In 2013, cryptocurrency investors, enthusiasts, financial regulators and the crypto community witnessed the largest bitcoin exchange in the world, Mt. Gox, collapse. New York regulators decided they needed to step in and ensure that kind of thing did not happen in their state. Two years later, the New York State Department of Financial Services (NYDFS) issued its final BitLicense regulations with respect to virtual currency transactions. Since then, NYDFS has granted over 10 BitLicenses to some major virtual currency businesses in recent years.
In general, companies engaging in digital assets, including crypto and tokens, activities involving New York State or persons that reside, are located, have a place of business or conducting business in New York, are required to obtain a BitLicense from NYDFS.
The regulations apply to any company engaged in the following “virtual currency” business activities:
- Virtual currency transmission.
- Storing, holding, or maintaining custody or control of virtual currency on behalf of others.
- Buying and selling virtual currency as a customer business.
- Performing exchange services as a customer business.
- Controlling, administering, or issuing a virtual currency.
The BitLicense does not apply to retailers that accept bitcoin or to individuals trading or purchasing with bitcoin. Likewise, software developers can be exempt from the BitLicense so long as their applications never take possession of customers’ digital assets.
Whether your company was already licensed or recently received a BitLicense, or you’re wondering how much work it will take to maintain the license, there are some key provisions all cryptocurrency businesses should understand.
1. Maintain Written Compliance Policies
Each Licensee is required to maintain and enforce written compliance policies, including policies with respect to anti-fraud, anti-money laundering, cybersecurity, privacy and information security, and any other policy required under the BitLicense regulations. Additionally, the policies must be reviewed and approved by the Licensee’s board of directors or an equivalent governing body.
2. Minimum Capital Requirement
Each Licensee is required to maintain at all times minimum capital in an amount and form as determined by the NYSDFS superintendent to ensure the financial integrity of the Licensee and its ongoing operations based on an assessment of the specific risks applicable to each Licensee. Factors considered in determining the minimum amount of capital include but not limited to:
- the composition of the Licensee’s total assets, including the position, size, liquidity, risk exposure, and price volatility of each type of asset;
- the composition of the Licensee’s total liabilities, including the size and repayment timing of each type of liability;
- the actual and expected volume of the Licensee’s Virtual Currency Business Activity;
- whether the Licensee is already licensed or regulated by the superintendent under the Financial Services Law, Banking Law, or Insurance Law, or otherwise subject to such laws as a provider of a financial product or service, and whether the Licensee is in good standing in such capacity;
- the liquidity position of the Licensee;
- the financial protection that the Licensee provides for its customers through its trust account or bond and;
- the types of products or services to be offered by the Licensee.
3. Examination by NYSDFS
Each Licensee is subject to NYSDFS examination at least once every two calendar years. The examination includes assessing and evaluating:
- the financial condition of the Licensee;
- the safety and soundness of the conduct of its business;
- the policies of its management;
- whether the Licensee has complied with the requirements of laws, rules, and regulations and;
- the Licensee’s books, records, accounts, documents, and other information.
4. Independent Audit of Financial Statements and Effectiveness of Internal Controls Structure
In addition to providing quarterly financial statements within 45 days following the close of the Licensee’s fiscal quarter, each Licensee is required to submit audited annual financial statements, together with an opinion and an attestation by an independent certified public accountant regarding the effectiveness of the Licensee’s internal control structure.
5. Compliance Programs and Business Continuity and Disaster Recovery Program
Each Licensee is required to conduct an initial risk assessment that will consider legal, compliance, financial, and reputational risks associated with the Licensee’s activities, services, customers, counterparties, and geographic location and should establish, maintain, and enforce (1) an anti-money laundering (AML) program, (2) an effective cyber security program, including penetration testing, to ensure the availability and functionality of the Licensee’s electronic systems and to protect those systems and any sensitive data stored on those systems from unauthorized access, use, or tampering, at least quarterly, (3) a business continuity and disaster recovery (“BCDR”) plan reasonably designed to ensure the availability and functionality of the Licensee’s services in the event of an emergency or other disruption to the Licensee’s normal business activities.
New York takes consumer protection very seriously, as should all businesses working in the digital assets industry. There is no question that the NYSDFS BitLicense regulations can be costly but at the same time, present an opportunity for other states to view the BitLicense regulation as the model for the cryptocurrency industry. Firms like BPM, one of the largest West Coast-based CPA firms that specialize in serving companies in the crypto industry, can assist you with pre-and post-BitLicense requirements.