The New York State Department of Financial Services issued final regulations requiring a so-called “BitLicense” and establishing minimum standards for all financial intermediaries who engage in a virtual currency business activity from New York or to a NY resident.

The regulations impact a wide spectrum of potential businesses, although they exclude merchants and consumers who use virtual currencies in connection with transactions for goods or services, persons chartered under the NY banking law and approved to engage in a virtual currency business activity, and persons who engage in the mere “development and dissemination of software in and of itself.” This appears to exclude virtual currency miners, although the regulations are not entirely clear. According to Benjamin Lawsky, the departing superintendent for the NYDFS,

[S]tudents or other innovators who are simply developing software and are not holding onto customer funds are not required to apply for a BitLicense.

In general, the new regulations require all financial intermediaries engaging in a virtual currency business to apply and obtain a so-called BitLicense, and to maintain certain minimum standards and programs to help ensure customer protection, cybersecurity and anti-money laundering compliance.

Under the regulations, what constitutes a virtual currency should be broadly construed and includes any digital unit that is utilized as a medium of exchange or as a form of digitally stored value. However, virtual currencies do not include certain digital units that are used solely with online gaming platforms or as a part of a customer affinity or rewards program (with some restrictions), or that are used as part of prepaid cards.

Likewise, virtual currency business activity is broadly defined and includes (1) receiving virtual currency for transmission or transmitting virtual currency except where the transaction is for non-financial purposes and only involves a nominal amount; (2) storing or holding virtual currency for others; (3) buying and selling virtual currency as a customer business; (4) engaging as a customer business in the conversion or exchange of (a) fiat currency or other value into virtual currency, (b) virtual currency into fiat currency or other value, or (c) one form of virtual currency into another form of virtual currency; or (5) controlling, administering or issuing a virtual currency.

Applications for a BitLicense require extensive information about the applicant and its principals. Among the required information is a description of the firm’s proposed business activities, all relevant written policies and procedures, and fingerprints and a third-party prepared background report on each principal. Fingerprints and a photograph will also be required for each employee who may have access to customer funds.

Each virtual currency firm must have and enforce written compliance policies addressing anti-fraud, anti-money laundering, cybersecurity, privacy and information security. Virtual currency firms must maintain at all times “such capital in an amount and form as the superintendent determines is sufficient to ensure the financial integrity of the [l]icensee and its ongoing operations.”

Virtual currency firms are required to maintain and keep certain records in their original or native file format for at least seven years and submit themselves to examination by the NYDFS. They are also required to file quarterly unaudited financial statements and one annual financial statement that is certified. Such firms must appoint a chief compliance officer, a chief AML officer and a chief information security officer with specified responsibilities. Certain minimum risk disclosures are required to be made to all customers.

All virtual currency firms must apply for a license within 45 days of the unspecified effective date of the regulations or cease operating as a virtual currency firm. Material changes in business must be pre-approved by the NYDFS.

The NYDFS may grant perpetual licenses or two-year conditional licenses. All licenses can be revoked after a hearing upon a showing of “good cause.”

Nothing in the new NYDFS provisions regulates virtual currencies themselves.

(Click here for background on recent virtual currency regulatory developments in the November 13, 2014 advisory, "Recent Key Bitcoin and Virtual Currency Regulatory and Law Enforcement Developments" by Katten Muchin Rosenman LLP.)

My View: The NYDFS is the first US regulator to impose a specific requirement for virtual currency firms to obtain a BitLicense in order to conduct business and to require licensees to adhere to express minimum standards. It only can be hoped that other states contemplating regulations adopt equivalent requirements so interstate commerce involving virtual currency is not unnecessarily burdened. That being said, one thing that is particularly remarkable about the NYDFS BitLicense regulations are the requirements of licensees t0 maintain cybersecurity programs containing proscribed elements. In particular, the NYDFS expressly requires virtual currency firms to adhere to many of the best practices recommended (but not yet mandated) by other regulators, including identifying internal and external cyber risks, establishing procedures to protect the firm’s electronic systems and customer data, appointing a chief information security officer to oversee the firm’s cyber security program, requiring penetrating testing and audit trails, and requiring firms to maintain a business continuity and disaster recovery plan. Even financial service firms that are not involved in a virtual currency business should review these requirements to evaluate whether their own cybersecurity program would pass muster.