An Analysis of the Ripple Labs FinCEN Enforcement Action
This is a guest post by Joe Ciccolo, DCC Member and CEO of BitAML.
The Ripple Labs settlement agreement, the first civil enforcement action brought against a digital currency exchange, demonstrates the perils of piecemeal AML compliance and delayed implementation. Last week, Ripple Labs, the popular payment system, currency exchange and remittance network, reached a settlement with FinCEN and the US DOJ in which it acknowledged AML compliance violations and agreed to fines in excess of $1.1 million. And that’s just the beginning. (More on the true financial and operational cost to Ripple Labs in a moment.) So what happened? And how can we learn from this enforcement action?
When Ripple Labs began blazing its trail in the world of digital currency, there were no true “rules of engagement”, and certainly nothing in the way of the AML compliance requirements that exist today. In fact, its founding predated the March 18, 2013 FinCEN guidance which applied Bank Secrecy Act (BSA) regulations to digital currency exchanges and administrators by defining them as money transmitters, a type of money services business (MSB). As detailed in the settlement agreement, Ripple Labs did not immediately register its already existing business with FinCEN when the guidance was issued. Rather, they ultimately registered a subsidiary later that same year. Thus, the company operated an unregistered money services business (MSB). Simply put, this is one of the easiest violations for a regulator to prove. It is perhaps the lowest of the proverbial low hanging fruit.
Both prior and subsequent to registering as an MSB, regulators determined that Ripple Labs did not implement an effective BSA/AML program. (Note the italicized text added for emphasis.) Lest one think they can simply delay BSA/AML compliance by postponing FinCEN MSB registration, regulators reminded digital currency entities in the settlement agreement that “…regardless of whether they have registered, as required, MSBs are subject to certain additional requirements under the Bank Secrecy Act and its implementing regulations.” So bottom line…if you’re operational, you must have an effective BSA/AML program already in place. Waiting until you reach some predetermined company milestone before building out compliance functionality is not only a regulatory violation, as FinCEN and the US DOJ proved, but a very costly business strategy.
Equally damning is the idea of cobbling together bits and pieces of your compliance program as you grow. Digital currency exchanges and administrators must be strategic and very deliberate about investments in the area of compliance. While it’s a tall order to be sure, especially for a startup or small venture, the single best approach is to lay the foundation of your program using the “four pillars” of BSA/AML compliance (1. Designation of a Compliance Officer; 2. Development of internal policies, procedures and controls; 3. Ongoing, relevant training of employees; and, 4. Independent testing and review). With few exceptions, any investments you make in the area of compliance will fall into one or more of these four buckets. The importance of developing and investing in the vitality of the four pillars cannot be understated. Within the settlement itself, regulators took the opportunity to remind digital currency exchanges and administrators that they are required to implement an AML program that, at minimum, contains each of the four pillars. While investments in compliance – a non-revenue generating function of one’s business – may seem costly, the cost of not developing and effectively implementing a strategic approach from day one is exponentially higher.
Recall earlier in this article, I alluded to the $1.1 million aggregate fine as only the beginning of the true cost. Now the real work begins! In “Attachment B: Remedial Framework”, the settlement agreement provides a detailed list of cumbersome, time-sensitive requirements and deliverables that must be turned over on an extremely tight schedule. Among these, Ripple Labs must create and implement a training program; secure an independent party to review its AML program; enhance its protocol; implement transaction monitoring systems; and, perform a “look back” for potential suspicious activity. Further, not captured in the resource cost of remediating these items is the potential loss of revenue from new or existing customers that may question their faith in the company or losses attributable to engaging regulators rather than the marketplace. Moreover, business will now be conducted on the regulator’s terms, not the company’s terms. As you may well grasp from the partial list of required remedial fixes and indirect costs, the monetary penalty is only the beginning of the financial and operational pain.
The news, however, is not all bad. In fact, regulators devoted several detailed sentences at the very beginning of the settlement agreement to applauding Ripple Labs’ cooperation and commitment to maintaining an effective AML program. This was not by accident, nor should it be overlooked. When determining monetary fines and other forfeitures, regulators generally take into consideration the level of cooperation; self-disclosures made upfront; and, past violations, if any. The acknowledgement of these proactive efforts was just as much a call to shape future interactions with other digital currency exchanges and administrators, as it was a recognition of Ripple Labs’ progress and initiative.
The settlement agreement between regulators and Ripple Labs, the first civil enforcement action against any digital currency exchange, offers a valuable learning opportunity. The speed of innovation and marketplace disruption have never met a countering forcing quite like financial regulation. Digital currency exchanges and administrators have had to make changes while in motion. Some have been forced to suspend services (temporarily or indefinitely), while others still have struggled to adapt to a system of regulation that never really seems to fit quite right. Regardless of your past experiences or current circumstances, regulation is here to stay. The Ripple Labs settlement illustrates the importance of executing a comprehensive and cohesive AML compliance strategy that begins on day one of operations. It also teaches us that proactively mending previous regulatory transgressions, owning up to compliance faults, and pursuing a course of action to make thing right can soften the blow. So, if you haven’t already begun to invest time and resources into the build out of your AML compliance program, today is the day to get started. For those that have begun, it’s imperative that you move forward by staying on top of developments in the compliance world and never look back.
The Ripple Labs settlement must be embraced as a learning opportunity. It’s just a shame that this promising venture will be held back from advancing the pace of innovation in our industry due to early AML compliance missteps.
Learn more about Joe Ciccolo, CEO of BitAML at his DCC Member Profile.