September 10, 2014
On July 21, 2014, the New York Department of Financial Services ("NYDFS") released a groundbreaking virtual currency regulatory framework, becoming the first state to issue comprehensive rules tailored to virtual currency businesses. The proposed framework, which has become commonly known as the "BitLicense," was the long-anticipated product of nearly a year of public hearings and other inquiries. Initially slated for a 45-day public comment period, the comment period was recently extended to October 21, 2014. This client alert provides detailed information on the scope of the proposed regulation, and discusses potential implications for the virtual currency industry.
What are Virtual Currencies?
Virtual currencies are digital representations of value that function as a medium of exchange and can be transferred, stored and traded electronically. They do not have legal tender status (i.e., they are not a "fiat" currency), are not backed by any government and are not necessarily pegged to any fiat currency. Today, the most prominent virtual currency is Bitcoin, which first appeared in 2009. As with many virtual currencies, Bitcoin functions via a decentralized peer-to-payment system, meaning there is no third-party intermediary. Transactions are pseudonymous–identities are encrypted and no personal information is exchanged, but public ledgers maintain full transaction records.
While virtual currencies have been around for several years, legislative and regulatory responses at the state and federal level are still in their primacy, making the proposed NYDFS regulations a significant development that will likely have a prominent impact on the future evolution of virtual currencies.
A "Novel" Regulation of Virtual Currency Activities
NYDFS Superintendent Benjamin M. Lawsky has described the proposed regulatory framework as a "novel regulation [that is] the collision of banking regulations with new technology." It is a comprehensive framework that focuses on consumer protection, anti-money laundering and cybersecurity rules for virtual currency businesses. Not only is the scope of the framework detailed, but the proposed application is expansive. The NYDFS has adopted a broad view of what entities constitute "virtual currency businesses." Under the proposed regulations, entities conducting specific virtual currency activities involving New York or a New York Resident would be required to obtain BitLicenses. These activities include:
Notably, under the proposed framework, BitLicenses will not be required for (i) entities that are chartered under the New York Banking Law to conduct exchange services and which are approved by the NYDFS to engage in virtual currency business activities and (ii) merchants or consumers that use virtual currencies only for the purchase or sale of goods or services.
The Proposed BitLicense
The Application Process
Under the proposed rules, entities are not permitted to engage in the aforementioned virtual currency activities without obtaining a license from the NYDFS (a "BitLicense"), nor may they conduct such activity through an unlicensed agent. The proposed regulations provide for a lengthy application that includes requirements such as (i) the applicant’s name and affiliates; (ii) detailed biographical information, a background report and fingerprints for each applicant, director, principal officer, principal stockholder and principal beneficiary; (iii) financial statements and details of all banking arrangements; (iv) proposed, current and historical business descriptions, to include primary markets, projected customer base and specific marketing targets; and (v) all written policies and procedures required under the framework. These policies include the following policies, procedures and plans: anti-fraud, anti-money laundering, cybersecurity, privacy and information security, business continuity and disaster recovery and complaints. Once they’ve made it through the application process and have a BitLicense, the requirements for licensees are significant. In particular, licensees must implement three significant programs: anti-money laundering, cybersecurity and business continuity and disaster recovery.
The Anti-Money Laundering Program
Under the proposed framework, a licensee’s anti-money laundering program must include an initial risk assessment and annual assessments thereafter, and also provide for (i) a system of internal controls, policies and procedures; (ii) independent testing for compliance with and the effectiveness of such program; (iii) ongoing training for personnel; and (iv) include policies for the preservation of records. Under the anti-money laundering requirements, licensees would be required to maintain customer identification programs, which would include verifying customer identities, checking customers against the Specially Designated Nationals ("SDNs") list maintained by the Treasury Department’s Office of Foreign Asset Control ("OFAC") and conducting enhanced due diligence for accounts involving foreign entities. Under the proposed regulations, licensees would need to identify and appoint an officer to coordinate and monitor compliance with the anti-money laundering program. Licensees would also be required to notify the NYDFS of (i) any transaction or series of transactions that exceed $10,000 in one day and (ii) any suspicious activities that might signify money laundering, tax evasion or other illegal activity.
Cybersecurity Requirements for Licensees
In order to comply with the proposed framework, a licensee’s cybersecurity program would need to be designed to perform five core cybersecurity functions: (i) identify internal and external cyber risks; (ii) protect the licensee’s electronic systems (to include the information stored on such systems) from unauthorized or malicious acts; (iii) detect unauthorized access, intrusions and data breaches; (iv) respond to such events; and (v) recover from such events. Further, licensees would need to adopt written cybersecurity policies that address numerous areas including information security, data governance, access controls, business continuity and disaster recovery, systems operations, network security, capacity and performance planning, customer data privacy, vendor and third-party service provider management, monitoring and incident response. Audits would be required to include certain specified functions, and reports identifying relevant cyber risks, assessing the cybersecurity program and proposing steps for redress, among other requirements, would be due to the NYDFS at least annually. Sufficient personnel, including a chief information security officer, would need to be employed to manage the licensee’s cybersecurity risks.
