Robinhood Crypto (RHC) agreed to pay a $30 million fine to the New York State Department of Financial Services (NYDFS) for “significant failures” in its Bank Secrecy Act/anti-money laundering (BSA/AML) and cybersecurity compliance programs.

The NYDFS announced Tuesday that over several years, Robinhood’s BSA/AML program was inadequately staffed; failed to transition from a manual transaction monitoring system unfit for the firm’s size, customer profiles, and transaction volumes; and did not devote sufficient resources to addressing risks unique to the company.

Similarly, Robinhood’s cybersecurity program did not adequately address the risks of a potential breach and was not in full compliance with the NYDFS’s cybersecurity regulations.

In addition to paying the fine, Robinhood must hire an independent consultant for 18 months to review its BSA/AML and cybersecurity compliance programs, according to a consent order. The consultant “will review, report on, and assist RHC regarding its efforts to remedy these deficiencies in RHC’s compliance programs,” the order said, and report to the NYDFS on the company’s progress in remediating the issues.

Robinhood Crypto also broke the law in 2019, the NYDFS said, when it certified to the department that the company was in full compliance with the agency’s BSA/AML cybersecurity regulations.

“As its business grew, Robinhood Crypto failed to invest the proper resources and attention to develop and maintain a culture of compliance—a failure that resulted in significant violations of the department’s anti-money laundering and cybersecurity regulations,” said NYDFS Superintendent Adrienne Harris in a press release. “All virtual currency companies licensed in New York State are subject to the same anti-money laundering, consumer protection, and cybersecurity regulations as traditional financial services companies. DFS will continue to investigate and take action when any licensee violates the law or the department’s regulations, which are critical to protecting consumers and ensuring the safety and soundness of the institutions.”

The company violated the NYDFS regulation related to consumer protection when it failed to maintain a “distinct, dedicated phone number on its website for the receipt of consumer complaints,” the agency added.

Robinhood Crypto previously disclosed to investors in July 2021 that a fine from the NYDFS for compliance failures was imminent, predicting it would be “at least” $10 million.

The NYDFS order marked the third time a subsidiary of Robinhood Markets paid a fine and was ordered to hire an independent consultant to remediate failures in its compliance program.

Robinhood Financial paid a $70 million penalty in June 2021 to the Financial Industry Regulatory Authority for failing to adequately monitor compliance with FINRA’s rules. It was required to hire an independent consultant to oversee the remediation.

Robinhood Financial was fined $65 million in December 2020 by the Securities and Exchange Commission (SEC) for misleading customers about how it makes money and failing to secure best sale prices. The SEC required Robinhood to hire an independent consultant to review its policies and procedures related to customer communications.

Robinhood response: A spokeswoman for Robinhood Markets said the company is pleased the case has been settled.

“We have made significant progress building industry-leading legal, compliance, and cybersecurity programs and will continue to prioritize this work to best serve our customers,” said Cheryl Crumpton, associate general counsel of litigation and regulatory enforcement for Robinhood Markets, in an emailed statement.