Wednesday, May 6, 2015

FinCEN fines Ripple $700k, requires remedial actions

Post updated to reflect comments from Ripple; see bottom of post.

The U.S. Financial Crimes Enforcement Network (FinCEN) has announced an enforcement action against Ripple Labs, Inc. (Ripple) and its subsidiary XRP II, LLC (XRP). This is the first enforcement action against a virtual currency company. Their findings of facts and violations include that Ripple acted as a money service business (MSB) without registering with FinCEN, and that both Ripple and XRP acted improperly. The fine is $700,000.

The rules that FinCEN found Ripple and XRP to be in willful violation of are primarily ones of anti-money laundering (AML) compliance. They did not implement their AML program quickly enough; when it was implemented, it was not good enough; and a number of transactions which FinCEN deemed to warrant the filing of suspicious activity reports (SARs) did not get filed. These are the sort of violations that any exchange (whether dealing in virtual currencies or strictly fiat ones) might commit.

The remedial actions required by FinCEN are what seem to be causing the most conversation on Twitter and similar online discussion forums.

A lot of it is exactly what you'd expect. There's the $700,000 fine, a requirement that Ripple and XRP implement better AML practices, and the requirement of a third-party auditor for the next six years to verify that the AML program is in place and being followed appropriately. There's also a requirement to look back at the last three years of data available to Ripple and file any SARs that such information may warrant.

Further, however, the remedial actions may require (though it's not entirely clear) updates to various parts of the virtual currency software developed by Ripple. This is not the software and business logic used internally at Ripple or XRP to run their businesses, but the software that runs the Ripple protocol and network.

Let's take a look at some of the requirements specifically.
Within 30 days of the date of this agreement, Ripple Labs and XRP II will move its service known as Ripple Trade (formerly known as Ripple Wallet, which allows end users to interact with the Ripple protocol to view and manage their XRP and fiat currency balances), and any such functional equivalent, to a money services business that is registered with FinCEN (the “Ripple Trade MSB”).
So the wallet needs to be run out of the FinCEN registered MSB. I'm surprised this isn't already the case, but maybe it's a question of formally moving ownership of Ripple Trade from Ripple to XRP (the latter is registered currently).
Users of Ripple Trade (which will include all users registering after the date of this agreement and any existing users who register at the request of Ripple Labs) will be required to submit customer identification information, as required under the rules governing money services businesses, to the Ripple Trade MSB;
This seems a lot like what Coinbase and Circle already require today in the Bitcoin world. One thing that's different, however, is that, per the Ripple Terms of Use (see Item 3), Ripple Trade does not have access to user keys. They're a web-based wallet like Blockchain.info. This indicates that while wallets that lack keys to your accounts may not have the same level of fiduciary obligations as a hosted wallet like Coinbase, they still have AML obligations under FinCEN rules.
After 180 days of the date of this agreement, Ripple Labs will (1) prevent any existing Ripple Trade user who has not transferred to a wallet or account with customer identification information from accessing the Ripple protocol through the Ripple Trade client, and (2) not otherwise provide any support of any kind to such a user in accessing the Ripple protocol.
So, 180 days from now, any Ripple Trade account which is not AML-compliant will be frozen. Interestingly this requirement doesn't just say that they cannot trade with Ripple Trade. It says the account cannot be allowed access to the Ripple protocol. If they cannot access the protocol then they cannot move the money to another wallet or a personal wallet. The money is just stuck there until they meet the reporting requirements.
8. Enhancements to Ripple Protocol: Within 60 days, Ripple Labs, XRP II, and the Ripple Trade MSB will improve, and upon request provide any information requested by FinCEN or the U.S. Attorney’s Office as to the use and improvement of, existing analytical tools applicable to the Ripple protocol, including: (1) reporting regarding any counterparty using the Ripple protocol; (2) reporting as to the flow of funds within the Ripple protocol; and (3) reporting regarding the degree of separation. 
I am admittedly not as familiar with the Ripple network as I am with Bitcoin. I'm not sure what sort of blockchain analysis (if that's even the right word) is possible on Ripple. But this requirement seems to be saying that Ripple will build the tools necessary to do blockchain analysis that can positively identify any counterparty and follow the flow of funds between parties. No doubt there will be some connection between these tools and the AML-required customer information collected.
10. Transaction Monitoring: Ripple Labs will institute AML programmatic transaction monitoring across the entire Ripple protocol, and will report the results of such monitoring to the U.S. Attorney’s Office, FinCEN, and any other law enforcement or regulatory agency upon request. The monitoring and reporting must include, at a minimum: (a) risk rating of accounts based on the particular gateway used; (b) dynamic risk tools to facilitate investigation of suspicious activity, including counterparty reporting, flow of funds reporting, account flagging of suspicious accounts, and degrees of separation reporting; and (c) other reports of protocol-wide activity regarding any unlawful activity
More monitoring and blockchain analysis, this time (I think) for "programmatically" identifying accounts and activity which warrant a SAR being filed.

