New York State DFS Superintendent Benjamin Lawsky today issued proposed rules applicable to virtual currency businesses. These proposed rules continue the DFS’s efforts to regulate this emerging, dynamic industry. As it has done in the past, the DFS seeks input from the public, soliciting comments on the proposed rules for 45 days after the proposed rules’ formal release on July 23, 2014.
The rules seek to govern “Virtual Currency Business Activity,” a newly-minted term that supposedly captures the right kinds of commercial activity related to virtual currency so that the DFS can “strike an appropriate balance that helps protect consumers and root out illegal activity – without stifling beneficial innovation.” But, as they are written, the proposed rules are wide in scope and heavy on compliance. It appears that the proposed rules would apply to a class of people and entities which is much broader than that which is covered by FinCEN’s 2013 Virtual Currency Guidance and FinCEN’s February 2014 Letter Rulings. For example, the proposed rules would apply to “anyone securing, storing, holding, or maintaining custody or control of Virtual Currency on behalf of others,” sweeping in wallet service providers, or providers of any service which holds at least one of the needed “private keys” to execute Bitcoin transactions. Such service providers are not necessarily within the reach of FinCEN’s Guidance. The rules also cover the retail conversion of currency, including fiat-to-digital and digital-to-digital conversions.
Those within the reach of the proposed rules would need to take a number of steps to become and remain licensed by the NYDFS. These include traditional requirements such as financial disclosures, background checks, and an explanation of the regulated payment flows; but the proposed rules also demand more, including extensive disclosures about applicant business plans, corporate structures, and future strategies.
Once licensed, virtual currency businesses will be subject to an expanded set of operational and reporting requirements. These requirements include:
- Maintaining 10 years’ worth of transaction data, which must include personal identifying information of both parties to each transaction;
- Storing all “communications and documentation related to investigations of customer complaints and transaction error resolution….”;
- Quarterly reporting not only of certain financial and transaction data often required of money services businesses, but also of “financial projections and strategic business plans”;
- Submitting to regular examinations by the DFS;
- Maintaining a “Cyber Security Program” that addresses, among other things, incident responsiveness, customer privacy, business continuity, and information governance; and
- A unique, state-specific, suspicious activity reporting obligation where “each Licensee that is not required to file SARs [with FinCEN] … shall file with the superintendent…reports of transactions that indicate a possible violation of law or regulation….”
Not only do the proposed rules unambiguously impose AML compliance obligations and other security-related requirements that are broader than even those required by the Bank Secrecy Act, but their requirement to report strategic business plans and other sensitive information could pose particular challenges in an industry in which innovation is premium. The new state-specific suspicious activity report, if adopted by many other states that decide to follow New York’s lead, could become a burden on virtual currency companies, especially if the reporting requirements are not coordinated or uniform between separate states. Similarly, it is not clear whether some types of businesses could comply with the proposed rules, even if they tried. For example, collecting physical address information on all of the parties of every kind of virtual currency transaction may not be practical or even technologically feasible.