Addressing regulatory concerns pertaining to consumer protection, market stability, and law enforcement, the Framework expands on the CSBS draft framework released in December 2014.
The Conference of State Bank Supervisors (CSBS) recently announced the adoption of a final model regulatory framework (Framework) that recommends that states license and supervise virtual-currency businesses that transmit, exchange, or facilitate the third-party exchange, storage, or transmission of virtual currency. The Framework, which is intended to address regulatory concerns pertaining to consumer protection, market stability, and law enforcement, builds upon and modifies the CSBS draft framework that was released in December 2014. While the Framework is not binding on the states, it plainly encourages state financial regulatory agencies to exercise regulatory and supervisory authority over virtual- currency activity.
“Virtual Currency” Defined
The Framework defines “virtual currency” to mean “a digital representation of value used as a medium of exchange, a unit of account, or a store of value, but does not have legal tender status as recognized by the United States Government.” Virtual currency, as used in the Framework, includes “digital currency” and “cryptocurrency.” Excluded from the Framework’s definition of virtual currency, however, are (i) software or protocols governing the transfer of the digital representation of value, (ii) stored value redeemable exclusively in goods or services limited to transactions involving a defined merchant, and (iii) units of value that are issued in affinity or rewards programs and that cannot be redeemed for either fiat or virtual currencies.
Covered Currencies and Activities
Under the Framework, states would issue licenses to persons engaging in a minimum level of activities that involve the transmission or exchange of virtual currency, and to services that facilitate the third-party exchange, storage, or transmission of virtual currency (such as wallets, kiosks, merchant-acquirers, vaults, and payment processors). The Framework specifies a number of activities that fall outside of the scope of the Framework, including
- merchants and consumers who use virtual currencies solely for the purchase or sale of goods or services,
- activities that are not financial in nature but utilize technologies similar to those used by digital currency,
- activities involving units of value that are issued in affinity or rewards programs and that cannot be redeemed for either fiat or virtual currencies, or
- activities involving units of value that are used solely within online gaming platforms and have no market or application outside of those gaming platforms.
The Framework does not apply to depository institutions or to entities that are otherwise exempt from laws and regulations applicable to covered activities. The Framework stipulates that state bank regulatory authorities should require an applicant for licensure to provide details of the applicant’s business plan and banking arrangements, and to credential the business owners, directors, and key personnel (although CSBS does not indicate who should be considered “key personnel”).
Notably, the Framework diverges in certain respects from the New York Department of Financial Services (DFS) current BitLicense framework by recommending a comprehensive licensing scheme for all virtual-currency businesses. In contrast to the DFS BitLicense framework, the CSBS Framework does not include a “conditional license” alternative (or “on ramp”) for start-ups or other applicants that do not satisfy all of the regulatory requirements upon licensing. While then-Superintendent Lawsky noted that the DFS conditional license was intended to provide flexibility for start-ups that must obtain a license, the CSBS states that the goals of legal and regulatory incubation must be balanced against considerations of potential harm to consumers, which could be caused “by entities regardless of size,” and the due process and procedural rights that a license offers that are separate from other legal requirements.
No Insurance Requirement But “Strength and Stability” Component Requires Access to Keys
In light of the relatively undeveloped nature of the cyber-insurance market, the Framework will not mandate that licensees have cyber insurance. However, the CSBS “encourages continued exploration of insurance and other market based risk management solutions”. Under the Framework, a licensee must have adequate policies and procedures to protect customer access to funds in the event of failure. The CSBS’ “strength and stability” component requires policies and procedures detailing how private keys are transferred or recovered in the event of a licensee’s failure.
Uniform Licensing: Required Policies
The Framework contemplates the use of the Nationwide Multistate Licensing System (NMLS) to process and evaluate applications. Using this system, states could share information, including licensing and enforcement data, on a near real-time basis. The CSBS discusses other approaches that state regulators are developing for uniformity and information sharing purposes. The CSBS further states that initiatives that allow single, uniform uploads will be useful for collecting periodic information from licensees.
The Framework would require various policies to be maintained by licensees, including a disaster-recovery plan and cybersecurity policies, procedures and controls. The CSBS retreated from its proposed requirement that a third-party cybersecurity audit be conducted to monitor risks, recommending instead that a cybersecurity audit be performed where necessary. In turn, the licensee’s risk profile is expected to determine whether the audit should be performed by internal staff or a third party.
Flexible Framework That States May Tailor As Appropriate
The CSBS identifies other requirements that states should impose on licensees in a flexible manner. For example, the Framework would impose on licensees a flexible financial strength requirement mandating capital requirements, permissible investments and reserves, along with customer protection requirements providing for disclosures and notices, compliant resolution procedures, and receipt requirements. Periodic reporting requirements would be determined on a state-by-state basis, taking into consideration the company, usefulness of information, and feasibility of transferring the information. However, the CSBS recommends that transaction-level data be reported to states to the extent feasible. Although access to books and records would be required under the Framework, states could mandate the form and format of books and records production.
Federal Law Compliance
Under the Framework, a licensee would be required to comply with federal Bank Secrecy Act and anti-money laundering laws and related regulations as opposed to specific state-by-state requirements because the CSBS concluded that existing federal laws in this area are sufficient. The Framework, however, recommends that states require verification of a licensee’s service user, and not just account holders. In addition, other federal laws, such as the Electronic Funds Transfer Act (Regulation E), would apply to such activities.
Differences from the Draft Framework
CSBS notes that many of the changes from the draft framework in the CSBS Framework are intended “to ensure clarity and consistency” and incorporate industry feedback. Notably, the Framework establishes a recommended regulatory regime for “virtual currency,” and defined the term “virtual currency,” a noted omission from the draft framework. Further, as noted above, the CSBS eliminated a proposed requirement that a third-party cybersecurity audit be conducted to monitor risks.
To date, few states have taken action to regulate virtual currency. The Framework is an important step in the development of virtual currency regulation as it is the first model intended for use by multiple jurisdictions. While the Framework is not binding, and it is not clear how and to what extent states will adopt a full-blown regulatory scheme as recommended by the CSBS, the Framework plainly will encourage states to consider an appropriate virtual currency regulatory scheme.
The impact of the Framework on virtual-currency intermediaries, and the developing virtual currency system, will depend in large part on the nature and extent of states’ responses to, and implementation of, the Framework. One thing that is quite clear is that the Framework’s impact is unlikely to be broadly felt in the immediate or near term, inasmuch as it will take a meaningful amount of time for states to develop, (presumably) propose and finalize any licensing and supervisory schemes. Further, while any new regulation inevitably will add to the costs of compliance and doing business for virtual currency providers, the Framework’s espousal of the NMLS as a licensing medium should encourage consultations and coordination among the states to develop a uniform licensing framework, which in turn would mitigate the compliance burdens on virtual currency intermediaries that propose to conduct a national or multistate business. It is less clear, however, whether the Framework will encourage uniformity in areas such as reporting, capital and reserves, audit activities, and the like. By the same token, the Framework’s apparent rejection of conditional, or “on ramp,” licensing could prove to be a substantial barrier to entry for start-ups that engage in virtual-currency activities or are seeking to innovate in developing new virtual currency products and services.