InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
NYDFS orders digital currency trading company to pay $8 million
On January 12, NYDFS announced that it had entered into a consent order with a digital currency trading company after an investigation that found the company responsible for compliance failures that violated NYDFS’s virtual currency and cybersecurity regulations, leaving the company vulnerable to illicit activity and cybersecurity threats.
NYDFS found that the company failed to meet its compliance obligations due to (i) deficiencies in the company’s AML program; (ii) failure to file compliant suspicious activity reports; (iii) failure to conduct required OFAC screening; and (iv) failure to maintain an adequate cybersecurity program. In connection with the settlement, the company will surrender its BitLicense, the license required to be held by any company conducting virtual currency business in New York state and pay an $8 million penalty.
NYDFS introduces guidelines for coin-listing and delisting policies in virtual currency entities
On November 15, NYDFS announced new regulatory guidance which adopts new requirements for coin-listing and delisting policies of DFS-regulated virtual currency entities, updating its 2020 framework for each policy. After considering public comments, the new guidance aims to enhance standards for self-certification of coins and includes requirements for risk assessment, advance notification, and governance. It emphasizes stricter criteria for approving coins and mandates adherence to safety, soundness, and consumer protection principles. Virtual currency entities must comply with these guidelines, requiring DFS approval for coin-listing policies before self-certifying coins, and submitting detailed records for ongoing compliance review. The guidance also outlines procedures for delisting coins and necessitates virtual currency entities to have an approved coin-delisting policy.
As an example under coin listing policy framework, the letter states that a virtual currency entity risk assessment must be tailored to a virtual currency entity's business activity and can include factors such as (i) technical design and technology risk; (ii) market and liquidity risk; (iii) operational risk; (iv) cybersecurity risk; (v) illicit finance risk; (vi) legal risk; (vii) reputational risk; (viii) regulatory risk; (ix) conflicts of interest; and (x) consumer protection. Regarding consumer protection, NYDFS says that virtual currency entities must “ensure that all customers are treated fairly and are afforded the full protection of all applicable laws and regulations, including protection from unfair, deceptive, or abusive practices.”
Similar to the listing policy framework, the letter provides a fulsome delisting policy framework. The letter also stated that all virtual currency entities must meet with the DFS by December 8 to preview their draft coin-delisting policies and that final policies must be submitted to DFS for approval by January 31, 2024.
FinCEN announces NPRM for new regulation to combat CVC mixing
On October 19, FinCEN announced a notice of proposed rulemaking (NPRM) that identifies international Convertible Virtual Currency mixing (CVC) as a primary money laundering concern. In its NPRM, FinCEN highlighted the prevalence of illicit actors, including Hamas and Palestinian Islamic Jihad, who use CVC mixing to fund their illegal activity, and how increased transparency can combat their efforts. According to FinCEN, CVC mixing is used to conceal the source, destination, or amount involved in transactions. The proposed rule would require covered financial institutions to collect records of, and report suspicious CVC mixing transactions, as defined, to FinCEN within 30 days of initial detection. The proposed rule would not require covered financial institutions to source additional report information from the transactional counterparty, adding that the information required for the report is similar to information already collected by financial institutions. FinCEN also noted this is its first ever use of its authority under Section 311 of the USA PATRIOT Act.
FinCEN invites comments for the proposed rule, including responses to questions addressing the impact of the proposed rule, definitions, reporting, and recordkeeping. Comments must be received by January 22, 2024, and they can be submitted via instructions found in the announcement.
NYDFS updates criteria for virtual currency regulation
Adrienne Harris, Superintendent of the New York State Department of Financial Services (“DFS”) issued an update on the VOLT initiative, an ongoing project to enhance DFS’s role as a virtual currency regulator. Superintendent Harris published proposed guidance adopting enhanced criteria for procedures to list and de-list virtual currencies as well as updated guidance for designating virtual currencies to the DFS “Greenlist.”
The new General Framework for Greenlisted Coins sets (i) heightened risk assessment standards for coin-listing policies and enhances requirements for consumer-facing products; and (ii) new requirements associated with coin-delisting policies. Under the new guidance, a virtual currency entity that seeks to self-certify coins must create a coin-listing policy and may not self-certify any coins until such possibly has a written approval from DFS. A coin-listing policy must contain and be based on a robust governance structure; comprehensive risk assessment; consideration of factors to identify and mitigate risks involved in each coin and its uses; and policies and procedures to conduct continued monitoring of the coin to ensure consistent safety and soundness compliance.
The new framework does not require prior approval from the DFS to list coins included on the Greenlist, but does require virtual currency entities that choose to list such coins to (i) provide advance notification to DFS and (ii) have a DFS-approved coin-delisting policy.
