New York Financial Regulator Brings First AML and Cybersecurity Enforcement Action against Licensed Crypto Trading Entity
In what is the New York Department of Financial Services’ (NYDFS) first enforcement action against a NYDFS-licensed “virtual currency business,” on August 1, 2022, the agency announced a $30 million settlement with cryptocurrency investing platform Robinhood Crypto, LLC (“RHC”). The settlement addressed charges stemming from what the NYDFS cited as various deficiencies during 2019-20 in RHC’s Bank Secrecy Act (BSA) and anti-money laundering (AML) program and in RHC’s compliance with its cybersecurity obligations under the agency’s Virtual Currency “BitLicense” regulation (23 NYCRR Part 200) and Cybersecurity Regulation (23 NYCRR Part 500), among other things.
NYDFS has been active in crypto regulation for many years. In 2015, New York was the first state to promulgate a comprehensive framework for regulating virtual currency-related businesses. The keystones of the BitLicense regulations are consumer protection, anti-money laundering compliance and cybersecurity rules that are intended to place appropriate “guardrails” around the industry while allowing innovation. In addition, NYDFS’s Cybersecurity Regulation went into effect in March 2017 and generally requires all covered entities, including licensed virtual currency businesses, to establish and maintain a cybersecurity program designed to protect the confidentiality, integrity, and availability of its information systems. Licensed virtual currency companies are subject to the same AML and cybersecurity regulations as traditional financial services companies.
In 2019 the NYDFS granted RHC’s application for a BitLicense. The BitLicense, along with a New York state money transmitter license also granted at the time, authorized Robinhood Crypto to offer services for buying, selling and storing various cryptocurrencies to New York residents. Overall, NYDFS stated that after conducting a supervisory examination and investigation, it found that RHC had “shortcomings in the company’s management and oversight of its compliance programs” and that inadequate staffing and resources were devoted to BSA/AML, transaction monitoring and cybersecurity compliance commensurate with its growth. As such, the agency found that RHC’s programs did not fully address RHC’s operational risks, particularly those associated with operating a cryptocurrency trading platform, and that specific policies within the program were not in full compliance with NYDFS’s Cybersecurity and Virtual Currency Regulations. Under the settlement, beyond the $30 million penalty, RHC will be required to retain an independent consultant to perform a comprehensive evaluation of RHC’s remediation and compliance efforts.
This is an active summer at NYDFS for crypto developments. The RHC settlement follows on the heels of last month’s release of stablecoin guidance meant to set foundational criteria for USD-backed stablecoins issued by DFS-regulated entities on the issues of redeemability, asset reserves and attestations about such reserves.
Jonathan Mollod also contributed to this article.