Home < Misc < NY DFS Bitlicense Lawsky Update

NY DFS Bitlicense Lawsky Update

Date: December 18, 2014

Transcript By: Bryan Bishop

Tags: Regulation

NY DFS BitLicense update 2014-12-18

http://web.archive.org/web/20150511110453/http://bipartisanpolicy.org/events/payment-policy-in-the-21st-century-the-promise-of-innovation-and-the-challenge-of-regulation/

And that’s a serious problem that we all need to address with a hightened sense of urgency and focus. Let me start with the BitLicense and virtual currencies. These came on our radar screen last year at DFS because like all of the other states we regulate money transmitters like Moneygram and Western Union. We were worried that virtual currency firms were transmitting currency. Our regulatory rules were written before the internet and before virtual currencies.

In august of 2013 we launched an extensive inquiry into the appropriate regulatory guardrails for virtual currency. We heard hearings about virtual currencies over 2 days. The goal was to get a 360 degree view of this new and constantly evolving industry, both of its promise and potential pitfalls. Our challenge was to come up with appropriate guardrails to protect consumers, while not stiffling innovation in a fledging industry. MtGox, Silk Road. The ability to send money lal over the world to people. Bring down the cost of international remittances significantly. Some of the real benefits of currency if used properly. Virtual currency does not require credit card information in financial transaction, which can reduce the chance of identity theft and related frauds.

There is also the fascinating idea of programmable currency, to securely transfer something of value besides money, like the deed to property over the internet. It is worth noting that a currency could as a broader matter push banks to really up their game when it comes to considering and implementing new payment technologies.

We looked at all of these benefits that virtual currencies could provide, the more we dug into it, the more we realized there could be some real promise if these technologies could take off. We knew there had to be a regulatory environment that would make it safer for these kinds of technologies to go into full effect around the world.

With this in mind we put forward our BitLicense framework. We wanted to do it by the end of this year. Over the summer we had the collapse of MtGox and that gave us the need to put this framework out there sooner rather than later. That framework considered provisions to protect onsumers from fraud and abuse, setup strong defenses against hackers by emphasizing robust cyber security which we are all thinking about today after this past week of Sony mayhem. Our proposal was the beginning to a healthy discussion about what the regulation should be about it.

Some considered our proposal as take-it-or-leave-it all-or-nothing proposal that would go into effect in a few days. That was not the case. Public comment periods take a long time in government. There has been time for stakeholders to provide input. We have had a ton of comments into putting in the revisions today. Once we put them out there will be a new 30 day comment period.

We appreciate the time that so many people took to submit their comments; I have read their comments (at least some). We think that their proposals are good and good for the long term health. The rules also mirror the types of requirements that banks and money transmitters have to live with. This is a point that is not well understood, in part because virtual currencies sit at that cross-roads of the less regulated tech sector and the more regulated financial sector.

There is a basic bargain: when a financial company is entrusted with safeguarding customer funds, it accepts hightened regulatory scruityin to ensure that money does not disappear into a blackhole. Accounting, record keeping, and compliance is similar to what other financial firms must do every day. Some regulatory areas might be more stronger for virtual currency firms than other financial institutions, like cyber security rules, we are thinking about how to use these new rules for all of our regulated banks and insurance companies as we move into this era for the need for much hightened financial security writ large, as evidenced by the JPM hacks and others. Cyber security is the most important issue that DFS will face in 2015 and maybe the years beyond that. We need to stay ahead of the curve to protect the consumers and markets from devastating disruptions from debilitating cyber attacks. If you want to talk more about hacking and threats to the financial system, I’ll be happy to do that.

There are some important changes to the BitLicense. Some of these reflect the comments we received. We received 3,747 public comments not that we were counting. We took the comments very seriously and incorporated some of them. We are moving forward with some clarifications to make crystal clear the breadth and extent of who we are regulating and not. There was confusion about who would be required to obtain a BitLicense. Some believed that our proposed regulation for all software developers, users and miners to obtain licenses. Let me be clear. The revised regulation will clarify that we do not intend to regulate software developers, like those who provide wallet software to customers for personal use. We are regulating financial intermediaries. We are not regulating software development.

Loyalty programs demoniated in fiat ccurrencies will not fall under the BitLicense regulations. We have made this much more clear. As I said, virtual currency miners will not be required to obtain a BitLicense. Individuals that are purchasing and holding virtual currency as an investment will not be required to get a BitLicense.

