On August 1, 2022, Robinhood Crypto LLC (“RHC”) entered into a Consent Order with the New York Department of Financial Services (“DFS”) based on “serious deficiencies” related to anti-money laundering (“AML”), cybersecurity, and virtual currency that were identified in DFS’s examination of RHC covering the period from January to September 2019.[1] RHC is a cryptocurrency trading platform that is licensed by DFS to engage in virtual currency business in New York. RHC is a wholly-owned subsidiary of Robinhood Markets, Inc. (“RHM”), which runs a popular commission-free stock and option trading platform through its broker-dealer subsidiary, Robinhood Financial, LLC (“RHF”). DFS found that during a period of rapid growth for RHC’s business in 2019, RHC “failed to invest the proper resources and attention to develop and maintain a culture of compliance—a failure that resulted in significant violations of [DFS’s] anti-money laundering and cybersecurity regulations.”[2] The Consent Order requires RHC to pay a $30 million civil penalty and hire an independent consultant for eighteen months to review and report on RHC’s efforts to improve its compliance programs. The settlement has important lessons for regulated entities on what regulators expect an “appropriate culture of compliance” to look like, particularly as companies scale up the size and complexity of their operations.[3]
The Consent Order
The Consent Order highlights “deficiencies in RHC’s compliance function across multiple areas” related to AML, cybersecurity, and virtual currency.[4] In the Consent Order, DHS first pointed to RHC’s “overall approach” to its compliance obligations, observing that RHC relied on its parent and affiliates for substantial aspects of its compliance program.[5] Although such an approach is not “inherently violative” of DFS’s requirements, the Consent Order notes that it was problematic here because RHM and RHF’s compliance programs were themselves insufficient for RHC’s needs as a licensed virtual currency business.[6]
Relatedly, DFS pointed to the “lack of prominence for RHC compliance within RHM’s organizational structure”—specifically, the agency stressed that RHC’s Chief Compliance Officer reported to RHC’s Director of Product Operations rather than directly to a legal or compliance executive at RHM or RHF, and was not involved in any organized reporting to the board of directors.[7] As a result, RHC “played no meaningful role in compliance efforts at the entity level.”[8] DFS also found that RHC’s cooperation efforts were, “at least initially, . . . less than what is expected of a licensee that enjoys the privilege of conducting business in the State of New York.”[9] In DFS’s view, information provided by RHC to DFS was “delayed, insufficient, or both,” and RHC “erroneously” challenged DFS’s authority to examine its parent and affiliates, despite its position that it could rely on their compliance policies and practices.[10] DFS found that RHC’s level of cooperation reflected on its overall “compliance approach.”[11] Finally, DFS found that RHC’s CCO “lacked commensurate experience to oversee a compliance program such as RHC’s.”[12]
Anti-Money Laundering
DFS found that RHC lacked sufficiently skilled AML staff given the pace of RHC’s growth. Indeed, RHC’s CCO had no direct support staff, but instead relied exclusively on RHF for management of RHC’s AML program. RHF’s staff was unable to keep up with the pace of RHC’s business, resulting in a backlog of 4,378 alerts identifying potentially suspicious transactions at RHM in 2020. Given the magnitude of RHC’s trading operation—with an average of 106,000 daily transactions as of September 2019—DFS also found that it was unacceptable that RHC conducted all of its transaction monitoring manually and did not have any automated AML transaction monitoring system in place. DFS additionally determined that RHC’s AML program was deficient because its escalation processes for suspicious activity were inadequate and because its threshold amount for generating exception reports ($250,000) was too high, leading to RHC filing only two suspicious activity reports during the period of the examination in 2019.
Cybersecurity
DFS similarly found that RHC improperly relied wholly on RHM’s cybersecurity program. The Consent Order states that while RHC was “within its right” to rely on RHM’s compliance procedures, this reliance did not promote adequate accountability for cybersecurity compliance in light of RHC’s rapid growth and because RHM’s policies and procedures were not tailored to RHC’s operations.[13] DFS also highlighted other weaknesses, including a lack of dedicated cybersecurity personnel at RHC, RHC’s failure to conduct a risk assessment for its cybersecurity policies, its failure to maintain a disaster recovery and continuity of operations plan, and an incident response plan that did not include a process for notifying regulators or law enforcement in the event of a cybersecurity incident.
Virtual Currency Regulation
Finally, the Consent Order identified that RHC did not provide a telephone number for the receipt of customer complaints on its website, in violation of DFS’s Virtual Currency Regulation.
