Publications

Regulating Bitcoin: Practical Approaches for Virtual Currencies

■ by Duncan B. Douglass, Partner, Alston & Bird, and Lauren P. Giles, Senior Associate, Alston & Bird

“Hi Reddit,” began a post this summer on the popular internet discussion site, “this is Ben Lawsky, Superintendent of Financial Services at the New York State Department of Financial Services.” Lawsky went on to announce to the Reddit community that the department had released its long-awaited proposed virtual currency1 licensing regulations, the “BitLicense Regulations.”2

This unusual move reflected the department’s desire to engage with the virtual currency community.3 However, responses to the announcement reflect an emerging divide within the virtual currency community over Bitcoin’s future. Those who seek to preserve Bitcoin’s origins as an anonymous, unregulated tool of financial disruption have decried the regulations as out-of-touch, or worse, as an attempt to destroy Bitcoin. On the other hand, venture capitalists and investors who have made significant bets that Bitcoin will become a mainstream consumer payment method have hailed the regulations as a key step in increasing the credibility and reliability of virtual currencies.4

As the Bitcoin Foundation pointed out in a comment letter submitted to the New York State Department of Financial Services (“NYDFS”), many in the virtual currency community are unfamiliar with existing financial services regulations and unaccustomed to the regulatory process.5 Thus, many Bitcoin supporters may be unaware that the debate over regulating virtual currencies is part of a larger conversation about how to mitigate the prudential and consumer risks posed by the growth of alternative payment methods.

Recent years have seen a significant increase in consumer adoption of alternative payment products, such as prepaid cards, person-to-person payment systems, and virtual currencies. Traditional payment methods, such as debit cards, credit cards, and automated clearing house payments, are heavily regulated. Providers of these traditional products are subject to prudential oversight, and consumers are afforded protections, including in the event of erroneous (including unauthorized) transactions. Such protections are limited, and frequently nonexistent, with respect to many alternative payment methods, including virtual currencies. As a result, the appropriate means of regulating alternative payment products currently is a significant focus of attention for state and federal regulators.

If Bitcoin is to become a mainstream payment product, the prudential and consumer risks associated with virtual currency transactions must be addressed. Although virtual currencies pose certain unique regulatory challenges, recent approaches to regulation of other nonbank financial service providers and alternative payment products can serve as useful models for mitigating risks associated with ownership and use of virtual currencies.

Defining Virtual Currency

Virtual currency is an emerging concept and, as yet, has no fixed regulatory definition. Federal and state regulators have generally proposed defining virtual currency as a digital representation of value that is not government-issued legal tender.6 Within that broad definition, virtual currencies are often further classified: as either non-convertible or convertible (i.e., having an equivalent value in, or acting as a substitute for, fiat currency) and as either decentralized or centrally administered (i.e., managed by an entity with authority to issue new units of currency and withdraw existing units from circulation).7

Bitcoin, a convertible, decentralized virtual currency, is the largest virtual currency, with a total circulating value currently in excess of US$6.7 billion, and serves as the paradigmatic example of virtual currency for purposes of this article.8 Bitcoin’s open-source protocol is the basis for most other major virtual currencies, and therefore, understanding Bitcoin transactions is helpful to understanding the risks associated with virtual currency systems in general.9

Characteristics of Bitcoin Transactions

Bitcoin users typically purchase Bitcoins using fiat currency (or another virtual currency) through a Bitcoin exchange. The most basic exchanges simply provide a platform for advertising Bitcoins available for sale, bringing buyers and sellers together for direct transactions. More sophisticated exchanges permit users to establish accounts, maintain Bitcoin and fiat currency balances in accounts, place standing buy/sell orders (similar to traditional brokerage accounts), and facilitate the purchase and transfer of Bitcoins between users. Many exchanges also offer integrated wallet functionality to facilitate use of acquired Bitcoins to make payments (e.g., to make purchases from Bitcoin-accepting retailers) or acceptance of Bitcoins for retail payment transactions.

A user must have a Bitcoin wallet to make purchases with Bitcoins. A wallet is a software program that performs two principal functions:

  • Generating Bitcoin addresses and cryptographic keys for Bitcoin users.
  • Facilitating Bitcoin transactions by enabling users to send and receive Bitcoins, and publishing the associated transactions to reflect the change in ownership of the transferred Bitcoins.

