Two-Year Transitional License
In a nod to the difficulties of starting up a company, the new BitLicense permits the Superintendent to grant, at his discretion, a conditional license that lasts two years. These licenses may be renewed at the discretion of the Superintendent, but the intent appears to be that companies will then graduate to a full license.
It appears that companies granted a conditional BitLicense will generally be those companies that may satisfy some, but not all, of the regulatory requirements upon licensing. They may be subject to heightened review, including more frequent examinations, and are subject to any other reasonable conditions that may be imposed upon them by the Superintendent.
The new regulations provide an eight-factor analysis to help the Superintendent decide when to issue, renew, or remove the conditional status of a company.
The prior version did not state with much specificity how a company could meet its capital requirements. The new version clarifies that businesses may hold their capital in “cash, virtual currency, or high-quality, highly liquid, investment-grade assets, in such proportions as are acceptable to the superintendent.” The revisions do not define “acceptable” in this context.
It also states that the amount and form of capital requirements will be based on an “assessment of the specific risks applicable to each” company. This may mean that a high-volume exchange open to the public could have stricter capital requirements than an over-the-counter market that only permits institutional trading.
Material Changes to Business and Changes of Control
The rules require a licensed company to obtain approval prior to making a material change to its business. The new rules now permit companies to seek opinions about the materiality of a business change directly from the Superintendent.
Further, while the regulations governed change of control over the company, in that they provided that any change of control would have to be approved in writing by the Superintendent, the prior version did not give detailed processes or standards for how the Superintendent could determine whether a change of control actually took place. The latest revision rectifies that by including detailed guidance for the Superintendent to make this determination, and thus provide guidance to companies as to when companies should seek approval.
Anti-Money Laundering (AML)
The most significant change to the AML discussion relates to the removal of the requirement that companies must collect the name, physical address, and other information from non-customer counterparties. The new regulations only require such collection “to the extent practicable.” Various companies, including Coinbase, criticized the original requirement, as it would have required companies to collect personal information from all parties to a transaction, which is something generally not supported by open payments protocols.
The new proposal also clarifies that if a company picks internal personnel to audit a company, the company cannot choose the same person who was responsible for the design, installation, maintenance, or operation of the AML program or its policies.
The revision now requires businesses to verify the identity of a customer when establishing a service relationship, but does not define the term “service relationship.”
Importantly, the new rules no longer require companies to obtain third-party review of a business’s source code. They do, however, require the Chief Information Security Officer to perform an annual review and update of the company’s cybersecurity program.
The rules now generally require limiting physical access permissions to hardware, but no longer specifically require hardware to be locked in cages.
The regulations change the recordkeeping requirement for books, records, and advertising and marketing materials to seven years post-creation. This recordkeeping still requires companies to hold on to website captures, but only captures that indicate “material changes” to internet advertising and marketing.
Tracking the most significant change to the AML requirements, a company need only obtain information of non-customer counterparties “to the extent practicable.”
Disclosure and Fraud Prevention
The new version no longer permits customers of a company who are also victims of fraud to claim compensation from any trust account, bond, or insurance policy maintained by that company.
Further, companies no longer need to disclose in their general terms and conditions what liability they may have to a customer under any applicable laws.
The new draft contains a severability provision, which provides that if one part of the regulation is deemed invalid, the remainder of the BitLicense will remain intact.