New York State Department of Financial Services Proposes Broad Licensing Requirements for Businesses Engaged in Virtual Currency Activities
On July 17, 2014, the New York State Department of Financial Services (“DFS”) issued for public comment its proposed “BitLicense” regulatory framework1 (the “Regulations”) and an accompanying press release.2 The release of the proposed Regulations follows the DFS announcement on March 11, 2014 that DFS would consider proposals and applications in connection with the establishment of virtual currency exchanges in New York.3
The proposed Regulations would require new licenses for any business engaged in a “virtual currency business activity” (a “Licensee”) and would impose new requirements in connection with consumer protection, anti-money laundering (“AML”), and cybersecurity as well as certain other obligations. While some have applauded the effort of the DFS to bring virtual currency, particularly bitcoin, activities into the mainstream of financial regulation, the breadth and detail of the Regulations go well beyond traditional money transmitter licensing and will pose substantial challenges for companies attempting to offer new virtual currency related businesses in New York. What follows is a brief summary of some of the most significant aspects of the regulations.
Under the Regulations, “virtual currency business activities” are broadly defined to include (1) receiving or transmitting virtual currency;4 (2) securing, storing, holding or maintaining custody or control of virtual currency on behalf of others; (3) buying and selling virtual currency as a customer business (as distinct from personal use);5 (4) converting virtual currency to legal tender (or vice-versa) or one virtual currency to another virtual currency; or (5) controlling, administering or issuing a virtual currency.6 However, the Regulations would not apply to either (a) persons that are chartered under the New York Banking Law to conduct exchange services and that DFS has approved to engage in a virtual currency business activity or (b) merchants and consumers that use virtual currency “solely for the purchase or sale of goods or services.” There is no express exemption for companies already licensed to engage in money transmission in New York, or even for banks. Moreover, unlike in traditional money transmission licensing regimes, agents of the Licensee must be separately licensed.
Any entity that engages in virtual currency business activities would then need to become licensed and subject to detailed requirements related to compliance, consumer protection, capital, asset protection, examination and supervision, change in control, recordkeeping and reporting, AML, cybersecurity and business continuity.
The Regulations require substantial information regarding the proposed Licensee, its business plans, financing, directors, officers and investors, but the requested information is largely consistent with information required for other similar licenses. Although the Regulations promise action on applications within 90 days of when the application is complete, applicants should plan on an extended period of give and take with the DFS before an application is deemed sufficiently complete to start the clock. In addition, Licensees will be required to go back to the DFS for approval of each new product, service, activity or material change to an existing product.
Custody and Protection of Customer Assets. The Regulations attempt to extend traditional money transmission requirements with respect to custody and collateralization of customer assets, without addressing any of the unique aspects of virtual currency activities. For example, Licensees must hold virtual currency in the same type and amount as that which is owed to another person, which raises the question of what it means to owe a decentralized virtual currency like bitcoin to another person, and whether “holding” the currency would mean anything more than maintaining control of the codes that gave rise to the collateralization obligation in the first place. Regardless, as with traditional money transmitters, virtual currency Licensees also would be required to maintain U.S. dollar bonding or trust funds and capital, in each case in an undefined amount.
Other consumer protections include mandatory disclosures, receipts requirements, fraud prevention mandates and consumer complaint policies. Of particular note is the requirement that prior to entering into a transaction with a customer for the first time, Licensees must provide a virtual “Miranda warning” disclosing all material risks7 associated with its activities as well as all relevant terms and conditions associated with its products and services.
Establishment of an AML Program. The development and implementation of an acceptable AML program is a critical element of the Regulations. Among other things, Licensees must conduct an initial risk assessment and develop a written anti-money laundering policy that is reviewed and approved by the Licensee’s board of directors and must designate someone responsible for coordinating day-to-day compliance with the AML program.
Records of Virtual Currency Transactions. Of particular interest to participants in the virtual currency ecosystem is that the DFS would require Licensees to maintain the following information for all of its transactions involving virtual currency: (1) the identity and physical addresses of the parties involved; (2) the amount or value of the transaction, including the denominations used and the method of payment; (3) the date(s) on which the transaction was initiated and completed; and (4) a description of the transaction.
Large Transaction Reporting. Licensees also must notify DFS within 24 hours when the Licensee is involved in a transaction or series of transactions in one day, by one person, exceeding $10,000 in the aggregate.
Reporting of Illegal or Suspicious Activity. Each Licensee must monitor for transactions that might signify money laundering, tax evasion or other illegal activity and notify DFS immediately upon detection of such transactions. If required by federal law, a Licensee must file a Suspicious Activity Report (“SAR”); otherwise, if a Licensee discovers suspicious activity that indicates a possible violation of law and is not required to file a SAR, the Licensee must file a report, in a form determined by DFS, within 30 days of its discovery.8
Customer Identification Program. When opening an account for a customer, Licensees must, at a minimum, verify a customer’s identity, to the extent reasonable and practicable, maintain records of the information used to verify such identity, including name, physical address and other identifying information, and check customers against the Specially Designated Nationals list maintained by the Office of Foreign Assets Control.
