Robinhood Crypto (RHC) has been ordered to pay a $30 million penalty for “significant deficiencies” in its Bank Secrecy Act/anti-money laundering (BSA/AML) compliance program and for cybersecurity violations, said the New York Department of Financial Services.
NYDFS discovered RHC’s compliance deficiencies following a supervisory examination and a subsequent investigation. In its consent order, the NYDFS stressed that “RHC’s overall approach to its compliance obligations substantially contributed to such [BSA/AML and cybersecurity] deficiencies.”
Starting in May 2019, when RHC commenced operations of its regulated business activity in New York and at least throughout 2020 (the time period relevant to this Consent Order), “RHC was not fully compliant with New York State regulations and failed to address some of the particular risks associated with operating a cryptocurrency trading platform,” the agency stated.
It added, “RHC was reliant on its parent and affiliates for substantial aspects of its compliance program. Although such reliance is not inherently violative of DFS requirements, in this case, such reliance proved to be a weakness because the programs of the parent (RHM) and affiliate (RHF) were not compliant with New York State regulations, and they failed to address all the particular risks applicable to licensed virtual currency businesses.”
BSA/AML compliance failures
According to the NYDFS, RHC’s BSA/AML compliance program was “inadequately staffed; failed to timely transition from a manual transaction monitoring system that was inadequate for RHC’s size, customer profiles, and transaction volumes; and did not devote sufficient resources to adequately address risks specific to RHC.”
NYDFS said it similarly found “critical failures in RHC’s cybersecurity program,” including that the program “did not fully address RHC’s operational risks, and specific policies within the program were not in full compliance with several provisions of the Department’s Cybersecurity and Virtual Currency Regulations.
According to NYDFS, such deficiencies resulted from “significant shortcomings in the management and oversight of RHC’s compliance programs, including a failure to foster and maintain an adequate culture of compliance. The Department also discovered that adequate resources were not devoted to RHC’s compliance programs, particularly as it grew, which exacerbated these issues.”
Moreover, RHC improperly certified compliance with the Department’s Transaction Monitoring Regulation and Cybersecurity Regulation. Under those regulations, companies should only be certifying to DFS if their programs are fully compliant with the applicable regulation. “In light of the program’s deficiencies, RHC’s 2019 certifications to the Department attesting to compliance with these Regulations should not have been made and, thus, violated the law,” the agency stated.
The agency also said RHC “failed to comply with certain consumer protection requirements by not maintaining a distinct, dedicated phone number on its website for the receipt of consumer complaints.” It also violated certain reporting requirements pursuant to its bespoke Supervisory Agreement with the Department.
According to NYDFS, Robinhood violated the Department’s Virtual Currency Regulation (23 NYCRR Part 200), Money Transmitter Regulation (3 NYCRR Part 417), Transaction Monitoring Regulation (23 NYCRR Part 504), and Cybersecurity Regulation (23 NYCRR Part 500).
Under the terms of the settlement, in addition to the penalty, RHC also must retain an independent consultant that will perform a “comprehensive evaluation” of the firm’s compliance with the Department’s Regulations and its remediation efforts of identified deficiencies and violations.
Other enforcement actions
This is the third enforcement action against Robinhood that required the hiring of an independent consultant for compliance failures. In December 2020, the Securities and Exchange Commission fined Robinhood Financial $65 million “for repeated misstatements that failed to disclose the firm’s receipt of payments from trading firms for routing customer orders to them” and for “failing to satisfy its duty to seek the best reasonably available terms to execute customer orders.”
In June 2021, the Financial Industry Regulatory Authority (FINRA) fined Robinhood Financial a record $70 million for negligently communicating false and misleading information to its customers concerning a “variety of critical issues, including whether customers could place trades on margin, how much cash was in customers’ accounts, how much buying power or “negative buying power” customers had, the risk of loss customers faced in certain options transactions, and whether customers faced margin calls,” FINRA stated.
Robinhood Financial further “failed to exercise due diligence before approving customers to place options trades,” the agency said. 
Jaclyn Jaeger is a contributing editor at Compliance Chief 360° and a freelance business writer based in Manchester, New Hampshire.