The Inspirational Story of Julio Herrera Velutini - Global Finance Leader
Digital Asset Transfer Authority Comments to Conference of State Bank Supervisors
1.
DATA CSBS COMMENTS 1
February 20, 2015
Attn: Emerging Payments Task Force
Conference of State Bank Supervisors
1129 20th Street NW, 9th Floor
Washington, D.C. 20036
Re: Proposed Regulatory Framework: Virtual Currency
Dear Members of the Task Force:
This letter is submitted on behalf of the Digital Asset Transfer Authority (“DATA”)
in response to the proposed Draft Model Regulatory Framework and Policy
Statement on Virtual Currency Regulation issued by the Conference of State
Bank Supervisors (“CSBS”) on December 16, 2014 (collectively, the “Proposed
Model Framework”).
Background
DATA is a global non-profit trade association established in July 2013 focused
on digital assets, including distributed ledger technologies such as Bitcoin.1
DATA was founded to (1) act as a conduit and feedback mechanism between
the digital asset business community and policymakers and subject matter
experts; (2) to inspire confidence in such products by spearheading the
development of best practices across AML, data security, consumer protection
and privacy; and (3) to evolve in compliance with applicable laws and regulation
governing digital currencies including decentralized ledger technologies such as
the Bitcoin protocol (referred to collectively herein as “digital assets”). Our
members represent a broad range of digital asset businesses including
currencies, exchanges, administrators, and payment platforms, as well as
service providers such as established law firms that are actively engaged in the
digital asset space.
General Comments
We appreciate the opportunity to provide comments to the Proposed Model
Framework. We are encouraged by the efforts of the CSBS and its Emerging
Payments Task Force to establish a model regulatory regime for digital
1
More information available at www.datauthority.org.
2.
DATA CSBS COMMENTS 2
currency2
firms. We applaud the collaborative approach taken by the CSBS and
hope to continue to have the ability to offer industry input into the process. We
believe that the proposal offers a positive starting point in developing a
regulatory framework that can protect consumers while also allowing this
important technology to evolve and thrive.
Several DATA member companies are registered as a money service business
at the federal level and are seeking state licenses. These companies face
uncertainty as the current regulatory framework for digital currency firms has not
been established. Several states have attempted to place digital currency firms
under existing money transmitter laws while the New York Department of
Financial Services (“NYDFS”) has proposed a separate regulatory regime for
digital currency firms. A few states like Texas and Kansas have issued guidance
on how digital currency applies to current laws. More guidance and uniformity
in a state regulatory framework is needed to allow these companies to operate
efficiently across state lines.
Listed below are some general comments on the Proposed Model Framework
followed by responses to the specific questions posed by the CSBS.
1. The definition of virtual currency is too broad
The Proposed Model Framework appropriately focuses on activities based
regulations. The framework, however, should offer a narrower interpretation of
regulated activities. Digital currency firms have diverse business models,
including exchanges, wallets services, ATMs, security services, software
services, and payment processors. It is appropriate to regulate those firms that
exchange digital currency or hold the currency as a custodian due to the
heightened risks to consumers of those activities. However, we believe that
payment processors or “facilitators” of digital currency transactions should be
exempt from the rules.
2. Smaller firms should be treated differently under the framework
The Proposed Model Framework should exempt (or limit oversight over) smaller
start-ups to allow them the ability to enter the market without the licensing costs
and compliance burdens. These smaller firms pose less risk and should be
allowed to operate without the liabilities and costs associated with full licensure.
DATA believes there is a need to create a tiered, risk-based onramp to an
2
For purposes of this letter, we use “digital currency” and “virtual currency” as interchangeable
terms.
3.
DATA CSBS COMMENTS 3
otherwise high barrier licensing regime, including a safe harbor provision that: (1)
takes into account the rapidly evolving technologies and business models; and
(2) ensures that regulatory requirements correspond to actual risk to the
consumer and are balanced against the net public benefit of the technology. At
a minimum, this safe harbor should allow small startups to operate with
minimum thresholds and clear guidance on correspondingly low safety and
soundness requirements, with at least six months to apply for a license once
thresholds are crossed.
