This week, the New York DFS announced the extension of the comment period on its proposal to create a regulatory licensing framework for virtual currency companies, including a so-called BitLicense. Given the “significant amount of public interest in and commentary on” the proposal, the DFS doubled the length of the comment period from 45 to 90 days. Comments are now due by October 21, 2014. Further information about the proposal and related issues is available here.
FinCEN Rules Regulations on Money Services Businesses Do Not Apply to ISOs and Exempt Payment Processors
On August 27, FinCEN issued FIN-2014-R009, an administrative ruling clarifying that Independent Sales Organizations (“ISOs”) and exempt payment processors are not money transmitters subject to Bank Secrecy Act (“BSA”) regulations applicable to Money Services Businesses (“MSBs”). Under BSA MSB regulations, the term “money transmitter” applies to any person that provides money transmission services or otherwise engages in the transfer of funds. The term “money transmission services” includes the acceptance of currency, funds, or other value that substitutes for currency from one person and the transmission of currency, funds, or other value that substitutes for currency to another location or person by any means. Applying these standards, FinCEN determined that BSA MSB regulations do not apply to an ISO, so long as it: (i) merely solicits merchants to offer them the credit and debit card processing services of two counterparties; and (ii) does not take possession or control of merchant funds at any point. However, FinCEN concluded that BSA MSB regulations will apply to a payment processor unless the payment processor qualifies for the payment processor exemption established by 31 CFR § 1010.100(ff)(5)(ii)(B) and clarified by FIN-2013-R002. Under this exemption, BSA MSB regulations do not apply to a payment processor, so long as it: (i) facilitates the purchase of goods or services, or the payment of bills for goods or services (other than money transmission itself); (ii) operates through clearance and settlement systems that admit only BSA-regulated financial institutions; (iii) provides its services pursuant to a formal agreement; and (iv) the agreement itself is at a minimum with the seller or creditor that provides the goods or services and receives the funds. For a copy of the ruling, please see: Application of Money Services Business Regulations to a Company Acting as an Independent Sales Organization and Payment Processor.
On August 11, the Consumer Financial Protection Bureau (the CFPB or Bureau) issued a “consumer advisory” concerning virtual currency and also announced that it would begin accepting consumer complaints about virtual currency or virtual currency companies. These actions are the consumer agency’s first foray into virtual currencies, and they follow a recent GAO report that recommended the CFPB play a larger role in the development of federal virtual currency policy. Read more…
On July 17, the New York Department of Financial Services (NYDFS) proposed a rule intended to govern the virtual currency marketplace. The proposed rule is extremely broad and as currently drafted would appear to capture products provided by traditional brick and mortar banks and other regulated financial institutions. For example, as proposed, the rule could regulate:
- Reward programs, “thank you” offers, or digital coupons that offer cash back or statement credits;
- Generated numbers that access cash;
- Prepaid access and other cards that will allow customers to receive cash, including those customarily exempt such as government funded transfers;
- P2P transfers; and
- Wallet providers where the customer can access cash.
If left unaddressed, these apparent unintended consequences could create a confusing regulatory environment for certain bank and card products. It is also noteworthy that the rule does not provide any customary exclusions for chartered entities, raising substantial preemption questions. Read more…
BuckleySandler Webinar Recap: Top 10 Things You Need to Know About the New York BitLicense Proposed Rule
On August 6, BuckleySandler hosted a webinar, Top 10 Things You Need to Know about the New York BitLicense Proposed Rule. Michael Zeldin, Special Counsel at BuckleySandler, moderated the panel, which featured presentations by Partner Margo H. K. Tank and Counsel Amy Davine Kim of BuckleySandler’s Digital Commerce and Payments Group.
Overall, our presenters agreed that the regulatory framework proposed by the New York Department of Financial Services (DFS) would establish a different and more difficult standard for the virtual currency industry than for the traditional money transmitter industry. The rigorous data security, consumer protection, and anti-money laundering provisions may unintentionally operate as a high barrier to entry into the virtual currency industry while favoring established companies with experience and resources to handle these issues. Our presenters also offered specific areas of improvement and clarification for organizations to take into account when drafting comments on the proposal.
The following provides a more detailed summary of the discussion: Read more…
On August 1, the FTC released a staff report on the agency’s review of shopping apps—those used for comparison shopping, to collect and redeem deals and discounts, and to complete in-store purchases. The FTC staff examined information available to consumers before they download the software onto their mobile devices—specifically, information describing how apps that enable consumers to make purchases dealt with fraudulent or unauthorized transactions, billing errors, or other payment-related disputes. The staff also assessed information on how the apps handled consumer data. The FTC staff determined that the apps studied “often failed to provide pre-download information on issues that are important to consumers.” For example, according to the report, few of the in-store purchase apps provided any information prior to download explaining consumers’ liability or describing the app’s process for handling payment-related disputes. In addition, according to the FTC, most linked privacy policies “used vague language that reserved broad rights to collect, use, and share consumer data, making it difficult for readers to understand how the apps actually used consumer data or to compare the apps’ data practices.” The FTC staff recommends that companies that provide mobile shopping apps to consumers: (i) disclose consumers’ rights and liability limits for unauthorized, fraudulent, or erroneous transactions; (ii) clearly describe how they collect, use, and share consumer data; and (iii) ensure that their strong data security promises translate into strong data security practices. The report also includes recommended practices for consumers.
