Robinhood’s crypto unit (RHC) was recently slapped with a $30 million fine by the New York State Department of Financial Services for considerable cyber security, anti-money laundering, and consumer protection violations.
Despite self-reporting compliance with the rules and regulations, an NYDFS investigation discovered a litany of failures at the brokerage, as it kept struggling to keep pace with client demand for cryptocurrency services.
Among many other things, the watchdog found that RHC’s BSA/AML program was inefficiently staffed; failed to promptly transition from a manual transaction monitoring platform that was insufficient for RHC’s size, transaction volumes, and customer profiles; and never devoted sufficient resources to address most of the risks that affect the specific business.
In that context, the Department discovered serious failures in RHC’s cybersecurity program, which failed to wholly address RHC’s operational risks and included policies that were mostly in violation of State Department rules.
The regulator blamed the deficiencies on:
“Significant shortcomings in the management and oversight of RHC’s compliance programmes, including a failure to foster and maintain an adequate culture of compliance”.
The Department also noted that enough resources were not devoted to RHC’s compliance programs, mainly as it grew. In the end, RHC failed to comply with some consumer protection requirements by not maintaining a unique, dedicated phone number on its website for receiving consumer complaints.
Superintendent Adrienne Harris stated:
“As its business grew, Robinhood Crypto failed to invest the proper resources and attention to develop and maintain a culture of compliance — a failure that resulted in significant violations of the Department’s anti-money laundering and cybersecurity regulations.”
“All virtual currency companies licensed in New York State are subject to the same anti-money laundering, consumer protection, and cybersecurity regulations as traditional financial services companies. DFS will continue to investigate and take action when any licensee violates the law or the Department’s regulations, which are critical to protecting consumers and ensuring the safety and soundness of the institutions.”
Under this settlement, together with the payment of a $30 million penalty, RHC will be needed to retain an independent consultant that will conduct a continuous evaluation of regulatory compliance and remediation efforts by the company.