To address the need for uniformity in state regulation of virtual currencies, a drafting committee (the Committee) of the Uniform Law Commission (ULC)1 has been working on a proposed uniform state Regulation of Virtual Currency Businesses Act (the Act).2 On February 19-21, the Committee met in Palo Alto, California, to discuss a revised draft of the Act. The Committee’s stated mission is to “harmonize” state-level regulation of virtual currencies “[i]n the absence of an overarching federal payments regulatory framework.”3
There are significant open items in the Act, and there was a robust discussion of critical policy and practical issues during the February meeting, which was attended by Commissioners as well as Observers representing government and industry interests. Still, the Committee maintains its goal of producing a finished product in time for adoption at the full ULC annual meeting over July 8-14. Accordingly, the Committee remains on an accelerated drafting schedule, with a new draft expected in time for discussion at its next meeting over April 2-3 in Chicago. Interested parties are urged to submit comments to the Committee as quickly as possible to maximize the likelihood of their being considered during the drafting process.
Among the topics addressed at the drafting meeting were (i) some of the most fundamental policy questions in the Act, such as the basic definitions of “virtual currency” and “virtual currency business activity,” (ii) the availability of exemptions for certain otherwise regulated entities such as securities broker-dealers, (iii) questions of consistency with other laws on basic questions such as what constitutes an “unfair or deceptive practice,” (iv) questions of regulatory burden, particularly for inherently interstate services, (v) licensing and reporting requirements and (vi) a number of items intentionally left open by the Reporter, including whether to include an “on-ramp” to regulation for startups and/or certain existing businesses, what requirements (if any) should be imposed with respect to business continuity/disaster recovery plans and cybersecurity monitoring programs and how to address permissible investments or reserves in the context of a virtual currency business.
This Update summarizes the Act Article by Article and also highlights some of the substantive points likely to interest our clients, some of the significant changes from the prior draft and some drafting directions that the next version likely will take based on the discussion at the February meeting.
Content of the Act
Article I,4 “General Provisions,” sets forth the scope of the Act (Section 102), the controlling definitions (Section 103) and the exemptions (Section 104).
Scope. The “scope” section is new and very broad. It provides that the Act is intended to govern businesses that “offer ... services and products that assist residents [of the adopting state]” to deal in virtual currency. § 102(d) (emphasis added). This language arguably extends the intended scope beyond businesses that provide specific types of intermediary services in specified types of virtual currency transactions — merely “assisting” residents would be sufficient to trigger application of the Act. Similarly5, the use of the term “offer,” which is repeated throughout the “scope” section, could be misinterpreted to apply to entities involved in the marketing of virtual currency services provided by others. The scope section risks creating uncertainty as to the Act’s intended coverage, because the operative definitions and substantive provisions are not written as broadly. If the scope section cannot be appropriately tailored, it might be better to eliminate or simplify it instead of risking the creation of ambiguity as to the proper interpretation of the operative provisions that follow.
Definitions. The definitions section, Section 103, is critical, and it has undergone significant change since the initial draft. First, although the definition of “virtual currency” itself did not change materially from the prior draft’s definition of “digital currency,”6 the definition was one of the most hotly contested provisions during the February meeting. Aside from drafting questions, such as the circularity of an exclusion for “digital units of value” purchased for use other than in a “virtual currency business activity,” participants questioned the complexity of the definition as well as variances from definitions of virtual currency in other regulatory regimes. While no final drafting was done at the meeting, this definition is expected to be substantially simplified in the coming redraft.
The definition of “virtual currency business activity” was expanded significantly and was the subject of extensive discussion. Here too, the view was expressed that the complicated definition, with numerous subparts and exceptions, should be narrowed significantly to focus on three fundamental activities: storing, transferring or exchanging virtual currency. Even those simple concepts are not without controversy, however, as the definition of “transfer” in the current draft includes the “change in ... power to ... prevent a transaction of virtual currency or of credentials.” § 103(19) (emphasis added). As a result, the proposed definition of virtual currency business activity would include custodians of credentials for purposes of multisignature arrangements. § 103(25)(C)–(E). Although there are questions whether the mere power to prevent a transfer from occurring should be equated with the power to actually “transfer” virtual currency in the plain meaning of the term, the consensus was that the “unilateral right” to transfer or prevent transfer should be regulated.
