New York state proposes regulatory framework for virtual currencies
By Stuart Gittleman, Compliance Complete
NEW YORK, July 23, 2014 (Thomson Reuters Accelus) – The New York State Department of Financial Services (DFS) is seeking public comment on a proposed “BitLicense” regulatory framework for New York virtual currency businesses, DFS Superintendent Benjamin M. Lawsky said Thursday.
The proposed framework – the first on a state-wide basis in the country – will require licensees to have strong compliance and supervisory policies and procedures.
“We have sought to strike an appropriate balance that helps protect consumers and root out illegal activity – without stifling beneficial innovation. Setting up common sense rules of the road is vital to the long-term future of the virtual currency industry, as well as the safety and soundness of customer assets,” Lawsky said in a release.
Comments will be received for 45 days following July 23, and must be submitted pursuant to the state’s official process in order to be considered, the DFS said.
The DFS began its inquiry into appropriate regulatory guidelines for virtual currencies in August 2013, held public hearings in January and announced in March that it will consider formal proposals and applications for the establishment of regulated virtual currency exchanges operating in the state.
The proposal addresses consumer protection, anti-money laundering compliance, and cyber security rules tailored for virtual currency firms, among other concerns. The DFS may conduct additional review and revision based on the comments before finalizing the regulatory framework, the agency said.
“We recognize that, as the first state to put forward specially tailored rules for virtual currency firms, continued public feedback will be an important part of finalizing this regulatory framework. We look forward to carefully and thoughtfully reviewing public comments on our proposal,” Lawsky added.
Not for everyone
Under the proposal, BitLicenses will be required for firms engaged in the following virtual currency businesses:
- Receiving or transmitting virtual currency on behalf of consumers;
- Securing, storing or maintaining custody or control of such virtual currency on the behalf of customers;
- Performing retail conversion services, including converting or exchanging fiat currency – such as dollars, pounds or euros – or other value into virtual currency, or vice versa, or converting or exchanging one form of virtual currency into another form;
- Buying and selling virtual currency as a customer business, as opposed to personal use; or
- controlling, administering or issuing a virtual currency.
The license will not be required for virtual currency miners; for merchants or consumers that utilize virtual currency solely to buy or sell goods or services; or for firms chartered under the state’s Banking Law to conduct exchange services that are approved by DFS to engage in virtual currency business activity, the DFS said.
Potential barriers to entry
Under the proposal, a licensee must:
- Safeguard consumer assets by holding virtual currency of the same type and amount as it owes or is obligated to pay a third party. A licensee may not sell, transfer, assign, lend, pledge or otherwise encumber assets, including virtual currency, it stores on behalf of another person, and must also maintain a bond or trust account in U.S. dollars for the benefit of its customers in such form and amount as is acceptable to DFS.
- Upon completion of any transaction, provide the customer with a receipt showing the firm’s name and contact information, including a telephone number for answering questions and registering complaints; the type, value, date and precise time of the transaction; the fee charged; the exchange rate, if applicable; a statement of the firm’s liability for non-delivery or delayed delivery; and a statement of the firm’s refund policy.
- Establish and maintain written policies and procedures to resolve consumer complaints in a fair and timely manner, and provide a clear and conspicuous notice to consumers that they can bring complaints to DFS’s attention for further review and investigation.
- Provide clear and concise consumer disclosures of potential risks, including that virtual currency transactions are generally irreversible; that losses due to fraudulent or accidental transactions may not be recoverable; that the volatility of the price of the currency relative to fiat money may result in significant loss or tax liability over the short term; that there is an increased risk of loss due to cyber-attacks; and that the currency is not legal tender, is not backed by the government, and accounts and value balances are not protected by the Federal Deposit Insurance Corporation or the Securities Investors Protection Corporation protections.