Business Continuity and Disaster Recovery Requirements for Licensees
All licensees would be required to maintain a written business continuity and disaster recovery plan, which would (i) identify documents, data, infrastructure, personnel and competencies critical to continued operations; (ii) identify supervisory personnel responsible for implementing the plan; (iii) include a plan to communicate with essential persons in case of emergency; (iv) include procedures for maintenance of back-up facilities, systems and infrastructure and alternative staffing; (v) include procedures for backing up or copying documents and data essential to operations; and (vi) identify third parties necessary to continued operations. Such plan would need to be tested at least annually by qualified independent internal personnel or a qualified third party.
Additional Significant Requirements
In addition to maintaining the policies and procedures discussed above, licensees must always maintain "such capital as the [NYDFS] determines is sufficient to ensure [their] financial integrity and [their] ongoing operations." Licensees also would be required to (i) submit quarterly unaudited and annual audited financial statements; (ii) update the NYDFS if any changes are made to how the licensee calculates the value of virtual currency submitted as part of their application; (iii) notify the NYDFS of any criminal action or insolvency proceedings against the licensee, directors, principal officers, principal stockholders and principal beneficiaries; (iv) notify the NYDFS upon discovery of any breach of law, rule or regulation related to the conduct of the licensed virtual currency activity; and (v) submit any additional special reports required by the NYDFS. In addition, licensees would be required to maintain all books and records for a period of at least ten years, and would be subject to examinations at least every two years. Further, the proposed framework provides that licensees must obtain prior written approval from the NYDFS prior to any change of control event or any action that may result in a merger of acquisition of all or a substantial part of the assets of a licensee.
Consumer protection is a key goal of the NYDFS, and under the proposed framework licensees would also be required to disclose in writing (i) material risks associated with their products, services and activities and virtual currencies in general; (ii) general terms and conditions; and (iii) the terms and conditions of the specific transaction. Upon completion of a transaction, detailed receipts would need to be provided. Licensees would need to establish written policies and procedures for resolving consumer complaints, and clearly disclose that consumers may file complaints with the NYDFS. Licensees would also be required to comply with certain stipulations relating to advertising and marketing.
Entities currently engaging in virtual currency business activities would be required to apply for BitLicenses within 45 days of the effective date of the regulation.
The Impact of the Proposed Regulations
While the NYDFS’s proposed regulations do not contain an explanation of the proposed rules or other guidance surrounding the proposal, the proposed rules appear to be designed to increase consumer protection, prevent money laundering and promote cybersecurity for entities engaged in virtual currency activities through the implementation of a complex licensing regime with detailed requirements. The numerous requirements set forth in the proposed regulations have been alternatively praised for their comprehensive nature in the sparsely regulated virtual currency industry–which has a dark history of use for illicit activities–as well as criticized as overreaching and for potentially reducing competition. Businesses engaged in virtual currency activities both in the U.S. and abroad have expressed concern over the long arm of the NYDFS. Recently the three largest Bitcoin exchanges in China submitted comments to the NYDFS that the scope of the proposed framework should be limited to cover only virtual currency businesses with a meaningful connection to New York. Some virtual currency businesses, including prominent Bitcoin wallet and vault start-up Xapo, have already stated that they will exclude customers residing in New York in an effort to bypass any future requirement to obtain a BitLicense.
Notwithstanding the use of virtual currencies for certain illegal activities, some in the virtual currency industry continue to raise questions about customer identification programs, given that the pseudonymity of virtual currencies is often considered to be an important advantage over modern fiat currencies. Concerns about the impact on competitiveness in the industry are based on the premise that compliance will be significantly more burdensome for small entities, such as start-ups, that lack the resources and capacity of larger institutions to develop and implement the required policies, procedures and programs, as well as ensure compliance with the other regulatory requirements such as the capital requirements and reporting requirements. Any barrier to entry that the BitLicense could create due to the high hurdle for applications and compliance could potentially affect innovation in the nascent virtual currency industry.
As mentioned above, the NYDFS will accept comments relating to the proposed BitLicense framework until October 21, 2014. If the NYDFS determines substantial changes should be made to the proposed framework, it will release a revised framework for further review.