An important thing to note is that both Section 8 and Section 10 are only possible because Ripple runs on a shared, transparent ledger (like Bitcoin). There is no equivalent to "monitor across the entire protocol" in regular banking, because there is no shared ledger. Everything has to happen at the individual bank level. FinCEN is leveraging the existence of the shared ledger to get better information than they normally could get from any single firm, and they're having Ripple do the development work for them. This certainly shows they understand how the new technology is different from the old technology, and how it creates opportunities for FinCEN as a regulator.

Okay, last section:
11. Funds Travel Rule and Funds Transfer Rule: XRP II and the Ripple Trade MSB will ensure, or continue to ensure, that all transactions made using XRP II, Ripple Trade, or Ripple Wallet will be, or will continue to be, in compliance with the Funds Transfer Rule and the Funds Travel Rule. 
The "Funds Transfer and Travel Rules" require that one financial institution (including, in this case, Ripple Trade and Ripple Wallet) must pass on certain information to the next institution (or wallet) for certain kinds of transactions. Essentially, Ripple can't just send your XRP to Joe Wallet Co., it also has to send them your name and address.

The requirement that all "transactions" be compliant with the travel rule implies to me that Ripple Trade will have to be updated to disallow transactions where the requirements are not met. This further implies that assets can only be transferred out of Ripple Trade or Ripple Wallet if they are being sent to another compliant wallet.

A question of what a "compliant wallet" is remains open. Is it sufficient that a wallet promise to provide and receive the necessary information? What if it becomes common knowledge that one particular wallet host is lousy about keeping records? I doubt FinCEN would be happy with that, which further implies some sort of whitelist for wallets.

[SEE UPDATE BELOW] The last point to raise is this speech by FinCEN Director Calvery, given today. In it she says:
Ripple Labs will also undertake certain enhancements to the Ripple Protocol to appropriately monitor all future transactions.
My initial (and definitely not legal advice!) reading of Ripple's remedial action requirements didn't see any requirement that the protocol be updated - despite Section 8 being called "Enhancements to Ripple Protocol". The closest change I see to a protocol-level change would be Section 11, but even the Travel rule could be enforced at the wallet level (not the protocol level). The actual text of the remedies implies enhancements to monitoring software and wallets. But Director Calvery seems to think the protocol will be changed. I could plausibly speculate a number of reasons for this being the case (loose language, last minute changes to the settlement, technical non-clarity at FinCEN, etc.), but right now it's just not clear what this means.

UPDATE: The BitBeat blog reports that the protocol will not be updated after all. The following statements come from Ripple:
All that Ripple had agreed to, [Ripple Labs’ new Bank Secrecy Act officer, Antoinette O’Gorman] said, was to build enhanced “analytical transaction monitoring tools for monitoring transactions across the protocol” and to furnish information drawn from that monitoring to U.S. authorities upon request. The changes had “nothing to do with the protocol itself,” she said.
These monitoring tools are secondary applications that anyone could have built to analyze the flow of data across the publicly transparent ledger of Ripple transactions, she said.
Okay, so it's blockchain analysis tools, as I speculated above. This reinforces my point that FinCEN is taking advantage of the unique nature of transparent, decentralized ledgers to see further into the flow of funds than a bank-by-bank approach would allow.

The other interesting point is this:
Addressing another contentious point, Ms. Gorman said her company had argued that Ripple Trade, a wallet application with which people can view and manage their balances of XRP, Ripple’s native currency, should not be registered as a money service business, or MSB, under FinCEN rules because it was merely a software tool without power to take custody of funds or directly exchange currency. However, FinCEN was insistent, demanding that Ripple Trade be migrated to a properly registered MSB, which means that its users must submit customer identification information.
I would like to know more about FinCEN's basis for this demand. Is FinCEN going down the road that software which allows financial activity must be hosted by regulated companies (where users must disclose identifying information)? Or did they just ask for what they thought they could get? With the issues around whether the protocol is being changed being resolved in the negative, this part is now the biggest open question raised by this action.
