November 15, 2023
TO: All Virtual Currency Business Entities Licensed under 23 NYCRR Part 200 or Chartered as Limited Purpose Trust Companies under the New York Banking Law
FROM: Adrienne A. Harris, Superintendent of Financial Services
RE: Guidance Regarding Listing of Virtual Currencies
In 2015, the New York State Department of Financial Services (the “Department” or “DFS”) issued its virtual currency regulation, 23 NYCRR Part 200, under the New York Financial Services Law. Since 2015, DFS has served as the prudential regulator overseeing virtual currency business activity in New York, granting both virtual currency licenses under Part 200 (“BitLicenses”) and limited purpose trust company charters, to ensure that New Yorkers have a well-regulated way to access the virtual currency marketplace and that New York remains at the center of technological innovation and forward-looking regulation.
On June 24, 2020, informed by its experience as the regulator of BitLicensees and New York-chartered limited purpose trust companies engaged in virtual currency business activity (collectively, “VC Entities”), the Department published its prior Guidance Regarding Adoption or Listing of Virtual Currencies (“Prior Guidance”). As discussed in greater detail below, DFS is now providing this Guidance Regarding Listing of Virtual Currencies (“Guidance”), which is effective immediately and entirely supersedes the Prior Guidance.
Proposed Guidance of September 18, 2023
Since the publication of the Prior Guidance, the Department has continued to serve as the leading regulator of VC Entities and their activities, and the market has evolved sufficiently that the Department found it prudent to further enhance the requirements of the Prior Guidance. As a result, on September 18, 2023, the Department issued for public comment “Proposed Updates to Guidance Regarding Listing of Virtual Currencies” (“Proposed Guidance”).
During the comment period, the Department received submissions from VC Entities, industry groups, advisory firms, and the wider public. In addition, the Department conducted direct outreach with VC Entities regarding the Proposed Guidance to socialize proposed requirements and identify areas that could benefit from greater clarity. In response to feedback received, the Department is publishing its Guidance in its final form, which sets the new heightened standards for coin-listing and coin-delisting.
Several themes were identified from the comments and outreach, which have been incorporated into the Guidance in its final form. These themes include:
- Business model considerations. Commenters noted that the risk associated with virtual currencies is in part dependent on the specific nature of a VC Entity’s virtual currency business activities. The Guidance includes risk-based considerations such as enhanced protections for retail consumers by making virtual currencies that exhibit certain characteristics impermissible for self-certification for any virtual currency business activity available to retail consumers.
- Risk assessment expectations. Commenters encouraged more clarity of the risk assessment expectations to reduce regulatory uncertainty and ensure compliance. The Guidance maintains high risk assessment standards while adding tailored risk assessment expectations to account for a VC Entity’s specific virtual currency business activities.
- Advance notification requirements. Commenters noted that in certain cases the advance notification requirements for coin-delistings may not be feasible and could result in unintended consumer harm. The Guidance provides limited exceptions to advance notification requirements based on exigent circumstances.
- Clearer definitions. The Guidance includes updated definitions of certain terms.
Guidance Regarding Listing of Virtual Currencies
VC Entities that had a previously approved coin-listing policy under the Prior Guidance are not permitted to self-certify any coins until they submit to and receive approval from the Department a coin-listing policy that meets the standards of Section (A) of this Guidance, and have an approved coin-delisting policy that meets the standards of Section (B) of this Guidance. Following DFS approval of a coin-listing policy, a VC Entity may proceed with self-certification of coins, thereby making them available for approved virtual currency business activity in New York or to New Yorkers. The Department will not approve a coin-listing policy absent an accompanying coin-delisting policy.
VC Entities must provide written notice to the Department of any coins that are self-certified under an approved coin-listing policy. VC Entities must at all times keep and maintain records available for the Department’s review. Records must be kept in a form and manner consistent with the VC Entity’s recordkeeping requirements to demonstrate continued compliance with the VC Entity’s coin-listing policy and this Guidance.
