On July 17, 2014, the New York State Department of Financial Services (DFS) became the first state agency to release proposed regulations specifically governing the crypto-currency industry. The proposed regulations were published in the New York State Register on July 23, 2014, initiating a 45-day public comment period under the New York State Administrative Procedures Act (SAPA). Following on the Financial Crimes Enforcement Network’s (“FinCEN”) March 20134 Guidance on virtual currency, numerous states have issued virtual-related advisories (TX), clarifying statements (WA), and consumer warnings (HI). However, none except New York have proposed new regulations for virtual currency businesses. Numerous states have quietly granted money transmitter licenses to virtual currency companies during the past year. The new regulatory mechanism is colloquially referred to as a “BitLicense,” in reference to the first crypto-currency system, Bitcoin. After the 45-day public comment period, the proposed “BitLicense” regulations will be subject to additional review and revision based on feedback received during the public comment period. Rather than adapt New York’s existing financial regulations, including state money transmitter laws, to fit constantly evolving business models, New York opted to craft a set of rules specific to crypto-currencies.
The proposed regulations are in numerous ways more burdensome than those imposed on traditional money services businesses. Of note, the proposed rules do not contain an exemption analogous to the “agent of a payee” exemption under New York money transmitter law that permits certain fiat currency payment processors and bill payment vendors to avoid licensure. In addition, the regulations impose minimum capital requirements above and beyond those required of money transmitters, and record keeping requirements under the proposed regulations are far more exigent, requiring licensees that process virtual currency payments to record, among other things, the full name and physical address of the sender. While some of the requirements appear intended to protect consumers from the risks inherent with doing business with inexperienced companies and untested business models, others, if enacted, appear to require virtual currency businesses to fundamentally alter the way they process virtual currency transactions. This latter aspect sets the stage for a direct challenge by NY regulators to the design of most virtual currency systems – the pseudonymous nature of transactions. The proposed rules signal strongly to virtual currency companies that regulators view with great suspicion one of the core innovations embodied in cryptographic payment platforms: the ability of a consumer to conduct a cash-like transaction over the Internet without being required to share financial information with a third party.
“Virtual Currency” Defined
The DFS proposal broadly defines “virtual currency” as “any type of digital unit that is used as a medium of exchange or a form of digitally stored value or that is incorporated into payment system technology.” This includes any digital unit of exchange that may be created or obtained by computing or manufacturing effort, regardless of whether it has a centralized or decentralized repository or administrator. Virtual currency does not include, however, digital units used solely within online gaming platforms with no market or application outside of those platforms, nor does it include digital units used exclusively as part of customer affinity or rewards programs. This closely parallels FinCEN’s inquiry into whether or not a currency is “convertible” as the primary factor in deciding whether to apply additional regulatory scrutiny.
Who Must Be Licensed?
Any entity engaged in “virtual currency business activity” must obtain a BitLicense, which involves the following types of transactions:
- Receiving or transmitting virtual currency (except when utilized by merchants and consumers solely for the purchase or sale of goods or services)
- Securing, storing, holding, or maintaining custody or control of virtual currency on behalf of others
- Buying and selling virtual currency as a customer business
- Performing “retail conversion services”, including the conversion or exchange of fiat currency (government-issued currency) or other value into virtual currency, the conversion or exchange of virtual currency into fiat currency or other value, or the conversion or exchange of one form of virtual currency into another form of virtual currency
- Controlling, administering, or issuing a virtual currency
As referenced above, persons who send and receive virtual currency solely in connection with the purchase or sale of goods and services (i.e., consumers directly paying merchants with virtual currency in exchange for goods or services) as well as entities that are already chartered under the New York Banking Law to conduct exchange services and who are approved by DFS to engage in virtual currency business activity need not obtain a BitLicense.
The application process is more rigorous than that for a money transmitter license. In addition to the information required of applicants for a money transmitter license, the proposed rules require the following:
- A list of, and detailed biographical information for, each applicant, director, principal officer, principal stockholder, and principal beneficiary of the applicant, including the individual’s name, physical and mailing addresses, information and documentation regarding their personal history, experience, and qualification, accompanied by a form of authority, executed by the individual to release to the DFS
- A background check prepared by an independent investigative agency “acceptable to the superintendent” for individual applicant, principal officer, principal stockholder, and principal beneficiary of the applicant
- A complete set of fingerprints and portrait-style photographs for each applicant, principal officer, principal stockholder, and principal beneficiary of the applicant
- An organizational chart of the applicant and its management structure
- A current financial statement for each applicant, principal officer, principal stockholder, and principal beneficiary of the applicant
- A description of the proposed, current and historical business of the applicant
- Details of all banking arrangements
- All written company policies and procedures
- An affidavit describing any administrative, civil, or criminal action, litigation, or proceeding before any governmental agency, court or arbitration panel, and any existing, pending, or threatened action, litigation or proceeding against the applicant or its directors, principal officers, principal stockholders, and principal beneficiaries
- Any insurance policies maintained for the benefit of the applicant, its directors or officers, or its customers
- An explanation of methodologies used to calculate the value of the virtual currency in fiat currency
The DFS has 90 days to approve or deny every application, although the superintendent has discretion to extend the approval timeframe.