We are making clear that merchants that accept virtual urrency for their goods and services will not be required to get a BitLicense if that is the only virtual currency engagement activity they engage in.

Now let’s turn our attention to startups. One of the most consistent concerns was about the impact of compliance costs on new or fledging virtual currency enterprises. We have faced similar issues in the community banking context as a regulator and we wanted to work in good faith to identify a solution. The revised regulation will offer a 2 year transitional BitLicense which can be issued to those firms that cannot satisfy the requirements of a full license, tailored to startups and small businesses. This will provide an onramp as they build up their operations. Those firms will be required to meet robust standards for anti-money laundering and customer protection, but we did want to provide some flexibility as they work to get off the ground.

Licensees may apply to the department that certain specific parties should not be deemed control parties if they are not involved in the major management decisions of the company. This ma ysound like a tehcnical change; but it’s key to helping to encourage angel investment in virtual currency. When someone is a control person, it triggers a full host of requirements that may not be necessary if those people are not involved in the management o the company.

We have made changes in response to some comments. We hvae shortened the proposed … from 10 to 7 years. They are not required to obtain addresses for all parties; only this information for their own customers or their own account holders, and to the extent possible, counterparties to the transaction. We determined that the original requirement that they get it from everyone in the transation would not be in workable in the virtual currency ontext. We didn’t want to have a requirement that couldn’t be met.

A broader range of financial assets may now count towards a licensee’s capital requirements. We had a few comments about this. We think these proposed changes are sensible, and we think it is an appropriate balance to strongly protect consumers and root out illicit activity. The full version should be released in a few days. After the 30 days we will be releasing a final version. After that, we hope to have a few licensed exchanges and companies running in NY.

That regulatory process will end in late January, but this is so unique that we plan to continue to listen and monitor closely how these regulations impact the world basically. One thing we learned is that in a new area like this with very complex issue, it is important for regulators to be able to listen, to see where regulations may not make sense, and be willing to course correct as we go around.

It wouldn’t surprise me that down the road we start thinking carefully about tinkering the regulations in response to how things roll out. We are not opposed to fixing this. We are in a new world now. Virtual currency is only one part of a much broader evolution occurring in payments technology.

No questions about Amtrak please.

If banks fail to innovate, they could eventually face a real challenge. Blockbuster video stores used to be on every corner in our country. With the emergence of Netflix and other companies, they practically disappeared over night. Money is no different. I think that people feel more comfortable trusting an old established FDIC-protected company than they currently trust Bitcoin. Our children and our children’s children will not hesitate to bank digitally. My guess is that banks will adjust, and we are starting to see that a little bit. It is in those institution’s long-term interest to do so. They will probably co-opt or acquire some of the most promising technology after a period of trial and error. Regulators will have to keep up and permit innovation. But if banks do not make significant progress soon, regulators should mandate improvements. This is not how we like to operate, it’s better to let the market make these determinations, but at a certain point, enough is enough. 4 decades of slow or no progress in banking is enough. We are excited about what we are seeing in payment technology. It presents challenges for banks. We are not experts in all forms of new technology. Regulators tend to be slow moving and plodding, and sometimes that’s good. Sometimes when we get around to approving some new technology for use, that tech is already outdated. But to return to the earlier metaphor, if we can’t adjust and adopt in a timely fashion, then we should be humble about what we do not know, we need to move more quickly to provide clarity and guidance on important issues like consumer protection. Our BitLicense experience has been an interesting attempt at regulating in this fashion. It is difficult, but I think it can be done. It is important to get this right. Happy to take any questions.

Q: The conference of state bank supervisors put out their framework for digital currency regulation. I wonder if you have looked? What are your thoughts?

I think it’s great, it’s not all that dissimilar from what we’re doing. It’s somewhat broader, CSBS you’re dealing with 50 different state systems. Different states have different laws. In New York, the way our laws are written, the money transmission laws and regs, we just couldn’t fit virtual currency in there, it just doesn’t work. So we figured it would be better to develop our own unique framework. Some states have thought about shoehorning virtual currency into their existing money transmission laws, and I think that CSBS has done a nice job of setting out some general principles that all the states can look at. Margarett led a task force that drew the states that are more interested, like Texas, Ma, Florida, Illinois I think, Georgia, and I think that worked out well, and once our reg is in place that my hope is that you will see virtual currency firms coming to New York and succeeding in NY because I hope this will give people confidence that they are being carefully regulated. If that happens and we’re successful, then hopefully other states will look at what we’ve done and take our best parts in the regs and go from there.