VC Entities without DFS-approved coin-listing policies may only list coins that are included on the Department’s Greenlist, unless a VC Entity has otherwise been approved by DFS to list a coin as a material change to business under 23 NYCRR § 200.10. The Department may, at any time and in its sole discretion, require VC Entities to delist or otherwise limit New Yorkers’ access to coins that are not included on the Greenlist. Any such action will be taken over an appropriate timeline to mitigate any impact to New Yorkers and the broader marketplace.
This Guidance also clarifies the Department’s expectations with respect to coin-delistings. In the event a listed coin is identified as presenting newly elevated risk, whether through a VC Entity’s monitoring process, a DFS-identified weakness or vulnerability, or otherwise, VC Entities must be able to discontinue support of that coin in a manner that is consistent with safety and soundness principles and with the protection of customers and the general public. As a result, VC Entities are required to have a coin-delisting policy that meets the requirements of this Guidance, regardless of whether they have a DFS-approved coin-listing policy. All VC Entities must meet with the Department by December 8, 2023 to preview their draft coin-delisting policy. Final coin-delisting policies must be submitted to the Department for approval by January 31, 2024.
(A) General Framework for the Creation of a VC Entity’s Coin-Listing Policy
A VC Entity that wishes to self-certify coins for listing without the prior approval of DFS must create a coin-listing policy in accordance with this Guidance.1 Until DFS has provided a VC Entity with written approval of its coin-listing policy, a VC Entity may not self-certify any coins.
Prior to listing any coin under a DFS-approved coin-listing policy, the VC Entity must provide written notice to DFS of its intent to use the coin. VC Entities are also required to keep DFS informed of all coins used or available in connection with their virtual currency business activity.
A VC Entity’s coin-listing policy must include robust procedures that comprehensively address all the steps involved in the review and approval of coins. The policy must be tailored to the VC Entity’s specific business model, operations, customers and counterparties, geographies of operations, and service providers; and must also account for the use, purpose, and specific features of the coins being considered.
The policy should result in the approval of a coin only if the VC Entity concludes that the coin’s intended use is consistent with this Guidance, the standards embodied in 23 NYCRR Part 200 (including, without limitation, consumer protection principles), and with the safety and soundness of the VC Entity. A VC Entity with a DFS-approved coin-listing policy must demonstrate continued compliance with this Guidance, which DFS will assess as part of its regular, continuous monitoring.
Failure to do so may result in DFS taking action to revoke a coin-listing policy.
A coin-listing policy must, at a minimum, contain and be based on the following attributes:
The VC Entity must ensure that:
- Its board of directors or an equivalent governing authority (“Governing Authority,” which shall consist of a board of directors or a committee formally delegated by the board of directors) approves the coin-listing policy to ensure the robustness of the governance, monitoring, and oversight framework;
- Its Governing Authority, at least annually, reviews and determines whether to re-approve the coin-listing policy to ensure that it continues to identify, assess, and mitigate risks properly;
- Its Governing Authority reviews and makes decisions to approve or disapprove each new coin;
- Its Governing Authority is independent from those responsible for making the initial recommendations whether to list or delist a coin;
- Any actual or potential conflicts of interest in connection with the review and decision-making process have been assessed, effectively addressed, and fully disclosed to the public, whether such actual or potential conflicts of interest are related to the VC Entity, the VC Entity’s affiliates, or the VC Entity’s owners, principals, employees, or their respective families;
- The VC Entity keeps records consistent with applicable recordkeeping requirements and makes them readily available for the Department’s review at all times. This includes meeting minutes for all Governing Authority meetings which discuss a specific coin or coins—including all documentation reviewed and produced by Governing Authority members in connection with each coin’s approval or disapproval. This also includes all documentation reviewed and produced by those responsible for approval/disapproval recommendations related to coin-listing as well as to the risk assessment conducted on the specific coin or coins under consideration;
- The VC Entity informs DFS immediately in writing if, at any time after DFS approves its coin-listing policy, the VC Entity’s coin-listing policy ceases to meet the requirements of this Guidance; and
- The VC Entity does not make any material changes or revisions to its coin-listing policy without the prior, written approval of DFS.
