On July 17, the New York State Department of Financial Services (DFS) issued proposed regulations delineating a license process for certain businesses involved in Bitcoin and other virtual currencies (Proposed Rules). The Proposed Rules would require any business that engages in "virtual currency business activity" (Virtual Currency Firms) to obtain a license from DFS (BitLicense) and would require such businesses to adopt consumer protection, anti-money laundering and cyber security procedures and requirements.
A 45-day public comment period for the Proposed Rules commenced on July 23. The Proposed Rules may be revised and reissued by DFS following the review of the public comments.
Executive Summary of Proposed Regulations
- Any business that secures, stores, holds or maintains custody or control of virtual currency on behalf of others or engages in other delineated businesses is required to obtain a BitLicense.
- Applicants for a BitLicense must provide disclosure about its operations and owners and provide detailed background information and fingerprints of such owners.
- Applicants for a Bit License must maintain "adequate" capital based on the size and nature of the business and such capital must be invested in specified US dollar denominated accounts.
- Applicants for a BitLicense must establish anti-money laundering and similar policies that are subject to the review and inspection of DFS.
- BitLicense holders must maintain records for an extended period of time and periodically submit reports and financial statements to DFS.
Summary of Bitcoin
As explained in our November 26, 2013, advisory , Bitcoin is a type of digital asset that is based upon a peer-to-peer, decentralized, computer-generated, math-based and cryptographic protocol. Bitcoins may be converted to fiat currencies, such as US dollars or other national currencies based on then-current exchange rates. Approximately 13 million bitcoins currently exist and the maximum number of bitcoins that will ever be created is 21 million. Approximately 400 digital assets or "altcoins" have been launched, of which 10 have a market capitalization in excess of $10 million as of July 23, 2014, and many of which are based on protocols similar to or derived from the protocol and computer network that underlie bitcoin transactions (Bitcoin Network).
Scope of the BitLicense Framework
The Proposed Rules require Virtual Currency Firms to apply for BitLicenses from the DFS prior to commencing operations. A Virtual Currency Firm refers to any person that engages in "virtual currency business activity," which includes, among other things, (a) receiving "virtual currency" for transmission or transmitting it; (b) securing, storing, holding or maintaining custody or control of virtual currency on behalf of others; (d) buying and selling virtual currency as a customer business; and (e) performing retail conversion services (i.e., the conversion of virtual currency into fiat currency, or vice versa, or the conversion of a virtual currency into another virtual currency), provided that such activity involves the State of New York or a resident thereof.
As drafted, it is possible that the Proposed Rules would require virtual currency exchanges, storage services such as online Bitcoin "wallets" and funds that invest in Bitcoin to obtain a BitLicense. However, the Proposed Rules exempt (a) banks and limited liability trust corporations chartered under the laws of the State of New York that are approved by DFS and (b) merchants and consumers that use virtual currency solely for the purchase or sale of goods and services.
A prospective licensee (Applicant) must provide extensive information about its operations and its principal officers, equity owners and/or beneficiaries, including but not limited to (a) a description of the proposed, current and historical business of the Applicant; (b) detailed background information; and (c) an independently prepared background report for the Applicant and its owners and current financial statements for the Applicant and its owners. The Proposed Rules require DFS to approve or deny a completed application within 90 days of its filing, subject to an extension by DFS. The Proposed Rules require DFS to investigate the "financial condition and responsibility, financial and business experience, and character and general fitness of the [A]pplicant." As such, DFS has broad discretionary authority in granting BitLicenses.
The Proposed Rules subject Virtual Currency Firms to various regulations and requirements concerning their operations. Some of the most significant licensee requirements are summarized below.
Minimum Capital and Asset Custody Requirements
The Proposed Rules require each licensee to maintain minimum capital in an amount to be determined based on proposed operations. The minimum capital required is based upon the total assets and liabilities, the actual and expected volume of the licensee's virtual currency business activity, the liquidity position of the licensee and the amount of leverage employed by the licensee. The Proposed Rules require earnings and profits to be stored in certificates of deposit issued by financial institutions regulated by a federal or state agency, money market funds, state and municipal bonds, US government securities or US government agency securities, provided that each of the foregoing is denominated in US dollars and has a maximum maturity of one year.
In addition, licensees would be required to maintain a bond or trust account in US dollars for the benefit and protection of its customers. Furthermore, if a licensee maintains custody or control, or otherwise secures or holds, virtual currency on behalf of customers, such licensee must hold in reserve an equal amount of virtual currency as being stored by the customers (e.g., a wallet that stores 50,000 bitcoin for its customers is required to maintain a "reserve" of 50,000 bitcoin that is not accessible by customers). The Proposed Rules prohibit licensees from selling, transferring, hypothecating, lending or otherwise using the customers' virtual currency; thereby, preventing a business from, among other things, operating a fractional reserve business operation or lending customer deposits.
Anti-Money Laundering Program and Know-Your-Client Requirements
The Proposed Rules establish various anti-money laundering and know-your-client requirements. The licensee is required to conduct an initial risk assessment concerning legal, financial and other risks associated with the licensee's activities and to create a corresponding anti-money laundering program. An anti-money laundering program must (a) provide a system of internal controls and policies to ensure compliance with anti-money laundering laws, rules and regulations; (b) provide annual independent testing of compliance with the program; (c) designate a qualified individual in compliance for coordinating and monitoring day-to-day compliance with the program; and (d) provide ongoing training for appropriate personnel to ensure that they understand the program.