3. Regulations should be principles-based
Regulation of digital currency firms should focus on high-risk areas and should
not establish rules that are overly burdensome. In striking the correct balance,
regulators should consider principles-based guidelines rather than detailed
prescriptive rules. Prescriptive rules and a check the box approach may be
ineffective, especially in a fast moving industry like digital currency. Prescriptive
rules could have a chilling effect on technological innovation and the ability of
consumers to realize the benefits of digital currency. Regulators can achieve
the same objectives by offering principles that need to be addressed and
allowing industry to create programs to comply with these risk areas. Groups
like DATA, and other industry representatives, have been taking a proactive
approach toward establishing best practices to satisfy these types of criteria. In
a principles-based regime, state supervisors still maintain examination authority
to hold firms accountable and determine whether further prescriptive rules are
needed.
4. The Proposed Model Framework needs to be adopted across all states
in a consistent manner
DATA requests that the CSBS create a framework that will be adopted by all
states and eliminates the current uncertainty in the marketplace. We request
that any model rule eliminate the need for multiple licenses for digital currency
firms that may also be conducting more traditional money transfer services.
While we encourage the CSBS to make the rules flexible, we also caution that
providing state supervisors excessive discretion, it could lead to disparities on
the application of the rules. Also, we encourage the CSBS to ensure a level
playing field by establishing similar guidelines for both digital currency firms and
other money transmitters. DATA members would also like to see a more
streamlined process in terms of applications and ongoing oversight. All states
4.
DATA CSBS COMMENTS 4
should be mandated to utilize NMLS and certain forms and procedures should
be standardized to the extent possible.
5. The recordkeeping rules are unnecessary
We believe the AML rules set by FinCEN in the March 2013 guidance is an
appropriate level of regulation for digital currency firms. The AML requirements
in the Proposed Model Framework propose recordkeeping rules that require
gathering personal information for all parties related to digital currency
transactions. This requirement is not aligned with federal rules making it
impractical when it comes to collecting counterparty information. We cannot
identify a public policy aim that justifies the collection of PII for every de minimus
transaction for it presents little net gain to reducing AML risks, additional burden
to the licensee, and increased privacy risk to the consumer. At a minimum,
CSBS should eliminate the requirement for PII collection of non-customer of the
licensee and indicate a minimum transaction threshold for identity verification
(e.g., conduct proper risk/benefit calculation). As the recent massive data
breaches at Target, Home Depot, Kmart and JP Morgan show,3
the continued
practice of unsecured personal data collection to process transactions—a
practice that originated in a brick-and-mortar world—presents serious dangers
to consumer privacy and control of personal identities even for large, global
companies. These dangers will be exacerbated where proposed rules seek to
require smaller, less sophisticated businesses that accept digital assets as
payment to safeguard personal data in their corporate records. We further
request that the CSBS clarify that any records for counterparties be kept to the
extent practical.
Responses to Questions for Public Comment
1. Policy Implementation – Entities engaged in virtual currency activities
might not be engaged in traditional money transmitter activities involving
only fiat, government-backed currencies. Similarly, traditional money
transmitters might not be engaged in virtual currency activities.
a. Within the umbrella of state money transmitter regimes, how can state
regulators appropriately tailor licensing and supervision to each set of
licensees?
3
Jake Swearingen, “Why the JP Morgan Data Breach Is Like No Other”, The Atlantic, October 3,
2014, available at http://www.theatlantic.com/business/archive/2014/10/why-the-jp-morgan-data-
breach-is-like- no-other/381098/.
5.
DATA CSBS COMMENTS 5
DATA believes that any framework should avoid creating a disparity among
digital currency firms and traditional money transmitters. We believe that
licensing, examination and oversight questions/requirements should be
expanded to capture all types of activities for money transmitters and/or digital
currency businesses. Depending on the business model, some of these
requirements may or may not be applicable to digital currency institutions.
Examiners should be trained on specific risk areas and examination manuals
can be expanded to request the required information to assess risks.
b. In order to properly tailor licensing and regulatory regimes to virtual
currency activities, should states consider a virtual currency-specific
“amendment” or “endorsement” to a traditional money transmitter
license?
DATA believe that states should attempt to govern digital currency firms through
current money transmitter laws and treat these entities as money transmitters
offering a specific type of service. This approach may be challenging due to the
language in current statutes and therefore could require legislative changes. If
CSBS chooses to create an entirely separate framework for digital currency
firms, regulators should avoid requiring multiple licenses for digital currency
businesses.