II. Risk Assessment
The VC Entity must perform a comprehensive risk assessment designed to ensure that any coin and the uses for which it is being considered are consistent with the consumer protection and other standards embodied in 23 NYCRR Part 200, and with the safety and soundness of the VC Entity. The risk assessment must be tailored to a VC Entity’s approved virtual currency business activity and should include factors such as, but not limited to, the following:
- Technical Design and Technology Risk. A VC Entity must assess the risk associated with the listing of a coin based on the coin’s issuance, governance, usage, and/or design. The VC Entity must conduct a thorough due diligence process to ensure that the coin is created or issued for lawful and legitimate purposes and not for the purpose of evading compliance with any law, rule, or regulation;
- Operational Risk. A VC Entity must assess operational risk associated with a coin, including the resulting demands on the VC Entity’s resources, infrastructure, and personnel, as well as its operational capacity for continued customer onboarding and customer support;
- Cybersecurity Risk. A VC Entity must assess the risk to the confidentiality, integrity, and availability of all systems relating to each coin and its supporting blockchain. This includes risks relating to application security, unauthorized access, and other threats;
- Market and Liquidity Risk. A VC Entity must assess the risk relating to a concentration of coin holdings or control by a small number of individuals or entities, price manipulation, fraud, and the impact of the coin’s wider or narrower adoption on market risk, as well as the VC Entity’s ability to source sufficient liquidity to meet potential customer demand upon listing of a coin;
- Illicit Finance Risk. A VC Entity must assess the illicit finance risk associated with each coin, including its historical or potential use in facilitating illicit financial activity or potential sanctions evasion, and must ensure that mitigating controls are in place. The VC Entity must also consider broader risks of malfeasance, including, for example, theft;
- Legal Risk. A VC Entity must assess the legal risk associated with any new coin, including any pending or potential civil, regulatory, criminal, or enforcement action relating to the issuance, distribution, or use of each coin;
- Reputational Risk. A VC Entity must assess the potential impact of any negative publicity on the VC Entity’s business resulting from a decision to self-certify a specific coin; and
- Regulatory Risk. A VC Entity must assess any risk relating to potential non-compliance with the requirements of the VC Entity’s supervisory agreement with DFS and the requirements of DFS’s Cybersecurity Regulation (23 NYCRR Part 500) as a result of the listing of each coin. Further, each coin must comply with all applicable laws, rules, regulations, and regulatory guidance.
In addition to these areas of the risk assessment, the VC Entity must also consider other factors to identify and mitigate the risks involved in each coin and its uses. As part of these considerations, VC Entities must incorporate the Department’s “Guidance on Prevention of Market Manipulation and other Wrongful Activity,” where applicable. Additional considerations include, but are not limited to, the following:
- Conflicts of Interest. A VC Entity must have effective policies and procedures in place to mitigate any conflicts of interest from impacting the decisions, recommendations, and assessments made for each coin under review. In addition, a VC Entity must ensure that all potential conflicts of interest relating to coin-listing decisions are clearly disclosed to the public; and
- Customer Protection. A VC Entity must ensure that all customers are treated fairly and are afforded the full protection of all applicable laws and regulations, including protection from unfair, deceptive, or abusive practices.
