by Jerry Brito & Peter Van Valkenburgh
The New York Department of Financial Services has released a revision of its proposed BitLicense. This revised draft will soon be published in the New York State Register and that will begin a 30-day public comment period. We’ve produced a red-lined version to highlight how this proposal differs from its July 2014 predecessor and you can download it here.
We’ll need some time to carefully review all that new language, but, for now, here are our first impressions. First, some of the positive aspects of the new draft:
Humility and Care
NYDFS has shown a willingness to embrace criticism that should be celebrated by the Bitcoin community. This new draft clearly indicates that the many comments submitted in the previous comment period were reviewed and considered.
Carve-Out for Software Developers
The definition of virtual Currency Business Activity now provides a carve-out for the “development and dissemination of software in and of itself.” Clearly stating that individuals do not need a license to merely write computer code (and in that sense never actually hold the valuables of customers) is a major win for innovation, competition, and free speech.
Steps Toward Preserving Open Platforms
One of our greatest concerns with the first draft of the BitLicense was that its recordkeeping requirements would have obligated licensees to collect identifying information not only of their customers, but of “all parties to a transaction” facilitated by a licensee.
These recordkeeping requirements have been scaled back. Identification of parties to a transaction who are not a business’ customers is now only necessary “to the extent practicable.” This is fundamentally important because Bitcoin and other decentralized virtual currencies are open platforms. That openness means that senders will not always know the ID of their recipients, just as you don’t always know who lies behind an email address or a website.
That openness is also what makes Bitcoin so important: no one needs to sign up to a central user database in order to transact, no one holds the keys to such a database, can censor some participant, charge exorbitant fees for entry, or hemorrhage personal data because of lax data security practices or a desire to profit off of data-mining.
By permitting business to operate without necessarily recording recipient data when it is not provided by the customer, the DFS shows that they understand the importance of that open technology and wish to preserve it. Similar issues may emerge in Federal law, particularly the so-called “travel rule” of the Bank Secrecy Act, and the DFS’s accommodation of fundamental realities in these exciting technologies should be emulated at all levels of government.
That all said, there is much that can still be improved in the new draft proposal. Here are some of the issues that still concern us:
Discretion to Grant Exemptions is not an On-Ramp for Startups
The revised Bitlicense rightly contemplates the need to exempt small and innovative virtual currency startups from the costly burdens of licensure. However, under the new BitLicense, those exemptions are granted purely at the discretion of the superintendent.
Discretion can be an important tool for lessening the unduly harsh effects of a statute, but it should not be the only tool. Discretion also generates regulatory uncertainty: a citizen never knows whether conduct she has freely engaged in before will suddenly become punishable simply because a government official changed his mind, or was replaced, or—in the worst case—was influenced by a competitor or someone who wished our hypothetical citizen harm.
A carve-out for small startups is essential to preserve the freedom to innovate using these technologies and it should be accomplished in a way that sets clear standards and safe-zones for budding entrepreneurs: a new business that moves less than $X amount per day need not seek a license; a business that finds itself moving more than $X shall have Y number of days to seek a license. Such clear standards treat innovators with respect, saving them from nasty surprises and setting milestones. Simple rules like these also deter regulatory abuse because there’s no sense leaning on an enforcer to abuse her discretion and shutter a competitor’s business when that discretion is cabined by law.
Decentralized Currency Issuers May Still Require License
The first draft of the BitLicense stated that, “controlling, administering, or issuing a Virtual Currency” qualifies as Virtual Currency Business Activity subject to licensing. This remains unchanged in the new draft, and that’s unfortunate.
In a comment letter to DFS, we noted that “It is only centralized digital currencies that can be said to be ‘controlled, administered, or issued’ by a central authority. Indeed, the key feature of decentralized virtual currencies is that there is no central authority that ‘controls, administers, or issues’ the currency.” As a result, a plain reading of this section should lead one to conclude that it only applies to centralized digital currencies, and that it has no relevance for decentralized currencies like Bitcoin. But plain readings can be hard to come by.
If one read this section to apply to decentralized currencies, would mining be considered “administering” the currency? Would launching a new decentralized altcoin or sidechain be considered “issuing”? The new exemption for software development may arguably cover some of these activities, but why leave it unclear?
We suggested in our previous comment that the definition could be easily clarified by simply adding the word “centralized” to the definition, and we’ll reiterate that suggestion in the next round of comments.
State-level Suspicious Activity Reports
The original BitLicense boldly duplicated—at the state level—the role that the Treasury Department’s Financial Crimes Enforcement Network (FinCEN) plays in anti-money-laundering regulation. We thought that duplication was unnecessary and burdensome for virtual currency businesses: no other money services business needs to report suspicious activity to both a federal and a state regulator, and the Bitlicesnse requirement doesn’t even set a minimum floor of transaction value below which reports are unnecessary.
Unfortunately that language remains unchanged in the new BitLicense. It looks like DFS might genuinely be interested in a deluge of low-value suspicious activity reports and the promiscuous exchange of sensitive customer data that would necessarily follow. We’re against any requirement that would mandate reporting of suspicious bubblegum purchases, and think the DFS should scale back their efforts here, particularly when FinCEN has the situation well under control at the federal level.
Multi-sig/Infrastructure Providers Exempted?
The original BitLicense made merely “securing” another’s Bitcoins the sort of activity that warranted licensure. Fortunately that word is now gone from the definition of virtual currency business activity. This is a step in the right direction: a business should only be required to acquire a license if it actually has control or custody of a consumer’s actual funds. Multi-signature wallets are promising new tools for preventing bitcoin theft and the providers of these tools need not actually ever hold the Bitcoins. They could, for example, hold only one of three keys to a wallet that requires two keys to transact. This is a key innovation that bitcoin offers the financial services industry: fraud protection or escrow providers can be effective without ever holding the funds they help secure.
It’s critical that multi-sig infrastructure providers be exempted from the Bitlicense: they engender none of the risks associated with holding consumer funds and offer real opportunities for enhanced consumer protection. As we argued in our previous comments, only businesses with full custody should be licensed.
No Protections for Businesses that Take Steps to Secure User Privacy
Both the old and the new Bitlicense contain the following passage:
No Licensee shall engage in, facilitate, or knowingly allow the transfer or transmission of Virtual Currency when such action will obfuscate or conceal the identity of an individual customer or counterparty. Nothing in this Section, however, shall be construed to require a Licensee to make available to the general public the fact or nature of the movement of Virtual Currency by individual customers or counterparties.
As we’ve discussed before, Bitcoin transactions are not particularly anonymous. Techniques can be used to link personal identities to the many bitcoin pseudonyms individual users control. It’s imperative then that bitcoin businesses be free to obfuscate the identities of their customers as they appear on the Bitcoin blockchain. The second sentence of the BitLicense paragraph may be intended to protect such reasonable steps to secure user privacy. However, it neglects the fact that securing privacy requires taking action rather than forgoing an action (i.e. ‘make available to the general public’). That savings clause should read:
Nothing in this Section, however, shall be construed to prohibit a Licensee from obfuscating or concealing the identity of an individual customer from the general public, so long as they can comply with the reporting and recordkeeping requirements of this chapter.
Again, the changes we see in this new BitLicense are encouraging. NYDFS is living up to its promise to take the unique and welfare-enhancing qualities of virtual currency technologies into account. Are there necessary changes remaining to be made? Yes, absolutely. But that’s what comment periods are for and we’re excited to engage yet again.