Key Takeaways
- New York is allocating more resources and devoting more attention to the cryptocurrency industry, which will likely result in increased regulatory oversight, potential new rulemaking, significant sanctions for compliance violations, and an increase in its speed of reviewing BitLicense applications.
- A recent consent order in which bitFlyer USA’s failure to comply with cybersecurity requirements under New York’s Virtual Currency and Cybersecurity Regulations resulted in a $1.2 million penalty underscores this increasing focus and the potential consequences of noncompliance for licensees.
- Cybersecurity compliance is a fundamental compliance task with which the DFS expects every licensee, including BitLicense holders, to comply without exception.
On May 1, 2023, the New York State Department of Financial Services (DFS or Department) issued a consent order (Consent Order), imposing a $1.2 million fine on bitFlyer USA, a cryptocurrency trading platform and custodial wallet service provider. The Consent Order described various alleged failures by bitFlyer USA to establish and maintain an effective cybersecurity program, as required by the DFS’s Virtual Currency and Cybersecurity Regulations.[1] This marks the third DFS consent order involving a crypto market actor. While the previous two focused on alleged anti-money laundering failures,[2] the bitFlyer USA consent order is significant because it focused exclusively on cybersecurity violations, which remain a DFS priority.
BitLicense Cybersecurity Requirements
DFS is the primary regulator of financial services in New York State, including licensing and overseeing financial institutions across the state. In 2014, DFS proposed rules and regulations requiring businesses engaged in certain cryptocurrency activities in the state to apply for a “BitLicense” through DFS (23 NYCRR Part 200, the “Virtual Currency Regulation”).[3] In response to concerns from businesses subject to the BitLicense requirement, DFS subsequently revised its practices with respect to BitLicense applications in 2020.[4] New York State’s Cybersecurity Regulation, 23 NYCRR 500, became effective in 2017.
Businesses seeking to obtain a BitLicense from DFS must undergo an application process that includes a comprehensive review of the applicant’s business, compliance program, personnel, security measures, and accounting.[5] Among other requirements, under New York’s Virtual Currency and Cybersecurity Regulations, BitLicense licensees are required to establish and maintain cybersecurity programs that are designed to protect the confidentiality, integrity, and availability of their information systems, as well as any nonpublic information contained within those systems.[6] The Cybersecurity Regulations require entities like bitFlyer USA to “conduct periodic risk assessment[s] as necessary to address changes to [its] information systems, [nonpublic information], or business operations.”[7] Under the Virtual Currency Regulation, BitLicense holders are required to establish and maintain “an effective cybersecurity program to ensure the availability and functionality of the licensee’s electronic systems and to protect those systems and any sensitive data stored on those systems from unauthorized access, use, or tampering.”[8]
DFS’s Examination and Findings Regarding bitFlyer USA
bitFlyer USA was granted a BitLicense on November 27, 2017. DFS conducted examinations of bitFlyer USA in 2018 and 2020. Over the course of its examination period, DFS found that bitFlyer “failed to meet its regulatory obligations both by failing to fully comply with the Department’s Cybersecurity Regulation and by failing to establish and maintain an effective cybersecurity program through the implementation of written policies, as required by the Virtual Currency Regulation.” The Consent Order cited the following specific compliance deficiencies during the time period of the DFS examinations:
- Failure to perform periodic assessments of internal and external cybersecurity risks and threats, and improper reliance on an information technology audit in place of a cybersecurity risk assessment; and
- Failure to implement a cybersecurity program designed “to protect its electronic systems, and the information stored on those systems from unauthorized access, use, or other malicious acts” because its written cybersecurity policy was not approved by its board of directors or tailored to its organizational structure and relevant risks.
According to the Consent Order, during the course of the DFS investigation, bitFlyer USA conducted a comprehensive review of its existing compliance programs with respect to the Virtual Currency and Cybersecurity Regulations. Based on this review, bitFlyer USA provided a remediation plan designed to bring bitFlyer USA into compliance by December 31, 2023. DFS approved the remediation plan, which requires quarterly progress reports to DFS. Notably, the $1.2 million penalty credits bitFlyer USA for its cooperation and remediation efforts, indicating DFS could have levied an even larger civil penalty for these violations.
New York’s Increased Focus on Cryptocurrency Businesses
Recent events indicate cryptocurrency businesses operating in New York State should take steps to prepare for increased oversight, and potentially new laws or regulations governing their activities. On April 25, in testimony before the New York State Senate Standing Committee on Banks, Virtual Currency Chief Peter Marton said DFS is increasing the resources allocated to regulation and oversight of the cryptocurrency industry,[9] including strengthening its licensing program, increasing staff, and implementing new technology, with the goal of protecting both cryptocurrency businesses and their customers.[10] The increased staff is also expected to increase the speed at which BitLicense applications are reviewed. Virtual Currency Chief Marton testified that DFS has approved only 4 licenses in the past 15 months and that the BitLicense queue “remains high,” and that since his appointment in January 2022, more than 40 examiner-trainees have been added to the virtual currency unit. He further testified that the “most important consumer protection is often not one written in the black and white letter of the law, but to have a nimble regulator who understands the space and has the flexibility and agility to respond to industry developments as they arise.”
Additionally, on May 5, the New York Attorney General independently announced new proposed legislation that would increase oversight of the cryptocurrency industry, provide the Attorney General with broader enforcement authority, and codify the DFS’s authority to license individuals in the industry.[11] The Crypto Regulation, Protection, Transparency, and Oversight Act (CRPTO Act) “seeks to protect New York investors by bringing regulations and oversight that are applied to other financial services to the cryptocurrency industry” as well as address other issues unique to the industry. Among other things, the CRPTO Act would seek to (1) stop conflicts of interest by placing certain prohibitions on specific industry players such as marketplaces, issuers, and brokers; (2) require public reporting of financial statements by cryptocurrency companies; and (3) bolster investor protections by enacting “know-your-customer” provisions and “banning the use of the term ‘stablecoin’” unless a digital asset is backed 1:1 with U.S. currency or other high-quality assets as defined by federal regulations. Through the bill, the Attorney General’s Office also seeks discretion to enforce cryptocurrency firms’ violations, including the power to issue subpoenas, impose civil penalties, and shutter those businesses that engage in fraud and illegality. Specifically, the proposed penalties for violations under the bill are $10,000 per violation per individual and $100,000 per violation per firm as well as restitution, damages, and penalties. Given all this, the proposed CRPTO Act further demonstrates the increased focus on regulating cryptocurrency activities in New York State.
Conclusion
As New York regulators work to strengthen and proactively evolve virtual currency regulation, digital asset businesses operating in New York should ensure that their cybersecurity programs comply with the requirements of New York’s Virtual Currency and Cybersecurity Regulations or risk facing substantial penalties. BitLicense licensees and applicants should establish an ongoing working relationship with DFS and focus on the continuous improvement of their compliance programs, especially as new risks and regulatory priorities arise in the fast-paced cryptocurrency market. Additionally, as New York lawmakers consider new proposed laws and regulations, cryptocurrency market actors should understand the implications for their businesses and consider taking proactive steps to engage with lawmakers to educate them on potential unintended consequences of proposed regulation and prepare for new requirements.