Industry Letter Regarding Prior Approval for Covered Institutions’ Virtual Currency-Related Activity

TO: Covered Institutions

FROM: Adrienne Harris, Superintendent of Financial Services

RE: Industry Letter Regarding Prior Approval for Covered Institutions’ Virtual Currency-Related Activity

DATE: December 15, 2022

The New York State Department of Financial Services (the “Department”) is issuing this guidance (“Guidance”) to all New York banking organizations,[1] as well as all branches and agencies of foreign banking organizations licensed by the Department (together, “Covered Institutions”), to convey the Department’s expectations for Covered Institutions that wish to engage in virtual currency-related activity.[2] In particular, this Guidance reminds Covered Institutions that, as a matter of safety and soundness, they are expected to seek approval from the Department before engaging in new or significantly different virtual currency-related activity.

In June 2015, the Department adopted its “Part 200” regulation (23 NYCRR Part 200), under the New York Financial Services Law. Part 200 was the United States’ first comprehensive licensing requirement and regulatory framework for non-depository institutions to engage in virtual currency business activity. Exempted from the licensing requirements of Part 200 are “persons that are chartered under the New York Banking Law and are approved by the superintendent to engage in virtual currency business activity.”[3]

As the virtual currency market evolves, and as New York-regulated institutions continue to innovate, the Department expects to thoroughly assess a Covered Institution’s proposed virtual currency-related activity for safety and soundness. This Guidance does not interpret existing law or regulation and does not otherwise take a position on the types of activities that may, as a legal matter, be permissible for Covered Institutions to undertake. Rather, this Guidance describes the process a Covered Institution should observe for seeking prior approval for a proposed virtual currency-related activity and summarizes the types of information the Department considers relevant in assessing such a proposal. The Department takes seriously the potential risks that novel activities, including in particular virtual currency-related activities, may pose to Covered Institutions, to consumers, and to the market in general, and the Department will make a comprehensive assessment of information presented under this Guidance to determine whether any proposed activity would—based on the facts and circumstances presented and including the risk mitigation measures the Covered Institution has developed to support the activity—be appropriate for a Covered Institution to undertake.

This Guidance is in effect as of its release date and applies to all Covered Institutions for all virtual currency-related activities undertaken as of that release date or to be undertaken going forward. The information contained in this Guidance is not intended to be exhaustive, and the Department may update it from time to time for any reason, including, for example, in response to new information, evolving markets, or additional experience. This Guidance is not intended to limit the scope or applicability of any law or regulation.

[1] Banking organization means “all banks, trust companies, private bankers, savings banks, safe deposit companies, savings and loan associations, credit unions and investment companies.” New York Banking Law § 2.11.

[2] For the purposes of this Guidance, “virtual currency-related activity” includes all “virtual currency business activity,” as that term is defined in 23 NYCRR § 200.2(q), as well as the direct or indirect offering or performance of any other product, service, or activity involving virtual currency that may raise safety and soundness concerns for the Covered Institution or that may expose New York customers of the Covered Institution or other users of the product or service to risk of harm.

For example, the Department considers the following types of activities, among others, to be virtual currency-related activities: offering digital wallet services to customers, whether the services are in fact provided by the Covered Institution or by a third party with which the Covered Institution has contracted; lending activities collateralized by virtual currency assets; activities in which a Covered Institution facilitates its own customers’ participation in virtual currency exchange or trading, including by carrying fiat currency on behalf of customers (e.g., in an omnibus account); services related to stablecoins, including providing stablecoin reserve services for stablecoin issuers; engaging in traditional banking activities involving virtual currency through the use of new technology that exposes the Covered Institution to different types of risk (e.g., underwriting a loan, debt product, or equity offering effected partially or entirely on a public blockchain).

[3] 23 NYCRR § 200.3(c)(1) (emphasis added).

Virtual currency business activity means the conduct of any one of the following types of activities involving New York or a New York resident: (1) receiving virtual currency for transmission or transmitting virtual currency, except where the transaction is undertaken for non-financial purposes and does not involve the transfer of more than a nominal amount of virtual currency; (2) storing, holding, or maintaining custody or control of virtual currency on behalf of others; (3) buying and selling virtual currency as a customer business; (4) performing exchange services as a customer business; or (5) controlling, administering, or issuing a virtual currency.

The development and dissemination of software in and of itself does not constitute virtual currency business activity. 23 NYCRR § 200.2(q).

I. Prior Approval

A Covered Institution should seek the Department’s prior approval before commencing any new or significantly different virtual currency-related activity.[4] Prior approval for a Covered Institution to engage in a virtual currency-related activity does not constitute general consent for that institution to engage in other types of virtual currency-related activity, nor does it authorize other Covered Institutions to undertake that same activity.

