On June 3, the New York State Department of Financial Services (NYSDFS) released its final "BitLicense" rules, which establish minimum standards for all financial intermediaries that conduct virtual currency business activities in New York or with a New York resident. Significantly, the final rules provide an exemption from licensing requirements for entities that are chartered under the New York banking law and are approved by the superintendent to engage in virtual currency business activities, customers and merchants that use virtual currencies in connection with transactions for goods or services, and those entities that are only involved with the development and dissemination of virtual currency software. The final rules, however, create new state law-level regulatory duties and reporting requirements.

The final rules require any financial intermediary that is engaged in a virtual currency business activity to apply for and obtain a "BitLicense." The final rules define “virtual currency business activity” as an activity that falls within one of the following categories:

• receiving virtual currency for transmission or transmitting virtual currency, except where the transaction is undertaken for nonfinancial purposes and does not involve the transfer of more than a nominal amount of virtual currency
• storing, holding or maintaining custody or control of virtual currency on behalf of others
• buying and selling virtual currency as a customer business
• performing exchange services as a customer business
• controlling, administering or issuing virtual currency.

Additionally, “virtual currency” is broadly defined and includes any digital unit that is utilized as a medium of exchange or as a form of digitally stored value. However, digital units used as part of prepaid cards, most customer affinity or rewards programs, and digitally stored units used solely within online gaming platforms are excluded from the definition of “virtual currency.”

The BitLicense application process requires the disclosure of comprehensive information about a firm’s proposed business activities, including obtaining fingerprints of each employee who has access to customer funds, as well as third-party prepared background reports on each principal. All existing virtual currency firms must apply for a license within 45 days of the effective date of the regulations or otherwise cease operating as a virtual currency firm.

The compliance requirements under the final rules are equally robust, as licensees must have written compliance policies addressing anti-money laundering (AML), anti-fraud, privacy and information security, and cybersecurity. These firms are required to have a chief compliance officer, a chief AML officer and a chief information officer. Licensees are also required to maintain and keep records in their original file format for at least seven years. In addition, licensees are subject to NYSDFS examinations and must file quarterly unaudited financial statements. For their customers, there are minimum risk disclosures that must be given as well.

Notably, the final rules eliminated a potentially burdensome and clearly redundant requirement in the proposed rules — that licensees file duplicative currency transaction reports (CTRs) and suspicious activity reports (SARs). The final rules do not require licensees to file SARs and CTRs with the NYSDFS if these reports must be filed with federal regulators. This point was reiterated in a speech by former NYSDFS Superintendent Benjamin Lawsky on June 3 to the BITS Emerging Payments Forum in connection with the release of the final rules. However, New York licensees who are not covered by federal law reporting requirements are required to file SARs and CTRs with the NYSDFS, which represents a new development because states have not required AML data filings in the past.

In addition, to meet the AML compliance requirements under the final rules, each licensee must maintain a customer identification program, which requires verifying the customer's identity to the extent reasonable and practicable, maintaining the record information for identity verification (including name, physical address and other identifying information), and checking customers against the Specially Designated Nationals list maintained by the Office of Foreign Asset Control.

Additionally, the final rules have robust cybersecurity program requirements, which include a cybersecurity program designed to perform five core functions: (a) identify internal and external cyber risks; (b) protect a licensee's electronic systems and information on those systems; (c) detect system intrusions, data breaches and unauthorized access to a system; (d) respond to detected cybersecurity events; and (e) recover from cybersecurity events and restore normal operations and services. Under the final rules, a licensee’s written policy requirements must include the licensee's policies and procedures for protecting its electronic systems and customer and counterparty data stored on those systems.

Pepper Points

These first-of-their-kind state regulations on virtual currency will have a wide-ranging impact on all entities that transact in New York or with its residents and are involved with virtual currency and virtual currency businesses. The significant operational requirements for licensees, including compliance personnel and AML reporting, could prove to be expensive and substantial barriers to entry for small businesses interested in engaging in virtual currency business activities in New York.

The final rules require notice to the NYSDFS, within 24 hours, of any virtual currency transaction exchange, or series of transaction exchanges totaling more than $10,000, made during a single business day by one person. This new state law reporting requirement likely is not required under current federal law and would not have triggered federal law reporting.

For licensees that already institute “Know Your Customer” due diligence, the final rules’ customer identification program should not require significant changes from current practices. However, for those licensees that do not already have strong AML and “Know Your Customer” programs, the final rules will require that they develop written policies, hire personnel and institute those policies quickly.

Additionally, the cybersecurity requirements for licensees under the final rules are more comprehensive than those currently required by federal regulators because they require a written plan, reports submitted to the licensee’s board of directors and employment of cybersecurity personnel. In certain instances — such as requirements to conduct annual audits of a licensee’s electronic systems, including penetration testing and quarterly vulnerability assessments of those systems — the final rules go so far as to require best practices currently only recommended by federal regulators. As such, licensees should review their cybersecurity policies and procedures to ensure that they meet the stricter requirements of the final rules.