On January 12, 2024, the New York State Department of Financial Services (“NYDFS”) Superintendent Adrienne Harris announced that the Department had reached a $8 million settlement with brokerage firm Genesis Global Trading, Inc. (“GGT”) for its alleged failure to maintain an effective compliance program in violation of NYDFS virtual currency and cybersecurity regulations. GGT, which filed for bankruptcy in January 2023, had been licensed by the NYDFS to engage in virtual currency business activities in the State of New York since 2018. In addition to the payment of the fine, GGT will surrender its BitLicense, which allowed it to conduct virtual currency business in New York. The company also informed the NYDFS of its intention to cease operations in New York.
According to the Consent Order, the Virtual Currency Regulation (23 NYCRR Part 200) requires each licensee to, among other things, comply with certain financial reporting requirements (23 NYCRR § 200.14); develop and implement an effective anti-money laundering (“AML”) program (23 NYCRR § 200.15); and maintain a robust cybersecurity program (23 NYCRR § 200.16). In addition, the Cybersecurity Regulation (23 NYCRR Part 500) requires covered entities to implement and maintain a cybersecurity program that protects their information systems and nonpublic information based upon periodic risk assessments (23 NYCRR §§ 500.1, 500.9, 200.16). The NYDFS emphasized in the Consent Order that the cybersecurity risk assessment should serve as the foundation of a company’s cybersecurity program.
Following two full-scope examinations of GGT and an enforcement investigation, the NYDFS discovered that GGT did not perform a cybersecurity risk assessment until December 2022, and the assessment performed was not adequately comprehensive. The company also allegedly failed to conduct a thorough and up-to-date firm-wide risk assessment that met the Virtual Currency Regulation’s requirements until mid-2022. The NYDFS also determined that GGT’s AML policies and procedures failed to comply with Bank Secrecy Act/Anti-Money Laundering (“BSA/AML”) requirements; its automatic transaction monitoring system was never tested to confirm that it was operating as intended; and the company failed to file Suspicious Activity Reports (“SARs”) that were commensurate with the number of transactions it was processing. In addition, the NYDFS identified deficiencies in GGT’s sanctions screening program and its consumer protection disclosure requirements.