On May 5, 2015, the Financial Crimes Enforcement Network (“FinCEN”) fined Ripple Labs Inc. (“Ripple Labs”) and its wholly owned subsidiary XRP Fund II LLC (“XRP II”) $700,000 for violations of the Bank Secrecy Act (“BSA”). Specifically, FinCEN charged that Ripple Labs, which sold a virtual currency known as XRP, willfully violated the BSA by acting as a money services business (“MSB”) without registering with FinCEN, and by failing to implement and maintain an adequate anti-money laundering (“AML”) program designed to protect its products from use by money launderers or terrorist financiers. FinCEN also named XRP II, the subsidiary, as a willful violator for failing to implement an effective AML program, and for failing to report suspicious activities related to several financial transactions that occurred after XRP II had assumed Ripple Labs’ functions of selling virtual currency and acting as an MSB.

FinCEN imposed the fine in coordination with the U.S. Attorney’s Office for the Northern District of California, which had sought a $450,000 forfeiture from Ripple Labs in its parallel settlement agreement for the criminal investigation. According to the DOJ’s press release, Ripple Labs and XRP II agreed to the settlement agreement in exchange for resolving the criminal investigation and a promise. The terms of the settlement agreement incorporate the same Remedial Framework and Statement of Facts and Violations imposed by FinCEN. The $450,000 forfeiture will be credited toward the $700,000 fine. As many headlines reported, Ripple Labs became the first Virtual Currency Provider to face a civil enforcement action. The Statement of Facts and Violations, and Remedial Framework, provide an important reminder for Virtual Currency Providers and MSBs generally of the regulations with which they must comply.

First, Virtual Currency Providers are subject to the BSA and must comply with the registration and AML requirements

The BSA and its implementing regulations require MSBs to register with FinCEN by filing a Registration of Money Services Business and renewing the registration every two years. On March 18, 2013, FinCEN released guidance clarifying that exchangers and administrators of virtual currencies are money transmitters subject to FinCEN’s rules governing MSBs.

Because Virtual Currency Providers constitute MSBs, they must develop, implement, and maintain an effective written AML program that is reasonably designed to prevent the MSB from being used to facilitate money laundering and the financing of terrorist activities.

The AML program at a minimum, must:

  • Incorporate policies, procedures and internal controls reasonably designed to assure ongoing compliance
  • Designate an individual responsible for assuring day-to-day compliance with the program and BSA requirements
  • Provide training for appropriate personnel, including training in the detection of suspicious transactions 
  • Provide for independent review to monitor and maintain an adequate program

MSBs must report transactions that the MSB “knows, suspects, or has reason to suspect” are suspicious, if the transaction is conducted, or attempted by, at, or through the MSB, and the transaction involves or aggregates to at least $2,000 in funds or other assets.

Further, MSBs are required to implement Know-Your-Customer/Know-Your-Counterparty procedures in order to assess the risk involved in providing account-based or transactional services to customers based on their identity and profile, and to comply with their AML program requirements regarding foreign agents or foreign counterparties. MSBs are also subject to the Funds Transfer Rule and Funds Travel Rule, which provide that (subject to certain exceptions), for individual transactions of $3,000 or above, the transmitting financial institution must obtain, verify, and keep key information from the transmitting party, and that party’s financial institution must pass on key information from the party or regarding the transaction to any intermediary financial institution.

Second, mere registration does not mean compliance with BSA

FinCEN makes clear that the registration and AML requirements are separate and independent. In other words, registration or lack thereof does not relieve an MSB of AML program requirements. This is also true in the reverse – compliance with AML program requirements does not affect the FinCEN registration requirement.

Third, for companies looking to shore up their AML programs, the remedial measures imposed by FinCEN provide examples of the type of tools that may help ensure compliance

FinCEN’s enforcement action demonstrates its ongoing commitment to ensuring that Virtual Currency Provider and MSB systems are not at risk for exploitation. Indeed, U.S. Attorney Melinda Haag emphasized this point, stating that “Ripple Labs Inc. and its wholly-owned subsidiary both have acknowledged that digital currency providers have an obligation not only to refrain from illegal activity, but also to ensure they are not profiting by creating products that allow would-be criminals to avoid detection. We hope that this sets an industry standard in the important new space of digital currency.” 

A review of the remedial measures imposed upon Ripple Labs may help other Virtual Currency Providers avoid noncompliance pitfalls. Those measures included, in relevant part:

  • Migration of services to a registered MSB. FinCEN directed Ripple Labs and XRP II to move its virtual currency to an MSB that is registered with FinCEN.
  • Maintenance of registration
  • Development of effective AML program, risk assessment, and other compliance measures as required by applicable law, including the BSA and its implementing regulations
  • Designation and maintenance of an AML compliance officer to ensure day-to-day compliance with obligations under the BSA and its implementing regulations
  • Creation of an AML training program for BSA/AML compliance and maintenance, and written evidence of such training, including a certification of such training, the name of each employee who attended such training, and the dates of such training
  • Performance of an external audit through an independent, qualified, and outside party of BSA compliance programs to evaluate whether the programs are reasonably designed to ensure and monitor compliance with the requirements of the BSA and the FinCEN rules applicable to MSBs
  • Performance of a look-back for suspicious activity, including a review of all prior transactions and attempted transactions to which the company was a party or served as an exchanger, within the past three years, involving or aggregating to at least $2,000 in funds or other assets
  • Implementation of AML programmatic transaction monitoring. For example, the Remedial Framework stated that the monitoring and reporting must include, at a minimum: (a) risk rating of accounts based on the particular gateway used; (b) dynamic risk tools to facilitate investigation of suspicious activity, including counterparty reporting, flow of funds reporting, account flagging of suspicious accounts, and degrees of separation reporting; and (c) other reports of protocol-wide activity regarding any unlawful activity.

Though Ripple Labs and its subsidiary XRP II made history as the first Virtual Currency Providers to face a civil enforcement action, they likely will not be the last. FinCEN has now demonstrated a willingness to impose fines and remedial measures on these MSBs, particularly those in innovative and newly established parts of the industry that are at risk for exploitation through criminal activity. Further, these remedial measures underscore the government’s interest in having companies develop robust compliance programs to protect against security threats. Accordingly, companies seeking to reduce their noncompliance risk are well advised to consider implementing the measures outlined above.