California Governor Gavin Newsom’s signature on the Digital Financial Assets Law last month sent shock waves through the industry and proved the old adage that scandal leads to reform. The collapse of cryptocurrency exchange FTX, the indictment of Sam Bankman-Fried, and crypto-associated bank instability (Signature Bank, Silicon Valley Bank, Silvergate Bank), true or not, spurred politicians to act. Perception is reality.
Linda A. Lacewell is the former Superintendent of the New York Department of Financial Services, which licenses and regulates financial services including cryptocurrency companies.
The California bill is expressly based on New York’s bitlicense regime, written in 2015 and overseen by the New York Department of Financial Services (DFS). The California bill puts the onus of filling in the details to California’s Department of Financial Protection and Innovation (DFPI), itself a newly expanded and reorganized entity.
Many lessons may be learned from the New York experience. We know DFPI and DFS have been conferring. So, what should DFPI be prepared to do, and what should industry expect? Here are some thoughts and strategies for DFPI to consider and industry to anticipate.
Virtual currency companies, like most financial services companies, have multiple stakeholders. Consumers, investors, and industry are the relevant stakeholders and each must be served and protected. Protecting the consumer also protects both investors and the company itself against the risk of theft, hacking, and criminal acts.
In this regard, protecting the company against intrusion and attack must be a high priority. For financial services, cybersecurity is a central concern. The biggest risk to business and government bar none is cyber threats. New York’s regulatory standard, written and enforced by DFS, is the national standard and a model for other state and federal regulators, including the National Association of Insurance Commissioners and the Federal Trade Commission. Here, the goal is to guard against theft of assets, crippling of cyber infrastructure, and ransomware attacks.
Companies must also guard against criminal misuse of their products and services. Anti money laundering and transactions monitoring must be tackled through robust policies. However, a successful…