Section 200.1 Introduction
Section 200.2 Definitions
Section 200.3 License
Section 200.4 Application
Section 200.5 Application fees
Section 200.6 Action by superintendent
Section 200.7 Compliance
Section 200.8 Capital requirements
Section 200.9 Custody and protection of customer assets
Section 200.10 Material change to business
Section 200.11 Change of control; mergers and acquisitions
Section 200.12 Books and records
Section 200.13 Examinations
Section 200.14 Reports and financial disclosures
Section 200.15 Anti-money laundering program
Section 200.16 Cyber security program
Section 200.17 Business continuity and disaster recovery
Section 200.18 Advertising and marketing
Section 200.19 Consumer protection
Section 200.20 Complaints
Section 200.21 Transitional period
This Part contains regulations relating to the conduct of business involving Virtual Currency, as defined herein, in accordance with the superintendent’s powers pursuant to the above-stated authority.
For purposes of this Part only, the following definitions shall apply:
have a centralized repository or administrator;
are decentralized and have no centralized repository or administrator; or
may be created or obtained by computing or manufacturing effort. Virtual Currency shall not be construed to include digital units that are used solely within online gaming platforms with no market or application outside of those gaming platforms, nor shall Virtual Currency be construed to include digital units that are used exclusively as part of a customer affinity or rewards program, and can be applied solely as payment for purchases with the issuer and/or other designated merchants, but cannot be converted into, or redeemed for, Fiat Currency;
receiving Virtual Currency for transmission or transmitting the same;
securing, storing, holding, or maintaining custody or control of Virtual Currency on behalf of others;
buying and selling Virtual Currency as a customer business;
performing retail conversion services, including the conversion or exchange of Fiat Currency or other value into Virtual Currency, the conversion or exchange of Virtual Currency into Fiat Currency or other value, or the conversion or exchange of one form of Virtual Currency into another form of Virtual Currency; or
controlling, administering, or issuing a Virtual Currency.
Statutory Authority: Financial Services Law, sections 102, 201, 301, and 302
Persons that are chartered under the New York Banking Law to conduct exchange services and are approved by the superintendent to engage in Virtual Currency Business Activity; and
merchants and consumers that utilize Virtual Currency solely for the purchase or sale of goods or services.
Statutory Authority: Financial Services Law, sections 102, 201, 301, and 302
the exact name of the applicant, including any doing business as (DBA) name, the form of organization, the date of organization, and the jurisdiction where organized or incorporated;
a list of all of the applicant’s Affiliates and an organization chart illustrating the relationship among the applicant and such Affiliates;
a list of, and detailed biographical information for, each individual applicant and each director, Principal Officer, Principal Stockholder, and Principal Beneficiary of the applicant, as applicable, including such individual’s name, physical and mailing addresses, and information and documentation regarding their personal history, experience, and qualification, which shall be accompanied by a form of authority, executed by such individual, to release information to the Department;
a background report prepared by an independent investigatory agency acceptable to the superintendent for each individual applicant, and each Principal Officer, Principal Stockholder, and Principal Beneficiary of the applicant, as applicable;
for each individual applicant, and each Principal Officer, Principal Stockholder, and Principal Beneficiary of the applicant, as applicable, and for all individuals to be employed by the applicant:
a set of completed fingerprints, or a receipt indicating the vendor (which vendor must be acceptable to the superintendent) at which, and the date when, the fingerprints were taken, for submission to the State Division of Criminal Justice Services and the Federal Bureau of Investigation;
if applicable, such processing fees as prescribed by the superintendent; and
two portrait-style photographs of the individuals measuring not more than two inches by two inches;
an organization chart of the applicant and its management structure, including its Principal Officers or senior management, indicating lines of authority and the allocation of duties among its Principal Officers or senior management;
a current financial statement for the applicant and each Principal Officer, Principal Stockholder, and Principal Beneficiary of the applicant, as applicable, and a projected pro forma balance sheet and income and expense statement for the next year of the applicant’s operation;
a description of the proposed, current, and historical business of the applicant, including detail on the products and services provided and to be provided, all associated website addresses, the jurisdictions in which the applicant is engaged in business, the principal place of business, the primary market of operation, the projected customer base, any specific marketing targets, and the physical address of any operation in New York;
details of all banking arrangements;
all written policies and procedures, including those required by this Part;
an affidavit describing any administrative, civil, or criminal action, litigation, or proceeding before any governmental agency, court, or arbitration tribunal and any existing, pending, or threatened action, litigation, or proceeding against the applicant or any of its directors, Principal Officers, Principal Stockholders, and Principal Beneficiaries, as applicable, including the names of the parties, the nature of the proceeding, and the current status of the proceeding;
if applicable, a copy of any insurance policies maintained for the benefit of the applicant, its directors or officers, or its customers;
an explanation of the methodologies used to calculate the value of Virtual Currency in Fiat Currency; and
such other additional information as the superintendent may require.
