
Everything You Need to Know About NYSDFS BitLicense

Since its inception in 2015, the New York State Department of Financial Services (NYSDFS) BitLicense has been a source of controversy and debate. Most regulators regard the BitLicense controls as reasonable measures to reduce the inherent risks in transmitting and holding custody of cryptocurrency. However, opponents of the BitLicense see it as expensive, intrusive, and unjustly targeting crypto start-ups and violating crypto end-user privacy.

Two of the biggest factors influencing reluctance to acquire the NYSDFS BitLicense are the associated costs and privacy. With a thirty-page application—that comes with a $5,000 application fee—gathering and constructing all the information for the application process alone can amount to upwards of $100,000. Many view the questions in the application as digging too deeply—e.g., it asks about the history of the business as well as information about its owners and operators, financial records, and compliance programs such as Anti-Money Laundering (AML) and know your customer (KYC).

Furthermore, much like the standards put on a traditional financial institution, it requires an approved virtual asset business to also have a qualified Chief Information Security Officer, written compliance and anti-fraud policies, and disaster recovery procedures.

Nonetheless, these requirements are not much different than those applied by the U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN), and should generally apply to any virtual asset service provider in the U.S.

BitLicense Offers the Potential to Prevent QuadrigaCX-like Fiascos

Given the broad purview of the BitLicense requirements, one cannot help but believe that had QuadrigaCX been subjected to such a rigorous review the exchange would probably not have been approved for a BitLicense.

This gating factor might have prevented the exchange from growing to the asset size that it reached—much of which has now been lost or possibly stolen from its rightful owners. The co-founder of QuadrigaCX, Michael Patryn aka Omar Patryn, is suspected of actually being Omar Dhanani. In 2004, Dhanani was arrested by the U.S. Secret Service in California as part of an identity theft, credit card fraud and money-laundering ring. He served time in a U.S. prison and was later deported to Canada. Having a regulatory regime similar to BitLicense might have saved more than 100,000 users from losing a collective $190 million in crypto assets.

A Means to Combat Criminal Activities

Without regulation and oversight, cryptocurrencies may be used as a vehicle for money laundering, tax evasion, and other criminal activities. The seemingly anonymous nature of virtual currencies, ease of cross-border and interstate transport and the lack of a formal banking structure make it more difficult for law enforcement to monitor and apprehend individuals who use cryptocurrencies for illegal activities. CipherTrace analysis has proven in numerous cases that countries with lax or non-existent AML and KYC crypto-regulation have a significantly higher occurrence of financial crime and money laundering activity.

Not One-Size-Fits-All

Thus, CipherTrace views the regulations as necessary mitigation for the financial crime risks inherent in the cryptocurrency ecosystem. That said, the BitLicense process may be too burdensome on smaller, newer crypto entities. So should small firms with weak security and no contingency plans be permitted to control consumer financial assets? Should such a requirement be applied nationwide? Perhaps the license application, review and its requirements for continued compliance could be graduated to reflect the asset size of the crypto-entity applying. This might allow for the smaller businesses and start-ups to break into the regulatory framework, without overtaxing the respective entities’ available resources.

Along with a four-page list of application requirements, in order to qualify for a BitLicense an exchange must first comply with all regulations listed in the framework’s text. Below, CipherTrace has compiled a relevant summary of each section in the 44-page document.

Framework Highlights


Compliance in the crypto ecosystem can be complex and is ever changing. Compiling the required information for a BitLicense is certainly a taxing, expensive process, and one more realistically accomplished only by larger, more well-funded companies. Additionally, any future “material change” by the approved entity, to include M&A deals, must be reported to the NYSDFS, which must then provide its consent. This last requirement goes above and beyond requirements for any ordinary business.

The regulation also requires that beyond complying with all applicable federal and state laws, rules, and regulations, in order to receive a BitLicense the Licensee must also have written compliance policies. Additionally, it requires virtual asset businesses to keep cryptocurrency transaction records for up to seven years. Plus, customers’ sensitive information such as physical addresses, bank statements, and names of parties to the transactions must also be recorded and made available to the NYSDFS upon request.