Connecticut establishes rules for virtual currency kiosks
On June 27, the Connecticut governor signed HB 6752 (the “Act”) to establish certain requirements for owners or operators of virtual currency kiosks in the state. Among other things, the commissioner has the authority to establish regulations, forms, and orders that govern the use of digital assets, such as virtual currencies and stablecoins, by regulated entities and individuals. When adopting, amending, or rescinding any such regulation, form, or order, the commissioner may consult with federal financial services regulators, regulators from other states, as well as other stakeholders and industry professionals to promote the consistent treatment and handling of digital assets. Definitions for “virtual currency address,” “virtual currency kiosk,” and “virtual currency wallet” have also been added.
The Act further provides that prior to engaging in an initial virtual currency transaction with a customer, the owner or operator of a virtual currency kiosk is required to provide clear and conspicuous written disclosures in English regarding the material risks associated with virtual currency. These disclosures should cover several key points, including a prominent and bold warning acknowledging that losses resulting from fraudulent or accidental transactions may not be recoverable, transactions in virtual currency are irreversible, and that the nature of virtual currency may lead to an increased risk of fraud or cyber-attack. Disclosures must also address a customer’s liability for unauthorized virtual currency transactions, a customer’s right to stop payment for a preauthorized virtual currency transfer (along with the process to initiate a stop-payment order), and circumstances in which the owner or operator will disclose information regarding the customer’s account to third parties, unless required by a court or government order. Additionally, customers must be provided upfront information relating to the amount of the transaction, any fees, expenses, and charges, and any applicable warnings. It is the responsibility of the owner or operator of a virtual currency kiosk to ensure that every customer acknowledges the receipt of all disclosures mandated by the Act, and to provide receipts upon completion of any virtual currency transaction. The Act is effective October 1.
Louisiana amends virtual currency licensing
On June 13, the Louisiana governor signed SB 185 (the “Act”), which amends provisions relating to the regulation and licensure of virtual currency businesses and is effective immediately. The Act adds and amends several definitions, including “acting in concert,” “affiliate,” “blockchain,” “mining,” “non-fungible token,” “responsible individual,” “unsafe or unsound act or practice” “virtual currency business activity,” and “virtual currency network.” With respect to licensure, the Act now requires applicants to provide a copy of their business plan, detailing, among other things, the anticipated volume of virtual currency business activities in the state, the expected number of virtual currency locations (including kiosks) in the state, and information on surety bonds and tangible net worth. Applicants must also provide audited financial statements and certificates of coverage for each liability, casualty, business interruption, and cybersecurity insurance policies (applicable policies for affiliates, agents, and control persons are required as well) with respect to an applicant’s virtual currency business activities. The Act also adds numerous licensing conditions and includes new requirements relating to background checks/criminal records/character fitness and fees and costs. Applicants will now be required to provide their financial services-related regulatory history, including information concerning money transmission, securities, banking, insurance, and mortgage-related industries. The Act extended the time that the state’s office of financial institutions has after the completion of an application to notify an applicant of its decision from 30 days to 60 days. If the office denies a license application, an advanced change of control notice, or an advanced change of responsible individual notice, an applicant has 30 days to appeal. Information on submitting annual licensing renewal applications, as well as guidance on providing appropriate disclosures is also included.
Furthermore, the Act outlines provisions to protect residents’ assets, including prohibitions on selling, transferring, and assigning virtual currency and commingling assets belonging to a resident with assets belonging to a licensee. Also stipulated within the Act are authorities granted to the commission relating to examinations, investigations, and enforcement activity, as well as the authority to coordinate and share information and conduct joint examinations with other state regulators of virtual currency business activities.
NYDFS calls its virtual currency framework the “gold standard”
On May 25, NYDFS Superintendent Adrienne Harris testified before the New York assembly to address the regulation of virtual currency in the state. Harris highlighted the value and “gold standard” set by NYDFS’s virtual currency regulatory framework. She detailed how novel risks in that landscape were met with subsequential growth of the virtual currency unit since her arrival, including the addition of 50 professionals and a range of seasoned experts to streamline enforcement investigations.
In her testimony, Harris also voiced how the framework responsibly supports innovation for entities engaging primarily in virtual currency activities, leveraging their licensing (BitLicense) and chartering (the limited purpose trust company charter) regimes, whereas other states license virtual currency entities only as money transmitters. Adding on, she specified how NYDFS’s customized approach continues after approval, specifically, “NYDFS creates a detailed supervisory agreement that is tailored to the specific risks presented by the company’s business model. Licensed and chartered entities also are subject to ongoing supervision and are regularly examined for compliance with broadly applicable virtual currency regulations and other rules, as well as with their supervisory agreements.” The development of these tools, among other safeguards, is demonstrative of NYDFS’ focus on addressing the inherently high-risk nature of virtual currency business activity with respect to illicit transactions, she noted.
