Guidance Regarding Adoption or Listing of Virtual Currencies
In June 2015, DFS issued its virtual currency regulation, 23 NYCRR Part 200, under the New York Financial Services Law. Since 2015, under that “BitLicense” regulation or the limited purpose trust company provisions of the New York Banking Law, DFS has granted 25 virtual currency licenses and charters to ensure that New Yorkers have a well-regulated way to access the virtual currency marketplace and that New York remains at the center of technological innovation and forward-looking regulation.
To provide regulatory clarity and efficiency, and to ensure that our approach to regulating virtual currency businesses reflects the realities of an evolving market, we continue to review our regulations and their implementation. In the five years since DFS began authorizing BitLicensees and virtual currency trust companies (collectively, “VC Entities”), some of these businesses have asked to list new virtual currencies (“coins”) in addition to those included in their initial DFS applications. Over that time, there has been exponential growth in the number of coins.
Proposed Guidance of December 11, 2019
To enhance efficiency and enable VC Entities to offer and use new coins in a timely and prudent manner, on December 11, 2019, DFS issued proposed guidance on this subject seeking comments from all interested parties and the general public regarding the following two proposed coin adoption or listing options that DFS wished to make available to the VC Entities:
- A proposed DFS webpage, to be updated from time to time, that would contain a list of all coins permitted for VC Entities’ Virtual Currency Business Activity, without DFS’s prior approval, as long as such listed coins had not been subject to any material modification, division, or change after their listing on the DFS webpage (the “Greenlist”); and
- A proposed model framework for the creation by a VC Entity of a coin-listing or adoption policy tailored to the VC Entity’s specific business model and risk profile (a “coin-listing policy”) that, if approved by DFS, would enable the VC Entity to self-certify the listing or adoption of new coins in addition to those on the Greenlist, without any further approval from DFS.
Under the Proposed Guidance, once DFS approved a VC Entity’s coin-listing policy, the VC Entity would be able to self-certify to DFS that its proposed adoption or listing of new coins complied with its DFS-approved coin-listing policy’s requirements. The VC Entity would then provide written notice to DFS of its intent to offer and use any such new coins, including details of the usage and offering of such coins, prior to using or offering the coins. To be clear, in such cases, only prior notice to DFS with respect to the particular coin would be required, and not a prior DFS approval of the particular coin.
VC Entities without DFS-approved coin-listing policies would be required to seek DFS’s prior approval to list or adopt any coins for which they had not previously received DFS approval, other than Greenlisted coins.
All VC Entities would be required to keep DFS informed, no later than at the time of their next quarterly filing, of all coins used or offered in connection with their Virtual Currency Business Activity.
Both in specific response to the above-noted request for comments and otherwise, DFS has received feedback from various stakeholders, including the regulatory community, VC Entities and other virtual currency firms, attorneys, and foundations. That feedback was mostly positive and reflected support for the use both of coin-listing policies and Greenlisting. (Read the feedback at Coin-Listing Guidance Comments.)
As to coin-listing policies, comments were broadly in favor of the overall approach, and some changes were suggested with respect to the specific wording or implementation. As to the Greenlist process, feedback was offered regarding, for example, the specific manner or manners in which coins might be chosen and the amount of time that might be needed to evaluate and Greenlist coins.
Having reviewed and considered all such comments from stakeholders, DFS has revised the Proposed Guidance, as below, to: (A) provide a general framework for a VC Entity’s creation of a firm-specific policy for the adoption or listing of a new coin, without DFS’s prior approval, through the process of self-certification; and (B) a general framework for the process of Greenlisting coins for wider usage.
This guidance, which contains these revisions, is intended to outline two separate frameworks designed to enhance speed and efficiency in a VC Entity’s adoption or listing of coins, with the goal of fostering innovation in a manner that is consistent with the safety and soundness of the VC Entities and with the protection of consumers.
DFS will continue to engage with stakeholders and to evaluate this guidance in the context of the evolving virtual currency marketplace.
(A) General Framework for the Creation of a VC Entity’s Coin-Listing Policy
A VC Entity that wishes to self-certify the use of new coins, in addition to those on the Greenlist referenced below, without the prior approval of DFS, must create a coin-listing policy in accordance with the following general framework.
A VC Entity’s coin-listing policy must include robust procedures that comprehensively address all steps involved in the review and approval of coins. The policy must be tailored to the VC Entity’s specific business model, operations, customers and counterparties, geographies of operations, and service providers; and to the use, purpose, and specific features of coins being considered.
