In Part 1 of this series, I discussed the purpose of the BitLicense regulation and the scope of the requirement to obtain a BitLicense. In this article, I will outline the major obligations a BitLicense imposes on the Licensee. In the third and final article of this series, I will discuss the requirement to report any material change to a licensed business’ services, the application cost and process, and provide concluding remarks on this regulatory framework.
According to Section 200.7, each Licensee’s board of directors must approve written compliance policies, designed and enforced by a responsible compliance officer, with respect to anti-fraud, anti-money laundering, cyber security, privacy, and information security. The following sections will briefly discuss each specific requirement.
Capital Requirements and Protection of Assets
In an effort to ensure financial integrity of all Licensees, Section 200.8 requires each to maintain capital in “an amount and form as the superintendent determines is sufficient.” This amount is to be determined by factors such as the composition of the Licensee’s assets and liabilities, the actual and expected volume of business, the types of services and entities serviced by the Licensee, and whether the Licensee is already regulated under other laws.
Capital requirements are far from novel for a financial services business. However, the amount of discretion placed in the superintendent exposes many entrepreneurship efforts and investment decisions to a considerable unknown.
On the positive side, the regulation explicitly allows for these amounts to be held in virtual currencies, though it requires superintendent approval for each specific Licensee. The potential to avoid costly and time-consuming conversion to meet minimum capital requirements is a clear advantage for businesses dealing primarily in virtual currencies.
In addition, Section 200.9 requires assets held on behalf of customers to be immobile. Any virtual currency held on behalf of another must be maintained in the same type and amount as the deposit, and the Licensee is prohibited from selling, lending, or otherwise encumbering any custodial assets of its own accord.
Section 200.12 requires the Licensee to keep a lengthy list of records, such as customer identification and account connections, statements made to customers and counterparties, general accounting ledgers, and detailed information on each transaction. The transaction information sought includes the amount, date, time, instructions, and fees. It also includes the names and addresses of the Licensee’s customer and, to the extent practicable, any other parties to the transaction.
The softening of the requirement to obtain identifying information from all parties to the transaction is extremely important. This allows licensed virtual currency businesses to continue to allow customers to transact with accounts outside of their service, some they might not be able to identify. The open nature of virtual currency technology provides much of its value and is thankfully preserved.
Anti-Money Laundering and Reporting Requirements
One of the most important purposes of the BitLicense is the requirement to conduct anti-money laundering (AML) efforts, laid out in Section 200.15. First, the Licensee must conduct an initial risk assessment that will “consider legal, compliance, financial, and reputational risks associated with the Licensee’s activities, services, customers, counterparties, and geographic location.” The Licensee must then establish, maintain, and enforce an AML program based on the initial risk assessment. There are few specifics on what the Licensee’s AML program must entail.
While potentially frustrating for businesses, AML requirements are typically as vague as they are in the BitLicense regulation. Prescriptive regulations offer greater cost certainty and less regulatory risk, but AML efforts are necessarily risk-based and flexible. Providing a checklist that potential criminals also have access to will allow them to immediately adapt their scheme to evade detection.
One detail provided is the requirement to report suspicious activity to the superintendent. Any customer who exceeds $10,000 in aggregate transactions over a 24-hour period must be reported, as well as any other transaction that may signify money laundering, tax evasion, or other illegal activity.
This requirement is notably duplicative of any money service business’s obligation to report suspicious activity to FinCEN, a federal agency. No other state regulator requires reporting of this kind, which may set a dangerously onerous precedent for future state regulation of virtual currencies.
Cyber Security and Consumer Protection
Finally, the BitLicense regulation requires each Licensee to establish and maintain an effective cyber security program and disclose certain information and risks associated with virtual currencies to customers.
The requirements for the Licensee’s cyber security program are thorough and potentially costly but understandable considering the significant amount of consumer fraud and theft in the industry during its early, unregulated days. Beginning with the requirement to name a Chief Information Security Officer and hire additional cyber security personnel, Section 200.16 obligates the Licensee to generate a written cyber security policy addressing areas such as network and physical security, access controls, business continuity, capacity and performance planning, and incident response. The Licensee must actively audit its policies, including annual penetration testing and quarterly vulnerability assessments.
As an additional consumer protection measure, Licensees are also required by Section 200.19 to disclose material risks, general terms and conditions, terms of transactions, and receipts to customers. The regulation boldly includes a list of material risks as a minimum disclosure standard, such as virtual currency’s lack of governmental backing, shifting regulatory risk, the irreversible nature of virtual currency transactions, and the general instability and volatility of the trading market.
Taking part in the global financial system is no small undertaking, and these cyber security and consumer protection requirements reflect the enormity of the Licensee’s responsibilities to its customers and the general economy.
Disclaimer: This article is provided for informational and educational purposes only and is not intended to constitute legal advice. Readers should not act or rely on any information contained in this article without first seeking the advice of an attorney.