BitLicense 2.0: New York Moves Closer to Comprehensive Virtual Currency Regulation

February 11, 2015

On February 4, 2015, the New York Department of Financial Services (DFS) released revisions (2015 Proposed Regulations) to its groundbreaking virtual currency regulatory framework that was first introduced on July 17, 2014 (2014 Proposed Regulations).  The revisions came after an extended public comment period and a December 18, 2014 speech by DFS Superintendent Benjamin M. Lawsky that previewed several changes to the framework, which is commonly referred to as the “BitLicense.”

Although the 2015 Proposed Regulations depart from the 2014 Proposed Regulations in certain key areas, discussed below, the breadth of activities that can give rise to a New York licensing requirement–as a general matter, engaging in “Virtual Currency Business Activity” with a “New York Resident”–demonstrates that DFS wishes to cast a broad net over virtual currency activities.  If replicated by other states, the DFS approach would mean that virtual currency businesses wishing to engage in a significant business could be required to be licensed in, and subject to examination by, as many states as the states in which they have customers.  Although there is a nod in the 2015 Proposed Regulations via their “conditional” BitLicense framework to start-up companies and other small operators, the New York scheme, if replicated, will most likely lead to a market in which enterprises with the most advanced technologies and firmest financial backing will thrive.

This Client Alert provides a brief overview of virtual currencies generally followed by a detailed analysis of the recent changes to the New York proposals.[1]

Background on Virtual Currencies

Virtual currencies are digital representations of value that function as a medium of exchange and can be transferred, stored, and traded electronically.  They do not have legal tender status (i.e., they are not a “fiat” currency like the dollar or euro), are not backed by any government, and are not pegged to any fiat currency.  Today, the most prominent virtual currency is Bitcoin, which first appeared in 2009.  As with many virtual currencies, Bitcoin functions via a decentralized peer-to-payment system, meaning there is no third-party intermediary.  Transactions are pseudonymous–identities are encrypted and no personal information is exchanged, but public ledgers maintain full transaction records.[2]

Although virtual currencies have existed for several years, legislative and regulatory responses at the federal and state level have not kept up with technological developments, making the DFS proposals a significant milestone in the evolution of virtual currency regulation.

Key Revisions to the Proposed BitLicense

Definition of “Virtual Currency Business Activity”

The BitLicense seeks to regulate entities engaged in “Virtual Currency Business Activity” by requiring them to obtain licenses and comply with anti-money laundering, cybersecurity, capital maintenance and other supervisory requirements.  The 2014 Proposed Regulations adopted a very broad view of the entities that would constitute “virtual currency businesses” by requiring licenses for entities the operations of which involved New York or a New York Resident[3] and the activities of which included any of the following:

  • Receiving or transmitting virtual currency;
  • Securing, storing, holding, or maintaining custody or control of virtual currency on behalf of others;
  • Buying and selling virtual currency as a customer business (as distinct from personal use);
  • Performing retail conversion services, including the conversion or exchange of fiat currency or other value into virtual currency, the conversion or exchange of virtual currency into fiat currency or other value, or the conversion or exchange of one form of virtual currency into another form of virtual currency; and
  • Controlling, administering, or issuing a virtual currency.[4]

In his December 18, 2014 speech, Superintendent Lawsky indicated that the BitLicense was meant to regulate “financial intermediaries” and would not extend to a broader range of actors, including software developers of virtual currency technology, virtual currency miners, and individuals purchasing and holding virtual currency solely as a personal investment.[5]

The 2015 Proposed Regulations follow the approach outlined by Superintendent Lawsky, but, more significantly, the proposals maintain the “New York or New York Resident” jurisdictional threshold.[6]  This may be contrasted with other licensing requirements, where a license is required to engage in New York State in a “business.”[7]  Many of the exemptions in the 2015 Proposed Regulations must be understood in this manner.  The activity of receiving or transmitting virtual currency, for example, is not subject to regulation where “the transaction is undertaken for non-financial purposes and does not involve the transfer of more than a nominal amount of Virtual Currency;”[8] this indicates that a transfer of a nominal amount of Virtual Currency in a transaction undertaken for “financial” purposes is a licensed activity if the broad jurisdictional basis is met.

