News

New York’s Department of Financial Services, or DFS, fined Robinhood Markets’ cryptocurrency wing $30 million for “significant violations” of anti-money laundering and cybersecurity rules, marking the state’s first penalty against a virtual asset services provider.

Robinhood Crypto, which holds licenses to operate as both a money transmitter and a cryptocurrency business in New York, runs an online platform through which customers can buy cryptocurrency on various exchanges with U.S. dollars from their accounts at its sister company, Robinhood Financial, a broker-dealer.

“As its business grew, Robinhood Crypto failed to invest the proper resources and attention to develop and maintain a culture of compliance,” DFS Supervisor Adrienne Haris said in a statement. Under a consent order finalized Monday and disclosed Tuesday, the company must also retain an independent consultant to monitor its progress.

Robinhood Crypto, or RHC, initially claimed that DFS lacked authority to examine practices of its parent and affiliates and failed to report investigations of affiliated entities as required, according to the consent order, which followed the regulator’s examination of the company from January through September 2019.

A sharp drop in the value of Bitcoin and other cryptocurrencies has left the industry with less resources to spend on compliance and other non-revenue generating tasks, said Jason Scharfman, head of compliance, cryptocurrency and risk products at Corgentum Consulting in New York.

“There was a lot of belt tightening,” Scharfman said. “They’ve already squeezed compliance departments, and there’s more coming.”

But Tuesday’s penalty, which DFS announced six days after news emerged that federal officials suspect that Kraken, one of the world’s largest cryptocurrency exchanges, helped customers circumvent U.S. sanctions against Iran, may prompt an industry-wide rethink.

The violations

RHC relied solely on parent company Robinhood Market’s AML compliance, fraud detection and cybersecurity programs, which did not meet New York’s standards, DFS alleged Tuesday.

Despite this reliance, RHC’s chief compliance officer reported to the parent company’s senior products manager rather than directly to the board of directors or risk assessment committees.

RHC’s failure to allocate enough resources and staff to the company’s AML function was compounded by its reliance on a manual system to screen a daily average of 106,000 transactions with an aggregate value of $5.3 million.

By October 2020, 10 months after an independent consultant warned RHC that the manual process had “minimal value currently” and recommended rapid adoption of automated software, the company had accumulated a backlog of 4,378 transactions requiring review for potentially illicit activity.

RHC did not completely switch to automated screening until April 2021.

Monitoring also suffered from an “extremely high and arbitrary” threshold for flagging crypto-specific transactions, which, according to DFS, went unnoticed by RHC if they did not exceed $250,000 in aggregate value over a six-month period.

As a result, the company filed only two SARs during the period in question.

“Such a high threshold amount was unacceptable given the volume of transactions processed through RHC,” DFS said.

RHC’s total reliance on its parent company’s AML program also extended to cybersecurity, according to DFS, which accused the platform of failing to hire sufficient staff to account for its rapid growth during the period in question and ensure compliance with reporting requirements.

“Despite these weaknesses in its transaction monitoring and cybersecurity programs, RHC improperly certified compliance with the department’s transaction monitoring regulation and cybersecurity regulation,” DFS concluded.

The company also lacked a phone number for handling customer complaints as required by New York’s virtual currency regulation.

Robinhood Markets, which disclosed the impending enforcement action to investors on July 19, said in a statement Tuesday that the company has made significant improvements in the areas of AML compliance and cybersecurity, which remain a priority.

Robinhood CEO Vlad Tenev wrote in a blog post that the company will cut operations, marketing and program management staffing levels by 23 percent in response to high inflation and the market-wide crash of cryptocurrency.

Contact Fred Williams at fwilliams.acams.org