On August 1, Robinhood Crypto, LLC (RHC) entered a consent order with the New York State Department of Financial Services (DFS) requiring RHC to pay a $30 million fine for violating (1) New York’s virtual currency regulatory regime known as the BitLicense, (2) a Supervisory Agreement entered with DFS as a condition of its BitLicense, (3) anti-money laundering (AML) requirements applicable to money transmitters, and (4) other requirements related to transaction monitoring, filtering, and cybersecurity. The consent order, which is DFS’s first enforcement action under the BitLicense regime or against a digital currency business, offers several important takeaways for blockchain companies operating or seeking to operate in the state, including (1) the importance of scaling up compliance processes commensurate with business growth, (2) the risks of relying on compliance programs of affiliated entities, (3) the importance of well-developed reporting lines in compliance programs, and (4) the consequences of filing “improper” certifications under DFS’s transaction monitoring and cybersecurity rules.
Lesson 1: Scale up compliance processes commensurate with business growth
It is critical for fast-growing companies in the blockchain industry to scale up compliance programs commensurate with growth. In the consent order, DFS found that RHC lacked adequate staff or resources throughout 2019 and 2020, a period when alert volumes across the entire Robinhood enterprise increased by more than 500 percent. In particular, DFS found that RHC’s Chief Compliance Officer (CCO) lacked commensurate experience to oversee RHC’s compliance program, was insufficiently involved in the oversight of the launch and implementation of RHC’s automated transaction monitoring system, and had no direct support staff within RHC to assist with management of RHC’s Bank Secrecy Act and Anti-Money Laundering (BSA/AML) program.
The order found that due to RHC’s size, growth, and the volume of transactions that it processed, automated transaction monitoring became necessary to maintain compliance with DFS’s Transaction Monitoring Regulation. However, according to DFS, RHC failed to timely transition its manual transaction monitoring system to an automated system, which caused RHC to experience a significant backlog in processing alerts (i.e., in evaluating potentially suspicious transactions in order to determine whether a Suspicious Activity Report (SAR) should be filed, as mandated under federal and state anti-money laundering laws and regulations). Additionally, DFS found that RHC deployed an extremely high threshold amount for generating exception reports on cryptocurrency transactions, and criticized RHC’s escalation processes for continuing suspicious activity and repeat SAR filings. In sum, according to the order, RHC’s transaction monitoring process was inadequate for its size, customer profiles, and transaction volumes.
Lesson 2: Reliance on affiliated entities’ compliance programs can pose legal risks
DFS found that RHC’s reliance on its parent and affiliates for major aspects of its compliance program “substantially contributed” to RHC’s failure to maintain an effective BSA/AML program and to fully comply with DFS’s Cybersecurity Regulations. DFS noted that the parent’s and affiliate’s programs were not compliant with New York State regulations, and failed to address the particular risks applicable to digital currency businesses.
Reliance on affiliated entities’ compliance programs can pose legal risks, especially where such programs are not adapted to the company’s risk profile and the spectrum of risks it faces. Such risks are exacerbated where the company’s own compliance officer lacks a clear reporting line to the larger organization (see Lesson 3 below).
Lesson 3: Reporting lines are important in ensuring an effective compliance program
DFS found that the lack of a clear reporting line for RHC compliance within the parent entity’s organizational structure exacerbated problems stemming from its reliance on affiliated entities’ compliance programs. Despite RHC’s reliance on its parent and affiliates for its compliance program, RHC’s CCO reported to RHC’s Director of Product Operations, rather than reporting directly to a legal or compliance executive at the parent or affiliate. DFS also found that the RHC CCO did not participate in any formal reporting to the Board of Directors or independent audit or risk committees at the parent or affiliate. As a result, DFS concluded that RHC had a limited role in compliance efforts at the parent entity level, which resulted in an inability to influence staffing and resources, or to timely and adequately adopt measures that would assure full compliance with DFS’s Regulations.
DFS’s focus on reporting lines illustrates that reporting relationships can contribute to compliance successes and failures. Appropriate reporting relationships, and integration of business unit compliance officers into enterprise-wide compliance management and oversight, can be essential to ensuring that each business unit’s compliance program receives adequate resources and attention and is fully integrated into an organization’s daily operations.
In addition, DFS found that RHC’s management failed to adequately develop and maintain an appropriate culture of compliance at RHC. DFS’s emphasis on the role of management in ensuring effective compliance programs mirrors guidance from federal enforcement agencies. Namely, guidance from the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) and the Office of Foreign Assets Control (OFAC) emphasize that senior management should promote a culture of compliance throughout business organizations.
Lesson 4: Filing “improper” certifications under DFS’s transaction monitoring and cybersecurity rules can lead to violations
The enforcement action against RHC illustrates the risk that DFS will penalize companies that file “improper” certifications under DFS’s transaction monitoring and cybersecurity rules. Both certifications must be submitted to DFS on an annual basis. In the RHC enforcement action, RHC filed a certification attesting to compliance with the transaction monitoring rule (often called Rule 504) even though, according to DFS, an RHC affiliate’s Head of AML acknowledged that RHC was not in compliance. Further, DFS found that RHC’s certification attesting to compliance with DFS’s cybersecurity rules was “improper” because RHC failed to meet various requirements under the regulation.
DFS’s first enforcement action against a digital currency business is notable both for what it may portend as well as the compliance lessons that it offers regulated entities, and in particular blockchain companies. For more information on this action or on the BitLicense or New York’s money transmitter regulatory requirements, please contact a member of Steptoe’s International Trade and Regulatory Compliance or Blockchain and Cryptocurrency practices.