On December 15, 2022, the New York Department of Financial Services (“NYDFS”) published an Industry Letter detailing the Department’s guidance regarding banking organizations that wish to engage in virtual currency-related activities. Specifically, while the guidance reminds New York banking organizations, branches, and agencies of foreign banking organizations licensed by the Department (together, “Covered Institutions”) of the preexisting obligation to seek approval from the Department before engaging in new or significantly different virtual currency-related activity, the guidance describes the process and types of information that the Department considers relevant to its approval process. The guidance is effective as of December 15, 2022, and was accompanied by a press release from NYDFS’ Superintendent Adrienne A. Harris.
For the purposes of the Industry Letter, “virtual currency-related activity” includes “all ‘virtual currency business activity,’ as that term is defined in 23 NYCRR § 200.2(q), as well as the direct or indirect offering or performance of any other product, service, or activity involving virtual currency that may raise safety and soundness concerns for the Covered Institution or that may expose New York customers of the Covered Institution or other users of the product or service to risk of harm.” As we will discuss, any Covered Institution seeking NYDFS approval should focus in part on addressing the Bank Secrecy Act (“BSA”)/Anti-Money Laundering (“AML”) and Office of Foreign Asset Control (“OFAC”)-related risks posed by the virtual currency-related activity.
While a license is normally required to conduct virtual currency business activity, 23 NYCRR § 200.3(c)(1) provides an exemption for any “persons that are chartered under the New York Banking Law and are approved by the superintendent to engage in virtual currency business activity.” Pursuant to the NYDFS’ new guidance, any such approval must be requested from the Department at least 90 days prior to the day that any Covered Institution intends to commence virtual currency-related activity. To gain approval from the Department, the guidance mandates that sufficient information be provided that would allow it to assess the scope of the Covered Institutions proposal and any impact on the institution’s safety and soundness.
Specifically, the following are provided as examples of information that would allow the Department to properly assess the Covered Institution’s proposal:
- Business Plan: A written plan covering the proposed virtual currency-related activity, including any contemplated phases, the business rationale for the activity, the activity’s relationship with the institution’s strategic initiatives and enterprise-wide risk management framework, and alignment with the institution’s legal and compliance framework.
- Risk Management: The enterprise-wide risk-management framework used to identify, measure, monitor, and control all risks arising from, or related to, the proposed virtual currency-related activity, in line with the Covered Institution’s board-approved risk appetite.
- Corporate Governance and Oversight: A description of the corporate governance framework applicable to the proposed activity.
- Consumer Protection: An analysis of whether and to what extent the proposed virtual currency-related activity will have any impact on customers and other users, including where they interact with a third-party service provider engaged by the Covered Institution, rather than with the Covered Institution directly.
- Financials: An explanation of the expected impacts of the proposed activity on the Covered Institution’s capital and liquidity.
- Legal and Regulatory Analysis: An analysis of the permissibility of the proposed activity and key legal risks and mitigants
To avoid unnecessary duplication, Covered Institutions may cross-reference or incorporate by reference any information response to each topic.
In addition to the written guidance, the Industry Letter contains a Supplemental Checklist as an appendix, which is intended to assist with the preparation of a complete written submission. Under the heading noted above regarding Risk Management, the Industry Letter enourages Covered Institutions submitting information to NYDFS to specifically address how the proposed virtul currency-related activity would impact the Covered Institution’s BSA/AML and OFAC compliance program, including:
- BSA/AML policy and procedures;
- associated risk assessment(s);
- the risk assessment’s associated methodology relevant to the proposed virtual currency-related activity, including those related to transaction monitoring and filtering or Know Your Customer-related control processes; and
- the most recent independent review of the BSA/AML and OFAC compliance programs.
The Industry Letter’s focus on KYC, transaction monitoring and OFAC screening is entirely consistent with recent guidance issued by the NYDFS. As we previously blogged, the NYDFS previously issued Guidance on Use of Blockchain Analytics, a document directed to all virtual currency business entities that either have a NYDFS Bitlicense or are chartered as a limited purpose trust company under the New York Banking Law. The Guidance emphasized “the importance of blockchain analytics to effective [AML and OFAC] policies, processes, and procedures, including, for example, those relating to customer due diligence, transaction monitoring, and sanctions screening.”