

On July 17 2014 the New York State Department of Financial Services (DFS) issued for public comment its proposed 'BitLicense' regulatory framework(1) and an accompanying press release.(2) The release of the proposed regulations follows the announcement on March 11 2014 that the DFS would consider proposals and applications in connection with the establishment of virtual currency exchanges in New York.(3)

The proposed regulations would require new licences for any business engaged in "virtual currency business activity" and impose new requirements in connection with consumer protection, anti-money laundering and cybersecurity, as well as certain other obligations. While some have applauded the DFS's efforts to bring virtual currency activities into the mainstream of financial regulation, the breadth and detail of the regulations go well beyond traditional money transmitter licensing and will pose substantial challenges to companies attempting to offer new virtual currency-related businesses in New York. This update outlines some of the most significant aspects of the regulations.


Under the regulations, 'virtual currency business activities' are broadly defined to include:

  • receiving or transmitting virtual currency;(4)
  • securing, storing, holding or maintaining custody or control of virtual currency on behalf of others;
  • buying and selling virtual currency as a customer business (as distinct from personal use);(5)
  • converting virtual currency to legal tender (or vice versa) or one virtual currency to another; and
  • controlling, administering or issuing a virtual currency.(6)

However, the regulations will not apply to either:

  • parties that are chartered under the New York Banking Law to conduct exchange services and that the DFS has approved to engage in a virtual currency business activity; or
  • merchants and consumers that use virtual currency "solely for the purchase or sale of goods or services".

There is no express exemption for companies already licensed to engage in money transmission in New York or even for banks. Moreover, unlike in traditional money transmission licensing regimes, agents of the licensee must be separately licensed.

Any entity that engages in virtual currency business activities will need to be licensed and will be subject to detailed requirements related to compliance, consumer protection, capital, asset protection, examination and supervision, change in control, recordkeeping and reporting, anti-money laundering, cybersecurity and business continuity.

Application processing

The regulations require substantial information about the proposed licensee, its business plans, financing, directors, officers and investors; but the requested information is largely consistent with information required for similar licences. Although the regulations promise action on applications within 90 days of completion, applicants should plan on an extended period of give and take with the DFS before an application is deemed sufficiently complete to start the clock. In addition, licensees will be required to obtain the DFS's approval of each new product, service, activity or material change to an existing product.

Consumer protection

The regulations attempt to extend traditional money transmission requirements with respect to custody and collateralisation of customer assets, without addressing any of the unique aspects of virtual currency activities. For example, licensees must hold virtual currency in the same type and amount as that which is owed to another person. This raises the question of what it means to owe a decentralised virtual currency such as bitcoin to another person, and whether 'holding' the currency would mean anything more than maintaining control of the codes that gave rise to the collateralisation obligation in the first place. Regardless, as with traditional money transmitters, virtual currency licensees will also be required to maintain US dollar bonding or trust funds and capital, in each case in an undefined amount.

Other consumer protections include mandatory disclosures, receipts requirements, fraud prevention mandates and consumer complaint policies. Before entering into a transaction with a customer for the first time, licensees must provide a virtual 'Miranda warning' disclosing all material risks(7) associated with their activities and all relevant terms and conditions associated with their products and services.

Anti-money laundering compliance

Anti-money laundering programme
The development and implementation of an acceptable anti-money laundering programme is a critical element of the regulations. Among other things, licensees must conduct an initial risk assessment and develop a written anti-money laundering policy which is reviewed and approved by the licensee's board of directors, and must designate someone responsible for coordinating day-to-day compliance with the programme.

Records of virtual currency transactions
Of particular interest to participants in the virtual currency ecosystem is that the DFS would require licensees to maintain the following information for all of their transactions involving virtual currency:

  • the identities and addresses of the parties involved;
  • the amount or value of the transaction, including the denominations used and the method of payment;
  • the date(s) on which the transaction was initiated and completed; and
  • a description of the transaction.

Large transaction reporting
Licensees must also notify the DFS within 24 hours if they are involved in a transaction or series of transactions concluded in one day, by one person, exceeding $10,000 in the aggregate.

Reporting illegal or suspicious activity
Each licensee must monitor for transactions that might signify money laundering, tax evasion or other illegal activity and notify the DFS immediately upon detection of such transactions. If required by federal law, a licensee must file a suspicious activity report; otherwise, if a licensee discovers suspicious activity that indicates a possible violation of law and is not required to file a suspicious activity report, it must file a report, in a form determined by the DFS, within 30 days of the discovery.(8)

Customer identification programme
When opening an account for a customer, licensees must:

  • verify a customer's identity, to the extent reasonable and practicable;
  • maintain records of the information used to verify such identity, including name, physical address and other identifying information; and
  • check customers against the Specially Designated Nationals list maintained by the Office of Foreign Assets Control.

