The New York State Department of Financial Services (DFS) proposed guidance that will ease the approval for companies licensed for virtual currency business in New York to offer new types of virtual currencies.
Licensed companies with approved coin listing policies will be able to create risk assessment processes to self-certify the listing of new assets.
Comments on the proposed DFS guidance are due on January 27, 2020.

On December 11, 2019, DFS published a proposal to create a public list of approved virtual currencies and a self-certification methodology for holders of NY Bitlicenses and New York trust companies approved to engaged in a virtual currency business (together, VC Licensees) to offer to New York consumers virtual currencies without the need for additional approvals of the DFS.

The DFS proposal, if adopted, would be a significant step at the state regulatory level toward treating digital assets in a manner commensurate with other more traditional financial assets. Until now, most regulatory activity at the state level has related to the approval of licenses or charters for different types of digital asset providers or the regulatory definition of digital assets. For example, the Conference of State Bank Supervisors has proposed a model law to define money and virtual currency, and Arizona, Utah, Wyoming and Colorado have adopted fintech sandboxes that extend to virtual currency providers. The DFS proposal, in contrast, attempts to create a regulatory framework more similar to that of other banking, securities and commodities products, in that VC Licensees can develop their own listing policies and, once a policy is approved by DFS, the VC Licensee will be able to self-certify new digital products offered in New York.

The DFS proposal has two components. First, DFS will maintain a webpage that will contain a list of approved digital coins. Without any additional approval of DFS, a VC Licensee could broker, sell, exchange, custody or conduct other business with respect to the coins on that list. The initial list is expected to include: Bitcoin, Bitcoin Cash, Ether, Ether Classic, Litecoin, Ripple, Paxos Standard and Gemini Dollar. Second, DFS has proposed that VC Licensees could self-certify the listing or adoption of new digital coins (with notice to DFS but without additional DFS approvals) as long as the VC Licensee has adopted a tailored coin listing or adoption policy that has been approved by DFS. VC Licensees that have not had such a policy approved will still be required to get DFS approval for any coin other than those listed on the DFS website.

The policy must include robust procedures that comprehensively address all steps involved in the internal review and approval of virtual currencies. Notably, the framework requires that the risk assessment procedures described below are subject to an external audit. The policy should be tailored to the business model, operations, customers and counterparties, geographies of operations, service providers, and the use, purpose and specific features of the digital coins being considered. The following are components of a coin listing policy:

  1. Governance: The Board of directors or equivalent governing body of the VC Licensee must approve the coin listing policy and each new coin being offered. Governance decisions must be free from conflicts of interest and documented, including keeping records of the decision makers and all documents reviewed, such as the legal, compliance, cybersecurity, and operations teams of the licensee, including an assessment of all associated risks;
  2. Risk Assessment: The listing policy must require a risk assessment of each new coin. First, adequate due diligence must be conducted to ensure that each new coin is created or issued by a reputable entity for legitimate purposes and must specifically determine that the coin was not designed in a manner that evades compliance with applicable laws and regulations, such as anti-money laundering laws. The VC Licensee must then consider all of the following in its formal, written risk assessment of the new coin: (i) operational risks posed by the new coin; (ii) the need for technological or systems enhancements or modifications to ensure timely adoption or listing of each new coin; (iii) technological risks, including those relating to cyber security, theft, code defects and other breaches; (iv) market risks, including concentration of coin holdings or control by a small number of individuals or entities, price manipulation and fraud; (v) regulatory risks of potential non-compliance with DFS supervisory and capital requirements and requirements of relevant federal regulatory bodies; and (vi) other legal risks associated with pending or potential regulatory, criminal, or enforcement actions relating to the issuance, distribution, or use of the new coin, such as actions relating to coins that may facilitate the obfuscation or concealment of the identity of a customer or counterparty, or coins used to circumvent laws and regulations; and
  3. Monitoring: Coin listing policies must specifically define the kinds of processes and procedures that will be implemented to effectively monitor the performance of each new coin, which address risks identified during the risk assessment. In addition, the policy must require a periodic review of whether there are material changes to the coin or the control environment and establish basic de-listing procedures in the situation where the coin’s risks become too great that include notice to affected customers and all affected counterparties.

DFS is seeking comments on its proposed guidance by January 27, 2020.