July 17, 2014
Contact: Matt Anderson, 212-709-1691
NY DFS RELEASES PROPOSED BITLICENSE REGULATORY FRAMEWORK FOR VIRTUAL CURRENCY FIRMS
Framework Includes Consumer Protection, Anti-Money Laundering, and Cyber Security Rules for Virtual Currency Businesses
Proposed Regulations Submitted for a 45-Day Notice and Comment Period to Solicit Public Feedback
Benjamin M. Lawsky, Superintendent of Financial Services, today announced that the New York State Department of Financial Services (DFS) has issued for public comment a proposed “BitLicense” regulatory framework for New York virtual currency businesses. The proposed regulatory framework – which is the product of a nearly year-long DFS inquiry, including public hearings that the Department held in January 2014 – contains consumer protection, anti-money laundering compliance, and cyber security rules tailored for virtual currency firms.
Superintendent Lawsky said: “We have sought to strike an appropriate balance that helps protect consumers and root out illegal activity – without stifling beneficial innovation. Setting up common sense rules of the road is vital to the long-term future of the virtual currency industry, as well as the safety and soundness of customer assets.”
In accordance with the New York State Administrative Procedures Act (SAPA), the proposed DFS rules for virtual currency firms will be published in the New York State Register’s July 23, 2014 edition, which begins a 45-day public comment period. After that public comment period, the rules are subject to additional review and revision based on that public feedback before DFS finalizes them.
Additionally, DFS is today immediately publishing a copy of the regulations on the website Reddit. Earlier this year, Superintendent Lawsky hosted an “Ask Me Anything” forum on Reddit about DFS’ work on virtual currency regulation, which generated more than 1,200 public comments. Links to the proposed rules are also being tweeted out from the DFS Twitter handle (@NYDFS) and Superintendent Lawsky’s Twitter handle (@BenLawsky).
Superintendent Lawsky said: “We recognize that – as the first state to put forward specially tailored rules for virtual currency firms – continued public feedback will be an important part of finalizing this regulatory framework. We look forward to carefully and thoughtfully reviewing public comments on our proposal.”
The new DFS BitLicenses will be required for firms engaged in the following virtual currency businesses:
- Receiving or transmitting virtual currency on behalf of consumers;
- Securing, storing, or maintaining custody or control of such virtual currency on the behalf of customers;
- Performing retail conversion services, including the conversion or exchange of Fiat Currency or other value into Virtual Currency, the conversion or exchange of Virtual Currency into Fiat Currency or other value, or the conversion or exchange of one form of Virtual Currency into another form of Virtual Currency;
- Buying and selling Virtual Currency as a customer business (as distinct from personal use); or
- Controlling, administering, or issuing a Virtual Currency. (Note: This does not refer to virtual currency miners.)
The license is not required for merchants or consumers that utilize Virtual Currency solely for the purchase or sale of goods or services; or those firms chartered under the New York Banking Law to conduct exchange services and are approved by DFS to engage in Virtual Currency business activity.
Key requirements for firms holding BitLicenses include:
- Safeguarding Consumer Assets. Each firm must hold Virtual Currency of the same type and amount as any Virtual Currency owed or obligated to a third party. Companies are also prohibited from selling, transferring, assigning, lending, pledging, or otherwise encumbering assets, including Virtual Currency, it stores on behalf of another person. Each licensee must also maintain a bond or trust account in United States dollars for the benefit of its customers in such form and amount as is acceptable to DFS for the protection of the licensee’s customers.
- Virtual Currency Receipts. Upon completion of any transaction, each firm shall provide to a customer a receipt containing the following information: (1) the name and contact information of the firm, including a telephone number established by the Licensee to answer questions and register complaints; (2) the type, value, date, and precise time of the transaction; (3) the fee charged; (4) the exchange rate, if applicable; (5) a statement of the liability of the Licensee for non-delivery or delayed delivery; (6) a statement of the refund policy of the Licensee.
- Consumer Complaint Policies. Each firm must establish and maintain written policies and procedures to resolve consumer complaints in a fair and timely manner. The company must also provide notice to consumers, in a clear and conspicuous manner, that consumers can bring complaints to DFS’s attention for further review and investigation.
- Consumer Disclosures. Companies must provide clear and concise disclosures to consumers about potential risks associated with virtual currencies, including the fact that: transactions in Virtual Currency are generally irreversible and, accordingly, losses due to fraudulent or accidental transactions may not be recoverable; the volatility of the price of Virtual Currency relative to Fiat Currency may result in significant loss or tax liability over a short period of time; there is an increased risk of loss of virtual currency due to cyber attacks; virtual currency is not legal tender, is not backed by the government, and accounts and value balances are not subject to FDIC or SIPC protections; among others.
