In recent news, New York State is the first US state to issue rules for cryptocurrencies or virtual currency. The new rules will apply to financial intermediaries that manage virtual currencies for their customers. These companies are now required to obtain a “BitLicense” as well as comply with a comprehensive guideline that requires heightened consumer protection with robust anti-money laundering and cyber security programs.
This comes amid ongoing debate on whether federal regulations should be enacted to govern the use of digital currencies such as Bitcoin. The growth of cryptocurrencies in the last few years has left financial intermediaries (i.e. banks or payment aggregators) little choice but to establish a way for consumers to conduct business through digital channels. The digital currency trend is quickly becoming the new normal, and the expectation is that cryptocurrencies and virtual currencies are definitely here to stay. This means that cyber security will become increasingly important as a result of increased cyber risk and heightened regulatory scrutiny with the use of virtual currencies.
Summary of New York State Rules: [1]
a. Digital currency companies operating in New York state that hold customer funds and exchange virtual currencies for dollars or other currencies are required to apply for what is known as a state “BitLicense.”
b. The “BitLicense” rules include consumer protection, anti-money laundering and cybersecurity protections.
c. Digital currency companies are required to obtain prior approval for material changes to their products or business models, such as wallet firms offering exchange services. They would also need approval for new controlling investors.
d. But they would not need approval from the state for every round of venture capital funding or standard software updates.
e. Companies that want both a BitLicense and a money transmitter license can work with the state regulator to have a “one-stop” application submission to cover the requirements for both.
f. The rules do not apply to software developers, individual users, customer loyalty programs, gift cards, currency miners, or merchants accepting bitcoin as payment.
g. Each licensee must establish and maintain a robust and effective Anti-money Laundering and Cyber Security Program.
For more information, please read the complete Reuters article: New York regulator issues final virtual currency rules
What is a Digital Currency?
Digital currency is an internet-based form of currency and is used as a medium of exchange for transactions or the transfer of ownership through a digital channel. Cryptocurrencies and virtual currencies are types of digital currency that are traded through decentralized and unregulated systems. The lack of oversight and visibility into these systems perpetuates the idea that these digital currencies are risky and dangerous. However, digital currencies continue to gain momentum as a medium of exchange. Rules such as those issued by New York are being contemplated all over the world, and in our view more state, federal and international legislation will be enacted in the near future.
Importance of Cyber Security
To further discuss the impact of regulation on digital currencies, we need to understand the connection with cyber security. Digital currencies are being used as the digital version of a physical currency, so a channel is required to conduct transactions. This means infrastructure has a very important role to play in the distribution and flow of digital currencies between parties. Infrastructure includes an organization’s network, online applications or software, hardware, counterparty systems, third party/vendor software, and payment aggregators. Most elements of an organization’s infrastructure are interconnected and have a global reach, so any increase in the use of digital channels should result in an increase in risk exposure. In our view, a robust Cyber Policy and Security program helps digital firms and organizations conduct digital transactions in a safer and more secure manner.
Impact of Regulation
While federal legislation has yet to be enacted for digital currencies, most regulators agree that all organizations should have ‘reasonable’ data safeguards. There are quite a few regulations and guidelines, such as those from the Federal Trade Commission (FTC) and the Financial Industry Regulatory Authority (FINRA), that address the protection of customer data. These tie in to the IT infrastructure and security policy organizations should have in place in order to safeguard customer assets, data and privacy. This is a challenge for some institutions, as in the case of two major banks hit with multi-million dollar fines in late 2014 for a computer malfunction resulting from inadequate infrastructure.
We also continue to see regulators monitor organizations for adherence to data privacy laws, the prevention of security breaches (which includes surveillance), the adequacy of infrastructure and cybersecurity programs and the ability to respond to or manage a security breach or incident. Any organization holding, managing or trading digital currencies may also be subject to these same rules as well as other regulatory rules that may apply.
Accenture’s Top Trends to Watch for:
- Federal Regulation: A federal Cyber Security Bill which has been pending for the last 5 years could offer legal liability protection for organizations that share cyber threat information with the federal government. The passing of the bill by the Senate will likely be the first wave of legislation to help bring conformity to how organizations approach the management of cyber risk.
- International Perspectives: Cyber crime is considered an international issue and it is generally agreed that regulation will enforce accountability and disclosure. Europe is closer to implementing new rules that will require compliance starting in 2016, while the US has been more sectoral in its approach to regulation.
- Socio-economic Activities: While cyber crimes are more prevalent in some industries, the increase of digital trading and trading with virtual currencies is a growing trend which has an unlimited scale due to the global nature of borderless transactions.
- Cyber Security Programs: Some organizations are beginning to adopt a more holistic approach to their Cyber Security programs. Others may look to reengineer their initiatives to increase the effectiveness of their programs. The SEC and FINRA have now issued guidance on leading practices to consider when implementing a cybersecurity program. [2]
The New Normal for Compliance
Compliance Officers should begin to contemplate how these trends and future regulations will impact their organizations. While the Compliance function should not be solely responsible for creating a Cyber Risk and Security Policy, they should be a contributor to the policy and resulting programs. Compliance could also be engaged in defining or reinventing cyber initiatives that would support adherence to future regulation. The Compliance function should continue to monitor and support compliance with current regulatory rules but it can also help define and support a standard operating model for the “new normal”.
Key Considerations for Clients
- Organizations should conduct an assessment of the effectiveness of their cyber security initiatives in order to identify and address potential gaps within current programs
- Compliance can take an active role in helping to develop a Cyber Risk Policy and shape the framework for operating in a more regulated environment
- A leading Cyber Security Program will be dependent on the collaborative efforts between the IT, Risk Management and Compliance functions
1. “New York regulator issues final virtual currency rules,” Reuters, June 3, 2015. Access at: http://www.reuters.com/article/2015/06/03/us-bitcoin-regulation-new-york-idUSKBN0OJ23X20150603
2. “Going for Brokerages: FINRA and SEC Take Aim at Deficient Cyber Policies and Practices,” Privacy and Security Law Report, Bloomberg BNA, June 2015. Access at: http://s3.amazonaws.com/cdn.orrick.com/files/Bloomberg-BNA-Going-For-Brokerages-SEC-FINRA-Article.pdf
Disclaimer: This blog is intended for general informational purposes only, does not take into account the reader’s specific circumstances, may not reflect the most current developments, and is not intended to provide advice on specific circumstances. Accenture disclaims, to the fullest extent permitted by applicable law, all liability for the accuracy and completeness of the information in this blog and for any acts or omissions made based on such information. Accenture does not provide legal, regulatory, audit or tax advice. Readers are responsible for obtaining such advice from their own legal counsel or other licensed professional.
Copyright © 2015 Accenture. All rights reserved.