This is Part 1 of 2 of my Overview and Comment of the BitLicense proposal by the New York State Department of Financial Services. Please note, it is not word for word the proposal but it does go over the major rules and regulations proposed in sections 200.1 – 200.15. Some parts are exactly as they appear in the BitLicense. My comments, questions and concerns (bold) are also in the sections.
Section 200.1 Introduction
Regulations will be a necessity for the Virtual Currency industry. The businesses and customers involved in Virtual Currency Business Activities in the State of New York and all jurisdictions do in fact need to be protected. However, the proposed rules and regulations in Part 200 Virtual Currencies will undoubtedly stifle innovation, and the proposal completely ignores the underlying applications and functions of this new Blockchain technology. The truth is, if Bitcoin innovation is halted in the United States, specifically the State of New York, it will be developed in international markets and serve as self-evident.
The value in this technology is in its transparent and equal cryptographic nature. Application Programming Interfaces (APIs) with the Virtual Currency’s Blockchain will create an unlimited range of financial tools and protective measures to ensure compliance with domestic and international laws, rules, and regulations; anti-fraud, anti-money laundering, cyber security, and counter-terrorism finance activity; and lastly protect consumers from privacy and information security events, fiat insolvency and ultimately financial instability.
Semantics are the human window into the language of thought. The existing financial terms are in place as ideals and generally accepted principles that everyone is supposed to know and abide by. Software built on top of Blockchain technology does not allow default. The third party needed in so many of our trust-based models is replaced by code. The escrow is software built in the form of mathematically bound hedges, multi-signature cryptographic keys, and determined outputs based upon met or unmet input. The Blockchain is the real-time, perpetual, irreversible, and universal balance sheet with the most recent time-stamped state of Bitcoin (BTC) ownership from 1 unit of BTC to 0.00000001 BTC or one Satoshi. The universal medium of exchange and form of digitally stored value technology, the Bitcoin digital unit, is created through and limited by the computational hash rate and difficulty of the decentralized network.
Section 200.2 Definitions
Any transmission, receiving, buying, selling, securing, storing, holding, administering, issuing, maintaining custody of or control of on behalf of others, or converting into government-issued legal tender or other tangible or intangible asset, including other forms of Virtual Currency, by all Affiliates, Licensees, Persons, Principal Officers, Principal Stockholders, and Principal Beneficiaries that directly or indirectly own or control Virtual Currency in the State of New York constitutes activity and therefore must be licensed and approved by the superintendent under statutory authority: Financial Services Law, sections 102, 201, 301, and 302.
Section 200.3 License
All persons in the State of New York or any person engaging in Virtual Currency Business Activity with a New York Resident must have a license obtained from the superintendent. Persons operating under the New York Banking Law to conduct exchange services must be approved by the superintendent to engage in Virtual Currency Business Activity. Merchants and consumers that utilize Virtual Currency solely for the purchase or sale of goods or services do not need an approval from the superintendent.
This is repelling any sort of domestic enterprise from establishing itself in the State of New York and creating a regulatory environment that will create disincentive for any type of international partnership with a company based out of New York. Bitcoin is borderless and decentralized in its nature and it is no surprise these proposed regulations are coming from New York, the financial capital of the world. The businesses building this industry will be forced to move to other states and countries where this type of regulatory environment does not exist. It is likely that future non-financial applications of Blockchain technology will also be developed in jurisdictions outside of the State of New York.
Why should the businesses that are building the wallets, exchanges, and financial tools that will strengthen the security and transparency of this emerging industry have to be subject to this kind of regulatory environment?
What if these businesses go to other geographical locations and the State of New York is isolated from financial and non-financial applications of this revolutionary technology?
How could these regulations affect persons and current residents of the State of New York, and furthermore, if the proposal is used as a foundation for future legislation, the greater United States?
