News

New York’s top regulator warned startup firms that provide cryptocurrency-related services, including swaps of U.S. dollars for bitcoins, to show they have the full range of anti-money laundering controls in place if they want to operate in the state.

Budding cryptocurrency firms often focus their license applications to the New York State Department of Financial Services, or DFS, on their innovative business models and products, but fail to show they grasp the kind of policies, software, staff and training they need to mitigate their exposure to financial crime, Linda Lacewell, the agency’s top official, said Wednesday.

“All too often we see a company applies, they race through the system … and towards the end, a series of questions comes up about their AML program [and] transactions monitoring, and the company is taken by surprise,” Lacewell told attendees of the ACAMS New York conference.

Thirty cryptocurrency firms seeking to operate in New York have obtained an industry-specific “BitLicense” from DFS in the past six years, or successfully registered as limited purpose trust companies pursuant to the state’s traditional banking charter.

Lacewell said Wednesday that a large share of aspiring cryptocurrency firms submit incomplete applications in the misplaced hope of accelerating the licensing process, then gradually complete them over the following months or years.

“We can’t review an application until it’s complete,” Lacewell said. “You can get your application in, but nothing is going to happen.”

DFS examiners often conduct an initial test of a cryptocurrency firm’s AML controls within six months of issuing a license to ensure everything works as expected, and initiate an ongoing dialogue with compliance staff.

“This is not meant to be a ‘gotcha’ … it’s a long road before we ever get to [enforcement], especially for a new company,” the superintendent said. “If the company is willing and able … is strengthening the system as it goes along and gets the input and is working with us, that’s going to be a productive relationship.”

For the past four years, DFS has been embroiled in a legal fight with the U.S. Office of the Comptroller of the Currency over whether state or federal regulators, or both, have authority to issue licenses to cryptocurrency operators.

A U.S. appeals court last week sided with the OCC in dismissing a lower court’s decision from December 2019 that blocked the federal regulator from licensing cryptocurrency firms under its own 2017 regime. DFS argued that giving the federal government licensing power would undermine the state’s authority.

Lacewell on Wednesday separately pressed financial institutions large and small to boost their cybersecurity protocols in line with heightened requirements that DFS imposed in March 2017.

Her call for more robust cybersecurity within the financial services industry comes amid a spate of high-profile ransomware attacks, including against Colonial Pipeline, the country’s largest oil distribution network, and against JBS, a Colorado-based meat processor.

“It’s a little shocking actually when you peel back the onion … and you see multifactor authentication is still not in place,” Lacewell said.

Contact Valentina Pasquali at vpasquali@acams.org