Similarly, the 2015 Proposed Regulations also state that the “development and dissemination of software in and of itself does not constitute Virtual Currency Business Activity,” but this is really a clarification for software production enterprises.[9] So too, although the revised proposal states that any entity chartered under the New York Banking Law–not just entities with an authorization to engage in exchange services–is exempt from licensing as long as it obtains approval from the Superintendent to engage in Virtual Currency Business Activity, this exemption benefits New York-chartered banks already regulated by DFS, but would not apply to an out-of-state bank if the jurisdictional basis was met.[10]  Finally, the revisions clarify that merchants and consumers that use virtual currencies solely for investment purposes, in addition to using them solely for the purchase and sale of goods, qualify for an exemption, but this too is not a material change to the overall scheme.[11]

Conditional Licenses for Virtual Currency Startups

The 2014 Proposed Regulations adopted a “one-size-fits-all” approach to BitLicenses:  all entities needing a license for “Virtual Currency Business Activity” would be required to comply with the same regulations, regardless of size or financial resources.  In his December remarks, Superintendent Lawsky noted that the compliance costs associated with such regulatory requirements might unduly constrain “new or fledgling virtual currency enterprises.”[12]

The 2015 Proposed Regulations thus add flexibility to the BitLicense regime by providing for the granting of “conditional licenses,” which Superintendent Lawsky described as being “tailored to startups and small businesses.”[13]  The revisions, however, describe conditional licenses only in broad terms and give the Superintendent far-ranging authority to define the scope of such licenses, which may undercut their utility.  Under the 2015 Proposed Regulations, the Superintendent may, in his or her sole discretion, grant a conditional license to an applicant “that does not satisfy all of the regulatory requirements upon licensing.”[14]  A conditional license will automatically expire two years after its issuance, but the Superintendent has the discretion to either renew a license for an additional period of time or remove the conditional status from a license at any time.[15]

The 2015 Proposed Regulations provide a non-exhaustive list of factors that the Superintendent will consider in issuing conditional licenses, including the nature and scope of an entity’s business, the volume of virtual currency transactions that an entity is likely to process, and the steps that an entity is taking to mitigate risks that its business poses to consumers, virtual currency markets, financial markets, and the general public.[16]  With respect to this last factor, it is important to note that although conditional licensees may face a lighter regulatory burden than regular licensees, this is not guaranteed:  they also “may be subject to heightened review, whether in regard to the scope and frequency of examination [under Section 200.13] or otherwise.”[17]  Indeed, Superintendent Lawsky warned in his December speech that conditional licensees still must comply with the framework’s consumer protection and anti-money laundering provisions.[18]  Thus, exactly how much regulatory relief the conditional license provision will offer is at best unclear.

Limited Anti-Money Laundering Revisions

Most of the robust anti-money laundering requirements contained in the 2014 Proposed Regulations remain in the 2015 Proposed Regulations.  The 2015 revisions, however, include one change related to record-keeping of virtual currency transactions.

In the 2014 Proposed Regulations, licensees were required to record the identities and physical addresses of all of the parties to a virtual currency transaction in which a licensee was involved.  Commenters noted that although licensees could readily collect identifying information on their own customers or accountholders, they would find it difficult, if not impossible, to collect such information on their customers’ counterparties, since virtual currency transactions build in a certain level of pseudonymity.  Accordingly, the 2015 Proposed Regulations provide that licensees must record identifying information on their customers or accountholders, but need only do so “to the extent practicable” for counterparties.[19]  However, when one considers the retained anti-money laundering requirements–including risk assessments, independent testing, detailed record retention, and reporting requirements–this revision must be understood as removing only a particularly burdensome requirement, not materially amending the overall regulatory scheme.

Limited Cybersecurity Revisions

As with the anti-money laundering provisions, most of the cybersecurity provisions in the 2014 Proposed Regulations are included in the 2015 Proposed Regulations, with one exception.  Under the 2014 Proposed Regulations, a licensee would have been required to hire an independent third party to conduct an annual “source code review” of the licensee’s internally developed proprietary software used in its business.  The 2015 Proposed Regulations replace this requirement and instead require that a licensee’s cybersecurity program include written policies and procedures designed to ensure the security of the licensee’s applications.  Such policies must be reviewed annually, but the review can be conducted by the licensee’s chief information security officer rather than by an independent third party.[20]

Other Changes

The 2015 Proposed Regulations liberalize to some degree, the capital requirements for licensees.  Under the 2014 Proposed Regulations, licensees would have been required to invest their retained earnings and profits only in certain enumerated securities, including certificates of deposit, money market funds, municipal bonds, and United States government bonds.  The 2015 Proposed Regulations permit a broader range of investments in other types of highly liquid investment-grade assets, and notably, virtual currencies.[21]

In addition, the 2015 Proposed Regulations permit the Superintendent to make a determination that certain passive investments in licensees do not qualify as changes in control that require regulatory approval.  In making such a determination, the Superintendent will look to whether the purchaser is making the investment solely for investment purposes, rather than to seek representation on the board of directors or to manage the entity, among other factors.[22]  Whether such a provision will aid in encouraging investment in virtual currency companies–in other contexts, it is not uncommon for 10% voting share investors to seek the right to appoint a director, for example–is unclear.

