3. Cryptocurrency Enforcement Framework from the U.S. Department of Justice. The author of the framework, Attorney General William Barr, said, “Cryptocurrency is a technology that could fundamentally transform how human beings interact, and how we organize society. Ensuring that use of this technology is safe, and does not imperil our public safety or our national security, is vitally important to America and its allies.” To that end, the framework sets out the threats, illicit uses and enforcement strategies under the law. Here is a short summary of the framework. At a minimum, crypto businesses should adhere to BSA best practices in AML and risk mitigation and take advantage of the many third-party services that help scrub addresses and users for sanctions, dark web and illegal activity.
4. DeFi. For those who missed Bitcoin’s early leaps in value, or the ICO moment, there is now DeFi. Decentralized finance platforms, such as Uniswap and Curve, offer the theoretically irresistible opportunity to eliminate centralized exchanges and their fees by allowing users to trade peer-to-peer at a discount through secure and trustless contracts, mostly on the Ethereum blockchain. Meanwhile, liquidity providers for the platform earn fees (governance tokens) in consideration for allowing their assets to serve as liquidity in the decentralized exchange. Here is a list of the sixteen largest DeFi platforms together with some notes on them. Like all new crypto services, DeFi has had a handful of blunders, such as the hack at Harvest and the other hack at bzx. A lot of legal work remains to be done (by us 😉) on these platforms.
5. Banks Taking Crypto. The OCC has published guidance expressly permitting banks to accept fiat as reserves for stablecoins. This is a tip-of-the-hat to stablecoins that have already been licensed in states like New York and are building impressive balances and backing eye-watering transactions on a daily basis. The OCC guidance does not, however, address the many stablecoins that do not track who actually holds them, in the way that a bank account tracks who holds an account. Wyoming has become the darling of crypto by granting charters to Special Purpose Depository Institutions that can take Bitcoin and other crypto on deposit. There is no news on whether those institutions will end up also needing other state MSB licenses as some other trusts have learned. Here is our running tally of www.banksthattakebitcoin.com – there are 5.
Wishing you a very Happy Thanksgiving and Holiday Season!
2. New York – Financial Services in the Empire State. Our thoughts are with New Yorkers who are right now weathering the eye of this storm. New York Governor Cuomo instituted Executive Order 202.6 on March 18, 2020. The Executive Order extends the provisions of Executive Order 202 which declared a state of emergency in New York state. Under E.O. 202.6, any essential businesses in the state will not be subject to the mandated restrictions including work from home mandates and reduced work forces in order to limit the spread of Covid-19. “Banks and related financial institutions” have been included in the enumerated essential business and services in E.O. 202.6. The guidance includes banks, insurance, payroll, accounting and services related to financial markets. Businesses may also apply to be deemed essential by the Empire State Development Corporation. Since it is not explicit that money services businesses qualify as essential services, it is recommended that any money service business operating in New York state apply to be deemed an essential service.
The application is a one page form, where the applicant must include:
Name
Contact information
Number of employees
Description of business
Description of why business fits within the parameters of E.O. 202.6
E.O. 202.6 can be found here. The application form can be found here.
Executive Order 202.9, dated March 21, 2020, gives the Superintendent powers to promulgate emergency regulations, for the period of the emergency, under which the fees for using ATMs, overdraft fees and credit card late fees may be restricted or modified to take into account the financial impacts on New York consumers and the safety and soundness of the licensed or regulated entities.
3. Force Majeure Clauses in Payments and Crypto Contracts. Sadly, because of the Covid-19 pandemic, some participants in the payments industry will be unable to meet their contractual obligations. The purpose of this newsletter is to give some guidance to people on either side of that terrible turn of events. Specifically, I want to discuss force majeure clauses, which are the clauses most likely to apply to a pandemic-caused contractual default.
Force Majeure Clause
The force majeure clause in contracts is usually buried in the general provisions at the end of the agreement and is rarely negotiated or even read. The pandemic has suddenly given great importance to force majeure clauses. Case law borne out of this pandemic will be cited for decades to come.
A typical force majeure clause in a payment processing agreement reads as follows:
“Force Majeure. No Party shall be liable for any default or delay in the performance of its obligations under this Agreement if such default or delay is caused, directly or indirectly, by an Act of God, fire, flood, earthquake, conditions or events of nature, war, terrorism, riots, pestilence, civil disturbances, work stoppages, equipment failures, power failures, governmental orders, or any other similar cause or event beyond the reasonable control of the affected party (provided the non-performing Party is without material fault in causing such default or delay).”
The key legal question when facing a force majeure clause is to determine whether it relieves the party of default for non-performance. In other words, but for the force majeure event, would the failure of the party place them in default? For example, without a tornado, I would have delivered the garden shed you ordered. Because of the tornado, I can’t.
