Cybersecurity and anti-money laundering processes at Robinhood’s crypto trading operation depended on the system put in place by Robinhood Markets, the parent company, and it was deficient, the New York State Department of Financial Services said in agreeing to a $30 million settlement with the company last week – the agency’s first crypto enforcement action.
At the time it began trading, in 2019, the regulator said, the crypto operation’s chief compliance officer played no meaningful role in the affiliate’s anti-money laundering and cybersecurity processes.
“Rather than reporting directly to a legal or compliance executive at the parent or affiliate,” the regulator said, the CCO reported to the parent company’s director of product operations.
What’s more, the CCO didn’t participate in any formal reporting to the board of directors or independent audit or risk committees at the parent or affiliate.
As a result, the crypto operation “played no meaningful role in compliance efforts at the entity level, resulting in a lack of an ability to influence staffing and resources, or to timely and adequately adopt measures that would assure full compliance with the Department’s Regulations,” the regulator said.
The weak line of responsibility played a role in what the regulator described as poor cooperation by the operation when the evaluation began.
“At least initially, [cooperation] was less than what is expected of a licensee that enjoys the privilege of conducting business in the State of New York,” the regulator said.
Regulatory violations
The crypto operation’s deficiencies apply mainly to its processes for complying with requirements under federal bank secrecy and anti-money laundering laws and the state regulator’s own cybersecurity rules.
On the bank secrecy and anti-money laundering side, among other things, the operation relied on inadequate staff and manual processes for monitoring transactions for signs of suspicious activity.
Although there’s nothing wrong with a manual system, the regulator said, it’s inadequate for an operation managing an average of 106,000 transactions a day.
“It is not surprising … that [anti-money laundering] staff simply could not keep up with the transaction alerts, resulting in the significant backlog,” the regulator said.
By the third quarter of 2020, the operation was trying to process a suspicious activity backlog of almost 4,400 alerts.
On the cybersecurity side, deficiencies stemmed to a degree from the operation’s reliance on the parent company’s system.
“Though [the crypto operation] was within its right … to rely on [the parent company’s] policies and procedures, in this case these policies and procedures did not fully address [the] operations, risks, and reporting lines,” the regulator said.
As part of the settlement agreement, the crypto operation was permitted to keep using a consultant it hired to help it fix its deficiencies as the monitor who will keep tabs on its compliance.