CSBS publishes Draft Model Regulatory Framework to promote consistent state regulation of virtual currency activities and protect consumers in the event of a breach.

In March 2014, “Mt. Gox,” one of the largest and best-known virtual currency exchanges, announced that bitcoins (a prominent virtual currency) worth $409 million had been hacked and stolen. Mt. Gox subsequently declared bankruptcy, leaving more than one million people unable to recover their funds. Earlier this month, one of the active, operational bitcoin storage wallets of European bitcoin exchange Bitstamp was hacked, with approximately 19,000 bitcoins stolen, representing a market value of approximately $5 million.

On December 16, 2014, the Conference of State Bank Supervisors (CSBS) published a Draft Model Regulatory Framework (the Framework) for state virtual currency regulatory regimes. The CSBS, a national organization dedicated to advancing the state banking system, believes that, once adopted, the Framework will support the CSBS’s policy on state regulation of virtual currency, will promote consistent state regulation of virtual currency activities and will provide for greater consumer protection. The Framework is an initiative of the CSBS’s Emerging Payments Task Force, which was formed in February 2014 to take a comprehensive look at the changing payments landscape.

What Is Virtual Currency?

Virtual currency is an electronic medium of exchange that does not have all the attributes of real currencies but that can, nevertheless, be purchased, sold and exchanged with other types of virtual currencies or real currencies, like the U.S. dollar. Virtual currency includes cryptocurrencies (bitcoins and litecoins), which are not issued or backed by any central bank or governmental authority. Although this form of currency carries with it many potential benefits — including speed and efficiency, lower transaction costs and the provision of an outlet for the unbanked and underbanked around the world — it also carries a significant amount of risk. Risks include little recourse to recover lost funds, volatile values, the fact that entities responsible for virtual currency’s exchange have been subject to criminal investigation and the fact that, due to rapidly evolving technologies, currency used today could be obsolete tomorrow.

Existing State Regulation

Presently, state law generally requires the licensing of companies and individuals that transmit other people’s funds. State regulatory agencies license and regulate money transmitters to ensure compliance with state and federal regulatory requirements and to help prevent the use of money transmitters in financing illicit activities, such as narcotics trafficking and terrorism. State oversight includes ensuring that the proper policies, procedures and safeguards are in place to protect companies and their customers from operational, monetary and fraud risk. Many of the statutory provisions utilized by states are based on the Uniform Money Services Act, adopted by the National Commission on Uniform State Laws. Per this outline, prospective licensees apply for a license and submit credit reports, fingerprints, a business plan, financial statements and a surety bond. The prospective licensee may provide evidence of policies, procedures and internal controls intended to facilitate the prospective licensee’s compliance with state and federal regulations, including required Financial Crimes Enforcement Network (FinCEN) registration and documentation of a Bank Secrecy Act compliance program. After being granted a license, the licensee must maintain requisite permissible investments and surety bonds and must submit periodic reports that often include financial statements, permissible investments calculations, branch and agent reporting and transmission volume activity.

If violations are found, enforcement measures used by state authorities include a letter of understanding or consent order, acknowledging the violation and setting forth a corrective plan; temporary or permanent cease and desist orders (potentially limiting an entity’s ability to operate); civil money penalties; and the revocation of the entity’s license.