The most basic wallets are simple, open-source software available for free download—there is no “wallet provider” that facilitates the transaction (i.e., neither the software developer nor a third party provides additional, ongoing services to the users of the wallet software). More sophisticated wallets are actively managed by providers; may have integrated Bitcoin exchange or payments processing services; and often charge fees.

Bitcoin addresses are a fundamental component of the Bitcoin model. A Bitcoin address is a string of letters and numbers that identifies a user for purposes of Bitcoin transactions. Each Bitcoin address is derived from an associated pair of public and private keys, which are used to verify ownership of the Bitcoins linked to the public address. Like the Bitcoin address, the keys are generated by the wallet. A user must have a Bitcoin address and the associated keys in order to conduct Bitcoin transactions. Bitcoin ownership and Bitcoin transactions are anonymous in the sense that there is no comprehensive registry associating Bitcoin addresses or keys to their true owners. The transaction history of each Bitcoin address is viewable through the public registry of Bitcoin transactions—the “blockchain,” but the blockchain does not include any identifying information about the owner of that address.

To conduct a purchase transaction using Bitcoins, the buyer transfers a Bitcoin from his wallet to the retailer’s wallet (or, if the retailer uses a processor as an intermediary, to the processor’s wallet). The retailer’s wallet then broadcasts the record of the transfer to the blockchain.

Regulatory Opportunities for Mitigating Virtual Currency Risks

Prudential Regulation

To date, only one federal financial regulator has taken official action with respect to virtual currency. In early 2013, the Financial Crimes Enforcement Network (“FinCEN”) issued guidance describing the circumstances in which persons engaged in virtual currency transactions are classified as money transmitters for purposes of the Bank Secrecy Act (“BSA”)’s implementing regulations.10 The guidance was followed in January 2014 by two FinCEN administrative rulings, which applied the guidance to specific Bitcoin fact patterns.11 Together, the FinCEN guidance and rulings clarified that the agency categorizes many virtual currency system participants (including exchanges and wallet operators) in the United States as money transmitters and that such entities are required to comply with the BSA’s know-your-customer and anti-money-laundering requirements. In issuing its guidance and rulings, FinCEN focused on the prevention of money laundering (rather than on prudential concerns, which are outside of the agency’s jurisdiction). However, FinCEN’s guidance and rulings have had a powerful framing influence on the debate regarding the appropriate means of addressing the prudential risks posed by virtual currencies.

While the federal government exercises prudential regulatory authority over depository financial institutions, the states have traditionally borne responsibility for prudential regulation of nonbank financial services providers, such as money transmitters, check cashers, and payday lenders. Indeed, existing federal laws likely do not provide federal regulators with authority to engage in broad-based prudential regulation of nonbank companies engaged in virtual currency business activities.12

Further, there appears to be an emerging consensus among state regulatory authorities that the states can and should act to address the prudential risks associated with virtual currency companies.

After FinCEN’s release of the virtual currency rulings, state regulators in Washington and Texas issued guidance that certain types of virtual currency activities constitute money transmission for state-law purposes.13 In early 2014, the Conference of State Bank Supervisors established the Emerging Payments Task Force, which is charged with evaluating payments system innovations (including virtual currencies) and developing “ideas for connecting the emerging payments landscape to the financial regulatory fabric.”14 Subsequently, the Uniform Law Commission established the Study Committee on Alternative and Mobile Payment Systems to consider, in part, whether a new uniform state law should be proposed to cover virtual currency companies and transactions.15 Finally, in July 2014, the NYDFS released the proposed BitLicense Regulations, a comprehensive set of licensing and oversight regulations for virtual currency businesses.

From a prudential perspective, the risks posed by virtual currency companies are largely similar to those associated with money transmitters, and existing money transmitter statutes and regulations can serve as a model for state prudential regulation of virtual currency businesses. For example, money transmitters typically must submit extensive financial and background information in order to obtain licenses and, once licensed, must meet minimum capital requirements, comply with permissible investment restrictions, and establish a bond or other mechanism of securing certain obligations to customers. In addition, money transmitters are subject to ongoing oversight to ensure their safety and soundness, including review of their financial statements, business-continuity plans, and other business practices.

