On August 2, 2022, the New York State Department of Financial Services (DFS) announced a consent order with Robinhood Crypto (RHC), the virtual currency trading platform of mobile trading application provider Robinhood Markets, finding that RHC had failed to maintain anti-money laundering (AML) and cybersecurity compliance programs. RHC agreed to a $30 million fine and an 18-month review by an independent compliance consultant who will report to DFS. Through this enforcement action, DFS has made it clear that it expects virtual currency companies, like traditional financial institutions, to invest in compliance programs to ensure they are commensurate with the risks and volume of their business, particularly for financial crime compliance and cybersecurity.
The RHC Order is the first major cryptocurrency-related enforcement action by DFS. This aligns with DFS’s increased focus on the industry over the past year. Among other things, DFS issued more virtual currency-related licenses in the first half of 2022 than in 2021, announced plans to triple its virtual currency team, and was the first financial regulator in the country to issue guidance on stablecoins.
The principal terms of the RHC consent order were negotiated in the summer of 2021 and first disclosed in Robinhood’s S-1 filing dated July 1, 2021, in which it estimated at least $15 million in fines. This estimate was increased a few weeks later to $30 million when Robinhood went public. Unlike other regulators, DFS typically provides factual details in its consent orders, giving the industry insight into key issues leading to enforcement action. Supervised entities have long been encouraged to review past consent orders for guidance and learning. The RHC Consent Order is part of this tradition. Notably, key findings and themes are similar to the content of DFS’ historic consent orders: (1) failure to maintain a culture of compliance, including insufficient staff and resources, and a lack of stature for the compliance function; (2) failure to implement an effective AML program, particularly with respect to transaction monitoring; and (3) lack of cooperation and transparency with regulators. Additionally, the RHC order is the latest in a series of actions focused on cybersecurity regulation compliance and improper certifications under Part 500.
Lack of compliance culture
The central finding of the consent order is that RHC failed to develop an appropriate compliance culture and its compliance department lacked stature within the organization. DFS found that RHC played no meaningful role in entity-level compliance efforts and instead relied on its parent and affiliate entities. For example, the RHC CCO had no direct support staff and depended on the parent entity team, which itself was understaffed, particularly as the RHC business grew. DFS also found that the “lack of emphasis on RHC compliance within” its parent company’s organizational structure “exacerbated” its compliance issues. DFS noted that the CCO reported to the director of product operations, rather than a legal or compliance officer from the parent organization, and was not involved in any formal reporting to the board or audit or risk management committees.

Karen R. King and Alexander M. Levine are partners at Morvillo Abramowitz Grand Iason & Anello. This article, “Familiar themes in DFS’s first enforcement action against virtual currency firm,” is dated August 17, 2022 (www.NYLJ.com).
These themes echo findings that appear in several consent orders against traditional financial institutions. Earlier this year, DFS’s consent order against the National Bank of Pakistan revealed that the New York branch had failed to adequately staff compliance units and promote a culture of compliance, and that lack of oversight enabled “problems to persist year after year”. Similarly, in its 2020 consent order against Goldman Sachs, DFS noted that a subsidiary “relied extensively” on its parent company’s due diligence and review of Malaysian bond transactions at the heart of 1MDB, exposing the entity to “undue financial and reputational risk”. In a 2016 consent order against Mega International Commercial Bank of Taiwan, DFS criticized the New York branch’s compliance structure because compliance and operational functions were confused and there was inadequate reporting from the head office compliance environment. In the same year, DFS discovered that Agricultural Bank of China had failed to provide the New York branch CCO with sufficient independence and prevented it from assuming important compliance responsibilities. In 2017, DFS found that the compliance department of the New York branch of NongHyup Bank was under-resourced, understaffed, and at one point was headed by a compliance officer who did not have an adequate understanding of BSA/AML concepts.