The policy should result in approval of a coin only if the VC Entity concludes that the coin’s intended use or adoption is consistent with the consumer protection and other standards embodied in 23 NYCRR Part 200 and with the safety and soundness of the VC Entity.
Consistent with the intent and purpose of 23 NYCRR 200.15(g), a VC Entity cannot self-certify any coin that may facilitate the obfuscation or concealment of the identity of a customer or counterparty. Thus, for example, no privacy coin can be self-certified. A VC Entity also cannot self-certify any coin that is designed or substantially used to circumvent laws and regulations (for example, gambling coins).
A coin-listing policy should, at a minimum, contain and be based on the following attributes:
The VC Entity must ensure that:
- Its board of directors or an equivalent governing authority approves the coin-listing policy;
- Its board of directors or an equivalent governing authority reviews and independently makes decisions to approve or disapprove each new coin;
- Any actual or potential conflicts of interest in connection with the review and decision-making process have been assessed and effectively addressed, whether such actual or potential conflicts of interest are related to the VC Entity, its owners, principals, employees, their respective families, or any other party;
- It keeps records, readily available for DFS’s review, of the coin-listing policy’s application to each coin. This includes board of directors or equivalent governing authority minutes, including the names of the participants and all documents the participants reviewed in connection with each coin’s approval or disapproval, such as reviews and sign-offs by all the VC Entity’s stakeholders, such as the legal, compliance, cybersecurity, and operations teams, including an assessment of all associated material risks;
- Its board of directors or an equivalent authority reviews, at least annually, its coin-listing policy to ensure that it continues to properly identify, assess, and mitigate the relevant risks and to ensure the robustness of the governance, monitoring and oversight framework;
- It informs DFS immediately if, at any time after DFS approval of its coin-listing policy, the VC Entity’s coin-listing policy ceases to comply with the general framework laid out in this Guidance; and
- It does not make any changes or revisions to its DFS-approved coin-listing policy without the prior written approval of DFS.
II. Risk Assessment
The VC Entity must perform a comprehensive risk assessment designed to ensure that the coin and the uses for which it is being considered are consistent with the consumer protection and other standards embodied in 23 NYCRR Part 200 and with the safety and soundness of the VC Entity. The risks to be assessed include, but are not limited to, the following:
- Risks associated with a new coin’s creation or issuance, governance, usage, or design. The VC Entity must conduct a thorough due diligence process to ensure that the coin is created or issued by a legitimate and reputable entity or entities for lawful and legitimate purposes, and not for evading compliance with applicable laws and regulations (e.g., by facilitating money laundering or other illegal activities); and that the process is subject to a strong governance and control framework;
- Operational risks associated with a new coin, including the resulting demands on the VC Entity’s resources, infrastructure, and personnel, as well as its operational capacity for continued customer on-boarding and customer support based on reasonable forecasts considering the overall operations of the VC Entity;
- Risks associated with any technology or systems enhancements or modification requirements necessary to ensure timely adoption or listing of any new coin;
- Cybersecurity risk;
- Risk of malfeasance, including, for example, theft;
- Market risks, including concentration of coin holdings or control by a small number of individuals or entities, price manipulation, and fraud, and the impact of the coin’s wider or narrower adoption on market risks;
- Risks relating to code defects and breaches and other threats concerning any new coin and its supporting blockchain, or the practices and protocols that apply to them. Mitigation should include, among other things, an escalation process to report such defects, breaches and threats to senior management and the board of directors or an equivalent governing authority for further action;
- Risks relating to potential non-compliance with the requirements of the VC Entity’s supervisory agreement with DFS as a result of the adoption of new coins, including the VC Entity’s capital requirement in accordance with 23 NYCRR 200.8;
- Legal risks associated with any new coin, including any pending or potential civil, regulatory, criminal, or enforcement action relating to the issuance, distribution, or use of the new coin;
- Risks associated with actual or potential conflicts of interest; the VC entity must have effective policies and procedures to prevent such conflicts from affecting the VC Entity’s use or offering of the coin, and must also have effective requirements for the disclosure of such conflicts to customers; and,
- Regulatory risks. Each coin must comply with all applicable laws, rules, regulations, and regulatory guidance, such as those of the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN), the U.S. Commodity Futures Trading Commission (CFTC), and the U.S. Securities and Exchange Commission (SEC), including, if applicable, whether a regulator has determined that the coin is a security.