2. Licensing Process
a. Though states largely have the same licensing requirements, there is not
a common implementation process. Please comment on the functionality
of the NMLS or other licensing systems.
NMLS has streamlined the application process, but there are several efficiencies
and enhancements that can be made to this process. Uniformity in applications
would improve the process and reduce costs.
b. Would a common application and guide to licensure enhance the
efficiency of the licensing system?
A common application seems appropriate as most states have similar
requirements. This application should be comprehensive enough to capture any
state specific requirements. One other issue is that nearly all states that accept
money transmitter license applications through NMLS require additional
6.
DATA CSBS COMMENTS 6
materials to be submitted in hard copy which negates the benefits of a
streamlined online process.
c. Obtaining required criminal background checks has been flagged as an
administrative challenge in the licensing process. What procedures can
states uniformly adopt to facilitate obtaining criminal background checks
as part of the licensing process?
The differences in the fingerprinting procedures for various states increases
costs and places burdens on firms. If all states were to accept FBI standard
fingerprint cards completed by a police department or an approved third party
vendor, individuals could complete all necessary fingerprinting at once.
d. Credentialing business entity key personnel can be a hands-on process,
but has proved indispensable for financial services licensing. Are there
alternative means of credentialing that may facilitate the process?
In addition to the fingerprinting process and the credit checks run through
NMLS, many states require officers and directors of applicants to complete
extensive forms covering information such as employment and residential
history even though such information is provided through the NMLS MU2 filings.
The need for these forms could be eliminated by simply expanding the scope of
the MU2 filing on NMLS to cover all relevant information.
3. Training and Education – Educating regulators about virtual currency
business activities and business models is an important part of building a
responsive and robust regulatory structure.
a. What education may be necessary for state regulators to aid in the
licensing
process?
Due to the complexity of digital currency, regulators should ensure that training
takes place to understand the technology and regulators have staff and
resources to properly oversee digital currency firms. Training should be
provided on blockchain technology and digital currency transactions.
b. What resources are available to explain technology and business models
across the virtual currency industry?
7.
DATA CSBS COMMENTS 7
The CSBS and state regulators can utilize groups like DATA and industry trade
associations to get a broad perspective on the technology and related business
models. Also, groups like the Bitcoin Foundation would helpful based on their
mission to oversee the core development of Bitcoin.
4. Technological Innovations – What changes and innovations have been
seen and/or can be anticipated in the technological aspects of virtual
currencies and the resulting marketplace?
New products and services are emerging in an attempt to disrupt current
payment systems. Many companies are trying to make digital currency easier to
use by consumers and merchants and to create products to directly address the
risks associated with digital currency. Blockchain technologies may shift the
policy goalposts and traditional mechanisms that, when applied to these
technologies, may produce unintended negative consequences.
Blockchain technologies enable companies, regulators and auditors to conduct
real-time risk analysis of transactions with immutable data collection and
auditability, which was previously technologically impossible. Furthermore,
emerging innovations and practices in the ecosystem such as multisignature
(segregation in controls, granularity in corporate and treasury duties,
impossibility of internal fraud, real-time transparency and auditability), the
advent of proof-of-reserves methods (users can verify their balances online at
platforms in real-time), and “continuous real-time accounting” may aid CSBS in
their policy goals. Innovations in areas such as Big Data and the Internet of
Things are facilitated by blockchain technologies, which utilize smart contracts
enabling automated interactions without human intervention, reducing
transaction costs, and offer secure, efficient communication and payment
networks.4
These emerging innovations also directly bear on CSBS policy goals and CSBS
should work with organizations like DATA to better understand the capabilities
of these technologies. Working with the industry to understand these
technologies may change CSBS evaluation of the policy tradeoffs and the
mechanisms used to achieve CSBS policy goals, including facilitating safety and
soundness of licensees, and enabling more consumer choice and control. It is
essential that policymakers understand that Internet and p2p technologies
4
See IBM ADEPT White Paper using blockchain to show proof-of-concept for machine-to-
machine interaction in the Internet of Things, available at
http://www.computerweekly.com/news/2240238627/IBM-uses-Bitcoin-technology-to-build-
internet-of-things-platform.
