Viewpoint: N.Y.’s Proposed Virtual Currency Licensing Regulations: The Right Direction but Still a Bumpy Road

By Judith Rinearson, Bryan Cave LLP

What’s interesting about the new regulations put forward for comment by the New York Department of Financial Services (NYDFS)[i] regarding licensing of digital/crypto/mathematical/virtual currencies, such as Bitcoin (referred to collectively as “virtual currency” by the NYDFS regulators or simply “VC”) is how clearly they’ve been designed to address precisely and comprehensively all the concerns currently raised about virtual currency.

Although similar in many ways to existing state money transmitter licensing laws, these newly proposed virtual currency regulations (VC Proposed Regs) actually depart from existing money transmitter licensing laws in a number of ways. The differences speak volumes about where regulators view the biggest risks from VC and how they hope to address those risks. The inevitable question must be raised as to whether, in their eagerness to mitigate risks, the NYDFS has gone too far, rendering it virtually impossible for VC businesses to prosper in the competitive payments arena.

The NYDFS’s 45-day public comment period on its proposal began yesterday.

The VC Proposed Regs

The VC Proposed Regs are structured like many other state licensing laws. First come the all-important definitions, followed by the description of when licensing is required. The drafters took pains to define VC carefully, avoiding potential traps by excluding gaming tokens and reward/loyalty points. The definition of VC business activity that will require licensing is quite broad, however; essentially including any VC-related business other than acceptance by merchants or use by consumers. The categories of covered VC business activity requiring licensing include the following:

• Receiving VC for transmission or transmitting VC;
• Storing or holding VC on behalf of others;
• Buying or selling VC as a “customer business” (Note: “customer business” is not defined);
• Retail conversion services, including fiat currency to VC or one VC to another VC; and
• Controlling, administering or issuing VC. 

The only exemptions are:

• Persons that are chartered under the New York Banking Law to conduct exchange services and are approved by the superintendent to engage in VC business activity; and
• Merchants and consumers that utilize VC solely for the purchase or sale of goods or services. (Note: Consumers who utilize VC to purchase other VC or fiat currencies are not exempt under this language.)

The application process for a license under the VC Proposed Regs is similar to many other licensing application processes. Of course, fingerprints and background/criminal checks are required for all principal officers and principal shareholders (owning 10 percent or more). An interesting addition to the list is also requiring background checks for “principal beneficiaries”—anyone holding 10 percent or more of the entity “in trust.”

Other data required to be submitted include financial statements, business history and business plans, banking arrangements, written policies and procedures, affidavit on pending civil or criminal litigation actions or proceedings regarding not only the VC business but also its principal officers, principal shareholders and principal beneficiaries.

As for compliance officers and policies, these must cover AML and also antifraud, cybersecurity, privacy and information security. All policies must be reviewed and approved by the licensee’s board of directors or an equivalent governing body.

As with other licensees, NYDFS requires licensees to obtain bonds in an amount “acceptable to the superintendent.” And as with other licensees, a VC licensee would be prohibited from “selling, transferring, assigning, lending, hypothecating, pledging or otherwise using or encumbering” its assets, including VC assets.

Finally, to obtain a license, the applicant must have minimum capital in an amount determined by the superintendent based on a number of factors, including composition of assets and liabilities; volume of business, current and expected; and whether the entity is already licensed under another area, such as under New York’s banking or insurance law.

How the VC Proposed Regs Differ from N.Y.’s Money Transmitter Licensing Regs

While there are many similarities, there are also many differences between the VC Proposed Regs and the existing money transmitter licensing regulations:

• Time requirement for response. Perhaps in response to concerns about delays caused by potential bureaucracy, the VC Regs require that a license must be issued within 90 days of the application being “deemed complete.” Similarly, approval for a change of control (a change in the power to vote 10 percent or more of the shares, or a change of power to control) must be approved or denied in 120 days. New York is historically a very slow state when it comes to licensing and change of control approvals. This is a positive development.

• Restrictions on investing profits. New York has long had requirements for “permissible investments,” which regulate how licensees must hold and invest funds/securities equal to the amount of customer funds being held (referred to as “outstanding payment instruments”). But the VC Proposed Regs also regulate how a licensed entity invests its “retained earnings and profits.” Of course, requiring investment of these earnings and profits in certain “high-quality, investment-grade permissible investments with maturities of up to one year and denominated in United States dollars” may be good business advice, but it seems extraordinary to place restrictions on how these entities invest their own profits. This seems to cross the line on imposing restraints on how VC businesses operate. 

