In what it’s calling the “first civil enforcement action against a virtual currency exchanger,” the Financial Crimes Enforcement Network (FinCEN) announced on Tuesday, May 5, 2015, that a civil money penalty of $700,000 would be imposed against Ripple Labs, Inc., for various violations of the Bank Secrecy Act (BSA) and for operating as a virtual currency exchange without registering for a money services business (MSB) license. To fully grasp the issues at stake here, some background on Ripple is useful.
The fundamental reason cryptocurrencies, Bitcoin being the most well-known example, have generated so much interest among technologists is that it allows users to decentralize trust through the use of a shared, replicated ledger. What this means is that Bitcoin’s blockchain, the public ledger that logs every single transaction, allows users to transact value across the internet with complete strangers without involving any central authority that might add costs and delays to the transaction. Ripple (or XRP as it’s represented), is a cryptocurrency platform launched by Ripple Labs that aims to bring the undeniable benefits of a shared, replicated ledger to the risk-averse world of mainstream financial institutions. It seeks to distance itself from the negative associations that cryptocurrencies like Bitcoin have accrued, by positioning itself as a protocol for clearing and settlement of transactions between financial institutions. Other differences with Bitcoin are more technical in nature, with the most important being that Ripple s uses something called a ‘consensus algorithm’ to process and record transactions on its ledger, which is different from Bitcoin’s ‘proof-of-work’ system. Essentially, this allows for Ripple to be less energy-intensive, process transactions faster, and reduce susceptibility to malicious collusion amongst its participating nodes (the servers responsible for updating the ledger). Ripple’s unique architectural choices also impose tradeoffs, which we won’t go into here.
In its original guidance, issued on March 18, 2013, regarding how the Bank Secrecy Act applies to virtual currency, FinCEN stated the following:
“An administrator or exchanger that (1) accepts and transmits a convertible virtual currency or (2) buys or sells convertible virtual currency for any reason is a money transmitter under FinCEN’s regulations, unless a limitation to or exemption from the definition applies to the person. FinCEN’s regulations define the term “money transmitter” as a person that provides money transmission services, or any other person engaged in the transfer of funds.
Reading through FinCEN’s articulation of how Ripple violated its guidance, there are two key areas where Ripple Labs went wrong. First, it operated as an administrator and exchanger of virtual currency (XRP in this case), without a money services business (MSB) license, either directly or through a subsidiary, until at least September 4, 2013—a good five months after FinCEN released its guidance. Second, Ripple failed to institute a robust anti-money laundering (AML) program, headed by a full-time compliance officer, ensuring adequate KYC measures were undertaken and suspicious transaction activity reported.
Despite the fairly serious nature of these infractions, FinCEN decided to settle for imposing a fine on Ripple Labs and not pursue criminal charges. Ripple Labs has committed to fully complying with all BSA regulations in the future and undertake a number of remedial measures. These include “enhancements to the Ripple protocol” to create analytical tools that would allow for reporting regarding any counterparty or flow of funds using the Ripple protocol and instituting protocol-wide AML measures to assess risk and flag suspicious activity.
For many cryptocurrency enthusiasts, many of whom espouse strong libertarian leanings, Ripple’s settlement with FinCEN represents why Bitcoin remains the cryptocurrency of choice. Its decentralized and open source nature means that no single party analogous to Ripple Labs exists to impose protocol-wide standards. It makes the system extremely resilient (or perhaps, more accurately, ‘anti-fragile’) to government sanction or external attack. The way regulatory agencies in the US, whose primary mandate is to thwart criminal actors from using the financial system, have approached this problem is to robustly regulate those nodes where the traditional financial system intersects with Bitcoin-based service providers. Hence entities seeking wide mainstream adoption such as Coinbase and Circle, must demonstrate their compliance with all existing money transmission regulations in order for their users to be able to integrate their online bank accounts. While these providers can effectively monitor the activity of users within their platform, the task becomes much more difficult as users engage in Bitcoin transactions with unknown Bitcoin addresses, especially if those are controlled by actors in countries with lax AML enforcement.
Given these challenges, having a single entity with more control over the cryptocurrency protocol, as is the case with Ripple, suddenly seems like strength rather than a design flaw. It gives regulators confidence that this is a technology they can grapple with given the tools at their disposal, and reassures financial institutions who are wary of associating with third parties that may expose them to more risk than they are willing to tolerate. For Ripple Labs, this censure may therefore be a way to demonstrate that they are cryptocurrency platform that regulators understand, making them a more palatable partner for mainstream financial institutions.