Key Takeaways
- New York is allocating more resources and devoting more attention to the cryptocurrency industry, which will likely result in increased regulatory oversight, potential new rulemaking, significant sanctions for compliance violations, and an increase in its speed of reviewing BitLicense applications.
- A recent consent order, in which bitFlyer USA’s failure to comply with cybersecurity requirements under New York’s Virtual Currency and Cybersecurity Regulations resulted in a $1.2 million penalty, underscores this increasing focus and the potential consequences of noncompliance for licensees.
- Cybersecurity compliance is a fundamental obligation that DFS expects every licensee, including BitLicense holders, to meet without exception.
On May 1, 2023, the New York State Department of Financial Services (DFS or Department) issued a consent order (Consent Order), imposing a $1.2 million fine on bitFlyer USA, a cryptocurrency trading platform and custodial wallet service provider. The Consent Order described various alleged failures by bitFlyer USA to establish and maintain an effective cybersecurity program, as required by the DFS’s Virtual Currency and Cybersecurity Regulations.[1] This marks the third DFS consent order involving a crypto market actor. While the previous two focused on alleged anti-money laundering failures,[2] the bitFlyer USA consent order is significant because it focused exclusively on cybersecurity violations, which remain a DFS priority.
BitLicense Cybersecurity Requirements
DFS is the primary regulator of financial services in New York State, including licensing and overseeing financial institutions within the state. In 2014, DFS proposed rules and regulations requiring businesses engaged in certain cryptocurrency activities in the state to apply for a “BitLicense” through DFS (23 NYCRR Part 200, the “Virtual Currency Regulation”).[3] In response to concerns from businesses subject to the BitLicense requirement, DFS subsequently revised its practices with respect to BitLicense applications in 2020.[4] New York State’s Cybersecurity Regulation, 23 NYCRR 500, became effective in 2017.
Businesses seeking to obtain a BitLicense from DFS must undergo an application process that includes a comprehensive review of the applicant’s business, compliance program, personnel, security measures, and accounting.[5] Among other requirements, under New York’s Virtual Currency and Cybersecurity Regulations, BitLicense licensees are required to establish and maintain cybersecurity programs that are designed to protect the confidentiality, integrity, and availability of their information systems, as well as any nonpublic information contained within those systems.[6] The Cybersecurity Regulations require entities like bitFlyer USA to “conduct periodic risk assessment[s] as necessary to address changes to [its] information systems, [nonpublic information], or business operations.”[7] Under the Virtual Currency Regulation, BitLicense holders are required to establish and maintain “an effective cybersecurity program to ensure the availability and functionality of the licensee’s electronic systems and to protect those systems and any sensitive data stored on those systems from unauthorized access, use, or tampering.”[8]
DFS’s Examination and Findings Regarding bitFlyer USA
bitFlyer USA was granted a BitLicense on November 27, 2017. DFS conducted examinations of bitFlyer USA in 2018 and 2020. Over the course of its examination period, DFS found that bitFlyer “failed to meet its regulatory obligations both by failing to fully comply with the Department’s Cybersecurity Regulation and by failing to establish and maintain an effective cybersecurity program via the implementation of written policies, as required by the Virtual Currency Regulation.” The Consent Order cited the following specific compliance deficiencies during the time period of the DFS examinations:
- Failure to perform periodic assessments of internal and external cybersecurity risks and threats, and improper reliance on an information technology audit in place of a cybersecurity risk assessment; and
- Failure to implement a cybersecurity program designed “to protect its electronic systems, and the information stored on those systems from unauthorized access, use, or other malicious acts” because its written cybersecurity policy was not approved by its board of directors or tailored to its organizational structure and associated risks.
According to the Consent Order, during the course of the DFS investigation, bitFlyer USA performed a comprehensive review of its current compliance programs with respect to the Virtual Currency and Cybersecurity Regulations. Based on this review, bitFlyer USA presented a remediation plan designed to bring bitFlyer USA into compliance by December 31, 2023. DFS approved the remediation plan, which requires quarterly progress reports to DFS. Notably, the $1.2 million penalty credits bitFlyer USA for its cooperation and remediation efforts, indicating DFS could have levied an even larger civil penalty for these violations.
New York’s Increased Focus on Cryptocurrency Businesses
Recent events indicate cryptocurrency businesses operating in New York State should take steps to prepare for increased oversight, and potentially new laws or regulations governing their activities. On April 25, in testimony before the New York State Senate Standing Committee on Banks, Virtual Currency Chief Peter Marton said DFS is increasing the resources allocated to regulation and oversight of the cryptocurrency industry,[9] including strengthening its licensing program, increasing staff, and implementing new technology, with the goal of protecting both cryptocurrency businesses and their customers.[10] The increased staff is also expected to increase the speed at which BitLicense applications are reviewed. Virtual Currency Chief Marton testified that DFS has approved only four licenses in the past 15 months and that the BitLicense queue “remains high,” and that since his appointment in January 2022, more than 40 examiner-trainees have been added to the virtual currency unit. He further testified that the “most important consumer protection is often not one written in the black and white letter of the law, but to have a nimble regulator who understands the space and has the flexibility and agility to respond to industry developments as they arise.”
