The cryptocurrency brokerage of Robinhood Markets expects to pay New York regulators a penalty of at least $10m for allegedly violating state rules on cybersecurity and anti-money-laundering practices, the company said in filings last week.
The unit, Robinhood Crypto, has reached a settlement in principle over a New York State Department of Financial Services investigation, the mobile investing firm said in the filing.
The eventual penalty could exceed $15m, the company said in paperwork filed on 1 July for its initial public offering. Any deal would also require the unit to engage an independent monitor, the company added.
NYDFS declined to comment on the talks, citing a continuing inquiry. Robinhood also declined to comment.
The disclosure comes as cybersecurity experts and US regulators warn that criminal hacking groups could increasingly target critical infrastructure, including financial services firms, and hold computer systems hostage for ransoms in cryptocurrency. After recent hacks of Colonial Pipeline and meatpacker JBS SA disrupted US supply chains, the Biden administration said it would examine cryptocurrency’s role in fueling the ransomware economy.
New York regulators direct financial firms to maintain anti-money-laundering programs that include verifying customer information, responding to law enforcement requests and monitoring transactions for risks like violating sanctions. State rules also require such companies to build out cyber defences and contingency plans to help limit the fallout of attacks.
NYDFS in March informed Robinhood’s crypto subsidiary of alleged violations of the rules, the company said in its regulatory filing with the Securities and Exchange Commission. The cyber notification highlighted “certain deficiencies in our policies and procedures regarding risk assessment, lack of an adequate incident response and business continuity plan, and deficiencies in our application development security,” the company said.
Robinhood warned investors last week that cyberattacks could hurt its bottom line. Last year, the company said some user accounts were compromised, with Bloomberg News putting the number at 2,000. Some users claimed in a class-action lawsuit in the US District Court for the Northern District of California that attackers stole millions of dollars from their accounts. Robinhood moved to dismiss the suit, which is ongoing and has said it will reimburse customers for money stolen in any hacks.
The SEC, the Financial Industry Regulatory Authority and New York state have since opened inquiries into account takeovers. It wasn’t clear if last year’s incident is tied to the proposed settlement in New York.
Robinhood has drawn the attention of regulators in recent months as retail investors have thrown cash into markets, sometimes speculating on so-called meme stocks of firms like GameStop and AMC Entertainment Holdings. Last week, Finra said Robinhood had agreed to pay $70m to resolve allegations that it misled customers, approved ineligible traders and failed to properly supervise its technology. The total comprised a $57m fine and $12.6m in compensation to customers.
The ongoing New York investigation isn’t the only state-level look into Robinhood Crypto. In April, the company said, the California attorney general’s office issued a subpoena of documents and information on the subsidiary’s trading platform and operations.
The attorney general’s office didn’t immediately respond to a request for comment. Robinhood said in SEC filings for its IPO that its crypto brokerage is cooperating with that investigation.
“We cannot predict the outcome of the investigation or any consequences that might result from it,” Robinhood said.
Write to David Uberti at [email protected]
This article was published by Dow Jones Newswires