It is not clear how the NYDFS’s proposed regulations, if implemented, will affect the use of virtual currencies both in New York and on a broader scale. In the United States, we should take note of whether other states–and, more significantly, given federal preemption, U.S. government agencies–will propose similar rules relating to virtual currencies and, if so, how those rules would interact with each other. Given that virtual currencies, such as Bitcoin, are used on a global scale, it is also important to note how foreign jurisdictions are reacting. Differences in regulation of virtual currencies could create the potential for regulatory arbitrage both domestically as well as internationally with respect to various virtual currency activities.
 The market capitalization of Bitcoin is estimated to be over $6.45 billion, with a price of over $485 as of September 10, 2014. However, the market price has historically been volatile; it reached over $1,000 in early December 2013 before plummeting by nearly 50% following the ban on Chinese Bitcoin exchanges from accepting deposits in Chinese renminbi. It experienced another significant drop following the closure of the Japan-based Mt. Gox exchange in February 2014. The market capitalization of the next most prominent virtual currency, Litecoin is approximately $170 million, with a price of $5. Crypto-Currency Market Capitalizations, http://coinmarketcap.com/.
 Ember, Sydney, "More Comments Invited for Proposed Bitcoin Rules," NY Times (Aug. 21, 2014). Available at: http://dealbook.nytimes.com/2014/08/21/more-comments-invited-for-proposed-bitcoin-rules/?_php=true&_type=blogs&_r=0.
 A "New York Resident" means any person that resides in, is located, has a place of business, or is conducting business in New York. New York State Dep’t of Financial Services, Proposed New York Codes, Rules and Regulations, §200.2(g).
 Id., §200.16. Note that these five core functions are substantively identical to the five core functions of identify, protect, detect, respond and recover, which constitute the Framework Core of the Commerce Department’s National Institute of Standards and Technology ("NIST") Cybersecurity Framework 1.0 released on February 12, 2014. See http://www.nist.gov/itl/csd/launch-cybersecurity-framework-021214.cfm.
 Id., §200.8. The minimum amount of capital required to be maintained at all times depends upon factors such as the composition of the licensee’s assets and liabilities, volume of business, amount of leverage, liquidity and financial protection for customers.
 Letter from CEOs of BTC China, Huobi and OKCoin to Superintendent Benjamin M. Lawsky, New York State Dep’t of Financial Services (Aug. 20, 2014), available at http://www.online.wsj.com/…/chinacommentsonbitlicense.pdf.
 Casares, Wences, "[Xapo] will have no choice but to block New York customers from accessing services" and Why New York Should Care," Xapo Blog (Sept. 2, 2014), http://blog.xapo.com/.
Gibson, Dunn & Crutcher’s lawyers are available to assist in addressing any questions you may have regarding the above developments. Please contact the Gibson Dunn lawyer with whom you usually work, or any of the following members of the firm’s International Trade, Financial Institutions or Information Technology and Data Privacy practice groups:
Judith A. Lee – Washington, D.C. (+1 202-887-3591, firstname.lastname@example.org)
Arthur S. Long – New York (+1 212-351-2426, email@example.com)
Marcellus A. McRae – Los Angeles (+1 213-229-7675, firstname.lastname@example.org)
Alexander H. Southwell – New York (+1 212-351-3981, email@example.com)
Jeffrey L. Steiner - Washington, D.C. (+1 202-887-3632, firstname.lastname@example.org)
Stephenie Gosnell Handler – Washington, D.C. (+1 202-887-3517, email@example.com)
Please also feel free to contact any of the following practice group members:
Jose W. Fernandez – New York (+1 212-351-2376, firstname.lastname@example.org)
Daniel P. Chung – Washington, D.C. (+1 202-887-3729, email@example.com)
Andrea Farr – Washington, D.C. (+1 202-955-8680, firstname.lastname@example.org)
Eric Lorber – Washington, D.C. (+1 202-887-3758, email@example.com)
Lindsay M. Paulin – Washington, D.C. (+1 202-887-3701, firstname.lastname@example.org)
Michael Willes - Los Angeles (+1 213-229-7094, email@example.com)
David A. Wolber – New York (+1 212-351-2384, firstname.lastname@example.org)
Annie Yan – Washington, D.C. (+1 202-887-3547, email@example.com)
Peter Alexiadis – Brussels (+32 2 554 72 00, firstname.lastname@example.org)
Attila Borsos – Brussels (+32 2 554 72 10, email@example.com)
Patrick Doris – London (+44 (0)207 071 4276, firstname.lastname@example.org)
Penny Madden – London (+44 (0)20 7071 4226, email@example.com)
Mark Handley – London (+44 (0)207 071 4277, firstname.lastname@example.org)
© 2014 Gibson, Dunn & Crutcher LLP
Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.