On August 2, 2022, New York State’s Department of Financial Services (“DFS”) announced that Robinhood Crypto, LLC (“RHC”), a trading platform that allows customers to transact in cryptocurrencies, had agreed to pay a $30 million fine to resolve allegations of “significant” lapses in its compliance with New York State anti-money laundering and cybersecurity regulations. In addition to the fine, the settlement will also require RHC to hire an independent consultant to evaluate the company’s remediation efforts and compliance with DFS regulations. RHC did not admit to the allegations contained in the Consent Order.

As described in the DFS Consent Order, New York State law requires financial institutions to maintain an effective anti-money laundering (“AML”) program and to devise and implement systems reasonably designed to identify and report suspicious activity and block illegal transactions, and this applies to entities dealing in cryptocurrency. 23 NYCRR § 200.15(b), (d). Under 3 NYCRR § 417.2, “licensed money transmitters” are required to establish, implement, and maintain effective AML programs that include, among other things: internal policies, procedures, and controls reasonably designed to guard against money laundering, and accurate, complete, and timely reports of suspicious activity. 3 NYCRR § 417.2. Finally, according to DFS, the Transaction Monitoring Regulation requires certain DFS-regulated entities to maintain transaction monitoring and sanctions screening programs that are reasonably designed, based upon the risk assessment of the entity, to ensure the monitoring of the entity’s transactions for potential BSA/AML violations and suspicious activity reporting and to interdict transactions that are prohibited by the U.S. Treasury Department’s Office of Financial Asset Control. 23 NYCRR § 504.3(a), (b).

The DFS allegations against RHC stem from a 2020 supervisory examination and subsequent investigation which supposedly led DFS to find “significant deficiencies” in the trading platform’s Crypto AML program, such as inadequate staffing, insufficient resources, and a manual transaction monitoring system ill-suited for the rapidly growing size of the trading platform’s crypto business. Specifically, DFS alleged that RHC’s crypto business “did not have sufficient BSA/AML staff” with appropriate skill levels to support the company’s AML program, as evidenced by its supposedly “substantial backlog in . . . evaluating potentially suspicious transactions.” DFS also found that the trading platform was using a manual transaction monitoring system that was supposedly not sophisticated enough to support the trading platform’s high transaction volume, with the company averaging “106,000 transactions daily” as of September 30, 2019. DFS stated that similar deficiencies existed with respect to the trading platform’s cybersecurity program, such as a lack of dedicated in-house staff and a failure to adequately cover the company’s various operations, among other things. The DFS noted in its Consent Order, however, that RHC had already taken some corrective steps since the conclusion of its investigation in 2020.

This is DFS’s first settlement with an entity operating in the cryptocurrency market and it suggests, when viewed with other recent resolutions, that regulators are keen to bring “first-ever” enforcement actions in this space. As the regulatory landscape around cryptocurrency continues to materialize and sharpen, companies dealing in cryptocurrency should carefully monitor settlements like these and assess their own compliance programs accordingly.