Establish a Cybersecurity Program. A unique aspect of the Regulations is that they would require each Licensee to establish a cybersecurity program designed to (1) identify internal and external cyber-risks; (2) protect the Licensee’s systems from unauthorized or malicious acts; (3) detect system intrusions and data breaches;9 (4) respond to any breaches; and (5) recover from such breaches. Licensees must submit an annual report to DFS that assesses, among other things, the Licensee’s cybersecurity program. Additionally, among other safeguards, the Licensee should conduct annual penetration testing and quarterly vulnerability assessments of its electronic systems. More intrusively, the Regulations require that “an independent, qualified third party conduct a source code review of any internally developed proprietary software used in the Licensee’s business operations, at least annually.”
Capital Requirements. DFS will impose capital requirements based on a Licensee’s total assets and liabilities, the actual and expected volume of the Licensee’s virtual currency business, whether the Licensee is already subject to DFS review, the Licensee’s leverage, the Licensee’s liquidity position and the extent to which the Licensee provides additional financial protection for customers through a trust account or bond. Moreover, Licensees may only invest retained earnings in certain investment-grade instruments.
Compliance Officer. Licensees must designate a compliance officer responsible for coordinating compliance with the Regulations and all other applicable law.
Books and Records. Licensees must maintain certain books and records, including transaction information, certain financial information and statements, records or minutes of the Licensee’s governing body, records documenting legal compliance (including records documenting customer identification, records linking customers to their respective accounts and balances and records of all compliance breaches), documents relating to investigations of customer complaints and anything else DFS may require. Licensees must maintain records of all non-completed, outstanding or inactive virtual currency accounts or transactions for at least five years after any related virtual currency is deemed to be abandoned property under New York law.
Reports and Financial Disclosures. Each Licensee must submit to DFS quarterly financial statements and audited annual financial statements.
Business Continuity and Disaster Recovery. Licensees must maintain a business continuity and disaster recovery plan reasonably designed to ensure the functionality of the Licensee’s services in the event of an emergency or other disruption. Licensees also must notify DFS of any emergency or disruption that may affect their ability to fulfill their regulatory obligations or that may have a significant adverse effect on a Licensee, its counterparties or the market.
Transition. A person already engaged in a virtual currency business activity must apply for a license within 45 days of the effective date of the Regulations. DFS must issue or deny a license within 90 days of the filing of any completed application.
DFS published the Regulations in the New York State Register’s July 23, 2014 edition.10 The public may submit comments for 45 days after publication, although a number of commenters have already requested an extension of this deadline.
1 Available at http://www.dfs.ny.gov/about/press2014/pr1407171-vc.pdf.
2 Available at http://www.dfs.ny.gov/about/press2014/pr1407171.html.
3 Available at http://www.dfs.ny.gov/about/po_vc_03112014.pdf.
4 Although the DFS press release refers to entities “receiving or transmitting virtual currency on behalf of consumers,” the Regulations themselves do not include the “on behalf of consumers” qualifier.
5 Since “converting” virtual currency is separately covered, the broad reference to buying and selling virtual currency as a customer business creates substantial ambiguity as to what entities may be captured by the Regulations due to their purchase and sale of virtual currencies, such as bitcoin. Additionally, while the DFS press release clarifies that this activity is “as distinct from personal use,” the Regulations themselves do not include the “as distinct from personal use” qualifier.
6 The DFS press release clarifies that “controlling, administering, or issuing” a virtual currency does not “refer to virtual currency miners.” However, this is not specified in the text of the Regulations.
7 For example, among other required disclosures of material risks, the Regulations require disclosures stating that virtual currency is not legal tender and the customer’s account is not guaranteed by the FDIC or SIPC; transactions in virtual currency are generally irreversible and losses due to fraud or accidental transactions may not be recoverable; some transactions are deemed to be made when recorded on a “block chain” ledger rather than when the customer first initiates the transaction; and volatility in the virtual currency exchange rate may result in significant loss or tax liability.
8 Additionally, continuing suspicious activity must be reviewed on an ongoing basis and a corresponding report filed within 120 days of the last filing describing the continuing activity.
9 The Regulations define cybersecurity events to include even attacks that are unsuccessful.
10 Available at http://docs.dos.ny.gov/info/register/2014/july23/pdf/rulemaking.pdf.
Sidley Austin provides this information as a service to clients and other friends for educational purposes only. It should not be construed or relied on as legal advice or to create a lawyer-client relationship.