Section 200.4 Application
Any person that wants to conduct Virtual Currency Business Activity in the State of New York must apply for a license. This application must include:
- The name of the applicant, the form of organization, founding date, and jurisdiction where incorporated
- A list of all applicant’s affiliates and an organization chart illustrating the relationship among the applicant and such affiliates
- The applicant’s affiliates and all shareholder and beneficiaries, physical and mailing addresses, and documentation regarding personal history, experience, and qualifications
- A background report of each of the applicant’s affiliates and shareholders
- A set of fingerprints and the date of when the fingerprints were taken for submission to the State Division of Criminal Justice Services and the Federal Bureau of Investigation
- Two portrait-style photographs of the applicant’s affiliates
- An organization chart of the applicant’s management structure indicating lines of authority and the allocation of duties of each affiliate
- A current financial statement for the applicant and each shareholder and beneficiary
- A description of the proposed, current, and historical business of the applicant including detail on the products and services provided past and future, all associated website addresses and jurisdictions in which the applicant is engaged in business, the principal place of business, primary market of operation, projected customer base, target markets, and the physical address of any operation in New York
- Any and all banking arrangements
- An affidavit describing any existing, pending or threatened action, litigation, or proceeding against the applicant or any of its affiliates including the names of the parties, the nature of the proceeding and the status of the proceeding
- Any insurance policies for the benefit of the applicant
- An explanation of the methodologies used to calculate the value of Virtual Currency in Fiat Currency
And any other information the superintendent may require in writing. However, the superintendent may permit that the application for a license or any other submission required in the application may be made or executed by electronic means.
Section 200.5 Application fees
Each applicant must submit an initial application fee, in an amount prescribed by the superintendent to cover the cost of processing and reviewing the application. If the application is denied the fee shall not be refunded.
How much is this fee?
Can the fee be paid in Virtual Currency?
Section 200.6 Action by superintendent
Upon the filing of an application for licensing under this Part, payment of the required fee, and demonstration by the applicant of its ability to comply with provisions, the superintendent will investigate the financial condition and responsibility, financial and business experience, and character and general fitness of the applicant.
The applicant’s business must be conducted:
If deemed so, the superintendent will advise the applicant in writing of his approval of the application and shall issue the applicant a license to conduct Virtual Currency Business Activity. The superintendent shall approve or deny every application within 90 days from the filing. The superintendent may suspend or revoke a license issued under this Part on any ground, including violation of any provision, for good cause, or for failure of the Licensee to pay a judgment recovered in any court. Good cause includes, but is not limited to, a Licensee that has defaulted or is likely to default in performing its obligations or financial engagements, or that engages in unlawful, dishonest, wrongful, or inequitable conduct or practices that may cause harm to the public. The license will not be suspended or revoked without a hearing stating the ground upon which it is based. A preliminary injunction or a warning may be issued to restrain a Licensee from continuing to perform acts that violate any provision of this Part, the Financial Services Law, Banking Law, or Insurance Law. The superintendent preserves all power under any other provisions of the Banking Law, Insurance Law, or Financial Services Law, including power to investigate violations of law, rule, or regulation or to impose penalties or take any other action against any Person for violation of such laws, rules, or regulations.
Section 200.7 Compliance
Each Licensee is required to comply with all applicable federal and state laws, rules, and regulations.
Each Licensee shall designate a Compliance officer to ensure:
- Federal and State Laws, Rules, and Regulations
- Anti-fraud measures
- Anti-money laundering
- Cyber Security
- Privacy and Information Security
Section 200.8 Capital requirements
Each Licensee shall maintain at all times such capital the superintendent determines is sufficient to ensure the financial integrity of the Licensee and its ongoing operations.
The minimum amount of capital that must be maintained by a Licensee will be determined by but not limited to:
- The composition of the Licensee’s total assets, including the position, size, liquidity, risk exposure, and price volatility of each type of asset
- The Licensee’s liabilities, including size and repayment timing of each type of liability
- The actual and expected volume of the Licensee’s Virtual Currency Business Activity
- Existing companies good standing
- The amount of leverage employed by the Licensee
- The liquidity position of the Licensee; and
- The financial protection that the Licensee provides for its customers through its trust account or bond.
Each Licensee is not permitted to invest its retained earnings and profits into Virtual Currencies.
Section 200.9 Custody and protection of customer assets
Each Licensee shall maintain a bond or trust account in United States dollars for the benefit and protection of its customers in an amount acceptable to the superintendent.
