By Thomas M. Dawson and Charles A. Cowan
Last week the New York Department of Financial Services (NYDFS) published its long-awaited final Regulation addressing virtual currency business activity (VCBA). “VCBA” includes transmitting such currencies, "storing, holding, or maintaining custody or control" of currency for others, buying and selling virtual currencies "as a customer business," conducting exchange services "as a customer business" or "controlling, administering, or issuing" any Virtual Currency as defined in the Regulation.
Those that wish to engage in any VCBA "involving New York or a New York Resident" will need to obtain what has become popularly known as a bitlicense.
While bitlicensing standards, bitlicense application requirements and ongoing regulatory compliance for bitlicensees (and those that control licensed entities) will be very familiar to those already regulated by the NYDFS (and, by the way, any entity or person already so regulated may also apply for a bitlicense too – with NY-chartered banks automatically bitlicensed) the new requirements will likely seem onerous to those not currently regulated.
It is worth noting that with detailed application and regulatory compliance filing requirements yet to be published it is difficult to provide precise counsel. But there are plenty of datapoints in this first-in-the-nation effort to regulate virtual currency business activity:
- Application Fee: $5,000
- Licenses are valid until revoked or surrendered
- Surety bonds or trust accounts in amounts to be determined are required to protect consumers
- Minimum risk based capital requirements will be imposed on what appears to be a case-by-case basis
- All licensees will need to "maintain and enforce" the following written compliance policies "reviewed and approved" by the licensee's Board of Directors or equivalent:
- Anti-money laundering
- Information Security
- Among other required functions/positions, licensees must designate a chief compliance officer (CCO) and a chief information security officer (CISO).
- License application packages will include:
- Biographical affidavits for directors, Principal Officers (includes CEO, CFO, COO, CCO, president, general counsel, managing partner, general partner, Controlling partner or trustee), Principal Stockholders (those owning 10% or more of any class of the applicant's voting securities and those with "power to direct or cause the direction of the management or policies" of the applicant) and Principal Beneficiary (anyone entitled to 10% or more of the benefits of a trust)
- Background reports for Principal Officers, Principal Stockholders and Principal Beneficiaries (but not for directors)
- Fingerprints for all those named immediately above (again, directors need not be fingerprinted) AND for anyone with access to customer funds
- Current financial statements for those named immediately above (again, not directors)
- Together with a host of other information and data — org charts, financial projections, details of banking arrangements, copies of any insurance policies "for the benefit of the applicant, its directors or officers, or its customers" (this is the sole direct reference to insurance in the Regulation).
Ongoing Regulatory Compliance Overview
- NYDFS will examine bitlicensees every two years (i.e., more frequently than banks or insurers)
- Bitlicensees will file quarterly unaudited financial statements as well as audited annual financials
- Annual AML risk assessments
- Annual cyber-security reviews – including penetration testing, written cyber-security policy to be reviewed annually by the Board of Directors (or equivalent) AND the CISO's annual report to the Board of Directors (or equivalent) is to be filed with the NYDFS
- Annual testing of business continuity and disaster recovery plans
- Customer identification processes, transactional recordkeeping, reporting of transactions in excess of $10,000, monitoring suspicious activity and reporting thereof, and similar matters will need to be reviewed by senior management and Boards of Directors (or equivalent) of the licensee.
Material Changes to Business
Responding to comments from industry critics during the past few months, the NYDFS narrowed the scope of regulation for bitlicensees that change the nature of their originally approved business. Prior written approval to do so will be required only for "materially new product(s), service(s) or activit(ies)" now defined, somewhat circularly, as those that are "materially different" from those originally approved.
Changes of Control
As with other NYDFS-regulated entities, prior written approval of the Superintendent is required for a change of control of a licensee. Control is defined in a familiar manner. It is presumed to exist if a person owns or will own or control 10% or more of the licensee's voting securities. There is inconsistency between the control definition and the definition of Principal Stockholder as to voting securities; that will need to be clarified in future. But control is fundamentally the power to "direct or cause the direction of the management and policies of a Licensee" and control may be determined in many ways other than based on stock ownership.
Disclaimers of control may be filed by those owning more than 10% of a bitlicensee's voting securities, as with other entities, even those who are also an officer or director of the entity.
Implications for Insurers
Apart from the business opportunity to provide various insurance products to newly or recently formed operators of various virtual currency businesses, insurers of NY-licensed or -chartered financial institutions should be alert to the possibility that older, more established businesses – banks in particular – may automatically be approved to engage in one or more virtual currency businesses, or can apply for bitlicenses. Proposal forms in general use for financial institutions should probably include a new question with respect to bitlicensing, perhaps with a follow-up request to provide a copy of the prospective insured's NYDFS bitlicense application.
Indeed, insurers of any enterprise involved in the world of virtual currency should certainly consider requiring insureds to (i) disclose plans to obtain one or more NY bitlicenses or (ii) explain why they think they do not need licenses per the NY rules if in fact the virtual currency business is engaged in VCBA in New York or with New York residents.
Insurers that have in the past written, or that currently write, bankers' blanket bonds may wish to consider adapting that product to work with respect to virtual currency businesses, perhaps most notably: (a) thinking through the implications of the dramatic exchange rate volatility exhibited by Bitcoin in particular and especially by many of the other virtual currencies that spiked in value 18 months ago and that now can be exchanged for fiat currency only via "by appointment" trades if at all; and (b) any customer cut-through features that insureds and/or regulators may insist on or may try on We would be pleased to assist, particularly as other states develop their own virtual currency regulatory frameworks. At this juncture, we can only speculate as to what other states will do, and while New York's pioneering effort may well be persuasive and influential, we suspect that other states will deviate from the NYDFS' effort.