The US government took its strongest step yet in its oversight
of other virtual currency yesterday, fining prominent “Bitcoin
alternative” company Ripple Labs Inc. $700,000 for what the
government called a willful violation of the anti-money laundering
laws.
In Ripple, the Financial Crimes Enforcement Network (FinCEN)
targeted one of the more prominent virtual currency companies for
its first virtual currency civil enforcement action. Ripple does
not rely on Bitcoin but instead issues its own virtual currency and
operates an open payment network using that virtual currency.
Unlike many smaller Bitcoin and other virtual currency companies,
Ripple has several prominent financial institution investors and it
boasts of a compliance staff with years of anti-money laundering
(AML) experience. Ripple’s own virtual currency, XRP, is
the second largest in market capitalization behind
Bitcoin.
Concurrently with the FinCEN settlement, Ripple entered into a settlement agreement resolving a
criminal investigation by the US Attorney’s Office for the
Northern District of California (USAO) for the same AML failures
cited in the FinCEN order, agreeing to pay a criminal forfeiture
amount of $450,000, payment of which will partially satisfy
FinCEN’s $700,000 penalty.
AML Obligations for Virtual Currency Companies
FinCEN, the regulator responsible for enforcement of the Bank
Secrecy Act, found that Ripple operated as a money services
business (MSB) and sold virtual currency without implementing an
adequate anti-money laundering program. Notably, FinCEN and
the USAO did not find that any actual money laundering or illegal
activity took place using Ripple or its virtual
currency. Rather, FinCEN’s action is based on
Ripple’s alleged failures to: (1) register as an MSB; (2)
implement an adequate AML program; and (3) report three suspicious
transactions (two of which Ripple declined to process).
FinCEN’s principal finding was that Ripple failed to follow
FinCEN’s March 2013 guidance
identifying conduct that causes virtual currency companies to
become MSBs (the 2013 guidance). The 2013 guidance generally
identifies as an MSB a person that accepts and transmits
convertible virtual currency or that buys or sells convertible
virtual currency in exchange for currency of legal tender or
another convertible virtual currency. MSBs must register with
FinCEN, appoint an AML compliance officer, and implement an AML
program reasonably designed to address money laundering risks
raised by its business, including by reporting suspicious
transactions to FinCEN.
During the two years after FinCEN issued the 2013 guidance, it
notified virtual currency companies privately if it thought they
were acting as unlicensed MSB under the 2013 guidance, and it
issued a series of interpretative letters explaining the
guidance. While the private notifications and interpretive
letters caused some companies to change their business models or
register as MSBs, until now FinCEN had not publicly punished any
company for failing to follow the 2013 guidance.
While the 2013 guidance is focused on virtual currency businesses,
the underlying MSB rules may apply to any company offering
innovative payment solutions. Yesterday’s enforcement
action signals that such companies now risk enforcement action
unless they either register as MSBs or can convince FinCEN that
such registration is not required. This poses a legal hurdle
for startups and emerging companies, and their investors, who are
unsure of whether their cutting-edge payment solutions are subject
to rules originally designed for brick-and-mortar
businesses.
Low Tolerance for AML Compliance Delays
According to a joint statement of facts, FinCEN
and the USAO determined that Ripple Labs Inc. and its
subsidiary XRP II, LLC violated the registration, AML program, and
transaction reporting requirements of the Bank Secrecy Act (BSA)
and its implementing regulations.1 Specifically,
Ripple Labs engaged in sales of its XRP virtual currency without
registering with FinCEN as a money services business and also
without implementing and maintaining an effective AML
program. In July 2013, a new Ripple subsidiary did register
with FinCEN but was found to have lacked an effective AML program
and to have failed to file suspicious activity
reports.
Notably, the joint statement of facts states that Ripple failed to
register as an MSB until April 29, 2013, or for about six
weeks after the March 18, 2013 guidance. Similarly,
Ripple’s subsidiary registered as an MSB on September 4,
2013, and FinCEN and the USAO faulted the subsidiary for not
adopting its written AML program until three weeks later, on
September 26. Other violations occurred for a longer
period: the joint statement of facts states that
Ripple’s subsidiary did not perform a risk assessment until
six months after registration, and it did not conduct AML training
until nearly a year after its formation.
Finally, FinCEN and the USAO found that the Ripple subsidiary did
not conduct an independent review of its AML program until nearly a
year after it began virtual currency sales, by which time it was
aware of the USAO investigation. While many financial
institutions conduct annual reviews of their AML program, the AML
rules require only the frequency of the MSB’s review
“be commensurate with the risk of the financial services
provided.”2 Thus FinCEN appears to be
interpreting its regulation to require a review within the first
year of MSB operations, or at least upon learning of potential
government investigations.
Broad Remedial Measures
As part of the settlement, Ripple (and relevant subsidiaries)
agreed to take several remedial actions
aimed to give the government greater visibility into virtual
currency transactions. Two of these actions are particularly
noteworthy. First, Ripple agreed to improve its
monitoring tools for identification and possible reporting to the
government of funds flows and counterparty information regarding
Ripple transactions. Second, Ripple also agreed to
offer incentives (such as free XRP virtual currency) for customers
to provide identification information, and then to cut off any
Ripple customer who does not provide that information within 180
days of the settlement.
Other remedial measures are similar to those commonly seen in AML
enforcement actions. Ripple agreed to comply with MSB
registration and AML program requirements and to make enhancements
to the company’s AML controls and training
program. Ripple also agreed to external audits of its program
through the year 2020, and to a three-year lookback review of
historical transactions for potential suspicious activity
reporting.
1 See 31 U.S.C. § 5330, 31 C.F.R. § 1022.380 (registration); 31 U.S.C. § 5318(a)(2), (h), 31 C.F.R. § 1022.210 (AML program); and 31 U.S.C. § 5318(g), 31 C.F.R. § 1022.320 (SAR reporting).
2 31 C.F.R. § 1022.210(d)(4).
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.