September 18, 2023
TO: All Virtual Currency Business Entities Licensed under 23 NYCRR Part 200 or Chartered as Limited Purpose Trust Companies under the New York Banking Law
FROM: Adrienne A. Harris, Superintendent of Financial Services
RE: Proposed Updates to Guidance Regarding Listing of Virtual Currencies
Effective immediately, the New York State Department of Financial Services (the “Department” or “DFS”) has instituted a new General Framework for Greenlisted Coins that supersedes the previous Greenlist process as defined by the Guidance on the Adoption or Listing of Virtual Currencies (“Original Guidance”) and is issuing the following “Proposed Updates to Guidance Regarding Listing of Virtual Currency” (“Guidance”) for public comment.
Proposed Updates to Guidance Regarding Listing of Virtual Currencies
In 2015, the New York State Department of Financial Services (the “Department” or “DFS”) issued its virtual currency regulation, 23 NYCRR Part 200, under the New York Financial Services Law. Since 2015, DFS has served as the prudential regulator overseeing virtual currency business activity in New York, granting both virtual currency licenses under Part 200 (“BitLicenses”) and limited purpose trust company charters, to ensure that New Yorkers have a well-regulated way to access the virtual currency marketplace and that New York remains at the center of technological innovation and forward-looking regulation.
In June 2020, informed by its experience as the regulator of BitLicensees and New York-chartered limited purpose trusts engaged in virtual currency business activity (collectively, “VC Entities”), the Department published its original Guidance on the Adoption or Listing of Virtual Currencies (“Original Guidance”). In that publication, the Department stated that the Original Guidance was prepared in order to “(A) provide a general framework for a VC Entity’s creation of a firm-specific policy for the adoption or listing of a new coin, without DFS’s prior approval, through the process of self-certification; and (B) a general framework for the process of Greenlisting1 coins for wider usage.”
Since the publication of the Original Guidance, the Department has continued to serve as the leading regulator of VC Entities and their activities, and the market has evolved sufficiently that the Department is enhancing the requirements of the Original Guidance. As a result, the Department is now issuing this “Proposed Updates to Guidance Regarding Listing of Virtual Currencies” (the “Guidance”) for public comment.
This Guidance sets forth the following expectations for which DFS is seeking public comment:
- Heightened risk assessment standards for coin-listing policies and tailored, enhanced requirements for retail consumer-facing products or service offerings;2 and
- New requirements associated with coin-delisting policies.
Comments must be submitted to [email protected] by October 20, 2023. Please use “Proposed Coin-Listing Policy Framework” in the subject line. Note that comments may be subject to public inspection and should not include any sensitive or confidential information. DFS will issue its final Guidance following the closure of this comment period. Following the issuance of the final Guidance, a VC Entity that wishes to engage in self-certification of coins will be required to submit to the Department an updated coin-listing policy that meets the standards of Section (A). VC Entities will not be permitted to self-certify any new coins without a coin-listing policy and accompanying coin-delisting policy that complies with the final Guidance.
Like the Original Guidance, this Guidance provides a framework under which VC Entities may create, and seek DFS approval of, a firm-specific self-certification policy for the listing of new coins. This Guidance also provides enhanced requirements for a VC Entity’s coin-delisting policy. It is important to note that the requirements for a coin-delisting policy apply regardless of whether a VC Entity maintains a coin-listing policy for self-certification purposes.
In accordance with the Original Guidance, VC Entities must continue to provide written notice to DFS of any coins that are self-certified under an approved coin-listing policy. In addition, VC Entities must at all times keep and maintain records available for DFS review. Records must be kept in a form and manner consistent with the VC Entity’s recordkeeping requirements to demonstrate continued compliance with the VC Entity’s coin-listing policy and this Guidance.
Consistent with the Original Guidance, VC Entities without DFS-approved coin-listing policies may only list coins that are included on the Department’s Greenlist, unless a VC Entity has otherwise been approved by DFS to list a coin as a material change to business under 23 NYCRR § 200.10. In order to mitigate the potential for market disruption, VC Entities that currently list coins that are no longer included on the Greenlist are not required to immediately delist the removed coins. DFS will coordinate with all VC Entities as appropriate to ensure each VC Entity has an approved coin-delisting policy and associated procedures, as described below, prior to requiring the delisting of any coin. DFS may, at any time and in its sole discretion, require VC Entities to delist or otherwise limit New Yorkers’ access to coins that are not included on the Greenlist. Any such action will be taken over an appropriate timeline to mitigate any impact to New Yorkers and the broader marketplace.
