On September 15, 2015, the Conference of State Bank Supervisors (“CSBS”) issued its final Model Regulatory Framework on virtual currency activities (“Final Framework”). The Final Framework follows the CSBS’s December 2014 issuance of a draft Model Regulatory Framework (“Draft Framework”). The CSBS issued the Final Framework “to assist those states seeking to develop and implement state regulatory regimes for virtual currency activities.” (Of course, one state has already finalized its regulatory regime, so the CSBS’s goal of “consistent regulatory approaches among states” will remain elusive.)

The Final Framework includes a definition of “Virtual Currency,” a general policy statement, a statement of covered and excluded activities, and a set of nine regulatory requirements.


The Final Framework defines Virtual Currency as “a digital representation of value used as a medium of exchange, a unit of account, or a store of value, but does not have legal tender status as recognized by the United States Government.” The Final Framework expressly excludes from the definition of Virtual Currency “software or protocols governing the transfer of the digital representation of value” and “stored value redeemable exclusively in goods or services limited to transactions involving a defined merchant.” The Final Framework also excludes “units of value that are issued in affinity or rewards programs and that cannot be redeemed for either fiat or virtual currencies.” These exclusions appear consistent with the exclusions provided by other regulators active in the virtual currency space (e.g., the Financial Crimes Enforcement Network and the New York Department of Financial Services).


The CSBS takes the position that “activities involving third party control of virtual currency, including for the purposes of transmitting, exchanging, holding, or otherwise controlling virtual currency, should be subject to state licensure and supervision.” The policy statement in the Final Framework provides that licensing and supervision, if implemented by the states, would “serve as a mechanism for protecting consumers, ensuring system stability, safeguarding market development, and assisting law enforcement.”


The Final Framework includes new language that makes explicit the application of the regulatory requirements to “activities involving third party control of virtual currency.” The list of “minimum” covered activities (i.e., transmission, exchanging, and services that facilitate the exchange, storage, or transmission of Virtual Currency) remains unchanged. Industry’s concern regarding the vagueness of the language regarding minimum covered activities remains unchanged, as well.

The Final Framework expands the list of activities that are excluded from the scope of covered activities. Specifically excluded from the Final Framework are “[a]ctivities involving units of value that are issued in affinity or rewards programs and that cannot be redeemed for either fiat or virtual currencies” and “[a]ctivities involving units of value that are used solely within online gaming platforms and have no market or application outside of those gaming platforms.” With respect to the reward-related exclusion, this new language appears to be superfluous, given the modified definition of Virtual Currency, and provides no further certainty for rewards program administrators that offer features such as “cash back” or statement credits as a program benefit.


The regulatory elements of the Final Framework include (1) licensing; (2) use of a robust licensing system (e.g., NMLS); (3) requirements regarding a licensee’s financial strength and stability (e.g., including net worth or capital requirements and restrictions on permissible investments); (4) requirements regarding consumer protection policies and practices (e.g., policies with regard to complaints and error resolution); (5) requirements regarding a licensee’s cybersecurity policies and procedures; (6) requirements regarding a licensee’s compliance program and a designated compliance officer; (7) requirements regarding a licensee’s BSA/AML compliance program; (8) licensee recordkeeping and reporting obligations; and (9) supervision of licensees.

There were substantive changes from the Draft Framework with respect to these regulatory requirements. We are carefully analyzing the potential impact of these changes. The bullets below identify several of the key changes to the regulatory requirements section:

  • Permissible Investments. The Final Framework provides “a flexible permissible investment requirement” to reflect “the nascent state of the industry and compelling arguments for and against like- kind permissible investments.” The Final Framework states that the “denomination of permissible reserves should be determined by the state regulator after consideration of the business model and risk at the institution.”
  • Cybersecurity Audits. The Final Framework also introduces flexibility with respect to the requirement for a cybersecurity audit to be performed by a third party. Specifically, the Final Framework provides that a cybersecurity audit “should be performed where necessary, and the risk profile of the institution should dictate whether it is appropriate for internal staff or a third party to perform the audit.” The CSBS recognizes that cybersecurity audits are but one tool to mitigate cybersecurity risks faced by all financial institutions.
  • BSA/AML Compliance. The Final Framework would apply verification requirements to an entity’s “service users,” which are not limited to account holders. The CSBS indicated that this change “reflects the diverse use case for the block chain,” and that “an individual can use a virtual currency service to transfer money via the block chain, but not necessarily create an ‘account.’”


The CSBS received comments urging the adoption of a transitional license for startups to reflect the difficulties such firms may have in meeting licensing standards. However, the Final Framework does not include a provision for a transitional license, because the CSBS determined that “consumers can be harmed by entities regardless of size,” and that “due process and other procedural rights…are difficult to tailor and separate from other legal requirements.” Accordingly, the CSBS has deferred to states to develop a transitional license, reintroducing the risk of inconsistent regulatory treatment that the CSBS sought to avoid.

*         *         *

Because the Final Framework is drafted at a high level, state-by-state implementations will undoubtedly create inconsistency. Nonetheless, the efforts by the CSBS to create a uniform nationwide framework are laudable. A deeper analysis on the scope and requirements of the Final Framework will be forthcoming.