“BitLicensing”: New York Virtual Currency Regulations Include Cybersecurity Program Requirement

| 4 minutes

On June 3, 2015, the New York Department of Financial Services (“NYDFS”) issued its final virtual currency regulations after spending a year considering multiple proposals and thousands of comment letter submissions. Notably, the New York regulations include a requirement that businesses providing virtual currency services establish and maintain a cybersecurity program.

The New York regulations constitute the first comprehensive regulatory regime for virtual currency in the United States, although various American federal agencies have issued guidance and some other states have also proposed virtual currency legislation. In contrast, in Canada, there is currently no comprehensive regime to regulate virtual currencies. To date, regulatory developments in respect of virtual currencies in Canada have essentially been limited to anti-money laundering reforms (please see our blog post AMF Now Requires Quebec Virtual Currency ATMs and Trading Platforms to be Licensed for further detail on some of these developments), and have not addressed cybersecurity concerns in relation to virtual currency businesses.

Scope of BitLicensing Regime

The New York regulations introduce the “BitLicense” which will require businesses providing virtual currency services, with certain exceptions, in the State of New York to apply and obtain a special license to do so. Specifically, the BitLicense will apply to any virtual currency business activity involving virtual currency, where “virtual currency “ includes any type of digital unit of exchange that:

  • has a centralized repository or administrator;
  • is decentralized and has no centralized repository or administrator; or
  • is created or obtained by computing or manufacturing effort,

and where “virtual currency business activity” includes any of the following:

  • receiving virtual currency for transmission or transmitting it;
  • holding virtual currency for others;
  • buying and selling virtual currency as a customer business;
  • providing exchange services as a customer business; or
  • controlling, administering or issuing virtual currency.

The regulations carve out certain exceptions. For example, the scope of virtual currency, for the purposes of licensing, does not include digital units that are used solely within online gaming platforms, that cannot be converted into or redeemed for fiat or qualifying virtual currency, that may not be redeemable for real-world goods, services, purchases or discounts, or that are redeemable for goods, services, purchases or discounts in connection with a customer affinity or rewards program. Similarly, the regulations will not apply to software developers or currency miners and the regulations expressly exclude non-financial uses of virtual currency for nominal amounts or merchant or consumer use of virtual currency solely to buy or sell goods or services.

Finally, despite the BitLicense regime only being applicable to business activities involving New York, the extent of the New York jurisdiction will likely include any non-New York company’s dealings with any New York customers, including through online services, and might therefore apply to Canadian entities.

Criteria for License

Under the regulations, applicants for BitLicenses are required to provide certain initial and ongoing disclosure obligations, including with respect to financial disclosure and to consumer disclosure such as irreversibility, volatility and hacking). There are further requirements for licensees including:

  • establishing and maintaining certain consumer protection policies and procedures;
  • maintaining required capital levels, reserves and bond or trust accounts;
  • keeping certain books and records;
  • establishing and maintaining a cybersecurity program, which must involve the designation of a chief information security officer, annual assessment reports to the board of the cybersecurity program, and the institution of a business continuity and disaster recovery plan;
  • establishing and maintaining an anti-money laundering program; and
  • successfully completing examination by the NYDFS.at least once every two years.


The New York BitLicensing regime will undoubtedly result in increased compliance costs for businesses providing virtual currency services. However, BitLicenses should also encourage heightened trust from consumers, investors and financial institutions, and, consequently, enhance stability in the virtual currency industry. It will be interesting to see whether Canada follows suit in contemplating broader regulation of the virtual currency industry, including instituting requirements relating to cybersecurity, or whether regulatory developments in Canada remain limited to the anti-money laundering area.[i]



[i] Please note that we are not licensed to practice law in the State of New York or in the United States more generally. The foregoing should not be construed as legal advice.

cyber security



Stay Connected

Get the latest posts from this blog

Please enter a valid email address