The New York State Department of Financial Services (the “Department”) recently published its proposed rules and regulations (the “Proposed Rules”) for vendors conducting business involving virtual currency.1 The Proposed Rules establish the requirements for the licensing of virtual currency businesses and the ongoing compliance requirements for licensees.2 While the Proposed Rules are designed to protect the public, there is concern within the virtual currency community that the regulations are unduly burdensome and will ultimately erode a key feature of virtual currencies: privacy.
If approved, the Proposed Rules will create a licensing regime that will apply to all businesses that store, control, buy, sell, transfer or exchange virtual currencies in New York or with New York residents. Merchants that accept virtual currencies solely in exchange for goods or services will be exempt. The superintendent of the New York Department of Financial Services (the “Superintendent”), Benjamin Lawsky, has indicated that the aim of the Proposed Rules is to “safeguard customer assets, protect against cyber hacking, and prevent the abuse of virtual currencies for illegal activity, such as money laundering.”3
How the Department Defines Virtual Currency
The Proposed Rules define “virtual currency” as “any type of digital unit that is used as a medium of exchange or a form of digitally stored value or that is incorporated into payment system technology.”4 The term “virtual currency” will be broadly construed to include both centralized and decentralized digital units of exchange and any digital units that can be created or obtained by computing or manufacturing effort. Various forms of digital units that cannot be converted into, or redeemed for, conventional fiat currencies (i.e., government-issued currency that is designated as legal tender in its country of issuance through government decree, regulation, or law such as dollars and euros) will be excluded from the definition of virtual currency.5
The Proposed Rules Only Apply to Virtual Currency Businesses
The Proposed Rules will apply to any person or business engaged in “virtual currency business activities” in New York or involving New York residents (each a “Virtual Currency Business” or “Licensee”).6 The Proposed Rules define Virtual Currency Business Activities to include:
- Receiving for transmission or transmitting virtual currency;
- Securing, storing, holding, or maintaining custody or control of virtual currency on behalf of others;
- Buying and selling Virtual Currency as a customer business;
- Performing retail conversion services, including the conversion or exchange of fiat currency or other value into Virtual Currency; or
- Controlling, administering or issuing a Virtual Currency (other than Virtual Currency miners).7
The Proposed Rules exclude from the licensing requirements entities that are chartered under the New York Banking Law to conduct exchange services and that have been approved by the Department to engage in Virtual Currency Business Activity. The Proposed Rules expressly exclude from the licensing requirements those merchants and consumers engaged in the use of virtual currency solely for the sale and purchase of goods or services.
Under the Proposed Rules anyone engaged in Virtual Currency Business Activity must be licensed in the state of New York. Applications for a license to engage in Virtual Currency Business Activities (a “BitLicense”) must be filed with the Department. The Superintendent of the Department must approve or deny every application for a BitLicense within 90 days from the filing of an application “deemed by the Superintendent to be complete.” The Proposed Rules grant the Department the right to request additional information from applicants for a BitLicense before the application is deemed complete by the Superintendent. We anticipate the process will take longer than 90 days to complete.
An application for a BitLicense will be filed with the Department and will require the applicant to provide information including the applicant’s affiliates and organization structure; directors, officers, and shareholders; certain financial information; the proposed, current and historical business of the applicant; details of all banking arrangements; all written policies and procedures of the applicant; existing, pending, and threatened litigation; insurance policies; and the methodologies used to calculate the value of virtual currency in fiat currency. The Proposed Rules will also require personnel associated with the applicant to submit to background checks, fingerprinting, and other due diligence designed to identify bad actors during the registration process.
Upon the filing of an application and payment of the required fee, the Department will investigate the financial condition and responsibility, financial and business experience, and character and general fitness of the applicant to determine whether the applicant’s business will be conducted honestly, fairly, equitably, carefully, and efficiently and in a manner commanding the confidence and trust of the community.
Requirements of BitLicense Holders
Licensees must maintain and enforce written compliance policies, including policies with respect to consumer protection, antifraud and anti-money laundering, cyber security, privacy, and information security.
