NYDFS Expands Scope of Virtual Currency Prior Approval Requirement

On December 15, 2022, the New York Department of Financial Services (NYDFS) released immediately effective guidance that updates its expectations for banking organizations engaging in virtual currency activity. The guidance expands the scope of activities that require prior approval from the NYDFS and outlines its approval request process and evaluation criteria. The guidance applies to all New York-regulated banking organizations, including branches and agencies of foreign banking organizations licensed by the NYDFS (“Covered Institutions”). It directs Covered Institutions that currently engage in virtual currency-related activities to promptly notify their NYDFS contact if they have not already done so.

What Changed?

Under the NYDFS’s BitLicense law,[1] Covered Institutions that receive prior approval from the NYDFS before engaging in “virtual currency business activity” are exempt from licensure. Under the new guidance, however, prior NYDFS approval is required for virtual currency-related activity, which encompasses a wider range of activity than virtual currency business activity. Thus, NYDFS approval may be required even for virtual currency activity that does not trigger a BitLicense requirement. The difference between virtual currency business activity and virtual currency-related activity is discussed in greater detail below.

Prior approval is now required from the NYDFS to engage in any: (i) new virtual currency-related activity; and (ii) additional virtual currency-related activity that is significantly different from the virtual currency-related activity in which a Covered Institution is currently engaged. Covered Institutions should consider the virtual currency activities they perform or support to determine whether further engagement with the NYDFS is required.

What’s the Difference Between Virtual Currency Business Activity and Virtual Currency-Related Activity?

Virtual currency business activity includes four specific types of activities, which generally include: (i) virtual currency money transmission; (ii) holding virtual currency on behalf of others; (iii) buying and selling virtual currency as a customer business; and (iv) performing virtual currency exchange services as a customer business.[2]

Virtual currency-related activity is broader, encompassing all virtual currency business activity and “the direct or indirect offering or performance of any other product, service, or activity involving [virtual currency] that may raise safety and soundness concerns for the Covered Institution or that may expose New York customers of the Covered Institution or other users of the product or service to risk of harm.” The guidance provides a non-exclusive list of examples of virtual currency-related activity, which include:

1. Offering digital wallet services to customers;[3]
2. Lending activities collateralized by virtual currency assets;
3. Activities in which a Covered Institution facilitates its own customers’ participation in virtual currency exchanges or trading;
4. Services related to stablecoins, including providing stablecoin reserve services for stablecoin issuers; and
5. Engaging in traditional banking activities involving virtual currency through the use of new technology that exposes the Covered Institution to different types of risks.

What Is the Approval Process?

Under the new guidance, a Covered Institution is expected to submit a request to the NYDFS at least 90 days before it intends to commence a new or significantly different virtual currency-related activity. This includes virtual currency activity performed by or through a third-party service provider.  In evaluating a request, the NYDFS will assess the scope of the Covered Institution’s proposed activities, and any impact on the institution’s safety and soundness, including implications for New York customers and other users of the proposed product or service.  Covered Institutions are expected to submit detailed information about the proposed activity, including:

1. Business Plan: Among other information, the NYDFS asks for information on the expected phases, business rationale for the activity, enterprise-wide risk management framework, any third-party service providers and related service-level agreements, potential effects on users, and a comprehensive risk assessment and risk monitoring framework for the proposed activity.
2. Risk Management: NYDFS requests an explanation of the enterprise-wide risk management framework to identify, measure, monitor, and control all related risks, in line with the Covered Institution’s board-approved risk appetite. Among other risks, this information should address credit, market, capital, liquidity, and cybersecurity risks.
3. Corporate Governance and Oversight: NYDFS asks to review the corporate governance framework applicable to the proposed activity, including, e.g., an explanation of the board and senior management’s awareness and understanding of the associated risks and a designated board member responsible for the ongoing oversight of assessment and management of the risks.
4. Consumer Protection: Consumer protection is a key concern for the NYDFS, and the NYDFS expects applications to include an analysis of any impact on customers and other users. Covered Institutions should provide their customer protection policies and procedures and sample agreements applicable to customers and other users.
5. Financials: The Covered Institution should explain the anticipated impact of the proposed activity on its own capital and liquidity.
6. Legal and Regulatory Analysis: Finally, the request should include analysis of the permissibility of the proposed activity and any potential legal risks and risk mitigating strategies.

Applicants will be able to provide or cross-reference existing materials, such as materials submitted to federal banking agencies.

Upon receiving a request, the NYDFS will review the materials to establish an expected timeline, and this will be communicated to the Covered Institution. Receiving prior approval for one virtual currency-related activity is not general consent to engage in any virtual currency-related activity, and it does not authorize other Covered Institutions to engage in that activity.

The Bigger Picture

The NYDFS was a pioneer with respect to developing a virtual currency framework when it created the BitLicense regime. The new guidance, which was issued shortly after a high-profile collapse in the virtual currency market, is notable in striking a more holistic and prescriptive approach to the oversight of Covered Institutions’ virtual currency activities. In releasing the new guidance, Superintendent Adrienne Harris emphasized that regulators must communicate the evolution of their regulatory approach in a timely and transparent manner to ensure Covered Institutions remain “resilient and competitive” while ensuring consumer protection. Even though the guidance is final, it is not exhaustive. The NYDFS continues to engage with stakeholders on important issues and will continue to supplement and refine its supervisory framework. Questions regarding the guidance may be directed to any of the authors of this alert.

[1] 23 NYCRR Part 200.

[2] 23 NYCRR § 200.3(c)(1); 23 NYCRR § 200.2(q).

[3] Since the guidance is specific to virtual currency, this example likely refers only to digital wallet services for virtual currency (e.g., Bitcoin or stablecoins) and does not encompass digital wallet services for fiat currency.