Why it matters

The New York Department of Financial Services (DFS) released the final regulations for the much-anticipated BitLicense, the first state regulatory regime designed specifically for virtual/digital currency business activities. Although the final version of the regulation contains several changes from the February 2015 proposal, the changes fell short of what the digital currency community had requested. Most important, the final version does not require virtual currency firms to file suspicious activity reports with both the DFS and the Financial Crimes Enforcement Network if they are already filing such reports with the latter. In addition, as noted by DFS Superintendent Benjamin Lawsky in his statement unveiling the final regulation, a company will not need to seek regulatory approval every time it makes a change to its business model or product offering, such as a standard software or app update. Regulatory approval will be required only for material new products, services or activities or for material changes to existing products, services or activities. Other requirements in the February proposal remained unchanged—such as capital, consumer protection and cybersecurity regulations, as well as the limited “on ramp” option for smaller startups that cannot afford the full licensing program. “This is a critical and exciting time in the broader evolution of the payments system,” Lawsky stated. “Virtual currency is a novel field for regulators, and everyone—including our office—must be willing to take a hard look at how these new rules are working when they are put into practice.”

Detailed discussion

The original version of the BitLicense proposal announced last summer by the DFS, New York’s financial services regulator, set out the first comprehensive framework developed especially for licensing and regulating virtual currencies business activities. It met a firestorm of comments from the digital currency community and was followed earlier this year with a substantially revised proposal that generated many fewer comments. The final regulation announced on June 6 contained only a handful of substantive changes, which Superintendent Lawsky characterized as not “the type of major changes that we saw in the last round.”

The regulations require a person to seek a BitLicense before engaging in any one of five different types of activities in New York or involving New York residents: (1) receiving virtual currency for transmission or transmitting virtual currency (with an exception for nonfinancial transactions involving only a nominal amount of the virtual currency); (2) storing, holding or maintaining custody or control of virtual currency on behalf of others; (3) buying or selling virtual currency as a customer business; (4) performing exchange services (including the conversion of currency or other value into virtual currency and vice versa and the conversion of one form of virtual currency into another); and (5) controlling, administering or issuing a virtual currency (excepting virtual currency miners).

Covered entities are subject to a myriad of requirements for the initial BitLicense application as well as ongoing compliance, including a robust anti-money laundering (AML) compliance program, the imposition of certain Bank Secrecy Act (BSA) reporting and recordkeeping requirements that may not otherwise be applicable, advertising and marketing requirements, a cybersecurity program, business continuity and disaster recovery planning, and a customer complaint process and consumer protections intended, among other things, to ensure that customers are provided with “clear and concise” disclosures about the risks of virtual currency.

Earlier this year, the DFS modified the original proposal based on public comments to add a two-year transitional “on ramp” for startups in the form of a conditional license. The requirements for the conditional license are more flexible than the regular requirements, with the DFS having greater discretion in applying capital and other requirements to applicants (which do not need to be just startups).

The final regulation also reflects a reduction in the reporting requirements. Licensees that file suspicious activity reports (SARs) with the Financial Crimes Enforcement Network (FinCEN) do not have to file duplicate SARs with the DFS. (Other licensees not subject to the SAR requirement will need to file SARs with the DFS.) “Our goal is to avoid duplication where possible,” Superintendent Lawsky clarified. He acknowledged that “we generally already have access to that information when we need it through information sharing arrangements with federal regulators.”

In prepared remarks at the BITS Emerging Payments Forum, Lawsky pointed out that firms are not required to obtain prior approval for each round of venture capital funding (unless the investor intends to oversee the company’s management and policies as a “control person”). He also noted that entities that want both a BitLicense and a money transmitter license need only submit a single application if they can satisfy the requirements for both.

Commenting on when a licensee would need to seek prior approval before making a material change, Lawsky said, “A good example of a material change would be if a firm that was licensed as a wallet service decided to begin offering exchange services.” He added, “We have no interest in micro-managing minor app updates. We’re not Apple.”

Software developers can also breathe easier, Lawsky added, as the DFS has no interest in regulating their business. Only financial intermediaries—those holding customer funds—must apply for a BitLicense, he said, based on “the need for heightened regulatory scrutiny to help ensure that a customer’s money does not just disappear into a black hole.”

Lawsky noted that “setting the exact contours of the new rules of the road in these areas is extraordinarily difficult,” and that regulators “are not always going to get the balance precisely right,” but “we need to begin somewhere.”

Although commentary on the final rules was mixed at best, much of it did not reflect a good understanding of how other financial intermediaries are already being regulated, at least in New York. For example, Peter Van Valkenburgh, director of research at Bitcoin advocacy organization Coin Center, in commenting on how “[t]he final BitLicense still creates a lopsided regime as between digital currency businesses and traditional money transmitters and banks,” told The Hill, “It has cybersecurity and state-level anti-money laundering requirements that will not and have never applied to the legacy payments industry.”

However, banks and money transmitters in New York and other states are already subject to full AML recordkeeping and reporting requirements like those being imposed by the DFS under the federal Bank Secrecy Act and they are all subject to increasingly demanding regulatory expectations with respect to cybersecurity efforts.

To read the final BitLicense regulations, click here.

To read Superintendent Lawsky’s prepared remarks, click here.