Case Involves Familiar But Instructive Regulatory Findings
The New York Department of Financial Services (“NYDFS”) made clear last week that crypto companies can be held accountable for allegedly failing to comply with anti-money laundering (“AML”) / Bank Secrecy Act (“BSA”) regulations. Federal and certain State laws require crypto companies like Robinhood Crypto, LLC (“RHC”) to maintain effective AML programs, and to implement systems to identify suspicious activity and block illegal transactions on their platforms (which we have previously discussed, including here and here). On August 2, 2022, NYDFS announced that it entered a Consent Order penalizing RHC $30 million for alleged AML, cybersecurity and consumer protection violations. RHC also is required to retain an independent consultant to perform compliance assessments evaluating the Company’s remediation efforts.
This enforcement action is entirely consistent with the recent Guidance on Use of Blockchain Analytics issued by the NYDFS, directed to all virtual currency business entities that either have a NYDFS Bitlicense or are chartered as a limited purpose trust company under the New York Banking Law. As we have blogged, the Guidance emphasizes “the importance of blockchain analytics to effective [AML] policies, processes, and procedures, including, for example, those relating to customer due diligence, transaction monitoring, and sanctions screening.”
The Consent Order contains a litany of alleged AML deficiencies, many of which have figured prominently in other enforcement actions. We detail them below. From a BSA/AML perspective, the key focus – not surprisingly – was on the adequacy of RHC’s transaction monitoring systems. Again, the message is: written policies and programs may look great on their face, but actual execution is key. The adequate funding and staffing of compliance functions is also critical.
RHC’s Alleged Compliance Violations
According to its press release, NYDFS conducted a safety and soundness examination of RHC from January 2019 to September 2019, as well as a subsequent enforcement investigation, which revealed alleged failures across RHC’s BSA/AML and cybersecurity programs. This all followed on a Supervisory Agreement dated January 24, 2019, entered into between NYDFS and RHC, which pertained to capital requirements, protection of consumer assets, certain prohibitions on conduct, notice requirements, and an understanding that RHC is subject to NYDFS BSA/AML and transaction monitoring requirements – thereby confirming the general wisdom that regulatory actions often follow on the heels of an institution’s perceived failure to heed prior warnings.
Specifically, NYDFS found that RHC’s BSA/AML compliance program was inadequately staffed; relied on a manual transaction monitoring system inadequate for the company’s size, customer profiles, and transaction volumes; and did not adequately resource its risk prevention programs. NYDFS asserted that RHC’s failures to cultivate a culture of compliance, and to devote sufficient resources to compliance, caused the violations, which were exacerbated by RHC’s rapid growth. Despite these compliance issues, RHC improperly certified that it had complied with NYDFS’s Transaction Monitoring and Cybersecurity regulations in 2019, further violating the law.
The specific violations at issue arose under Part 200 (the “Virtual Currency Regulation”), Part 417 (the “Money Transmitter Regulation”), Part 500 (the “Cybersecurity Regulation”), and Part 504 (the “Transaction Monitoring Regulation”) of the Superintendent’s Regulations. In addition, RHC also allegedly violated consumer protection laws by failing to maintain a phone number on its website to field consumer complaints, and violated certain reporting requirements under the terms of its Supervisory Agreement with NYDFS.
One of the primary structural weaknesses that NYDFS identified in the Consent Order was RHC’s reliance on its (non-crypto) parent company and affiliates for “substantial aspects” of its compliance program. Although such reliance does not inherently violate compliance requirements, it was detrimental to RHC’s BSA/AML compliance programs because the parent and affiliate programs were also not compliant, nor did they address the crypto-specific risks RHC was responsible for mitigating. NYDFS also noted that RHC’s Chief Compliance Officer (“CCO”) allegedly lacked the necessary experience to oversee a compliance program of this scale, and failed to properly implement the automated software program designed to provide the fraud prevention and AML programming necessary to comply with state and federal regulations. NYDFS further stressed that the CCO reported to RHC’s Director of Product Operations, “rather than reporting directly to a legal or compliance executive at the parent or affiliate.” The CCO therefore lacked sufficient prominence in the overall corporate organizational structure. Similarly, the Consent Order repeats the now-familiar allegation in AML enforcement actions that there was inadequate staffing of compliance personnel. These staffing issues were compounded, allegedly, by RHC’s reliance on a manual (vs. automated) system for running its transaction monitoring system, resulting in a backlog of “alerts” requiring review for potential Suspicious Activity Report (SAR) filings. To quantify this finding more concretely, the NYDFS found that a manual system – although “not inherently a violation of DFS’s Transaction Monitoring Regulation” – was “unacceptable for a program that . . . averaged 106,000 transactions daily, totaling $5.3 million.”
The Consent Order also sets forth another familiar story: the hiring by the financial institution of an outside consultant, whose compliance report ultimately becomes a weapon used by the government against the financial institution. Here, RHC’s outside consultant identified in December 2019 RHC’s alleged lack of an automated management software program as a weakness. The fact that an improved AML software program was not implemented until April 2021 was problematic, particularly given the backlog in the review of alerts and SAR filings.
Also: not for the first time, the regulator’s perception of the organization’s response to the case was important to the outcome. Here are two telling paragraphs from the Consent Order, which fairly or not, reflect NYDFS’s view on how the regulated community should react to it:
- RHC’s compliance approach manifested not only substantive failures, but also contributed to a level of cooperation with the [NYDFS] that, at least initially, was less than what is expected of a licensee that enjoys the privilege of conducting business in the State of New York. For example, information provided by RHC was either delayed, insufficient, or both. In several instances, RHC failed to disclose investigations by federal state regulators of an RHC affiliated entity, in violation of reporting obligations governed by RHC’s Supervisory Agreement with the Department.
- RHC also initially claimed during the Examination, erroneously, that [the NYDFS] did not have the authority to examine policies or practices of RHC’s parent and affiliates. RHC further claimed that any weakness in its program were overstated because RHC relied on more robust programs of its parent and affiliate, when in reality such programs were not compliant with various aspects of [the NYDFS’s] laws and regulations.
Other Enforcement Actions Against RHC
This is not the first regulatory action RHC has faced. In 2020, the SEC fined RHC $65 million for misleading its customers about “payment for order flow” (a key source of revenue). Just last week, RHC reported that the SEC was investigating its compliance with a short-selling rule. The same day, RHC also unfortunately announced it would be cutting 23% of its workforce last week as well, in an organizational restructuring move responsive to the crypto market crash.
Compliance Takeaways for Crypto Companies
This enforcement action highlights the fact that CCOs in crypto companies (as well as Fintech start-ups in general) are often asked to wear multiple hats, to build and implement compliance programs with potentially inadequate resources, or to make split-second judgment calls with limited information. This reality, coupled with the evolving nature of the cryptocurrency-related laws and regulations, the typical firehose of customer data needing analysis, and growing federal and state enforcement in the crypto sector, has increased anxiety among crypto CCOs about the potential for personal liability for compliance failures. RHC’s case serves as a reminder to crypto companies that BSA/AML compliance must be a priority and is not the place to cut corners. Adequate transaction monitoring – and related follow-up – is critical to avoiding regulatory ire.