Compliance Insight Weekly Update

Compliance Insight Update Header

New York State Department of Financial Services

The New York State Department of Financial Services issued December 15 a guidance for banking institutions doing crypto-related business in the state and it came into effect as of its release date.

This guidance is aimed at local and foreign institutions that fall under the definition of Banking organization under New York Banking Law: “all banks, trust companies, private bankers, savings banks, safe deposit companies, savings and loan associations, credit unions and investment companies”.

Virtual currency business activity is defined as a „the conduct of any one of the following types of activities involving New York or a New York resident:

(1) receiving virtual currency for transmission or transmitting virtual currency, except where the transaction is undertaken for non-financial purposes and does not involve the transfer of more than a nominal amount of virtual currency;

(2) storing, holding, or maintaining custody or control of virtual currency on behalf of others;

(3) buying and selling virtual currency as a customer business;

(4) performing exchange services as a customer business; or

(5) controlling, administering, or issuing a virtual currency.

Additional to these activities, entities engaging in the “direct or indirect offering or performance of any other product, service, or activity involving virtual currency that may raise safety and soundness concerns for the Covered Institution or that may expose New York customers of the Covered Institution or other users of the product or service to risk of harm„ are also required to obtain prior approval to conduct business.

A non-exhaustive list of such activities is shared in the Guidance:

-offering digital wallet services to customers, whether the services are in fact provided by the Covered Institution or by a third party with which the Covered Institution has contracted;

– lending activities collateralized by virtual currency assets;

– activities in which a Covered Institution facilitates its own customers’ participation in virtual currency exchange or trading, including by carrying fiat currency on behalf of customers (e.g., in an omnibus account);

– services related to stablecoins, including providing stablecoin reserve services for stablecoin issuers;

– engaging in traditional banking activities involving virtual currency through the use of new technology that exposes the Covered Institution to different types of risk (e.g., underwriting a loan, debt product, or equity offering effected partially or entirely on a public blockchain).

Entities that develop and disseminate software used for the use of VAs are exempted from VASP licensing requirements.

The scope of the guidance is to describe the prior approval request process and the information which needs to be submitted for the request to be successful.

Interested parties in doing VA business must submit all relevant documentation to the Banking Division via bankingsubmissions@dfs.ny.gov, „with a copy submitted to that institution’s point of contact at the Department”.

Required documentation:

  1. Business Plan: Operating Model and Technology Architecture
  2. Risk Management: Controls, Policies, and Procedures
  3. Corporate Governance and Oversight
  4. Consumer Protection
  5. Financials
  6. Legal and Regulatory Analysis


The FSOC issued on December 16, its annual report which enumerates Digital Assets as one of the identified financial risks.

The conclusion that the Crypto-asset market is a vulnerability stems from the Council’s report issued in October 2022 (Report on Digital Asset Financial Stability Risks and Regulation) in response to Executive Order 14067 combined with FTX’s collapse and its reverberating consequences.

Two concerning areas were identified regarding digital assets:

  1. their interconnectedness with the traditional financial system
  2. Due to the limited links with the traditional financial system, crypto-assets do not pose a real risk to the traditional financial system
  3. Vulnerabilities confined to the digital asset sphere:
    1. drops in asset prices,
    1. financial exposures via interconnections inside that ecosystem,
    1. operational vulnerabilities,
    1. funding mismatches,
    1. risk of runs,
    1. use of leverage.

Proposed recommendations

  • Continuation of enforcing existing laws;
  • Improvement of the regulatory landscape of digital assets;
  • Assessment of the impact of potential vertical integration by crypto-asset firms.
  • Obliged entities’ risk exposure reporting and proper mitigation thereof.


FinCEN issued December 15 a Notice of Proposed Rulemaking regarding the circumstances under which beneficial ownership information can be disclosed to Federal agencies, state, local, tribal, and foreign governments, and financial institutions, and how it must be protected.

In 2022 a new beneficial ownership information reporting rule was implemented with the scope of unveiling shell companies and restricting the abuse of the US financial system by criminals and sanctioned parties. This reporting rule requires legal entities registered in the US to report to FinCEN information about their beneficial owners. Access to this information would be granted only to:

  • Federal agencies engaged in national security, intelligence, or law enforcement activities;
  • state, local, and Tribal law enforcement agencies with court authorization;
  • foreign law enforcement agencies, prosecutors, judges, and other agencies that meet specific criteria;
  • Treasury officers and employees under certain circumstances;
  • financial institutions with customer due diligence requirements and regulators supervising them for compliance with such requirements.

The notice letter assists in the effort of combatting financial crime by:

  • detailing on how government officials’ access is granted to the database in order to support law enforcement, national security, and intelligence activities;
  • specifying under which conditions financial institutions and their regulators can access the data base in order to fulfill customer due diligence requirements and conduct supervision;
  • describing what measure are taken to protect this sensitive information according to CTA requirements;
  • proposing amendments to the final reporting rule to specify “when reporting companies may report FinCEN identifiers associated with entities”.