Statutory authority: Financial Services Law, sections 102, 201, 202, 301, and 302
Statutory authority: Financial Services Law, sections 202, 206, 301, 302, and 304-a; State Administrative Procedures Act, section 102
Statutory Authority: Financial Services Law, sections 102, 301, 302, 305, and 309
Statutory Authority: Financial Services Law, sections 102, 301, and 302
the composition of the Licensee’s total assets, including the position, size, liquidity, risk exposure, and price volatility of each type of asset;
the composition of the Licensee’s total liabilities, including the size and repayment timing of each type of liability;
the actual and expected volume of the Licensee’s Virtual Currency Business Activity;
whether the Licensee is already licensed or regulated by the superintendent under the Financial Services Law, Banking Law, or Insurance Law, or otherwise subject to such laws as a provider of a financial product or service, and whether the Licensee is in good standing in such capacity;
the amount of leverage employed by the Licensee;
the liquidity position of the Licensee; and
the financial protection that the Licensee provides for its customers through its trust account or bond.
Statutory Authority: Financial Services Law, sections 102, 202, 301, and 302
Statutory Authority: Financial Services Law, sections 102, 202, 301, and 302
a change is proposed to an existing product, service, or activity that may cause such product, service, or activity to be materially different from that previously listed on the application for licensing by the superintendent;
the proposed change may raise a legal or regulatory issue about the permissibility of the product, service, or activity; or
the proposed change may raise safety and soundness or operational concerns.
Statutory Authority: Financial Services Law, sections 102, 202, 301, and 302
Prior to any change of control, the Person seeking to acquire control of a Licensee shall submit a written application to the superintendent in a form and substance acceptable to the superintendent, including detailed information about the applicant and all directors, Principal Officers, Principal Stockholders, and Principal Beneficiaries of the applicant, as applicable.
For purposes of this Section, the term “control” means the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of a Licensee whether through the ownership of stock of such Licensee or the stock of any Person that possesses such power. Control shall be presumed to exist if a Person, directly or indirectly, owns, controls, or holds with power to vote ten percent or more of the voting stock of a Licensee or of any Person that owns, controls, or holds with power to vote ten percent or more of the voting stock of such Licensee.
The superintendent shall approve or deny every application for a change of control of a Licensee hereunder within 120 days from the filing of an application deemed by the superintendent to be complete. Such period of 120 days may be extended by the superintendent, for good cause shown, for such additional reasonable period of time as may be required to enable compliance with the requirements and conditions of this Part.
In determining whether to approve a proposed change of control, the superintendent shall, among other factors, take into consideration the public interest and the needs and convenience of the public.
Prior to any such merger or acquisition, an application containing a written plan of merger or acquisition shall be submitted to the superintendent by the entities that are to merge or by the acquiring entity, as applicable. Such plan shall be in form and substance satisfactory to the superintendent, and shall specify each entity to be merged, the entity that is to receive into itself the merging entity, or the entity acquiring all or substantially all of the assets of the Licensee, as applicable, and shall describe the terms and conditions of the merger or acquisition and the mode of carrying it into effect.
The superintendent shall approve or deny a proposed merger or a proposed acquisition of all or a substantial part of the assets of a Licensee within 120 days after the submission of the proposed plan to the Department. Such period of 120 days may be extended by the superintendent, for good cause shown, for such additional reasonable period of time as may be required to enable compliance with the requirements and conditions of this Part.
In determining whether to so approve a proposed merger or acquisition, the superintendent shall, among other factors, take into consideration the public interest and the needs and convenience of the public.
