The US government took its strongest step yet in its oversight of virtual currency, fining prominent "Bitcoin alternative" company Ripple Labs Inc. $700,000 for what the government called a willful violation of the anti-money laundering laws.

In Ripple, the Financial Crimes Enforcement Network (FinCEN) targeted one of the more prominent virtual currency companies for its first virtual currency civil enforcement action. Ripple does not rely on Bitcoin but instead issues its own virtual currency and operates an open payment network using that virtual currency. Unlike many smaller Bitcoin and other virtual currency companies, Ripple has several prominent financial institution investors and it boasts of a compliance staff with years of anti-money laundering (AML) experience. Ripple's own virtual currency, XRP, is the second largest in market capitalization behind Bitcoin.

Concurrently with the FinCEN settlement, Ripple entered into a settlement agreement resolving a criminal investigation by the US Attorney's Office for the Northern District of California (USAO) for the same AML failures cited in the FinCEN order, agreeing to pay a criminal forfeiture amount of $450,000, payment of which will partially satisfy FinCEN's $700,000 penalty. 

AML Obligations for Virtual Currency Companies

FinCEN, the regulator responsible for enforcement of the Bank Secrecy Act, found that Ripple operated as a money services business (MSB) and sold virtual currency without implementing an adequate anti-money laundering program. Notably, FinCEN and the USAO did not find that any actual money laundering or illegal activity took place using Ripple or its virtual currency. Rather, FinCEN's action is based on Ripple's alleged failures to: (1) register as an MSB; (2) implement an adequate AML program; and (3) report three suspicious transactions (two of which Ripple declined to process).

FinCEN's principal finding was that Ripple failed to follow FinCEN's March 2013 guidance identifying conduct that causes virtual currency companies to become MSBs (the 2013 guidance). The 2013 guidance generally identifies as an MSB a person that accepts and transmits convertible virtual currency or that buys or sells convertible virtual currency in exchange for currency of legal tender or another convertible virtual currency. MSBs must register with FinCEN, appoint an AML compliance officer, and implement an AML program reasonably designed to address money laundering risks raised by their business, including by reporting suspicious transactions to FinCEN.

During the two years after FinCEN issued the 2013 guidance, it notified virtual currency companies privately if it thought they were acting as unlicensed MSBs under the 2013 guidance, and it issued a series of interpretive letters explaining the guidance. While the private notifications and interpretive letters caused some companies to change their business models or register as MSBs, until now FinCEN had not publicly punished any company for failing to follow the 2013 guidance.

While the 2013 guidance is focused on virtual currency businesses, the underlying MSB rules may apply to any company offering innovative payment solutions. The enforcement action signals that such companies now risk enforcement action unless they either register as MSBs or can convince FinCEN that such registration is not required. This poses a legal hurdle for startups and emerging companies, and their investors, who are unsure of whether their cutting-edge payment solutions are subject to rules originally designed for brick-and-mortar businesses. 

Low Tolerance for AML Compliance Delays

According to a joint statement of facts, FinCEN and the USAO determined that Ripple Labs Inc. and its subsidiary XRP II, LLC violated the registration, AML program, and transaction reporting requirements of the Bank Secrecy Act (BSA) and its implementing regulations.[1] Specifically, Ripple Labs engaged in sales of its XRP virtual currency without registering with FinCEN as a money services business and also without implementing and maintaining an effective AML program. In July 2013, a new Ripple subsidiary did register with FinCEN but was found to have lacked an effective AML program and to have failed to file suspicious activity reports.

Notably, the joint statement of facts states that Ripple did not register as an MSB until April 29, 2013, about six weeks after the March 18, 2013 guidance. Similarly, Ripple's subsidiary registered as an MSB on September 4, 2013, and FinCEN and the USAO faulted the subsidiary for not adopting its written AML program until three weeks later, on September 26. Other violations occurred for a longer period: the joint statement of facts states that Ripple's subsidiary did not perform a risk assessment until six months after registration, and it did not conduct AML training until nearly a year after its formation.

Finally, FinCEN and the USAO found that the Ripple subsidiary did not conduct an independent review of its AML program until nearly a year after it began virtual currency sales, by which time it was aware of the USAO investigation. While many financial institutions conduct annual reviews of their AML program, the AML rules require only that the frequency of the MSB's review "be commensurate with the risk of the financial services provided."[2] Thus FinCEN appears to be interpreting its regulation to require a review within the first year of MSB operations, or at least upon learning of potential government investigations.

Broad Remedial Measures

As part of the settlement, Ripple (and relevant subsidiaries) agreed to take several remedial actions aimed at giving the government greater visibility into virtual currency transactions. Two of these actions are particularly noteworthy. First, Ripple agreed to improve its monitoring tools for identification and possible reporting to the government of funds flows and counterparty information regarding Ripple transactions. Second, Ripple also agreed to offer incentives (such as free XRP virtual currency) for customers to provide identification information, and then to cut off any Ripple customer who does not provide that information within 180 days of the settlement.

Other remedial measures are similar to those commonly seen in AML enforcement actions. Ripple agreed to comply with MSB registration and AML program requirements and to make enhancements to the company's AML controls and training program. Ripple also agreed to external audits of its program through the year 2020, and to a three-year lookback review of historical transactions for potential suspicious activity reporting.