On February 4, 2015, the New York State Department of Financial Services (DFS) issued a revised version of its proposed “BitLicense” regulatory framework (the Revised Regulations) for public comment.1 The DFS issued its original version of the proposed BitLicense rules (the Original Regulations) on July 17, 2014.2 According to the DFS Superintendent, Benjamin Lawsky, the Revised Regulations address public comments to the Original Regulations as well as clarify certain provisions. The Revised Regulations and the Original Regulations together are referenced below as the “Regulations.”
In our review of the Original Regulations,3 we explained that the proposed BitLicense rules would require a new license for any entity engaged in a “virtual currency business activity” (a Licensee) and would impose new requirements in connection with consumer protection, anti-money laundering (AML) and cybersecurity, as well as certain other obligations. As we noted with respect to the Original Regulations, while some have applauded the effort of the DFS to bring virtual currency, particularly bitcoin, activities into the mainstream of financial regulation, the breadth and detail of the proposed regulatory framework go well beyond traditional money transmitter licensing and will pose substantial challenges for companies attempting to offer new virtual currency related businesses in New York. DFS Superintendent Lawsky acknowledged in a speech to the Bipartisan Policy Center (the BPC Speech) that “there are some specific areas of the regulation that are somewhat stronger or more robust for virtual currency firms than those for other financial institutions,” but also indicated that DFS is considering using these more stringent provisions as “models for our regulated banks and insurance companies.”4 Thus, while the DFS has responded to comments on a number of key elements of the Regulations and has taken steps to make the Revised Regulations more workable for the industry, other issues identified by commentators remain, such as a broad definition of “material changes” to a licensed business that require prior agency approval.
What follows is a brief summary of some of the Revised Regulations’ more salient changes to the Original Regulations.
Under the Regulations, any entity engaged in a “virtual currency business activity” would be required to register as a Licensee. The Revised Regulations modify the definitions of “virtual currency business activity” and “virtual currency” to clarify – and narrow – the scope of activities subject to the licensing requirement.
Definition of “Virtual Currency.” The Revised Regulations specifically exclude gift cards from the definition of “virtual currency.” The term “gift card” is defined very broadly for this purpose and will cover both open-loop and closed-loop “electronic payment devices.”
Under the Original Regulations, digital units that are used solely within online games and have no market or application outside the games were not deemed to be virtual currency. The Revised Regulations expand this exclusion to cover gaming units that may be redeemed for real-world purchases as long as the gaming units themselves cannot be converted into legal tender or virtual currency.
Under the Original Regulations, digital units that are used exclusively as part of a customer affinity or reward program were not deemed to be virtual currency as long as the units could not be converted into legal tender. The Revised Regulations narrow this exclusion by providing that these digital units also must not be convertible into virtual currency, although they do permit the rewards units to be redeemed for units of another affinity or rewards program.
Definition of “Virtual Currency Business Activity.” The DFS responded favorably to comments that the Regulations should not apply to businesses that utilize the “public ledger” functionality of protocols like bitcoin for purposes other than moving money. The Revised Regulations therefore exclude entities that receive or transmit virtual currency for “non-financial purposes” in a “nominal amount” of virtual currency.
The Revised Regulations now provide that the “development and dissemination of software” is not a virtual currency business activity.5
Additional Exemption. The Revised Regulations also specifically exempt entities that hold virtual currency for “investment purposes” from the licensing requirement.6
Conditional Licenses. The Revised Regulations provide the DFS the flexibility to issue a new “conditional license,” which would generally be valid for up to two years, for applicants that do not satisfy all of the BitLicense requirements. The conditional license could be made subject to a variety of limitations at the discretion of the Superintendent and would be subject to extension or cancellation. DFS Superintendent Lawsky explained in his BPC Speech that the purpose of the conditional license is to provide start-ups with flexibility “as they build up their operations.”
Background Checks. The Revised Regulations limit the application of employee background checks, which had been broadly proposed to apply to all employees, to apply only to those with access to customer funds.
Change of Control. The Revised Regulations add a specific process to request a determination by the DFS that a proposed transaction does not constitute a change of control (e.g., the DFS determines that the person is purchasing the Licensee’s stock solely for passive investment purposes).
Tax Verification. An applicant must now provide verification to DFS that it is compliant with all New York state tax obligations.
Application Fees. The Revised Regulations specify that an application will cost five thousand dollars, instead of an amount set at the discretion of the Superintendant, as originally proposed.
The Revised Regulations have relaxed certain capital requirements. Under the Original Regulations, a Licensee could invest its retained earnings and profits only in certain enumerated investment types, such as government bonds or securities, with maturities no greater than one year. In contrast, the Revised Regulations permit Licensees to invest in any “high-quality, highly liquid, investment-grade assets” in proportions acceptable to DFS. It is not clear how the deletion of bank deposits, which were enumerated in the Original Regulations, will be treated under this rubric, however, since they generally do not receive investment ratings but presumably should be eligible for this purpose. Additionally, virtual currency holdings may now count towards a Licensee’s capital requirements.
The Revised Regulations continue to require Licensees to maintain U.S. dollar bonding or trust funds and capital for the benefit of customers, but further provide that trust funds may be maintained only with “Qualified Custodians.” This term is limited to certain regulated financial institutions, such as trust companies and banks, located in New York and approved by the DFS.
The Revised Regulations no longer provide a blanket right for consumers to claim compensation from the Licensee’s bonding or trust funds for all “fraud.”
Books and Records
The Revised Regulations reduce the applicable recordkeeping requirements from ten years to seven years.
Records of Virtual Currency Transactions. While the Original Regulations required Licensees to provide the identity and physical addresses for all parties – including non-customer counterparties – to a transaction, the Revised Regulations require Licensees to obtain the information only for their own customers, although Licensees must provide information on non-customer counterparties “to the extent practicable.”
Customer Identification Program. The Revised Regulations require Licensees to verify the identity of a customer when either (1) opening an account or (2) establishing a service relationship, the latter being a new requirement. The Revised Regulations do not specify what would be a “service relationship” for this purpose.
AML Compliance Testing. The Revised Regulations clarify that internal AML compliance reviews must be independent of line operations to qualify as an alternative to an external review.
The Revised Regulations require a Licensee’s chief information security office to annually review and update the Licensee’s cybersecurity program. However, Licensees are no longer required to engage a third party to conduct a review of the source code of the Licensee’s proprietary software, one of the most controversial aspects of the Original Regulations.
The public may submit comments for 30 days after the publications of the Revised Regulations in the New York State Register, which has not occurred as of the publication of this alert.