On September 15 2015 the Conference of State Bank Supervisors (CSBS) issued its Model Regulatory Framework for State Regulation of Certain Virtual Currency Activities(1) to assist states in developing regulatory approaches to licensing and supervising virtual currency activities. The model framework takes into account comments received on a draft developed by the CSBS Emerging Payments Taskforce and published for comment in December 2014.(2) While important changes were made, the model framework remains a high-level outline that will require substantial elaboration as individual states attempt to use it to guide their own rule-writing efforts. Nonetheless, it provides useful insight into the direction of state regulation of virtual currency activities.
Definitions of 'virtual currency' and 'covered activities'
'Virtual currency' is defined by the model framework as "a digital representation of value used as a medium of exchange, a unit of account or a store of value, but does not have legal tender status as recognized by the United States Government". 'Virtual currency' expressly includes digital currencies and cryptocurrencies, and expressly excludes:
- the software or protocols governing the transfer of the digital representation of value;
- stored value redeemable exclusively in goods or services limited to transactions involving a defined merchant; or
- units of value that are issued in affinity or rewards programmes and that cannot be redeemed for either fiat or virtual currencies.
While the express exclusion of closed-loop pre-paid or stored value systems is helpful, the definition does not address the finer points that would help to differentiate virtual currencies from a variety of open-loop pre-paid or stored value products.
Importantly, the model framework applies to activities involving third-party 'control' of virtual currencies. The following activities, when carried out on behalf of another, are specifically identified as being covered by the model framework:
- the transmission of virtual currency;
- exchanging sovereign currency for virtual currency (or vice versa) or different virtual currencies; and
- services that facilitate the third-party exchange, storage and/or transmission of virtual currency.
A number of important questions are raised by the definition and the examples, including how broadly the concept of control will be applied (eg, whether any single party controls a virtual currency that is held with multi-signature technology) and how broadly the concept of facilitate might be applied. Among other things, the model framework gives as examples of such facilitation "wallets, vaults, kiosks, merchant-acquirers, and payment processors", yet some of these activities may not be considered licensed money transmission when they involve fiat currency, thereby raising the question of what attributes of virtual currencies warrant such new levels of regulation.
The model framework expressly excludes the following activities:
- merchants and consumers which use virtual currencies solely for the purchase or sale of goods or services;
- activities that are not financial in nature but utilise technologies similar to those used by digital currencies;
- activities involving units of value that are issued in affinity or rewards programmes and that cannot be redeemed for either fiat or virtual currencies; and
- activities involving units of value that are used solely within online gaming platforms and have no market or application outside those gaming platforms.
Questions remain in the implementation of even these exemptions, such as whether an illicit market in gaming currency, which can exist despite the best efforts of the platform provider, could transform the provider's unregulated gaming feature into a highly regulated functionality. The model framework also does not suggest a standard for interaction with other regulatory regimes (eg, those for banks, securities firms and licensed money transmitters), leaving open questions as to the potential for overlapping regulation when otherwise licensed financial services providers become involved in virtual currency activities. Finally the model framework does not suggest an 'on ramp' in the form of a temporary or conditional licence for start-ups that may pose lower levels of risk, although it leaves open the possibility that a "courageous" state may experiment in that regard.
Regulatory requirements for virtual currency activities
The model framework sets forth the following recommended areas of coverage for virtual currency activity oversight:
- licensing requirements relating to both the business and its owners, including details of the entity's business plan and banking arrangements;
- use of licensing systems (eg, the Nationwide Multistate Licensing System);
- financial strength and stability, including:
- net worth or capital requirements;
- flexible permissible investment reserve requirements, which may include reserves held in virtual currencies (an important acknowledgement of the industry concern that in many circumstances like-kind reserves are the only sensible way of addressing reserve issues);
- defined mechanisms for holding and validating reserves;
- surety bonds;
- information on the method for calculating the value of virtual currencies; and
- policies and procedures for disaster recovery and business continuity and customer access to funds in the event of a failure;
- consumer protection policies, documentation and disclosures, including:
- an obligation to hold an actual amount of virtual currency in trust for customers and ensure that amount is identifiable separately from any other customer or entity holdings;
- disclosures regarding complaints, error resolution, virtual currency risks and the uninsured status of virtual currency (such requirements are recommended regardless of whether a service provider is targeting a consumer or commercial customer base); and
- receipts with exchange rate information;
- cybersecurity programmes, policies and procedures, including cybersecurity audits with flexible standards to vary the level of the audit as appropriate to the business model and level of activity (in particular, the model framework acknowledges that third-party audits may not be appropriate in some circumstances);
- general compliance with federal and state laws;
- Bank Secrecy Act/anti-money laundering implementation and compliance, including verification of service user, not just account holder, identity;
- access to books and records, including 'to the extent practicable' transaction-level data such as names, addresses and internet protocol addresses of the parties to the transaction, identifiable information regarding the virtual currency owner, transaction confirmations and destinations of foreign transactions. It appears that the model framework contemplates that such transaction-specific information might be included in affirmative reporting requirements, rather than just being available for review through examinations – a potentially substantial expansion of the general regulatory approach to transaction-level reporting; and
- general supervision authorities (eg, examination, investigative and enforcement) and access to private keys in the event of an institution's insolvency
The model framework provides a helpful window into the future direction of virtual currency regulation and supervision at the state level, but much work remains to be done before any individual state will be able to translate the model framework into actionable rules and regulations.
For further information on this topic please contact David E Teitelbaum or Joel D Feinberg at Sidley Austin LLP by telephone (+1 202 736 8000) or email (firstname.lastname@example.org or email@example.com). The Sidley Austin website can be accessed at www.sidley.com.
(1) The model framework is available here.
(2) The draft model framework is available here.
This article was first published by the International Law Office, a premium online legal update service for major companies and law firms worldwide. Register for a free subscription.