Other notable changes to the definition of virtual currency business activity include a de minimisexception for transferring, or receiving for transfer, no more than a bracketed “nominal amount” or a “nominal number” of transactions, an exception generally supported by the industry.7 § 103(25)(C)(ii). In contrast, the proposed addition of coverage for holding “e-precious metals or e-certificates of precious metals” or “issuing shares or e-certificates representing interests in precious metals” raises significant issues, including the potential overlap of commodities regulation. § 103(25)(G). It appears unlikely that this change will survive into the next draft, while express carve-outs for obtaining virtual currency for investment purposes or to purchase consumer goods are more likely to remain. § 103(25)(ii)–(iii).
A bracketed carve-out for state trust companies remains a topic of significant debate, as some commentors questioned the appropriateness of interstate mechanisms for coordination of trust company regulation in connection with virtual currency businesses.8 § 103(25)([iv]). This contrasts with the general acceptance of the exemption for “banks” at Section 104 of the Act, a term from which trust companies would be excluded under a bracketed provision of the “bank” definition at Section 103. § 103(2).
Controversies regarding other definitions have potential ramifications far beyond the Act itself. In particular, the draft Act contains definitions of “unfair or deceptive practice” and “unsafe or unsound practice” that set forth expansive standards not previously seen in other definitions of these terms. The Act would define a practice as “unfair or deceptive” if it “poses more than nominal risks to users other than market risks,” § 103(21)(emphasis added), an exceptionally low standard that lacks any of the qualifications that appear in other definitions of the term, such as the one used by the Federal Trade Commission. Similarly, the “more than nominal” standard also is used in the Act’s definition of an “unsafe or unsound practice”: conduct “that may pose more than nominal financial risk other than market risk to the licensee or to its users’ ability to redeem ... virtual currency.” § 103(22)(emphasis added). Not only is “nominal risk” an inappropriately low threshold, but it offers no further qualification relating risks and consequences or consideration of mitigating controls used to manage risk. This stands in contrast, for example, to the standard used by the Federal Deposit Insurance Corporation: “Generally speaking, an unsafe or unsound practice embraces any action, or lack of action, which is contrary to generally accepted standards of prudent operation, the possible consequences of which, if continued, would result in abnormal risk of loss or damage to an institution, its shareholders, or the insurance fund administered by the FDIC.” FDIC, Bank Compliance Guide Policy-Manual § 15.1, Bk. Compl. Gd. 63,12,831 (CCH) (2015). During the Committee meeting there was general acknowledgement that such novel definitions were inappropriate, so it seems unlikely that they will survive into the next draft. Nonetheless, all financial institutions, regardless of whether they plan to engage in virtual currency businesses, should pay close attention to this development, since new definitions in a model law may be cited in interpreting similar language in other statutes.
Exemptions. Turning to the express exemptions from the Act in Section 104, we note that the current draft deletes the express exemption from the prior draft for commodities boards, clearing agencies and futures commission merchants regulated under the Commodity Exchange Act, and securities clearing and settlement agencies and broker-dealers regulated under the Securities Exchange Act of 1934. The current version of the Act instead exempts “any transfer or transaction any part of which is governed by the Electronic Fund Transfers Act of 1978 ..., the Securities Exchange Act of 1934 ..., or the Commodities [sic] Exchange Act of 1936.” § 104. The switch from an entity-based exemption to a transaction-based exemption would significantly affect these otherwise heavily regulated entities, which may engage in virtual currency transactions that are not directly subject to the referenced statutes. Following discussion of this issue at the meeting, it appears likely that the exemptions will be restored, but interested parties may wish to submit comments on this point.
Article 2, “Licensure,” governs the license application (Sections 202 and 205), reciprocal licensing (Section 203), security (Section 204), renewal (Section 206) and net worth requirements (Section 207). Article 2 contains the Act’s endorsement of the Nationwide Mortgage Licensing and Registry (NMLS) to allow for coordination of multistate licensing in states that choose to enable NMLS registration generally. § 202([a]). Article 2 preserves the concept of reciprocity in state licensing, a critical step in making state-based licensing regimes more manageable for the industry, although the details may benefit from further discussion.
