Robinhood's crypto unit (RHC) has been slapped with a $30 million fine by the New York State Department of Financial Services (NYDFS) for "significant" anti-money laundering, cybersecurity and consumer protection violations.
Despite self-reporting compliance with the rules, an NYDFS investigation uncovered a litany of failures at the brokerage, as it struggled to keep pace with customer demand for crypto services.
Among other things, the regulator found that RHC’s BSA/AML program was inadequately staffed; failed to timely transition from a manual transaction monitoring system that was inadequate for RHC’s size, customer profiles, and transaction volumes; and did not devote sufficient resources to address risks specific to the business.
Similarly, the Department found critical failures in RHC’s cybersecurity programme, which failed to fully address RHC’s operational risks and included policies that were in violation of the Department's rules.
The watchdog has blamed the deficiencies on "significant shortcomings in the management and oversight of RHC’s compliance programmes, including a failure to foster and maintain an adequate culture of compliance". The Department also discovered that adequate resources were not devoted to RHC’s compliance programmes, particularly as it grew.
Finally, RHC failed to comply with certain consumer protection requirements by not maintaining a distinct, dedicated phone number on its website for the receipt of consumer complaints.
“As its business grew, Robinhood Crypto failed to invest the proper resources and attention to develop and maintain a culture of compliance — a failure that resulted in significant violations of the Department’s anti-money laundering and cybersecurity regulations,” says Superintendent Adrienne Harris. “All virtual currency companies licensed in New York State are subject to the same anti-money laundering, consumer protection, and cybersecurity regulations as traditional financial services companies. DFS will continue to investigate and take action when any licensee violates the law or the Department’s regulations, which are critical to protecting consumers and ensuring the safety and soundness of the institutions.”
Under the settlement, in addition to payment of a $30 million penalty, RHC will be required to retain an independent consultant that will perform an ongoing evaluation of regulatory compliance and remediation efforts by the firm.