Revised NY Bitcoin Regulations Better, But Problems Remain
The New York Department of Financial Services issued a revised draft BitLicense proposal in February. The Department made a clear effort to improve the BitLicense from its original 2014 proposal to regulate digital currency, such as Bitcoin. However, the new draft still contains problems CDT and others had pointed out in the original proposal. As written, the Department’s new “BitRegs” still undermines the privacy of digital currency users and covers an unnecessarily broad range of services.
[Check out CDT’s blog post and our joint comments with Coin Center and TechFreedom to the original BitLicense draft.]
Digital currency is a fledgling technology with disruptive potential that can enhance the privacy and ease of financial transactions. Because New York is a global financial hub, the digital currency standards that the Department enacts can have a significant impact on the future of this innovation and users’ privacy interests. Other jurisdictions will issue their own digital currency regulations, and the precedent that New York sets will be closely scrutinized – so it’s important to craft nuanced and forward-looking rules.
Improvements Made
The Department made several positive changes from its original BitLicense proposal and deserves credit for listening to comments.
One of the most important improvements is that the new draft regulations make clear that merely developing and disseminating software by itself does not require a BitLicense. We urged the Department to avoid applying the BitLicense’s heavy record-keeping requirements to software developers that create digital currency applications but that do not have any ongoing relationship users – such as a small developer that makes a digital currency wallet application available freely on the Internet.
The new BitLicense draft also removed the requirement that any businesses which “secured” digital currency would be required to get a license. We pointed out that such a change was necessary to avoid needless inclusion of cybersecurity vendors and contractors.
Another improvement is an explicit carve-out for non-financial uses of digital currency protocols, such as using nominal sums of BitCoins to memorialize non-financial transactions on the block chain.
Remaining Problems
Here are three big remaining issues with the BitLicense, and our recommendations for addressing them.
1) Counterparty Identification
One of the most severe problems we raised with the original BitLicense was its blanket requirement that license-holders collect, maintain, and share the identities and physical addresses of every party and counterparty to every virtual currency transaction. (The counterparty is the party who is not the user of the service, such as the merchant who receives the funds of a digital currency user.) This requirement would be highly damaging to user privacy and undermine innovative digital currency applications. The Department’s new draft makes an improvement in this area, which is appreciated, but it is unclear that the improvement will be effective.
The new BitLicense proposal would require digital currency services to identify every counterparty to every transaction “to the extent practicable.” As drafted, this requirement gives businesses unclear guidance, may undermine the pseudonymous appeal of digital currencies like BitCoin, and may dissuade consumers from using digital currency to complete embarrassing but legitimate transactions. Requiring identification of the parties to each transaction can also create security liabilities for digital currency services, which must collect and secure the data for – as the BitLicense would require – “at least seven years.”
It is unclear how the BitLicense’s “to the extent practicable” standard would be implemented and under what circumstances the requirement would be waived for not being practicable. For example, if vendors developed commercially available software capable of fulfilling the requirement, would it become “practicable” – and therefore required under the Department’s regulations – for all digital currency businesses to fulfill the counterparty identification requirement because they can purchase the software? What if a digital currency service is technically capable of performing counterparty identification, but doing so would undermine a core feature of the service – such as strong user privacy controls?
The new BitLicense draft, like the original proposal, seems to place a new administrative burden on digital currency businesses. The new BitLicense proposal would go beyond recordkeeping requirements for money services businesses under Financial Crimes Enforcement Network (FinCEN) “travel rule” on transmittal of funds. FinCEN public guidance states that information about transaction counterparties must only be recorded when received.
As with the original BitLicense draft, CDT recommends aligning digital currency regulations with existing FinCEN rules – requiring the identification of counterparties only if received with the transaction order. Alternatively, the Department could issue public guidance interpreting “practicable” in this context to mean that BitLicense-holders should collect counterparty identifications if that information is received in transactions. If that is not possible, then limiting the counterparty identification requirements only to high-value, high-risk, or high-volume transactions would be more appropriate than the BitLicense requirement as it is currently written.
2) Ban on identity obfuscation
The new BitLicense draft would continue to require that digital currency businesses collect the identities and physical addresses of each of their users, and forbids BitLicense-holders from allowing any transfer or transaction that would “obfuscate or conceal” the identity of a user or counterparty. This requirement implies that service providers must monitor their users’ transactions to prevent obfuscation, and at times, prevent users from spending their own digital currency.
As we pointed out in joint comments, digital currencies – including Bitcoin – record transactions on a public ledger, the “block chain.” The records show a pseudonymous public address and transaction information, which can be traced back to the individual user. An individual’s financial and transaction histories are sensitive data, especially if the individual uses digital currency for many micropayments throughout the course of a normal day, so it is understandable that some individuals may wish to avoid creating public records of some transactions. Some digital currency innovations provide a means to scramble transaction records as they appear on the public block chain, though such a service may not necessarily scramble the non-public records of the BitLicense-holders of which the user is a customer. Yet the BitLicense appears to forbid the use of such scrambling services.
As with the original BitLicense draft, CDT recommends the Department revise the BitLicense to allow for identity obfuscation on the block chain, so long as digital currency services remain in compliance with BitLicense recordkeeping requirements. That way, users could still scramble their transactions as they appear on the block chain without scrambling the internal records of the BitLicense-holder.
3) Gaming currencies
The original BitLicense proposal would have created an exemption from BitLicense requirements for digital currency used solely in video gaming platforms with no market or application outside of the game. Yet the digital currencies for many popular online games have (usually unauthorized) markets and exchanges that sell or exchange the gaming currency for fiat money and other gaming currency. As a result, video game vendors – as digital currency issuers and administrators – may be needlessly subject to BitLicense requirements. This may seem like a small or novel problem, but the BitLicense risks creating legal uncertainty and privacy problems for numerous large companies with many millions of users.
The new BitLicense proposal takes a step to correct this problem, but does not completely solve it. The original draft would exempt gaming currencies with no market or application outside of the gaming platform, and the new draft would also exempt gaming currencies that can be redeemed for real-world goods and services. However, the new draft would include gaming currency that can be converted to fiat currency or other digital currency, as well as gaming currency with marketplaces outside the game.
The new BitLicense draft would appear to apply recordkeeping requirements to gaming vendors if the game’s users – even without the authorization of the vendors – set up a marketplace around the currency external to the game. As we noted in our joint comments, many external marketplaces exist where users can purchase or trade fiat currency for gaming currency or other digital currency. Two examples are marketplaces trading dollars or euros for Eve Online’s Interstellar Kredit, and trading Second Life Linden Dollars for Bitcoin.
As with the original BitLicense draft, CDT recommends limiting the BitLicense gaming currency requirements only to gaming currencies with external marketplaces authorized by the game vendor or operator. It would be better still to limit BitLicense requirements to the external marketplace itself, rather than the administrator or issuer of the digital currency – that way, only users engaged in the marketplace would be subject to the BitLicense recordkeeping requirements, not every user of the game.
Hopefully Further Refinement Ahead
The Department clearly considered many of the requests made by the digital currency community, and the notable improvements on the previous draft are welcome. We urge the Department to refine the BitLicense further to provide clarity to digital currency businesses and protect user privacy.