In the past few years, virtual currencies, particularly Bitcoin, have jumped from an online experiment to a multi-billion dollar global phenomenon. Now, governments are starting to recognize these currencies, hoping to both legitimize and secure them with proposed regulations. On July 17, the New York State Department of Financial Services (NYSDFS) released a proposed regulatory framework for virtual currency that would require businesses that hold, transmit or convert virtual currencies to everyday currencies to apply for “BitLicenses.” This is one of the first proposed regulations on virtual currencies in the United States since the IRS proclaimed Bitcoin to be property subject to capital gains tax last March. While NYSDFS is still only seeking comments on these rules and nothing is final, I will attempt to break down the proposal as is and provide some initial thoughts on the implications for virtual currencies.

What is the purpose of the regulations?

NYSDFS announced these regulations as a result of public hearings it conducted in January 2014. NYSDFS hopes to use these rules to protect consumers, prevent money laundering, and improve cyber security for businesses that use virtual currencies. These regulations represent the most extensive virtual currency regulations proposed by a state to date. They are intended to apply to companies providing virtual currency financial services, but do not apply to merchants or consumers that use virtual currency solely for the purchase or sale of goods or services.

What are the proposed rules?

Under the proposed rules, if a business wants to offer financial services using virtual currencies, such as converting between U.S. dollars and Bitcoins, it must apply for a BitLicense. In its current form, the BitLicense framework includes:

(1) Defines virtual currency and business activities involved with virtual currencies.

(2) Establishes rules to cut down on the use of virtual currencies for money laundering and fraud.

(3) Imposes a cybersecurity program on virtual currency businesses (explained in more detail below).

(4) Places disclosure, recording, and capital requirements on these businesses.

(5) Details consumer protections and creates a system to resolve complaints for consumers using virtual currencies.

Besides the list stated above, the BitLicense framework would also set a transitional period for the rules to take effect, outline disaster recovery mechanisms, and define rules for mergers and licensee advertising. These latter proposals will not be discussed in detail here.

Defining Virtual Currency and Virtual Currency Business Activities

The proposed rules define a few important terms for purposes of regulation. One is “Virtual Currency”, defined as any type of digital unit used as a medium of exchange or stored value that is integrated into any type of payment system. This includes currencies that have a central authority (e.g., Mazacoin which is controlled by the Oglala Sioux tribe), are decentralized in nature (e.g., Bitcoin), and/or are created or obtained by computing or manufacturing effort (e.g., mining bitcoins). This definition specifically excludes any online currency that only exists as part of an online gaming platform or digital units that are exclusively used in customer affinity or rewards programs (e.g., airline miles). It also excludes anything that cannot be converted into or redeemed for fiat currency (e.g., US Dollars).

These rules also define “Virtual Currency Business Activity” as any activity that transmits or stores virtual currency on behalf of others. These actions are usually facilitated by “online wallets”—businesses that act as online lockers for storing and trading purposes. This definition also covers businesses that primarily deal in virtual currency as a business model and those that convert virtual currency to fiat currency, such as Bitcoin exchanges. Finally, these activities also cover entities that issue or administer virtual currencies, like an online central bank. Because all “virtual currency business activities” must be licensed, these proposed rules have the potential to affect a wide swath of businesses, not just those physically located in New York. By mid-2014, capital in Bitcoin-related start-ups had increased to more than $240 million—an increase of about 1,200 percent from the previous year. If any of those businesses want to have a physical presence in New York or want to deal with New Yorkers online, they must get licensed.

Rooting out Money Laundering and Fraud

Virtual currencies have the potential to enable criminals to launder funds faster, cheaper, and more secretively than ever before. Not only can some virtual currency transactions operate with minimal fees, but currencies like Bitcoin offer anonymity in the form of darknets and mixers, which can mask transactions and allow for untraceable business dealings where illegitimate funds later re-emerge in “legitimate” transactions in new markets. NYSDFS’s proposed rules attempt to tackle this problem, creating a framework for companies with BitLicenses to identify and report allegations of money laundering to NYSDFS. Not only must licensees maintain identifying information for all parties involved in virtual currency transactions and report any suspicious activity, but they must also verify account holders who initiate transactions with a value greater than $3,000 (or roughly 6 bitcoins at current value) and inform NYSDFS of any transactions with a value over $10,000. These rules also place a number of other requirements on licensees, such as increased scrutiny on business dealings involving foreign entities and barring licensees from doing business with foreign shell companies (entities without a physical presence in any country).