Once a VC Entity begins using a new coin, the VC Entity should have policies and procedures in place to monitor the coin to ensure the VC Entity’s continued use of the coin remains prudent. This includes:
- Periodic re-evaluation of the coin, including whether material changes have occurred, with a frequency and level of scrutiny tailored to the risk level of the particular coin, provided that the frequency of re-evaluation must not be less than annual;
- Adoption, documentation, and implementation of control measures to manage risks associated with the coin; and
- The existence of a process for de-listing the coin, with respect to some or all Virtual Currency Business Activity of the VC Entity, including notice to affected customers and counterparties in the case of such de-listing.
Once a VC Entity’s coin-listing policy is approved by DFS, the VC Entity will be able to self-certify to DFS that its proposed use of a new coin complies with the requirements of its DFS-approved coin-listing policy. Prior to using the coin, the VC Entity will provide written notice to DFS of its intent to use the coin, including details of its specific use and purpose.[i] In such case, no prior approval from DFS will be required, only prior notice to DFS. VC Entities are also required to keep DFS informed, no later than at the time of their next quarterly filing, of all coins used or offered in connection with their Virtual Currency Business Activity.
A VC Entity that does not have a DFS-approved coin-listing policy is required to seek DFS’s prior approval with respect to any coin it wishes to use, unless the coin is on the Greenlist referenced below, or the VC Entity has already received DFS’s prior approval.
(B) General Framework for Greenlisting Coins
Below is the general framework and process for Greenlisting coins for wider use.
- DFS will maintain a record of all coins approved for VC Entities, whether directly by DFS or through the self-certification process, including their approved use. If a coin has received such approval for a specific use by three different and unrelated VC Entities (the “Greenlist Threshold”), DFS will prepare to add that coin for that specific use to the Greenlist.
- After Step 1 is complete, DFS will announce this on its website. DFS will also note that there will be a six-month waiting period (the “Greenlist Waiting Period”) from the date of such announcement until such time that other VC Entities that have not previously received approval can use the coin (subject to all regulatory, internal approval, and safety and soundness requirements).
- If, during the Greenlist Waiting Period, a VC Entity delists or stops using the coin under consideration for such Greenlisting, DFS may decide whether or not to continue with the Greenlist Waiting Period based on any information it considers relevant.
- During the Greenlist Waiting Period, any VC Entity may still seek to use the coin either through direct DFS approval or through the self-certification process.
- In addition, DFS may, in its discretion, add to the Greenlist coins that have been specifically reviewed and approved by DFS for creation and issuance by a VC Entity privately and in a centralized manner.
A VC Entity should have policies and procedures in place to monitor its adoption and use of any coin on the Greenlist to ensure the VC Entity’s continued use of the coin remains prudent. This includes:
- Periodic re-evaluation of the coin, including whether material changes have occurred, with a frequency and level of scrutiny tailored to the risk level of the particular coin; provided that the frequency of any such re-evaluation must not be less than annual;
- Adoption, documentation, and implementation of control measures to manage risks associated with the coin;
- The existence of a process for ceasing use of the coin, with respect to some or all Virtual Currency Business Activity of the VC Entity, including notice to affected customers and counterparties in such event; and
- The existence of a process to keep DFS informed, no later than at the time of its next quarterly filing, of all Greenlisted coins used or offered in connection with its Virtual Currency Business Activities.
VC Entities must provide their customers appropriate written disclosures regarding the coins they offer for use and must indicate to their customers whether a coin is drawn from the Greenlist, added through self-certification, or added through specific DFS approval.
The information contained in this Guidance is not intended to be exhaustive, and DFS may update it from time to time for any reason, including, for example, in response to new information, evolving markets, or additional experience. This Guidance is not intended to limit the scope or applicability of any law or regulation. DFS may, at any time and in its sole discretion, prohibit or otherwise limit a coin’s use before or after a VC Entity begins using a coin; require that any VC Entity delist, halt, or otherwise limit or curtail activity with respect to any coin; remove any coin from the Greenlist; refrain from placing any coin on the Greenlist; or discontinue the Greenlist process entirely.
Please note that each VC Entity is responsible for understanding and complying with all applicable laws and regulations, including any applicable legal and regulatory requirements imposed by other state or federal regulatory agencies. This Guidance is not intended to address and does not address any such other state or federal legal or regulatory requirements.
[i] This written notice shall be in the form posted on the DFS website.