Virtual currency-related activity performed by or through a third-party service provider engaged by a Covered Institution may constitute sufficient involvement by the Covered Institution to require the Department’s approval. Therefore, where a Covered Institution intends to engage a third party to assist in performing a new or significantly different virtual currency-related activity, the institution should consult with the Department in advance.

If a Covered Institution has any questions about whether a proposed activity constitutes a new virtual currency-related activity or about any proposed change to an existing virtual currency-related activity, the institution is encouraged to seek clarification from the Department.

A Covered Institution currently engaged in virtual currency-related activity should promptly notify its point of contact at the Department of the relevant activity if it has not already done so, to enable the Department to review and seek additional information or clarification, and impose any supervisory requirements, if needed.

II. Initiation of Approval Process

To facilitate timely and focused review of proposed virtual currency-related activity, a Covered Institution should inform the Department of its intention to engage in any new or significantly different virtual currency-related activity a minimum of 90 days before the Covered Institution intends to commence the activity.

Once informed, the Department will work with the institution to confirm whether approval of the proposed activity is required—whether under Part 200 or otherwise—and if so, to identify the materials necessary to initiate the Department’s review and to establish an expected timeline.

[4] For the purposes of this Guidance, a new or significantly different virtual currency-related activity includes a new virtual currency-related product or service or a proposed change to an existing virtual currency-related product or service that: (1) may raise a legal or regulatory issue about the permissibility of the product, service, or change; (2) may raise safety and soundness, including operational, concerns; or (3) may cause the product or service to be significantly different from that previously approved. See, e.g., 23 NYCRR § 200.10(b).

To obtain superintendent approval to engage in virtual currency-related activity, a Covered Institution should prepare a written submission addressing the information requirements described in this Guidance addressed to the Banking Division via bankingsubmissions@dfs.ny.gov, with a copy submitted to that institution’s point of contact at the Department.

III. Informational Requirements

A Covered Institution should provide the Department sufficient information for the Department to assess the scope of the proposal and any impact on the institution’s safety and soundness, including implications for New York customers of the Covered Institution and other users of the proposed product or service.

This section outlines the types of information that the Department expects to assess in responding to a request for approval of a proposed virtual currency-related activity. Institutions are encouraged to tailor any submission to their specific proposal; if any information called for in this Guidance is inapplicable, the Covered Institution should note the reasons for the inapplicability. Likewise, if the Covered Institution deems pertinent to their initiative any materials not specifically called for in this Guidance, they are encouraged to include that material in their submission.

To avoid unnecessary duplication or repetition in a submission, Covered Institutions may cross-reference or incorporate by reference information responsive to each topic noted below. In the event the proposed activity also requires an application or submission to a federal banking regulator, a Covered Institution may submit to the Department a copy of that application or submission, cross-referenced to the Department’s informational requirements.

A. Business Plan

A complete written submission should include a business plan that provides a comprehensive description of the Covered Institution’s proposed virtual currency-related activity, including any contemplated phases, the business rationale for the activity, the activity’s relationship with the institution’s strategic initiatives and enterprise-wide risk management framework, and alignment with the institution’s legal and compliance framework. The business plan should describe, at a minimum:

• the legal entity or entities that the institution will use to engage in or otherwise support the activity;
• a detailed description of the planned operating model and key technology architecture, including applicable processes and flows of funds, as may be updated or revised from time to time;
• an explanation of the engagement of third-party service providers, if any, including their identities, types of services, any service level agreements, and a description of the due diligence process used in their selection;
• the expected costs and revenue targets for the proposed activity;
• the target customer base for the proposed activity and any fees to be charged;
• how the proposed activity is anticipated to affect users of the proposed product or service;
• a formal project plan that includes defined roles and responsibilities, specific project requirements and deliverables, timeframes and milestones, preliminary/projected budgets, testing plans and schedules, and/or the specific activities and resources required to complete the project, a staffing plan, and training/professional development; and
• a comprehensive risk assessment and risk monitoring framework for the proposed activity, as described in Section B below.

B. Risk Management

A complete written submission should provide a thorough account of the Covered Institution’s enterprise-wide risk-management framework to identify, measure, monitor, and control all risks arising from, or related to, the proposed virtual currency-related activity, in line with the Covered Institution’s board-approved risk appetite. The risk management section of the written submission should include, at a minimum, materials addressing the following:

• operational risk, including a description of the sufficiency of operational capacity, controls, and expertise to engage safely and soundly in the activity;
• credit risk, particularly where virtual currency may serve as collateral for an extension of credit;
• market risk;
• capital risk;
• liquidity risk;
• cyber security and fraud risk;
• technology risk, including an analysis of risks associated with the use of the blockchain technology and efforts taken to monitor, manage, and mitigate the technical (security, architecture), operational (people and processes), and other related risks associated with the use of blockchain and/or internal ledgers to facilitate the activity;
• third-party service provider risk;
• legal and compliance, including financial crime and sanctions risks;
• reputational risk, including negative public opinion regarding the nature of the service or unexpected losses and potential conflicts of interest; and
• strategic risk, including those relating to misalignment with other business activities of the institution or inability to service existing customers.