8.
DATA CSBS COMMENTS 8
present unique challenges to oversight regimes historically based on centralized
systems and gatekeepers, and that emerging technologies exacerbate the
governance gap. Therefore, multi-stakeholder collaboration is necessary in
building the correct frameworks, and there are many organizations and
individuals who are willing to assist CSBS in understanding the risks and
benefits of these emerging innovations. Regulations should be flexible enough
to deal with these changes and also evolve to address emerging risks.
5. Denomination of Capital, Permissible Investments, and Bond Coverage –
Capital, permissible investments, and surety bond requirements exist to
create financial security in the event of failed transactions or a failed
business. For financial services companies dealing in virtual currencies,
should these safety funds be denominated in the applicable virtual
currency or in dollars?
In addition to holding reserves, digital currency firms maintain minimum capital,
surety bonds, and in some cases private insurance against theft of assets, to
further protect customer funds. Like any other money transmitter, state
supervisors have the authority to require firms maintain additional levels of
protection. In this context, DATA believes it is appropriate for digital currency to
be held as permissible investment.
6. Distressed or Failed Companies – Certain requirements in the Draft
Framework are designed to provide regulators with tools for dealing with
distressed or failed companies. Please comment on the practical issues
and challenges facing regulators in the case of a distressed or failed
company. What other tools should regulators have for resolving a failed
virtual currency company, minimizing consumer harm and market impact?
Digital currency firms have a duty to protect client funds. As a result, firms have
full reserves for these assets and are subject to capital requirements and other
rules around risk controls. State regulators can protect against failures by
ensuring that digital currency companies operate in a safe and sound manner
and have adequate safeguards over client funds. Regulators can guarantee
safeguards are in place through licensing, reporting and examinations. State
regulators should also consider resolution procedures that ensure customer
funds receive priority in the event a failure.
7. Consumer Protections – What consumer remedies should policy makers
consider for virtual currency financial activities and transactions?
9.
DATA CSBS COMMENTS 9
Digital currency firms have a fiduciary duty to protect client funds. Regulators
must therefore ensure these funds are protected at the front end and remedies
are established in the event of a loss. In terms of controls, consumers must be
given adequate disclosures to understand transactions, including the risks and
liability. Digital currency firms should have security protocols in place to ensure
funds are not lost. If there is a loss, funds should be protected or reserved for in
a manner in which the customer can recoup funds with minimal exposure. There
should be resolution procedures for digital currency companies to be able to
handle customer complaints.
8. State Insurance or Trust Funds – Some states have laws that create a
trust or insurance fund for the benefit of instrument holders (i.e., holders of
checks, money orders, drafts, etc.) in the event that a licensed money
transmitter defaults on its obligation or is otherwise unable to make
payment on the instrument. Is it appropriate to allow holders of
instruments denominated in virtual currency access to such insurance or
trust funds?
Yes. We believe that the holders of digital currency assets are holding value
similar to holders of other negotiable instruments and therefore should be
provided these additional protections.
9. BSA/AML – Fraud and illicit activities monitoring are increasingly
technology based and proprietary, especially for virtually currency
companies. Are state and federal exam procedures current with regards to
new methods of detecting BSA/AML activity?
We believe that current state and federal exam procedures provide a starting
point for a general framework to oversee digital currency firms. Existing
guidelines for money transmitters, along with the March 2013 FinCEN guidance,
provide details on who should be regulated and how. As the industry develops,
exam procedures need to be updated to reflect specific risks and controls being
used by digital currency businesses. Companies in this area have developed
new ways to detect fraud and illicit activity. Regulators need to have the
expertise and be made aware of these methods.
10. Customer Identification – The Draft Framework includes maintaining
records on the identification of virtual currency owners. Credentialing
consumers for identification purposes can be accomplished to varying
degrees, from basic account information to verified personal identification.
What is the appropriate level of identification?
10.
DATA CSBS COMMENTS 10
DATA believe that the determining the appropriate level customer identification
information required should be based on risks presented. At a minimum, digital
currency firms should have KYC procedures for non-de minimus transactions to
ensure that they understand the identity and risks for each customer. CSBS
should consider a de minimus threshold that exempts certain de minimus
transactions from data collection (which presents clear privacy risks) but would
require more rigorous KYC procedures as the risk increases with transaction
amount and volume. Firms should screen customers against sanction party lists
and should conduct enhanced due diligence in scenarios where higher risks are
presented. Ultimately, firms need to gather enough data to demonstrate they
understand the risks presented.
