On May 5, Ripple Labs (Ripple) entered into a consent decree with the Financial Crimes Enforcement Network (FinCEN), under which Ripple admitted to conduct that violated U.S. anti-money laundering (AML) laws and agreed to take remedial measures to prevent future violations. Concurrently, Ripple entered into an almost identical settlement agreement with the U.S. Department of Justice (DOJ), under which Ripple further agreed to cooperate with the DOJ in any investigations and prosecutions into AML violations associated with Ripple’s conduct. FinCEN assessed a $700,000 civil money penalty (CMP) against Ripple, of which $450,000 will be deemed satisfied by Ripple’s forfeiture to the DOJ of that amount.
The size of the CMP is surprising given that in recent years other money services businesses (MSBs) have been fined a fraction of the amount for repeated AML violations over several years, while Ripple and its affiliates were operating as MSBs for only two years. The statement of facts and violations attached to the consent decree and settlement agreement make clear that FinCEN and the DOJ expect strict compliance by virtual currency companies with all AML requirements applicable to MSBs. Ripple and its subsidiary XRP II, LLC sold large amounts of the Ripple network currency, XRP. Under recent guidance on virtual currency activities from FinCEN, such activities obliged Ripple to register as MSBs and to fulfill certain requirements applicable to MSBs. These requirements include maintenance of an AML policy and appointment of an AML compliance officer, as well as numerous recordkeeping, monitoring and reporting requirements. Although Ripple did eventually fulfill many of these requirements after becoming an MSB, it was penalized for the interim period of several months when it was not compliant, as well as for failing to adhere strictly to the requirements of its AML policy in connection with several sales.
The consent decree and settlement agreement also specify certain remedial measures to be taken by Ripple, including creation and implementation of an AML training program, an external audit of Ripple’s AML program, enhancement of Ripple’s AML screening and monitoring capabilities, and retroactive examination of transactions for previously-undetected money laundering activity, along with filing any required Suspicious Activity Reports on such activity. Notably, despite mandating general compliance with AML laws, the remedial measures specifically call for compliance with the Funds Travel Rule and Funds Transfer Rule.
Broadly speaking, the “Travel” Rule requires regulated financial institutions (including MSBs) to retain and include in payment instructions certain information related to the payment and its participants, so that a funds transfer can be traced from end to end even if it passes through multiple intermediary financial institutions (at least domestically). Although the justification for the Travel Rule may be clear, how to implement its requirements in the context of cryptocurrencies is anything but. Traditional payment systems such as credit card, ACH and wire are closed systems set up to support the entry and transmission of the required information fields between participants, who must be regulated depository institutions. However, using Bitcoin as an example, most cryptocurrencies are open systems and users do not need to go through a financial institution in order to effect transactions. This presents a challenge for transactors who are financial institutions subject to AML laws. Although it is possible to comply with the Travel Rule when submitting a transaction to the blockchain by including the required information within the supported metadata fields, all the information is visible to the general public. While required fields such as the amount and execution date of the transfer are inherently public for Bitcoin transactions, other required fields include the name, address and account number of the sender and (if applicable) the receiver. In fact, if any other specific identifying information on the receiver is available (such as a telephone number or social security number), this must also be included. Finding out whether any given counterparty is a financial institution and complying with the resulting Travel Rule requirements, while maintaining the privacy (and indeed personal safety) of individuals, will therefore present an ongoing challenge for cryptocurrency businesses.