New York Proposes First State Bitcoin Regulations

by Proskauer Rose LLP

One might have thought the biggest news in the digital currency world lately was Dell announcing that it was now accepting bitcoin. However, after a series of highly-publicized hearings in January, New York State rolled out its proposed regulations surrounding bitcoin and virtual currency – the first state in the nation to propose licensing requirements for virtual currency businesses.

The July 23rd New York State Register includes a Notice of Proposed Rule Making from the New York State Department of Financial Services (the "NYSDFS") regarding the regulation of virtual currency ("Regulation of the Conduct of Virtual Currency Businesses," No. DFS-29-14-00015-P). The proposed rule calls for the creation of the "bitlicense" which the NYSDFS has hinted at in the past. The state agency goals are two-fold: to protect New York consumers and users and ensure the safety and soundness of New York licensed providers of virtual currency products and services. Virtual currency is still a nascent industry that is generally unregulated outside of federal anti-money laundering regulations, and while anti-establishment bitcoin pioneers may revel in the "wild west" atmosphere of the digital currency, the NYSDFS feels that their proposed regulations will protect consumers from undue risk, encourage prudent practices for those engaged in virtual currency business activity and foster the growth of the New York financial sector.

The Notice, which refers to the full text of the proposed rule originally made available by NYSDFS on July 17th, marks the beginning of a 45-day window for public comment on the proposed rule. Interestingly, the NYSDFS concurrently released a copy of the proposed regulations on the social news site Reddit to elicit debate (note, Ben Lawsky, Superintendent of Financial Services at the NYSDFS, participated in a Reddit AMA ("Ask Me Anything") session in February as the agency was developing the rules).

The proposed rule appears to be drafted to carefully exclude merchants and bitcoin miners from the scope of the licensing requirement, but include exchanges, digital wallet services, merchant service providers and others in the virtual currency ecosystem. It imposes many of the same types of requirements that we already have in the area of money transmission and clearing house services, including capital requirements, anti-money laundering safeguards, and "know your customer" type issues. It also includes requirements with respect to business continuity and cyber security issues.

This alert will outline some of the major elements of the "bitlicense" regulations.

Who's Covered?

Under the proposed regulations, "Virtual Currency Business Activity" means any one of the following activities involving New York or a New York resident:

(1) receiving Virtual Currency for transmission or transmitting the same;

(2) securing, storing, holding, or maintaining custody or control of Virtual Currency on behalf of others;

(3) buying and selling Virtual Currency as a customer business;

(4) performing retail conversion services, including the conversion or exchange of Fiat Currency or other value into Virtual Currency, the conversion or exchange of Virtual Currency into Fiat Currency or other value, or the conversion or exchange of one form of Virtual Currency into another form of Virtual Currency; or

(5) controlling, administering, or issuing a Virtual Currency.

Such "virtual currency businesses" would have to obtain a license from the agency before engaging in any such business activity, though persons chartered under the New York Banking Law to conduct exchange services and are approved by the NYSDFS to engage in virtual currency business activity would be exempt. As previously mentioned, the proposed rules seemingly excludes consumers who buy goods and services with digital currency, merchants who accept digital currency and bitcoin miners from the scope of the licensing requirement, but explicitly include digital currency exchanges, digital wallet apps and services, merchant service providers, virtual currency issuers,  and other similarly situated businesses. Specially, the agency is not seeking to regulate virtual currency used solely on online gaming platforms or digital units used exclusively for customer affinity or rewards program, but cannot be converted into fiat currency.