New York’s Leadership in Virtual Currency Regulation

A leader in regulating this field is New York. On January 26, 2016, the Manhattan U.S. Attorney for the Southern District of New York announced the unsealing of criminal charges against Robert M. Faiella, a/k/a “BTCKing,” an underground bitcoin exchanger, and Charlie Shrem, the chief executive officer and compliance officer of a bitcoin exchange company, for engaging in a scheme to sell more than $1 million in bitcoins to users of the underground website “Silk Road”. In July 2014, the New York Department of Financial Services (NYDFS) proposed BitLicense, an extensive regulatory framework that would mandate licenses for a wide range of companies that intersect with digital currencies, including bitcoin. A revised version of the proposal is expected in early 2015. Under the proposed licensing scheme, businesses dealing in digital currencies would be required to, among other things: (i) hold funds of the same type and amount of virtual currency owed to consumers; (ii) provide consumer disclosures, transaction receipts and a policy for complaints and resolution; (iii) verify account holders and report on suspected illicit activity or fraud as part of their efforts to abide by anti-money-laundering rules; (iv) comply with certain bond and capital requirements; (v) maintain a cybersecurity program; (vi) hire a compliance office and chief information security officer; and (vii) keep extensive records. In early 2014, the NYDFS started taking applications for regulated digital currency exchanges. One such application belongs to Cameron and Tyler Winklevoss, who recently announced their intention to form the first regulated bitcoin exchange, dubbed the “NASDAQ of Bitcoin”.

The CSBS Framework

The CSBS Framework builds on BitLicense and adopts many of its principles. Per the Framework, state financial regulatory regimes applying to virtual currency activities should include the following 8 components:

• Licensing Requirements: These requirements must include credentialing business entity owners, directors and key personnel and details on the banking arrangements of the business entity.
• Use of Licensing Systems: The systems must be equipped with the ability for the states to share licensing and enforcement data in real time.
• Financial Strength and Stability: The state may set requirements, including minimum net worth or capital, permissible investments and surety bonds intended to create financial security in the event of failed transactions or a failed business. States may also require the establishment of policies, procedures and documentation for disaster recovery and emergency preparedness plans.
• Consumer Protection: State authorities would require written consumer protection policies; the holding of an actual amount of virtual currency in trust that is identifiable separately from other funds; and adequate disclosures, including exchange rates, risks, insurance coverage, licensing information and agency contact information.
• Cybersecurity: States would require instituting written cybersecurity programs, policies and procedures; notification of consumers in the event of a cybersecurity event; and third-party cybersecurity audits.
• Compliance with Bank Secrecy Act/Anti-Money-Laundering Laws and Regulations: This compliance will including instituting written policies to this effect and verifying account holder identities.
• Books and Records: State authorities could require access to books and records; production of audited financial statements consistent with generally accepted accounting principles (GAAP) as recognized in the United States; and documentation and production of transaction-level data, including names, addresses and IP addresses of parties to a transaction, identifiable information of virtual currency owner, and country of destination.
• Supervision: State authorities would have the ability to consult and coordinate with other state and federal regulators, to conduct joint or concurrent examinations with them or to use and adopt reports of examination prepared by them. The authorities would have enforcement capabilities, which would include the removal of officers and directors, imposition of civil money penalties, taking control of the entity or appointing a receiver to the entity.

The draft Framework is open to public comment until February 16, 2015.

CFPB Proposed Rule

The Framework comes following a proposed rule with a request for public comments. The rule was published on November 10, 2014 by the Consumer Financial Protection Bureau (CFPB) with respect to Prepaid Accounts under the Electronic Fund Transfer Act (Regulation E) and the Truth In Lending Act (Regulation Z). The proposed rule would extend the applicability of Regulation E and Regulation Z into the mobile, peer-to-peer, payroll and government benefits spheres. The proposed rule would make disclosures match up across the industry and would require companies selling prepaid cards to limit consumers’ losses when funds are stolen or the cards are lost, to investigate and fix errors, to provide free access to account information and to apply credit card protections if credit is offered in connection with a prepaid account. It is still not clear whether the proposed rule would be extended to apply to bitcoin wallets, which can store funds on them — a prepaid-like feature. If it is so extended, bitcoin wallet providers, in managing those funds, would be subject to those prepaid account rules, even if the wallets operate purely as mobile apps.

Pepper Point: Entities involved in the exchange or issuance of virtual currency or other emerging payment forms would be well advised to commence assessing their existing policies and procedures as pertaining to client identification, consumer protection, money-laundering protection, cybersecurity, data breach and disaster recovery and to seek advice from legal counsel to ascertain that the policies and systems in place provide adequate protection and would be sufficient to comply with the Framework.