C. Corporate Governance and Oversight

A complete written submission should describe the corporate governance framework applicable to the proposed activity, including, for instance:

• the internal product development and approval by the board and/or senior management that accompanied the determination to engage in the proposed virtual currency-related activity and copies of all internal approvals and presentations made in support of the request for board and/or senior management approval;
• an explanation of the board and senior management’s adequate understanding and knowledge of the risks associated with the proposed activity, designation of one or more board members or committees of the board responsible for the ongoing oversight of assessment and management of such risks, including clear and specific allocation of roles and responsibilities, and allocation of appropriate resources for management of such risks;
• an explanation of the integration of risks in the Covered Institution’s risk appetite framework, including limits and thresholds, and an escalation process for when risk limits are breached; and
• an explanation of the board and senior management oversight relating to the development of policies and procedures that contain the Covered Institution’s risk management framework, including the internal control framework across the three lines of defense (i.e., risk ownership and management, controls and compliance, internal audit) to ensure clear lines of responsibility for monitoring and adhering to policies and procedures.

D. Consumer Protection

The Department has a particular interest in ensuring that all customers of a Covered Institution and other users of a Covered Institution’s product and services, including individual consumers, are treated fairly and are afforded the full protection of all applicable laws and regulations, including protection from unfair, deceptive, or abusive practices. A complete written submission should provide an analysis of whether and to what extent the proposed virtual currency-related activity will have any impact on customers and other users, including where they interact with a third-party service provider engaged by the Covered Institution, rather than with the Covered Institution directly. The written submission should include:

• the Covered Institution’s policies and procedures relating to customer protection; and
• sample agreements applicable to customers and other users, including all relevant terms and conditions, disclosures, and acknowledgements, whether maintained or managed by the Covered Institution or a third-party service provider.

Covered Institutions should review carefully and submit to the Department any customer-facing agreements, disclosures, and/or acknowledgments and a representative sample of marketing materials, whether those materials are produced, maintained, or managed by one or more third parties engaged by the Covered Institution in connection with the proposed virtual currency-related activity or by the Covered Institution itself, to ensure accuracy and clarity and to avoid misrepresentations.[5]

E. Financials

A complete written submission should provide the Department with an explanation of the expected impacts of the proposed activity on the Covered Institution’s capital and liquidity.

F. Legal and Regulatory Analysis

Covered Institutions are expected to consider the application of all relevant laws and regulations to the proposed activity as part of their initial assessment and internal approval process for the activity, including an analysis of the permissibility of the proposed activity and key legal risks and mitigants. A complete written submission should provide a thorough account of this analysis and its conclusions.

IV. Contact Information

A Covered Institution that seeks further clarification regarding this Guidance should address inquiries to bankingcomments@dfs.ny.gov. Any organizations with a designated point of contact at the Department should also copy that individual in their communications.

NOTE: Section IV of this guidance was updated on April 11, 2025, to remove the additional requirement for Covered Institutions to copy Banking Division leadership when sending inquiries related to this guidance to the Department.

[5] See, e.g., FDIC, Advisory to FDIC-Insured Institutions Regarding FDIC Deposit Insurance and Dealings with Crypto Companies, FIL-35-2022 (July 29, 2022), available at https://www.fdic.gov/news/financial-institution-letters/2022/fil22035.html.

APPENDIX: SUPPLEMENTAL CHECKLIST

A complete written submission should provide the Department with a comprehensive understanding of an institution’s proposal and any related regulatory considerations. To aid in preparing a complete written submission, the Department has prepared this checklist of materials that may be relevant in evaluating a proposed virtual currency-related activity. A Covered Institution may therefore find it useful to consider this checklist and assess whether any of the below-noted materials are applicable to the proposal.

Recognizing that each Covered Institution and each proposed activity may present unique considerations, the Department welcomes the opportunity to work with Covered Institutions in identifying specific information and materials relevant to and necessary for the Department’s consideration of the proposal.