Force majeure clauses in contracts are included to allow one or more parties to an agreement to not fulfill their obligations should certain circumstances arise. The event contributing to the application of the force majeure clause should not only be unforeseeable, but also beyond the control of the parties. Unforeseeable here means unforeseeable at the time the contract was entered into. As in the typical clause example above, force majeure clauses outline the types of situations where the clause may excuse non-performance. Since such clauses are a construct of the parties, the meaning and scope shall be those given by the parties in creating the agreement. Where clauses are lacking or where there is room for interpretation, courts will apply common law principles.
What if the force majeure clause does not list ‘pandemic’?
Many drafters of force majeure clauses include “catch-all” phrases to extend the provision to non-enumerated situations by including words such as “other” etc. Courts tend to apply the ejusdem generis (Latin for ‘of the same kind’) theory when determining if a given situation fits within the catch-all phrasing. Ejusdem generis dictates that when general terms follow an enumerated list of two or more items, then the general terms must apply only to items of the same class as those enumerated. The potential application of ejusdem generis to a force majeure clause must be kept in mind not only when drafting such clauses, but also when formulating argumentation to either defend or argue the non-applicability of a force majeure clause.
When analyzing force majeure clauses, courts will often ask three questions:
Is the event in question a force majeure event (as defined by the clause)?
Was the event beyond the reasonable control of the party invoking the clause?
How does the event affect the obligation the party is seeking to be excused from?
Case Study 1: ISO can’t make minimums because of Covid-19
Taking an extreme but illustrative example, if an ISO has focused on selling merchant services to amusement parks, and all amusement parks are closed by order of the state, even if the force majeure clause in the ISO agreement does not expressly mention pandemics, generic wording on factors beyond the control of the ISO would likely support the ISO in being relieved from its liability for minimums. Most ISOs, however, do not sell to only amusement parks, and will face a challenge of proving that the circumstances are a force majeure, in particular given that online sales are surging right now.
Case Study 2: Crypto platform inoperable because of Covid-19.
Suppose key officers (e.g. CIO, CCO) at a crypto wallet or exchange were all out of action because of Covid-19 for an extended period of time. Suppose as well that, despite having (often legally required) disaster recovery and business continuity plans, those plans were ineffective because other key personnel were out of commission. The crypto business grinds to a halt. Customers will be frustrated because they are not able to get support or possibly access their assets. Here, a court might look to the crypto operator to have had a more robust disaster recovery plan. Assuming the problems are not caused by infrastructure (e.g. Amazon down) or orders to close by the state, the crypto business will have a harder time arguing that they were legally relieved of their obligations on account of force majeure. The reason for this is that, in this case, the causes are not external to the business.
Cases decided on the basis of the Covid-19 pandemic will be studied in law schools for the next 100 years. I hope none of our readers are the basis of that new law.
Community Service: Pro Bono Advice on Force Majeure Clauses
As our way of giving back to the payments and crypto community that sustains us, we will provide free review of any force majeure clause in payments or crypto.
4. Stay Healthy and Safe, Electronic Payments and Crypto Surge (?), Atlas Team Publishing Tools to Help
Our whole team is actively researching solutions for the financial services sector for these difficult times and we will share all useful information as and when we collate it. (Regular readers know how much we love lists, charts and more lists). In the meantime, stay healthy and safe in anticipation of (hopefully) a surge in electronic payments and crypto after Covid-19 like none of us could have ever imagined – when the crisis is over.
Fintechs spend a lot of time trying to understand their US MSB risk. Our firm believes in open source legal information. So, we created the first and only regtech AI MSB risk assessment bot tool. Give it a try and tell us what you think:
Now, in Europe, open banking starts from the premise that users of financial services have a right to compare like providers, access data and easily switch from one to another, a bit like phone service providers. In the US, the difficulty in accessing and comparing financial service data has created a market for non-bank solutions for accessing bank services such as Yodlee, providing consumers with account information, Geezeo connecting APIs of a limited set of participating banks, through to Synapse sitting between a bank and fintechs to enable fintechs to offer everything from DDAs to virtual cards with ease. There is now a run on picking up the technical slack of US banks coupled with the lack of competition in US banking that is driving a good number of new entrants. (Even we, quite shamelessly, picked-up neobank.law a year ago).
(Ok boomer,) US neobanking players fall into three categories.
