Crypto Trading Platform Settles NYDFS Charges for BSA/AML and Cybersecurity Deficiencies

Commentary by Michael A. Kleinman

The cryptocurrency trading company Robinhood Crypto, LLC ("RHC") settled charges by the New York Department of Financial Services ("NYDFS") that it failed to (i) maintain an effective BSA/AML program, (ii) comply with NYDFS cybersecurity regulations and (iii) comply with provisions of a previously issued Supervisory Agreement. RHC is a wholly owned subsidiary of Robinhood Markets, Inc. - a financial services company that allows U.S. retail customers to trade stocks and options through its broker-dealer subsidiary.

As outlined in the Consent Order, NYDFS found that since the inception of its operations in the State of New York, RHC failed to comply fully with New York State regulations, did not address risks specific to cryptocurrency trading, and relied on its parent company to comply with state regulations on its behalf. NYDFS asserted that while reliance on a parent company is not in itself violative conduct, in this instance it led to a significant deficiency in consumer protections. According to NYDFS, RHC played "no meaningful role in compliance efforts at the entity level, resulting in a lack of an ability to influence staffing and resources, or to timely and adequately adopt measures that would assure full compliance with [NYDFS] Regulations."

Additionally, NYDFS determined that RHC's BSA/AML compliance program was not fully compliant with NYDFS regulations. In particular, RHC did not have enough skilled staff to support the program and relied on the parent company's Financial Crimes division, itself understaffed, to flag potential issues. According to NYDFS, this led to a large backlog of unprocessed alerts. NYDFS added that RHC did not maintain any automated AML transaction monitoring, leaving it ill-equipped to handle the large trading volume on the cryptocurrency platform.

NYDFS also found deficiencies with respect to the Department's Cybersecurity Regulation, namely a failure to employ sufficient cybersecurity personnel to manage RHC's cybersecurity risks and perform core cybersecurity functions. Additionally, RHC was found to have filed a certification of cybersecurity compliance when it was in fact not fully compliant with the regulation. NYDFS stated that RHC also failed to provide consumers with an easily accessible method to report issues and complaints.

As a result, NYDFS determined that the company violated 3 NYCRR § 200.15, 3 NYCRR § 200.16, 3 NYCRR § 417.2 ("Anti-money laundering programs"), 23 NYCRR Part 500 (the Cybersecurity Regulation), 23 NYCRR § 500.17(b) ("Notices to superintendent"), 23 NYCRR § 504.3 ("Transaction Monitoring and Filtering Program requirements"), 23 NYCRR § 504.4 ("Annual board resolution or senior officer(s) compliance finding") and Section 44(1)(a) of the New York Banking Law ("Violations; penalties").

NYDFS noted that RHC was not cooperative during the investigation. To settle the charges, RHC agreed to (i) pay a $30,000,000 civil monetary penalty, for which it cannot claim a tax deduction or seek reimbursement, and (ii) retain an independent consultant to conduct a review of all compliance programs.

Commentary


Although the Consent Order and its accompanying press release specifically call out “virtual currency businesses” and “money transmitters,” the alleged violations of the Cybersecurity Regulation (23 NYCRR Part 500) - including shortcomings related to oversight, policies and procedures that failed to track the Part 500 requirements, and an inadequate devotion of cybersecurity personnel commensurate with the company’s rapid growth - would apply equally to all NYDFS licensees, regardless of industry.

While the settlement was long in the works, it should not be lost upon readers that the Consent Order was released within days of NYDFS's publication of proposed material amendments to the Cybersecurity Regulation. The proposed amendments cover increased oversight and reporting procedures, additional revenue-based cyber requirements for large companies and, for many licensees, a requirement to add additional cybersecurity personnel and resources (whether internally or through outsourced arrangements). With this proposal, NYDFS looks to continue taking a leading role in moving the needle forward on increased cybersecurity regulation in the United States.