Harris further clarified that secure, customized regulatory requirements, as outlined in the framework, coupled with transparency, ushers in more business for the state, especially in the case of crypto startups. Further, other regulators, jurisdictions, and economic development agencies are seeking to replicate the framework, Harris commented, as consumer protection is not only achieved as outlined in the law, but by regulators that are able to move at a faster pace than the former.
Crypto company settles NY AG’s hidden-fee claims
On May 18, the New York attorney general announced a settlement with a Brooklyn-based cryptocurrency company to resolve claims that it charged investors “exorbitant and undisclosed fees” to store cryptocurrency in an account that was advertised as being free on its website. The fees charged to investors to use its wallet storage were allegedly so high that they completely cleaned out investors’ accounts, the AG said. The company agreed to the AG’s findings that it regularly charged and increased fees without properly notifying investors. According to the AG’s investigation, the company changed the wallet storage fee structure four times without clearly disclosing the fee increase, which led to some investors being charged fees equal to 96 percent of the value of their account holdings. In total, the company took approximately $4.25 million from investors. The AG maintained that the company also failed to register as a commodity broker dealer in the state for a period of time, and that while it was eventually granted a virtual currency license pursuant to 23 NYCRR Part 200, it failed to file a registration statement. Under the terms of the assurance of discontinuance, the company is required to pay $508,910 in restitution to the state and provide full restitution to all investors who were misled. The company is also required to provide monthly refund status updates to the AG, limit the amount of fees charged for using its wallet service to 0.002 percent per cryptocurrency per month for at least five years, and ensure that it adequately discloses all fees to investors.
Crypto platform reaches $1.2 million settlement on alleged compliance failures
On May 1, NYDFS issued a consent order against a cryptocurrency trading platform for engaging in alleged violations of the state’s cybersecurity regulation (23 NYCRR Part 500). According to the consent order, during examinations conducted in 2018 and 2020, NYDFS identified multiple alleged deficiencies in the respondent’s cybersecurity program, as required by both the cybersecurity regulation and the state’s virtual currency regulation (23 NYCRR Part 200). Following the examinations, NYDFS initiated an investigation into the respondent’s cybersecurity program. The Department concluded that the respondent failed to conduct periodic cybersecurity risk assessments “sufficient to inform the design of the cybersecurity program,” and failed to establish and maintain an effective cybersecurity program and implement a reviewed and board-approved written cybersecurity policy. Moreover, NYDFS claimed the respondent’s policies and procedures were not customized to meet the company’s needs and risks. Under the terms of the consent order, the respondent must pay a $1.2 million civil monetary penalty and submit quarterly progress reports to NYDFS detailing its remediation efforts.
OFAC sanctions facilitators of DPRK virtual currency laundering
On April 24, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions, pursuant to Executive Orders 13722 and 13382, against three individuals for providing material support to the Democratic People’s Republic of Korea (DPRK) through several previously designated entities. According to OFAC, the DPRK uses illicit facilitation networks to access the international financial system, launder stolen virtual currency, and generate revenue to support the regime’s weapons of mass destruction and ballistic missile programs. “The United States and our partners are committed to safeguarding the international financial system and preventing its use in the DPRK’s destabilizing activities, especially in light of the DPRK’s three launches of intercontinental ballistic missiles (ICBMs) this year alone,” Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson said in the announcement. OFAC explained that the DPRK deploys IT workers to fraudulently obtain employment to generate revenue in virtual currency, and said that in 2022 alone, DPRK cyber actors were able to steal an estimated $1.7 billion in virtual currency through various hacks. The stolen virtual currency was converted into fiat currency using a network of over-the-counter virtual currency traders (including traders based in China) to avoid detection by financial institutions or authorities, OFAC said.
As a result of the sanctions, all property and interests in property belonging to the sanctioned entities subject to U.S. jurisdiction are blocked and must be reported to OFAC. Additionally, “any entities that are owned, directly or indirectly, 50 percent or more by one or more blocked persons are also blocked.” OFAC further warned that “persons that engage in certain transactions with the individuals or entities designated today may themselves be exposed to designation,” and that “any foreign financial institution that knowingly facilitates a significant transaction or provides significant financial services for any of the individuals or entities designated today could be subject to U.S. correspondent or payable-through account sanctions.”