Several days ago, the New York Department of Financial Services (NYDFS) published a draft proposal for a “BitLicense.” The 40-page document presents a framework for the regulation of Virtual Currency Businesses in New York. Virtual Currency Business activity includes:
- Receiving Virtual Currencies for transmission or transmitting the same;
- Securing, storing, holding, or maintaining custody or control of Victual Currency on behalf of others;
- Buying and selling Virtual Currency as a customer business;
- Performing retail conversion services;
- Controlling, administering or issuing a Virtual Currency.
The previous therefore includes (but is not limited to) the following services:
- Cryptocurrency Exchanges
- Tipping services
- Mining pools
- Direct purchasers/sellers
- Basic hosted wallets
- Multi-signature wallets
- Merchant payment processors
- Local wallet software developers
The proposal exempts “merchants and consumers that utilize Virtual Currency solely for the purchase or sale of goods or services” from the licensing requirements. A summary of the Licensee requirement highlights in the proposal can be found below.
All applicants have to provide a background report. Also a set of fingerprints of the applicant and applicant employees will have to be provided for submission to the State Division of Criminal Justice Services and the Federal Bureau of Investigation. A non-refundable application fee is part of this process. The department’s superintendent has the authority to suspend or revoke a license.
A Compliance Officer is mandatory and is responsible for monitoring and coordinating several policies in the proposal including anti-money laundering and cyber security.
Anti-money laundering program
The anti-money laundering program is extensive, and requires the collection of all the following for each transaction:
- Amount of any fees charged
- Any payment instructions
- Name of all parties to the transaction, and
- Physical address of all parties to the transaction
- Time of the transaction.
Records of each transaction must be stored for 10 years. The requirement does not have a minimum threshold. Transactions worth more than $10,000 by single person on a single day have to be reported, as well as transactions that may signify money laundering, tax evasion or other illegal criminal activity.
Cyber security program
Licensees will have to ensure the availability and functionality of their systems are and protect those systems from any unauthorized access or tampering. This requires a security policy that describes procedures for protection and disaster recovery plans, which must be reviewed annually. A Chief Information Security Officer (CISO) must be designated to implement and enforce the cyber security program. The CISO will have to report annually on the functionalities and vulnerabilities of the systems. Audit functions should do quarterly vulnerability assessments and annual penetration testing.
Protection of customer assets
Not only will Licensees be required to hold a full reserve for any cryptocurrencies owed, but also USD collateral will be required. The percentage is, however, not specified. Lending, hypothecating, pledging, or otherwise using or encumbering assets is not allowed.
Books and records
Inactive Virtual Currency accounts will become abandoned property after five years, and therefore owned by the state.
Reports and financial disclosures
Quarterly financial statements must be prepared and submitted to the NYDFS. Annual financial statements must prepared in accordance with generally accepted accounting principles (GAAP) and audited by an independent certified public accountant.
A long list of material risks when dealing in Virtual Currencies must be disclosed. This includes a warning that transactions are irreversible, the volatility and unpredictability of cryptocurrencies and the increased risk of fraud or cyber attacks.
Even though the previous may sound dramatic, it is not likely that the final law will be exactly as in the proposal. It is common for proposals to be over-inclusive. The community may now respond to the proposal during the public comment period. The comment period starts on July 23, and will last for 45 days.