For secured holdings or control of Virtual Currency on behalf of its customers, the Licensee shall hold Virtual Currency of the same type and amount as that which is owed and obligated to such other Person. The Licensee is prohibited from selling, transferring, assigning, lending, hypothecating, pledging, or otherwise using or encumbering assets on behalf of another Person.
Section 200.10 Material change to business
Each Licensee must obtain the superintendent’s prior written approval of any plan or proposal before introducing or offering a new product, service, or activity.
- A change to an existing product, service, or activity that may cause such product, service, or activity to be materially different from that previously stated on the Licensee’s application.
- Legal or regulatory issue about the permissibility of the product, service, or activity
- The proposed change may raise safety and soundness or operational concerns
The Licensee shall submit a written plan describing the proposed material change, including a detailed description of the business operations, compliance policies, and the impact on the overall business of the Licensee, as well as such other information as requested by the superintendent.
Section 200.11 Change of control; mergers and acquisitions
No change of control of the Licensee shall be taken without prior written approval of the superintendent. The Person seeking to acquire control of a Licensee shall submit a written application to the superintendent in a form and substance acceptable to the superintendent.
Control: The possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of a Licensee whether through the ownership of stock of such Licensee or the stock of any Person that possesses such power.
The superintendent shall approve or deny every application for change of control of a Licensee within 120 days from the filing of an application. This period may be extended by the superintendent. The superintendent will take into consideration the public interest and the needs and convenience of the public.
No Mergers and Acquisitions of the assets of a Licensee shall be taken without prior written approval of the superintendent. An application containing a written plan of merger or acquisition shall be submitted to the superintendent by the entities that are to merge or by the acquiring entity.
The application shall specify each entity to be merged, the entity that is to receive into itself the merging entity or the entity acquiring all or substantially all of the assets of the Licensee, and the terms, conditions and mode of carrying it into effect. The superintendent shall approve or deny every proposed merger or proposed acquisition of all or a substantial part of the assets of a Licensee within 120 days after the submission of the proposed plan. This period may be extended by the superintendent. The superintendent will take into consideration the public interest and the needs and convenience of the public.
Section 200.12 Books and records
This section is probably the most important in terms of the intrinsic power of the technology.
Each Licensee shall in connection with its Virtual Currency Business Activity:
- Make, keep and preserve all of its books and records in their original form or native file format for a period of at least ten years from the date of their creation in a condition that will allow the superintendent to determine whether the Licensee is complying with all applicable laws, rules, and regulations.
- For each transaction:
- The amount
- Precise time of the transaction
- Any payment instructions
- The total amount of fees and charges received and paid to, by, or on behalf of the Licensee
- The names
- Account numbers
- Physical address of the parties to the transaction
General Ledger containing all:
- Expense accounts
- Profit and loss accounts
- Bank statements and bank reconciliation records
- Statements or valuations sent or provided to customers and counterparties;
- Records or minutes of meetings of the board of directors or an equivalent governing body.
- Records demonstrating compliance with applicable state and federal anti-money laundering laws, rules, and regulations, including:
- Customer identification and verification documents
- Records linking customers to their respective accounts and balances
- A record of all compliance breaches
Communications and documentation related to investigations of customer complaints and transaction error resolution or concerning facts giving rise to possible violations of laws, rules, or regulations. All other records required to be maintained and any other record the superintendent may require. Each Licensee shall provide the Department of Financial Services of the State of New York, upon request, immediate access to all facilities, books, records, documents, or other information maintained by the Licensee or its Affiliates. Records of non-completed, outstanding, or inactive Virtual Currency accounts or transactions shall be maintained for five years after the time when any such Virtual Currency has been deemed, under the Abandoned Property Law, to be abandoned property. All of this information will be available by GET in the form of APIs with the Blockchain and developer tools through Chain and CRM platforms.