Capital requirements

Each Licensee must maintain a specific amount of assets to ensure their “financial integrity and ongoing operation.” The exact amount will be based on a number of factors determined by the superintendent (the NYSDFS department executive). These factors include the composition of the Licensee’s total assets and liabilities, the actual and expected volume of the Licensee’s “Virtual Currency Business Activity,” and the types of products or services to be offered.

Custody and protection of customer assets

To protect customer assets the Licensee must maintain a surety bond or trust account in USD, in an amount determined by the superintendent. Additionally, if a Licensee holds, stores or maintains custody of a client’s Virtual Currency (VC), the Licensee must be able to match the type and amount they are holding, and cannot sell or transfer the client’s VC without direct permission.

Material changes to business

The Licensee cannot introduce new products, services, or activities, or make material changes to existing products, services, or activities without the superintendent’s approval.

Change of control; mergers and acquisitions

Also not allowed without the superintendent’s approval.

Books and records

The Licensee must make, keep, and preserve (in their original format) all of its books and records for a minimum of seven years. The Department of Financial Services should be allowed immediate access to “all facilities, books, records, documents, or other information maintained by the Licensee or its Affiliates.” For a complete list of requirements for record keeping, please consult Section 200.12 of the regulatory text.


The Licensee will be examined by the superintendent at least every two years to ensure the Licensee’s healthy financial condition, strong safety and soundness practices, and its complete compliance with these regulations.

Reports and financial disclosures

Quarterly financial statements and audited annual financial statements must be submitted to the superintendent. An exhaustive list of requirements for these statements can be found in Section 200.14 of the regulatory text.

Anti-Money Laundering program

The Licensee must have a written anti-money laundering policy and monitor for suspicious activity that may signify money laundering, tax evasion, or other illegal or criminal activity, filing SARs when appropriate. Additionally, the Department must receive a notification if aggregate transaction amounts exceed $10,000 USD in one day by one person, even if the transactions are crypto-to-crypto.

The Licensee must have a KYC program for the identification and verification of account holders. Customer Due Diligence (CDD) must be performed to verify a customer’s identity before on-boarding and Enhanced Due Diligence (EDD) is required for high-risk customers, high-volume accounts, accounts on which a SAR has previously been filed, or accounts involving foreign entities. The Licensee must also check customers against the OFAC SDN list.

Cybersecurity program

The Licensee must establish and maintain an effective cybersecurity program to protect the confidentiality, integrity, and accessibility of its data. The Licensee must appoint a Chief Information Security Officer (CISO) to oversee, implement and enforce the policy. The CISO will prepare a report for the Department every year, assessing the program and proposing how it will address any liabilities.

Business continuity and disaster recovery

The Licensee must have a written Business Continuity Plan (BCP) and Disaster Recovery (DR) plan to ensure their availability and functionality if there is ever an emergency situation that would otherwise disrupt their normal business activities. This plan should be tested annually at the very least.

Advertising and marketing

The phrase “Licensed to engage in Virtual Currency Business Activity by the New York State Department of Financial Services” must be included in all advertisements. The Licensee must keep all advertising and marketing materials for a minimum of seven years.

Consumer protection

The Licensee must disclose all material risks associated with its products, services, and activities, as well as the risks associated with virtual currency in general, prior to any type of transaction with a customer. This includes, but is not limited to, disclosure statements such as:

  • “Virtual Currency is not legal tender; is not backed by the government…”
  • “The volatility and unpredictability of the price of Virtual Currency relative to Fiat Currency may result in significant loss over a short period of time…”
  • “The nature of Virtual Currency may lead to an increased risk of fraud or cyber attack…”

A comprehensive list can be found under Section 200.19 of the BitLicense regulation text.

In addition, the Licensee must disclose general terms and conditions, terms of transactions, provide receipts upon completion of any transaction, and establish a written anti-fraud policy.


The Licensee must have written policies and procedures to resolve complaints in a fair and timely manner. Part of this policy includes adding the Licensee’s, as well as the Department’s, mailing address, email address, and telephone number online for the receipt of complaints.


If a court deems any portion of the BitLicense regulatory text or the way it has been applied to specific Licensees invalid, that does not invalidate the entire document.


The License requires quarterly financial reports, annual audits, and annual inspections.