The Proposed Rules require Licensees to designate a qualified individual or individuals responsible for coordinating and monitoring compliance with the Department’s BitLicense regulatory framework and all other applicable federal and state laws, rules, and regulations.
The Proposed Rules impose a series of duties on Licensees designed to ensure that there are systems in place to safeguard customer assets. Licensees will be required to maintain a bond or trust account in United States dollars for the benefit of their customers in an amount that the Department deems acceptable. The Department has not provided guidance on what may be deemed “acceptable,” and this may become an issue of focus during the comment period as firms assess their capital requirements under the Proposed Rules. Licensees will be required to hold Virtual Currency of the same type and amount as any Virtual Currency owed to a third party. The funds held on account by the Licensee must remain unencumbered, and the Licensee may not sell, transfer, assign, lend, hypothecate, pledge, or otherwise use or encumber the assets.
The Proposed Rules also require that all Licensees maintain “at all times such capital as the Superintendent determines is sufficient to ensure the financial integrity of the Licensee and its ongoing operations.”8 The Department will consider a variety of factors in this process, including the Licensee’s total assets, the composition of its total liabilities, the expected volume of its business, the amount of leverage employed by the Licensee, and the financial protection that the Licensee provides for its customers.
The Proposed Rules require Licensees to invest their retained earnings and profits in “only the following high-quality, investment-grade permissible investments with maturities of up to one year and denominated in United States dollars”: certificates of deposit issued by financial institutions that are regulated by a United States federal or state regulatory agency; money market funds; state or municipal bonds; United States government securities; or United States government agency securities.9
Noticeably absent from the list of acceptable securities in which Licensees may invest their retained earnings are fiat currency or virtual currencies such as Bitcoin.
Reports and Financial Disclosures
Licensees will be required to submit to the Superintendent quarterly financial statements and audited annual financial statements, together with an opinion of an independent certified public accountant and an evaluation by such accountant. A Licensee will be required to notify the Superintendent in writing of any criminal action or insolvency proceeding against the Licensee or any of its directors, officers, or stockholders, as applicable, immediately after the commencement of any such action or proceeding, and any proposed change to the methodology used to calculate the value of Virtual Currency in fiat currency that was submitted to the Department. Licensees will also be required to submit a report to the Superintendent immediately upon the discovery of any violation or breach of law, rule, or regulations.
Change of Business
The Proposed Rules will require Licensees to apply for and obtain written approval for any plan or proposal to introduce or offer a new product, service, or activity or to make a material change to an existing product, service, or activity involving New York or New York residents.10 Before making such a change, the Licensee will be required to submit a written plan describing the proposed material change, including a detailed description of the business operations, compliance policies, and the impact on the overall business of the Licensee.
Change of Control
The Proposed Rules will require Licensees to obtain the approval of the Superintendent prior to a change of control of a Licensee.11 Prior to any change of control, the person seeking to acquire control of a Licensee will be required to submit a written application to the Superintendent in a form prescribed by the Superintendent. The Superintendent is required to approve or deny every application for a change of control of a Licensee within 120 days from the filing of an application deemed by the Superintendent to be complete.
Advertising and Marketing
Under the Proposed Rules, Licensees will have to include a legend on any advertising, communications, and solicitations by Licensees. A Licensee will be required to include its name on all advertised products and services and to “disclose in clear, conspicuous, and legible writing in the English language … all material risks associated with its products, services and activities.”12
Licensees will be required to provide clear and concise disclosures to consumers about potential risks associated with virtual currencies. The Proposed Rules outline four key disclosures that must be made to consumers, which include the fact that:
- Transactions in Virtual Currency are generally irreversible and, accordingly, losses due to fraudulent or accidental transactions may not be recoverable;
- The volatility of the price of Virtual Currency relative to fiat currency may result in significant loss or tax liability over a short period of time;
- There is an increased risk of loss of virtual currency due to cyber attacks; and
- Virtual currency is not legal tender and is not backed by the government, and accounts and value balances are not subject to FDIC or SIPC protections.
