Robinhood Crypto fined $30M by NYDFS for Bank Secrecy / AML issues
The New York Department of Financial Services (NYDFS) has announced that Robinhood Crypto, LLC (“RHC”) will pay a $30 million penalty to New York State for significant failures in the areas of Bank Secrecy Act/anti-money laundering (“BSA/AML”) obligations and cybersecurity.
In addition to the penalty, RHC – the crypto unit of Robinhood (NASDAQ:HOOD) – will also be required, as part of the settlement, to retain an independent consultant that will perform a comprehensive evaluation of RHC’s compliance with the Department’s Regulations and RHC’s remediation efforts with respect to the identified deficiencies and violations.
Superintendent of Financial Services Adrienne A. Harris said:
“As its business grew, Robinhood Crypto failed to invest the proper resources and attention to develop and maintain a culture of compliance—a failure that resulted in significant violations of the Department’s anti-money laundering and cybersecurity regulations. All virtual currency companies licensed in New York State are subject to the same anti-money laundering, consumer protection, and cybersecurity regulations as traditional financial services companies. DFS will continue to investigate and take action when any licensee violates the law or the Department’s regulations, which are critical to protecting consumers and ensuring the safety and soundness of the institutions.”
The Department found, following a supervisory examination and a subsequent enforcement investigation, that RHC’s BSA/AML compliance program, including its transaction monitoring system, had significant deficiencies. Among other things, RHC’s BSA/AML program was inadequately staffed; failed to timely transition from a manual transaction monitoring system that was inadequate for RHC’s size, customer profiles, and transaction volumes; and did not devote sufficient resources to adequately address risks specific to RHC.
Similarly, the Department found critical failures in RHC’s cybersecurity program. The program did not fully address RHC’s operational risks, and specific policies within the program were not in full compliance with several provisions of the Department’s Cybersecurity and Virtual Currency Regulations.
All of these deficiencies resulted from what the Department found were significant shortcomings in the management and oversight of RHC’s compliance programs, including a failure to foster and maintain an adequate culture of compliance. The Department also discovered that adequate resources were not devoted to RHC’s compliance programs, particularly as it grew, which exacerbated these issues.
Despite these weaknesses in its transaction monitoring and cybersecurity programs, RHC improperly certified compliance with the Department’s Transaction Monitoring Regulation and Cybersecurity Regulation. Pursuant to those regulations, companies should only be certifying to DFS if their programs are fully compliant with the applicable regulation. In light of the program’s deficiencies, RHC’s 2019 certifications to the Department attesting to compliance with these Regulations should not have been made and thus violated the law.
Finally, RHC failed to comply with certain consumer protection requirements by not maintaining a distinct, dedicated phone number on its website for the receipt of consumer complaints. RHC also violated certain reporting requirements pursuant to its bespoke Supervisory Agreement with the Department.
Under the settlement reached today, in addition to payment of a $30 million penalty, RHC will be required to retain an independent consultant that will perform a comprehensive evaluation of RHC’s compliance with the Department’s Regulations and RHC’s remediation efforts with respect to the identified deficiencies and violations.
A copy of the consent order regarding Robinhood Crypto can be found here (pdf).