The recently formed Emerging Payments Task Force of the Conference of State Bank Supervisors (CSBS) issued a proposed policy on state virtual currency regulation on Dec. 16, 2014 (the “Policy”). The Policy identifies core public interests that states should protect and provides a road map for state regulatory oversight of certain virtual currency activities through licensing, supervision, and enforcement.

Unlike the New York Bitlicense proposal, which mandates a separate licensing regime for companies engaged in certain virtual currency activities, the Policy recognizes that existing state banking and money transmission licensing laws may already be sufficient to protect consumers who put their trust in hosted wallet providers and virtual currency exchanges. One of the primary criticisms of the New York proposal was that it was duplicative of New York’s existing money transmission regulations, and might require certain cryptocurrency companies to apply for and maintain two separate licenses. The Policy sets forth a framework for amending or interpreting existing statutes to account for virtual currency activity, as well as for drafting new legislation. The Policy is far less prescriptive than the New York Bitlicense proposal. However, like the Bitlicense proposal, the Policy’s broad inclusion of “services supporting” virtual currency activity in the scope of those entities that should be regulated will likely lead to confusion among state regulators unfamiliar with the wide array of technologies that support cryptographically secured payment systems. Yesterday, the New York Department of Financial Services Superintendent, Benjamin Lawsky, responded to such criticism in a speech and revealed plans to issue a revised version of the Bitlicense proposal later this month.

The principal elements of the Policy are as follows:

Defining virtual currency. The Policy defines virtual currencies as “digital representations of value that can be a medium of exchange, a unit of account, and/or a store of value [including] digital currencies and crypto-currencies such as Bitcoin.”

Protecting the public. The Policy emphasizes that states have an obligation to protect three primary public interests affected by virtual currency activities:

  1. Consumer protection: where virtual currency providers are in a “position of trust with the consumer”, states should ensure minimum standards exist to limit consumer harm;
  2. Market stability: the advancement of technology, certainty of regulation, and strong, stable financial markets.
  3. Law enforcement: to ensure laws and anti-money laundering objectives are not being violated.

Activities subject to licensure & supervision. The Policy seeks to identity activities involving third party control of virtual currency, without regard to the form of technology used, where the following activities are conducted “on behalf of another”:

  1. The transmission of virtual currency;
  2. The exchange of currency for virtual currency or vice versa, or the exchange of virtual currency for virtual currency; and
  3. Services supporting third-party exchange, storage, and transmission of virtual currency including wallets, vaults, kiosks, merchant-acquirers, and payment processors.

The Policy is not intended to regulate merchants and consumers using virtual currencies to sell or purchase goods and services. Nor is it intended to regulate non-financial uses of digital currency technologies, such as a cryptographic ledger for non-financial recordkeeping.

Laws and regulations. The Policy gives states discretion to develop laws and regulations specifically for virtual currency or to apply existing money transmission laws to cover transmissions of “monetary value”. which is already defined broadly enough by the Uniform Money Services Act to cover virtual currencies. In conjunction with the Policy, the CSBS also issued a draft regulatory framework that specifies the following core elements of law and regulation that it believes should apply to virtual currency activities.

  1. Licensing – Collect the credentials of business entity owners, directors and key personnel, and document the business entity’s banking arrangements. To efficiently process and evaluate licensing applications, states should share license and enforcement data in real time.
  2. Financial solvency – Establish net worth or capital requirements and surety bond requirements based on activities and volume, permissible investments, virtual currency valuation methods, and disaster recovery and emergency preparedness plans.
  3. Consumer protections – Establish consumer protection policies and procedures, trust requirements, and complaint and error resolution procedures. Disclose risks, whether virtual currency is insured, and licensing information, and deliver transaction receipts that disclose exchange rates.
  4. Cyber security – Establish cyber security policies and procedures, including customer notification and reporting, and third party security audits.
  5. Compliance and Bank Secrecy Act / Anti-Money Laundering (BSA/AML) Oversight – Require entities to document compliance with federal BSA/AML laws, including accountholder identity verification, and recognition of states’ examination and enforcement authority with respect to BSA/AML.
  6. Books and records – Require entities to document compliance with federal law, including BSA/AML and Electronic Funds Transfer Act requirements, as well as state escheatment laws. Entities must record transaction-level data, including names, addresses, IP addresses, owners, transaction confirmations, and for foreign transactions, the destination.
  7. Supervision and enforcement – Coordinate and share supervision information by conducting joint or concurrent examinations and using or adopting reports prepared by other state or federal regulators. To facilitate regulatory cooperation, regulatory examination information should be exempt from state public record disclosure laws. Finally, regulators should have sufficient authority to examine and investigate entities, including subpoena authority, the ability to bring formal or informal actions, remove officers and directors, impose civil money penalties, take control of an entity, and appoint a receiver if necessary.

The CSBS is accepting comments on the framework for policy implementation and has listed 19 specific topics on which it has questions. Comments are due Feb. 16, 2015.