Cybersecurity programme

A unique aspect of the regulations is that they would require each licensee to establish a cybersecurity programme designed to:

  • identify internal and external cyber-risks;
  • protect the licensee's systems from unauthorised or malicious acts;
  • detect system intrusions and data breaches;(9)
  • respond to any breaches; and
  • recover from such breaches.

Licensees must submit an annual report to the DFS that assesses, among other things, the licensee's cybersecurity programme. Additionally, among other safeguards, the licensee should conduct annual penetration testing and quarterly vulnerability assessments of its electronic systems. More intrusively, the regulations require that "an independent, qualified third party conduct a source code review of any internally developed proprietary software used in the Licensee's business operations, at least annually".

Other requirements

Capital requirements
The DFS will impose capital requirements based on:

  • a licensee's total assets and liabilities;
  • the actual and expected volume of its virtual currency business;
  • whether it is already subject to DFS review;
  • its leverage;
  • its liquidity position; and
  • the extent to which it provides additional financial protection to customers through a trust account or bond.

Moreover, licensees may invest retained earnings only in certain investment-grade instruments.

Compliance officer
Licensees must designate a compliance officer responsible for coordinating compliance with the regulations and all other applicable law.

Books and records
Licensees must maintain certain books and records, including:

  • transaction information;
  • certain financial information and statements;
  • records or minutes of the licensee's governing body;
  • records documenting legal compliance (including records documenting customer identification, records linking customers to their respective accounts and balances and records of all compliance breaches); and
  • documents relating to investigations of customer complaints and anything else that the DFS may require.

Licensees must maintain records of all incomplete, outstanding or inactive virtual currency accounts or transactions for at least five years after any related virtual currency is deemed to be abandoned property under New York law.

Reports and financial disclosures
Each licensee must submit quarterly financial statements and audited annual financial statements to the DFS.

Business continuity and disaster recovery
Licensees must maintain a business continuity and disaster recovery plan reasonably designed to ensure the functionality of their services in the event of an emergency or other disruption. Licensees also must notify the DFS of any emergency or disruption that may affect their ability to fulfil their regulatory obligations or that may have a significant adverse effect on a licensee, its counterparties or the market.

A party already engaged in a virtual currency business activity must apply for a licence within 45 days of the effective date of the regulations. The DFS must issue or deny a licence within 90 days of filing of any completed application.

Comment period

The DFS published the regulations in the New York State Register's July 23 2014 edition.(10) The public may submit comments for 45 days after publication, although a number of commenters have already requested an extension of this deadline.

For further information on this topic please contact David E Teitelbaum or Joel D Feinberg at Sidley Austin LLP by telephone (+1 202 736 8000) or fax (+1 202 736 8711).


(1) Available at

(2) Available at

(3) Available at

(4) Although the DFS press release refers to entities "receiving or transmitting virtual currency on behalf of consumers", the regulations themselves do not include the 'on behalf of consumers' qualifier.

(5) Since converting virtual currency is separately covered, the broad reference to buying and selling virtual currency as a customer business creates substantial ambiguity as to what entities may be captured by the regulations due to their purchase and sale of virtual currencies, such as bitcoin. Additionally, while the DFS press release clarifies that this activity is "as distinct from personal use", the regulations themselves do not include this qualifier.

(6) The DFS press release clarifies that "controlling, administering, or issuing" a virtual currency does not "refer to virtual currency miners". However, this is not specified in the text of the regulations.

(7) For example, among other required disclosures of material risks, the regulations require disclosures stating that:

  • virtual currency is not legal tender and the customer's account is not guaranteed by the Federal Deposit Insurance Corporation or the Securities Investor Protection Corporation;
  • transactions in virtual currency are generally irreversible and losses due to fraud or accidental transactions may not be recoverable;
  • some transactions are deemed to be made when recorded on a 'block chain' ledger rather than when the customer first initiates the transaction; and
  • volatility in the virtual currency exchange rate may result in significant loss or tax liability.

(8) Additionally, continuing suspicious activity must be reviewed on an ongoing basis and a corresponding report filed within 120 days of the last filing describing the continuing activity.

(9) The regulations define 'cybersecurity events' to include unsuccessful attacks.

(10) Available at