However, there are some prudential risks that are unique to or more significant in the virtual currency context. For example, cyber theft is one of the most significant risks associated with holding and using virtual currency, and strong security requirements are a critical aspect of ensuring the safety and soundness of virtual currency companies. In addition, the anonymity associated with virtual currency transactions creates opportunities for money launderers, terrorists, and other bad actors to move funds without detection. NYDFS recognizes these concerns in the proposed BitLicense Regulations, requiring licensees to establish and maintain data security standards intended to prevent and detect intrusions, and to implement anti-money laundering measures, including a customer identification program. Many in the virtual currency community have strongly criticized the NYDFS’s proposed prudential requirements for virtual currency businesses, largely due to the burden they would impose on the many small companies dominating the current virtual currency marketplace. However, the risk posed to customers by a virtual currency business often does not correspond to the size of the company.16

Given the states’ traditional role as the prudential regulator for nondepository financial service providers, it is appropriate for states to take action to address and protect against the prudential risks posed by virtual currency companies. Existing state laws that set licensing and ongoing compliance standards for money transmitters, such as the Uniform Money Services Act, if expanded or modified to address unique or enhanced risks inherent to virtual currency businesses and transactions, as the NYDFS has done in its proposed BitLicense Regulations, represent an appropriate starting point for this effort.

Consumer Protection

The lack of consumer protections will likely be one of the greatest barriers to widespread consumer adoption of virtual currencies. Federal law has established protections for consumers who use traditional payment methods, including extensive disclosures and protection against unauthorized transactions, but such protections are absent in the virtual currency context—in fact, the absence of substantive consumer protections is often cited by virtual currency promoters as a benefit in seeking to convince merchants to accept virtual currency for payment.

In August, the CFPB released a consumer advisory warning of the risks of holding and using virtual currency.17 The CFPB did not announce intent to issue regulations, but it invited consumers to submit complaints regarding virtual currency, noting that the CFPB will use such complaints “to enforce federal consumer financial laws and, if appropriate, take policy steps.”18 Therefore, it seems likely that the CFPB is considering how it may act under existing federal law to protect consumers who use virtual currency.

Existing federal consumer protection laws and regulations, as written, may not in all cases be easily applied to virtual currencies, but given significant functional similarities, the application of these regulatory tools (whether directly or through additional adaptation) to virtual currencies could mitigate certain risks posed by an unregulated virtual currency economy.

Prepaid Cards and Bitcoin Credentials

Existing regulatory definitions of “reloadable general-use prepaid card” reflect certain functional similarities between prepaid cards and Bitcoin addresses and keys (“Bitcoin Credentials”) that may merit similar regulation. The CFPB and the Board of Governors of the Federal Reserve have defined a “general-use prepaid card” to be a card, code, or device that is (i) issued on a prepaid basis primarily for personal, family, or household purposes in a specified amount, whether or not that amount may be increased or reloaded, in exchange for payment; and (ii) redeemable upon presentation at multiple, unaffiliated merchants for goods or services, or usable at automated teller machines.19

When a consumer receives Bitcoin Credentials and purchases Bitcoins to associate with those Bitcoin Credentials, the Bitcoin Credentials function similarly to a reloadable general-use prepaid card. The Bitcoin Credentials consist of codes that are associated with prepaid value (value denominated in Bitcoins20) and the Bitcoin Credentials may be presented for redemption at multiple, unaffiliated merchants in the purchase of goods or services. Further, a consumer can “reload” the Bitcoin Credentials by purchasing additional Bitcoins and associating them with the Bitcoin Credentials. Subpart A of Regulation E provides key consumer protections (including disclosure requirements, fraud protection, and protection against transaction errors) in connection with electronic fund transfers, including those initiated with debit and payroll cards. Although reloadable general-use prepaid cards currently are subject to limited federal consumer protections, the CFPB is imminently expected to announce regulations extending Subpart A of Regulation E to such cards. The CFPB may not use the occasion to expressly extend Subpart A of Regulation E to virtual currencies (like Bitcoin) that have characteristics akin to reloadable general-use prepaid cards, but Subpart A may provide a reasonable model for the CFPB to follow in extending consumer protections to virtual currencies.