Licensees will also be required to make consumer disclosures at two critical phases in the relationship with the consumer: upon opening a customer account, if any, and prior to initiating a transaction in virtual currency.
When opening an account for a new customer, and prior to entering into an initial transaction for, on behalf of, or with such customer, a Licensee will be required to disclose all relevant terms and conditions associated with its products, services, and activities and Virtual Currency generally.
Prior to each transaction in Virtual Currency for, on behalf of, or with a customer, Licensees will be required to furnish to each such customer a written disclosure containing the terms and conditions of the transaction.
Virtual Currency Receipts
The consumer protection provisions of the Proposed Rules require Licensees to furnish to customers detailed receipts for each transaction in a virtual currency, stating: the name and contact information of the firm, including a telephone number established by the Licensee to answer questions and register complaints; the type, value, date, and precise time of the transaction; the fee charged; the exchange rate, if applicable; a statement of the liability of the Licensee for nondelivery or delayed delivery; and a statement of the refund policy of the Licensee.
Consumer Complaint Policies
Licensees will be required to establish and maintain written policies and procedures to resolve consumer complaints in a fair and timely manner. Licensees will be required to provide notice to consumers, in a clear and conspicuous manner, that consumers can bring complaints to the Department’s attention for further review and investigation.
Anti-money Laundering Compliance Program
The Proposed Rules will require Licensees to implement an anti-money-laundering compliance (“AML”) program including a written anti-money-laundering policy. A Licensee’s AML program will need to:
- Identify and appoint an AML officer responsible for coordinating and monitoring day-to-day compliance with the AML program (the “AML Officer”);
- Include a customer identification program (“CIP”) that calls for the verification of the customer’s identity, to the extent reasonable and practicable, and checking of customers against the Specially Designated Nationals (“SDNs”) list maintained by the Office of Foreign Assets Control (“OFAC”), a part of the U.S. Treasury Department; and
- Include policies for preserving records of, and making reports as required by the Department on, all transactions involving the payment, receipt, exchange or conversion, purchase, sale, transfer, or transmission of Virtual Currency, including but not limited to transaction value, date, location, and participants.
Enhanced Due Diligence
The AML program will also have to include policies that address the need for enhanced due diligence of potential clients. Enhanced due diligence may be required based on additional factors, for example for high-risk customers, high-volume accounts, or accounts on which a suspicious activity report has been filed.
Prohibition on Accounts with Foreign Shell Entities
Licensees will be prohibited from maintaining relationships of any type in connection with their Virtual Currency Business Activity with entities that do not have a physical presence in any country.
Identification Required for Large Transactions
Licensees will be required to verify the identity of account holders initiating transactions having a value greater than $3,000.
Reporting of Suspected Fraud and Illicit Activity
Licensees will also be required to monitor for suspicious activities such as money laundering, tax evasion, or other illegal or criminal activity; to notify the Department immediately following detection; and to notify the Department within 24 hours of each transaction (or series of transactions) in virtual currency in an aggregate amount exceeding the United States dollar value of $10,000 in one day, by one person.
Anti-Fraud Policy and Procedures
Licensees will be required to take reasonable steps to detect and prevent fraud, including establishing and maintaining a written antifraud policy. The antifraud policy will need to provide for the identification and assessment of fraud-related risk areas; procedures and controls to protect against identified risks; allocation of responsibility for monitoring risks; and procedures for the periodic evaluation and revision of the antifraud procedures, controls and monitoring mechanisms.
Cyber Security Program
The Proposed Rules require a Licensee to establish and maintain a cyber security program to ensure the availability and functionality of its electronic systems and to protect those systems and the sensitive customer and other data stored on those systems. The Proposed Rules identify five core cyber security functions and require a Licensee’s cyber security program to include mechanisms to (i) identify internal and external cyber risks; (ii) protect systems from unauthorized access or malicious acts; (iii) detect systems intrusions and data breaches; and (iv) respond to and (v) recover from any breaches, disruptions, or unauthorized use of systems.