1. Financial Institutions where APIs Come First. These are licensed US banks, trust companies or MSBs that position API access as a key distinguishing feature. SVB, BBVA, Evolve Bank and Trust, Prime Trust, Dwolla and Bitgo. The opportunity for these suppliers is that they can serve large numbers of new clients via API with assistance from fintechs as agents. The risk for these suppliers is that they may each be operating dozens of different business models that present a challenge for
2. Technology Platforms Between FIs and Fintechs. These entities avoid taking control or possession of transaction funds and remain primarily data-only gateways. Examples include Plaid and Synapse. (Some financial institutions have preferred to own the IP to the APIs that connect to their accounts, a leading example of that would be Stripe). The opportunity for these entities is to earn a piece of transaction volume without having to pay the price of being regulated entities. The risk for these suppliers is that regulators will find them to be MSBs despite their carefully avoiding possession of transaction funds. Because of their tight integration with financial institutions, these platforms make ‘classic’ boomer gateways, like Authorize.net and NMI, look quaint.
3. Fintechs. These entities navigate gingerly between avoiding regulation by relying on their financial partners (see Item 1 above) and being regulated as MSBs. These 50 or so fintechs use APIs of the FI’s identified above to operate their businesses. We have indicated which are the most likely financial services that each has outsourced to the FI indicated and they include DDA, Card issuing, ACH, crypto custody and money transmission. The opportunity for these entities is to decrease the cost of compliance (using FI’s identified in Item 1), decrease the cost of development (using technology identified in Item 2 above) and focus on the business of selling their service. The risk for these entities is excessive reliance on third parties for compliance and technology and the risk that regulators will perceive them as MSBs, even though licensed financial institutions take legal liability for the movement of client funds.
Whether the OCC clamps down on FI’s in the space or state banking regulators deem tech platforms to be MSBs, there is an overwhelming momentum in the US neobanking space that is driven by real demand for competition and variety in consumer and business financial services that we think will be met ever more in 2020. At Adam Atlas Attorneys at Law, we provide commercial and compliance advice for US neobanks, such as they may be.
Money services businesses (such as money transmitters, prepaid card program managers, currency exchangers and providers of virtual currency) (“MSBs”) that operate outside of the United States are likely familiar with the laws applicable to them in their home jurisdictions. Given the electronic nature of many MSB businesses, it is altogether likely that a non-U.S. MSB will wish to provide services to residents of the U.S. without having accounts, offices or any other presence in the U.S. Doing so requires compliance with U.S. law. Whether a given MSB is an MSB for the purposes of U.S. federal or state law is a matter of U.S. law. At the federal level, MSB status in the U.S. is determined pursuant to the Bank Secrecy Act (“BSA”), its regulations (“Regulations”) and the Financial Crimes Enforcement Network, of the United States Department of the Treasury (“FinCEN”). FinCEN is the U.S. equivalent of, for example, the FCA in the U.K. or FINTRAC in Canada.
An entity that is deemed an MSB under the BSA has to register with FinCEN, for AML and transaction reporting purposes and may also be required to obtain money transmitter licenses from each individual state in which the MSB has customers.
Being entirely foreign to the U.S. and having no accounts, office or employees in the U.S. does not diminish the application of the BSA to an MSB that services U.S. residents. This information often comes as a surprise to the many thousands of non-U.S. MSBs that, de facto, service U.S. residents.
By way of example, the UK money transmitter in the flow of funds described below that takes funds from a U.S. resident and forwards those funds, as a money transmitter, to a payee or recipient in Germany, is required to be registered with FinCEN and licensed as a money transmitter in the state where the US payer is located:
Our recent post to LinkedIn of the US Payments Family Tree generated record feedback. There is a thirst for an above-the-tree-line view of who is who in the payments landscape. Once upon a time, everyone read the Nilson Report that amazingly published regular figures on the volume of processing at each US acquirer. Divining competitors is not that easy anymore. Here are a few reasons why the competitive landscape is more complex and interesting:
1. ‘Big hat, no cattle’ processors. With bountiful capital (2017 fintech investments $31 billion, 2018 $39.6 billion and the first half of 2019, $27.9 billion), fintech startups have had the luxury of being unprofitable. Square and Stripe exemplify fintechs for which profit is a difficult question. Possibly profitless market-leaders like Uber, Airbnb and WeWork had investors mesmerized by the idea of losing a lot of money for a chance to capture a whole market. It’s hard to assess competition in payments when some of the ostensibly largest players do not answer to the real world of profit. All that glitters is not gold; some of the putative payment market leaders might not be real-world leaders.
3. Processor Consolidation. Speaking of old standards, where there were once about 13 large US processors, now there are about half that number. The chart above keeps alive some of the old, now consolidated brands, to give you a sense of the dramatic reduction in US processing competition. The FTC has a large mandate, including its Bureau of Competition. If you are an ISO shopping for a processor, or a bank shopping for a processor for your card issuing business, or a merchant shopping for payment processing, the last year has seen a material reduction in the number of competitors for your business. The FTC has brought recent cases against fraudulent or dishonest processors, but it has yet to bring a case concerning the reduction in US payment processing. Perhaps the titans of US processing are circling the wagons in the face of competition from novel payment methods, such as crypto. Too much consolidation, however, is illegal.