If a BitLicense is issued, in addition to the required surety bond (see below), a license holder must also maintain sufficient capital “to ensure the financial integrity of the licensee and its ongoing operations.” The superintendent will use the following to determine the appropriate level of capitalization:
- The composition of the licensee’s total assets, including the position, size, liquidity, risk exposure, and price volatility of each type of asset
- The composition of the licensee’s total liabilities, including the size and repayment timing of each type of liability
- The actual and expected volume of the licensee’s virtual currency business activity
- Whether the licensee is already licensed or regulated by the DFS
- The amount of leverage employed by the licensee
- The liquidity position of the licensee
- The financial protection that the licensee provides to its customers through a trust account or a bond
Permissible Investments/Surety Bond
All earnings and profits may only be invested in the following high-quality, investment-grade permissible investments with maturities of up to one year and denominated in United States dollars:
- Certificates of deposits issued by federally or state regulated financial institutions
- Money market funds
- State or municipal bonds
- United States government securities; or
- United States government agency securities
The proposed rules also require each licensee to hold virtual currency of the same type and amount as any virtual currency owed or obligated to a third party. Licensees are also prohibited from selling, transferring, assigning, lending, pledging, or otherwise encumbering assets, including virtual currency, stored on behalf of another person. Each licensee must also maintain a bond or trust account in United States dollars for the benefit of its customers in form and amount acceptable to the DFS (at present, the minimum bond amount required for money transmitter licensees is $500,000.00, and we presume the BitLicense minimum bond amount will similar).
The proposed rules also require the maintenance of extensive record keeping, including the following:
- For each transaction, the amount, date, and precise time of the transaction, any payment instructions, the total amount of fees and charges received and paid to, by, or on behalf of the licensee, and the names, account numbers, and physical address of the parties to the transaction
- A general ledger containing all assets, liabilities, capital, income, expense accounts, and profit and loss accounts
- Bank statements and bank reconciliation records
- Any statements or valuations sent or provided to customers or counterparties
- Records or minutes of meeting of the board of directors or an equivalent governing body
- Records demonstrating compliance with state and federal anti-money laundering laws and
- Communications and documentation related to investigations of customer complaints and transaction error resolution or facts giving rise to possible violation of the law
Waiver of 4th Amendment rights/Examinations
The proposed rules would require the licensee to waive any rights under Article I, § 12 of the New York State Constitution and the Fourth Amendment to the United States Constitution, and to consent to the search of all facilities, books, records, documents or other information maintained by the licensee or its affiliates, wherever the information may be located. Each licensee would also be required to submit to a thorough examination by the DFS not less than once every two years, to submit to the DFS quarterly financial statements within 45 days of the completion of each fiscal quarter, and to submit to the DFS annual audited financial statements within 120 days of the completion of each fiscal year.
Anti-money laundering (“AML”) program
Each licensee is required to develop and implement a complex AML program. As part of the program, among other things, each licensee must maintain the following information for all transactions involving the payment, receipt, exchange or conversion, purchase, sale, transfer, or transmission of virtual currency: the identity and physical addresses of the parties involved; the amount or value of the transaction, including in what denomination purchased, sold, or transferred, and the method of payment; the date the transaction was initiated and completed, and a description of the transaction.
- Verification of accountholders: Licensees must, at a minimum, when opening accounts for customers, verify their identity, maintain records of the information used to verify such identity, including name, physical address, and other identifying information, and check customers against the Specially Designated Nationals (“SDNs”) list maintained by the U.S. Treasury Department’s Office of Foreign Asset Control (“OFAC”). Enhanced due diligence may be required based on additional factors, such as for high-risk customers, high-volume accounts, or accounts on which a suspicious activity report has been filed. Licensees are also subject to enhanced due diligence requirements for accounts involving foreign entities and a prohibition on accounts with foreign shell entities.
