Bitcoin

This article, the second of a two-part series, appeared in Cybersecurity Law & Strategy, an ALM publication for privacy and security professionals, Chief Information Security Officers, Chief Information Officers, Chief Technology Officers, Corporate Counsel, Internet and Tech Practitioners, In-House Counsel. Visit the website to learn more.

The proliferation of cryptocurrency and blockchain is being driven by the efficiencies and protections afforded to early adopters. The operational efficiencies and resulting cost savings are readily apparent in the financial services industry and are equally coveted by the entities trying to implement them and by the customers who will benefit from the implementation. However, neither party can fully enjoy these benefits without first understanding and overcoming the various regulatory hurdles.

By no means is this meant to be an exhaustive discussion of the financial regulatory burdens faced by this technology. To cover the entire regulatory landscape would be too great an endeavor, given what we can cover in this article. In Part Two of this article, we will continue to focus on additional common regulatory issues faced by market participants in this space. (See Part One here.)

The U.S. Commodity Futures Trading Commission (CFTC)

The CFTC regulates the futures and option markets within the U.S. financial services industry. In July 2017, the CFTC issued an order granting LedgerX, LLC registration as a derivatives clearing organization (DCO) for BitCoin options (the first of its kind). While this registration further legitimized cryptocurrencies/virtual currencies (specifically BitCoin) by demonstrating acceptance by a federal regulator, the CFTC was sure to include the following language in the press release accompanying the order, “[t]his authorization to provide clearing services for fully-collateralized digital currency swaps does not constitute or imply a Commission endorsement of the use of digital currency generally, or bitcoin specifically.” Also, while the legitimacy was welcomed, it did come at the cost of setting a precedence of adhering to federal regulators.

The CFTC's seemingly favorable view of virtual currencies and the underlying blockchain technology was exhibited earlier in the year during a speech at the New York FinTech Innovation Lab. Here, the CFTC's chair (J Christopher Giancarlo) stated the agency “might collaborate with other authorities on leading development of best practices to support the development of “regulator nodes” on distributed ledgers, or experiment with collecting or distributing existing CFTC reports through blockchain technology.” This again legitimized the adoption of the technology.

Anti-Money Laundering (AML) / Know Your Customer (KYC) and Office of Foreign Assets Control (OFAC) Concerns

Without getting too bogged down into the operation of the various underlying regulations, Anti-Money Laundering (AML), Know Your Customer (KYC) and the Office of Foreign Assets Control (OFAC) all require banks and other financial services industry participants to have policies, procedures and controls in place to identify the source of funds (AML), have a reasonable understanding of who your customer is (KYC) and checks in place to identify individuals and companies owned or controlled by certain countries that the U.S. government has blocked from utilizing the U.S. banking system and for individuals, groups and entities, such as terrorists and narcotics traffickers designated under various programs that are not country-specific.

These regulations are at odds with one of the fundamental ideologies of cryptocurrency and blockchain technology. When blockchain was developed to create BitCoin, the developers were looking to create a secure way to store and move value while also protecting the owner's privacy from everyone, including any government. This creates problems for anyone subject to AML, KYC and OFAC regulations. As mentioned earlier, when an entity is deemed a MSB, it must have robust programs covering these regulations. Also, depositories may want to maintain a correspondent relationship with a virtual currency exchange. The challenge then arises as to how to develop programs to implement these requirements.

Currently, there are no bright-line tests or rules put forth by any of the financial services regulators when creating AML/KYC and OFAC procedures and controls to govern a product or process using blockchain technology. Nor are there any safe harbors for those who want to pioneer the applications. At the same time, most of the regulators have identified AML/KYC concerns as an area of focus for 2017 and 2018. This all adds to the regulatory uncertainty and apprehension within the industry while the severity of AML fines leaves no room for noncompliance. Finally, the fact that a majority of the teams of legal and compliance professionals who support the financial services industry do not understand the technology or the possible remedies to achieve compliance while implementing the technology add to the headwinds and the uncertainty.

