Recent regulatory action against a crypto-asset trading firm offers some key lessons in anti-money laundering compliance for all financial institutions
This month’s announcement that New York State’s financial regulator had fined the crypto arm of Robinhood Markets $30 million, largely due to alleged violations of anti-money-laundering (AML) regulations, highlights key compliance considerations, according to an industry expert.
Along with other deficiencies such as cybersecurity lapses, the New York State Department of Financial Services (NYDFS) penalized Robinhood Crypto for allegedly failing to devote sufficient resources to combating money laundering. Robinhood Crypto is a wholly owned subsidiary of Robinhood Markets Inc, which, among other things, allows United States-based retail customers to trade stocks and options on a commission-free basis through its broker-dealer subsidiary, Robinhood Financial.
“As its business grew, Robinhood Crypto failed to invest the proper resources and attention to develop and maintain a culture of compliance — a failure that resulted in significant violations of the Department’s anti-money laundering and cybersecurity regulations,” stated Superintendent of Financial Services Adrienne A. Harris.
Lessons from the regulatory action
For AML officers, the regulatory action provides five key takeaways, says Sarah Beth Felix, a former Bank Secrecy Act (BSA) compliance officer who now runs Palmera Consulting, an AML consulting firm.
Lesson 1: Filing few suspicious activity reports (SARs) invites regulatory scrutiny
The NYDFS order states that during the time period for the regulator’s 2019 examination, only two suspicious activity reports (SARs) were filed in response to Robinhood Crypto’s “crypto-specific transaction monitoring alerts.” The number of SARs filed by a firm “is an indicator — like it or not — of effectiveness,” Felix explains.
“It is not the only indicator, but we see this in order after order. Low SARs filed always make a good examiner dig deeper. There is not a magic number per financial institution, but we know that low SARs are a high-level red flag for a savvy examiner,” she says.
Lesson 2: Avoid arbitrary transaction monitoring thresholds
With regard to its two crypto-specific transaction monitoring rules, NYDFS examiners found that Robinhood Crypto “employed an extremely high and arbitrary threshold amount to generate exception reports,” the order states. “That threshold amount was $250,000, in cumulative transaction volume over a six-month period. Such a high threshold amount was unacceptable given the volume of transactions processed through (the firm).”
Arbitrary thresholds have no place in a well-run AML program, Felix adds. “Even if the arbitrary threshold is established by a third-party system, there must be work shown — like you would do if your math teacher was watching you explain your answer.”
Lesson 3: SARs escalation procedures must be documented
The order states that the firm’s “escalation processes for continuing suspicious activity and repeat SAR filings were inadequate.”
It is a commonplace mistake not to document escalation processes in procedures for suspicious activity monitoring programs, Felix says. “Procedures should include lists of what information may trigger an escalation, what type of information will be reviewed, investigatory standards, and time frames for each of those processes.”
Lesson 4: Beware the “illusion of authority”
All of Robinhood Crypto’s AML problems were exacerbated by a “lack of prominence” for its compliance function within the organizational structure of Robinhood Markets, the order states. It adds that, despite Robinhood Crypto’s reliance on its parent and affiliate for its compliance program, the crypto unit’s chief compliance officer reported to the director of product operations at Robinhood Markets rather than directly to a legal or compliance executive.
“The CCO [Chief Compliance Officer] also did not participate in any formal reporting to the board of directors or independent audit or risk committees at the parent or affiliate. Thus, [Robinhood Crypto] played no meaningful role in compliance efforts at the entity level, resulting in a lack of an ability to influence staffing and resources, or to timely and adequately adopt measures that would assure full compliance with the Department’s regulations,” the order states.
AML officers should be on the lookout for the “illusion of authority,” Felix says, noting that “we see this woven throughout every supervisory order over the past five years, explicitly or implicitly.
“It doesn’t matter if your title has ‘officer’ in it or not,” she explains. “If your position is buried in the organization chart like this CCO at Robinhood Crypto, or if you’ve asked many times for more staff, better systems, or off-loading of non-BSA responsibilities and your C-suite is not listening, you most likely have the illusion of authority. And that presents risk to you as the AML officer.”
Lesson 5: Parent companies and investment subsidiaries should have separate, tailored AML programs
The order states that Robinhood Crypto failed to transition its manual transaction-monitoring system to an automated system in a timely manner, “which was unacceptable for a program that, as of September 30, 2019, averaged 106,000 transactions daily, totaling $5.3 million.
“Given this level of business and increase in alert volume at the enterprise level, a manual system was not adequate to support a compliant AML program, particularly in light of the staffing inadequacies. It is not surprising, therefore, that AML staff simply could not keep up with the transaction alerts, resulting in (a) significant backlog.”
The order adds: “Transaction monitoring is a cornerstone of an effective BSA/AML program. It must be conducted thoughtfully, efficiently, and in a manner commensurate with institutions’ business profiles.”
This action serves as a reminder that parent companies and subsidiaries should have their own AML programs, Felix advises. “Whether it is rolling up or down the chain, parent companies and subsidiaries must have their own AML program, to include — tailored to them — policies and procedures, but also monitoring systems, personnel, escalation paths, reporting lines to board, etc.”
In traditional banks that have wholly owned trust companies or wealth management companies, there is commonly heavy reliance on the parent bank’s AML officer and program, Felix notes. “This needs to be reevaluated, as the monitoring systems and customer due diligence scoring for the bank products are not robust enough to appropriately cover the nuanced threats within trust or wealth management.”