The “virtual currency” or “BitLicense” regulations proposed by the New York Department of Financial Services (NYDFS) are well into their 45-day comment period. By now, many of the most well-known figures in the digital currency industry have commented both officially and unofficially on the proposed regulations. I have had the opportunity to read and digest the proposal itself as well as many comments that have been written about it so far. Many of them are on the mark and succinctly point out the need for further reflection and more thorough consideration on the part of New York regulators in fashioning a body of regulations that balance the need for consumer protection and anti-money laundering with the need to encourage, or at least, not stifle innovation in this nascent industry.
There has been significant commentary on Section 200.12(1) of the proposed regulations that require applicants for a “BitLicense” to capture and retain the “physical addresses of the parties to [each] transaction.” This provision has raised much ire in the digital currency (yes, “digital” as this is real and not “virtual”) ecosystem. Much has been written about how the requirement to capture and retain the physical addresses of each of the parties to a transaction is a major step in stripping away the remaining shreds of anonymity or pseudonymity of the protocol.
I also find the proposed provision highly objectionable, but for somewhat different reasons. In my comment to the NYDFS, I stated the following regarding Section 200.12(1) as proposed:
This provision clearly evidences New York’s effort to extend jurisdiction over far-flung geographic areas. As mentioned above, these geographic areas include countries where large numbers of the population are unbanked or underbanked. Indeed, according to a 2012 World Bank report, over 2.5 billion of the world’s poor are unbanked. In many of these countries, unlike in the United States and in other developed economies, often individuals lack a clearly identifiable physical address. Maintaining such a requirement is tantamount to blocking startups in these countries, and by extension the local population, from the opportunity to fully participate in the potential that the digital currency payment technology holds for the global remittance market. Indeed, access to affordable remittance services can prove life changing for many.
Specifically, the proposal completely seems to ignore the reality of the continuing technological developments centered on new payment products and services, particularly the use and promise of the interface between digital currencies and mobile devices in the emerging economies. Clearly, access to the global payments system should not hinge on one’s ability to provide a physical address. Mobile technology has developed to the point where fingerprint technology is now a reliable indicator of identity. Other biometrics such as iris scans and facial recognition technology are in development (as applied to mobile platforms) and might facilitate identity verification in the mobile markets. The proposed regulations fail to leave room for the introduction of such technologies; what’s worse, they apparently do not even contemplate them.
Aside from the alternatives to identity verification offered by technology, the proposal seems to ignore the fact that truly effective anti money laundering programs are “risk based.” Interestingly enough, though the proposal correctly calls for the development of robust AML/KYC programs, it hastily discards the necessity of requiring effective AML programs based on robust risk assessments. In other words, it requires risk-based (presumably) AML programs and then departs from a risk-based approach by requiring a physical address for all parties to a transaction, without regard to the risk presented.
Even disregarding for a moment the technological “substitutes” for a physical address, a risk-based approach could be drawn to be sensitive to the types of customer verification protocols customarily accepted in a given country. Absent that, why not consider simply recommending, as part of a risk based analysis, lower maximum transaction amount thresholds and limiting the number of daily transactions available to those who are unable to furnish a physical address, or consider a combination of both? All of these assessments are properly made within the context of a risk-based AML/CFT program. In short, there are a number of other ways to more reasonably address the risks presented absent a “one size fits all” mandate. Such is the antithesis of the risk based approach adopted by the Financial Action Task Force to which the United States is a member.
There is an overriding danger when regulators attempt to impose new, broad-based regulatory regimes over new industries with rapidly developing technologies. The danger is two-fold. First, there is the danger that lies in drafting regulations that are so narrowly tailored that they fail to anticipate realities outside their general regulatory fiefdoms, i.e. regulatory “comfort zones,” from both a geographic and a programmatic standpoint. The second danger lies in implementing regulations that fail to contemplate, and thus allow for, rapid technological development in their regulatory spheres. Thus, the specter of obsolescence before enactment is very real.
New York’s proposed “Virtual Currency” regulations fall into both traps. Let’s hope the regulators heed the warnings.
About the Author
David M. Long is the Principal of NCFPS-Digital Currency AML Consultants, a San Francisco-based, digital currency anti-money laundering and fraud prevention consultancy. NCFPS is in strategic alliances with London-based, DIACLE, Mexico City-based, ASSERTO RSC and with Toronto-based, CAMLO.ca. His consultancy leverages his background in enforcement, legal services, business, education and training. In addition to his consulting work with NCFPS, David serves on the faculty, as Assistant Professor of Criminal Justice and Legal Studies, at Chapman University-affiliated, Brandman University.