Failure to create an effective AML program
Another major issue identified in the RHC Consent Order was the failure to establish an effective AML program in violation of the Virtual Currency Regulations. Among other things, RHC lacked risk-based policies and procedures and did not have an automated transaction monitoring system until April 2021. As of October 2020, RHC had a backlog of over 4,300 suspicious transaction alerts. Additionally, RHC had been told by an outside consultant that its manual transaction review process had “minimal value” and should be quickly upgraded to an automated system, but RHC did not resolve the issue quickly. Finally, DFS found that RHC “did not have enough BSA/AML staff with the appropriate skill level to support its BSA/AML compliance program” and that RHC’s CCO “lacks the experience to oversee a compliance program such as that of RHC, especially as it has grown.” Based largely on these failures, DFS concluded that RHC’s Part 504 certification attesting to compliance with the Transaction Monitoring Regulation for the calendar year 2019 was inappropriate.
Most DFS enforcement actions against traditional financial institutions include findings on deficiencies in AML compliance programs, particularly with respect to transaction monitoring systems. Most similar to RHC is a 2020 consent order against the Industrial Bank of Korea in which DFS identified serious delays in the New York branch’s implementation of an automated transaction surveillance system. The continued reliance on manual review of suspicious activity at the branch resulted in significant backlogs and an inability to detect patterns of inappropriate transactions. Similarly, in its 2017 consent order against NongHyup Bank, DFS found that the New York branch failed to establish an effective transaction monitoring protocol and failed to promptly review all suspicious activity alerts.
Lack of cooperation and transparency with regulators
DFS also faulted RHC for not fully cooperating with its investigation, for providing information “either delayed or insufficient, or both” and, in several cases, for not disclosing the investigations carried out by federal and state regulators of an RHC-affiliated entity. According to the consent order, RHC initially resisted DFS’s review, erroneously asserting that DFS had no authority to review the policies or practices of RHC’s parent or affiliated entities.
DFS’s request for cooperation from regulated entities is a common refrain in its enforcement actions. DFS has gone out of its way to commend some financial institutions for their level of cooperation, including National Bank of Pakistan, Societe Generale, NongHyup Bank, Industrial Bank of Korea, and Mashreq Bank. In contrast, DFS specifically noted that RHC’s cooperation “at least initially, fell short of what is expected of a licensee who enjoys the privilege of doing business in New York State.” Similar language appeared in DFS’s consent order against Bank Hapoalim, which was criticized for not immediately cooperating with the investigation and narrowly interpreting a DFS subpoena.
Gaps in RHC’s Cybersecurity Program
As with its AML program, RHC relied on its parent entity’s information systems and had no employees dedicated to cybersecurity, despite its “meteoric growth”. Although DFS did not dispute that RHC relied on the policies and procedures of its parent entity, it found that these policies did not adequately address RHC’s operations and risks, and were not fully compliant with DFS cybersecurity regulations. DFS also criticized RHC’s failure to devote more resources to its cybersecurity program or develop its risk assessment policies sooner. For example, a year after receiving its license, RHC still did not have a business continuity and disaster recovery plan. Also, once implemented, the plan was not detailed enough. Based on these failures, DFS concluded that RHC’s Part 500 certification attesting to compliance with cybersecurity regulations for calendar year 2019 was inappropriate.
DFS’s finding of a violation of cybersecurity regulations and improper certification of compliance is a continuation of DFS’s recent actions on this issue. In 2020, DFS filed its first cybersecurity settlement action against First American Insurance Company, which was charged with false certification under Part 500, among other violations. In 2021, DFS entered into consent orders with three other companies based on improper certification.
The RHC action underscores DFS’s expectation that virtual currency companies will invest in their compliance programs as they grow, and will develop and maintain effective AML and cybersecurity programs that follow the risk profile of the business. Regulated firms in nascent industries are cautioned to learn from the experiences of other financial institutions and ensure that risk-based compliance programs and transparent regulatory engagement are priorities that go hand-in-hand with business growth.