Additionally, on May 5, the New York Attorney General independently announced new proposed legislation that would increase oversight of the cryptocurrency industry, provide the Attorney General with broader enforcement authority, and codify the DFS’s authority to license participants in the industry.[11] The Crypto Regulation, Protection, Transparency, and Oversight Act (CRPTO Act) “seeks to protect New York investors by bringing regulations and oversight that are applied to other financial services to the cryptocurrency industry” as well as address other issues unique to the industry. Among other things, the CRPTO Act would seek to (1) stop conflicts of interest by placing certain prohibitions on specific industry players such as marketplaces, issuers, and brokers; (2) require public reporting of financial statements by cryptocurrency companies; and (3) bolster investor protections by enacting “know-your-customer” provisions and “banning the use of the term ‘stablecoin’” unless a digital asset is backed 1:1 with U.S. currency or other high-quality assets as defined by federal regulations. Through the bill, the Attorney General’s Office also seeks discretion to enforce cryptocurrency firms’ violations, including the power to issue subpoenas, impose civil penalties, and shutter those businesses that engage in fraud and illegality. In particular, the proposed penalties for violations under the bill are $10,000 per violation per individual and $100,000 per violation per firm as well as restitution, damages, and penalties. Given all this, the proposed CRPTO Act further demonstrates the increased focus on regulating cryptocurrency activities in New York State.
Conclusion
As New York regulators work to strengthen and proactively evolve virtual currency regulation, digital asset businesses operating in New York should ensure that their cybersecurity programs comply with the requirements of New York’s Virtual Currency and Cybersecurity Regulations or risk facing substantial penalties. BitLicense licensees and applicants should establish an ongoing working relationship with DFS and focus on the continuous improvement of their compliance programs, especially as new risks and regulatory priorities arise in the fast-paced cryptocurrency market. Additionally, as New York lawmakers consider new proposed laws and regulations, cryptocurrency market actors should understand the implications for their businesses and consider taking proactive steps to engage with lawmakers to educate them on potential unintended consequences of proposed regulation and prepare for new requirements.
[1] https://www.dfs.ny.gov/system/files/documents/2023/05/ea20230502_bitflyer_usa_inc.pdf
[2] The first such consent order was published on August 1, 2022, between DFS and a large consumer trading platform. BakerHostetler, New York State Department of Financial Services Publishes First Crypto Industry Consent Order (Aug. 11, 2022), https://www.bakerlaw.com/alerts/new-york-department-of-financial-services-publishes-first-crypto-industry-consent-order. The second consent order was published on January 4, 2023, between DFS and a crypto exchange. BakerHostetler, US Crypto Exchange Consents to $100M DFS Settlement for AML Compliance Failures (Jan. 12, 2023), https://www.bakerlaw.com/alerts/us-crypto-exchange-consents-100m-dfs-settlement-aml-compliance-failures.
[3] BakerHostetler, The Empire Strikes Back: New York Proposes Rules for Virtual Currency (Aug. 7, 2014), https://www.bakerlaw.com/alerts/the-empire-state-strikes-back-new-york-proposes-rules-for-virtual-currency
[4] https://www.dfs.ny.gov/industry_guidance/industry_letters/il20200624_notice_vc_busact_lic_app_procedure
[5] Public Hearing to Educate Legislators and the Public on Cryptocurrency, Discuss Regulation of FinTech Companies, and Discuss FinTech Licensing Legislation, S.1450 (N.Y. April 25, 2023) (testimony of Deputy Superintendent Peter Marton), available at https://www.youtube.com/watch?v=Jlq1IPrzAuQ
[6] Consent Order, In the matter of bitFlyer USA Inc. (May 1, 2023), https://www.dfs.ny.gov/system/files/documents/2023/05/ea20230502_bitflyer_usa_inc.pdf; see 23 NYCRR 500.02.
[7] Consent Order, supra note 6; see 23 NYCRR 500.09(a).
[8] Consent Order, supra note 6; see 23 NYCRR 200.16.
[9] Public Hearing to Educate Legislators and the Public on Cryptocurrency, Discuss Regulation of FinTech Companies, and Discuss FinTech Licensing Legislation, S.1450 (N.Y. April 25, 2023) (testimony of Deputy Superintendent Peter Marton), available at https://www.youtube.com/watch?v=Jlq1IPrzAuQ
[10] Public Hearing to Educate Legislators and the Public on Cryptocurrency, Discuss Regulation of FinTech Companies, and Discuss FinTech Licensing Legislation, S.1450 (N.Y. April 25, 2023) (testimony of Deputy Superintendent Peter Marton), available at https://www.youtube.com/watch?v=Jlq1IPrzAuQ
[11] N.Y. Attorney General, Press Release, Attorney General James Proposes Nation-Leading Regulations on Cryptocurrency Industry (May 5, 2023), available at https://ag.ny.gov/press-release/2023/attorney-general-james-proposes-nation-leading-regulations-cryptocurrency