On May 5, 2015, virtual currency exchanger Ripple Labs Inc. (“Ripple Labs”) and its wholly-owned subsidiary XRP II, LLC (together with Ripple Labs, “Ripple”)1 entered into a consent agreement with the Financial Crimes Enforcement Network (FinCEN) in which Ripple consented to a $700,000 civil penalty and stipulated to a “Statement of Facts and Violations” admitting that Ripple failed both, to register as a money services business (MSB) as required under the Bank Secrecy Act (BSA) as a result of selling its “XRP” virtual currency,2 and to satisfy other BSA requirements, including its anti-money laundering (AML) and transaction reporting obligations. Ripple concurrently entered into a settlement agreementwith the United States Attorney’s Office in the Northern District of California (USAO) in which Ripple stipulated to the same statement of facts and agreed to forfeit $450,000 to the USAO, this forfeiture will be credited to partially satisfy FinCEN’s $700,000 civil penalty. As part of its consent and settlement agreements, Ripple agreed to certain remedial actions (described below). The enforcement action against Ripple is noteworthy because it is the first civil enforcement action against a virtual currency exchanger for failing to register as an MSB. In December 2013, FinCEN had sent “industry outreach” letters to virtual currency businesses advising that they may need to register as MSBs but otherwise initiated no enforcement actions. In FinCEN’s news release, FinCEN Director Jennifer Shasky Calvery explained FinCEN’s underlying policy rationale for targeting Ripple by noting that “[v]irtual currency exchangers must bring products to market that comply with our anti-money laundering laws” and that “[i]nnovation is laudable but only as long as it does not unreasonably expose our financial system to tech-smart criminals eager to abuse the latest and most complex products.” Background On March 18, 2013, FinCEN released guidance (the “Guidance”) clarifying the applicability of the BSA to “users,” “administrators” and “exchangers” of “convertible virtual currency.” (For more information on the Guidance, see Sidley Austin’s client alert here.) The Guidance explains that both exchangers and administrators of virtual currencies are money transmitters and that money transmitters are a type of MSB generally required to register under the BSA.3 Ripple stipulated that it had acted as a virtual currency exchanger—therefore constituting a money transmitter under the BSA—since it sold its XRP virtual currency.4 As noted above, the BSA requires money transmitters to register with FinCEN as an MSB, which Ripple had failed to do. Violations According to the consent and settlement agreements, Ripple Labs Inc. acted as a virtual currency exchanger from at least March 6, 2013 through April 29, 2013 and sold at least $1.3 million worth of its XRP virtual currency. Additionally, Ripple Labs failed to establish an AML program along with other policies to ensure compliance with the BSA, including failing to designate a BSA compliance officer, conduct AML training, or obtain an independent review of its procedures. XRP II, LLC stipulated to similar violations. First, it admitted that it commenced its virtual currency exchange business in August 2013 without registering as an MSB until September 2013. Second, it stipulated that it failed to develop an adequate AML program, including failing to:
Develop a written AML program for nearly two months; Hire an AML compliance officer for six months; Conduct an AML risk assessment until March 2014; Offer AML training for nearly a year; Obtain an independent review of its AML program for nearly a year; and Establish adequate internal controls to otherwise ensure BSA compliance.
Third, XRP II, LLC failed to either file or timely report suspicious activity related to several financial transactions. Remedial Actions In addition to the civil monetary and forfeiture penalties, Ripple has agreed to:
Only transact virtual currency exchange activity through a registered MSB; Implement an effective AML program, including transaction monitoring and reporting procedures, satisfying any Know-Your-Customer requirements, hiring an AML compliance officer, and providing related AML training; Comply with the Funds Transfer Rule and Funds Travel Rule (which require the collection and transmission of certain customer information in connection with transactions of $3,000 or more); Conduct a three-year “look-back” reviewing all prior transactions of at least $2,000 to report any suspicious activity; and Obtain an independent auditor to review BSA compliance every two years until and including 2020.
Additionally, Ripple agreed to strengthen the XRP protocol analytical tools to provide for counterparty and funds flow reporting. Industry stakeholders should take notice of this FinCEN consent agreement as it signals FinCEN’s attention to virtual currency activities and expectations with respect to virtual currency exchangers.