In what is the New York Department of Financial Services'
(NYDFS) first enforcement action against a NYDFS-licensed
"virtual currency business," on August 1, 2022, the
agency announced $30 million settlement with
cryptocurrency investing platform Robinhood Crypto, LLC
("RHC"). The settlement addressed charges stemming from
what the NYDFS cited as various deficiencies during 2019-20 of
RHC's Bank Secrecy Act (BSA) and anti-money laundering (AML)
program and RHS' cybersecurity obligations under the
agency's Virtual Currency "BitLicense" regulation (23 NYCRR Part
200) and Cybersecurity Regulation (23 NYCRR Part 500),
among other things
NYDFS has been active in crypto regulation for many years. In
2015, New York was the first state to promulgate a comprehensive
framework for regulating virtual currency-related businesses. The
keystones of the BitLicense regulations are consumer protection,
anti-money laundering compliance and cybersecurity rules that are
intended to place appropriate "guardrails" around the
industry while allowing innovation. In addition, NYDFS's
Cybersecurity Regulation went into effect in March 2017 and
generally requires all covered entities, including licensed virtual
currency businesses, to establish and maintain a cybersecurity
program designed to protect the confidentiality, integrity, and
availability of its information systems. Licensed virtual currency
companies are subject to the same AML and cybersecurity regulations
as traditional financial services companies.
In 2019 the NYDFS granted RHC's application for a
BitLicense. The BitLicense, along with a New York state money
transmitter license also granted at the time, authorized Robinhood
Crypto to offer services for buying, selling and storing various
cryptocurrencies to New York residents. Overall, NYDFS stated that
after conducting a supervisory examination and investigation, it
found that RHC had "shortcomings in the company's
management and oversight of its compliance programs" and that
inadequate staffing and resources were devoted to BSA/AML,
transaction monitoring and cybersecurity compliance commensurate
with its growth. As such, the agency found that RHC's programs
did not fully address RHC's operational risks, particularly
those associated with operating a cryptocurrency trading platform,
and that specific policies within the program were not in full
compliance with NYDFS's Cybersecurity and Virtual Currency
Regulations. Under the settlement, beyond the $30 million penalty,
RHC will be required to retain an independent consultant to perform
a comprehensive evaluation of the RHC's remediation and
compliance efforts.
This is an active summer at NYDFS for crypto developments. The
RHC settlement follows on the heels of last month's release of a stablecoin guidance meant to set
foundational criteria for USD-backed stablecoins issued by
DFS-regulated entities on the issues of redeemability, assets
reserves and attestations about such reserves.
New York Financial Regulator Brings First AML And
Cybersecurity Enforcement Action Against Licensed Crypto Trading
Entity
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
Gloss