The New York State Department of Financial Services (DFS) has released a first draft of regulations for businesses operating Bitcoin services in the state.
The new 'BitLicense' regulatory framework, published on Thursday, outlines new rules for businesses that trade, store, or provide exchange services for virtual currencies proposed by the state. The framework looks to introduce consumer protections, anti-money laundering compliance, and security rules particular to virtual currency firms.
The framework follows a DFS inquiry into Bitcoin regulation that kicked off last August, as well as a public hearing and efforts by the department to engage the Bitcoin community on a Reddit 'ask me anything' session earlier this year.
The public has been given 45 days to respond to the DFS proposals. While commending the DFS' efforts to date, Bitcoin Foundation global policy counsel Jim Harper said the period is too short, given the subject's breadth and complexity. The foundation has also argued against technology-specific regulation.
Businesses that will need a license include companies that receive or transmit virtual currency on behalf of consumers; any businesses that stores virtual currencies; companies that provide exchange services; those that buy and sell virtual currencies as a customer business; and anyone who issues or administers a virtual currency.
Those that won't need a license include currency miners, as well as merchants and consumers that use Bitcoin to buy or sell.
Some of the consumer protections that would be introduced by the proposal include rules on how much virtual currency the business holds, properly formatted and detailed receipts of all transactions, consumer complaints policies, and risk disclosures.
BitLicensees will also need to verify the identity of account holders and hold on to detailed customer records of transactions, which runs contrary to some of the anonymity features that Bitcoin users enjoy today. They'll also need to monitor and report suspended fraud and report when a person's transactions for a day exceed $10,000.
Among the standard requirements covering security, such as systems to detect and prevent breaches, businesses will also need to conduct penetration testing at least once a year alongside quarterly vulnerability tests. They'll also need to appoint a chief information security officer.
The regulations would also introduce new capital requirements for businesses, with the exact level determined by the department.
The new license regime of course will also mean that department's superintendent has the authority to suspend or revoke a license, or issue a preliminary injunction to prevent a company from violating existing finance, banking or insurance laws.
If and when the proposal is adopted, existing virtual money businesses will have a 45-day period of grace to apply for a license — and the department will have 90 days to determine whether one should be issued.