On August 1, the New York State Department of Financial Services (“NYDFS” or “DFS”) announced a Consent Order and $30 million fine against Robinhood Crypto, LLC (“RHC”), the wholly-owned cryptocurrency trading unit of the popular investing app by Robinhood Financial LLC. In the Order, NYDFS alleges RHC failed to comply with NYDFS rules pertaining to the federal Bank Secrecy Act and state and federal anti-money laundering rules (“BSA/AML”) and the NYDFS Cybersecurity Regulations. According to a Press Release issued by the DFS, the investigation revealed “significant deficiencies” in RHC’s BSA/AML compliance program and “critical failures” with the company’s cybersecurity program.
Compliance Program Inadequacies
In the Consent Order, NYDFS asserts that an investigation into RHC’s BSA/AML program revealed a number of deficiencies. Under NYDFS and federal BSA/AML regulations, organizations must implement and maintain policies and procedures to detect and report suspicious activity and block transactions prohibited by the U.S. Treasury Department’s Office of Financial Asset Control Regulations. However, the DFS alleges that RHC failed to implement adequate policies and procedures to meet these requirements. In particular, the DFS alleges that RHC failed to maintain a BSA/AML program “commensurate with the risk profile of the licensee,” noting that RHC continued to rely on a manual internal reporting system notwithstanding the fact that RHC processed an average of 106,000 transactions, totaling $5.3 million per day as of September 30, 2019. As a result of the manual reporting system and inadequate staffing, the NYDFS claims “that [RHC’s] AML staff simply could not keep up with the transaction alerts, resulting in [a] significant backlog” of processing alerts. RHC was apparently aware that its BSA/AML policies and procedures were inadequate, due to the fact that the company had hired a third-party consultant (the “Consultant”) to review its BSA/AML program in December 2019. During the engagement, the Consultant reported to RHC that its BSA/AML procedures were of “minimal value”. Even so, RHC’s Chief Compliance Officer certified to compliance with the New York Transaction Monitoring Regulation for calendar year 2019.
The NYDFS also identified inadequacies in the RHC cybersecurity program. Among other failures, the DFS faulted RHC for RHC’s overreliance on its parent company’s policies and procedures, which did not fully address RHC’s operations, risks, and reporting lines, or the full requirements of the Cybersecurity Regulations. Among other shortcomings, the DFS investigation determined that RHC: (i) employed insufficient cybersecurity personnel to manage its cybersecurity risks and to perform core functions specified in the Cybersecurity Regulation; (ii) had insufficiently detailed policies and procedures to guide its data governance and classification, IT asset management, business continuity and disaster recovery planning, systems operations, systems and network monitoring, systems and application development, risk assessment, and incident response activities; and (iii) failed to conduct risk assessments satisfying the requirements of the Cybersecurity Regulation.
In addition to the compliance failures identified, NYDFS took issue with RHC’s cooperation and candor in the investigation, noting that RHC failed to disclose investigations by federal and state regulators, in violation of RHC’s DFS Supervisory Agreement.
Consent Order Requirements
Under the Consent Order, RHC must pay a $30 million civil monetary penalty to DFS. Notably, the Order forbids RHC from recouping the cost of the penalty via any insurance policy, indemnification, or tax deduction. RHC must also re-engage its existing Consultant to conduct a comprehensive review of and assist RHC with improvements to RHC’s current compliance programs against the requirements of the BSA/AML and Cybersecurity Regulations. Under the new engagement, the Consultant will be obligated to provide regular reports to DFS regarding the RHC’s compliance with the Regulations.
The financial services industry has been subject to strict regulation for many years, and startups are not exempt from these obligations. Innovative organizations in nontraditional industries often face unique compliance challenges (for example, heightened risk of fraud, money laundering, and illegal activity in the cryptocurrency space, coupled with similar cybersecurity challenges faced by traditional financial institutions). Exponential growth is the dream of every organization, but rapid expansion often also entails increased compliance burden (and, potentially, regulatory scrutiny). Accordingly, organizations must engage in thoughtful compliance assessments and swift remediation of any gaps identified to ensure that they are meeting applicable legal, regulatory, and contractual requirements. When conducting such assessments, organizations should consider engaging consultants and other vendors via legal counsel, to shield the assessment findings with privilege and prevent their later production in court or regulatory investigations, to the extent possible. Assessments serve legal as well as compliance and information technology purposes, and conducting such assessments under the supervision of counsel enables counsel to provide the organization with legal advice regarding compliance with applicable laws and regulations.
In addition to existing laws requiring specific cybersecurity controls and assessments, many organizations will soon be required to conduct privacy impact assessments under the forthcoming California, Colorado, Connecticut, and Virginia privacy laws. Accordingly, businesses operating in multiple jurisdictions should establish a privacy and security assessment programs to help ensure they are meeting the requirements established under applicable laws and regulations (including the proportionality, data minimization, and retention obligations these laws contain). Additionally, companies should be mindful of applicable industry-specific obligations (like AML in the financial services industry), and tailor their compliance programs to meet those needs, as well. Team SPB has prepared a 2023 State Privacy Law Compliance Guide. This free resource offers information regarding the requirements of each of the current operative state privacy laws as well as sample workstreams to assist your compliance team with planning and preparing for the new 2023 state privacy laws.