This updated Guidance also clarifies DFS’s expectations with respect to coin-delisting. In the event a listed coin is identified as presenting newly elevated risk, whether through a VC Entity’s monitoring process, a Department-identified weakness or vulnerability, or otherwise, VC Entities must be able to discontinue support of that coin in a manner that is consistent with safety and soundness and with protection of customers and the general public. As a result, VC Entities that list any coins are required to have a coin-delisting policy that complies with this Guidance, regardless of whether they have a DFS-approved coin-listing policy. VC Entities are strongly encouraged to begin creating coin-delisting policies in compliance with Section (B) during the public comment period. All VC Entities that list any coins must meet with the Department by December 8, 2023 to preview their draft coin-delisting policy. Final coin-delisting policies must be submitted to the Department for approval by January 31, 2024.
(A) General Framework for the Creation of a VC Entity’s Coin-Listing Policy
A VC Entity that wishes to self-certify coins without the prior approval of specific coins by DFS must create a coin-listing policy in accordance with this Guidance. Until DFS has provided a VC Entity with written approval of its coin-listing policy, a VC Entity may not self-certify any coins.
Prior to listing any coin under a DFS-approved coin-listing policy, the VC Entity must provide written notice to DFS of its intent to use the coin. VC Entities are also required to keep DFS informed of all coins used or offered in connection with their virtual currency business activity.
A VC Entity’s coin-listing policy must include robust procedures that comprehensively address all steps involved in the review and approval of coins. The policy must be tailored to the VC Entity’s specific business model, operations, customers and counterparties, geographies of operations, and service providers, and must also account for the use, purpose, and specific features of the coins being considered.
The policy should result in approval of a coin only if the VC Entity concludes that the coin’s intended use is consistent with this Guidance, the standards embodied in 23 NYCRR Part 200 (including, without limitation, consumer protection principles), and with the safety and soundness of the VC Entity. A VC Entity with a DFS-approved coin-listing policy must demonstrate continued compliance with this Guidance, which DFS will assess as part of its regular continuous monitoring. Failure to do so may result in DFS taking action to revoke a coin-listing policy.
A coin-listing policy must, at a minimum, contain and be based on the following attributes:
The VC Entity must ensure that:
- Its board of directors or an equivalent governing authority (“Governing Authority,” which shall consist of a board of directors or a committee formally delegated by the board of directors) approves the coin-listing policy to ensure the robustness of the governance, monitoring, and oversight framework;
- Its Governing Authority, at least annually, reviews and determines whether to re-approve the coin-listing policy to ensure that it continues to identify, assess, and mitigate risks properly;
- Its Governing Authority reviews and makes decisions to approve or disapprove each new coin;
- Governing Authority is independent from those responsible for making the initial recommendations whether to list or delist a coin;
- Any actual or potential conflicts of interest in connection with the review and decision-making process have been assessed, effectively addressed, and fully disclosed to the public, whether such actual or potential conflicts of interest are related to the VC Entity, the VC Entity’s affiliates, and the VC Entity’s owners, principals, employees, or their respective families;
- The VC Entity keeps records consistent with applicable recordkeeping requirements and makes them readily available for the Department’s review at all times. This includes meeting minutes for all Governing Authority meetings which discuss a specific coin or coins—including all documentation reviewed and produced by Governing Authority members in connection with each coin’s approval or disapproval. This also includes all documentation reviewed and produced by those responsible for approval/disapproval recommendations related to coin-listing as well as to the risk assessment conducted on the specific coin or coins under consideration;
- The VC Entity informs DFS immediately in writing if, at any time after DFS approves its coin-listing policy, the VC Entity’s coin-listing policy ceases to comply with the requirements of this Guidance; and
- The VC Entity does not make any material changes or revisions to its coin-listing policy without the prior, written approval of DFS.