11. Regulatory Flexibility – The Draft Framework stresses regulatory
flexibility to accommodate different activity levels and business models
and to avoid inhibiting innovation.
a. Given the rapidly evolving nature of virtual currencies, what should be
the nature of any necessary flexibility?
Regulators should consider a principles-based approach instead of prescriptive
rules, which may quickly become outdated given the fast-changing
technology. There should be flexibility within the regulations for digital currency
firms to be able to comply with the spirit, as well as the letter, of the law.
Regulators should grant a level of flexibility to supervisors, but too much
discretion could lead to excessive differences between state regulators. CSBS
should implement a transparent appeals process to ensure that discretion is not
improperly exercised because of an individual regulator’s lack of education
about the business model or technology.
b. How can laws and regulations be written to strike a balance between
setting clear rules of the road and providing regulatory flexibility?
Regulators can achieve their objectives through establishing clear principles that
establish areas of risk that need to be addressed. Implementing safe harbor
provisions will also provide regulatory certainty and flexibility for these nascent
technologies. As mentioned, regulators can hold firms accountable and adjust
criteria based on ongoing examinations and reviews.
12. Reporting Requirements – Most states require money transmitter
licensees to submit periodic reports of business activities.
11.
DATA CSBS COMMENTS 11
a. For licensed virtual currency companies, what types of information and
data should be included in periodic reports?
Periodic reporting for digital currency companies should mirror reporting by
other money transmitters. This information may include financial data, risk
profile metrics and other major business changes.
b. What technology solutions exist to mitigate regulatory reporting
requirements?
Regulators can leverage the blockchain to audit and review digital currency
firms and related transactions. In addition, regulators can place some level of
reliance on independent third party assessments. The industry is working on
ways to further leverage the blockchain and the core technology associated with
Bitcoin and other cyptocurrency to provide further transparency.
13. Technological Solutions to Improve Supervision – State exams and
reporting requirements reflect an institution at a point in time. Conversely,
operational standards and internal compliance audits increasingly offer the
opportunity for real time data collection, interacting with transmission data
to ensure adequate funding, anti-money laundering compliance, fraud
protection, and consumer protection. What technology solutions can
regulators and licensees deploy to close information gaps in a manner that
makes the supervisory process more efficient and “real time?”
Blockchain technologies enable companies, regulators and auditors to conduct
real-time risk analysis of transactions with immutable data collection and
auditability, which was previously technologically impossible. Furthermore,
emerging innovations and practices in the ecosystem such as multisignature
(segregation in controls, granularity in corporate and treasury duties,
impossibility of internal fraud, real-time transparency and auditability), the
advent of proof-of-reserves methods (users can verify their balances online at
platforms in real-time), and “continuous real-time accounting” may aid CSBS in
their policy goals. CSBS should work with organizations like DATA to better
understand the capabilities of these technologies which may change the
mechanisms used to achieve policy goals, and facilitate safety and soundness
of licensees, and enable more consumer choice and control.
While state examinations are point in time, state supervisors may rely on audits
and internal compliance reviews to get some insight into the ongoing operations
12.
DATA CSBS COMMENTS 12
of digital currency firms. Supervisors can also use internal and external data
points to have continued insight into firms, including periodic reporting and
reviews of customer complaints with the federal and state regulators.
14. Cyber Risk Insurance. Companies have begun looking to insurance to
help manage cyber risks, and there are a growing number of companies
offering cyber liability insurance. What role should cyber risk insurance
have in a licensed virtual currency entity's approach to managing cyber
risks? Please discuss the potential costs and benefits for virtual currency
companies securing cyber risk insurance.
With the fall of Mt. Gox and issues at other digital currency exchanges,
regulators and consumers have expressed concern over the safety of digital
assets held by firms. Cyber Risk Insurance is another level of protection for
customer funds beyond what is in place involving security controls, surety
bonds, capital requirements, etc. On one hand, it is encouraging that the
industry has been able to create this market opportunity and provide more
protection for the consumer. However, on the other, at this early stage, the
costs are high for this type of coverage and the carriers are selective on who
they will insure, but there are a lot of benefits. Therefore the requirement of
cyber risk insurance at present would present a barrier to entry for
entrepreneurs and smaller firms. We would expect these coverages to evolve
and expand over time. The current coverage protects against the theft of digital
assets.
