On August 1, 2022, the New York State Department of Financial Services (“DFS” or the “Department”) issued a consent order imposing a $30 million fine on Robinhood Crypto, LLC (“Robinhood”), a trading platform that allows customers to trade in cryptocurrency, for alleged non-compliance with New York’s Anti-Money Laundering (“AML”) and cybersecurity regulations. In addition to the monetary penalty, Robinhood must hire an independent consultant to conduct an 18-month “comprehensive review” to assess Robinhood’s remediation efforts regarding identified compliance gaps. The case marks DFS’s first enforcement action in the cryptocurrency sector.
- Licensed virtual currency businesses in New York must prepare for DFS’s annual certification obligations and its safety and soundness reviews by being ready to demonstrate how their compliance programs meet the standards set forth in DFS regulations, particularly the Virtual Currency Regulation, the money transfer regulation, the Cyber Security Regulation, and the Transaction Monitoring Regulation.
- DFS safety and soundness reviews that identify “serious deficiencies” may prompt DFS to initiate an enforcement investigation related to the identified deficiencies.
- DFS will scrutinize whether virtual currency businesses are allocating adequate resources to their compliance programs, particularly in relation to the company’s size and growth rate.
The DFS Regulation of Virtual Currency Business Activity
DFS is New York State’s primary financial services regulator, which licenses and supervises financial institutions in the state. In June 2015, DFS issued Part 200 of the Financial Services Commissioner’s Regulations (the “Virtual Currency Regulations”) under the New York Financial Services Act. In order to engage in a “virtual currency business” in New York, DFS requires entities to either apply for a “BitLicense” or to be chartered under the New York Banking Law – for example, as a New York State limited trust company – authorized to conduct virtual currency business activities.
The Virtual Currency Regulation requires virtual currency entities regulated by DFS to establish an effective AML program. The DFS rules similarly require licensed money transmitters to establish, implement and maintain an effective AML compliance program. In addition to the Virtual Currency Regulation, the DFS Cyber Security Regulation requires licensees, including virtual currency businesses and money transmitters, to establish and maintain a cybersecurity program designed to protect the confidentiality, integrity, and availability of information systems.
The DFS investigation into Robinhood
In 2019, DFS approved Robinhood’s applications for a virtual currency license and a money transmission license. In 2020, DFS conducted a safety and soundness review of Robinhood. According to the consent order, following that review, DFS “initiated an enforcement investigation of the various nonconformities identified by [the] review” and ultimately found that Robinhood did not fully meet its legal obligations in two areas: (a) to maintain an effective Bank Secrecy Act and Anti-Money Laundering (“BSA/AML”) program, including an adequate system to monitor transactions commensurate with its growth; and (b) to fully comply with the DFS Cyber Security Regulation.
According to the consent order, DFS found, among other things, that Robinhood improperly relied on its affiliate to manage Robinhood’s BSA/AML program; had not structured the BSA/AML program to allow its Chief Compliance Officer to report formally to Robinhood’s directors or its audit or risk committees; did not have sufficient BSA/AML personnel of the appropriate skill level to support its BSA/AML compliance program, particularly given Robinhood’s size and growth rate; did not have an automated anti-money laundering transaction monitoring and case management system in place at the time of the safety and soundness review and did not timely transition its manual system to an automated transaction monitoring system; had a significant lag in processing signals of potentially suspicious transactions; and “uses an extremely high and arbitrary threshold amount to generate exception reports” for crypto-specific transaction monitoring rules.
According to the consent order, Robinhood also failed to hire adequate cybersecurity staff to oversee compliance with the Cybersecurity Regulation despite the company’s “enormous growth.” The consent order also alleged that Robinhood failed to establish sufficient policies and procedures in various areas required by the Cybersecurity Regulation.
Based on these alleged violations, DFS further determined that the certifications that Robinhood had submitted attesting to its compliance with each of the cybersecurity and transaction monitoring regulations were incorrect. The DFS also found that Robinhood was in breach of the Virtual Currency Regulation by failing to provide a telephone number to receive customer complaints on its website.
The Agreement and Consent Order
Robinhood first publicly disclosed the investigation and settlement with DFS a year ago in filings with the Securities and Exchange Commission. According to the consent order, Robinhood must pay a civil monetary penalty of $30 million. The consent order also requires Robinhood to engage an independent consultant for a period of 18 months to review, report and assist Robinhood in its efforts to address the compliance deficiencies identified by DFS.
“We have made significant progress in building industry-leading legal, compliance and cybersecurity programs, and we will continue to prioritize this work to best serve our clients,” Robinhood’s associate general counsel for litigation disputes and regulatory enforcement, Cheryl Crumpton, said in a recent statement. “We continue to be proud to offer a more accessible, lower-cost platform for buying and selling crypto, and we’re excited to continue growing our business responsibly with new products and services that our customers want.”
The settlement with Robinhood is the first enforcement action in the cryptocurrency sector by DFS. To avoid being subject to such action, cryptocurrency businesses licensed in New York must establish a working relationship with DFS and be prepared to demonstrate compliance with DFS regulations. As the cryptocurrency industry continues to grow, crypto businesses must take steps to ensure that their compliance programs grow at the same pace as their business. As DFS Superintendent Adrienne A. Harris stated: “DFS will continue to investigate and take action when any licensee violates the law or Department regulations that are critical to protecting consumers and ensuring the safety and soundness of institutions.”