II. Risk Assessment
The VC Entity must perform a comprehensive risk assessment designed to ensure that any coin and the uses for which it is being considered are consistent with the consumer protection and other standards embodied in 23 NYCRR Part 200, and with the safety and soundness of the VC Entity. The risks to be assessed include, but are not limited to, the following:
- Technical Design and Technology Risk. A VC Entity must assess the risk associated with the listing of a coin based on the coin’s issuance, governance, usage, and/or design. The VC Entity must conduct a thorough due diligence process to ensure that the coin is created or issued by a reputable entity or entities for lawful and legitimate purposes and not for evading compliance with any law, rule, or regulation;
- Operational Risk. A VC Entity must assess operational risk associated with a coin, including the resulting demands on the VC Entity’s resources, infrastructure, and personnel, as well as its operational capacity for continued customer onboarding and customer support;
- IT/Cybersecurity Risk. A VC Entity must assess the risk to the confidentiality, integrity, and availability of all systems relating to each coin and its supporting blockchain, as well as the practices and protocols that apply to them. This assessment must include risks relating to application security, unauthorized access, and other threats;
- Market and Liquidity Risk. A VC Entity must assess any risk relating to a concentration of coin holdings or control by a small number of individuals or entities, price manipulation, fraud, and the impact of the coin’s wider or narrower adoption on market risk, as well as the sufficient liquidity to meet potential customer demand upon listing of a coin;
- Illicit Finance Risk. A VC Entity must assess the illicit finance risk associated with each coin, including its historical or potential use in facilitating illicit financial activity or potential sanctions evasion, and must ensure that mitigating controls are in place. The VC Entity must also consider broader risks of malfeasance, including, for example, theft;
- Legal Risk. A VC Entity must assess the legal risk associated with any new coin, including any pending or potential civil, regulatory, criminal, or enforcement action relating to the issuance, distribution, or use of each coin;
- Reputational Risk. A VC Entity must assess the potential impact of any negative publicity on the VC Entity’s business resulting from a decision to self-certify a specific coin; and
- Regulatory Risk. A VC Entity must assess any risk relating to potential non-compliance with the requirements of the VC Entity’s supervisory agreement with DFS and the requirements of DFS’s Cybersecurity Regulation (23 NYCRR Part 500) as a result of the listing of each coin. Further, each coin must comply with all applicable laws, rules, regulations, and regulatory guidance.
In addition to these areas of the risk assessment, the VC Entity must also consider other factors to identify and mitigate the risks involved in each coin and its uses. As part of these considerations, VC Entities must incorporate the Department’s “Guidance on Prevention of Market Manipulation and other Wrongful Activity.” Additional considerations include, but are not limited to, the following:
- Conflicts of Interest. A VC Entity must have effective policies and procedures in place to mitigate any conflicts of interest from impacting the decisions, recommendations, and assessments made for each coin under review. In addition, a VC Entity must ensure that all potential conflicts of interest relating to coin-listing decisions are clearly disclosed to the public; and
- Customer Protection. A VC Entity must ensure that all customers are treated fairly and are afforded the full protection of all applicable laws and regulations, including protection from unfair, deceptive, or abusive practices.
If a coin is designed or substantially used to circumvent laws and regulations, or has features that may facilitate the obfuscation or concealment of the identity of a customer or counterparty, it cannot be self-certified. Further, if any coin shares any features noted immediately below and is not separately included on the Greenlist—or if a VC Entity is unable to determine that a coin does not have any such feature—it cannot be self-certified for retail consumer-facing products or service offerings:
- Stablecoins. A VC Entity cannot self-certify any stablecoin that is not included on the Greenlist, absent separate prior, written approval of DFS. This restriction extends to any coin designed to serve as collateral for a stablecoin not included on the Greenlist;
- Exchange Coins. A VC Entity cannot self-certify any coin that is issued by a cryptocurrency exchange or can otherwise be used to provide benefits on a cryptocurrency exchange;
- Protocol Resiliency. A VC Entity cannot self-certify any coin that is the native asset for a protocol where there are concerns related to the protocol’s decentralization, for example if a single entity or individual controls more than 51% of the hash power for protocols with proof-of-work or similar consensus mechanisms, or similar levels of susceptibility of concentration risk for protocols with proof-of-stake or similar consensus mechanisms. This restriction extends to all coins issued on protocols that meet the above thresholds;
- Bridged Coins. A VC Entity cannot self-certify any coin that circulates on a protocol in which it is not natively issued. This restriction extends to any coin designed to serve as collateral or governance for an application that enables the transfer of coins across different protocols (e.g., token bridge platforms); and
- Circulating Supply. A VC Entity cannot self-certify any coin in which the circulating supply is less than 35% of its total supply.3
If a VC Entity wants to list a coin that meets any of the above characteristics for its retail consumer-facing business, the VC Entity must request DFS approval as a material change to business under 23 NYCRR § 200.10. Any such request must include a risk assessment for the coin that meets the standards described within this Guidance. DFS will make the determination whether to approve the request based on its own analysis and that of the VC Entity to ensure that the appropriate compensating controls are in place to, for example, address safety and soundness concerns and ensure consumer protection.
