The recent settlement between the New York State Department of Financial Services and Robinhood Crypto LLC (“RHC”), in which RHC agreed to pay a $30,000,000 civil penalty, once more highlights the importance of adequate resourcing, authority and autonomy in maintaining effective compliance programs. https://www.dfs.ny.gov/reports_and_publications/press_releases/pr202208021
RHC’s trading platform allows customers to trade cryptocurrencies in virtual currency markets. RHC was required to maintain an effective anti-money laundering program and to devise and implement systems reasonably designed to identify and report suspicious activity and block illegal transactions. However, the Department’s investigation found that RHC had failed to maintain an effective program or comply with Cybersecurity Regulations.
While numerous weaknesses led to this conclusion, it is worth noting the Department found that RHC’s, “approach to its compliance obligations substantially contributed to such deficiencies” and that, “These problems were exacerbated by a lack of prominence” for compliance within the organizational structure. The Chief Compliance Officer reported to the Director of Product Operations rather than directly to a legal or compliance executive. Further, the CCO did not participate in any formal reporting to the Board of Directors or independent audit or risk committees at the parent or affiliate. “Thus, RHC played no meaningful role in compliance efforts at the entity level, resulting in a lack of an ability to influence staffing and resources, or to timely and adequately adopt measures that would assure full compliance with the Department’s Regulations.”
Resources, too, were a major issue. The Department found that RHC did not have sufficient staff with the appropriate level of skills to support its compliance program, particularly given the size and pace of RHC’s growth. RHC’s CCO (described as lacking “…commensurate experience to oversee a compliance program such as RHC’s, particularly as it grew, …”) had no direct support staff within RHC but instead relied exclusively on the staff at its affiliate to manage its program. The affiliate, in turn, was itself inadequately staffed to provide adequate compliance support for RHC.
Although, there were clearly other significant causes for the failure of the compliance program in this case (a lack of automated transaction monitoring - a cornerstone of an effective anti-money laundering program, for example) the outcome sends a clear message to any organizations looking to cut corners on compliance, or to regard it as a formal or “tick the box” exercise. To do so is likely to prove very costly and trigger major business disruption.
Comments