Regulating The Wild West of Cryptocurrencies: A Primer on New York BitLicenses

As the market for cryptocurrency continues to mature, institutional investors and asset management firms are increasingly embracing the asset class. Companies that are considering entering the cryptocurrency space should be aware of an important business license for virtual currency activities issued by the New York State Department of Financial Service, (the “DFS”), commonly referred to as a BitLicense, as well as regulations governing companies operating under a BitLicense (the “Regulations”).[1]

Persons Required to Obtain a BitLicense

A person, whether an individual or an entity, that engages in “virtual currency business activity”, is required to obtain a BitLicense.  The Regulations define “virtual currency business activity” to mean one of five types of activities involving the state of New York or New York residents:

• Receiving virtual currency for transmission or transmitting virtual currency;
• Storing, holding or maintaining custody or control of virtual currency on behalf of others;
• Buying and selling virtual currency as a customer business;
• Performing exchange services as a customer business; or
• Controlling, administering, or issuing a virtual currency.

The Regulations define “virtual currency” broadly to include “any type of digital unit that is used as a medium of exchange or a form of digitally stored value,” whether the units have a centralized repository or administrator, are decentralized, or may be created or obtained by computing or manufacturing effort.

The Regulations include express carve-outs for the licensing requirement for persons that are chartered under the New York Banking Law, and merchants and consumers that utilize virtual currency solely for the purchase or sale of goods or services or for investment purposes.  Furthermore, as noted on the DFS’ BitLicense FAQ,[2] financial advisers that provide clients advice on buying or selling virtual currencies do not need a BitLicense to provide such services to New York residents.

Application Process

BitLicense applications must be submitted through the online system operated by the Nationwide Multistate Licensing System & Registry (“NMLS”). Companies applying for a BitLicense through NMLS should refer to NMLS’ checklist for a BitLicense application, which provides a detailed outline of the application process and description of the requirements for documents that need to be submitted for review and approval by the DFS.[3]

Applicants are required to provide extensive documentation for the DFS’ review, including (i) financial statements, (ii) credit reports of certain individuals affiliated with the applicant, and (iii) copies of the applicant’s anti-money laundering policy, cyber security policy, business continuity and disaster recovery policy, and business plan.  Applicants must also pay a $5,000 application fee.

In a recent notice,[4] the DFS announced that it will begin its substantive review of an application only when it includes all documents required by the NMLS application process, as reflected in the checklist.  Following a substantive review of the application, the DFS will provide the applicant detailed deficiency letters setting out any deficiencies in the application, which will include a return date by which the applicant must respond.  If all deficiencies have not been addressed by the end of the response period for the third deficiency letter, DFS may deny the application.

Regulatory Requirements Governing virtual currency Businesses

In addition to the licensing requirements discussed above, the Regulations impose stringent requirements governing the operations of persons engaging in a virtual currency business:

• General Compliance Obligations.  Each licensee must comply with all applicable federal and state laws, rules and regulations.  In addition, a licensee must designate an individual to serve as a compliance officer and maintain an enforce written compliance policies (including an anti-money laundering policy, cybersecurity policy, and business continuity and disaster recovery policy).  All policies must be reviewed and approved by the licensee’s board of directors or equivalent governing body.
• Capital Requirements.  Each licensee must maintain capital in an amount and form as the DFS determines is “sufficient to ensure the financial integrity of the licensee and its ongoing operations based on an assessment of the specific risks applicable to each licensee.”  In making its determination, the DFS may consider, among other things, the licensee’s total assets and liabilities, liquidity position of the licensee, types of entities to be serviced by the licensee, and the types of products or services offered by the licensee.
• Surety Bond.  A licensee is required to maintain a surety bond or trust account for the benefit of its customers in a form and amount acceptable to the DFS.  The DFS noted in its BitLicense FAQ that the typical minimum amount for the bond or account is $500,000, although that figure may increase based on the specifics of the licensee’s business model.
• Books and Records.  A licensee must maintain and preserve all of its books and records in their original form or native file format for a period of at least seven years from the date of their creation, in a condition that allows the DFS to determine whether the licensee is complying with all applicable laws and regulations.  The Regulations provide a detailed list of records that must be maintained, including information relating to transactions, a general ledger, bank statements, and records demonstrating compliance with applicable state and federal anti-money laundering laws.
• Examinations.  Licensees are subject to periodic examinations by the DFS at the DFS’ discretion, at least once every two calendar years.
• Financial Disclosures.  A licensee must submit to the DFS quarterly financial statements within 45 days following the close of the fiscal quarter.  The financial statements must include, among other things: (i) a balance sheet, income statement, and cash flow statement; (ii) financial projections and strategic business plans; (iii) a list of off-balance sheet items; and (iv) a statement demonstrating compliance with any financial requirements established under the Regulations.  In addition, a licensee must submit annual audited financial statements, together with an opinion and attestation by an independent certified public accountant regarding the effectiveness of the licensee’s internal controls.
• Anti-Money Laundering Program. The Regulations prescribe detailed anti-money laundering requirements a licensee must follow. Each licensee must conduct an initial risk assessment considering legal, compliance, financial, and reputational risks associated with its activities and enforce an anti-money laundering program in accordance with the Regulations.  A licensee’s anti-money laundering program must provide a system of internal controls, policies, and procedures designed to ensure ongoing compliance will all applicable anti-money laundering laws, provide for independent testing for compliance, and provide ongoing training for appropriate personnel.  Licensees must also record and maintain information in connection with the payment, receipt, exchange, conversion, purchase, sale, transfer, or transmission of virtual currency.
• Advertising and Marketing. The Regulations prohibit a licensee from advertising its products, services, or activities in New York or to New York Residents without including the name of the licensee and a legend stating that the licensee is “licensed to engage in virtual currency business activity by the New York State Department of Financial Services.”  Furthermore, licensees must maintain for examination by the DFS all advertising and marketing materials for a period of at least seven years from the date of their creation.  All advertising and marketing materials must adhere to federal and state laws and regulations, including prohibitions on false, misleading, or deceptive representations or omissions.
• Consumer Protection.  As part of establishing a relationship with a new customer, a licensee must disclose in “clear, conspicuous, and legible writing” all material risks associated with its products, services, and activities and virtual currency generally.  In addition, prior to each transaction for or on behalf of a customer, a licensee must disclose the terms and conditions of the transaction to the customer.

[1] See 23 CRR-NY, s. 200.1 et seq.

[2] See https://www.dfs.ny.gov/apps_and_licensing/virtual_currency_businesses/bitlicense_faqs.

[3] The checklist can be found at: https://nationwidelicensingsystem.org/slr/PublishedStateDocuments/NY_Virtual_Currency_New_Application_Checklist.pdf#search=virtual%20currency

[4] See https://www.dfs.ny.gov/apps_and_licensing/virtual_currency_businesses/gn/notice_vc_busact_lic_app_procedure.