Finally, the 2015 Proposed Regulations ease the burden on licensees’ obligations to keep books and records.  Under the revisions, licensees must keep and preserve all books and records for seven years instead of ten years.[23]


In the coming days, the 2015 Proposed Regulations will be published in the New York State Register, which will trigger a 30-day public comment period.  Given the limited departures from the 2014 proposals in DFS’s revised framework, it is not clear whether additional comments will result in material changes to the regulatory scheme.  What is clear, however, is that DFS has staked its claim to be the U.S. leader in virtual currency regulation, and that DFS’s leadership will likely favor, on a national basis, players that are best equipped to manage heightened regulatory expectations.

   [1]   For a broader overview of the proposed BitLicense framework, please see our prior client alert on the subject, “The New Standard in Bitcoin Regulation?  New York’s Proposed BitLicense Would Create a Highly Regulated Virtual Currency Industry,” available at–Bitcoin-Regulation–New-York-Proposed-BitLicense.aspx.

   [2]   See Judith Lee, et. al., “Bitcoin Basics:  A Primer on Virtual Currencies,” Business Law International (Jan. 2015), available at

   [3]   A “New York Resident” is defined as any person that resides in, is located, has a place of business, or is conducting business in New York.  N.Y. State Dep’t of Fin. Servs., Proposed New York Code, Rules and Regulations (Feb. 4, 2015) (hereinafter “2015 Proposed Regulations”), §200.2(i); N.Y. State Dep’t of Fin. Servs., Proposed New York Code, Rules and Regulations (July 17, 2014) (hereinafter “2014 Proposed Regulations”), §200.2(g).

   [4]   2014 Proposed Regulations, §200.2(n).

   [5]   Lawsky, Benjamin, “Remarks at the Bipartisan Policy Center on Regulating Virtual Currencies and Payments Technology,” Dec. 18, 2014, available at (hereinafter “Lawsky Remarks”).

   [6]   2015 Proposed Regulations, §200.2(h)-(i).

   [7]   See, e.g., 3 New York Code, Rules and Regulations § 401.1(a) (“Application for a license to engage in the business of making loans in the principal amount of $25,000 or less for any loan to an individual for personal, family, household, or investment purposes and in a principal amount of $50,000 or less for business and commercial loans.”).

   [8]   2015 Proposed Regulations, §200.2(q)(1).

   [9]   Id., §200.2(q).

  [10]   2015 Proposed Regulations, §200.3(c)(1).

  [11]   Id., §200.3(c)(2).

  [12]   See Lawsky Remarks.

  [13]   2015 Proposed Regulations, §200.4(c)

  [14]   Id., §200.4(c).

  [15]   Id., §200.4(c)(3)(i)(A)-(B).

  [16]   Id., §200.4(c)(7).

  [17]   Id., §200.4(c)(2).

  [18]   See Lawsky Remarks.

  [19]   Id., §200.15(e)(1)(i).

  [20]   Id., §200.16(f).

  [21]   Id., §200.8(b).

  [22]   Id., §200.11(a)(3).

  [23]   Id., §200.12(a).

Gibson, Dunn & Crutcher’s lawyers are available to assist in addressing any questions you may have regarding the above developments.  Please contact the Gibson Dunn lawyer with whom you usually work, or the authors of this alert:

Judith A. Lee – Washington, D.C. (+1 202-887-3591, [email protected])
Arthur S. Long – New York (+1 212-351-2426, [email protected])
Jeffrey L. Steiner – Washington, D.C. (+1 202-887-3632, [email protected])
Stephenie Gosnell Handler* – Washington, D.C. (+1 202-887-3517, [email protected])

Please also feel free to contact any of the following members of the firm’s International Trade, Financial Institutions or Information Technology and Data Privacy practice groups:

United States:
Jose W. Fernandez – New York (+1 212-351-2376, [email protected])
Marcellus A. McRae – Los Angeles (+1 213-229-7675, [email protected])
Alexander H. Southwell – New York (+1 212-351-3981, [email protected])
Daniel P. Chung – Washington, D.C. (+1 202-887-3729, [email protected])
Andrea Farr – Washington, D.C. (+1 202-955-8680, [email protected])
Eric B. Lorber – Washington, D.C. (+1 202-887-3758, [email protected])
Lindsay M. Paulin – Washington, D.C. (+1 202-887-3701, [email protected])
Michael Willes – Los Angeles (+1 213-229-7094, [email protected])
David A. Wolber – Washington, D.C. (+1 202-887-3727, [email protected])
Annie Yan – Washington, D.C. (+1 202-887-3547, [email protected])

Peter Alexiadis – Brussels (+32 2 554 72 00, [email protected])
Attila Borsos – Brussels (+32 2 554 72 10, [email protected])
Patrick Doris – London (+44 (0)207 071 4276, [email protected])
Penny Madden – London (+44 (0)20 7071 4226, [email protected])
Mark Handley – London (+44 (0)207 071 4277, [email protected])

*  Ms. Gosnell Handler is not yet admitted to practice in the District of Columbia and currently practices under the supervision of the Principals of the Firm.

© 2015 Gibson, Dunn & Crutcher LLP

Attorney Advertising:  The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.