Cyber Security Policy
The cyber security policy must address a number of areas, including: information security; data governance and classification; access controls; capacity and performance planning; systems operations and availability concerns; systems and network security; systems and application development and quality assurance; physical security and environmental controls; customer data privacy; vendor and third-party service provider management; monitoring and implementing of changes to core protocols not directly controlled by the Licensee, as applicable; and incident response.
The Proposed Rules will impose additional obligations on a Licensee as part of its cyber security program such as:
- Conducting penetration testing of its electronic systems, at least annually, and vulnerability assessment of those systems, at least quarterly;
- Having an independent, qualified third party conduct a source code review of any internally developed proprietary software used in the Licensee’s business, at least annually;
- Preparing annual reports assessing the integrity of the Licensee’s electronic systems;
- Maintaining audit trail systems that track and maintain data that allows for the complete and accurate reconstruction of all financial transactions and accounting; and
- Training and continuing to educate personnel capable of managing cyber security risks.
Chief Information Security Officer
The Proposed Rules require a Licensee to appoint a qualified employee to serve as the Licensee’s chief information security officer (“CISO”) responsible for overseeing and implementing the Licensee’s cyber security program and enforcing its cyber security policy. The Proposed Rules, however, do not specify any qualification requirements for the CISO. The Department will have to clarify whether any degree of education or examination will be a prerequisite to being deemed qualified to serve as a CISO.
Business Continuity and Disaster Recovery
The Proposed Rules also seek to regulate the integrity of the online systems used by Licensees by requiring Licensees to establish and maintain a written business continuity and disaster recovery plan (“Business Continuity Plan”). The Business Continuity Plan must be designed to ensure the availability and functionality of the Licensee’s services in the event of an emergency or other disruption to normal business activities. The Proposed Rules do not clarify the meaning of “reasonably designed” but do require that the Business Continuity Plan be distributed to all relevant employees and that copies of the Business Continuity Plan be maintained at one or more accessible off-site locations. Licensees will also be required to provide training to all employees responsible for implementing the Business Continuity Plan regarding their roles and responsibilities. Finally, the Business Continuity Plan will have to be tested annually by qualified, independent internal personnel or a qualified third party and revised accordingly.
Books and Records
Licensees will be required to keep certain books and records, including: transaction information; bank statements; records or minutes of the board of directors or governing body; records demonstrating compliance with applicable laws, including customer identification documents; and documentation related to investigations of consumer complaints. The records will need to be maintained in their original form or native file format for at least 10 years from the date of their creation. Licensees will be required to maintain for at least five years records of non-completed, outstanding or inactive Virtual Currency accounts or transactions after the time when any such Virtual Currency has been deemed, under the Abandoned Property Law, to be abandoned property.
The Proposed Rules afford the Department broad discretion to examine all activities of a Licensee. A Licensee will be subject to periodic examination by the Department and its staff to determine the Licensee’s financial condition; the safety and soundness of the conduct of its business; management policies; compliance with laws and regulations; and such other matters as the Superintendent may determine may affect the Licensee’s business involving New York or New York residents. The Proposed Rules do not limit the number of examinations that may be conducted but do create a minimum requirement of one examination every two years.
The Proposed Rules have met with varying degrees of support and criticism. Supporters of the Proposed Rules include investors and potential Licensees that have tied their hopes of fortune to the expectation that regulation will establish credibility for virtual currencies and bolster consumer confidence in Virtual Currency. Some argue the Proposed Rules will ostensibly put a stop to innovation involving other virtual currencies such as Litecoin and Peercoin.13 Ultimately, any firm that is planning to trade in or develop a platform to facilitate the trading of virtual currencies should proceed with caution. Due to the lack of clearly defined guidance with respect to the authority of the Department, it is important that you engage experienced counsel to assist you in navigating the regulatory requirements that may apply to any business you are building.