On August 2, 2022, the New York State Department of Financial Services (DFS) entered into a $30 million settlement with Robinhood Crypto LLC (RHC or the Company), a DFS-licensed virtual currency business and money transmitter, for alleged deficiencies with its anti-money laundering compliance program.1 Over the course of six months, DFS conducted an audit of RHS's procedures, leading to the settlement for violations of the Bank Secrecy Act (BSA) and Anti-Money Laundering (AML) rules.

The AML claims made by DFS centered around RHC's alleged failure to maintain an effective BSA/AML program, including an adequate transaction monitoring system commensurate with its growth. The settlement is emblematic of an uptick in regulatory actions in the digital asset space, such as the Securities and Exchange Commission's insider trading action against a former Coinbase manager and related individuals.

This regulatory and enforcement activity serves as a cautionary tale for digital assets firms to be diligent in adhering to federal and state AML rules.

Why This Matters

  • Rapid growth and volatility in the digital asset space, combined with regulatory uncertainty, make it difficult for digital asset firms to know what standards to follow.
  • Regulators have started scrutinizing how digital assets are managed, purchased and sold with recent enforcement actions simultaneously imposing substantial fines but also providing insight into how the space may be regulated in the future.
  • Digital asset companies and their partners should ensure that policies, procedures, and operations are properly scaled, as failure to do so can result in enforcement actions.

Reliance on Affiliates

Throughout DFS's investigation, it found that RHC relied on its affiliates to help comply with AML guidelines. As DFS stated in its consent order, failing to institute an "enterprise wide" AML compliance system is "not inherently violative of DFS requirements."2 However, RHC's reliance was deemed a weakness because neither of the programs it relied upon from Robinhood Markets, Inc. (RHM), its parent, and its affiliate Robinhood Financial, LLC (RHF), was compliant with New York state regulations, according to the DFS.3 The DFS also alleged that these programs failed to address specific risks associated with virtual currency businesses.4

The DFS specifically cited organizational oversights, such as RHC's chief compliance officer (CCO) reporting to its director of product operations "instead of a legal or compliance executive at RHM or RHF."5 The DFS found that RHC lacked access to decision makers such as board members or independent audit or risk committees,6 which allegedly contributed to a series of compounding problems, such as an inability to appropriately staff internal teams.7 In addition to understaffing, the DFS referenced inexperienced employees who lacked appropriate skills or resources to support the Company's compliance programs and manage capable technologies.8

Inadequacy of Technology and Human Capital

During the audit, the DFS found several inadequacies related to the Company's AML compliance policies and procedures. When analyzing the Company's transaction monitoring, a "cornerstone of an effective BSA/AML program," the DFS found that RHC was an anomaly amongst its peers by relying upon a fully manual transaction process and case management system.9 The DFS stated that while a manual AML transaction monitoring system was not per se violative of any regulations, RHC grew to a point where the manual system "was not adequate to support a compliant AML program, particularly in light of the staffing inadequacies."10

Conclusion

The RHC audit and subsequent settlement illustrate the seriousness with which the DFS examines their licensees for BSA/AML compliance and should forewarn New York virtual currency firms and other New York money services business licensees that such compliance must be a top priority. At the very least, virtual currency (and other money services) businesses serving customers in New York should ensure that:

  • internal programs, policies, staffing, and training scale with the growth of the company;
  • if an enterprise-wide compliance system is used, subsidiaries must have access to risk and audit committees, legal or compliance executives, and/or boards;
  • responses to regulatory inquiries need to be timely and adequate; and
  • suggestions of third-party consultants are taken seriously by a licensee.

Footnotes

1. In the Matter of Robinhood Crypto, LLC (N.Y. Dep't. of Fin. Serv., Aug. 1, 2022).

2. Id. para. 30.

3. Id.

4. Id.

5. Id. para. 31-35.

6. Id.

7. Id.

8. Id.

9. Id. para. 39-41.

10. Id.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.