Statutory authority: Financial Services Law, sections 102, 202, 301, and 302
for each transaction, the amount, date, and precise time of the transaction, any payment instructions, the total amount of fees and charges received and paid to, by, or on behalf of the Licensee, and the names, account numbers, and physical addresses of the parties to the transaction;
a general ledger containing all assets, liabilities, capital, income, expense accounts, and profit and loss accounts;
bank statements and bank reconciliation records;
any statements or valuations sent or provided to customers and counterparties;
records or minutes of meetings of the board of directors or an equivalent governing body;
records demonstrating compliance with applicable state and federal anti-money laundering laws, rules, and regulations, including customer identification and verification documents, records linking customers to their respective accounts and balances, and a record of all compliance breaches;
communications and documentation related to investigations of customer complaints and transaction error resolution or concerning facts giving rise to possible violations of laws, rules, or regulations;
all other records required to be maintained in accordance with this Part; and
all other records as the superintendent may require.
Statutory authority: Financial Services Law, sections 102, 202, 301, 302, and 306
the financial condition of the Licensee;
the safety and soundness of the conduct of its business;
the policies of its management;
whether the requirements of laws, rules, and regulations have been complied with in the administration of its affairs; and
such other matters as the superintendent may determine, including, but not limited to, any activities of the Licensee outside the State of New York if in the opinion of the superintendent such activities may affect the Licensee's business involving New York or New York Residents.
Statutory authority: Financial Services Law, sections 102, 202, 301, and 302
a statement of the financial condition of the Licensee, including a complete balance sheet, income statement, profit and loss statement, statement of retained earnings, statement of net liquid assets, statement of net worth, statement of cash flows, and statement of change in ownership equity;
a statement demonstrating compliance with any financial requirements established under this Part;
financial projections and strategic business plans;
a list of all off-balance sheet items;
a chart of accounts, including a description of each account; and
a report of permissible investments by the Licensee as permitted under this Part.
a statement of management’s responsibilities for preparing the Licensee’s annual financial statements, establishing and maintaining adequate internal controls and procedures for financial reporting, and complying with all applicable laws, rules, and regulations;
an assessment by management of the Licensee’s compliance with such applicable laws, rules, and regulations during the fiscal year covered by the financial statements, including management’s conclusion as to whether the Licensee has complied with those laws, rules, and regulations during such period; and
certification of the financial statements by an officer or director of the Licensee attesting to the truth and correctness of those statements.
Statutory authority: Financial Services Law, sections 102, 202, 301, 302, and 306
All values in United States dollars referenced herein must be calculated using the methodology to determine the value of Virtual Currency in Fiat Currency that was approved by the Department under this Part.
provide for a system of internal controls, policies, and procedures designed to ensure ongoing compliance with all applicable anti-money laundering laws, rules, and regulations;
provide for independent testing for compliance with, and the effectiveness of, the anti-money laundering program to be conducted by qualified personnel of the Licensee or by a qualified outside party, at least annually, the findings of which shall be summarized in a written report submitted to the superintendent;
designate a qualified individual or individuals in compliance responsible for coordinating and monitoring day-to-day compliance with the anti-money laundering program; and
provide ongoing training for appropriate personnel to ensure they have a fulsome understanding of anti-money laundering requirements and to enable them to identify transactions required to be reported and maintain records required to be kept in accordance with this Part.
Records of Virtual Currency transactions. Each Licensee shall maintain the following information for all transactions involving the payment, receipt, exchange or conversion, purchase, sale, transfer, or transmission of Virtual Currency: the identity and physical addresses of the parties involved, the amount or value of the transaction, including in what denomination purchased, sold, or transferred, the method of payment, the date(s) on which the transaction was initiated and completed, and a description of the transaction.
Reports on transactions. When a Licensee is involved in a transaction or series of transactions for the receipt, exchange, conversion, purchase, sale, transfer, or transmission of Virtual Currency, in an aggregate amount exceeding the United States dollar value of $10,000 in one day, by one Person, the Licensee shall notify the Department, in a manner prescribed by the superintendent, within 24 hours.
Reporting of Suspicious Activity. Each Licensee shall monitor for transactions that might signify money laundering, tax evasion, or other illegal or criminal activity and notify the Department, in a manner prescribed by the superintendent, immediately upon detection of such a transaction(s).
Each Licensee shall file Suspicious Activity Reports (“SARs”) in accordance with applicable federal laws, rules, and regulations.
Each Licensee that is not required to file SARs under federal law shall file with the superintendent, in a form prescribed by the superintendent, reports of transactions that indicate a possible violation of law or regulation within 30 days from the detection of the facts that constitute a need for filing. Continuing suspicious activity shall be reviewed on an ongoing basis and a suspicious activity report shall be filed within 120 days of the last filing describing continuing activity.