• Prior approval for changes. Another significant restriction on how VC businesses operate are the requirements for both notice and prior written approval for “any plan or proposal to introduce or offer a new product, service or activity, or to make a material change to an existing product, service or activity, involving New York or New York residents.” What is “material change”? A change that “may cause such product, service or activity to be materially different from that previously listed on the application.” It’s worth noting that for this provision, there is no time deadline for how quickly NYDFS must respond to requests for written approval. This starts to sound like the NYDFS will be looking over every licensee’s shoulder to tell it the services or products it can offer and the product changes it can make. While other licensees must report significant changes, the requirement for written pre-approval seems truly overbroad.

• Skin in the game. One interesting departure is the requirement that, to the extent a VC licensee stores or holds VC on behalf of its customers, the licensee must hold what is effectively “permissible investment” in the same type and amount of VC as that which is owed or obligated to those customers. That makes sense, given the volatility of some VC, but it marks a departure from standard money transmitter requirements.

• Customer ID. Another new requirement applicable to VC businesses, but not to other licensees, involves customer identification. The VC Proposed Regs require that, when opening an account for a customer, each licensee “must, at a minimum, verify the customer’s identity, to the extent reasonable and practicable, maintain records of the information used to verify such identity, including name, physical address and other identifying information, and check customers against the Specially Designated Nationals (SDNs) list maintained by the Office of Foreign Asset Control (OFAC).” These kinds of requirements are more typical of federal AML laws and are not typical requirements for licensed payment service providers.

More significant is that these requirements go much further than the guidance published by FinCEN, the federal AML regulator. By choosing to regulate VC exchanges and administrators as “money transmitters” under federal law, FinCEN only obligated VC exchanges to collect and retain customers’ names and addresses as well as transaction information for all transactions in excess of $3,000. The NYDFS requirements go further, by requiring verification of customer identification for all account holders and even “enhanced due diligence” for foreign entities. 

For transactions that don’t involve account holders, but are in amounts of more than $3,000, again verification of customers is required.

• Prohibition on business with shell companies. A blanket prohibition for doing business or “having a relationship of any type” with “shell companies” that have no physical location or presence is another new requirement not imposed on other licensed entities. Given that a VC is used overwhelmingly by online businesses, requiring customers and business partners to have a physical presence may undermine the ability of a VC business to grow and compete in the global marketplace.

• Cybersecurity and other requirements. The new cyber security and fraud prevention and disaster recovery requirements in the VC Proposed Regs all make sense for this industry, but they add new burdens. Although the NYDFS has issued guidance to money transmitter licensees in these areas, these specific regulations are new.

• Consumer disclosures. One of the biggest differences between these VC Proposed Regs and existing money transmitter licensing laws is the list of consumer disclosures. Many states require certain disclosures on a money transmitter receipt (and these receipt requirements also are included in the VC Proposed Regs), but this detailed list of 10 disclosures is an entirely new level of regulatory oversight. Many of the disclosures are already considered “best practices.” In contrast, however, to some states calling for outright bans on Bitcoin or other similar VC, at least this approach puts the decision in the hands of informed consumers. [ii] Nevertheless, there are still concerns that it will be extremely difficult and burdensome to incorporate all of these disclosures into a VC business’s sales process.

The NYDFS’s approach to VC regulation is certainly comprehensive, addressing the range of legal risks associated with Bitcoin and other digital/virtual currencies. However, there is no question that the VC Proposed Regs will be difficult for many potential licensees to comply with. Moreover, the proposed very short 45-day window for applications for licensing also will create a barrier for many VC businesses.

Now is the time for the industry to consider this newest and potentially extremely helpful development and submit comments regarding the Proposed VC Regs. Not all of these requirements are unfair or unreasonable. And, to the extent they can be complied with, they provide a useful roadmap for future regulation.

Judith Rinearson leads the payments practice team for Bryan Cave LLP, where she is a partner in the firm’s New York City office. She is a voting member of DATA, the Digital Asset Transfer Authority, a self-regulatory organization focused on digital/virtual currencies, where she co-chairs the Consumer Practices Working Committee. She is also a contributing editor to Paybefore, chair of the NBPCA’s Government Relations Working Group and the association’s representative to FinCEN’s Bank Secrecy Act Advisory Group. In 2008, Rinearson was recognized by Paybefore Awards for “Outstanding Industry Achievement.” Judie may be reached at [email protected].