New York fines Robinhood Crypto $30 million for AML and cybersecurity deficiencies
In light of the program’s deficiencies, the firm’s 2019 certifications to the Department attesting to compliance with these Regulations should not have been made and thus violated the law, the state regulator added.
Robinhood Crypto, the digital asset subsidiary of commission free neobroker Robinhood, has been fined a $30 million penalty by the NYDFS for significant failures in the areas of bank secrecy act/anti-money laundering (“BSA/AML”) obligations and cybersecurity, according to the watchdog.
New York Department Of Financial Services Superintendent Adrienne A. Harris explained in a statement that as its business grew, Robinhood Crypto failed to invest the proper resources and attention to develop and maintain a culture of compliance.
“All virtual currency companies licensed in New York State are subject to the same anti-money laundering, consumer protection, and cybersecurity regulations as traditional financial services companies. DFS will continue to investigate and take action when any licensee violates the law or the Department’s regulations, which are critical to protecting consumers and ensuring the safety and soundness of the institutions.”
Robinhood Crypto was improperly certified since 2019
In addition to the penalty, RHC will also be required, as part of the settlement, to retain an independent consultant that will perform a comprehensive evaluation of RHC’s compliance with the Department’s Regulations and RHC’s remediation efforts with respect to the identified deficiencies and violations.
Following a supervisory examination and a subsequent enforcement investigation, the NYDFS found that Robinhood Crypto’s BSA/AML compliance program, including its transaction monitoring system, had significant deficiencies.
The NYDFS listed the three main deficiencies in Robinhood Crypto’s BSA/AML program: inadequately staffed; failed to timely transition from a manual transaction monitoring system that was inadequate for RHC’s size, customer profiles, and transaction volumes; and did not devote sufficient resources to adequately address risks specific to RHC.
Robinhood Crypto’s cybersecurity program also had critical failures as it did not fully address operational risks, and specific policies within the program were not in full compliance with several provisions of the Department’s Cybersecurity and Virtual Currency Regulations, the agency explained in an announcement.
In light of the program’s deficiencies, the firm’s 2019 certifications to the Department attesting to compliance with these Regulations should not have been made and thus violated the law, the state regulator added.
Other deficiencies include the lack of a distinct, dedicated phone number on its website for the receipt of consumer complaints and certain reporting violations.