Section 200.13 Examinations
Each Licensee shall permit and assist the superintendent to examine the Licensee to determine:
- The financial condition of the Licensee
- The safety and soundness of the conduct of its business
- The policies of its management
- Whether the requirements of laws, rules, and regulations have been complied with in the administration of its affairs
- Including but not limited to any activities of the Licensee outside the State of New York
Each Licensee shall permit and assist the superintendent at any time to examine all:
- Other information
Each Licensee shall permit and assist:
The superintendent to make such special investigations as the superintendent shall deem necessary to determine whether a Licensee has violated any provision of applicable laws, rules, and regulations.
Each Licensee shall permit and assist:
The superintendent to examine an Affiliate of the Licensee.
Section 200.14 Reports and financial disclosures
Each Licensee shall submit to the superintendent quarterly financial statements within 45 days following the close of the Licensee’s fiscal quarter containing:
- A statement of the financial condition of the Licensee including
- A complete balance sheet
- Income statement
- Profit and loss statement
- Statement of retained earnings
- Statement of net liquid assets
- Statement of net worth
- Statement of cash flows
- Statement of change in ownership equity
- A statement demonstrating compliance with any financial requirements in the BitLicense
- Financial Projections and Strategic Business Plans
- A list of all off-balance sheet items
- A chart of accounts, including a description of each account
- A report of permissible investments by the Licensee as permitted by the BitLicense
Each Licensee shall submit audited annual financial statements prepared with generally accepted accounting principles (GAAP), together with an opinion of an independent certified public accountant (CPA) and an evaluation by the CPA of the accounting procedures and internal controls of the Licensee within 120 days of its fiscal year end. Including:
- A statement of management’s responsibility for preparing the Licensee’s annual financial
Section 200.15 Anti-money laundering program
Each Licensee shall conduct an initial risk assessment that will consider legal, compliance, financial and reputational risks associated with the Licensee’s activities, services, customers, counterparties, and geographical location and shall establish, maintain and enforce an anti-money laundering program.
The anti-money laundering program shall, at a minimum:
- A system of internal controls, policies, and procedures designed to ensure ongoing compliance with all applicable anti-money laundering laws, rules, and regulations
- Provide for independent testing for compliance with and the effectiveness of the anti-money laundering program by the compliance officer or an outside party, annually
- The findings shall be summarized in a written report to the superintendent
- Designate a qualified individual for coordinating and monitoring day-to-day compliance with the anti-money laundering program
- Provide ongoing training for appropriate personnel to have a fulsome understanding of the anti-money laundering requirements and enable them to identify transactions required to be reported and maintain records to be kept in accordance
- A written anti-money laundering policy reviewed and approved by the board of directors
Records of Virtual Currency Transactions
Each Licensee shall maintain records and make reports for all transactions involving the payment, receipt, exchange or conversion, purchase, sale, transfer, or transmission of Virtual Currency:
- The identity and physical addresses of the parties involved
- The amount or value of the transaction, including what denomination purchased, sold, or transferred
- The method of payment
- The date on which the transaction was initiated and completed
- A description of the transaction
Reports on Transactions
When a Licensee is involved in a transaction or series of transactions for the receipt, exchange, conversion, purchase, sale, transfer, or transmission of Virtual Currency in an aggregate amount exceeding the United States dollar value of $10,000 in one day, by one Person, the Licensee shall notify the Department within 24 hours.
Reporting of Suspicious Activity
Each Licensee shall monitor for transactions that might signal:
- Money Laundering
- Tax Evasion
- Other Illegal or Criminal Activity
And notify the Department of Financial Services immediately upon detection of the transaction.
Each Licensee shall file Suspicious Activity Reports (“SARs”) in accordance with applicable federal laws, rules, and regulations. Each Licensee that is not required to file SARs under federal law shall file reports of transactions that indicate a possible violation of law or regulation within 30 days from the detection of the facts that constitute the filing with the superintendent.
No Licensee shall structure transactions or assist in the structuring of transactions.
No Licensee shall engage in or knowingly allow the transfer or transmission of Virtual Currency when such action will obfuscate the identity of an individual customer or counterparty.
Customer Identification Program
Each licensee must at a minimum verify the identification of account holders and maintain records of the information used to verify such identity including:
- Physical address
- Other identifying information
- Check customers against Specially Designated Nationals (SDNs) as maintained by the Office of Foreign Assets Control (OFAC), a part of the U.S. Treasury Department
Enhanced due diligence may be required for high risk customers, high-volume accounts, or accounts on which suspicious activity has been filed.