Application of the Remittance Transfer Rule

The CFPB requires any company that electronically transfers funds from a U.S. consumer to a recipient outside the U.S. to provide certain disclosures to the consumer regarding the transfer; to facilitate the resolution of errors; and to permit a sender to cancel the remittance transfer during the thirty-minute period after the transfer was requested. These requirements are described in the Remittance Transfer Rule, which constitutes Subpart B of Regulation E.21

The Remittance Transfer Rule defines the term “remittance transfer” broadly to include the vast majority of electronic fund transfers sent by U.S. consumers to consumers and businesses in foreign countries.22 The CFPB has not taken a public position on whether the Remittance Transfer Rule applies to cross-border virtual currency transactions. However, the CFPB clearly contemplated transactions involving virtual wallets in its remittance transfer rulemakings.23 In order to provide comparable consumer protections for remittance transfers, whether funded in fiat currency or virtual currency, the CFPB may elect to expressly extend the Remittance Transfer Rule to transactions in virtual currency. Given the novelty and unfamiliarity of virtual currencies to many users, application of Remittance Transfer Rule disclosure requirements and protections are particularly appropriate for consumers funding remittance transfers in virtual currency (indeed, the proposed BitLicense Regulations would require licensed entities to provide certain customer disclosures akin to those required under the Remittance Transfer Rule). Investor Protection

Despite recent high-profile announcements by several retailers (including Dell and Overstock) that they now accept or plan to accept Bitcoins, the majority of Bitcoins are currently held for investment purposes and are not used for payment transactions. Therefore, there has been some question regarding the extent to which virtual currencies are subject to regulation by the Securities and Exchange Commission (“SEC”) or Commodities Futures Trading Commission (“CFTC”).

Although the CFTC gave an early indication that it might consider regulation of virtual currencies as commodities, no official action from either the CFTC or the SEC has followed. Presently, it is unclear how the public interest would be served by federal action to directly regulate units of virtual currency as either securities or commodities, although the SEC, the Financial Industry Regulatory Authority, and securities regulators in several states have issued investor advisories regarding the risks of holding virtual currencies.24 In addition, as consumer use of virtual currencies in retail payment and purchase transactions increases, treating such currencies as securities or commodities may become impractical. That said, recent SEC enforcement actions have clearly signaled that the SEC believes that investment programs in virtual currency are within the scope of its regulatory authority.25 In addition, virtual currency-based derivative securities seem likely to fall within the jurisdiction of the SEC without the need for further regulation or guidance.

Innovation and Regulation

Virtual currencies, like other alternative payment products and services, have significant potential to foster innovation and customer choice, but regulators are rightly concerned that the growth of such alternative products may be outpacing existing prudential and consumer protections—or at least the clear application of these requirements to virtual currency businesses and transactions.

Efforts to regulate virtual currency businesses and transactions are embedded in a larger regulatory effort to ensure that customers can rely on the safety and soundness of any financial service provider to which they entrust funds, whether that entity is a regulated depository institution or a nonbank, and that consumers are protected when they conduct transactions, regardless of whether those transactions are denominated in fiat currency or virtual currency.

The regulatory landscape for virtual currencies is likely to look different in the coming years than it does today, as regulators act to apply prudential and consumer protections to the virtual currency marketplace. Whether consumers will broadly adopt virtual currencies as a payment method remains to be seen, but the likelihood of that result should be bolstered by the greater trust engendered by appropriate industry regulation.

1 There is disagreement in the virtual currency community regarding whether Bitcoin and similar currencies are properly referred to as “virtual currencies” or “digital currencies.” The majority of U.S. regulators use the former term, and we have followed suit in this article.

