Long recognized for its work guiding clients in various industries through their most significant regulatory and enforcement challenges, Paul, Weiss is at the forefront in helping financial institutions, fintech companies, investors, media and entertainment clients and technology companies navigate the new world of cryptocurrency and blockchain technology. Our multi-disciplinary team helps clients capitalize on the business opportunities, identify the challenges and mitigate the emerging legal risks of digital assets.
NY DFS Announces First Crypto Enforcement Action Against Robinhood Crypto for AML and Cybersecurity Compliance Deficiencies
August 9, 2022 Download PDF
On August 2, 2022, the New York Department of Financial Services (“DFS”) announced a $30 million consent order (the “Order”) against Robinhood Crypto, LLC (“Robinhood Crypto”), a wholly owned subsidiary of Robinhood Markets Incorporated (“RHM”), which offers cryptocurrency trading.[1] This marks DFS’s first enforcement action against a crypto company. When announcing the consent order, Superintendent Adrienne Harris said that DFS would continue to take action when virtual currency companies licensed by DFS violate DFS’s anti-money laundering and cybersecurity regulations.[2]
DFS found, among other things, that Robinhood Crypto (i) failed to maintain a compliant anti-money laundering (“AML”) program as required by New York’s Virtual Current Regulation and as part of Robinhood Crypto’s registration with DFS as a money transmitter; (ii) violated DFS’s Part 504 regulation by failing to maintain an appropriate transaction monitoring system and submitting an “improper” certification of compliance; and (iii) violated DFS’s Part 500 regulation by failing to maintain a compliant cybersecurity program and submitting an “improper” certification of compliance.[3]
In addition to the monetary penalty, Robinhood Crypto is required to maintain an independent consultant for an 18-month term that will report to DFS and conduct a comprehensive review of Robinhood Crypto’s compliance programs.[4] DFS launched its investigation into Robinhood Crypto following a finding of “serious deficiencies” during a safety and soundness examination that began in 2020.[5]
Key takeaways from the Order are:
- Crypto Companies Should Ensure That Their Compliance Programs Are Proportionate to Their Size and Scope. DFS found that Robinhood Crypto lacked adequate staff or resources throughout 2019 and 2020, during which it used a manual transactions monitoring program and its transaction volume across the enterprise increased by more than 500 percent.[6] DFS stated that the use of the manual transaction monitoring system was not a per se violation, but that Robinhood Crypto should have transitioned to an automated system because it averaged 106,000 daily transactions for a total of $5.3 million per day.[7] DFS pointed specifically to a “substantial backlog” in process alerts, including those used for evaluating potentially suspicious transactions to determine whether a suspicious activity report (“SAR”) should be filed.[8] Additionally, DFS found that Robinhood Crypto “employed an extremely high and arbitrary threshold amount”—specifically, a cumulative transaction volume of $250,000 over a six-month period—to generate exception reports; as a result of that threshold amount, Robinhood Crypto only filed two SARs during the time period for the 2019 examination.[9] As such, DFS found that Robinhood Crypto did not devote sufficient funding or resources to grow the compliance program as the user base increased.