Licensee must establish enhanced due diligence policies, procedures, and controls to detect money laundering for accounts involving foreign entities based on:
- The nature of the foreign business, the type and purpose of the activity, and the anti-money laundering and supervisory regime of the foreign jurisdiction
Each Licensee shall have appropriate policies to block or reject specific or impermissible transactions that violate federal or state laws, rules, or regulations.
Licensees are prohibited from maintaining relationships of any type in connection with their Virtual Currency Business Activity with entities that do not have a physical presence in any country.
Each Licensee must require verification of accountholders initiating transactions having a value greater than $3,000.
Each Licensee shall demonstrate that it has risk-based policies, procedures, and practices to ensure, to the maximum extent practicable, compliance with applicable regulations issued by OFAC.
The committee responsible for day-to-day operations of the anti-money laundering program shall:
- Monitor changes in anti-money laundering laws
- Maintain all records required
- Review all filings required
- Escalate matters to the board of directors and senior management
- Provide periodic reporting, at least annually, to the board of directors
- Ensure compliance with the relevant training requirements
BitLicense Comment and Review Part 2 Section 200.16-200.21
Section 200.16 Cyber security program
Each Licensee shall establish and maintain an effective cyber security program to ensure:
- The availability and functionality of those systems
- The protection of those systems and any sensitive data stored on those systems from unauthorized access, use, or tampering
The cyber security program shall be designed to perform the five core cyber security functions:
- Identify internal and external cyber risks by, at a minimum, identifying the information stored on the Licensee’s systems and the sensitivity of the information and ultimately how it may be accessed and by whom
- Protect the Licensee’s electronic systems and the information stored on those systems from unauthorized access, use, or other malicious acts through the use of defensive infrastructure
- Detect system intrusions, data breaches, unauthorized access to systems or information, malware, and other Cyber Security Events
- Respond to detected Cyber Security Events to mitigate any negative effects
- Recover from Cyber Security Events and restore normal operations and services
Home Depot | Target
Information that leads to identity, such as name, physical address, and card numbers, all compromised.
Each Licensee shall implement a written cyber security policy setting forth the Licensee’s policies and procedures for the protection of its electronic systems and customer and counterparty data stored on those systems.
This policy shall be renewed annually and address:
- Data governance and classification
- Business continuity and disaster recovery planning and resources
- Capacity and performance planning
- Systems operations and availability concerns
- Systems and networking security
- Systems and application development and quality assurance
- Physical security and environmental controls
- Customer data privacy
- Vendor and third party service provider management
- Monitoring and implementing changes to core protocols not directly controlled by the Licensee
Chief Information Security Officer
Each Licensee shall designate a qualified employee to serve as the Licensee’s Chief Information Security Officer (CISO) responsible for overseeing and implementing the cyber security program and enforcing its cyber security policy.
Each Licensee shall submit a report prepared by the CISO and presented to the Licensee’s board of directors or equivalent governing body, at least annually, assessing the availability, functionality and integrity of the Licensee’s electronic systems, identifying relevant cyber risks, assessing the cyber security program, and proposing steps for the redress of any inadequacies identified.
Audit: Each Licensee’s cyber security program shall audit:
- Penetration testing of electronic systems annually and vulnerability assessment quarterly
- Track and maintain data that allows for the complete and accurate reconstruction of all financial transactions and accounting. (From the Blockchain)
- Protect the integrity of data stored and maintained as part of the audit
- Protect the integrity of hardware from alteration or tampering, including by limiting access to hardware, enclosing in cages, and maintaining logs of physical access to hardware
- Log system events, access, and alterations made to the audit systems
- Maintain records produced as part of the audit trail for a period of ten years
Each Licensee shall have an independent qualified third party conduct a source code review of any internally developed proprietary software used in business operations, annually.