2 Reddit.com, http://www.reddit.com/r/Bitcoin/comments/2aycxs/hi_this_is_ben_lawsky_at_nydfs_here_are_the.

3 Superintendent Lawsky has stated that, in developing the BitLicense Regulations, “we want to get detailed feedback from all sides so we can make smart, modern, forward-looking decisions. See http://www.reddit.com/r/IAmA/comments/1ygcil/as_requested_im_ben_lawsky_superintendent_of_the

4 See Ember, S. “Proposed Rules Expose Rifts Among Bitcoin Enthusiasts,” The New York Times, July 29, 2014, available at http://dealbook.nytimes.com/2014/07/29/proposed-rules-expose-rifts-among-bitcoin-enthusiasts/.

5 Bitcoin Foundation, Letter to NYDFS, Aug. 5, 2014, available at https://bitcoinfoundation.org/wp-content/uploads/2014/08/Bitcoin-Foundation-Letter-to-NYDFS.pdf.

6 See, e.g. FinCEN, Application of FinCEN’s Regulations to Persons Administering, Exchanging, or Using Virtual Currencies, March 18, 2013, available at http://fincen.gov/statutes_regs/guidance/pdf/FIN-2013-G001.pdf. General Accounting Office, Virtual Currencies: Emerging Regulatory, Law Enforcement, and Consumer Challenges, May 2014, available at http://www.gao.gov/assets/670/663678.pdf.

7 Given the dynamic, rapidly changing nature of the virtual currency marketplace, the definitions above are necessarily imperfect. There is significant debate, for example, regarding whether representations of value such as customer affinity or rewards points and in-game currencies should be considered virtual currencies. We do not offer an opinion in this article regarding the specific types of digital units that should or should not be treated as virtual currencies for regulatory purposes.

8 Prices and circulating value of the majority of virtual currencies are viewable at http://coinmarketcap.com.

9 Bitcoin was originally proposed in “Bitcoin: a Peer-to-Peer Electronic Cash System,” a paper published online by an individual or group identified as Satoshi Nakamoto on Nov. 1, 2008, available at https://bitcoin.org/bitcoin.pdf.

10 FinCEN, Application of FinCEN’s Regulations to Persons Administering, Exchanging, or Using Virtual Currencies, March 18, 2013, available at http://fincen.gov/statutes_regs/guidance/pdf/FIN-2013-G001.pdf.

11 FinCEN, Application of FinCEN’s Regulations to Virtual Currency Mining Operations, Jan. 30, 2013, available at http://www.fincen.gov/news_room/rp/rulings/pdf/FIN-2014-R001.pdf; FinCEN, Application of FinCEN’s Regulations to Virtual Currency Software Development and Certain Investment Activity, Jan. 30, 2014, available at http://www.fincen.gov/news_room/rp/rulings/pdf/FIN-2014-R002.pdf.

12 For example, Janet Yellen, Chairwoman of the Board of Governors of the Federal Reserve, has stated that the board lacks authority to regulate virtual currencies. Russolillo, S. “Yellen on Bitcoin: Fed Doesn’t Have Authority to Regulate It in Any Way,” The Wall Street Journal, Feb. 27, 2014, http://blogs.wsj.com/moneybeat/2014/02/27/yellen-on-bitcoin-fed-doesnt-have-authority-to-regulate-it-in-any-way/.

13 Texas Dep’t of Banking, Regulatory Treatment of Virtual Currencies Under the Texas Money Services Act, Apr. 3, 2014, available at http://www.dob.texas.gov/public/uploads/files/Laws-Regulations/New-Actions/sm1037.pdf; Washington Dep’t of Fin. Institutions, Virtual Currency Regulation, undated, available at http://www.dfi.wa.gov/cs/pdf/virtual-currency-regulation.pdf.

14 Conference of State Bank Supervisors, http://www.csbs.org/regulatory/ep/Pages/default.aspx; Uniform Law Commission, http://www.uniformlaws.org/Committee.aspx?title=Alternative%20and%20Mobile%20Payment%20Systems.

15 Uniform Law Commission,

http://www.uniformlaws.org/Committee.aspx?title=Alternative%20and%20Mobile%20Payment%20Systems.