Overall Findings
As a result of the above, DFS found that RHC: (i) failed to maintain an effective and compliant AML program, in violation of 3 NYCRR § 200.15 and 3 NYCRR § 417.2; (ii) failed to comply with its obligations to maintain an effective transaction monitoring program, in violation of 23 NYCRR § 504.3; (iii) filed an improper Certification of Compliance for 2019 because its transaction monitoring program did not meet all the requirements of the Transaction Monitoring Regulation, in violation of 23 NYCRR § 504.4; (iv) failed to maintain a compliant cybersecurity program in violation of 3 NYCRR § 200.16 and 23 NYCRR § 500; (v) filed an improper Certification of Compliance for 2019 because its cybersecurity program did not meet all the requirements of the Cybersecurity Regulation, in violation of 23 NYCRR § 500.17(b); and (vi) failed to comply with the Supervisory Agreement between RHC and DFS in violation of Section 44(1)(a) of the New York Banking Law.[14]
As a result, RHC was ordered to pay a civil monetary penalty of $30 million, and to retain an independent consultant for 18 months to monitor RHC, assist the company with improving its compliance performance, and report findings to DFS.
Key Takeaways
The Consent Order has several important takeaways for compliance best practices, particularly for start-ups in periods of rapid growth and for entities regulated by DFS generally.
- Focus on AML and Cybersecurity: The Consent Order reflects a focus by DFS—shared by other state and federal agencies and regulators, including the SEC and DOJ—on issues involving AML and cybersecurity. Companies should ensure that they are in compliance with all applicable AML and cybersecurity requirements, as these are likely to be prioritized in regulatory inquiries.
- Scrutiny on Digital Assets and Virtual Currency: Regulators including DFS, the SEC, and the CFTC are paying particularly close attention to companies such as RHC whose businesses focus on digital assets and virtual currency. Companies in this sector should focus not only on compliance with new sector-specific regulation, such as New York State’s Virtual Currency Regulation, but also on established regulations governing financial institutions more broadly.
- Develop a Proper Reporting Structure for Compliance, and Do Not Over-Rely on Parent/Affiliate Company Compliance Functions: DFS faulted RHC for its compliance reporting structure, as its CCO reported internally to a business function within RHC rather than to compliance or legal officers at its parent or affiliate, and was not involved in reporting issues to the board of directors. DFS also identified a weakness in RHC’s compliance program based on its largely outsourcing its compliance function to its parent and affiliate, whose policies and procedures were not well tailored for RHC. Regulated entities can take steps to avoid encountering similar issues with DFS if they: (i) have their CCO report directly to their CEO and board, and/or to the CCO and general counsel of the parent or affiliate leading compliance efforts; and (ii) maintain a robust compliance function within each affiliate or subsidiary, including written policies and procedures that are tailored to each entity’s business and are adapted as the entity’s business changes in scope or scale or as new risks are identified.
- Adapt Compliance Staffing to Match Overall Growth: While hiring for operational positions can often take priority when companies are in periods of rapid growth, the Consent Order offers a reminder to companies to grow their compliance departments to mirror growth in their businesses, and to ensure that compliance leadership includes proper levels of experience and subject matter expertise.
- Develop Automated Compliance Systems: The Consent Order similarly suggests that at a certain level of growth, companies must transition certain compliance functions from manually monitored to automated. This guidance is particularly important for companies that monitor high volumes of transactions for AML purposes, as well as those that process large amounts of customer data.
- Cooperate with Regulatory Inquiries: The Consent Order criticizes RHC for its initial deficiencies in cooperating with DFS’s inquiry, although it notes that RHC’s cooperation became more robust over time. This aspect of the Order highlights the importance of taking immediate action to cooperate with regulatory inquiries, including by timely providing regulators with requested documents, disclosing any information required by reporting obligations, and, where appropriate, retaining outside counsel early in the course of a regulatory inquiry to facilitate such cooperation.
[1] Robinhood Crypto, LLC, Consent Order, Dep’t Fin. Serv. (Aug. 1, 2022) https://www.dfs.ny.gov/system/files/documents/2022/08/ea20220801_robinhood.pdf (the “Consent Order”).
[2] Press Release, New York Department of Financial Services, https://www.dfs.ny.gov/reports_and_publications/press_releases/pr202208021.
[3] Consent Order, p. 2.
[4] Id.
[5] Id. ¶ 30.
[6] Id.
[7] Id. ¶ 31.
[8] Id.
[9] Id. ¶ 32.
[10] Id. ¶ 32, 33.
[11] Id. ¶ 32.
[12] Id. ¶ 36.
[13] Id. ¶ 52.
[14] While the Consent Order provides no detail, it does allege that RHC violated the Supervisory Agreement it entered into with DFS in connection with its virtual currency license by failing to report to DFS actual or threatened government enforcement proceedings against RHC or its affiliates and by failing to report the receipt of a subpoena from a government agency by RHC or its affiliates.