NYDFS Monitorships: Is There an Emerging Trend?

by Matthew L. Levine

Photo of the author(s)

Matthew L. Levine

In 2012, the New York State Department of Financial Services (DFS) made a regulatory splash when it imposed a two-year monitorship on Standard Chartered Bank as part of an enforcement action.[1]  One commentator noted that the DFS settlement with Standard Chartered had “upended the regulatory dynamics of the international banking world” with this “staggering” resolution.[2]

Following the Standard Chartered matter, between 2012 and 2018, the agency imposed more than a dozen monitorships on large regulated entities.[3]  One by one these monitorships were wound down, and most concluded by 2019 or 2020, having achieved remedial or investigative purposes.   (One exception was an expiring monitorship imposed on Deutsche Bank for anti-money laundering compliance failures, which was extended twice, once in 2017 and again in 2019.)[4]

Notably, over the last year, DFS has imposed or threatened to institute a monitor in several enforcement actions, as a result of the agency’s view that the subject entities had permitted development of serious compliance deficiencies.  This occurrence has led to speculation that monitorships are once again becoming a regular feature of DFS settlements.  A closer look at these enforcement actions suggests that conclusion is, for now, tentative.

National Bank of Pakistan

The trend began in January 2022 in a settled enforcement action with the National Bank of Pakistan (NBP).[5]  NBP operated a modest New York branch (approximately $188 million in assets) and is majority-owned by the Pakistani government.  NBP remains the only Pakistani bank with a New York branch.[6]

DFS found that the branch’s BSA/AML deficiencies persisted over six examination cycles between 2014 and 2020 – this despite the bank having settled an enforcement action previously with DFS and the Federal Reserve Bank of New York by Written Agreement in 2016.[7]  This is a practically unheard of length of time for an institution to go without a strong regulatory response.

DFS asserted that branch and Head Office management allowed for “a high level of severe weaknesses and unsafe and unsound conditions requiring urgent restructuring,” and that “NBP failed to adequately supervise the New York Branch and allowed the problems to persist year after year.”  DFS imposed a substantial penalty of $35 million, along with a number of mitigation and reporting obligations.[8]

DFS raised the specter of an independent monitor in its Consent Order, but instead of imposing a monitor at the outset of the enforcement action, gave the bank another year to finish cleaning up its act.  At the end of a year, DFS will determine whether to require the bank to engage an Independent Consultant to conduct “a comprehensive evaluation of NBP and the Branch’s implementation of the remediation” required by the Consent Order.   Moreover, DFS also reserved the right to impose a monitorship, without more, in the event it deemed it necessary following receipt of the Independent Consultant’s evaluation of remedial progress.[9]   Whether DFS ultimately takes either of these steps remains to be seen.

Robinhood Crypto

In an enforcement action taken in July 2022 against Robinhood Crypto LLC,[10] DFS did impose a monitor  — well, sort of.   Robinhood Crypto is the cryptocurrency exchange owned by Robinhood Markets, Inc., and has held a BitLicense and money transmitter license from DFS since 2019.  DFS entered into a sweeping enforcement action with this fintech firm, alleging Robinhood Crypto’s compliance program suffered from certain structural deficiencies.

First, DFS alleged that Robinhood Crypto relied on its parent corporation and an affiliate for “substantial aspects” of its compliance program, and because the compliance programs for the parent and affiliate were “not compliant” with applicable laws and regulations, they failed to address “all the particular risks applicable to a licensed virtual currency business.”[11]

Second, DFS asserted that this structural problem was exacerbated by a “lack of prominence for Robinhood Crypto within the parent corporation’s organizational structure,” and claimed that, because of an inadequate governance structure, Robinhood Crypto “played no meaningful role in compliance efforts at the entity level.”  DFS further found that these structural deficiencies impeded appropriate cooperation with the DFS investigation, alleging they “contributed to a level of cooperation with the Department that, at least initially, was less than what is expected of a licensee ….”  All of this occurred while Robinhood Crypto experienced tremendous growth during the 2020 – 2021 crypto boom.[12]

Third, DFS alleged that Robinhood Crypto suffered from a number of specific BSA/AML deficiencies, including (a) a substantial backlog of alerts for suspicious transactions that arose from the absence of an automated transaction monitoring system, (b) deficiencies in its cybersecurity program, including both an inadequate risk assessment and insufficient Business Continuity and Disaster Recovery Plan, and (c) violations of consumer complaint regulations.[13]

Prior to entering into the Consent Order, Robinhood Crypto had engaged a third-party compliance consultant to assist with improvement of its compliance program.   DFS permitted this consultant to switch roles and become the “Independent Consultant” called for by the Consent Order, with responsibility to “commence a comprehensive review of [Robinhood Crypto]’s current compliance programs” regarding Part 200, the BitLicense regulation, Part 417 relating to money transmitters, Part 500 relating to cybersecurity, and Part 504 relating to transaction monitoring.[14]

