Following an audit conducted between 2019 and 2021, the New York State Department of Financial Services (NYDFS) announced on August 2, 2022 that Robinhood Crypto - a subsidiary of Robinhood licensed to engage in virtual currency and money transmission business activities - will pay a $30 million penalty to New York State for significant failures in the areas of Bank Secrecy Act compliance and cybersecurity.
What were the key issues with Robinhood’s compliance program?
The Consent Order issued by the NYDFS highlighted the following four key deficiencies within Robinhood Crypto (RHC)’s compliance program.
1. BSA/AML and Transaction Monitoring Programs
- Insufficient BSA/AML staff with the appropriate level of skills.
- Absence of an automated transaction monitoring system throughout 2019 and 2020.
- Lack of CCO involvement in the launch and implementation of an automated AML software program in April 2021.
- Poor risk governance over the thresholds used to generate exception reports for crypto-specific transaction monitoring rules, which resulted in a low number of SAR filings.
- Inadequate escalation processes for suspicious activity and repeat SAR filings.
2. Cybersecurity Program
- Insufficient cybersecurity staff with the appropriate level of skills.
- Inadequate cybersecurity policies and procedures.
- Lack of a written Business Continuity and Disaster Recovery Plan and of a notification process to regulators and law enforcement in the event of a cybersecurity incident.
3. Consumer Complaints
- Lack of a dedicated telephone number for customer complaints on RHC’s website.
4. Compliance Governance and Culture
- Inadequate prominence of RHC’s compliance function within RHM’s organizational structure, as evidenced in the lack of participation of the CCO in formal reporting to the Board of Directors and independent audit or risk committees.
Why is NYDFS’s ruling on Robinhood Crypto important?
The agreement with Robinhood was the first enforcement action by NYDFS—which, given New York's status as a financial center, has a significant influence on financial regulation and enforcement—against the cryptocurrency sector. It also comes as its new superintendent, Adrienne A. Harris, seeks to strengthen the regulatory organization's virtual currency staff and offer more direction to the crypto business.
The fine comes amid a difficult year for crypto, which has seen both steep losses that sent some firms into bankruptcy, along with a series of large-scale hacks that resulted in billions of dollars in losses by customers and investors.
What are the key compliance priorities for Crypto companies?
The tale of Robinhood demonstrates the distinctive compliance difficulties faced by rapidly expanding businesses in highly regulated industries.
Rapid expansion entails a heavier regulatory burden, particularly for businesses involved in the bitcoin industry. In this light, the Consent Order has several important takeaways for compliance best practices, particularly for start-ups in periods of rapid growth and for entities regulated by NYDFS generally.
1. Focus on AML and Cybersecurity
The Consent Order reflects the NYDFS's focus on these issues, which is shared by other state and federal agencies and regulators, such as the SEC and DOJ. Companies should make sure they are in compliance with all applicable AML and cybersecurity regulations because regulatory investigations are likely to give these a higher priority.
Specifically, RHC’s tale highlights three critical processes that financial services companies should focus on to minimize their exposure to regulatory scrutiny, namely:
- ensuring that an adequate number of suspicious activity reports (SARs) is submitted;
- adopting a reasonable threshold amount and criteria for transaction monitoring and for issuing exception reports; and
- documenting SAR escalation protocols.
2. Scrutiny of Digital Assets and Virtual Money
Companies like RHC, whose businesses focus on digital assets and virtual money, are being closely watched by regulators. As a result, they should concentrate on compliance with both the existing rules governing financial institutions more generally and the new regulations that are sector-specific, such as New York State’s Virtual Currency Regulation.
3. Adapt Compliance Staffing to Match Overall Growth
The Consent Order serves as a reminder to businesses to expand their compliance departments in line with growth in their businesses and to make sure that compliance leadership possesses the necessary levels of experience and subject matter expertise. This is true even though hiring for operational positions can frequently take precedence when businesses are experiencing rapid growth.
4. Create Automated Compliance Systems
Once they reach a particular level of growth, businesses must move some compliance-related tasks from manual monitoring to automated systems. NYDFS found that during 2019 and 2020, when RHC relied on a manual transaction monitoring program and its overall transaction volume surged by more than 500 percent, RHC lacked sufficient people and resources.
5. Cooperate with Regulatory Inquiries
Although it recognizes that RHC's cooperation with NYDFS's investigation improved over time, the Consent Order highlights RHC’s initial shortcomings in doing so. This provision of the Order emphasizes the significance of acting quickly to cooperate with regulatory inquiries, including by promptly giving regulators the documents they have requested and disclosing any information necessary to comply with reporting obligations.
If necessary, entities should retain outside counsel early in the course of a regulatory inquiry to facilitate such cooperation.
6. Develop an Appropriate Compliance Reporting Structure
NYDFS criticized RHC for its compliance reporting structure because its CCO did not participate in reporting issues to the board of directors and instead reported internally to a business function at RHC rather than to compliance or legal officers at its parent or affiliate. The fact that RHC outsourced its compliance role to its parent and affiliate led NYDFS to identify a weakness in RHC's compliance program.
Regulated entities can take precautions by:
- having their CCO report directly to their CEO and board, and/or to the CCO and general counsel of the parent or affiliate leading compliance efforts; and
- maintaining a strong compliance function within each affiliate or subsidiary, including written policies and procedures that are tailored to each entity's
What Are the Key Implications and Takeaways for Crypto Companies?
In sum, the Consent Order makes clear that compliance programs require a sufficient amount of compliance governance, including adjusting a company's workforce, policies, and processes to growth in the size and breadth of its operation. Furthermore, businesses should only certify compliance to the NYDFS if they have in fact complied with the rules.
In this context, it is useful to recall that the NYDFS issued more licenses linked to cryptocurrencies in the first half of 2022 than it did in the entire year of 2021; as a result, the NYDFS is likely to continue keeping a close watch on the industry and to threaten action where necessary.
The organizations applying for licenses in New York should prepare for regulatory examinations during the first year after receiving their license and should promote cooperation with relevant regulatory authorities.
Why was Robinhood ordered to pay a crypto trading fine?
The NYDFS has stressed that, for years, it has maintained a strict framework of licensing and oversight over crypto enterprises of all kinds, despite the fragmentation and confusion around crypto regulation at the federal level. With this initial consent order, NYDFS appears to be signaling that enforcement will be a significant, and possibly expanding, part of this framework.
Overall, these developments highlight the need for NYDFS-licensed businesses to proactively assess and improve their financial crime and cybersecurity compliance programs. This is especially true for organizations that collaborate with other affiliates to share resources and policies for compliance.
What can your crypto and DeFi fintech do to reduce the risk of non-compliance?
As a specialized outsourced compliance provider, InnReg is well positioned to offer companies operating in the crypto and alternative finance sectors compliance expertise to support the full gamut of compliance requirements, including:
- Compliance policy development and management;
- Compliance facilitation across Federal and State regulatory bodies;
- Monitoring for regulatory changes;
- Risk assessment and quality control;
- Implementation of compliance management workflows tailored to blockchain-based business models; and
- Support for the CCO function and other key stakeholders in establishing an effective compliance governance and risk management framework.