In connection with a VC Entity listing a new coin, the VC Entity must have policies and procedures in place to monitor the coin to ensure that continued listing of the coin remains consistent with safety and soundness considerations, the protection of customers and the general public, and all requirements of this Guidance. Such policies and procedures must include, but are not limited to:
- Periodic re-evaluation of the coin by those responsible for approval/disapproval recommendations related to coin-listing, including whether material changes have occurred (e.g., hard forks), with a frequency and level of scrutiny tailored to the particular coin, provided that in all cases the frequency of re-evaluation must be not less than annual;
- Adoption, documentation, and implementation of control measures to manage risks associated with the coin, including but not limited to those risks involving cybersecurity and illicit activity; and
- A coin-delisting process, as described in Section (B) of this Guidance.
In addition, as part of a VC Entity’s coin monitoring, the VC Entity is expected to comply with all elements of the Department’s “Guidance on Use of Blockchain Analytics” and other BSA/AML and sanctions-related control requirements, including its regulatory reporting obligations.
VC Entities must also verify that their coin-listing policies are appropriately integrated into the VC Entity’s overall risk and compliance framework. For example, as part of ongoing monitoring to meet all cybersecurity requirements and illicit finance risk-related obligations, VC Entities should assess and review any controls relating to the VC Entity’s governance and coin-listing inventory periodically and when there are any significant changes in the broader risk environment, or when required by DFS. Similarly, VC Entities with coin-listing policies should verify that independent testing includes coin-listing and coin-delisting in its scope as part of annual planning.
(B) General Framework for the Creation of a VC Entity’s Coin-Delisting Policy
Regardless of whether a VC Entity has a DFS-approved coin-listing policy, the VC Entity must maintain a separate policy that governs the steps the VC Entity must take to ensure safety and soundness and the protection of customers and the general public in the event the VC Entity ceases support for a coin (a “coin-delisting policy”). Coin-delisting policies must be tailored to the virtual currency business activity a VC Entity has been approved by DFS to conduct and must be submitted to DFS for approval. VC Entities should coordinate with the Department around development with respect to its coin-delisting policy and must submit a coin-delisting policy to DFS for approval by January 31, 2024. VC Entities must meet with DFS by December 8, 2023 to discuss their draft coin-delisting policy.
This coin-delisting policy must include robust procedures that comprehensively address all steps involved in removing support for a coin and must be tailored to the VC Entity’s specific business model, operations, customers and counterparties, geographies of operations, and service providers; and to the use, purpose, and specific features of coins being considered. Accordingly, the determination to delist a coin should occur only if the VC Entity concludes that the coin’s delisting is consistent with this Guidance, the standards embodied in 23 NYCRR Part 200 (including, without limitation, consumer protection principles), and with the safety and soundness of the VC Entity.
A coin-delisting policy should, at a minimum, contain and be based on the following attributes:
When a VC Entity ceases support for a coin, it must do so in an orderly manner. In light of the impact that delisting a coin may have on consumers and others, it is imperative that VC Entities have the appropriate oversight and management to govern a delisting process.4 Specifically, each VC Entity must ensure that:
- Its Governing Authority approves the coin-delisting policy to ensure the robustness of the governance, monitoring, and oversight framework;
- Its Governing Authority, at least annually, reviews and determines whether to re-approve the coin-delisting policy to ensure it continues to properly identify, assess, and mitigate risks properly;
- Its Governing Authority is independent from those responsible for making the initial recommendations whether to list or delist a coin;
- The VC Entity keeps records consistent with applicable recordkeeping requirements and makes them readily available for the Department’s review at all times. This includes, without limitation, all documentation associated with the delisting decision as well as the broader operational processes supporting that decision;
- The VC Entity informs DFS in writing of any decision to delist a coin following such a determination at least ten (10) days prior to informing its customers, and includes the rationale and all elements of the proposed delisting timeline; and
- The VC Entity does not make any material changes or revisions to its coin-delisting policy without the prior, written approval of DFS.
