California Governor Gavin Newsom’s signature on the Digital Financial Assets Law last month sent shock waves through the industry and proved the old adage that scandal leads to reform. The collapse of cryptocurrency exchange FTX, the indictment of Sam Bankman-Fried, and crypto-associated bank instability (Signature Bank, Silicon Valley Bank, Silvergate Bank), true or not, spurred politicians to act. Perception is reality.
Linda A. Lacewell is the former Superintendent of the New York Department of Financial Services, which licenses and regulates financial services including cryptocurrency companies.
The California bill is expressly based on New York’s bitlicense regime, written in 2015 and overseen by the New York Department of Financial Services (DFS). The California bill puts the onus of filling in the details to California’s Department of Financial Protection and Innovation (DFPI), itself a newly expanded and reorganized entity.
Many lessons may be learned from the New York experience. We know DFPI and DFS have been conferring. So, what should DFPI be prepared to do, and what should industry expect? Here are some thoughts and strategies for DFPI to consider and industry to anticipate.
Virtual currency companies, like most financial services companies, have multiple stakeholders. Consumers, investors, and industry are the relevant stakeholders and each must be served and protected. Protecting the consumer also protects both investors and the company itself against the risk of theft, hacking, and criminal acts.
In this regard, protecting the company against intrusion and attack must be a high priority. For financial services, cybersecurity is a central concern. The biggest risk to business and government bar none is cyber threats. New York’s regulatory standard, written and enforced by DFS, is the national standard and a model for other state and federal regulators, including the National Association of Insurance Commissioners and the Federal Trade Commission. Here, the goal is to guard against theft of assets, crippling of cyber infrastructure, and ransomware attacks.
Companies must also guard against criminal misuse of their products and services. Anti money laundering and transactions monitoring must be tackled through robust policies. However, a successful compliance program is not just about the paperwork. Policies should be tailored to the business and must be consistently deployed and enforced. A responsible company will invest in these protective mechanisms even though it diminishes profits.
The agency should expressly forbid the commingling of company and customer funds, and examiners should test this issue. This violation was at the root of the collapse of FTX and loss of customer assets.
Before issuing licenses, the agency should fully understand the company that seeks to be regulated. Rigorous disclosure of true owners hiding behind the veil of LLCs and other corporate vehicles, as well as relevant finances, must be enforced so that the appropriate risks can be mitigated. Transparency is key.
The agency would do well to draft the regulations long before they are due. The agency will want to hit the ground running as the effective date approaches. At the outset, define terms and determine the scope of regulation. Vagueness is one of the biggest industry criticisms of the bill. The regulations will be contentious and will benefit from broad input from industry, consumer groups, and experts. Consider private and public conferences to air views before pen is put to paper. Let all sides share input. This helps build smart and effective regulations while building trust and transparency.
Consider having companies register with the agency before they apply for licensing. This way the agency will have the universe of potential applicants, the ability to anticipate the potential workload, and the ability to communicate with potential applicants as a group. This is a time-tested strategy for new regulation of any financial services industry.
Plan to hire or reassign sufficient resources with the right experience to process applications, especially because an applicant is allowed to operate pre-licensing under certain conditions. In New York, we created a new Innovation and Research Division to elevate virtual currency as a priority and attract high-level talent. We also reassigned examiners to help clear backlogs of licensing applications. We streamlined review of applications and provided written guidance to industry.
The bill allows DFPI to give reciprocity to bitlicenses and limited purpose trust company charters granted by DFS on or before January 1, 2023. Long term, it would be helpful to work out an arrangement where DFS also gives reciprocity to virtual currency licenses granted by DFPI. This would reduce the burden on companies having to seek multiple licenses involving the same due diligence and compliance regimes. Reciprocity should ultimately go both ways between California and New York, the two most stringent virtual currency regulators with the lion’s share of virtual currency companies.
Regulating an industry in full for the first time is heavy lifting. DFPI might consider doing it in phases so that progress is made as the new regime is rolled out. Since you will be essentially building the plane as you fly it, be flexible, and be prepared to tailor it along the way. In New York, we continued to innovate with coin listing guidance and a conditional licensing framework. This paid off in dividends. PayPal was the first to obtain a conditional license from DFS, partnering with Paxos Trust Company to allow PayPal customers to buy, sell, and hold certain cryptocurrencies.
There is much work to do and no time to waste. The California bill is law and its licensing requirements become effective July 1, 2025. DFPI has eighteen months to issue the regulations. But industry does not need to wait to see the regulations to start fortifying defenses against money laundering, sanctions violators, and cyber intrusions, and building robust consumer disclosures and protections. Given the New York model, there should be no surprises as to the guardrails that will apply, so get started building them now.