NYDFS Fines Trading Platform for BSA/AML, Transaction Monitoring and Cybersecurity Lapses


August 8, 2022

The New York Department of Financial Services and a trading platform on Aug. 1 entered into a consent order to resolve deficiencies identified during a 2019 examination and a subsequent investigation by the department’s enforcement section. The consent order focused on deficiencies related to Bank Secrecy Act and anti-money-laundering compliance, transaction monitoring, cybersecurity, and related New York certifications of compliance. The company will pay a $30 million civil monetary penalty and retain an independent consultant that will assist with remediating the issues highlighted in the order and report to NYDFS on remediation progress.

The consent order has far-reaching implications for all financial services companies that come under the jurisdiction of the NYDFS.

The trading platform is a wholly owned subsidiary of a financial services company that offers U.S.-based retail investors the ability to trade stocks, options, and cryptocurrency on a commission-free basis through its broker-dealer subsidiary. The trading platform is licensed by the NYDFS to engage in virtual currency and money transmitter businesses in New York. Of primary concern for the NYDFS was the platform’s alleged reliance on its parent company’s compliance and cybersecurity programs through enterprisewide systems that the NYDFS found to be inadequate. Additionally, according to NYDFS, the platform allegedly had few to no qualified personnel or management involved in overseeing those programs, which NYDFS has implicitly indicated cannot be outsourced.

Issue summary

  • Cooperation. NYDFS claimed that the company, by submitting delayed or insufficient information to NYDFS, exhibited “a level of cooperation with the Department that . . . was less than what is expected of a licensee that enjoys the privilege of conducting business in the State of New York.” 
  • Insufficient remediation. While the company updated policies and procedures in response to NYDFS’ concerns (for example, with the business continuity and disaster recovery plan), the department asserted that those remediations were inadequate.
  • BSA/AML program and transaction monitoring. The NYDFS focused on the importance of transaction monitoring in a BSA/AML program and noted that it must be “reasonably designed, based upon the risk assessment of the entity,” to ensure adequate monitoring for potential BSA/AML violations or suspicious activities and to stop transactions that are prohibited by Office of Foreign Assets Control sanctions. An adequate monitoring system is “commensurate with [the entity’s] growth,” which includes having adequate compliance staff with the appropriate skill to manage that growth, does not have significant backlogs in evaluating alerts for suspicious activity, applies reasonably calculated business rules, and has appropriate escalation processes for suspicious activity. It also focused on the importance of documenting material compliance deficiencies related to transaction monitoring and related remedial efforts. Additionally, NYDFS claimed that the manual transaction monitoring occurring at the company during the 2019 examination was insufficient for the value and volume of activity it conducted, and efforts to roll out automated monitoring were delayed and inefficient. Once automated rules were in place, they were not broad enough to capture all relevant risks.
  • Cybersecurity. NYDFS focused on the alleged failure to conduct an assessment of cybersecurity risks, a lack of detailed policies and procedures for a long list of processes (see paragraph 55 on page 16 of the order), and specifically called out both inadequate policies and procedures for in-house and external app development and the lack of a written business continuity and disaster recovery plan. It further noted that the incident response plan had no process for notifying regulators and law enforcement of cybersecurity incidents.
  • Certification. NYDFS claimed violations for certifying the BSA/AML and cybersecurity programs despite the above deficiencies.

Implications

  • Outsourcing operational functions to third parties or affiliates is commonly permissible, but companies cannot outsource oversight of their BSA/AML compliance and cybersecurity programs. Third parties handling certain audit and other functions must be subject to appropriate oversight, including regular reporting on information security, compliance, and cybersecurity programs and their effectiveness to the board or a committee of the board.
  • Risk assessments are critical. All controls in BSA/AML compliance and cybersecurity programs must be reasonably related to the entity’s risks, as determined by a thorough risk assessment. NYDFS’ comments about growth emphasize the importance of updating risk assessments regularly to ensure that controls are managing current and emerging risks.
  • Policies and procedures are not mere formalities. NYDFS wants assurances that they are up to date and accurate, and that they are documented, reviewed, and consistently implemented as written.
  • Secure coding procedures have not traditionally been a focus for the NYDFS, but the consent order’s attention to them appears to signal a new area of regulatory scrutiny.
  • Cooperation and engagement matter when interacting with NYDFS — or any other regulator — and particularly during examinations and investigations. Remediation must be complete and responsive to the issues raised. Companies facing simultaneous investigations and examinations should be mindful that the effectiveness of remediation in response to findings may shape regulatory perceptions about cooperation during an investigation.

For more information about this consent order and its implications, please contact Edward Somers, Elizabeth McGinn, Kathryn Ryan, Benjamin Hutten, or an Orrick attorney with whom you have worked in the past.