If a coin is designed or substantially used to circumvent laws and regulations, or has features designed to facilitate the obfuscation or concealment of the identity of an individual or entity, it cannot be self-certified. Further, if any coin shares any features noted immediately below and is not separately included on the Greenlist—or if a VC Entity is unable to determine that a coin does not have any such feature using all reasonable efforts—it cannot be self-certified for virtual currency business activity available to retail consumers:2
- Stablecoins. A VC Entity cannot self-certify any stablecoin that is not included on the Greenlist. This restriction extends to any coin designed to serve as collateral for a stablecoin not included on the Greenlist;
- Exchange Coins. A VC Entity cannot self-certify any coin that is issued by or on behalf of any online platform operated by an entity acting as an intermediary between purchasers and sellers of virtual currency (e.g., virtual currency exchange);
- Protocol Resiliency. A VC Entity cannot self-certify any coin that is the native asset for a protocol where there are concerns related to the protocol’s decentralization, for example if a single entity or individual controls more than 51% of the hash power for protocols with proof-of-work or similar consensus mechanisms, or similar levels of susceptibility of concentration risk for protocols with proof-of-stake or similar consensus mechanisms. This restriction extends to all coins issued on protocols that meet the above thresholds;
- Bridged Coins. A VC Entity cannot self-certify any coin that circulates on a protocol in which it is not natively issued by the coin’s creator or issuer. This restriction extends to any coin designed to serve as collateral or governance for an application that enables the transfer of coins across different protocols (e.g., coin bridge platforms); and
- Circulating Supply. A VC Entity cannot self-certify any coin in which the circulating supply is less than 35% of its total supply.3
If a VC Entity wants to list a coin that has any of the above characteristics for virtual currency business activity available to retail consumers, the VC Entity must request in writing approval from DFS as a material change to business under 23 NYCRR § 200.10. Any such request must include a risk assessment for the coin that meets the standards described within this Guidance as well as specify a particular business use case for listing the coin. In reviewing any such request, DFS will take into consideration such factors as DFS deems appropriate, including whether effective compensating controls are in place to, for example, address safety and soundness concerns and ensure consumer protection.
In connection with a VC Entity listing a new coin, the VC Entity must have policies and procedures in place to monitor the coin to ensure that continued listing of the coin remains consistent with safety and soundness considerations, the protection of customers and the general public, and all the requirements of this Guidance. Such policies and procedures must include, but are not limited to:
- Periodic re-evaluation of the coin by those responsible for approval/disapproval recommendations related to coin-listing, including whether material changes have occurred (e.g., hard forks), with a frequency and level of scrutiny tailored to the particular coin, provided that in all cases the frequency of re-evaluation must be not less than annual;
- Adoption, documentation, and implementation of control measures to manage risks associated with the coin, including but not limited to those risks involving cybersecurity and illicit activity; and
- A coin-delisting policy, as described in Section (B) of this Guidance, that contains a process that can be readily implemented if the ongoing monitoring of a coin or other reasons results in a delisting decision.
In addition, as part of a VC Entity’s coin monitoring, the VC Entity is expected to meet the expectations of the Department’s “Guidance on Use of Blockchain Analytics” and other BSA/AML and sanctions-related control requirements, including its regulatory reporting obligations.
VC Entities must also verify that their coin-listing policies are appropriately integrated into the VC Entity’s overall risk and compliance framework. For example, as part of ongoing monitoring to meet all cybersecurity requirements and illicit finance risk-related obligations, VC Entities should assess and review any controls relating to the VC Entity’s governance and coin-listing inventory periodically and when there are any significant changes in the broader risk environment, or when required by DFS. Similarly, VC Entities with coin-listing policies should verify that independent testing includes coin-listing and coin-delisting in its scope as part of annual planning.
(B) General Framework for the Creation of a VC Entity’s Coin-Delisting Policy
Regardless of whether a VC Entity has a DFS-approved coin-listing policy, the VC Entity must maintain a separate policy that governs the steps the VC Entity must take to ensure safety and soundness and the protection of customers and the general public in the event the VC Entity ceases support for a coin (a “coin-delisting policy”). Coin-delisting policies must be tailored to the virtual currency business activity a VC Entity has been approved by DFS to conduct and must be submitted to DFS for approval.4 VC Entities should coordinate with the Department around development with respect to its coin-delisting policy and must submit a coin-delisting policy to DFS for approval by January 31, 2024. VC Entities must meet with DFS by December 8, 2023 to discuss their draft coin-delisting policy.
