
August 11, 2022

Crypto Compliance Matters: NYDFS Fines Robinhood $30M for Alleged AML, Cybersecurity, and Consumer Protection Violations


Key Takeaways

  • This is not the first regulatory action RHC has faced. In 2020, the SEC fined RHC $65 million for misleading its customers about “payment for order flow” (a key source of revenue).

Case Involves Familiar But Instructive Regulatory Findings

The New York Department of Financial Services ("NYDFS") made clear last week that crypto companies can be held accountable for allegedly failing to comply with anti-money laundering ("AML") / Bank Secrecy Act ("BSA") regulations.  Federal and certain State laws require crypto companies like Robinhood Crypto, LLC ("RHC") to maintain effective AML programs, and to implement systems to identify suspicious activity and block illegal transactions on their platforms (which we have previously discussed, including here and here).  On August 2, 2022, NYDFS announced that it entered a Consent Order penalizing RHC $30 million for alleged AML, cybersecurity and consumer protection violations.  RHC also is required to retain an independent consultant to perform compliance assessments evaluating the Company's remediation efforts. 

This enforcement action is entirely consistent with the recent Guidance on Use of Blockchain Analytics issued by the NYDFS, directed to all virtual currency business entities that either have a NYDFS Bitlicense or are chartered as a limited purpose trust company under the New York Banking Law.  As we have blogged, the Guidance emphasizes "the importance of blockchain analytics to effective [AML] policies, processes, and procedures, including, for example, those relating to customer due diligence, transaction monitoring, and sanctions screening."

The Consent Order contains a litany of alleged AML deficiencies, many of which have figured prominently in other enforcement actions.  We detail them below.  From a BSA/AML perspective, the key focus - not surprisingly - was on the adequacy of RHC's transaction monitoring systems.  Again, the message is:  written policies and programs may look great on their face, but actual execution is key.  The adequate funding and staffing of compliance functions is also critical.

RHC's Alleged Compliance Violations

According to its press release, NYDFS conducted a safety and soundness examination of RHC from January 2019 to September 2019, as well as a subsequent enforcement investigation, which revealed alleged failures across RHC's BSA/AML and cybersecurity programs.  This all followed on a Supervisory Agreement dated January 24, 2019, entered into between NYDFS and RHC, which pertained to capital requirements, protection of consumer assets, certain prohibitions on conduct, notice requirements, and an understanding that RHC is subject to NYDFS BSA/AML and transaction monitoring requirements - thereby confirming the general wisdom that regulatory actions often follow on the heels of an institution's perceived failure to heed prior warnings.

Specifically, NYDFS found that RHC's BSA/AML compliance program was inadequately staffed; relied on a manual transaction monitoring system inadequate for the company's size, customer profiles, and transaction volumes; and did not adequately resource its risk prevention programs.  NYDFS asserted that RHC's failures to cultivate a culture of compliance, and to devote sufficient resources to compliance, caused the violations, which were exacerbated by RHC's rapid growth.  Despite these compliance issues, RHC improperly certified that it had complied with NYDFS's Transaction Monitoring and Cybersecurity regulations in 2019, further violating the law.

The specific violations at issue arose under Part 200 (the "Virtual Currency Regulation"), Part 417 (the "Money Transmitter Regulation"), Part 500 (the "Cybersecurity Regulation"), and Part 504 (the "Transaction Monitoring Regulation") of the Superintendent's Regulations.  In addition, RHC also allegedly violated consumer protection laws by failing to maintain a phone number on its website to field consumer complaints, and violated certain reporting requirements under the terms of its Supervisory Agreement with NYDFS.

One of the primary structural weaknesses that NYDFS identified in the Consent Order was RHC's reliance on its (non-crypto) parent company and affiliates for "substantial aspects" of its compliance program.  Although such reliance does not inherently violate compliance requirements, it was detrimental to RHC's BSA/AML compliance programs because the parent and affiliate programs were also not compliant, nor did they address the crypto-specific risks RHC was responsible for mitigating.  NYDFS also noted that RHC's Chief Compliance Officer ("CCO") allegedly lacked the necessary experience to oversee a compliance program of this scale, and failed to properly implement the automated software program designed to provide the fraud prevention and AML programming necessary to comply with state and federal regulations.  NYDFS further stressed that the CCO reported to RHC's Director of Product Operations, "rather than reporting directly to a legal or compliance executive at the parent or affiliate."  The CCO therefore lacked sufficient prominence in the overall corporate organizational structure.  Similarly, the Consent Order repeats the now-familiar allegation in AML enforcement actions that there was inadequate staffing of compliance personnel.  These staffing issues were compounded, allegedly, by RHC's reliance on a manual (vs. automated) system for running its transaction monitoring system, resulting in a backlog of "alerts" requiring review for potential Suspicious Activity Report (SAR) filings.  To quantify this finding more concretely, the NYDFS found that a manual system - although "not inherently a violation of DFS's Transaction Monitoring Regulation" - was "unacceptable for a program that . . . averaged 106,000 transactions daily, totaling $5.3 million."

The Consent Order also sets forth another familiar story:  the hiring by the financial institution of an outside consultant, whose compliance report ultimately becomes a weapon used by the government against the financial institution.  Here, RHC's outside consultant identified in December 2019 RHC's alleged lack of an automated management software program as a weakness.  The fact that an improved AML software program was not implemented until April 2021 was problematic, particularly given the backlog in the review of alerts and SAR filings.

Also: not for the first time, the regulator's perception of the organization's response to the case was important to the outcome.  Here are two telling paragraphs from the Consent Order, which fairly or not, reflect NYDFS's view on how the regulated community should react to it:

  • RHC's compliance approach manifested not only substantive failures, but also contributed to a level of cooperation with the [NYDFS] that, at least initially, was less than what is expected of a licensee that enjoys the privilege of conducting business in the State of New York.  For example, information provided by RHC was either delayed, insufficient, or both.  In several instances, RHC failed to disclose investigations by federal state regulators of an RHC affiliated entity, in violation of reporting obligations governed by RHC's Supervisory Agreement with the Department.
  • RHC also initially claimed during the Examination, erroneously, that [the NYDFS] did not have the authority to examine policies or practices of RHC's parent and affiliates.  RHC further claimed that any weakness in its program were overstated because RHC relied on more robust programs of its parent and affiliate, when in reality such programs were not compliant with various aspects of [the NYDFS's] laws and regulations.

Other Enforcement Actions Against RHC

This is not the first regulatory action RHC has faced.  In 2020, the SEC fined RHC $65 million for misleading its customers about "payment for order flow" (a key source of revenue).  Just last week, RHC reported that the SEC was investigating its compliance with a short-selling rule.  The same day, RHC also unfortunately announced that it would be cutting 23% of its workforce, in an organizational restructuring move responsive to the crypto market crash.

Compliance Takeaways for Crypto Companies

This enforcement action highlights the fact that CCOs in crypto companies (as well as Fintech start-ups in general) are often asked to wear multiple hats, to build and implement compliance programs with potentially inadequate resources, or to make split-second judgment calls with limited information.  This reality, coupled with the evolving nature of the cryptocurrency-related laws and regulations, the typical firehose of customer data needing analysis, and growing federal and state enforcement in the crypto sector, has increased anxiety among crypto CCOs about the potential for personal liability for compliance failures.  RHC's case serves as a reminder to crypto companies that BSA/AML compliance must be a priority and is not the place to cut corners.  Adequate transaction monitoring - and related follow-up - is critical to avoiding regulatory ire.
