On July 17, 2014, the New York State Department of Financial Services (“DFS”) issued for public comment its proposed “BitLicense” regulatory framework1 (the “Regulations”) and an accompanying press release.2 The release of the proposed Regulations follows the DFS announcement on March 11, 2014 that DFS would consider proposals and applications in connection with the establishment of virtual currency exchanges in New York.3
The proposed Regulations would require new licenses for any business engaged in a “virtual currency business activity” (a “Licensee”) and would impose new requirements in connection with consumer protection, anti-money laundering (“AML”), and cybersecurity as well as certain other obligations. While some have applauded the effort of the DFS to bring virtual currency, particularly bitcoin, activities into the mainstream of financial regulation, the breadth and detail of the Regulations go well beyond traditional money transmitter licensing and will pose substantial challenges for companies attempting to offer new virtual currency related businesses in New York. What follows is a brief summary of some of the most significant aspects of the regulations.
Under the Regulations, “virtual currency business activities” are broadly defined to include (1) receiving or transmitting virtual currency;4 (2) securing, storing, holding or maintaining custody or control of virtual currency on behalf of others; (3) buying and selling virtual currency as a customer business (as distinct from personal use);5 (4) converting virtual currency to legal tender (or vice-versa) or one virtual currency to another virtual currency; or (5) controlling, administering or issuing a virtual currency.6 However, the Regulations would not apply to either (a) persons that are chartered under the New York Banking Law to conduct exchange services and that DFS has approved to engage in a virtual currency business activity or (b) merchants and consumers that use virtual currency “solely for the purchase or sale of goods or services.” There is no express exemption for companies already licensed to engage in money transmission in New York, or even for banks. Moreover, unlike in traditional money transmission licensing regimes, agents of the Licensee must be separately licensed.
Any entity that engages in virtual currency business activities would then need to become licensed and subject to detailed requirements related to compliance, consumer protection, capital, asset protection, examination and supervision, change in control, recordkeeping and reporting, AML, cybersecurity and business continuity.
The Regulations require substantial information regarding the proposed Licensee, its business plans, financing, directors, officers and investors, but the requested information is largely consistent with information required for other similar licenses. Although the Regulations promise action on applications within 90 days of when the application is complete, applicants should plan on an extended period of give and take with the DFS before an application is deemed sufficiently complete to start the clock. In addition, Licensees will be required to go back to the DFS for approval of each new product, service, activity or material change to an existing product.
Custody and Protection of Customer Assets. The Regulations attempt to extend traditional money transmission requirements with respect to custody and collateralization of customer assets, without addressing any of the unique aspects of virtual currency activities. For example, Licensees must hold virtual currency in the same type and amount as that which is owed to another person, which raises the question of what it means to owe a decentralized virtual currency like bitcoin to another person, and whether “holding” the currency would mean anything more than maintaining control of the codes that gave rise to the collateralization obligation in the first place. Regardless, as with traditional money transmitters, virtual currency Licensees also would be required to maintain U.S. dollar bonding or trust funds and capital, in each case in an undefined amount.
Other consumer protections include mandatory disclosures, receipts requirements, fraud prevention mandates and consumer complaint policies. Of particular note is the requirement that prior to entering into a transaction with a customer for the first time, Licensees must provide a virtual “Miranda warning” disclosing all material risks7 associated with their activities as well as all relevant terms and conditions associated with their products and services.
Establishment of an AML Program. The development and implementation of an acceptable AML program is a critical element of the Regulations. Among other things, Licensees must conduct an initial risk assessment and develop a written anti-money laundering policy that is reviewed and approved by the Licensee’s board of directors and must designate someone responsible for coordinating day-to-day compliance with the AML program.
Records of Virtual Currency Transactions. Of particular interest to participants in the virtual currency ecosystem is that the DFS would require Licensees to maintain the following information for all of their transactions involving virtual currency: (1) the identity and physical addresses of the parties involved; (2) the amount or value of the transaction, including the denominations used and the method of payment; (3) the date(s) on which the transaction was initiated and completed; and (4) a description of the transaction.
Large Transaction Reporting. Licensees also must notify DFS within 24 hours when the Licensee is involved in a transaction or series of transactions in one day, by one person, exceeding $10,000 in the aggregate.
Reporting of Illegal or Suspicious Activity. Each Licensee must monitor for transactions that might signify money laundering, tax evasion or other illegal activity and notify DFS immediately upon detection of such transactions. If required by federal law, a Licensee must file a Suspicious Activity Report (“SAR”); otherwise, if a Licensee discovers suspicious activity that indicates a possible violation of law and is not required to file a SAR, the Licensee must file a report, in a form determined by DFS, within 30 days of its discovery.8
Customer Identification Program. When opening an account for a customer, Licensees must, at a minimum, verify a customer’s identity, to the extent reasonable and practicable, maintain records of the information used to verify such identity, including name, physical address and other identifying information, and check customers against the Specially Designated Nationals list maintained by the Office of Foreign Assets Control.
Establish a Cybersecurity Program. A unique aspect of the Regulations is that they would require each Licensee to establish a cybersecurity program designed to (1) identify internal and external cyber-risks; (2) protect the Licensee’s systems from unauthorized or malicious acts; (3) detect system intrusions and data breaches;9 (4) respond to any breaches; and (5) recover from such breaches. Licensees must submit an annual report to DFS that assesses, among other things, the Licensee’s cybersecurity program. Additionally, among other safeguards, the Licensee should conduct annual penetration testing and quarterly vulnerability assessments of its electronic systems. More intrusively, the Regulations require that “an independent, qualified third party conduct a source code review of any internally developed proprietary software used in the Licensee’s business operations, at least annually.”
Capital Requirements. DFS will impose capital requirements based on a Licensee’s total assets and liabilities, the actual and expected volume of the Licensee’s virtual currency business, whether the Licensee is already subject to DFS review, the Licensee’s leverage, the Licensee’s liquidity position and the extent to which the Licensee provides additional financial protection for customers through a trust account or bond. Moreover, Licensees may only invest retained earnings in certain investment-grade instruments.
Compliance Officer. Licensees must designate a compliance officer responsible for coordinating compliance with the Regulations and all other applicable law.
Books and Records. Licensees must maintain certain books and records, including transaction information, certain financial information and statements, records or minutes of the Licensee’s governing body, records documenting legal compliance (including records documenting customer identification, records linking customers to their respective accounts and balances and records of all compliance breaches), documents relating to investigations of customer complaints and anything else DFS may require. Licensees must maintain records of all non-completed, outstanding or inactive virtual currency accounts or transactions for at least five years after any related virtual currency is deemed to be abandoned property under New York law.
Reports and Financial Disclosures. Each Licensee must submit to DFS quarterly financial statements and audited annual financial statements.
Business Continuity and Disaster Recovery. Licensees must maintain a business continuity and disaster recovery plan reasonably designed to ensure the functionality of the Licensee’s services in the event of an emergency or other disruption. Licensees also must notify DFS of any emergency or disruption that may affect their ability to fulfill their regulatory obligations or that may have a significant adverse effect on a Licensee, its counterparties or the market.
Transition. A person already engaged in a virtual currency business activity must apply for a license within 45 days of the effective date of the Regulations. DFS must issue or deny a license within 90 days of the filing of any completed application.
DFS published the Regulations in the New York State Register’s July 23, 2014 edition.10 The public may submit comments for 45 days after publication, although a number of commenters have already requested an extension of this deadline.