On the flip side to viewing the use of blockchain as a roadblock for those working in KYC compliance, there are entities that are exploring how the Ethereum blockchain technology can ease the burden of KYC compliance through the use of a smart contract. This can be accomplished because the technology can operate as “self-proving” through verification of its own chain/dataset. This provides an opportunity to build customer identification into the technology itself where it can be set as a condition precedent prior to contract execution. If successful, this would drastically lower the cost of each institution's having to investigate and identify each customer as the chain would have the ability to authenticate said customer.

State Regulation

The regulatory burden is again amplified when you start to consider the pace at which states are introducing and adopting legislation that governs the use of blockchain. For example, in June 2017, Arizona signed House Bill 2417 into law that acknowledges the legitimate use of blockchain technology to secure an electronic signature and that states that “smart contracts” (which utilize blockchain) cannot be denied effect. In 2016, North Carolina signed House Bill 289 into law which updated North Carolina's Money Transmitter Act to include the transmission of virtual currency. In Connecticut, the governor just signed House Bill 07141 in June 2017.

If and when this regulation is adopted, it will establish capital requirements for money transmitters dealing in virtual currency. Texas, Nevada, Delaware, Florida, New Hampshire and others have all recently adopted legislation that addresses blockchain technology in certain aspects. The speed at which states are adopting legislation around virtual currency and blockchain makes the need for a current 50-state survey of applicable state law a necessity to minimize your regulatory risk in the space.

Unsurprisingly, New York perhaps has the most robust regulations codified at 23 CRR-NY 200 entitled “Virtual Currencies.” New York requires any person engaged in any “virtual currency business” activity to obtain a license. The regulation defines “virtual currency business” as activity involving any one of the following types of conduct that takes place in New York or involves a New York Resident:

  • Receiving virtual currency for transmission or transmitting virtual currency, except where the transaction is undertaken for non-financial purposes and does not involve the transfer of more than a nominal amount of virtual currency;
  • Storing, holding, or maintaining custody or control of virtual currency on behalf of others;
  • Buying and selling virtual currency as a customer business;
  • Performing exchange services as a customer business; or
  • Controlling, administering, or issuing a virtual currency.

The regulation goes on to require that each licensee maintain and enforce written compliance policies, including policies with respect to anti-fraud, AML, cybersecurity, privacy and information security and a customer identification program. The AML and customer identification requirements are further discussed in a separate section (23 CRR-NY 200.15).

For example, a complaint customer identification program under the regulation will require at a minimum: 1) verification of the customer's identity, to the extent reasonable and practicable; 2) maintenance of records of the information used to verify such identity, including name, physical address, and other identifying information; and 3) a check of customers against the Specially Designated Nationals (SDNs) list maintained by OFAC. The regulation also goes on to state that enhanced due diligence may be required based on additional factors, such as for high-risk customers, high-volume accounts or accounts on which a suspicious activity report has been filed.

While the regulation is very dense, the fact that it covers activity involving any New York resident is almost a relief, given the fact that it insures that if you want New Yorkers as customers, you will now have a clear set of guidelines for best practices in multiple areas.

Although the regulation of blockchain technology and virtual currencies within the financial services industry presents certain challenges, and is evolving month to month, the explosion in the use of the technology is not slowing down. As of October 2017, there were slightly less than 1,200 different virtual currencies in circulation that can trade on a little more than 6,000 different exchanges. All while depositories, lenders, FinTech vendors and other players all continue to innovative by creating new ways to deploy blockchain technology every day. The speed of the development of the technology, as well as the regulation, demands that you consult an attorney well versed in both financial regulation and the underlying technology as a means to best limit your regulatory exposure.

Craig Nazzaro is Of Counsel in the Atlanta office of Nelson Mullins Riley & Scarborough LLP. His practice areas include Alternative Lending & Other Non-Bank Financial Services, FinTech, and Payments & Digital Commerce. Dowse Bradwell “Brad” Rustin, IV, is a partner in the firm's Greenville, SC, office whose practice areas include Banking & Financial Services, FinTech and Payments & Digital Commerce. John M. Jennings is a partner in the firm's Greenville office whose practice areas include Banking & Financial Services, Blockchain & Digital Currency, Private Equity and Securities Offerings.