- DFS Also Focuses on Compliance Leadership and Culture of Compliance. DFS found that Robinhood Crypto’s leadership—specifically, its Chief Compliance Officer (“CCO”)—lacked “commensurate experience to oversee a compliance program such as [Robinhood Crypto’s], particularly as it grew” and was “insufficiently involved in the oversight of the launch and implementation of [Robinhood Crypto’s] automated software program. . . that was designed to enhance [Robinhood Crypto’s] compliance program.”[10] DFS found that the overall culture of compliance and oversight of compliance was lacking, which DFS stated was evidenced through its reliance on the compliance programs of RHM and Robinhood Financial, LLC (“RHF”), a broker-dealer subsidiary of RHM.[11] As described in more detail below, DFS found that the organizational structure of RHM resulted in Robinhood Crypto playing “no meaningful role in compliance efforts at the entity level, resulting in a lack of an ability to influence staffing and resources, or to timely and adequately adopt measures that would assure compliance with [DFS’] Regulations.”[12]
- Companies Should Be Cautious When Relying on Parent or Group-Wide Compliance Systems. DFS took issue with the fact that Robinhood Crypto substantially relied on the compliance programs of its parent and affiliate, while noting that such reliance is not inherently problematic. [13] According to the consent order, Robinhood Crypto relied on RHM and RHF for its AML compliance, its fraud detection, and its cybersecurity program despite the fact that the compliance programs at RHM and RHF were also “not compliant with New York State regulations” and did not “address all the particular risks applicable to licensed virtual currency business.”[14] Further, DFS noted that Robinhood Crypto’s CCO reported to Robinhood Crypto’s Director of Product Operations instead of RHM and RHF’s Board of Directors, independent auditors, or risk committees, or anyone who oversaw the compliance programs at RHM and RHF—which DFS suggested would be more appropriate in this context since Robinhood Crypto was relying on the compliance programs of RHM and RHF.[15]
- This Was DFS’s First Citation of a Violation of Part 504. To our knowledge, this was DFS’s first citation of a violation of its Part 504 AML/sanctions regulation in a public enforcement action.[16] In addition to finding that Robinhood Crypto’s transaction monitoring system did not satisfy one of the substantive requirements of Part 504, DFS also found that the company’s certification of compliance with Part 504 for calendar year 2019 was “improper” because it was filed despite the deficiencies in its transaction monitoring and, as noted by DFS, acknowledgement by RHF’s Head of Anti-Money Laundering that Robinhood Crypto was not in compliance with Part 504.[17] This perhaps indicates DFS’s greater willingness to cite Part 504 violations in the future. All DFS-regulated companies subject to Part 504 should consider reviewing and, where needed, bolstering their internal procedures for complying with Part 504, including its certification requirement.
In the context of the fragmentation and uncertainty at the federal level with respect to crypto regulation, the DFS has emphasized that, for years, it has provided a rigorous framework of licensing and regulation over crypto companies of various kinds. With this first consent order, it appears that DFS is signaling that enforcement will be an important, and perhaps growing, feature of this framework. Crypto companies should consider taking this opportunity to evaluate and, where needed, enhance their financial crimes and cybersecurity compliance programs.
* * *
[1] N.Y. Dep’t of Fin. Services, In the Matter of Robinhood Crypto, LLC (Aug. 2, 2022), available here (hereinafter, the “DFS Order”); N.Y. Dep’t of Fin. Services, DFS Superintendent Harris Announces $300 Million Penalty on Robinhood Crypto for Significant Anti-Money Laundering, Cybersecurity & Consumer Protection Violations (Aug. 2, 2022), available here (hereinafter, the “DFS Press Release”).
[2] N.Y. Dep’t of Fin. Services, DFS Superintendent Harris Announces $300 Million Penalty on Robinhood Crypto for Significant Anti-Money Laundering, Cybersecurity & Consumer Protection Violations (Aug. 2, 2022), available here.
[3] DFS Order, supra note 1.
[4] Id.
[5] Id.
[6] Id. at ¶ 38.
[7] Id. at ¶ 41.
[8] DFS Order, supra note 1, at ¶ 37.
[9] Id. at ¶ 45.
[10] Id. at ¶ 36.
[11] DFS Press Release, supra note 1.
[12] DFS Order, supra note 1, at ¶ 31.
[13] Id. at ¶ 6
[14] Id.
[15] Id. at ¶ 31.
[16] In DFS’s Industrial Bank of Korea consent order, the DFS noted that IBK’s Part 504 certification was inappropriate, but Part 504 was not among the legal violations cited by the order. See Paul, Weiss, Industrial Bank of Korea Reaches $86 Million AML Resolution with DOJ, NY Attorney General, and NY DFS (Apr. 24, 2020), available here. By contrast, DFS has cited violation of the Part 500 cybersecurity rule, including inappropriate certifications of compliance with that rule, in several prior enforcement actions. See Paul, Weiss, New York DFS Files First Enforcement Action Alleging Violations of Cybersecurity Regulation (July 30, 2020), available here.
[17] DFS Order, supra note 1, at ¶ 48.