The Act provides for provisional licensing in several alternative licensing provisions, “provided that no provisional operation permission may be treated as [t]he equivalent of a property interest.” § 203, Alternative A(b); Alternative B(b); Alternative C(d). The net worth requirements for licensees do not set forth a proposed net worth amount, but the Reporter’s comment to the section raises the possibility of “allowing a portion of net worth requirements in virtual currency” to accommodate startup companies, noting the difficulty of meeting a net worth requirement for startups.
Article 2 contains certain provisions that may be onerous for licensees. For example, in addition to standard officer, director and shareholder background reports and fingerprints, applicants must include a list of server locations with their applications. § 202(a)(3), (a)(11). Despite the statement in the comments that “[t]his act should not micromanage virtual currency businesses because of the fact that added costs discourage entry and innovation,” applicants also are expected to provide their background and business plans in minute detail. See, e.g., § 202(a)(4) (requiring in the application “a description of the proposed, current, and historical business(es) of the applicant for the past ten (10) years, if applicable, including reasonable detail on the products and services provided and to be provided, all associated website addresses, the principal place of business, the projected user base, together with specific marketing targets, and the location(s) of any current or proposed database server(s)”).
The renewal process is also elaborate and may be administratively burdensome. For example, renewal requires “proof” of maintenance of permissible investments, adequate security and net worth, as opposed to a standard required submission of a certificate, accompanied by additional details that presumably would have been reviewed by the supervisory agency during ordinary course examinations. § 206(b)(5)–(7). Renewal appears to be biennial, though references to submission of an “annual” report and fee make this ambiguous. See § 206(a). In addition, the possibility of reciprocal renewals has been removed, which may be a drafting oversight given the Act’s general expansion of reciprocal licensing, while provisions for renewal via NMLS are included. See § 206(b).
While some of the burdens of the licensing process are consistent with those imposed in other licensing regimes, others appear to further increase the requirements on virtual currency business licensees. These were discussed at length at the Committee meeting, but it remains unclear what changes may be made. Interested parties may wish to comment on specific elements of the proposed processes that they view as problematic.
Article 3, “Examinations; Reports; Records,” governs the authority to conduct examinations (Section 301), cooperation and data sharing (Section 302), interim reports and changes in control (Section 303), recordkeeping (Section 304) and confidentiality (Section 305). Cooperation among state regulators is now mandatory under the Act “absent good cause shown to the contrary.” § 302(b). Regulators must cooperate to establish a “central depository” for filings, “cooperate in the development and implementation of” uniform forms and applications, conduct joint administrative hearings and civil actions, and formulate joint regulations, policies, releases, opinions and other guidance. § 302(b).
Virtual currency businesses are subject to extensive interim reports, which may be administratively burdensome. For example, the following changes require 15 days’ notice: the change in the physical location of any entity providing cloud computing or “software as a service” (SAAS); the engagement of any new entity providing cloud computing or SAAS (such notice to include the entity’s server locations); and any change in licensee server location, without regard to whether the server is under the licensee’s exclusive control, as in the prior draft. § 303(b).
The Act’s change in control provisions require a detailed notice and application in advance of the transaction. § 303(c)–(d). The provisions refer inconsistently to acquisitions of “substantially all,” a “substantial part” and a “substantial portion” of a business, which may create uncertainty as to the scope of coverage of asset sales. See, e.g., §§ 303(c)(2), (d), (d)(1).
The Act imposes substantial recordkeeping requirements on licensees for a three-year period (in brackets), including the extraordinary requirement to maintain “cryptographic credentials used by the user to authorize the transaction, ... or other information used to authorize the transaction.” § 304(a)(1). That phrase that could be read to include a user’s private keys and therefore is unworkable as written. Another unusual requirement is that records be preserved in the same form as originally made, which would seem to interfere with normal recordkeeping processes that often involve shifting records through evolving formats over time. See § 304(b). Indeed, to the extent that an original record is created in paper form, the provision appears in conflict with the Federal Electronic Signatures in Global and National Commerce Act (E-Sign Act), which affirmatively grants legal equivalence to most electronic records.
Eliminating overlap with federal requirements, the current version of the Act has removed requirements that licensees file anti-money laundering reports. See § 305 cmt.
