybersecurity Regulation, despite the company's "tremendous growth." The Consent Order further alleges that Robinhood failed to establish sufficient policies and procedures in a variety of areas required by the Cybersecurity Regulation.

Based on these alleged violations, DFS further found that certifications that Robinhood filed attesting to its compliance with each of the Cybersecurity and Transactions Monitoring Regulations were improper. DFS also found that Robinhood was in violation of the Virtual Currency Regulation for failure to provide a telephone number to receive customer complaints on its website.

The Settlement and Consent Order

Robinhood first publicly disclosed the investigation and settlement with DFS a year ago in paperwork filed with the Securities and Exchange Commission.9 Under the Consent Order, Robinhood must pay a civil monetary penalty of $30 million. The Consent Order also requires Robinhood to engage an independent consultant for a term of 18 months to review, report on, and assist Robinhood in its efforts to remedy the compliance deficiencies identified by DFS.

"We have made significant progress building industry-leading legal, compliance, and cybersecurity programs, and will continue to prioritize this work to best serve our customers," Robinhood's associate general counsel of litigation and regulatory enforcement, Cheryl Crumpton, said in a recent statement.10 "We remain proud to offer a more accessible, lower-cost platform to buy and sell crypto and are excited to continue to grow our business in a responsible manner with new products and services that our customers want."11

Conclusion

The settlement with Robinhood is the first cryptocurrency-sector enforcement action by DFS. To avoid becoming the subject of a similar action, cryptocurrency businesses licensed in New York should establish a working relationship with DFS and be prepared to demonstrate their compliance with DFS regulations. As the cryptocurrency industry continues to grow, crypto businesses should take steps to make sure that their compliance programs are growing at the same pace as their business. As DFS Superintendent Adrienne A. Harris has stated: "DFS will continue to investigate and take action when any licensee violates the law or the Department's regulations, which are critical to protecting consumers and ensuring the safety and soundness of the institutions."12

Footnotes

1. 23 NYCRR Part 200.

2. 3 NYCRR Part 417.

3. 23 NYCRR Part 500.

4. 23 NYCRR Part 504.

5. 23 NYCRR Part 200.

6. 23 NYCRR § 200.15 (b), (d).

7. 23 NYCRR Part 500.

8. Press Release, DFS Continues to Advance Responsible Innovation in New York's FinTech Industry (Jan. 24, 2019), https://www.dfs.ny.gov/reports_and_publications/press_releases/pr1901241.

9. Robinhood Markets, Inc., Registration Statement (Form S-1) (July 1, 2021).

10. Mengqi Sun, Robinhood's Crypto Unit Fined $30 Million by New York's Top Financial Regulator, Wall St. J. (Aug. 2, 2022, 9:59 a.m.), https://www.wsj.com/articles/robinhoods-crypto-unit-fined-30-million-by-new-yorks-top-financial-regulator-11659445200?mod=business_minor_pos5.

11. Id.

12. Press Release, DFS Superintendent Harris Announces $30 Million Penalty on Robinhood Crypto for Significant Anti-Money Laundering, Cybersecurity & Consumer Protection Violations (Aug. 2, 2022), https://www.dfs.ny.gov/reports_and_publications/press_releases/pr202208021.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.