The New York Department of Financial Services (DFS) has entered the crypto AML enforcement fray, issuing a $30 million fine to Robinhood Crypto, LLC, the crypto trading unit of the larger parent firm, for AML program deficiencies and failure to maintain a culture of compliance, among other things.
Why should compliance officers take note? This is DFS’s first enforcement action against a crypto firm, as well as the regulator’s first citation of a violation of its Part 504 regulation (requiring firms’ annual certification that they maintain a reasonably designed transaction monitoring and filtering program).
With regulators bearing down on crypto, turmoil in the crypto markets, and limited compliance staffing and resourcing, compliance officers in the industry are understandably anxious about their own personal liability for compliance missteps. “There is more risk because there is no clear rulebook,” said one Chief Compliance Officer recently.
While compliance officers may feel inundated right now, here are 4 key areas compliance officers should focus on from this latest enforcement action.
Ensure organizational prominence for compliance
DFS emphasized that compliance needs sufficient prominence in a firm’s organizational structure. The compliance function should report up to appropriate senior management (e.g., legal, risk, or compliance senior management), in addition to formal compliance reporting to the Board and/or Board committees. This is critical to maintain a culture of compliance.
Compliance is fundamentally a CEO-level issue, and you have to make sure its prominence matches its importance. The stakes of sidelining compliance are clear – beyond Robinhood’s sizeable fine, it’s also required to maintain for 18 months an independent consultant that reports to DFS and reviews the firm’s compliance programs.
Secure sufficient compliance resources
Your compliance function needs to be well-staffed and resourced. This starts with compliance officers – do you have the experience to take on your firm’s risks, especially as it grows, and do you have sufficient oversight of program changes, like introducing new tools?
High-growth firms also need to progress their compliance tooling from manual to automated processes and hire experienced AML compliance staff. Deficiencies in all these areas led to DFS’s enforcement action.
Don’t hesitate to press for the right tools and staff to do your job. Compliance officers often say their most important skills are championing compliance needs and standing their ground, while balancing different stakeholder demands.
Make sure your compliance technology and KRIs are appropriate for your size
AML program effectiveness is increasingly an emphasis of regulators, but it’s notoriously hard to define. The latest enforcement action gives some examples of unacceptable performance.
First, if you’re growing quickly, you should progress to automated systems. DFS said a manual transaction monitoring program was unacceptable to handle more than 100,000 daily transactions totaling over $5 million, a SAR alert volume increase of 500% within 2 years, and a SAR alert backlog of over 4,000.
Second, your transaction monitoring rules and SAR filing rates need to be reasonable for your transaction volume. DFS considered an exception reporting threshold of $250,000 in cumulative transaction volume over 6 months to be “extremely high and arbitrary,” and said it was unacceptable for only 2 SARs to be filed in an 8-month period for a high transaction volume.
Are your KRIs reasonable for your firm? What other useful KRIs are in your data? What technology is needed to measure those? Are you addressing any KRIs indicating high risk?
Reduce any “unknowns” and remedy gaps or issues quickly.
Your most likely source of exposure comes from unknown risks or requirements. DFS noted that Robinhood was never fully compliant with New York regulations during the period at issue and didn’t address known risks for its business model.
First identify the risks and requirements you’re expected to manage, then look to automated tools or streamlined processes to notify you of issues quickly before they get out of hand. It is critical to remediate issues or gaps promptly – DFS cited delays in addressing known AML program weaknesses as further indication of AML program deficiencies.
As pressure ratchets up on compliance officers, take a step back to check you’ve thought about each of these core areas. While you may feel buried in day-to-day tasks, you can gain comfort by assuring yourself that you have addressed these critical areas of potential vulnerability for your AML compliance program.