Superintendent of Financial Services Adrienne A. Harris announced today that Robinhood Crypto, LLC will pay a $30 million penalty to New York State for significant failures in the areas of bank secrecy act/anti-money laundering obligations and cybersecurity that resulted in violations of the Department’s Virtual Currency Regulation (23 NYCRR Part 200), Money Transmitter Regulation (3 NYCRR Part 417), Transaction Monitoring Regulation (23 NYCRR Part 504), and Cybersecurity Regulation (23 NYCRR Part 500). In addition to the penalty, RHC will also be required, as part of the settlement, to retain an independent consultant that will perform a comprehensive evaluation of RHC’s compliance with the Department’s Regulations and RHC’s remediation efforts with respect to the identified deficiencies and violations.  

“As its business grew, Robinhood Crypto failed to invest the proper resources and attention to develop and maintain a culture of compliance—a failure that resulted in significant violations of the Department’s anti-money laundering and cybersecurity regulations,” said Superintendent Harris. “All virtual currency companies licensed in New York State are subject to the same anti-money laundering, consumer protection, and cybersecurity regulations as traditional financial services companies. DFS will continue to investigate and take action when any licensee violates the law or the Department’s regulations, which are critical to protecting consumers and ensuring the safety and soundness of the institutions.”  

The Department found, following a supervisory examination and a subsequent enforcement investigation, that RHC’s BSA/AML compliance program, including its transaction monitoring system, had significant deficiencies. Among other things, RHC’s BSA/AML program was inadequately staffed; failed to timely transition from a manual transaction monitoring system that was inadequate for RHC’s size, customer profiles, and transaction volumes; and did not devote sufficient resources to adequately address risks specific to RHC. Similarly, the Department found critical failures in RHC’s cybersecurity program. The program did not fully address RHC’s operational risks, and specific policies within the program were not in full compliance with several provisions of the Department’s Cybersecurity and Virtual Currency Regulations.  

All of these deficiencies resulted from what the Department found were significant shortcomings in the management and oversight of RHC’s compliance programs, including a failure to foster and maintain an adequate culture of compliance. The Department also discovered that adequate resources were not devoted to RHC’s compliance programs, particularly as it grew, which exacerbated these issues.  

Despite these weaknesses in its transaction monitoring and cybersecurity programs, RHC improperly certified compliance with the Department’s Transaction Monitoring Regulation and Cybersecurity Regulation. Pursuant to those regulations, companies should only be certifying to DFS if their programs are fully compliant with the applicable regulation. In light of the program’s deficiencies, RHC’s 2019 certifications to the Department attesting to compliance with these Regulations should not have been made and thus violated the law.  

Finally, RHC failed to comply with certain consumer protection requirements by not maintaining a distinct, dedicated phone number on its website for the receipt of consumer complaints. RHC also violated certain reporting requirements pursuant to its bespoke Supervisory Agreement with the Department. 

Under the settlement reached today, in addition to payment of a $30 million penalty, RHC will be required to retain an independent consultant that will perform a comprehensive evaluation of the RHC’s compliance with the Department’s Regulations and RHC’s remediation efforts with respect to the identified deficiencies and violations. 

Read a copy of the Robinhood Crypto, LLC consent order on the DFS website. 

###