On August 1, the U.S. Senate passed by unanimous consent H.R. 4386, which will permit FinCEN, in fulfilling its responsibility to supervise registered money services businesses (MSBs), to rely on state agency examinations of MSBs. The bill also covers other non-bank financial institutions such as gaming establishments and jewel merchants. The bill passed the House by voice vote in May. The President, who sought this authority for FinCEN in budget requests, is expected to sign the bill.
On August 7, the PCI Security Standards Council (PCI SSC), the open global forum responsible for setting payment security standards, published an information supplement titled “Third-Party Security Assurance Guidance,” which is designed to help organizations and their business partners reduce payment data risk from third-party operations. In November 2013, the PCI SSC updated two data security standards. The first, PCI DSS, applies to entities involved in payment card processing—merchants, processors, acquirers, issuers, and service providers, as well as all other entities that store, process or transmit cardholder data, and the second, PA DSS, applies to software vendors and others who develop payment applications that store, process, or transmit cardholder data as part of authorization or settlement, where these payment applications are sold, distributed, or licensed to third parties. The new guidance supplements certain PCI DSS requirements related to when a merchant or entity shares cardholder data with a third-party service provider. Specifically, the supplemental guidance provides “practical recommendations” on how to: (i) conduct due diligence and risk assessment when engaging third-party service providers; (ii) implement a consistent process for engaging third-parties; (iii) develop appropriate agreements, policies, and procedures with third-party service providers; and (iv) implement a process for maintaining and managing third-party relationships through the lifetime of the engagement.
On August 6, in remarks at a financial technology conference, the UK’s Chancellor of the Exchequer, George Osborne, outlined the UK government’s plans for the UK to become a world leader in financial innovation and financial technology. Mr. Osborne noted the UK’s science and technology resources and its history of leading the way in financial innovation. He called for new means of banking and payments for consumers and businesses that go beyond just viewing statements online and that “bypass traditional banks altogether, and lend money directly – through peer-to-peer platforms.” Mr. Osborne believes that “with the right backing from government,” London can become “the Fin Tech capital of the world.” To that end, he detailed the government’s plans to support financial innovation, including by: (i) establishing an appropriate tax regime for the industry; (ii) committing funds for government investment programs; (iii) establishing a favorable regulatory regime; (iv) creating a new partnership between Innovate Finance and the British Business Bank to champion financial innovation and technology; and (v) launching a “major program of work exploring the potential of virtual currencies and digital money.” For example, as part of the regulatory changes, Mr. Osborne described several pieces of legislation, including those that will: (i) require the large UK banks to “pass on information on small businesses they reject for loans, so that FinTech Companies and alternative lenders can step in and offer finance instead”; and (ii) allow consumers to use their smart phones to pay in checks.
The New York Department of Financial Services riveted the attention of the virtual currency world (and just about everyone else involved with digital financial services), with its July 17 proposal to issue licenses for Virtual Currency Business Activities. The so-called BitLicense proposal features broad coverage; open ended capital and bonding requirements; personal investigation of founders, investors and even employees; and prior regulatory approval of new products and activities.
These and other aspects of BitLicensing beg the question: will licensing protect the public and investors? Or just drive Bitcoin participants out? (If they leave, they may find roadblocks elsewhere; days before New York’s announcement, France’s Ministry for the Economy and Finance, for example, proposed regulating Bitcoin.) Opportunistic locales for virtual currency operators are already being identified, such as the Isle of Man, a self-governing British Crown Dependency, whose Financial Supervision Commission says it is “not the appropriate time” to introduce a regulatory regime, while warning there is no consumer protection in the digital currency market. Think about this: Tiny Delaware is a corporate legal haven, Switzerland created an international bank haven, and a virtual currency haven may be next. Regulatory exercises like New York’s could advance that option. Read more…
Recently, the Federal Reserve Board released two payments-related reports: (i) a report to Congress on government-administered general use prepaid cards; and (ii) a detailed report on the Federal Reserve’s 2013 payments study. The report on government-administered prepaid cards analyzes the $502 million in fee revenue collected by issuers in 2013, a majority of which was attributable to interchange fees. For consumer-related fees, the report indicates such fees derived primarily from ATM-related charges. The second report details findings from the 2013 Federal Reserve Payments Study, the fifth in a series of triennial studies conducted by the Federal Reserve System to comprehensively estimate and study aggregate trends in noncash payments in the United States. The paper expands on the 2013 summary findings originally published last December, and includes, among many other things, the following new findings: (i) credit cards are more prevalent than other general-purpose card types; (ii) among general-purpose cards with purchase activity in 2012, consumers preferred debit cards, with an average use of 23 payments per month, compared with an average of 11 payments per month for general-purpose credit cards and 10 payments per month for general-purpose prepaid cards; (iii) although the number of ATM cash withdrawals using debit cards and general-purpose prepaid cards dropped slightly, growth in the value of ATM withdrawals continued to exceed inflation; (iv) the number of online bill payments reported by major processors, which included those initiated through online banking websites and directly through billers and settled over ACH, exceeded three billion in 2012; and (v) there were more than 250 million mobile payments made using a mobile wallet application, and at least 205 million person-to-person or money transfer payments.
