On Thursday, December 15, 2022, the New York Department of Financial Services (“DFS”) released a letter (the “Guidance”) outlining the pre-approval application and evaluation process for New York regulated banking organizations that seek to engage in new or significantly different virtual currency-related activities, including virtual currency business activity. While conceptually similar to the approach federal banking regulators have taken in requiring supervisory non-objection (the OCC) or prior notice (the FRB and FDIC) before banking organizations can engage in certain crypto-asset-related activities, the Guidance introduces additional procedural requirements that will likely prove onerous to New York banking organizations. The Guidance is final and effective immediately, and explicitly applies to institutions currently engaged in virtual currency-related activity, who are advised to “promptly notify” their point of contact at the DFS.
Banking Organizations Subject to Prior Approval
Under the DFS’s “BitLicense” regulation (23 NYCRR Part 200), prior approval from the superintendent of the DFS was already required for organizations chartered under New York Banking Law that wished to engage in virtual currency business activities (without formally applying for a BitLicense). The Guidance clarifies the process and requirements for this prior approval and also appears to expand the requirement to encompass virtual currency-related activities (as opposed to just virtual currency business activity).
The Guidance applies not just to organizations chartered under New York Banking Law but to all New York banking organizations, which includes all banks, trust companies, private bankers, savings banks, safe deposit companies, savings and loan associations, credit unions and investment companies. It also applies to branches and agencies of foreign banking organizations that are licensed by the DFS (together with the institutions above, “covered institutions”).
What Types of Activities are Covered?
The DFS notes that for purposes of the Guidance, “virtual currency-related activity” includes all “virtual currency business activity,” as well as “direct or indirect offering or performance of any other product, service, or activity involving virtual currency that may raise safety and soundness concerns for the covered institution or that may expose New York customers of the covered institution or other users of the product or service to risk of harm.”
Virtual currency business activity means the following activities:
- receiving or transmitting virtual currency for financial purposes;
- custodying or holding virtual currency on behalf of others;
- buying and selling virtual currency as a customer business;
- performing exchange services as a customer business; or
- issuing, controlling, or administering virtual currency.
The Guidance provides further examples of the types of activities that the DFS considers to be virtual currency-related activities, many being traditional banking activities, including:
- offering digital wallet services to customers;
- lending activities collateralized by virtual currency assets;
- facilitation of a covered institution’s customers’ participation in virtual currency exchange or trading;
- services related to stablecoins, including reserve services for stablecoin issuers; and
- engaging in traditional banking activities involving virtual currency through the use of new technology that exposes the covered institution to different types of risk (e.g., underwriting a loan, debt product, or equity offering effected partially or entirely on a public blockchain).
Under the Guidance, covered institutions are required to seek prior approval from the DFS before commencing any “new or significantly different virtual currency-related activity.” The DFS defines a “new or significantly different virtual currency-related activity” to include a new, or a proposed change to an existing, virtual currency-related product or service that (i) may raise a legal or regulatory issue about permissibility; (ii) may raise safety and soundness, including operational, concerns; or (iii) may cause the product or service to be significantly different from that previously approved. This test appears to be derived from the definition of a “materially new product, service, or activity” or a “material change” from the DFS’s BitLicense regime.
The Guidance explicitly notes that activities performed through a third-party service provider may still warrant prior approval, where there is sufficient involvement by the covered institution. Accordingly, the Guidance advises covered institutions to consult with the DFS prior to engaging a third party to assist in performing a new or significantly different virtual currency-related activity.
Prior Approval Process
A covered institution must inform the DFS of its intention to engage in any new or significantly different virtual currency-related activity 90 days before commencing the activity. The DFS will then confirm whether approval is required.
To obtain approval, the Guidance requires a written submission, which must include information corresponding to six different informational categories. The informational content required is extensive, but the Guidance indicates that covered institutions may cross-reference to other materials.
The Guidance provides a detailed checklist for each informational category that should be included in the written submission. Below, we briefly summarize each category:
- Business Plan should detail the proposed activity’s business rationale, operational model, timeline and deliverables, relevant stakeholders, target customer base and fees, expected costs, projected revenues, third-party engagement, and alignment with the business’s legal and compliance frameworks.
- Risk Management should provide a “thorough account” of the covered institution’s enterprise-wide risk-management framework, including how the covered institution will identify, monitor, and control the operational risk, credit risk, market risk, capital risk, liquidity risk, cyber security and fraud risk, technology risk, third-party service provider risk, legal and compliance risks, reputational risk, and strategic risk related to the proposed activity. This section should explain how the proposed activity is in line with the covered institution’s board-approved risk appetite.
- Corporate Governance and Oversight should describe the corporate governance framework applicable to the proposed activity, including internal product development, approval by the board and/or senior management, including copies of internal approvals and presentations, an explanation of the board and senior management’s understanding of the risks, integration into the covered institution’s risk appetite framework, including risk limits and escalation process, and an explanation of board and senior management oversight of policies and procedures.
- Consumer Protection should analyze the risks for customers and other users, and include customer protection policies and procedures, sample customer agreements, and marketing materials, policies, and procedures.
- Financials should include corporate financial documents, and describe the expected impact of the activity on the covered institution’s capital and liquidity. The checklist requests pro forma balance sheet(s) and income statement(s), among other information.
- Legal and Regulatory Analysis should detail the permissibility of the proposed activity and key legal risks and mitigants, and should include legal opinions from counsel and any licenses or authorizations from any domestic or international regulators.
While the Guidance is conceptually similar to the prior approval requirements established by the federal banking regulators for crypto related activities, it is far more onerous and prescriptive in its procedural requirements. The Guidance requires covered institutions to provide a substantial amount of detailed and confidential information to the DFS, such as internal policies, internal control frameworks and legal memoranda from outside counsel, among others. Further, the Guidance requires a new application and approval every time a covered institution modifies or adds to its virtual currency activity, even if the covered institution has previously received approval from the DFS. The Guidance does not establish a timeline for DFS review of these applications. Ultimately, the Guidance forces New York banking organizations to comply with requirements similar to the BitLicense application requirements themselves.
Recent developments in the crypto industry, including the recent bankruptcies of large crypto exchanges FTX and BlockFi, have heightened attention to the potential risks both consumers and the market face from virtual currency-related activities. Superintendent Adrienne Harris stated that the Guidance is intended both to protect consumers and to ensure that covered institutions remain resilient and competitive. In light of the current regulatory environment, banking organizations should expect particular scrutiny over prior approval applications submitted pursuant to the Guidance.
For further discussion and analysis of developments regarding banking organization prior approval requirements for crypto related activity, see another related post:
To subscribe to the Debevoise Fintech Blog, click here.