The Order provides that the new engagement with the consultant “shall be explicit that the Independent Consultant will report to DFS” (although one might argue this consultant is in some sense reviewing its own work).  Also in the Order, DFS reserved the right to replace the Independent Consultant with another consultant of the Department’s choosing six months after its work begins.[15]

Coinbase

In January 2023, DFS announced a settled enforcement action with Coinbase,[16] the largest cryptocurrency exchange based in the U.S. and a holder of both a BitLicense and money transmitter license from DFS.  Coinbase only first received its DFS BitLicense in 2017, and in 2018 obtained a separate charter to operate a limited purpose trust company for its custody business.[17]  Along with a substantial monetary penalty of $50 million, the Coinbase Consent Order announced that DFS had already taken the “extraordinary step” of imposing a monitor almost a year before, in February 2022, “to review Coinbase’s compliance shortcomings and to assist the company to address those shortcomings[].”[18]

DFS took this action, it said, because Coinbase’s “compliance system failed to keep up with the dramatic and unexpected growth of Coinbase’s business,” resulting in the firm becoming “overwhelmed” by a “substantial backlog of unreviewed transaction monitoring alerts” and exposing its platform to “risk of exploitation by criminals and other bad actors.”[19]

Among other claims by the Department, Coinbase was alleged to have committed “egregious” compliance failures by amassing a backlog of more than 100,000 unreviewed transaction monitoring alerts, along with a separate backlog of 14,000 customers that required enhanced due diligence review.  Additionally, DFS asserted that Coinbase had failed to provide timely notice to the agency concerning a cybersecurity event resulting from a phishing scam targeting approximately 6,000 Coinbase customers.  DFS ultimately determined that Coinbase appeared unable to achieve remediation on its own, and needed the aid of a monitor “to assist the company [in] address[ing its] shortcomings.”  The Consent Order continues on the Independent Monitor for another year following this settlement.[20]

Takeaways

In discerning whether there is a developing trend towards inclusion of an independent monitor in DFS dispositions, some facts to note are:

  • Of these three recent enforcement actions, only one involved actual imposition of a traditional independent monitor by DFS, the Coinbase matter. That monitorship is currently slated to have a two-year term, unless DFS decides to extend it.
  • Two of these three resolutions involve relatively new DFS licensees, as they operate in the cryptocurrency industry. Robinhood Crypto had its license for just three years, and Coinbase only five; each was a relative newcomer to the regulated financial industry in New York and each grew their businesses quickly during the 2021 crypto boom.
  • In two of the three matters, DFS alleged that the overall institutional enterprise had structural compliance deficiencies that impacted a DFS-licensed affiliate downstream.
  • With regards to the NPB enforcement action, DFS did not actually require a monitor for NBP – despite six cycles of poor examinations — instead reserving the option to implement one if the bank did not successfully complete remediation within a year.
  • Monitorships place a significant burden on a regulated entity, requiring a major devotion of time, energy and financial resources. But they are no cakewalk for DFS either; proper management of a monitorship takes a substantial investment of time by DFS enforcement and supervisory personnel, so the agency is not especially incentivized to institute them unless believed to be genuinely necessary.

Footnotes

[1] https://www.dfs.ny.gov/reports_and_publications/press_releases/pr1408191.

[2] https://ir.lawnet.fordham.edu/jcfl/vol18/iss4/6/.

[3] See https://www.dfs.ny.gov/industry_guidance/enforcement_actions_lfs.

[4] https://www.law360.com/articles/1169119/ny-regulator-looks-to-extend-deutsche-bank-monitorship.

[5] https://www.dfs.ny.gov/system/files/documents/2022/07/ea20220216_consent_order_nbp_rev.pdf.

[6] Id.

[7] Id.; see also https://www.dfs.ny.gov/system/files/documents/2020/04/ea160314_national_bank_pakistan.pdf.

[8] Id.

[9] Id.

[10] https://www.dfs.ny.gov/system/files/documents/2022/08/ea20220801_robinhood.pdf.

[11] Id.

[12] Id.

[13] Id.

[14] Id.

[15] Id.

[16] https://www.dfs.ny.gov/system/files/documents/2023/01/ea20230104_coinbase.pdf.

[17] See https://www.dfs.ny.gov/virtual_currency_businesses.

[18] https://www.dfs.ny.gov/system/files/documents/2023/01/ea20230104_coinbase.pdf.

[19] Id.

[20] Id.

Matthew L. Levine is a partner at Elliott Kwok Levine & Jaroslaw LLP.  He previously served as Executive Deputy Superintendent for Enforcement at the New York State Department of Financial Services and as a federal prosecutor.

The views, opinions and positions expressed within all posts are those of the author alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of New York University School of Law. PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with the author.

Share this post:

Share on PinterestShare on LinkedInShare on Reddit