Identification and verification of account holders. When opening an account for a customer, each Licensee must, at a minimum, verify the customer’s identity, to the extent reasonable and practicable, maintain records of the information used to verify such identity, including name, physical address, and other identifying information, and check customers against the Specially Designated Nationals (“SDNs”) list maintained by the Office of Foreign Assets Control (“OFAC”), a part of the U.S. Treasury Department. Enhanced due diligence may be required based on additional factors, such as for high risk customers, high-volume accounts, or accounts on which a suspicious activity report has been filed.
Enhanced due diligence for accounts involving foreign entities. Licensees that maintain accounts for non-U.S. Persons and non-U.S. Licensees must establish enhanced due diligence policies, procedures, and controls to detect money laundering, including assessing the risk presented by such accounts based on the nature of the foreign business, the type and purpose of the activity, and the anti-money laundering and supervisory regime of the foreign jurisdiction.
Prohibition on accounts with foreign shell entities. Licensees are prohibited from maintaining relationships of any type in connection with their Virtual Currency Business Activity with entities that do not have a physical presence in any country.
Identification required for large transactions. Each Licensee must require verification of accountholders initiating transactions having a value greater than $3,000.
Monitor changes in anti-money laundering laws, including updated OFAC and SDN lists, and update the program accordingly;
Maintain all records required to be maintained under this Section;
Review all filings required under this Section before submission;
Escalate matters to the board of directors, senior management, or appropriate governing body and seek outside counsel, as appropriate;
Provide periodic reporting, at least annually, to the board of directors, senior management, or appropriate governing body; and
Ensure compliance with relevant training requirements.
Statutory authority: Financial Services Law, sections 201, 202, 302, and 404
(1) identify internal and external cyber risks by, at a minimum, identifying the information stored on the Licensee’s systems, the sensitivity of such information, and how and by whom such information may be accessed;
(2) protect the Licensee’s electronic systems, and the information stored on those systems, from unauthorized access, use, or other malicious acts through the use of defensive infrastructure and the implementation of policies and procedures;
(3) detect systems intrusions, data breaches, unauthorized access to systems or information, malware, and other Cyber Security Events;
(4) respond to detected Cyber Security Events to mitigate any negative effects; and
(5) recover from Cyber Security Events and restore normal operations and services.
information security;
data governance and classification;
access controls;
business continuity and disaster recovery planning and resources;
capacity and performance planning;
systems operations and availability concerns;
systems and network security;
systems and application development and quality assurance;
physical security and environmental controls;
customer data privacy;
vendor and third-party service provider management;
monitoring and implementing changes to core protocols not directly controlled by the Licensee, as applicable; and
incident response.
Penetration testing. Each Licensee shall conduct penetration testing of its electronic systems, at least annually, and vulnerability assessment of those systems, at least quarterly.
Audit trail. Each Licensee shall maintain audit trail systems that:
track and maintain data that allows for the complete and accurate reconstruction of all financial transactions and accounting;
protect the integrity of data stored and maintained as part of the audit trail from alteration or tampering;
protect the integrity of hardware from alteration or tampering, including by limiting access permissions to hardware, enclosing hardware in locked cages, and maintaining logs of physical access to hardware that allows for event reconstruction;
log system events including, at minimum, access and alterations made to the audit trail systems by the systems or by an authorized user, and all system administrator functions performed on the systems; and
maintain records produced as part of the audit trail for a period of ten years in accordance with the recordkeeping requirements set forth in this Part.
Source code reviews. Each Licensee shall have an independent, qualified third party conduct a source code review of any internally developed proprietary software used in the Licensee’s business operations, at least annually.
employ cyber security personnel adequate to manage the Licensee’s cyber security risks and to perform the core cyber security functions specified in Subsection 200.16(a)(1)-(5);
provide and require cyber security personnel to attend regular cyber security update and training sessions; and
require key cyber security personnel to take steps to stay abreast of changing cyber security threats and countermeasures.
Statutory Authority: Financial Services Law, sections 102, 202, 301, and 302
identify documents, data, facilities, infrastructure, personnel, and competencies essential to the continued operations of the Licensee’s business;
identify the supervisory personnel responsible for implementing each aspect of the BCDR plan;
include a plan to communicate with essential Persons in the event of an emergency or other disruption to the operations of the Licensee, including employees, counterparties, regulatory authorities, data and communication providers, disaster recovery specialists, and any other Persons essential to the recovery of documentation and data and the resumption of operations;
include procedures for the maintenance of back-up facilities, systems, and infrastructure as well as alternative staffing and other resources to enable the timely recovery of data and documentation and to resume operations as soon as reasonably possible following a disruption to normal business activities;
include procedures for the back-up or copying, with sufficient frequency, of documents and data essential to the operations of the Licensee and storing of the information off site; and
identify third parties that are necessary to the continued operations of the Licensee’s business.
