New York has released a final framework for regulating digital currencies, requiring organizations that provide virtual currency services in the state to obtain a special license.
Only businesses that hold customer funds will need a so-called a "bitlicense," said Benjamin Lawsky, superintendent of financial services for the state of New York, who discussed the regulations Wednesday during an emerging payments conference in Washington, D.C.
These regulations make New York the first state to introduce oversight for digital currency. The rules only apply to companies that do business in the state.
The "ossified payment system" needs to be updated, said Lawsky, adding he wants to permit innovation while protecting consumers and guarding against illegal activity.
Software developers will be excluded from the new rules, even though they may create programs that could be used to handle virtual currency.
The regulations also won't apply to consumers, currency miners and businesses that accept virtual currencies as payment, said Lawsky, whose presentation was also webcast.
The new rules won't require virtual currency businesses to inform the state when minor changes are made to software and apps, said Lawsky. Critics of Lawsky's efforts to enact bitcoin regulations raised concerns over language in earlier drafts that called for companies to alert regulators when they updated software.
The state only needs to approve "material changes" that affect a company's business model or products.
"We have no interest in micro-managing minor app updates. We're not Apple," said Lawsky.
The rules are the culmination of a two-year effort by Lawsky to develop a regulatory framework for virtual currencies. This is the third and final version of the rules. The public was allowed to review two earlier drafts of the proposed regulations. Lawsky said the final version reflects the concerns brought up by the virtual currency industry.
The new rules, which were also posted online, emphasize cybersecurity.
Companies that obtain a license must appoint a chief information security officer (CISO) who will present an annual security report to the firm's executives. A cybersecurity policy must be developed that addresses areas like customer data privacy, network security and information security, among other topics. Other security measures that license holders need to implement are the ability to detect data breaches and malware and how to restore operations after an attack.
Some bitcoin exchanges have folded after being targeted by hackers. Mt. Gox, once the world's largest bitcoin exchange, went under last year after attackers stole US$474 million worth of bitcoins. Bitstamp, another exchange, lost $5 million worth of bitcoins in an attack this past January.
The regulations spell out other criteria that businesses must meet to obtain a license, like implementing consumer fraud protections and anti-money laundering procedures, and requiring companies to submit quarterly financial statements to state regulators.
Digital currency businesses must apply for a license within 45 days after the regulation goes in the effect, a date that hasn't yet been determined.