This coin-delisting policy must include robust procedures that comprehensively address all steps involved in removing support for a coin and must be tailored to the VC Entity’s specific business model, operations, customers and counterparties, geographies of operations, and service providers; and to the use, purpose, and specific features of coins being considered. Accordingly, the determination to delist a coin should occur only if the VC Entity concludes that the coin’s delisting is consistent with this Guidance, the standards embodied in 23 NYCRR Part 200 (including, without limitation, consumer protection principles), and with safety and soundness.
A coin-delisting policy should, at a minimum, contain and be based on the following attributes in this Guidance. There may be very limited exceptions where all delisting requirements may be inapplicable with a particular business model, in which case a VC Entity may come to the Department to tailor how this requirement applies to it.
When a VC Entity ceases support for a coin, it must do so in an orderly manner. In light of the impact that delisting a coin may have on consumers and others, it is imperative that VC Entities have the appropriate oversight and management to govern a delisting process.5 Specifically, each VC Entity must ensure that:
- Its Governing Authority approves the coin-delisting policy to ensure the robustness of the governance, monitoring, and oversight framework;
- Its Governing Authority, at least annually, reviews and determines whether to re-approve the coin-delisting policy to ensure it continues to properly identify, assess, and mitigate risks properly;
- Its Governing Authority is independent from those responsible for making the initial recommendations whether to list or delist a coin;
- The VC Entity keeps records consistent with applicable recordkeeping requirements and makes them readily available for the Department’s review at all times. This includes, without limitation, all documentation associated with the delisting decision as well as the broader operational processes supporting that decision;
- The VC Entity informs DFS in writing of any decision to delist a coin following such a determination at least ten (10) business days prior to informing its customers, and includes the rationale and all elements of the proposed delisting timeline, unless exigent circumstances exist outside the VC Entity’s control requiring more immediate action, in which case the VC Entity must make all reasonable efforts to provide advance notice to DFS before delisting a coin; and
- The VC Entity does not make any material changes or revisions to its coin-delisting policy without the prior, written approval of DFS.
In addition to the governance standards, a coin-delisting policy must detail the process that underpins a delisting event. Specifically, the VC Entity must implement a clear set of roles and responsibilities that establishes who has the authority to initiate a delisting event, the chain of approval through management, and the escalation to the Governing Authority for final approval. The VC Entity must also maintain a record of coins held in a personal capacity by its Governing Authority members and other internal stakeholders that might influence a delisting decision in order to account for any potential conflicts of interest that may arise in a delisting process. The VC Entity should use this record to implement information barriers around conflicted decisionmakers and others to avoid the risk of market manipulation or insider trading.
A VC Entity’s coin-delisting policy must clearly incorporate its ongoing monitoring procedures, be reviewed and periodically updated at risk-based intervals to take into account and reflect changes in the coins it currently supports, and establish clear thresholds on criteria that may prompt a delisting. Moreover, the VC Entity must also include the types of events that may cause a delisting to be necessary or appropriate. Event types include, but are not limited to:
- New findings resulting from the periodic re-evaluation or ongoing monitoring of a listed coin;
- A change in the legal or regulatory environment that makes support for a coin no longer permissible or practical; or
- Receiving a directive from DFS to delist a coin.
The VC Entity must also establish roles and responsibilities in connection with each type of event to provide clear instructions for the VC Entity’s stakeholders depending on the specific facts and circumstances.
Once the decision to delist a coin is reached, a VC Entity must communicate clearly with its customers regarding the delisting in advance of taking action to cease support of the coin in order to minimize any potential risk of consumer harm. Unless otherwise approved or directed by DFS, the VC Entity must use all reasonable efforts to provide customers with at least 30 calendar days’ prior, written notice of the specific coin or coins that will be delisted, the timing of the delisting, and the steps that customers who are impacted may take to either sell a delisted coin or transfer it off the VC Entity’s platform, when permitted.
