First FinCEN civil action on virtual currency exchanger makes waves in fintech sector

The US Treasury’s Financial Crimes Enforcement Network (FinCEN) executed its first civil enforcement action against a virtual currency exchanger Tuesday in a $700,000 penalty against a San Francisco-based firm and its subsidiary for a host of anti-money laundering program deficiencies.

The fine against Ripple Labs Inc. related to its failure to register  with FinCEN while acting as a money services business and failing to implement adequate anti-money laundering (AML) controls, including properly monitoring for aberrant activity and filing suspicious activity reports (SARs).

The company’s subsidiary, XRP II, LLC, assumed the function of its parent to sell virtual currency and also lacked an AML program and did not report suspicious activity related to its business, in violation of the Bank Secrecy Act.

FinCEN Director Jennifer Shasky Calvery announced the penalty this week. The Vienna, VA-based agency worked in tandem with the US Attorney’s Office for the Northern District of California, which also announced a settlement agreement with the two associated companies.

Ripple Labs  and its subsidiary will not be prosecuted criminally. Ripple Labs forfeited $450,000 as part of the settlement, which will be credited to partially comply with the $700,000 penalty.

Marco Santori, a counsel at the Pillsbury law firm in New York City and chairman  of the Bitcoin Foundation’s Regulatory Affairs Committee, said the Ripple Labs penalty underscores the increasing regulatory burden in the digital currency space.

“It’s really the first public announcement of FinCENs intention to move away from understanding the industry to an enforcement posture when they are actively enforcing the guidance they published in March 2013,” he said.

Several factors helped the company with this settlement agreement, including its cooperation with the government in the ongoing investigation of its business practices. The three-year agreement stipulates that the company must enhance its AML program and train its employees to more effectively implement the controls.

Ripple Labs was founded in 2012 and is the second-largest cryptocurrency by market capitalization after Bitcoin, was formerly called OpenCoin and developed what is called the “Ripple protocol.”

Its website describes its team as a group of “experienced cryptographers, security experts, distributed network developers, Silicon Valley and Wall Street veterans” that work to code the open-source software. XRP is another math-based currency that is native to the Ripple network.

Must ‘look-back’ to move forward

Both companies will have to transact activity through a registered MSB and comply with the Funds Transfer and Funds Travel Rules. Pursuant to the agreement, the companies will also have to conduct a three-year “look-back” review to file SARs for prior missed suspicious transactions.

The companies are also required to have an outside independent auditor who will review their compliance with the Bank Secrecy Act every two years up to 2020, and will check for 11 steps that it will need to take to fulfill the agreement.

US Attorney Melinda Haag said, in a press release issued by FinCEN on the penalty, that the agreement demonstrates the vigilance on financial markets to ensure security and prevent misuse.

“Ripple Labs Inc. and its wholly-owned subsidiary both have acknowledged that digital currency providers have an obligation not only to refrain from illegal activity, but also to ensure they are not profiting by creating products that allow would-be criminals to avoid detection,” she said.

“We hope this sets an industry standard in the important new space of digital currency,” she added.

Multilateral investigation reveals exchanger had AML dark corners

In addition to being the tax authority of the United States, the Internal Revenue Service also handles a wide range of financial crime issues, including AML/BSA compliance for money services businesses through its AML division.

That division inherited responsibility for the AML exams of virtual currency businesses when FinCEN officially declared they would be treated as MSBs and would be held to the same expectations of regulatory compliance.

The IRS and its criminal investigation division worked in tandem with the US Attorney’s Office and FinCEN to handle the investigation.

According to the US Attorney’s Office, Ripple Labs failed to file a suspicious activity report when it negotiated a $250,000 transaction with a former felon convicted of dealing with explosive devices in 2013. Ripple Labs also sold its subsidiary XRP while not registered with FinCEN.

FinCEN released guidance in March 2013 clarifying the applications of the regulations implementing AML rules on in the virtual currency space. Pursuant to federal law, MSBs including exchangers and administrators, must register with FinCEN.

IRS CI Chief Richard Weber commented that federal regulations are in place to detect and stop illegal activities, including those in the virtual currency arena.

“Unregulated, virtual currency opens the door for criminals to anonymously conduct illegal activities online, eroding our financial systems and creating a Wild West environment where following the law is a choice rather than a requirement,” he said.

The ripple effect of the penalty on the fintech sector

While Ripple Labs has been cooperating with the US government, and therefore saw its original criminal charges dropped, the civil action may cause an aftershock in the financial technology industry, specifically for virtual currency businesses.

The case shows that cooperation and compliance can mollify regulators, though the reputational damage it has caused, and the actual cost of the penalty, are still to be seen.

Though the penalty may not seem high compared to fines issued on major banks and other financial institutions for their AML lapses that have soared into the billions of dollars, but can be difficult to bear for a smaller startup operation.

Looking ahead, though, the compliance costs for virtual currency startups may rise significantly, including by implementing better training procedures for staff, acquiring new technology for monitoring systems, and other must-haves the regulators are looking for to check off during investigations and audits.

Santori said the cost of noncompliance is higher than the costs of compliance, and virtual currency companies are taking notice.

Compliance at times an afterthought, must be at the forefront

The Ripple Labs penalty is another confirmation to new and prospective companies focused on revenues that they should invest in compliance.

“I think that by and large virtual currency companies have been fairly diligent about upholding their federal obligations and FinCEN has on multiple occasions noted that. They have said that virtual currency companies have filed SARs and [currency transaction reports (CTRs)]. State compliance is really the biggest challenge.”

State licensing is an uneven landscape with different requirements depending on the jurisdiction, he explained.

On a Federal level, he said FinCEN has been working very closely to understand the industry.

“I think they should be applauded for that. This settlement is just another example of that,” Santori added.

Ripple Labs Spokeswoman Monica Long issued a comment on behalf of the company, highlighting that Ripple Labs was one of the first to create a compliance program in the virtual currency landscape.

“We’ve been consistent in our message of supporting a compliant and healthy Ripple ecosystem,” she said in the statement. “We have not willfully engaged in criminal activity, nor has the company been prosecuted. We couldn’t agree more with Chief Weber’s observation that a ‘Wild West environment’ is untenable in financial services.”

Regulators still weary of virtual currency, mindful of criminal actions

Virtual currency advocates are striving to change the image of Bitcoin in the eyes of regulators who see it as an avenue for crime.

However, major cases like the Silk Road dark web marketplace, which was shut down by investigators in 2013, have tainted the reputation of the modern cryptocurrency system, also revealing dark corners where traditional AML compliance rules don’t necessarily apply.

Without a centralized authority approving transactions, and with no personal identity attached to Bitcoin transactions, the tenets of Know-Your-Customer and Customer Due Diligence are somewhat moot points in the virtual currency ambit.

In the Silk Road case, Ross Ulbricht, the site’s administrator,  was later found guilty on all seven charges in federal court, including narcotics and money laundering conspiracies and a “kingpin” charge.

Prosecutors said Ulbricht enabled more than 1 million drug deals on Silk Road and earned about $18 million in bitcoins through the sale of illegal drugs.

The US Department of Justice seized millions of dollars in Silk Road bitcoins through the case. US Attorney Preet Bharara said in a statement after the verdict that “the supposed anonymity of the dark web is not a protective shield from arrest and prosecution.”