The New York State Department of Financial Services ("DFS") recently became the first state regulator to propose a regulatory framework for the bitcoin virtual currency industry. DFS posted its "Regulation of the Conduct of Virtual Currency Business" on its website, as well as on the social media websites Reddit and Twitter, forums utilized by many bitcoin stakeholders. Given New York's historical role as a clearinghouse for financial and currency transactions, DFS's broad regulatory purview as New York's main financial regulator, and the high-profile initiatives and enforcement actions this new regulator has pursued since opening its doors in October 2011, it is no surprise that DFS is at the forefront in attempting to regulate bitcoin.
At the core of DFS's proposed regulation is a licensing requirement—the "BitLicense"—for virtual currency firms operating in New York. Under DFS's proposal, firms subject to the licensing requirement must comply with rules regarding consumer protections, capital requirements, anti-money laundering, and cyber security. Notably, DFS's proposed rules are designed for virtual currency businesses. As stated in its official Notice of Proposed Rule Making, the purpose of DFS's proposal is to "protect New York consumers and users" and to "ensure the safety and soundness" of businesses providing virtual currency products and services in New York.
Virtual Currency Developments in the Past Year
Since our November 2013 article regarding bitcoin and DFS,significant developments have occurred in the nascent virtual currency industry. In January 2014, for example, federal prosecutors in New York seized almost 30,000 bitcoins, worth approximately $28 million at the time, from the servers of Silk Road, an online black market site.Transactions on Silk Road are alleged to have occurred entirely in the virtual currency, which allows users to remain anonymous. A few days later, a prominent bitcoin advocate, Charlie Shrem, was indicted by a federal grand jury in New York on charges of running a "bitcoin-laundering scheme" through Silk Road. In February 2014, Japan's Mt. Gox, once the largest bitcoin exchange, announced that its network systems had been hacked, resulting in the loss of approximately 850,000 of its customers' bitcoins, and about 100,000 of its own, which had a combined value of about $500 million. In March 2014, the Internal Revenue Service pronounced that for U.S. federal tax purposes, virtual currency is treated as property, not currency. Because this ruling has significant implications for when and how a taxpayer should report any gain or loss on transactions involving virtual currency, some commentators have suggested that it could reduce the volume of virtual currency business. And in April 2014, the Chinese government ordered commercial banks and payment firms to shut down all bitcoin trading accounts.
While these reports, and the recent volatility of bitcoin's price, suggest that the bitcoin market is incurring some growing pains, there are other signs that it has begun to mature and stabilize. In May 2014, a pair of prominent bitcoin investors disclosed in a regulatory filing their intent to list a bitcoin exchange-traded fund on the Nasdaq stock exchange. In June 2014, the State of California repealed a state law prohibiting commerce using anything but U.S. currency. California businesses may now accept virtual currencies as a form of payment. In July 2014, the European Banking Authority warned banks that they should not buy, hold, or sell virtual currencies until regulators develop adequate safeguards. Significantly, a handful of major retailers have recently announced that they would take bitcoin as a form of payment, and real estate deals in excess of a million dollars have reportedly been completed solely with the virtual currency.
These developments have shaped the marketplace within which bitcoin firms operate. For virtual currency businesses, however, DFS's regulatory action may have the greatest impact.
Scope of the Licensing Requirement. The centerpiece of DFS's proposed bitcoin regulations is the "BitLicense," an idea which DFS introduced in November 2013. In order to engage in "virtual currency business activity" involving New York, a firm would be required to obtain a license from DFS. A BitLicense would be required to:
- receive or transmit virtual currency on behalf of consumers;
- secure, store, or maintain custody or control of such virtual currency on behalf of customers;
- perform retail conversion services;
- buy and sell virtual currency as a customer business; and
- control, administer, or issue virtual currency.
DFS's proposed regulation would exempt three types of entities from the licensing requirement: (1) merchants and consumers, (2) virtual currency "miners," and (3) firms approved under New York law to conduct exchange services and to engage in virtual currency business activity.
The BitLicense Application. To obtain a BitLicense, a firm must submit an application and an application fee to DFS. The application must include, among other things:
- for each principal director, officer, shareholder, and beneficiary, detailed biographical information, a background report, and a complete set of fingerprints;
- a detailed business plan;
- current and projected financial statements; and
- "an explanation of the methodologies used to calculate the value of Virtual Currency in Fiat Currency," that is, currency issued and designated by a government as legal tender.
DFS must approve or deny each application within 90 days of filing a complete application. Once issued, the BitLicense remains effective until surrendered by the licensee or revoked or suspended by DFS.DFS may revoke or suspend a BitLicense, for example, for a violation of any provision of the proposed regulations.
A firm with a BitLicense must obtain DFS's prior approval before taking any action that may result in a material change to an existing product or service or that may result in a change of control of the licensed firm or its assets.
Compliance, Capital, and Examination Requirements
DFS's proposed bitcoin regulations set out detailed requirements for compliance, capital, books and records, and reporting.
Compliance Requirements. To ensure compliance with all applicable federal and state laws, rules, and regulations, a virtual currency firm will be required to designate a compliance officer and to maintain written compliance policies reviewed and approved by its governing body.The firm's compliance policies must include policies regarding antifraud, anti-money laundering, cyber security, data privacy, and information security.
Capital Requirements. DFS's proposed regulations require virtual currency firms to maintain capital in levels sufficient to maintain the firm's financial stability. DFS will determine a licensee's capital requirements based on a variety of factors, such as the volume of the firm's virtual currency business, the amount of leverage used by the firm, and the firm's liquidity position. Furthermore, the proposed rules restrict a firm's investment of retained earnings to certain types of low-risk investments, such as U.S. government securities, with maturities of up to one year.