Other Important Requirements

  • Application Details:  Applicants would have to submit financial, insurance and banking particulars; organization charts and background reports for the principal officers and stockholders (along with fingerprints for officers, principals and employees); and an explanation of the methods used to calculate the value of virtual currency in fiat currency, among other things. Upon filing of an application, the agency will investigate the financial condition and responsibility of the applicant before issuing the bitlicense, and may revoke the license on sufficient grounds. Moreover, if the licensee wants to make a "material change" to an existing product or service, it would need the NYSDFS's prior approval; similar approval would be required in the event of any changes of control or mergers and acquisitions.
  • Compliance: Applicants would have to comply with all federal and state laws and regulations, appoint a compliance officer to monitor activity within the business, and maintain written compliance policies relating to anti-fraud, anti-money laundering, cybersecurity, and privacy and data security. In addition, virtual currency businesses would have to submit quarterly financial statements and audited annual financial statements to the NYSDFS.
  • Capital Requirements: The proposed regulations do not outline specific capital requirements. Rather, the text suggests that licensee shall maintain levels of capital as the NYSDFS determines is sufficient to ensure financial stability, taking into account basic financial barometers. The proposed regulations also would require licensees to only invest earnings in high-quality investments with maturities of up to one year, such as certificates of deposit regulated under U.S. law, money market funds, state or municipal bonds, or U.S. Gov't securities.
  • Anti-Money Laundering: Each licensee would be expected to enforce an anti-money laundering program with adequate internal controls and training, as well as a written policy reviewed and approved by the licensee's board. Under the regulations, virtual currency records would have to include records containing the identity and physical addresses of the parties involved, the amount of the transaction, the method of payment, the date(s) on which the transaction was initiated and completed, a description of the transaction, and special reports of any aggregate daily transactions that exceed $10,000 or otherwise involve suspicious activity. Covered businesses would also have to conduct adequate due diligence on new customers, with enhanced scrutiny for foreign entities. Such regulations are presumably similar to the March 2013 Financial Crimes Enforcement Network ("FinCEN") Guidance (FIN-2013-G001), which clarified that federal anti-money laundering regulations covering  "money services businesses" also applied to virtual currency exchanges.
  • Examinations: Each licensee would have to permit the NYSDFS to examine the licensee's accounting and operations at least once every two years to determine financial stability, business soundness and compliance.
  • Cybersecurity: Under the bitlicense regulations, each licensee would have to establish an effective cybersecurity program for their electronic systems and maintain a written cybersecurity policy that covers data and network security, data governance, access controls, business continuity and disaster recovery, customer privacy, vendor management, and incident response, among others. Licensees would also have to appoint a Chief Information Security Officer responsible for implementing the cybersecurity program and also submit an annual report assessing the cybersecurity program.
  • Protection of Customer Assets: The regulations would require each licensee to maintain a bond or trust account for the benefit of its customers in an amount acceptable to the NYSDFS, and hold virtual currency of the same type and amount the licensee is storing for a customer. The licensee would be prohibited from selling or encumbering virtual currency assets stored on behalf of a customer.
  • Consumer Protection: The proposed regulations require certain disclosures before a consumer may enter into a transaction, including disclosure of the material risks associated with digital currency (e.g., digital currency is not legal tender, transactions are generally irreversible, values may fluctuate, and cyberattacks are a real concern), the general terms and conditions of conducting business with the licensee, and a detailed receipt following the completion of any transaction.

Looking Ahead

All entities involved in or planning on being involved in virtual currency-related businesses should study this proposed rule carefully. There is still an opportunity to voice concerns and have the final rule reflect any issues that the NYSDFS views as important (for example, some commentators have suggested that the regulations should contain exemptions for smaller digital currency start-ups that handle small transactions, while the Bitcoin Foundation suggests that the comment period should be open for a longer period of time to allow the industry to digest the proposal). It is likely that whatever is enacted in New York will be used as a model in other states that wish to enact a similar virtual currency licensing structure. Moreover, the regulations, as they stand today, require that any entity engaged in a "virtual currency business activity" would have to apply for a license within 45 days of the effective date of the regulations or risk being deemed to be conducting an unlicensed virtual currency business, further suggesting the importance in getting up to speed with the emerging digital currency regulatory environment in New York. It remains to be seen how onerous the final regulations and compliance obligations will be to both established digital currency service providers and start-ups alike.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Proskauer Rose LLP | Attorney Advertising

Written by:

Proskauer Rose LLP

Proskauer Rose LLP on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
Privacy Policy (Updated: October 8, 2015):

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.


JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at:

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.