On September 15, 2015, the Conference of State Bank Supervisors (CSBS) issued its Model Regulatory Framework for State Regulation of Certain Virtual Currency Activities (the Model Framework)1 to assist states in developing regulatory approaches to licensing and supervising virtual currency activities. The Model Framework takes into account comments received on a draft developed by the CSBS Emerging Payments Task Force and published for comment in December 2014.2 While important changes were made, the Model Framework remains a high level outline that will require substantial elaboration as individual states attempt to use it to guide their own rule-writing efforts. Nonetheless, it provides useful insight into the direction of state regulation of virtual currency activities.
Definition of Virtual Currency and Covered Activities
Virtual currency is defined by the Model Framework as “a digital representation of value used as a medium of exchange, a unit of account or a store of value, but does not have legal tender status as recognized by the United States Government.” Virtual currency expressly includes “digital currency” and “cryptocurrency,” and expressly excludes:
- The software or protocols governing the transfer of the digital representation of value
- Stored value redeemable exclusively in goods or services limited to transactions involving a defined merchant, or
- Units of value that are issued in affinity or rewards programs and that cannot be redeemed for either fiat or virtual currencies.
Importantly, the Model Framework applies to activities involving third party “control” of virtual currency. The following virtual currency activities, when carried out on behalf of another, are specifically identified as being covered by the Model Framework:
- Transmission of virtual currency;
- Exchanging sovereign currency for virtual currency (or vice versa) or different virtual currencies; and
- Services that facilitate the third-party exchange, storage and/or transmission of virtual currency.
A number of important questions are raised by this definition and set of examples, including how broadly the concept of “control” will be applied (e.g., whether any single party “controls” a virtual currency that is held with multi-signature technology) and how broadly the concept of “facilitate” might be applied. Among other things, the Model Framework gives as examples of such facilitation “wallets, vaults, kiosks, merchant-acquirers, and payment processors,” yet some of these activities may not be considered licensed money transmission when they involve fiat currency, thereby begging the question what attributes of virtual currency warrant such new levels of regulation.
The Model Framework helpfully provides an express exclusion of the following activities:
- Merchants and consumers who use virtual currencies solely for the purchase or sale of goods or services;
- Activities that are not financial in nature but utilize technologies similar to those used by digital currency;
- Activities involving units of value that are issued in affinity or rewards programs and that cannot be redeemed for either fiat or virtual currencies; and
- Activities involving units of value that are used solely within online gaming platforms and have no market or application outside of those gaming platforms.
Questions will remain in the implementation of even these exemptions such as whether an illicit market in gaming currency, which can exist despite the best efforts of the platform provider, could transform the provider’s unregulated gaming feature into a highly regulated functionality. The Model Framework also does not suggest a standard for interaction with other regulatory regimes such as for banks, securities firms and licensed money transmitters, leaving open questions as to the potential for overlapping regulation when otherwise licensed financial services providers become involved in virtual currency activities. Finally, the Model Framework does not suggest an “on ramp” in the form of a temporary or conditional license for startups that may pose lower levels of risk, although it leaves open the possibility that a “courageous” state may experiment in that regard.
Regulatory Requirements for Virtual Currency Activities
The Model Framework sets forth the following recommended areas of coverage for virtual currency activity oversight:
- Licensing requirements related to both the business and its owners, including details of the entity’s business plan and banking arrangements
- Use of licensing systems (e.g. the Nationwide Multistate Licensing System)
- Financial strength and stability, including:
- Net worth or capital requirements
- Flexible permissible investment reserve requirements, which may include reserves held in virtual currencies (an important acknowledgement of the industry concern that in many circumstances like-kind reserves are the only sensible way of addressing reserve issues)
- Defined mechanisms for holding and validating reserves
- Surety bonds
- Information on the method for calculating the value of virtual currency
- Policies and procedures for disaster recovery and business continuity and customer access to funds in the event of a failure
- Consumer protection policies, documentation and disclosures, including:
- Holding an actual amount of virtual currency in trust for customers and ensuring that amount is identifiable separately from any other customer or entity holdings
- Disclosures regarding complaints, error resolution, virtual currency risks and the uninsured status of virtual currency (such requirements are recommended regardless of whether a service provider is targeting a consumer or commercial customer base)
- Receipts with exchange rate information
- Cybersecurity program, policies and procedures, including cybersecurity audits with flexible standards to vary the level of the audit as appropriate to the business model and level of activity (in particular, the Model Framework acknowledges that third party audits may not be appropriate in some circumstances)
- General compliance with federal and state laws
- Bank Secrecy Act/Anti-Money Laundering implementation and compliance, including verification of service user, not just “account holder,” identity
- Access to books and records, including:
- “To the extent practicable,” transaction-level data such as names, addresses, and IP addresses of the parties to the transaction, identifiable information regarding the virtual currency owner, transaction confirmations and destinations for foreign transactions
- Importantly, it appears that the Model Framework contemplates that such transaction-specific information might be included in affirmative reporting requirements, rather than just being available for review through examinations, a potentially substantial expansion of the general regulatory approach to transaction-level reporting
- General supervision authorities, such as examination, investigative and enforcement, and access to private keys in the event of an institution’s insolvency
In sum, the Model Framework provides a helpful window into the future direction of virtual currency regulation and supervision at the state level, but much work remains to be done before any individual state will be able to translate the Model Framework into actionable rules and regulations.
If you have any questions regarding this Sidley Update, please contact the Sidley lawyer with whom you usually work, or
David E. Teitelbaum
+1 202 736 8683
Joel D. Feinberg
+1 202 736 8473
1The Model Framework is available here.
2The draft Model Framework is available here.
To receive Sidley Updates, please subscribe at www.sidley.com/subscribe.
Sidley Austin provides this information as a service to clients and other friends for educational purposes only. It should not be construed or relied on as legal advice or to create a lawyer-client relationship.
Attorney Advertising - For purposes of compliance with New York State Bar rules, our headquarters are Sidley Austin LLP, 787 Seventh Avenue, New York, NY 10019, 212.839.5300; One South Dearborn, Chicago, IL 60603, 312.853.7000; and 1501 K Street, N.W., Washington, D.C. 20005, 202.736.8000.