Additionally, after one of the biggest Bitcoin exchanges, Mt. Gox, declared bankruptcy in February 2014 citing unsubstantiated hacking problems, many have called for increased fraud protections for virtual currencies. The NYSDFS proposal creates a system for companies to develop anti-fraud procedures. Basically, licensees are prevented from engaging in fraudulent activity, and customers of licensees that are victims of fraud are entitled to claim compensation from the licensee. Licensees must also take steps to identify and assess fraud-related risk areas, develop procedures to monitor and protect against these risks, and periodically evaluate these procedures to keep them up-to-date.

Bringing Cybersecurity to Virtual Currency

The proposed BitLicenses would require each licensee to establish and maintain an effective cybersecurity program to protect each of its systems from unauthorized access, use and tampering. Proposed security requirements include identifying external and internal cybersecurity risks, protecting the systems through defensive infrastructure, using detection mechanisms for breaches, and employing response tactics and recovery mechanisms to restore operations and services in the event of a cybersecurity event. These requirements are designed to prevent attacks like those experienced by the online exchange Bitcoinica, which was hacked twice in 2012, losing thousands of bitcoins that it was unable to refund to its users. As virtual currency has become more ubiquitous, NYSDFS’s cybersecurity requirements hope to protect consumers from hacking, denial of service attacks, and tampering.

Disclosure, Record, and Capital Requirements for Businesses

As a condition of getting a BitLicense, companies are subject to additional recording, capital, and disclosure requirements. Each licensee must keep a detailed record for each transaction over a period of at least ten years, accounting for amount, date, time, fees, and other information. Each licensee must document all transactions, including information on all parties involved, such as their name and physical address. These records must include a complete balance sheet, and must be submitted to NYSDFS every year. This also grants full access to licensees and their affiliates at any time for any reason, wherever they are located. Additionally, the licensee must notify NYSDFS anytime there is a material change to its business (anytime it proposes a change to an existing project or service, the licensee must write up and receive prior approval from NYSDFS). Finally, NYSDFS’s proposed rules state each licensee must keep sufficient virtual currency capital on-hand to reduce the risks associated with the volatility of virtual currencies. The minimum amount of capital on-hand each licensee needs is calculated by NYSDFS from a number of factors, including the licensee’s total assets, its volume of business activity, and money market funds among others.

Additional Consumer Protections and Complaint Resolution

Licensees will also be required to disclose consumer risks inherent with virtual currencies and provide transaction receipts. For example, consumers using a company with a BitLicense will see a notification with the risks associated with virtual currencies not being legal tender backed by a government as well as their volatility. This notification will also warn consumers that transactions of virtual currency are irreversible. Additionally, the notification will caution that virtual currency has been subject to intense speculation and volatility making its price unstable (In 2013, Bitcoin’s price moved from a low of $100 to $1,240 at its peak, with an average around $400). Each licensee must also establish and maintain procedures to “fairly and timely resolve complaints” associated with these traits and problems that can arise in the process.

The Takeaway

NYSDFS Superintendent Benjamin Lawsky, who is in charge of the process, called the proposed regulations “an appropriate balance that helps protect consumers and root out illegal activity – without stifling beneficial innovation.” NYSDFS has a chance to achieve transparency, clarity, and consumer protections for all virtual currencies used throughout New York, while creating a substantive legal basis for the industry. However, it must strike the right balance, and as the first state to formalize an online currency regulatory framework, the pressure is on for NYSDFS to get this right.

At the request of organizations like the Bitcoin Foundation, the original deadline for comments was extended past its initial 45 days to 90 days. So far, many Bitcoin-centric organizations from around the globe have begun weighing in on the proposed regulations, from the newly-created Chamber of Digital Commerce to the Chinese “Big Three” exchanges. The international scope of these filers is a sign of the far-reaching implications of this proposed licensing framework.

Photo Credit: Flickr User btkeychain