UPDATE 6th May 1:30 UTC: Ripple Labs’ official response to the FinCEN settlement has been added below.

The Financial Crimes Enforcement Network (FinCEN) has fined Ripple Labs and its subsidiary XRP II a combined $700,000 for “willful violations” of the Bank Secrecy Act (BSA).

According to a 5th May press release by the US regulator, Ripple Labs failed to register as a money services business (MSB) with FinCEN prior to selling XRP, a digital token used to settle payments on the Ripple network. Additionally, the company is said to have failed to implement appropriate anti-money laundering (AML) procedures concurrent with its responsibilities as an MSB.

Similarly, its subsidiary, XRP II, is said to have acted unlawfully as an MSB without an effective AML program, failing to report “several” transactions said to be suspicious in nature.

The bulk of the violations against both companies appear to have taken place between 2013 and early 2014, according to a more detailed addendum to the release.

Notably, the agreement between Ripple Labs, its subsidiary and FinCEN has also taken place at the same time as a settlement between the companies and the US Attorney’s Office in the Northern District of California. The Internal Revenue Service’s Criminal Investigation Division also contributed to the investigation.

Ripple and XRP II agreed to pay $450,000 and settle “possible criminal charges” in connection with that investigation, with those funds being credited to the fine imposed by FinCEN.

FinCEN Director Jennifer Shasky Calvery said in a statement that the event should serve as a reminder to all US companies that facilitate the exchange of digital currencies:

“Innovation is laudable but only as long as it does not unreasonably expose our financial system to tech-smart criminals eager to abuse the latest and most complex products.”

Ripple Labs and XRP II have agreed to a number of conditions to settle with both FinCEN and the US Attorney’s Office, including “enhanced remedial measures” aimed at beefing up its monitoring programs.

The settlements dictate that “certain enhancements” to the Ripple Protocol need to take place “to appropriately monitor all future transactions”.

The company further agreed to biannual compliance audits through 2020.

Ripple responds

When reached for comment, a spokesperson for the company sought to frame the decision as one that showcased the tribulations that can come with building a company in an emerging field.

“Ripple Labs was one of the first to proactively build out a compliance and risk program,” Ripple Labs spokesperson Monica Long told CoinDesk. “We’ve been consistent in our message of supporting a compliant and healthy Ripple ecosystem.”

Long went on to stress that Ripple Labs does not believe it “willfully engaged” in criminal activity, adding that the company has not been prosecuted for any of its actions.

Long added:

“Ripple is infrastructure technology for banks to build compliant payment networks. The settlement announced today does not impede our ability to execute on those bank integrations.”

Government cooperation

Settlement documents provided by the Department of Justice (DOJ) go on to detail the considerations made during the settlement process with Ripple Labs and the factors that led it to drop its criminal charges.

Among the factors cited by the DOJ were what the agency called Ripple’s “extensive cooperation” with the government, its commitment to enhancing internal controls and its promise that it would continue to cooperate on matters of future concern.

Further, the company agreed to certain measures for a three-year term, including that it would disclose “any document, record or other tangible evidence” relating to BSA violations; designate employees to provide the government requested materials; and ensure the government has access to current executives, and to the extent possible, former company directors.

Should Ripple Labs be found in violation of the agreement, it will be provided with 30 days to respond to the accusations levied by the DOJ before action is taken.

Subsidiary issues

The involvement of Ripple Labs subsidiary XRP II is largely due to its use as a mechanism for the company to sell XRP “to various third parties on a wholesale basis”. The company undertook sales of XRP prior to registering as an MSB, which took place on 4th September, 2013.

The company also failed to develop and implement a written AML policy until 26th September of that year, while operating without a compliance officer until “late January 2014”. According to FinCEN, XRP II had “inadequate internal controls” to ensure BSA compliance and did not conduct an AML risk assessment prior to March 2014.

The documents suggest Ripple Labs has been aware of a federal investigation into compliance violations during the period in which XRP II was noncompliant.

“XRP II did not conduct training on its AML program until nearly a year after beginning to engage in sales of virtual currency, by which time Ripple Labs was aware of a federal criminal investigation,” the document states, suggesting that the company failed to conduct an independent review of its AML program during the same period.

The FinCEN document outlined three transactions showing how XRP II failed to file suspicious activity reports (SARs) despite being required to do so.

The most notable transaction of the three took place on 30th September, when the company sold $250,000 in XRP by email to Ripple Labs investor Roger Ver without requiring a know-your-customer form to be filled out.

XRP II is said to have failed to file two additional reports for attempted XRP purchases that took place in November 2013 and January 2014. In both cases, XRP II did not actually conduct a transaction but also failed to file SARs.

The official settlement agreement can be found below:

Settlement Agreement