This is Part II of our series on Virtual Asset Service Providers, focusing on New York state regulation of VASPs. Part I is available here.
New York State regulates virtual asset service providers (VASPs) either operating in its jurisdiction or providing virtual asset services from offshore to persons in the state.
A. New York State Department of Financial Services
The New York State Department of Financial Services (DFS) is the regulatory authority for VASPs operating in the state or providing virtual asset services to persons in the state. DFS regulates VASPs under Chapter 23 of the New York Codes, Rules, and Regulations (NYCRR) Part 200. Chapter 23 is also known as the “BitLicense” Regulation.[1] Entities that wish to conduct business as VASPs must either apply to DFS for a BitLicense or apply for a charter under the New York Banking Law (for example, as a New York State limited purpose trust company or New York State bank) with approval to conduct virtual currency business.[2] DFS places analogous requirements on New York State limited purpose trust companies that engage in virtual currency business activity.[3]
B. VASP Regulations Apply to Entities Conducting Virtual Currency Business Activity in New York State
23 NYCRR 200.2(q) defines “Virtual Currency Business Activity” as the conduct of any one of the following types of activities involving New York or a New York Resident:
(1) receiving Virtual Currency for Transmission or Transmitting Virtual Currency, except where the transaction is undertaken for non-financial purposes and does not involve the transfer of more than a nominal amount of Virtual Currency;
(2) storing, holding, or maintaining custody or control of Virtual Currency on behalf of others;
(3) buying and selling Virtual Currency as a customer business;
(4) performing Exchange Services as a customer business; or
(5) controlling, administering or issuing a Virtual Currency.
Part 200.2(q) further states that the “development and dissemination of software in and of itself does not constitute virtual currency business activity.”[4]
C. Cybersecurity Regulations
DFS has updated its cybersecurity regulations to further protect against online threats, requiring more robust controls and risk assessments from regulated entities. Most VASPs are subject to these regulations, which are included in Chapter 23 of the New York Codes, Rules and Regulations (NYCRR), Part 500.[5] Initially established in 2017, Part 500 has undergone significant amendments to enhance its protections and requirements in response to evolving cybersecurity threats.
Some important aspects of 23 NYCRR Part 500 include:
- Cybersecurity Program Requirements: Covered entities are required to implement and maintain a cybersecurity program designed to protect the confidentiality, integrity, and availability of their information systems.
- Cybersecurity Policy: Entities must adopt a written policy approved by senior management, addressing areas like data governance, asset inventory, access controls, and incident response, among others.
- Chief Information Security Officer (CISO): Covered entities must designate a CISO responsible for overseeing and implementing the cybersecurity program and enforcing its policies.
- Penetration Testing and Vulnerability Assessments: The regulation mandates regular testing and monitoring to identify and mitigate cybersecurity threats and vulnerabilities.
- Risk Assessment: Entities are required to conduct periodic risk assessments to inform the design of the cybersecurity program.
- Multi-Factor Authentication (MFA): MFA is required for any individual accessing the entity’s internal networks unless specific compensating controls can be justified.
- Training and Monitoring: Regular cybersecurity awareness training for all personnel is mandatory, as well as ongoing monitoring of user activity and detection of unauthorized access.
- Incident Response Plan: Entities must establish a written incident response plan capable of responding to and recovering from cybersecurity events to mitigate any negative impacts.
- Annual Certification of Compliance: Entities must annually file a certification of compliance, signed by the CISO and the top executive.
Updates to Part 500 in 2023 introduced stricter requirements, such as enhanced roles for CISOs, which include mandatory annual reporting to the board, improved access controls, a written password policy aligned with industry standards, and a business continuity and disaster recovery plan. These amendments also expand the definition and requirements of risk assessments and emphasize the importance of cybersecurity in the corporate governance framework. The revised regulation mandates that covered entities report cybersecurity events more swiftly and in greater detail.
D. Penalties
DFS has the authority to impose penalties as deemed appropriate under the law. Penalties may include monetary sanctions or the requirement that an entity retain an independent consultant to evaluate the entity’s compliance with DFS regulations.[6] DFS may also suspend or revoke an entity’s license to perform virtual currency business activity in New York State “on any ground on which the superintendent might refuse to issue an original license or for failure of the Licensee to pay a judgment relating to the Licensee’s Virtual Currency Business Activity.” DFS imposed a $50 million penalty on Coinbase, a publicly traded cryptocurrency trading exchange based in the United States, for letting customers open accounts without conducting sufficient background checks in violation of anti-money-laundering laws. The settlement also requires Coinbase to invest $50 million to bolster its compliance program.
****
[1] https://www.dfs.ny.gov/industry_guidance/industry_letters/il20230123_guidance_custodial_structures
[2] https://www.nysenate.gov/legislation/laws/BNK; https://www.dfs.ny.gov/virtual_currency_businesses
[3] https://www.dfs.ny.gov/reports_and_publications/press_releases/pr202301231#:~:text=New%20York%E2%80%99s%20virtual%20currency%20regulation%20requires%20entities%20to%2C,deceptive%20representations%20or%20omissions%20in%20their%20marketing%20materials.
[4] https://govt.westlaw.com/nycrr/Document/I85908c68253711e598dbff5462aa3db3?viewType=FullText&originationContext=documenttoc&transitionType=CategoryPageItem&contextData=(sc.Default)
[5] https://govt.westlaw.com/nycrr/Browse/Home/NewYork/NewYorkCodesRulesandRegulations?guid=I5be30d2007f811e79d43a037eefd0011&originationContext=documenttoc&transitionType=Default&contextData=(sc.Default)
[6] https://www.dfs.ny.gov/reports_and_publications/press_releases/pr202208021
****
Carter Ledyard & Milburn LLP uses Client Advisories to inform clients and other interested parties of noteworthy issues, decisions and legislation which may affect them or their businesses. A Client Advisory does not constitute legal advice or an opinion. This document was not intended or written to be used, and cannot be used, for the purpose of (i) avoiding penalties under the Internal Revenue Code or (ii) promoting, marketing or recommending to another party any transaction or matter addressed herein. © 2024 Carter Ledyard & Milburn LLP.