Statutory Authority: Financial Services Law, sections 102, 202, 301, and 302
Statutory authority: Financial Services Law, sections 102, 202, 301, and 302
virtual currency is not legal tender, is not backed by the government, and accounts and value balances are not subject to Federal Deposit Insurance Corporation or Securities Investor Protection Corporation protections;
legislative and regulatory changes or actions at the state, federal, or international level may adversely affect the use, transfer, exchange, and value of Virtual Currency;
transactions in Virtual Currency are generally irreversible, and, accordingly, losses due to fraudulent or accidental transactions may not be recoverable;
some Virtual Currency transactions shall be deemed to be made when recorded on a “block chain” ledger, which is not necessarily the date or time that the customer initiates the transaction;
the value of Virtual Currency is derived from the continued willingness of market participants to exchange Fiat Currency for Virtual Currency, which may result in the potential for permanent and total loss of value of a particular Virtual Currency should the market for that Virtual Currency disappear;
there is no assurance that a Person who accepts a Virtual Currency as payment today will continue to do so in the future;
the volatility and unpredictability of the price of Virtual Currency relative to Fiat Currency may result in significant loss or tax liability over a short period of time;
the nature of Virtual Currency may lead to an increased risk of fraud or cyber attack;
the nature of Virtual Currency means that any technological difficulties experienced by the Licensee may prevent the access or use of a customer’s Virtual Currency; and
any bond or trust account for the benefit of customers may not be sufficient to cover any and all losses incurred by customers.
the customer’s liability for unauthorized Virtual Currency transactions;
the customer’s right to stop payment of a preauthorized Virtual Currency transfer and the procedure to initiate such a stop-payment order;
the Licensee’s liability to the customer under any applicable federal or state laws, rules, or regulations;
under what circumstances the Licensee will, absent a court or government order, disclose information concerning the customer’s account to third parties;
the customer’s right to receive periodic account statements and valuations from the Licensee;
the customer’s right to receive a receipt, trade ticket, or other evidence of a transaction;
the customer’s right to prior notice of a change in the Licensee’s rules or policies; and
such other disclosures as are customarily given in connection with the opening of customer accounts.
the amount of the transaction;
any fees, expenses, and charges borne by the customer, including applicable exchange rates;
the type and nature of the Virtual Currency transaction;
a warning that once executed the transaction may not be undone, if applicable; and
such other disclosures as are customarily given in connection with a transaction of this nature.
the name and contact information of the Licensee, including a telephone number established by the Licensee to answer questions and register complaints;
the type, value, date, and precise time of the transaction;
the fee charged;
the exchange rate, if applicable;
a statement of the liability of the Licensee for non-delivery or delayed delivery;
a statement of the refund policy of the Licensee; and
any additional information the superintendent may require.
the identification and assessment of fraud-related risk areas;
procedures and controls to protect against identified risks;
allocation of responsibility for monitoring risks; and
procedures for the periodic evaluation and revision of the anti-fraud procedures, controls, and monitoring mechanisms.
Statutory Authority: Financial Services Law, sections 102, 201, 202, 301, 302, 306, and 404
the Licensee’s mailing address, email address, and telephone number for the receipt of complaints;
a statement that the complainant may also bring his or her complaint to the attention of the Department;
the Department’s mailing address, website, and telephone number; and
such other information as the superintendent may require.
Statutory authority: Financial Services Law, sections 102, 201, 202, 301, and 302
A Person already engaged in Virtual Currency Business Activity must apply for a license in accordance with this Part within 45 days of the effective date of this regulation. In doing so, such applicant shall be deemed in compliance with the licensure requirements of this Part until it has been notified by the superintendent that its application has been denied, in which case it shall immediately cease operation in this state. Any Person engaged in Virtual Currency Business Activity that fails to submit an application for a license within 45 days of the effective date of this regulation shall be deemed to be conducting unlicensed Virtual Currency Business Activity.
Statutory authority: Financial Services Law, sections 202, 206, 302, 303, 305, 306, 309, 404, and 408; Executive Law, section 63.