After holding hearings on bitcoin and virtual currencies this past January, the NYS Department of Financial Services (“DFS”) has released proposed regulations with direct impact on New York entities that deal with or accept virtual currencies. The Virtual Currencies regulations proposed will be published in the New York State Register’s July 23, 2014 edition, which begins a 45-day public comment period.
The proposed measures include a “BitLicense” required for entities that engage in any one or more of the following:
- Transmit and receive virtual currencies;
- Handle currency conversion, whether from a virtual currency to another virtual currency, or from fiat to virtual currency (or vice-versa);
- Being a custodian of virtual currency (such as a virtual bank);
- Maintaining a virtual currency exchange; and
- Retaining control of possession and issuance of virtual currency.
NOTE: DFS has stated a BitLicense is not required of merchants or consumers that utilize Virtual Currency solely for the purchase or sale of goods or services; or entities chartered under New York Banking Law to conduct exchange services and that are approved by DFS to engage in Virtual Currency business activities.
However, included among the numerous requirements proposed for those seeking a “BitLicense” are that they:
- Maintain the same amount and type of digital currency to meet its obligations to any parties. The firm must also hold a bond or a trust account in US dollars in an amount the Department of Financial Services deems acceptable to protect customers.
- “Virtual Currency Receipts” must display the following: a telephone number to lodge complaints and answer questions; the and value of the transaction; fees if any levied; any applicable exchange rates; liability disclosures in event of delayed transaction; and a refund policy.
- Firms will be required to have means of resolving any customer disputes in a timely manner and must also notify customers that the NYS Department of Financial Services can investigate any claims.
- Firms must make clear that any losses due to cyber-attacks or volatility are generally not recoverable and that since virtual currencies are not seen as legal tender, they lack the protections from the FDIC and other government agencies.
- Firms must comply with AML programs, retaining records of transactions containing personally identifiable information and the transaction amount. EDD or Enhanced Due Diligence may be needed if the individual is high risk or they have been flagged for suspicious activity.
- License holders will be required to monitor and analyze transactions for the possibility of theft, fraud, or other criminal activity. Any transaction made in an aggregate amount in excess of $10,000 shall be reported to the Department of Financial Services.
- A cyber security program must be in place in order to locate potential or actual risks. The program must also be able to safeguard the firm from intrusions and be able to ameliorate from an attack. Every year, the firm will be required to engage in penetration tests to assure the integrity of the firm’s respective systems. Similarly, the firm must assess its vulnerabilities quarterly.
- Every firm is required to have a CISO whose responsibilities would include the oversight and implementation of cybersecurity programs and subsequent policies.
- The Department of Financial Services will hold audits at least every two years to examine finances of company, to ensure that the firm is sound. Likewise, annual financial statements and an opinion from a CPA must be submitted within 120 days of its fiscal years end.
- Capital requirements will be set by analyzing the assets and liabilities of the firm, the total leverage of the company, the overall liquidity of the respective firm, and any protections already afforded to customers.
- A compliance officer must be assigned by firm to ensure compliance with “BitLicense” statutes.
- Every Licensee is required to develop a continuity of business plan to ensure continuing of operations if there are service interruptions because of disasters or other issues.
- Appropriate regulatory department must be notified if there are any interruptions to business operations that could affect the firm’s nature of complying with regulations.
- Firms that are currently in operation will have 45 days to attain a license before the laws become effective. In that time frame, the superintendent will have 90 days to approve or deny the license.
For the full copy of the proposed regulations, please click here.
If you wish to discuss implementation and requirements of the proposed virtual currency regulations, or are interested in public comment, please feel free to contact us at info@SmartEdgeLawGroup.com or (203) 307-2665.