The elements related to executing a delisting event that must be addressed in a coin-delisting policy include, but are not limited to:
- Advance Notice. A VC Entity’s customers must be provided with at least 30 days’ prior, written notice of any coin-delisting using all reasonable efforts, unless the VC Entity is otherwise approved or directed by DFS. If a VC Entity believes that more immediate action is necessary given exigent circumstances outside of the VC Entity’s control, the VC Entity must provide immediate notice to DFS and provide as much advance notice to its customers as is possible. The coin-delisting policy should detail explicitly when and how a customer will be informed of a delisting and outline any other communications the VC Entity would routinely make when delisting a coin (e.g., public communications). Importantly, the coin-delisting policy must take all reasonable efforts to ensure protection of customers and the general public in executing a delisting event.
- Customer Support. Following the communication of a coin-delisting decision, a VC Entity must make available the requisite level of customer support to answer any questions and assist customers with safely selling the impacted coin or otherwise transferring it off the VC Entity's platform, when permitted. Depending on factors such as the volume of trading or number of holders of a coin being delisted, the VC Entity should consider whether it must dedicate separate or additional resources to respond to phone, email, or chat inquiries made by impacted customers and whether to provide tailored FAQs related to the specific delisting event.
- Documentation. A VC Entity must ensure that it appropriately documents all key details of any coin-delisting decision. This includes, at a minimum, documentation related to the monitoring that led to a delisting decision, approval of the delisting decision, data regarding the estimated impact on the VC Entity’s customer base, communications shared with customers and regulators, and documentation responsive to any issues related to customer support. The VC Entity must make readily available to DFS all documents created with regard to a delisting event and must maintain such documents consistent with the VC Entity’s recordkeeping requirements.
- Ongoing Monitoring. A VC Entity must dedicate resources to monitoring the safety and soundness of a delisting, including the necessary expertise to detect for issues with the financial health of the business, the possible introduction of cybersecurity vulnerabilities, illicit finance risk, or any technological or other challenges that would affect the customer experience.
- Impact Analysis. A VC Entity must consider second-order impacts a delisting decision might have on the VC Entity’s internal business operations as well as on any counterparties and third-party service providers leveraged in supporting a coin.
The information contained in this Guidance is not intended to be exhaustive, and DFS may update it from time to time for any reason, including, for example, in response to new information, evolving markets, or additional experience. This Guidance is not intended to limit, and does not limit, the scope or applicability of any law or regulation.
Each VC Entity is responsible for understanding and complying with all applicable laws and regulations, including any applicable legal and regulatory requirements imposed by other state or federal regulatory agencies. This Guidance is not intended to address and does not address any such other state or federal legal or regulatory requirements.
DFS will continue to engage with VC Entities and other stakeholders to evaluate this Guidance in the context of the evolving virtual currency marketplace.
1 Listing within the context of this Guidance refers to a VC Entity making any virtual currency available in New York or to New Yorkers for any virtual currency business activity.
2 Virtual currency business activity available to retail consumers refers to any virtual currency business activity that is open to all individuals without restriction based on factors such as income or customer type. This restriction does not apply to institutional custody or services only available to businesses.
3 Circulating supply refers to the number of a virtual currency that are publicly available for purchase in the marketplace and are not subject to lock-up or similar vesting periods. Total supply refers to the total number of a virtual currency, including any of the virtual currency that is locked or held in reserve and are not publicly available in the marketplace.
4 In the event that a coin-delisting involves the VC Entity no longer conducting any virtual currency business activity, the VC Entity’s coin-delisting policy may be included as part of the VC Entity’s broader wind-down plan, subject to DFS approval and provided the requirements of this Guidance are satisfied.
5 A VC Entity’s coin-delisting policy may be included as part of a VC Entity’s coin-listing policy, so long as it meets all of the criteria described in this section.