On July 18, FinCEN published SAR Stats—formerly called By the Numbers—an annual compilation of numerical data gathered from the Suspicious Activity Reports (SARs) filed by financial institutions using FinCEN’s new unified SAR form and e-filing process. Among other things, the new form and process were designed to allow FinCEN to collect more detailed information on types of suspicious activity. As such, FinCEN describes the data presented in this first SAR Stats issue as “a new baseline for financial sector reporting on suspicious activity.” The primary purpose of the report is to provide a statistical overview of suspicious activity developments, including by presenting SAR data arranged by filing industry type for the more than 1.3 million unique SARs filed between March 1, 2012 and December 31, 2013. In addition, the redesigned annual publication includes a new SAR Narrative Spotlight, which focuses on “perceived key emerging activity trends derived from analysis of SAR narratives.” The inaugural Spotlight examines the emerging trend of Bitcoin related activities within SAR narrative data. It states that FinCEN is observing a rise in the number of SARs flagging virtual currencies as a component of suspicious activity, and provides for potential SAR filers an explanation of virtual currencies and the importance of SAR data in assessing virtual currency transactions.
On July 17, the New York DFS announced a proposal to establish a licensing regime for virtual currency businesses, the first by any state. In January, the DFS held a two-day hearing on developing a regulatory framework for virtual currency firms, and subsequently sought applications for virtual currency exchanges pending completion of the regulations. The proposed regulations define virtual currency as “any type of digital unit that is used as a medium of exchange or a form of digitally stored value or that is incorporated into payment system technology.” This would include digital units of exchange that: (i) have a centralized repository or administrator; (ii) are decentralized and have no centralized repository or administrator; or (iii) may be created or obtained by computing or manufacturing effort. It would exclude digital units that are used solely within online gaming platforms or that are used exclusively as part of a customer affinity or rewards program.
Under the proposal, the state would require companies engaged in the following activities to obtain a so-called BitLicense: (i) receiving or transmitting virtual currency on behalf of consumers; (ii) securing, storing, or maintaining custody or control of such virtual currency on the behalf of customers; (iii) performing retail conversion services; (iv) buying and selling virtual currency as a customer business (as distinct from personal use); or (v) controlling, administering, or issuing a virtual currency. To obtain a license, a business would be required to, among other things: (i) hold virtual currency of the same type and amount as any virtual currency owed or obligated to a third party; (ii) provide transaction receipts with certain required information; (iii) comply with AML rules; (iv) maintain a cyber security program; and (v) establish business continuity and disaster recovery policies. Licensed entities would be subject to DFS supervision, with examinations taking place no less than once every two calendar years. The proposal will be published in the New York State Register’s July 23, 2014 edition, which begins a 45-day public comment period.
On June 28, California Governor Jerry Brown signed AB 129, which repeals a state ban on the issuance or circulation of anything but lawful money of the United States. As described in a legislative staff analysis of the bill, the repeal is designed to ensure that forms of alternative currency such as digital currency, points, coupons, or other objects of monetary value do not violate the law when those methods are used for the purchase of goods and services or the transmission of payments in California.
On July 4, the European Banking Authority (EBA) released an Opinion that outlines for the EU Council, the European Commission, and the European Parliament requirements that would be needed to regulate virtual currencies. The EBA identified more than 70 risks across several categories and numerous causal drivers for those risks, including that (i) a virtual currency scheme can be created, and then its function subsequently changed, by anyone, and in the case of decentralized schemes, by anyone with a sufficient share of computational power; (ii) payer and payee can remain anonymous; (iii) virtual currency schemes do not respect jurisdictional boundaries and may therefore undermine financial sanctions and seizure of assets; and (iv) market participants lack sound corporate governance arrangements. To address those drivers, the EBA believes a regulatory framework would need to comprise, among other elements: (i) governance requirements for certain market participants; (ii) segregation of client accounts; (iii) capital requirements; and (iv) the creation of “scheme governing authorities” accountable for the integrity of a virtual currency scheme and its key components, including its protocol and transaction ledge. Given that the creation of such a regulatory framework will take time, the EBA recommends that European national prudential regulators take action in the immediate term to discourage financial institutions from buying, holding or selling virtual currencies while no regulatory regime is in place. In addition, the EBA recommends that EU legislators consider declaring market participants at the direct interface between conventional and virtual currencies, such as virtual currency exchanges, to become “obliged entities” under the EU Anti Money Laundering Directive and thus subject to its anti-money laundering and counter terrorist financing requirements. The EBA report follows a recent reportby the inter-governmental Financial Action Task Force (FATF) that provides an overview of virtual currency terms, markets, risks, and law enforcement actions announced to date.