Article 4, “Permissible Investments,” i.e., investments that must be held against outstanding virtual currency, was simply reserved in the current draft. At the meeting, there was active discussion of whether control of virtual currencies should be considered “custodial” and maintained separately from the assets of the provider and isolated from the provider’s creditors. In such case, “permissible investments” would play a much more limited role than they do in certain money transmission models. No final decision regarding the best approach to permissible investments was reached at the meeting.
Article 5, “Enforcement,” governs suspension and revocation (Section 501), cease and desist orders (Section 502) and civil money penalties (Section 503). Licenses are subject to suspension or revocation upon notice and a hearing on grounds of fraud, insolvency or where the licensee “engages in any [material] unsafe or unsound act or practice,” among other things. See § 503(3)–(4), (7). Interested parties may wish to comment that the materiality qualifier should be retained. State regulators would be granted the ability to impose a civil money penalty for violation of “a material provision of a federal statute, regulation, or order applicable to virtual currency business activity or otherwise applicable to [the licensee’s] business,” effectively localizing the enforcement of all applicable federal law, not just specific financial service regulations. § 504(a).
Article 6, “Administrative Procedures and Powers,” provides generally that administrative proceedings must be conducted in accordance with the state’s administrative procedures act and that enforcement remedies generally must be imposed only after notice and a hearing. §§ 601–602.
Article 7, “Content and Form of Disclosures and User Protections,” governs required disclosures (Section 701) and user protection policies and procedures (Section 702). Consumers are entitled to at least 30 days’ notice of any change in fee schedule, terms and conditions, or policies. § 701(b)(8). The Act contains a receipt requirement that appears to perpetuate the unnecessarily burdensome elements of some state money transmission statutes, requiring the printing of contact information for each state regulator on each receipt; this means that a licensee must generate a different receipt for transactions occurring in different states. § 701(f)(3). The current version of the Act has removed some of the requirements that licensees notify users of the volatility and unpredictability of the virtual currency exchange business.
The Act requires that licensees maintain “user protection policies and procedures” and make those policies and procedures available to the public. The provision goes on, however, to state that “[t]he policies and procedures required by this section shall include any action or system of records required to comply with the provisions of this [act] or applicable material provision of federal or [state or jurisdiction] statute, regulation, or order applicable to the licensee or the virtual currency business activity(ies) in which the licensee engages….” § 702(a). Read literally, this broad public disclosure requirement would extend a wide range of confidential internal policies and procedures, including, for example, a licensee’s internal anti-money laundering and fraud prevention policies and controls. Presumably this result was unintended and will need to be corrected in future drafts.
User protection policies and procedures may be changed only on 14 days’ notice to the regulator, unless an emergency requires otherwise. § 702(c). End users are entitled to 30 days’ notice of any change to “dispute resolution, complaint filing, or reports of unauthorized, mistaken, or accidental transfers or transactions.” § 702(d).
At the Committee meeting, there was discussion of whether there should be private rights of action to enforce any provisions of the Act. While this topic remains subject to debate, advocates suggested that private rights be granted primarily to enforce the consumer disclosure obligations of Article 7.
Article 8, “Cybersecurity Programs and Monitoring; Business Continuity and Disaster Recovery Programs,” is reserved. This Article remains open. The Reporter will be reviewing requirements from other regulatory schemes to avoid creating new obligations from scratch.
Article 9, “Compliance Policy,” provides that licensees “shall maintain and enforce in a record compliance policies required by any other Article of” the Act. § 901.
Article 10, “Miscellaneous Provisions,”
includes provisions relating to the E-Sign Act (Section 1002) and “savings and transition” (Section 1006). The Act purports to “modif[y], limit and supersede” the E-Sign Act, which permits modification of normal preemption principles by state law in certain circumstances. § 1002. However, it is not clear that this modification is necessary or appropriate or even whether it is effective. See 15 U.S.C. § 7002 (limiting the types of state statutes that may avoid preemption under the E-Sign Act).
Section 1006 applies to businesses with effective money transmitter licenses as of the effective date of the Act. Any such business that notifies the regulator that it intends to engage in virtual currency business activities is deemed to have applied for and received a virtual currency license.
Because the drafting of the Act remains in flux, interested parties can still provide input on a wide range of topics. However, in view of the July 2016 goal for completion, the window for comment is rapidly closing. Accordingly, interested parties may wish to monitor and/or become involved in the Committee’s activities as it continues its work in the coming weeks.