- Anti-money Laundering Compliance. As part of its anti-money laundering compliance program, each firm shall maintain the following information for all transactions involving the payment, receipt, exchange or conversion, purchase, sale, transfer, or transmission of Virtual Currency: (1) the identity and physical addresses of the parties involved; (2) the amount or value of the transaction, including in what denomination purchased, sold, or transferred, and the method of payment; (3) the date the transaction was initiated and completed, and (4) a description of the transaction.
- Verification of Accountholders. Firms must, at a minimum, when opening accounts for customers, verify their identity, to the extent reasonable and practicable, maintain records of the information used to verify such identity, including name, physical address, and other identifying information, and check customers against the Specially Designated Nationals (“SDNs”) list maintained by the U.S. Treasury Department’s Office of Foreign Asset Control (“OFAC”). Enhanced due diligence may be required based on additional factors, such as for high-risk customers, high-volume accounts, or accounts on which a suspicious activity report has been filed. Firms are also subject to enhanced due diligence requirements for accounts involving foreign entities and a prohibition on accounts with foreign shell entities.
- Reporting of Suspected Fraud and Illicit Activity. Each Licensee shall monitor for transactions that might signify money laundering, tax evasion, or other illegal or criminal activity and notify the Department, in a manner prescribed by the superintendent, immediately upon detection of such a transactions. When a Licensee is involved in a transaction or series of transactions for the receipt, exchange or conversion, purchase, sale, transfer, or transmission of Virtual Currency, in an aggregate amount exceeding the United States dollar value of $10,000 in one day, by one Person, the Licensee shall also notify the Department, in a manner prescribed by the superintendent, within 24 hours. In meeting its reporting requirements Licensees must utilize an approved methodology when calculating the value of Virtual Currency in Fiat Currency.
- Cyber Security Program: Each licensee must maintain a cyber security program designed to perform a set of core functions, including: identifying internal and external cyber risks; protecting systems from unauthorized access or malicious acts; detecting systems intrusions and data breaches; and responding and recovering from any breaches, disruptions, or unauthorized use of systems. Among other safeguards, each firm shall also conduct penetration testing of its electronic systems, at least annually, and vulnerability assessment of those systems, at least quarterly.
- Chief Information Security Officer. Each Licensee shall designate a qualified employee to serve as the Licensee’s Chief Information Security Officer (“CISO”) responsible for overseeing and implementing the Licensee’s cyber security program and enforcing its cyber security policy.
- Independent DFS Examinations: Examinations of licensees will be conducted whenever the superintendent deems necessary – but no less than once every two calendar years – to determine the licensee’s financial condition, safety and soundness, management policies, and compliance with laws and regulations.
- Books and Records: Licensees are required to keep certain books and records, including transaction information, bank statements, records or minutes of the board of directors or governing body, records demonstrating compliance with applicable laws including customer identification documents, and documentation related to investigations of consumer complaints.
- Reports and Financial Disclosures, Audit Requirements. Each firm must submit to DFS quarterly financial statements within 45 days following the close of the Licensee’s fiscal quarter. Each firm must also submit audited annual financial statements, prepared in accordance with generally accepted accounting principles, together with an opinion of an independent certified public accountant and an evaluation by such accountant of the accounting procedures and internal controls of the firm within 120 days of its fiscal year end.
- Capital Requirements: Necessary capital requirements will be determined by DFS based on a variety of factors, including the composition of the licensee’s total assets and liabilities, whether the licensee is already licensed or regulated by DFS, the amount of leverage used by the firm, the liquidity position of the firm, and extent to which additional financial protection is provided for customers.
- Compliance Officer. Each Licensee shall designate a qualified individual or individuals responsible for coordinating and monitoring compliance with NYDFS’ BitLicense regulatory framework and all other applicable federal and state laws, rules, and regulations.
- Business Continuity and Disaster Recovery. Each Licensee shall establish and maintain a written business continuity and disaster recovery plan reasonably designed to ensure the availability and functionality of the Licensee’s services in the event of an emergency or other disruption to the Licensee’s normal business activities.
- Notification of Emergencies or Disruptions.Each firm must promptly notify DFS of any emergency or other disruption to its operations that may affect its ability to fulfill regulatory obligations or that may have a significant adverse effect on the Licensee, its counterparties, or the market.
- Transitional Period. Applications for the license will be accepted beginning on the date the proposed regulations become effective. Those already engaged in virtual currency business activity will have a 45-day transitional period to apply for a license from the date regulations become effective. The superintendent will issue or deny the license within 90 days of a complete application submission.
In August 2013, DFS announced its inquiry into the appropriate regulatory guidelines for virtual currencies. As part of an ongoing fact-finding effort informing that inquiry, the Department held public hearings in January 2014. In March 2014, the Department issued a public order announcing it will be considering formal proposals and applications for the establishment of regulated virtual currency exchanges operating in New York.To view a copy of the proposed DFS BitLicense framework, please visit, link. Only comments formally submitted pursuant to the SAPA process will be considered in connection with the promulgation of the proposed regulations.