Privacy & Information Security Law Blog

On May 5, 2015, the Financial Crimes Enforcement Network of the U.S. Treasury Department (“FinCEN”), in coordination with the U.S. Attorney’s Office for the Northern District of California (“USAO”), announced a civil monetary penalty of $700,000 against Ripple Labs, Inc. (“Ripple Labs”) and its subsidiary XRP II, LLC (“XRP II”) for violations of the Bank Secrecy Act (“BSA”). This assessment represents the first BSA enforcement action against a virtual currency exchanger by FinCEN. The fine coincides with a settlement agreement between Ripple Labs, XRP II and the USAO to resolve any criminal and civil liability arising out of these activities, the terms of which include a $450,000 forfeiture and full cooperation by Ripple Labs in the ongoing investigation.

Ripple Labs facilitated transfers of virtual currency and provided virtual currency exchange services. Ripple Labs maintained its own virtual currency, known as XRP, and was the second-largest cryptocurrency after Bitcoin at the beginning of 2015.

The enforcement action follows guidance issued by FinCEN in March 2013 clarifying that the BSA and implementing regulations applied to participants in the virtual currency arena and, more specifically, that “exchangers” and “administrators” of virtual currencies were required to register with FinCEN as “Money Service Businesses” (“MSB”). (See FIN-2013-G0001.) The BSA further requires MSBs to implement anti-money laundering (“AML”) programs, report suspected suspicious transactions over $2,000 and adopt certain “Know-Your-Customer” (“KYC”) procedures.

According to the Settlement Agreement, Ripple Labs operated as an MSB without registering with FinCEN and continued to engage in covered activity after the FinCEN guidance was issued in March 2013. Specifically, Ripple Labs failed to establish an appropriate AML program and failed to adopt adequate policies and procedures to comply with its obligations under the BSA. It was noted that the Ripple Labs subsidiary, XRP II, was registered with FinCEN, but nevertheless failed to adopt an effective AML program and failed to report suspicious transactions.

In an attached “Statement of Facts and Violations” Ripple Labs admitted to specific violations of the BSA. For example, in September 2013, its subsidiary, XRP II, negotiated a $250,000 transaction for the sale of virtual currency by email and agreed to dispense with its KYC requirements when the customer objected to providing information. In November 2013, XRP II rejected a $32,000 transaction because of concerns over the legitimacy of the overseas customer’s source of funds, but failed to file a suspicious activity report (SAR).

The settlement agreement with the USAO requires Ripple Labs to cooperate fully with an ongoing investigation of related criminal violations and offered no “protection from prosecution” to any individuals, to include present or former officers, directors and employees of Ripple Labs. In addition to the civil fine and forfeiture, Ripple Labs and XRP II agreed to engage in remedial steps to ensure future compliance with the BSA, to conduct a three-year “look back audit” for suspicious transactions and to retain external independent auditors to review BSA compliance biannually until 2020.

This action underscores the importance of responding to advisory guidance from FinCEN addressing the application of existing regulations and adapting compliance measures accordingly. Reference in the statement of facts to the previously issued FinCEN guidance demonstrates the government’s view that the advisories put institutions on notice of regulatory requirements. Failure to act following such clarification is evidence of “willfulness” as that term is used in civil enforcement of the BSA. A proactive response to evolving regulatory guidance should be viewed as an investment in risk management, and ultimately more cost effective than a subsequent enforcement action that could result in years of regulatory scrutiny. Banking institutions should take measures to ensure that BSA-covered account holders, subsidiaries and affiliates have the requisite compliance programs and licenses as part of KYC and ongoing due diligence.

View a copy of our client alert.