Personnel and Intelligence:
- Employ cyber security personnel adequate to manage the Licensee’s cyber security risks and to perform the core cyber security functions specified
- Provide and require cyber security personnel to attend regular cyber security update and training sessions
- Require key cyber security personnel to take steps to stay abreast of changing cyber security threats and countermeasures
Section 200.17 Business continuity and disaster recovery
Each Licensee shall establish and maintain a written business continuity and disaster recovery (BCDR) plan designed to ensure the availability and functionality of the Licensee’s services in the event of an emergency or other disruption to the Licensee’s normal business activities:
- Identify documents, data, facilities, infrastructure, personnel, and competencies essential to the continued operations of the Licensee’s business
- Identify the supervisor for implementing each aspect of the BCDR plan
- Include a plan to communicate with essential Persons in the event of an emergency or other disruption to the operations of the Licensee or any other person essential to the recovery of documentation and data for the resumption of operations. (Cassandra)?
- Include procedures for the maintenance of back-up facilities, systems, and infrastructure as well as staffing and other resources to enable the timely recovery of data and documentation and to resume operations as soon as reasonably possible following a disruption to normal business activities
- Include procedures for the back-up or copying of documents and data essential to the operations of the Licensee and storing of the information off site
- Identify third parties that are necessary to the continued operations of the Licensee’s business
Each Licensee shall distribute a copy of the BCDR plan and any revisions.
Each Licensee shall provide relevant training to all employees responsible for implementing the BCDR plan.
Each Licensee shall promptly notify the superintendent of any emergency or other disruption to its operation that may affect its ability to fulfill regulatory obligations or that may have a significant adverse effect on the Licensee.
The BCDR plan shall be tested at least annually by qualified, independent internal personnel or a third party.
Section 200.18 Advertising and marketing
Each Licensee engaged in Virtual Currency Business Activity shall not advertise its products, services, or activities in New York or to New York Residents without including the name of the Licensee and the legend that such Licensee is “Licensed to engage in Virtual Currency Business Activity by the New York State Department of Financial Services.”
Each Licensee shall maintain, for examination by the NYDFS, all advertising and marketing materials including print, internet media, radio, television advertising presentations, and brochures. Each Licensee shall maintain hard copy captures and scripts of all materials.
Each Licensee shall comply with all disclosure requirements under federal and state laws, rules, and regulations.
In all advertising and marketing materials, each Licensee and any person acting on its behalf shall not make any misleading or deceptive representations.
Section 200.19 Consumer protection
Disclosure of material risks to customers in clear writing, in any predominant language spoken, covering the risks associated with its products, services, and activities, generally including at a minimum:
- Virtual Currency is not legal tender nor backed by a government or FDIC protection
- Legislative and regulatory changes or actions at the state, federal or international level may adversely affect the transfer, exchange, and value of Virtual Currency
- Transactions in Virtual Currency are generally irreversible and accordingly losses may not be recoverable
- Some transactions shall be deemed to be made when recorded on a “block chain” ledger, which is not necessarily the date or time that the customer initiates the transaction
- The value of Bitcoin is derived from continued willingness for market participants to exchange Fiat Currency for Virtual Currency, which may result in the potential for permanent and total loss of value of a particular Currency should the market disappear
- There is no assurance that a person who accepts Virtual Currency today will continue to do so in the future
- The volatility and unpredictability of the price of Virtual Currency relative to Fiat Currency may result in loss or tax liability over a short period of time
- The nature of Virtual Currency may lead to an increased risk of fraud or cyber attack
- Technical difficulties experienced by a Licensee may prevent the access or use of a customer’s Virtual Currency
- Any bond or trust account for the benefit of customers may not be sufficient to cover any and all losses
Terms and Conditions
- Customer liability for unauthorized transactions
The proposed regulations ultimately ignore the potential of the underlying Blockchain technology of Bitcoin. There is no mention of any Bitcoin 2.0 application use cases. In addition, the proposal suggests that all companies in this space are money transmitters when the use cases for decentralized Blockchain technology go far beyond this:
Proof of Existence – Blockchain embedded time-stamped documents
BlockSign – DocuSign using the Blockchain
Storj – Decentralized Cloud
This comment period on this proposal has been extended until October 21, 2014.