NYDFS Issues Guidance to Virtual Currency Businesses and Requests Assurances Relating to Operational and Financial Risk Arising from COVID-19 | Practical Law

NYDFS Issues Guidance to Virtual Currency Businesses and Requests Assurances Relating to Operational and Financial Risk Arising from COVID-19 | Practical Law

The New York State Department of Financial Services (NYDFS) issued guidance and a request for assurance to ensure that regulated institutions engaged in virtual currency business activity have preparedness plans in place to address operational and financial risk posed by the outbreak of COVID-19.

NYDFS Issues Guidance to Virtual Currency Businesses and Requests Assurances Relating to Operational and Financial Risk Arising from COVID-19

by Practical Law Finance
Published on 08 Apr 2020USA (National/Federal)
The New York State Department of Financial Services (NYDFS) issued guidance and a request for assurance to ensure that regulated institutions engaged in virtual currency business activity have preparedness plans in place to address operational and financial risk posed by the outbreak of COVID-19.
On March 10, 2020, the New York State Department of Financial Services (NYDFS) issued guidance and a request for assurance to ensure that regulated institutions engaged in virtual currency (VC) business activity have preparedness plans in place to address operational and financial risk posed by the outbreak of COVID-19.
The guidance requires that each regulated VC institution submit a response to NYDFS describing the VC institution's preparedness plan no later than April 9, 2020. Affected VC businesses must submit responses to the designated NYDFS email address: [email protected].
The guidance mandates that a VC institution's preparedness plan be sufficiently flexible to effectively address a range of possible effects that could result from an outbreak of COVID-19, and that it also reflects the institution's size, complexity, and activities. At a minimum, the institution's plan should include the following nine components specified in the guidance:
  • Tailored preventative measures. Preventative measures tailored to the specific profile and operations of the VC institution to mitigate the risk of operational disruption, which should include identifying the impact on customers, and counterparts.
  • Appropriately staged strategy. A documented strategy addressing the impact of the outbreak in stages, so that the efforts of the VC business can be appropriately scaled, consistent with the effects of a particular stage of the outbreak.
  • Off-site procedures. Assessment of all facilities, systems, policies, and procedures necessary to continue critical operations and services if staff members are unavailable for longer periods or are working off-site, including assessment of the effectiveness and security of remote access.
  • Potential cyberattacks. An assessment of potential increased risk of cyberattacks and fraud due to the COVID-19 outbreak.
  • Employee protection. Employee protection strategies, including employee awareness and steps that employees can take to reduce the likelihood of contracting COVID-19.
  • Critical business third parties. Assessment of the preparedness of critical third-party service providers and suppliers to the VC business.
  • Communication plan. Development of a communication plan to enable the VC business to effectively communicate with customers, counterparties, and the public during the pandemic and to deliver important news and instructions to employees, along with establishing forums for questions to be asked and addressed.
  • Plan testing. Testing the VC business preparedness plan to ensure its policies and procedures are effective.
  • Plan oversight. Governance and oversight of the VC preparedness plan, including identifying the critical members of a response team to ensure ongoing review and updates to the plan, including the tracking of relevant information from government sources and the regulated VC institution's own monitoring program.
The guidance requires that the preparedness plan for each VC institution includes a plan to assess and monitor the financial risk that may arise from COVID-19, covering, at a minimum: valuation of assets, impact on earnings and profits, and steps to assist those parties adversely impacted.
The guidance also imposes responsibilities on the directors and management of the regulated VC businesses, who must ensure that an appropriate preparedness plan is in place and that sufficient resources are allocated by the VC businesses to implement that plan. The guidance also imposes responsibility on senior management of each VC business to ensure that effective policies, processes, and procedures are in place by the VC business to execute the preparedness plan. Senior management is also charged with responsibility for communicating the preparedness plan throughout the VC institution to ensure consistency in approach so that employees understand their roles and responsibilities under the plan.
NYDFS includes in the guidance an alert to regulated VC businesses to be aware of possible needs for heightened cyber security. The guidance specifically identifies the risk to VC businesses of increased instances of hacking, cybersecurity threats, and similar events, as bad actors attempt to take advantage of the COVID-19 outbreak. The guidance identifies the possible need for heightened security measures, such as enhanced triggers for fraudulent trading or withdrawal behavior.
NYDFS further underscores the possibility of custody risk for VC, such as the possible need for special arrangements to move VC from "cold" to "hot" wallets during times when employees may not all be working from their usual locations.
Finally, the guidance reminds VC businesses that they may have obligations to notify NYDFS if positive net worth of the VC businesses falls below a certain threshold above the minimum required capitalization.
For more information on VC regulation, see Virtual Currency and Digital Asset Regulatory Tracker.