A Consent Order issued in August 2022 by the New York State Department of Financial Services (“NYDFS”) for a $30 million fine on Robinhood Crypto, LLC (“RHC”) shows that cryptocurrency firms are not immune from regulatory and legal obligations. The Consent Order can be read as a partial roadmap for similar firms in establishing best practices for ongoing successful compliance operations, which help firms to remain compliant and secure concurrently.
Based on the Consent Order, firms in this space should be prepared to demonstrate to NYDFS how their compliance programs meet the standards outlined in DFS regulations, particularly the Virtual Currency Regulation, the Money Transmitter Regulation, the Cybersecurity Regulation, and the Transactions Monitoring Regulation. Firms should also ensure that they have documented policies and procedures required by the Cybersecurity Regulation.
Finally, firms should be prepared to show that they have adequate staffing associated with these regulations.
There are three best practices that can help firms achieve these goals and minimize their regulatory risks.
Fill the gaps between proofs and requirements
At their core, regulations define a series of requirements, and compliance analysts can evaluate their existing evidence of compliance, or proofs, against those requirements as part of a gap analysis of their internal controls. As part of associating a proof with a requirement, analysts should ask three questions: is the proof adequate, sufficient, and applicable to another requirement? The first two questions are easy: if a proof is adequate, it’s the right evidence; if a proof is sufficient, there’s enough detail to address the regulatory requirement.
However, analysts should further consider if a proof can be reused across multiple requirements; for example, a written information security policy might cover multiple requirements, and thus be reusable, therefore limiting the number of new proofs that need to be created.
Once an analyst has mapped the existing set of proofs to requirements, the compliance team should work with the rest of the business to close the gaps. Often, this involves developing and approving additional documents, not just policies and procedures, but also succession and hiring plans. Once approved, these proofs should be added to the requirements.
Ensure that there are documented review and sign-off cadences
An easily overlooked and similarly easily addressed issue with compliance documentation is the lack of a signature or approval by an appropriate resource on a regular basis.
When first opening a document, auditors will often look for the revision history of the document, paying particular attention to who last approved the document and their role in the organization. Next, auditors will look at the document’s review schedule – for example, if a document was last signed off in July 2022 by the Chief Counsel, it has an annual review cycle, and the prior sign-off was in July 2021, there’s no cause for concern. However, had the document been previously not approved, if there was more than a year-long gap between approvals, or if the prior approval had been via an analyst who lacked management authority, the auditor will find a reason to review the proof more closely as it may indicate that a control is not effective.
Automate as much as feasible
Most organizations will manage to follow the prior two best practices at a point in time, but regulatory compliance is a journey, not a destination. Smart organizations should look to automate:
- Collection of proofs on a regular basis.
- Control testing to validate that internal controls are working.
- Reminders to perform controls manually, but only as a last resort.
Manual control testing and operation should be considered a last resort because it’s the most resource-intensive and error-prone. For example, being able to collect proofs of all policies and procedures on an annual basis conceivably requires an analyst to spend their days finding copies of documents, checking that the approval date is within an acceptable recent duration, creating PDFs of those documents, linking those documents to controls, linking those controls to requirements, and uploading those proofs one at a time to a GRC platform or audit management software.
If an analyst misses a document or reads a date incorrectly, it can cause concern to external auditors, which creates more work for the compliance team. Creating PDFs of documents, checking dates, and adding versions are all tasks that should be automated as they don’t require any creativity or intuition, and smart organizations that are looking to reduce the time spent on preparing for audit activities and the risks of human errors should seek to automate as many of these as feasible.
While there are additional recommendations for modern organizations to optimize their compliance operations, these initial best practices will help reduce the risks of a material audit finding by an external regulatory authority.