Objective

To determine whether the Department of Financial Services (DFS) provides adequate oversight of the applications for, and the supervision and examination of, virtual currency licensees to ensure compliance with New York Codes, Rules and Regulations (NYCRR) Title 23, Part 200. The audit covered the period from July 2018 through July 2023.

About the Program

DFS is New York State’s financial services regulator, and its Superintendent is responsible for ensuring the safety and soundness of the State’s financial services industry and promoting the elimination of fraud, abuse, and unethical conduct within financial institutions licensed to operate in the State. DFS supervises and regulates the activities of nearly 3,000 financial institutions with assets totaling more than $9.1 trillion (as of December 31, 2022), including 21 virtual currency licensees with assets totaling more than $175 billion. For this report, we reviewed a list provided by DFS in October 2022 that contained 22 active virtual currency licensees.

In June 2015, DFS issued NYCRR Title 23, Part 200 (Part 200) to regulate virtual currency. According to Part 200, virtual currency is “any type of digital unit that is used as a medium of exchange or a form of digitally stored value. Virtual currency shall be broadly construed to include digital units of exchange that have a centralized repository or administrator; are decentralized and have no centralized repository or administrator; or may be created or obtained by computing or manufacturing effort.” To engage in virtual currency business activities in the State, businesses must obtain a license (BitLicense) from DFS. DFS’ Virtual Currency Unit is responsible for the intake and preparation of applications and reviewing and monitoring BitLicensees in accordance with the requirements of Part 200.

Key Findings

We found there is limited assurance that DFS is adequately performing its oversight responsibilities related to the application for and supervision of BitLicenses in the State, creating the risk that licenses could be granted to applicants whose financial stability has not been thoroughly verified or that, once licensed, businesses may not maintain financial or cybersecurity standards. For example:

• Two of the eight sampled BitLicense applicants did not fully complete the fingerprinting process that DFS uses to assess the backgrounds of applicants’ major shareholders and officers prior to application approval.
• For its review of BitLicense applicants, DFS stated it used a website to search for tax warrants but could not document this action and did not provide documentary evidence that it was sufficiently verifying applicants’ tax obligations.
• We discovered lags between the submission of required anti-money laundering risk assessments and the granting of licenses – with one application approval coming nearly 4 years after the assessment – creating the possibility that outdated information could be used to approve BitLicenses.
• DFS did not ensure that licensees submitted all required financial reports used to assess the safety and soundness of their business operations, including those related to maintaining a minimum net worth to protect against unexpected losses, nor could DFS provide documentation of its analysis of the reports that were submitted.
• BitLicensees were also not in compliance with DFS’ cybersecurity regulations, although in some cases they self-certified that they were.
• On average, we found a 3-year gap between biennial examinations to determine licensees’ financial condition and the safety and soundness of their business, and DFS could not demonstrate it tracked and followed up on issues discovered during the examinations that were completed.

Key Recommendations

• Continue to take steps to ensure that all BitLicense applications are complete and comply with Part 200 requirements, any issues are addressed prior to approval, and decisions and actions taken on applications are documented.
• Continue to develop and implement procedures and tools to collect and analyze required information to ensure the safety and soundness of BitLicensee operations.
• Continue to develop and implement policies and procedures to ensure safety and soundness examinations are conducted in a timely manner.
• Establish formal policies and procedures for the examination follow-up process to ensure issues are addressed promptly.