16 The collapse of Bitcoin exchange Mt. Gox, for example, wiped out approximately 7% of the total value of Bitcoins then in circulation. In the year prior to its collapse, Mt. Gox had revenues of less than $300,000. See Takemoto, Y. et al, “Mt. Gox Files for Bankruptcy; Hit with Lawsuit,” Reuters, Feb. 28, 2014; Farivar, C. “Leaked: Just Before Bitcoin Catastrophe, MtGox [id] Dreamed of Riches,” Ars Technica, Feb. 27, 2014, http://arstechnica.com/business/2014/02/leaked-just-before-bitcoin-catastrophe-mtgox-dreamed-of-riches/.

17 CFPB, Consumer Advisory: Risks to Consumers Posed by Virtual Currencies, Aug. 11, 2014, available at http://files.consumerfinance.gov/f/201408_cfpb_consumer-advisory_virtual-currencies.pdf.

18 CFPB Blog, “Consumer Advisory: Virtual Currencies and What You Should Know About them,” Aug. 11, 2014, http://www.consumerfinance.gov/blog/consumer-advisory-virtual-currencies-and-what-you-should-know-about-them/.

19 See 12 C.F.R. § 1005.20(a)(3) (“Regulation E”) and 12 C.F.R. § 205.235.1(i) (“Regulation II”).

20 It is worth noting that neither the CFPB nor the Federal Reserve Board has excluded products denominated in currencies other than fiat (or real) currencies from the definition of general-use prepaid card or reloadable general-use prepaid card for purposes of Regulation E or Regulation II. In contrast, FinCEN has interpreted its regulations applying BSA requirements to certain providers of prepaid access as applying only to prepaid products denominated in real (fiat) currency, and not to prepaid products denominated in virtual currency. See FinCEN Virtual Currency Guidance.

21 12 C.F.R. § 1005.30 et seq.

22 “Remittance transfer” is defined generally to mean “the electronic transfer of funds requested by a sender to a designated recipient that is sent by a remittance transfer provider.” 12 C.F.R. § 1005.30(e). “Sender” is defined to mean “a consumer in a State who primarily for personal, family, or household purposes requests a remittance transfer provider to send a remittance transfer to a designated recipient.” Id. § 1005.30(g). “Designated recipient” is defined to mean “any person specified by the sender as the authorized recipient of a remittance transfer to be received at a location in a foreign country.” Id. § 1005.30(c).

23 For example, in its discussion of the types of international transfers that would be subject to the rule, the CFPB stated that “funds can also be transferred among consumers’ ‘virtual wallets,’ through accounts identified by individuals’ email addresses or mobile phone numbers.” Electronic Fund Transfers (Regulation E) 77 Fed. Reg. 6194, 6196. (Feb. 7, 2012). In addition, in its discussion of a sender’s right to cancel a remittance transfer to the extent that funds have not already been deposited into an “account” of the designated recipient, the CFPB noted that “such accounts need not be accounts held by a financial institution so long as the recipient may access the transferred funds without any restrictions regarding the use of such funds. For example, some Internet-based providers may track consumer funds in a virtual account or wallet and permit the holder of the account or wallet to make purchases or withdraw funds once funds are credited to the account or wallet.” Id. at 6263.

24 See, e.g., SEC, Investor Alert: Bitcoin and Other Virtual Currency-Related Investments, May 7, 2014, http://investor.gov/news-alerts/investor-alerts/investor-alert-bitcoin-other-virtual-currency-related-investments#.VAdln_ldVw4; Financial Industry Regulatory Authority, Bitcoin: More than a Bit Risky, May 7, 2014, http://www.finra.org/Investors/ProtectYourself/InvestorAlerts/FraudsAndScams/P456458; Missouri Secretary of State’s Office, Investor Alert: Kander Cautions Missouri Investors on Bitcoin, April 2, 2014, http://www.sos.mo.gov/news.asp?id=1383; Georgia Secretary of State, Georgia Secretary of State Warns Investors to Be Cautious With Virtual Currencies, May 21, 2014, http://sos.ga.gov/index.php/securities/georgia_secretary_of_state_warns_investors_to_be_cautious_with_virtual_currencies.

25 See Magistrate’s August 6, 2013 memorandum decision in SEC v. Trendon T. Shavers and Bitcoin Savings and Trust, Case 4:13-cv-00416-RC-ALM (E.D. Tex.).