NY Bitlicense definitive framework [pt.4]

AML/KYC Requirements

Licensees must implement an anti-money laundering program. The AML program is to be based upon an initial risk assessment performed by the Licensee. Risk assessments must be performed on an annual basis, or more frequently if risks change, and the AML program revised based on the updated assessments if necessary. (§.200.15 (b))

The AML program must provide for a system of internal controls, policies, and procedures to ensure ongoing compliance with AML laws, rules, and regulations. The program must provide for independent testing for compliance, and must be tested at least annually. The findings of the testing must be submitted to the superintendent. A compliance officer or officers must be designated to oversee and monitor the day-to-day compliance of the Licensee, and those individuals must be provided with ongoing training. (§.200.15 (c))

Information on all virtual currency transactions must be maintained, including the identities and addresses of parties to transactions, both customers and other parties to the extent practical, the amount of the transaction, the method of payment, dates initiated and completed, and a description of the transaction. (§.200.15 (e))

Transactions “that are not subject to currency transaction reporting requirements under federal law” and that exceed $10,000 in a single day, as well as transactions or activity labeled ‘suspicious’, must be reported to the NYDFS. (§.200.15 (e))

Licensees are also required to implement a KYC program. (§.200.15 (h))

Cyber Security Program

Licensees are required to implement a cyber security program. It must be designed to perform five core cyber security functions.

  • identify internal and external cyber risks by, at a minimum, identifying the information stored on the Licensee’s systems, the sensitivity of such information, and how and by whom such information may be accessed;
  • protect the Licensee’s electronic systems, and the information stored on those systems, from unauthorized access, use, or other malicious acts through the use of defensive infrastructure and the implementation of policies and procedures;
  • detect systems intrusions, data breaches, unauthorized access to systems or information, malware, and other Cyber Security Events;
  • respond to detected Cyber Security Events to mitigate any negative effects; and
  • recover from Cyber Security Events and restore normal operations and services. (§.200.16 (a))

Furthermore, a thorough cyber security policy must be drafted and implemented, overseen by a Chief Information Security Officer. The cyber security program must be auditable by a third party. Cyber security employees are required to be regularly updated and trained to stay abreast of evolving threats. (§.200.16 (b)(c)(e)(g))