BitFlyer hit with $1.2M fine in New York over cybersecurity rules breach

Getting your Trinity Audio player ready...

BitFlyer USA drew the ire of the New York State Department of Financial Services (NYDFS) after failing to comply with regulations relating to cybersecurity.

In a consent order at the start of May, the NYDFS announced a $1.2 million fine against the firm after bitFlyer agreed to settle with the financial regulator. Per the order, the NYDFS found several loopholes in bitFlyer’s security protocol, culminating in non-compliance with regulatory guidelines.

In 2017, the NYDFS issued a Cybersecurity Regulation for firms offering digital currency services, urging them to conduct periodic risk assessments of their IT systems and make necessary submissions to the regulator. The NYDFS noted that the purpose of the Cybersecurity Regulation was to protect investors’ funds and assets from security breaches by bad actors.

After a review of internal processes, the regulator alleged that bitFlyer USA failed to comply with the requirements of regular security audits in violation of laid down guidelines. The financial watchdog pointed out that the firm had also failed to implement a written cybersecurity policy with the approval of its board.

“Because bitFlyer USA had not performed a comprehensive risk assessment as required by 23 NYCRR § 500.09(a), bitFlyer USA’s cybersecurity program was not designed to protect its electronic systems, and the information stored on those systems, from unauthorized access, use, or other malicious acts through the use of defensive infrastructure, in violation of 23 NYCRR § 200.16(a),” the statement read.

The settlement arrangement will see bitFlyer pay the civil monetary penalty of $1.2 million within ten days in the form of a wire transfer. The agreement adds that the firm cannot claim tax deductions from the government or seek reimbursement relating to the penalty amount.

bitFlyer USA presented the NYDFS with a remediation plan to ensure the digital currency exchange is cybersecurity compliant before the end of 2023. While the consent order is binding to NYDFS, other federal and state agencies are not bound by the provisions of the order.

NYDFS on a fining spree

The New York regulator has issued numerous fines against offending digital currency firms operating in its jurisdiction. At the start of the year, it slammed a $50 million fine against Coinbase (NASDAQ: COIN) for allowing users to open accounts without carrying out robust background checks.

Robinhood (NASDAQ: HOOD) felt the weight of the regulator after it was asked to pay $30 million for non-compliance with anti-money laundering rules. The firm was asked to maintain an independent consultant to ensure adherence to NYDFS rules as part of settlement terms.

“As its business grew, Robinhood Crypto failed to invest the proper resources and attention to develop and maintain a culture of compliance—a failure that resulted in significant violations of the Department’s anti-money laundering and cybersecurity regulations,” NYDFS Superintendent Adrienne Harris said.

Watch: SEC Commissioner Hester Peirce on Bitcoin Association’s Blockchain Policy Matters