On June 3, the New York Department of Financial Services (NYDFS) issued final rules establishing a licensing and regulatory framework for companies engaged in activities relating to virtual currencies, such as Bitcoin. Our colleagues provided an in-depth analysis of this “BitLicense” framework in a recent LawFlash.
The rules require companies with virtual currency operations in New York to obtain a license from the NYDFS and to comply with additional requirements as set forth in the rules. For the purposes of this blog, some highlights of the rules include the following:
- Compliance obligations. Each licensee must comply with all applicable laws, designate a compliance officer, and maintain and enforce compliance policies relating to anti-fraud, anti-money laundering, cybersecurity, and privacy and information security.
- Cybersecurity program. Each licensee must “establish and maintain an effective cyber security program to ensure the availability and functionality of the Licensee’s electronic systems and to protect those systems and any sensitive data stored on those systems from unauthorized access, use, or tampering.” The rules lay out five “core cyber security functions” that the cybersecurity program must address and also describe specific areas that each licensee must address through a written cybersecurity policy. In addition, each licensee must (i) designate a Chief Information Security Officer responsible for overseeing the cybersecurity program and policy, (ii) comply with certain reporting and audit requirements relating to cybersecurity, and (iii) ensure that applications follow written security standards and guidelines.
- Business continuity and disaster recovery. Each licensee must “establish and maintain a written business continuity and disaster recovery (‘BCDR’) plan reasonably designed to ensure the availability and functionality of the Licensee’s services in the event of an emergency or other disruption to the Licensee’s normal business activities.” The rules set forth minimum requirements for each BCDR plan and require at least annual testing of such plan.