In addition to the governance standards, a coin-delisting policy must detail the process that underpins a delisting event. Specifically, the VC Entity must implement a clear set of roles and responsibilities that establishes who has the authority to initiate a delisting event, the chain of approval through management, and the escalation to the Governing Authority for final approval. A VC Entity’s coin-delisting policy should also clearly incorporate its ongoing monitoring procedures, be reviewed and periodically updated at risk-based intervals to take into account and reflect changes in the coins it currently supports, and establish clear thresholds on criteria that may prompt a delisting. Moreover, the VC Entity must also include the types of events that may cause a delisting to be necessary or appropriate. Event types include, but are not limited to:
- New findings resulting from the periodic re-evaluation or ongoing monitoring of a listed coin;
- A change in the legal or regulatory environment that makes support for a coin no longer permissible or practical; or
- Receiving a directive from DFS to delist a coin.
The VC Entity must also establish roles and responsibilities in connection with each type of event to provide clear instructions for the VC Entity’s stakeholders depending on the specific facts and circumstances.
Once the decision to delist a coin is reached, a VC Entity must communicate clearly with its customers regarding the delisting in advance of taking action to cease support of the coin in order to minimize any potential risk of consumer harm. Unless otherwise approved or directed by DFS, the VC Entity must provide customers with at least 30 days’ prior, written notice of the specific coin or coins that will be delisted, the rationale supporting the decision to delist, the timing of the delisting, and the steps that customers who are impacted may take to either sell a delisted coin or transfer it off the VC Entity’s platform, when permitted.
The elements related to executing a delisting event that must be addressed in a coin-delisting policy include, but are not limited to:
- Advance Notice. A VC Entity’s customers must be provided with at least 30 days’ prior, written notice of any coin-delisting using commercially reasonable methods, unless the VC Entity is directed otherwise by DFS. The coin-delisting policy should detail explicitly when and how a customer will be informed of a delisting and outline any other communications the VC Entity would routinely make when delisting a coin (e.g., public communications). Importantly, the coin-delisting policy must take all additional reasonable actions to ensure protection of customers and the general public in executing a delisting event.
- Customer Support. Following the communication of a coin-delisting decision, a VC Entity must make available the requisite level of customer support to answer any questions and assist customers with safely selling the impacted coin or otherwise transferring it off the VC Entity's platform, when permitted. Depending on factors such as the volume of trading or number of holders of a coin being delisted, the VC Entity should consider whether it must dedicate separate or additional resources to respond to phone, email, or chat inquiries made by impacted customers and whether to provide tailored FAQs related to the specific delisting event.
- Documentation. A VC Entity must ensure that it appropriately documents all key details of any coin-delisting decision. This includes, at a minimum, documentation related to the monitoring that led to a delisting decision, approval of the delisting decision, data regarding the estimated impact on the VC Entity’s customer base, communications shared with customers and regulators, and documentation responsive to any issues related to customer support. The VC Entity must make readily available to DFS all documents created with regard to a delisting event and must maintain such documents consistent with the VC Entity’s recordkeeping requirements.
- Ongoing Monitoring. A VC Entity must dedicate resources to monitoring the safety and soundness of a delisting, including the necessary expertise to detect for issues with the financial health of the business, the possible introduction of cybersecurity vulnerabilities, illicit finance risk, or any technological or other challenges that would affect the customer experience.
- Impact Analysis. A VC Entity must consider second-order impacts a delisting decision might have on the VC Entity’s internal business operations as well as on any counterparties and third-party service providers leveraged in supporting a coin.
The information contained in this Guidance is not intended to be exhaustive, and DFS may update it from time to time for any reason, including, for example, in response to new information, evolving markets, or additional experience. This Guidance is not intended to limit the scope or applicability of any law or regulation.
Each VC Entity is responsible for understanding and complying with all applicable laws and regulations, including any applicable legal and regulatory requirements imposed by other state or federal regulatory agencies. This Guidance is not intended to address and does not address any such other state or federal legal or regulatory requirements.
DFS will continue to engage with VC Entities and other stakeholders to evaluate this Guidance in the context of the evolving virtual currency marketplace.
1 The Department makes available on its website a Greenlist that identifies the coins the Department has approved for VC Entities to custody or list without first establishing an approved coin-listing policy or otherwise seeking prior approval.
2 For purposes of this Guidance, a retail consumer-facing product or service offering is any VC Entity product or service offering (e.g., virtual currency exchanges) that is offered to individuals.
3 For purposes of this Guidance, “circulating supply” refers to the number of coins that are publicly available in the market and are not subject to lock-up or similar vesting periods. “Total supply” refers to the total number of coins and includes all coins that are locked or held in reserve and are not publicly available in the market.
4 A VC Entity’s coin-delisting policy may be included as part of a VC Entity’s coin-listing policy, so long as it meets all of the criteria described in this section.