Business Plan: Operating Model and Technology Architecture

• For each type of transaction or service, a technical description of how the activity will be conducted, including:
  • the proposed activity’s process (including process flows, as applicable);
  • a description of relevant parties and their expected interactions (including third-party service providers); and
  • all flows of funds for the activity, including all virtual currency and traditional fiat funds flows, specifying who directs each flow and how, the name and address of each entity through which the funds flow, the relevant title(s) of accounts used in each flow, the ownership or control of all relevant accounts and addresses, and who or what entity is liable for the funds at all points.
• A technical explanation of how the institution uses blockchain and/or internal ledgers to facilitate the activity, including reconciliation processes.
• An explanation of the engagement of third-party service providers whose services relate to the proposed virtual currency-related activity, such as those relating to compliance obligations, including:
  • a list of all third parties to be engaged;
  • a description of the services to be provided by the third parties; and
  • copies of service-level agreements entered into or expected to be entered into with the third parties.
• Any critical dependencies on third-party technology, including for example blockchain-specific features related to the offering.
• Sample customer agreements, including all relevant terms and conditions.
• Sample customer disclosures and applicable acknowledgments.
• Sample marketing or advertising materials.
• The methodologies for valuation of virtual currency in terms of fiat currency.

Risk Management: Controls, Policies, and Procedures

Where materials have been tailored specifically to address virtual currency-related risks, Covered Institutions are encouraged specifically to identify those sections.

• Materials that constitute the Covered Institution’s Bank Secrecy Act / anti-money laundering (“BSA/AML”) and Office of Foreign Assets Control (“OFAC”) compliance program, including:
  • BSA/AML policy and procedures, associated risk assessment(s), the risk assessment’s associated methodology relevant to the proposed virtual currency-related activity, including those related to transaction monitoring and filtering or Know Your Customer-related control processes;
  • the most recent independent review of the BSA/AML and OFAC compliance programs.
• Materials that constitute the Covered Institution’s privacy compliance (whether a standalone program or incorporated into another risk management framework, such as the institution’s cybersecurity program), including the institution’s privacy policy and procedures, and related risk assessment(s).
• Materials that constitute the Covered Institution’s cybersecurity and information security program, including the institution’s cybersecurity and information security policy and procedures, related risk assessment(s), and independent review of the cybersecurity program.
• The Covered Institution’s past and planned remediation of information security gaps and deficiencies, including those identified during self-assessments, audits, and regulatory examinations.
• Materials that constitute the Covered Institution’s third-party oversight program, including its third-party service provider management and onboarding policy and procedures, a description of the due diligence performed on all third parties prior to engagement, and all other requirements in 23 NYCRR §500.11.
• Materials that constitute the Covered Institution’s business continuity and disaster recovery program, including its business continuity and disaster recovery policy and procedures and related risk assessment.
• Materials that constitute the Covered Institution’s anti-fraud program, including its anti-fraud policy and procedures and related risk assessment.
• Materials that constitute the Covered Institution’s assessment of key and wallet management risk, including its policy and procedures associated with the generation, management, storing, or use of private and public keys, a description of the solution used to manage custody services, and an explanation of the customer service infrastructure to support customers experiencing difficulty with key or wallet access.

Corporate Governance

• A description of the analysis undertaken to establish risk limits, thresholds, and/or activity caps applicable to specific activities, products, asset types or customers, and a description of the change management process by which those limits will be assessed re-calibrated over time.
• Materials showing execution of the oversight framework the Covered Institution has developed in connection with the proposed activity, including, for instance, minutes of relevant meetings and sample reports.

Consumer Protection

• The analysis undertaken by the Covered Institution to assess suitability of a product or service offered to customers as part of or in connection with the proposed activity.
• Materials that constitute the organization’s awareness training for consumers on best practices related to the activity contemplated, including for example securing their accounts.
• A description of all optional and required access controls, such as multi-factor authentication and password policy.
• A description of the customer service and product management systems that will support the proposed activity, including an explanation of the customer redress framework.

Financials

• Pro forma balance sheet(s) and income statement(s) of the legal entity proposing to conduct the virtual currency-related activity reflecting the effect of the proposed virtual currency-related activity.
• Pro forma calculations of the Covered Institution’s risk-based capital and liquidity ratios as of the most recent quarter reflecting the effect of the proposed virtual currency-related activity.
• An explanation of the expected costs, sources of funding, and fees to be imposed on customers.
• Projected cash flows for the proposed activity.

Legal and Regulatory Analysis

• A description of the controls in place to ensure ongoing compliance with applicable laws and regulations.
• A copy of and/or description of the material terms of any licensure, authorization, or approval from any other domestic or international regulatory authority granted to the Covered Institution, or any parent, affiliate, or subsidiary of the Covered Institution, related to the proposed virtual currency-related activity, including any applicable limitations or restrictions.
• If the Covered Institution is in the process of seeking any other license, authorization, or approval from any domestic or international regulatory authority on behalf of the Covered Institution, or any parent affiliate, or subsidiary of the Covered Institution, related to the proposed virtual currency-related activity, a copy of or description of materials submitted in support of that process.
• To the extent not otherwise described or provided, a list of any other licenses, authorizations, or approvals that the Covered Institution knows to be necessary for it to proceed with the proposed virtual currency-related activity.
• A copy of any legal memorandum or opinion from counsel regarding legal and regulatory issues pertaining to the proposed virtual currency-related activity.