15. Commercial Fund Transfer Liability – Article 4A of the Uniform
Commercial Code establishes liability for wire transfers, relying on
definitions strictly applicable to banks. Are provisions like those in Article
4A necessary for commercial transfers denominated in virtual currencies?
If so, is the Article 4A construct an appropriate model to be adapted in a
manner that is not bank-centric?
Digital currency has some unique characteristics that should be contemplated in
determining some type of Article 4A liability. These transactions are anonymous
and are not subject to chargeback. Some elements of Article 4A may be used
as a guideline for creating a regime to address these issues, but more analysis is
needed to determine what is appropriate for these types of transactions and
what type of rules could provide protections without significantly interfering with
the beneficial nature of the transactions.
13.
DATA CSBS COMMENTS 13
16. Banking Services for Virtual Currency Companies – Banking
arrangement information is necessary for evaluating the safety and
soundness of a licensee. However, virtual currency businesses are not
immediately understood by most banks that provide traditional money
services accounts. What are the risks facing banks that consider banking
virtual currency companies, and how can those risks be mitigated?
DATA members continue to have issues finding banking partners willing to
assume the risk of working with a digital currency business. Most banks
continue to de-risk entire legitimate business models (e.g., money services
businesses) due to regulatory and business pressures.
In considering whether to offer banking services to a digital currency firm, banks
should take a risk-based approach and treat these firms similar to any other
MSB. Providing regulatory certainty as to relevant risk metrics and exempt
business models would better enable banks to make reliable business decisions
for accounts. Banks should evaluate the risk management program as a whole,
including staff, policies, procedures and controls. Banks should perform due
diligence and look at the highest risk areas, such as financial crimes and
security and determine whether controls are adequate in these areas. Banks
that do business with digital currency firms should monitor activity on an
ongoing basis and seek to get reports from digital currency firms. For their part,
digital currency firms seeking banking partners should conduct a
comprehensive risk assessment to outline and rank risks and then create
appropriate controls.
17. Merchant-Acquirer Activities – Companies processing credit card
payments between a buyer’s bank and a seller’s bank (Merchant-
Acquirers) have historically been presumably exempt from money services
businesses statutes because of their nexus to the highly regulated banking
system. A company processing virtual currency payments for merchants
who accept virtual currency as payment for goods and/or services may
exchange virtual currency to dollars, which can then be transferred to the
merchant’s bank account. Is this activity akin to the activities of traditional
Merchant-Acquirers, or is it the exchange and subsequent transmission of
value that is typically regulated by the states?
Most payment processor activity is similar to the activities of traditional
Merchant-Acquirers and therefore should be treated separately for regulatory
purposes. Furthermore, blockchain technologies reduce former risks and
increases transparency associated with similar service providers. As previously
14.
DATA CSBS COMMENTS 14
discussed, DATA believes that facilitators should be exempt from the Proposed
Model Framework.
18. Cost – State regulators are cognizant of the costs associated with
licensure and ongoing compliance. What processes can be implemented to
reduce these costs, including any shared services or technology-based
reporting?
DATA members are varied in terms of costs associated with licensure and
compliance. We believe that the regulatory framework needs to strike the right
balance and weigh benefits against costs and burdens. Digital asset firms are
leveraging technology and third party resources to comply with laws. We believe
this is appropriate as long as proper diligence is performed and the licensed
entity maintains control and responsibility over systems.
19. Escheatment – How should virtual currency be treated under state
escheatment laws?
Virtual currency should be treated as any other asset under state escheatment
laws and abandoned funds should be treated accordingly.
Conclusion
DATA is encouraged by the Proposed Model Framework and look forward to
working with the CSBS in finalizing this proposal. Regulatory clarity is needed
for businesses to deliver this important technology to mainstream consumers.
If you have any questions, please feel free to contact me at 202-530-4821 or
chris.mitchell@datauthority.org.
Sincerely,
Christopher Mitchell
Executive Director