Q: As an insurance regulator, it looks as if we will have some period of time in January where TRIA is not available. If they do not have that ability, will we have certain commercial real estates such as malls or stadiums that will have to shut down if the lapse happens?

Well, I hope that lapse is a very short time. I was on the phone with the treasury department yesterday and they want to know what will happen in NY on Jan1. We are talking to our insurers that are impacted by this, the real estate industry in NY is very worried. Projects could grind to a halt. That’s not going to happen on Jan1, on day 1, but it’s something we’re analyzing very closely now.

Q: I hear that commercial real estate could be in violation if they.. and they are actively talking about…

We shall see. I hope it’s not that dire. If it continues throughout January we will see all kinds of bad repercussions. it was shocking that TRIA was not re-authorized.

Q: Please broadly discuss the philosophy driving the investigation for the non-backed mortgage service areas. Where does this end up?

I think our look at the non-bank mortgage servicing industry was triggered by what we saw in the massive growth in that industry. Hundreds of billions of dollars flowing out of MSRs and non-bank servicers, and it’s not to say that all non-bank servicers are bad. Some of them are doing a good job. At the time this huge growth took place, we had a monitor in one of those firms which gave us a lot of insight into how they were doing. As they grew they were having real difficulties with keeping up wit hthat growth. What’s so difficult is that the nature of servicing is that having a better tech platform or the ability to onboard more loans more efficiently is not going to address the unique nature of mortgage servicing which is on the other end of every single one of those MSRs especially in the subprime world is often a family in great distress who needs help figuring out what to do with an under-water home and a mortgage payment they can’t meet, and just because you have a better tech platform does not mean you know how to deal with those individuals. And this massive growth was what caused us to look into this. We got more worried the more we looked. We are seeing some firms who are doing a much better job than others, and when you see that, it’s a tell-tale sign that there could be real improvements at the firms that are falling down when it comes to that spectrum. That’s my elevator ride answer.

Q: Consumer protections for virtual currency. Are you thinking in terms of regE, regZ, will it depend on what payment system is underlying the virtual currency?

Sure. I think we lay out in the reg a whole series of consumer protections that consumers need. I think that revolve now around very adequate disclosures when people are getting into virtual currency transactions. So if you look at the reg, the initial reg or the revised one, basically the same when it comes to consumer protections, very robust set of disclosures around consumers knowing what they are getting. That’s a central tenant to the whole thing. So that’s our basic focus.

Q: American banker. I am wondering what your cyber security changes will be?

Sure. So we, let me answer it this way. We layed out last week that we approached banking institutions that we regulate, and sent them new information about more detailed questions that we were going to ask when it comes to cybersecurity. In the past, I’ll just speak for DFS, cybersecurity was a checklist just like everything else. Do you have this, do you have not. We have learned over the course of the last year that this needs to be a much more robust process. Part of what we have to do is train our own people, we have 1400 people, and 1000 are examiners. Many of them have been doing exmainations a certain way for a long, long time, for decades. Not all of them are attuned to new threats from cyber security. So we are bringing in technology security companies to train our examiners so that when they go into the institutions and look at the cybersecurity that they will be ableto see this in a much more modern, careful way. It’s two sets of people we’re training- both everyday examiners hwo have a certain level of knowledge, but we also have an IT group that does IT exams, and those IT exams are going to be much more in depth in terms of cyber security. We will read about these in the paper every day, the kinds of hacks are happening. If all of us, both the regulators and the industry, if we don’t start upping our game when it comes to security, we will regret it later. I am not prepared to compare with what we do, to the federal regulators. I think many regulators, like the treasury department, is deeply focused on this. Deputy… has .. she is focused on this as much as anyone I know, and I think other regulators are as well. What we need to do is that we stay coordinated. We do not need OCC having a separate standard, our own standards, and treasury standards, that will be nutty. I think the process that should take place, especially if you believe in states as a lab of democracy, if a state has some ideas to make cybersecurity examines even better, then hopefully the stuff that we got right can be adapted in some way, but we all need to make something fairly uniform for our institutions.

Thank you very much. Enjoy lunch.