- Implement an anti-money laundering compliance program and maintain, for all transactions involving the payment, receipt, exchange or conversion, purchase, sale, transfer or transmission of virtual currency, the identity and physical addresses of the parties involved; the amount or value of the transaction, including in what denomination purchased, sold, or transferred, and the method of payment; the date the transaction was initiated and completed, and a description of the transaction.
- At a minimum, when opening accounts for customers, verify their identity, to the extent reasonable and practicable, maintain records of the information used to verify such identity, including name, physical address and other identifying information, and check customers against the Specially Designated Nationals list maintained by the Treasury Department’s Office of Foreign Asset Control. Enhanced due diligence may be required based on additional factors, such as for high-risk customers, high-volume accounts, or accounts on which a suspicious activity report has been filed. Firms are also subject to enhanced due diligence requirements for accounts involving foreign entities and may not conduct business with foreign shell entities.
- Monitor for transactions that might signify money laundering, tax evasion, or other illegal or criminal activity and notify the DFS immediately upon detecting such a transactions. When being involved in a transaction or series of transactions for the receipt, exchange or conversion, purchase, sale, transfer, or transmission of virtual currency in an aggregate amount exceeding the value of $10,000 in one day, by one person, a licensee must notify the DFS within 24 hours. A licensee must have and use an approved methodology for valuing virtual currency in fiat money to meet its reporting requirements.
- Maintain a cybersecurity program designed to perform a set of core functions, including identifying internal and external cyber risks; protecting systems from unauthorized access or malicious acts; detecting systems intrusions and data breaches; and responding and recovering from any breaches, disruptions or unauthorized use of systems. A licensee must conduct penetration testing of its electronic systems, at least annually, and vulnerability assessment of those systems, at least quarterly.
- Designate a qualified employee to serve as its chief information security officer responsible for overseeing and implementing the firm’s cybersecurity program and enforcing its cybersecurity policy.
- Agree to be examined by DFS whenever the superintendent deems necessary – but no less than once every two calendar years – to determine the licensee’s financial condition, safety and soundness, management policies, and compliance with laws and regulations.
- Make and keep books and records, including transaction information, bank statements, records or minutes of the board of directors or governing body, records demonstrating compliance with applicable laws including customer identification documents, and documentation of investigating consumer complaints.
- Submit to DFS quarterly financial statements within 45 days following the close of the licensee’s fiscal quarter, and submit audited annual financial statements prepared in accordance with generally accepted accounting principles, with an opinion of an independent certified public accountant and an evaluation by such accountant of the firm’s accounting procedures and internal controls within 120 days of its fiscal year end.
- Meet capital requirements as determined by DFS based on factors including the composition of the licensee’s total assets and liabilities, whether the licensee is already licensed or regulated by DFS, the amount of leverage used by the firm, the liquidity position of the firm, and extent to which additional financial protection is provided for customers.
- Designate as its chief compliance officer a qualified individual or individuals responsible for coordinating and monitoring compliance with the BitLicense regulatory framework and all other applicable federal and state laws, rules and regulations.
- Establish and maintain a written business continuity and disaster recovery plan reasonably designed to ensure the availability and functionality of the licensee’s services in the event of an emergency or other disruption to its normal business activities.
- Promptly notify DFS of any emergency or other disruption to its operations that may affect its ability to fulfill regulatory obligations or that may have a significant adverse effect on the licensee, its counterparties or the market.
License applications will be accepted beginning when the proposed regulations become effective. Firms already engaged in virtual currency business activity will have a 45-day transitional period to apply for a license from that date, and the superintendent will issue or deny the license within 90 days of a complete application submission.
Interested parties can follow the regulatory development on the agency’s and the superintendent’s Twitter feeds, the DFS noted.
(This article was produced by the Compliance Complete service of Thomson Reuters Accelus. Compliance Complete provides a single source for regulatory news, analysis, rules and developments, with global coverage of more than 400 regulators and exchanges. Follow Accelus compliance news on Twitter: @GRC_Accelus)