Moreover, the licensee must maintain records of virtual currency transactions and make reports to DFS on (a) any transaction, or series of transactions, of virtual currency in an aggregate amount more than $10,000 in one day by any one person and (b) suspicious activity that might signify money laundering, tax evasion, or other illegal or criminal activity.
Each licensee would also be required to maintain a customer identification program, which includes: (a) identification and verification of account holders (with enhanced due diligence for high-risk customers, high-volume accounts or accounts for which a suspicious activity report has been filed); (b) enhanced due diligence for accounts involving foreign entities; (c) prohibition on accounts for foreign shell entities (entities must have a physical presence in any country); and (d) verification of accountholders initiating transactions greater than $3,000.
Recordkeeping, Examination and Audit Requirements
The Proposed Rules provide for a comprehensive scheme of record retention and examination. Under the Proposed Rules, each licensee is required to make and preserve all of its books and records for at least ten years The books and records include: a record of each transaction (specifying, e.g., the amount, date and precise time of the transaction, any payment instructions, and the total fees charged and received); a general ledger containing all assets, liabilities, capital, income, expense and profit/loss accounts; bank statements; compliance records; and meeting minutes of the board of directors or equivalent governing body. Also, licensees are required to provide to DFS, upon request, immediate access to all facilities, books, records, documents or other information maintained by the licensee or its affiliates.
Furthermore, licensees are subject to "spot" and routine examinations at least every two years, which would include a review of the licensee's books, records, documents and accounts for purposes of determining the financial condition of the licensee or its safety and soundness practices. The licensee also would be required to permit and assist DFS in its conduct of any special investigations regarding possible violations of laws, rules and regulations.
The Proposed Rules also require periodic financial disclosures and reports. Licensees are required to submit quarterly financial statements within 45 days following the close of the licensee's fiscal quarter, including various accountings, financial statements, projections and business plans. Licensees are also required to submit audited annual financial statements and an evaluation by a certified public accountant of the accounting procedures and internal controls of the licensee. Moreover, the licensee is required to notify DFS of any criminal action or insolvency proceeding against the licensee or its directors, principal stockholders, officers or beneficiaries immediately after commencement of an action, and must submit a report to DFS immediately upon discovery of any violation of law, rule or regulation.
Cyber Security Requirements
The Proposed Rules also address cyber security concerns specific to Virtual Currency Firms, requiring licensees to establish and maintain an effective cyber security program to ensure the availability and functionality of the licensee's electronic systems and to protect such systems and any sensitive data stored on those systems from unauthorized access, use or tampering. Each licensee is required to develop a cyber security program designed to perform five core functions: (a) identifying internal and external cyber risks by identifying sensitive information on the licensee's systems; (b) protecting the licensee's electronic systems, and the information on those systems, from unauthorized access through the use of defensive infrastructure; (c) deterring system intrusions, data breaches and unauthorized access to systems, information and malware; (d) responding to any detected attempt to gain unauthorized access to, disrupt or misuse a licensee's electronic systems or the information thereon (Cyber Security Events); and (e) to mitigate any negative effects from Cyber Security Events.
In addition to the cyber security program, the licensee is required to develop a written cyber security policy, which would be subject to review and approval of the board of directors at least annually. The Proposed Rules establish extensive content requirements for such written cyber security policy and require the retention of a chief information security officer (CISO).
Also, a licensee is required to submit an annual report to the DFS, prepared by the CISO, assessing the availability, functionality and integrity of electronic systems, identifying risks to the licensee, and proposing redress for such risks. Furthermore, the licensee's cyber security program is required to implement various audit functions, consisting of: (a) penetration testing of electronic systems and vulnerability assessment of such; (b) audit trail systems; and (c) source code reviews by an independent third-party.
In addition to addressing licensees' operational stability and integrity, the Proposed Rules provide for three requirements intended to promote operational continuity. In the event of a change of control, a merger, acquisition of at least 10 percent of the voting equity or an acquisition of all or substantially all of the assets of the licensee, the licensee (or in the case of a merger/acquisition, both parties) is required to obtain the approval of DFS prior to consummation of such transaction. Licensees are required to establish and maintain a written business and continuity disaster recovery plan (BCDR Plan) to ensure the availability and functionality of the licensee's services in the event of an emergency or disruption. A BCDR Plan should identify essential documents, data, facilities, infrastructure and personnel for the continued operation of the licensee's normal business, developing procedures for maintenance of back-up facilities, systems, infrastructure, and alternative staffing and procedures for back-up or copying essential documents and data.
Although the proposed BitLicense includes comprehensive rules, it represents the next step in the evolution and acceptability of Bitcoin and virtual currencies. By proposing rules to protect customers, DFS is creating a framework to ensure that businesses that operate in New York are legitimate and complying with applicable federal and state regulations. While there is no current indication that other states or foreign jurisdictions will follow the DFS's BitLicense framework (whether in its proposed or finalized form), the BitLicense framework may influence other jurisdictions' regulatory responses to virtual currencies.