- Reporting of suspected fraud and illicit activity: Each licensee shall monitor for transactions that might signify money laundering, tax evasion, or other illegal or criminal activity and notify DFS immediately upon detection of such a transaction. When a licensee is involved in a transaction or series of transactions for the receipt, exchange or conversion, purchase, sale, transfer, or transmission of virtual currency in an aggregate amount exceeding the United States dollar value of $10,000 in one day, by one person, the licensee shall also notify DFS within 24 hours.
Cyber security program
Each licensee must maintain a cyber-security program designed to perform a set of five core functions, including:
- Identifying internal and external cyber risks by, at a minimum, identifying the information stored on the licensee’s systems, the sensitivity of such information, and how and by whom the information can be accessed
- Protect the licensee’s electronic systems, and the information stored on those systems, from unauthorized access, use, or other malicious acts through the use of defensive infrastructure and the implementation of policies and procedures
- Detect system intrusions, data breaches, unauthorized access to systems or information, malware and other cyber security events
- Respond to detected cyber security events to mitigate any negative effects; and
- Recover from any breaches, disruptions, or unauthorized use of systems and restore normal operations and services
Each licensee much also implement a written cyber security policy setting forth the licensee’s policies and procedures for the protection of the electronic systems and customer and counterparty data stored on those systems, which much be reviewed by the licensee’s board of directors or governing body at least annually. The cyber security policy must address the following areas:
- Information security
- Data governance and classification
- Access controls
- Business continuity and disaster recovery planning and resources
- Capacity and performance planning
- Systems operations and availability concerns
- Systems and network security
- Systems and application development and quality assurance
- Physical security and environmental controls
- Customer data privacy
- Vendor and third-party service provider management
- Monitoring and implementing changes to core protocols not directly controlled by the licensee, and
- Incident response
The proposed rule also requires each licensee to designate a qualified employee to serve as the licensee’s Chief Information Security Officer (“CISO”) responsible for overseeing and implementing the licensee’s cyber security program and enforcing its cyber security policy. One of the responsibilities of the CISO will be to submit to DFS, at least annually, a report assessing the availability, functionality and integrity of the licensee’s electronic systems, identifying relevant cyber risks to the licensee, assessing the licensee’s cyber security program, and proposing steps for the redress of any inadequacies. The cyber security program will also be required to include the following:
- Penetration testing of its electronic systems, at least annually, and vulnerability assessments of those systems at least quarterly
- Audit trail systems that
- Track and maintain data that allows for the complete and accurate reconstruction of all financial transactions and accounting;
- Protect the integrity of data stored and maintained as part of the audit trail from alteration or tampering;
- Protect the integrity of hardware from alteration or tampering, including by limiting access by permissions to hardware, enclosing hardware in locked cages, and maintaining logs of physical access to hardware that allows for event reconstruction;
- Log system events including, at a minimum, access and alterations made to the audit trail systems by the systems or by an unauthorized user, and all system administrator functions performed on the systems; and
- Maintain records produced as part of the audit trail for a period of ten years
The cyber security program is also required to have adequate cyber security personnel to carry out all the necessary cyber security functions, including obtaining necessary training, and taking steps to stay abreast of changing cyber security threats and countermeasures.
Business continuity and disaster recovery plan
Each licensee is required under the proposed new role to establish and maintain a written business continuity and disaster recovery (BCDR) plan. The BCDR plan must include the following:
- Identification of documents, data, facilities, infrastructure, personnel, and competencies essential to the continued operations of the licensee’s business
- Identification of the supervisory personnel responsible for implementing each aspect of the BCDR plan
- A plan to communicate with essential persons in the event of an emergency or other disruption to the operations of the licensee, including employees, counterparties, regulatory authorities, data and communication providers, disaster recovery specialists, and any other persons essential to the recovery of documentation and data and the resumption of operations
- Procedures for the maintenance of back-up facilities, systems, and infrastructure as well as alternative staffing and other resources to enable the timely recovery of data and documentation and to resume operations as soon as reasonably possible
- Procedures for the back-up or copying, with sufficient frequency, of documents and data essential to the operations of the licensee and storing of the information off-site; and
- Identification of third parties who are necessary to the continued operations of the licensee’s business
As referenced above, the proposed regulations were published in the New York State Register on July 23, 2014, initiating a 45-day public comment period under the New York State Administrative Procedures Act (SAPA). Should you have insight or opinion to offer to the DFS, submit your comments pursuant to the SAPA by Sept.5, 2014.