New York financial regulators have issued a scorcher of an enforcement action against Robinhood, hitting the online trading app with a $30 million penalty for a weak compliance program that, in turn, allowed a wide range of other compliance failures.
The New York Department of Financial Services (DFS) announced the sanction on Tuesday. The precise target of the order was Robinhood Crypto, the cryptocurrency trading platform that parent company Robinhood launched in 2018. In its complaint, however, DFS faulted the crypto unit and parent company alike for failing to make necessary investments in compliance program capabilities as both units saw soaring growth from 2018 through 2020.
“As its business grew, Robinhood Crypto failed to invest the proper resources and attention to develop and maintain a culture of compliance — a failure that resulted in significant violations of the department’s anti-money laundering and cybersecurity regulations,” DFS superintendent Adrienne Harris said in a statement.
DFS specifically faulted Robinhood Crypto for a shoddy anti-money laundering compliance program, including an inadequate transaction monitoring system; and a cybersecurity compliance program that lacked sufficient policies for, well, pretty much every IT risk a company might encounter.
The broader failure, however — and one other compliance officers should heed, especially if you’re working in fintech or some other high-growth sector — was an ill-conceived and poorly supported compliance program overall. Like, before DFS even started listing the various AML and cybersecurity failures it found, the agency’s settlement order against Robinhood began with this:
Although these deficiencies will be discussed in turn more fully below, it is worth beginning with the department’s observation that [Robinhood Crypto’s] overall approach to its compliance obligations substantially contributed to such deficiencies… [Robinhood Crypto] played no meaningful role in compliance efforts at the entity level, resulting in a lack of an ability to influence staffing and resources, or to timely and adequately adopt measures that would assure full compliance with the department’s regulations.
Ouch. DFS might as well have ordered Robinhood’s management team to wear t-shirts saying “I’m a loser” as part of the settlement.
A Compliance Function Not Empowered
One fundamental issue was the amount of authority established for the chief compliance officer at Robinhood Crypto — or more accurately, the lack thereof.
On a day-to-day level, Robinhood Crypto’s compliance program was actually managed by the parent company, Robinhood Markets, with some help from the firm’s broker-dealer affiliate, Robinhood Financial. Robinhood Crypto’s compliance officer, however, did not report into the compliance or legal teams at either of those divisions. Instead, he reported to Robinhood Crypto’s director of product operations, without any duty or opportunity to brief the Robinhood Markets board on compliance issues. (I have a good sense of who this compliance officer was, but am not entirely sure; so I won’t name the person here.)
That isolation and low-status position caused other problems. For example, when DFS examiners conducted a review of Robinhood Crypto’s operations, the business failed to disclose that other parts of the Robinhood empire were under state and federal investigation; that’s a violation of DFS disclosure rules. (Robinhood paid $70 million to FINRA last year for issues with its broker-dealer division.)
Robinhood Crypto also mistakenly told DFS examiners that they lacked authority to examine the policies and practices in other parts of Robinhood, when in fact DFS has wide-ranging authority to examine financial firms operating in New York.
Now, Robinhood wouldn’t be the first company to manage compliance operations on behalf of a subsidiary — but you still need to have proper structure and autonomy for the subsidiary compliance officers. Having a compliance officer report into an operating executive such as a product manager is a huge red flag, both for financial examiners and other regulators such as the Justice Department.
Most large companies already know this. Most small companies don’t need to know it, because smaller companies have fewer compliance risks. The danger zone is for small companies rapidly becoming large companies. They constantly need to confirm that the structure of their compliance function allows the compliance program to remain robust and effective — even as new business gushes through the door, business models get more complex, and self-important executives in operating units go on egotistical power trips.
Specific Robinhood Compliance Failures
So anyway, Robinhood Crypto didn’t have that robust compliance function. From that position of weakness, many other compliance failures flowed.
First was an inadequate AML compliance team. More precisely, Robinhood Crypto’s compliance officer had no team at all; he relied on the financial crimes compliance team at Robinhood Financial to run AML compliance for him, although that other team “was itself inadequately staffed to provide adequate compliance support,” DFS said.
Robinhood Crypto also relied on manual transaction monitoring throughout 2019 and 2020, even while business was booming and transactions were averaging 106,000 per day by late 2019. That led to a backlog of alerts that Robinhood’s AML compliance teams couldn’t review in a timely manner, because (see previous paragraph) they were too small to begin with. Even after an independent consultant warned in 2019 that manual transaction monitoring was a weakness, Robinhood Crypto didn’t implement an automated solution until April 2021.
There were similar issues with the firm’s cybersecurity program. Again, Robinhood Crypto relied on the Robinhood parent to manage cybersecurity — but that arrangement didn’t fully address Robinhood Crypto’s unique operations, risks, and reporting lines. Nor did Robinhood Crypto establish all the written policies and procedures that DFS expects for compliance with its cybersecurity rules, formally known as 23 NYCRR Part 500.
Flawed risk assessments, incomplete business continuity plans, incident response plans that didn’t include a process for notifying regulators after a breach: the DFS complaint reads like a greatest hits album of what a company can do wrong with its cybersecurity compliance program. Because of those weaknesses, DFS said, Robinhood Crypto’s compliance certifications in 2019 were invalid. (This is, by the way, similar to the sanction DFS imposed on Carnival Corp. a few weeks ago: technical flaws in Carnival’s cybersecurity program, including an incomplete breach response plan, which invalidated Carnival’s compliance certifications.)
Meanwhile, at the Company
Several hours after settling the DFS case, Robinhood announced an ugly earnings report for Q2. Revenue was $318 million, up 6 percent from the prior quarter but down 44 percent from the year-ago period. Cryptocurrency trading revenue plunged from $233 million one year ago to just $58 million this quarter.
Oh, and this too — Robinhood is also laying off 23 percent of its workforce, on top of a 9 percent cut announced earlier this year. That’s a reduction of roughly 1,000 people in total. So whatever growth pains the company suffered on its way up, one wonders what will happen next on the way down.