Books and Records. For at least ten years, each firm must keep books and records, including information regarding each and every transaction, bank statements, minutes of board meetings, compliance records, including customer identification documents, and documentation of consumer complaints. At DFS's request, each licensed firm must provide immediate access to all of its facilities and records.
Reporting Requirements and Regular Examinations. Each virtual currency firm must submit quarterly and audited annual financial statements to DFS. Notably, each licensee must notify DFS in writing of any proposed change to the methodology used by the firm to calculate the value of virtual currency in fiat currency. Whenever DFS deems necessary, and at least every two years, DFS shall examine a virtual currency firm's financial condition, safety and soundness, management policies, compliance with laws and regulations, and any activities outside of New York State affecting the firm's New York business.
DFS's proposed regulatory framework requires virtual currency firms to establish and maintain an anti-money-laundering program ("AML").The firm's governing body must review and approve a written AML policy, and the firm must designate an individual as responsible for overseeing and enforcing the firm's AML program. At a minimum, a licensee's AML program will include internal policies and procedures and ongoing training for appropriate personnel to ensure compliance with AML laws. As part of its AML program, each firm must keep detailed records for each transaction involving virtual currency, including the identity of the parties involved and the precise time of the transaction.
Customer Verification. When opening a new account for a customer, the firm must verify the customer's identity and check it against lists maintained by the U.S. Treasury Department's Office of Foreign Asset Control. For any transaction involving more than $3,000, the licensed firm must require verification of the identity of the account holder initiating the transaction. Additional factors, such as high-risk customers, high-volume accounts, or accounts on which a suspicious activity report has been filed, may require enhanced due diligence. Enhanced due diligence is mandatory for accounts involving foreign entities, and accounts with foreign shell entities are prohibited.
Reporting of Suspected Fraud and Illicit Activity. Firms must monitor transactions for activity that might signify money laundering, tax evasion, or any illegal or criminal activity. The firm must immediately notify DFS upon detection of a suspicious transaction, including any transaction, or series of transactions, exceeding $10,000 by a person in a day.
Cyber Security Requirements
Under DFS's proposed regulations, licensed firms will also be required to implement a cyber security program. Among other things, the firm's cyber security program must address information security, systems and network security, customer data privacy, and business continuity and recovery planning. The proposed rules specifically require the cyber-security program to provide for various "audit functions," including an annual assessment of the vulnerability of its systems; audit trail systems, which allow for the complete and accurate reconstruction of all transactions; and source code reviews by independent third parties. To oversee and enforce its cyber-security program on a day-to-day basis, each firm must designate a Chief Information Security Officer.
Business Continuity and Disaster Recovery Plan. In case a cyber event occurs which disrupts the firm's normal business activities, each licensed firm must have in place a disaster recovery plan to ensure the continuity of services during an emergency. Among other things, the firm's business continuity plan must identify data, facilities, and personnel "essential to the continued operations" of the firm's business as well as procedures for maintaining backup facilities and systems to enable the recovery of data and resumption of operations. Each firm must maintain a copy of its business continuity plan at an off-site location.
DFS's proposed bitcoin regulations also provide protections for customer assets.
Consumer Assets. For the protection of the firm's customers, a licensed firm must maintain a bond or trust account in U.S. dollars in a form and amount acceptable to DFS. The firm must also hold virtual currency "of the same type and amount," which it owes to each customer. DFS's proposed regulations prohibit firms from using or encumbering assets held by the firm on behalf of an account holder.
Consumer Disclosures. Licensed firms must disclose to customers general terms and conditions for doing business with the firm, including the customer's right to monthly account statements, as well as all material risks associated with the firm's products, services, and activities and with virtual currency in general. In disclosing material risks, DFS's proposed rules require the firm to state that virtual currency "is not legal tender," that transactions in virtual currency are "generally irreversible," that virtual currency's value derives from "the continued willingness of market participants to exchange Fiat Currency for Virtual Currency," and that "the nature of Virtual Currency may lead to an increased risk of fraud or cyber attack." A licensed firm must also disclose details specific to each transaction, including the amount of the transaction and any fees charged to the customer.
Consumer Complaint Policies. DFS's proposed regulations require virtual currency firms to establish written policies and procedures pertaining to the resolution of customer complaints. In addition to disclosing the firm's mailing address, email address, and telephone number for receiving complaints, the firm must also provide notice that consumers can contact DFS regarding complaints. Once a transaction is complete, a licensed firm must provide a detailed receipt to its customers.
Advertising and Marketing. In any advertising materials, virtual currency firms must include a legend showing that the firm is licensed by DFS. Licensees must maintain records of all advertising and marketing materials for examination by DFS.
The initial 45-day window for public comment on DFS's proposed BitLicense regulatory framework opened on July 23, 2014, the official publication date of DFS's notice of rulemaking. Members of the virtual currency industry immediately requested additional time to consider and respond to DFS's BitLicense proposal since it is the first of its kind and may serve as a model for other jurisdictions. Some commentators, for example, have argued that the proposed rules are too onerous for small businesses. Instead, they recommend either relaxing the reporting burdens or exempting small virtual currency firms altogether.
In response, DFS has extended the comment period by an additional 45 days. Comments are now due on October 21, 2014. As it currently stands, the proposed regulations require any existing firm that would be subject to the licensing requirement to apply for a BitLicense within 45 days of the effective date of the proposed DFS regulations.