5. Neobanking, Open banking, Payments as API. There was a time when a payor knew their financial institution and chose them for their brand, relationship and location. That time is over. Now, the financial service provider has been moved into the background in support of neobanking fintechs that provide the consumer-facing service related to bank accounts, card issuing, bill payment and other traditional bank services. Five examples from a growing list come to mind: Evolve Bank & Trust, a bank that is integrated with Synapse, an API platform, Prime Trust, a Nevada trust that provides both crypto and fiat custodial services, Silvergate Bank, a cornerstone of crypto banking now branded as being API driven, Cross River Bank, focusing on fintech with a history of supporting new lending models and arivalbank, that boasts reinventing the bank and an upcoming US launch. By outsourcing technology to startups and keeping the core banking function in-house, these financial institutions are perhaps in a strong position to challenge the older brick-and-mortar / brand-based banking incumbents. The key question for neobanking is, how far into the background will the OCC let financial institutions go.
The Federal Reserve Board announced on August 5, 2019 that the Federal Reserve Banks will develop a new round-the-clock real-time payment and settlement service, called the FedNow℠ Service, to support faster payments in the United States. This is welcome news for banks that are having a hard time competing with the theoretical allure of cryptocurrencies and other instant secure payment methods.
FedNow could resolve domestic payments speed issues, but would not unlock international payments or money transmission, all of which are still plagued by massive delays of 1 or more business days, especially in countries outside of North America and the EU.
From a legal perspective, the challenge will be to allocate risk for instant – and perhaps irreversible – payments. Today there is already fraud on the ACH rails, which have slower settlement times. Instant payments would need a new set of rules governing chargebacks, fraud and other losses.
We are following FedNow closely and will provide updates as to the new rules as and when they are published.
For better or for worse, centralized control of value (and values 😉) is eroding. It takes less than an hour to launch a crypto currency. For example, there are a million Adam Atlas Coin in existence. (They have no value and are not for sale.) As a defensive measure, the established players are circling the wagons (or should I say, building centralized ledgers) into various controlling portions of the market. Taken together, the market looks like it’s admitting defeat to decentralized exchanges of value (i.e. virtual currency) and attempting to extract one last round of return before a more complete paradigm shift.
Single Supplier for Credit Card Processing?
There now exists a single predominant payment processor in the US and, perhaps, the world following the recent mergers of WorldPay, Vantiv, First Data, BluePay, CardConnect into FIS. A small band of outliers are still going it alone, including TSYS, Elavon, Paysafe and Sage. The anti-trust implications of these mergers are substantial and we are already witnessing decreased competition for ISO relationship opportunities. None of the merged entities have an interest in competing with the others as they are all part of a predominant supplier of payment processing in the US. The competitive impacts should be monitored by merchants, ISOs, but also issuing banks that would probably prefer greater competition in transaction processing.
Libra payment processing: Facebook and sharing economy eating from bank deposit balances
Libra Money Transmission: Crypto’s promise of free transmission of funds?
If money transmission were free, no one would be in the business of money transmission. The promise of Bitcoin and other virtual currencies has been to allow more or less free P2P and B2B payment transactions on a secure and fast blockchain. Perhaps because most crypto users today are wealthy western or eastern speculators and gamblers, that promise has not yet come true. Libra drives past the worldwide smorgasbord of crypto to create what its visionaries believe will marry the best of crypto technology together with their omnichannel ability to tip the scales into their network of users.
It won’t be long before exchanges will pair Libra with USD and Bitcoin, making Libra just another stablecoin – but more complicated than those pegged to the USD. The irony of Libra and all crypto-based money transmission models is that, logically, they should become ever more efficient and therefore ever less profitable per unit transacted. In money transmission, Libra is a race to the bottom of fees. The bottom, of course, is crypto itself where fees are negligible (on some chains).
Facebook and the other partners in the Libra Association might generate more value by simply enabling existing crypto on their networks and focusing on the value they add – i.e. sharing of data, sharing of cars, sharing of rooms.
If we look at the FIS consolidation of payment processing, we see a defensive strategy by processors to fend off technology-driven upstarts like Stripe, Square and Paypal. Relying on legacy culture and technology, the FIS conglomerate is drawing its last bit of value from the market before capitulating to the long-term leaders in business in the form of big tech, Amazon, Apple, Google and Microsoft. Similarly, Libra is a circle-the-wagons closed-loop crypto vision that can take the currency only so far, until faster cheaper chains displace it. In summary, the value of payment processing and money transmission is one of diminishing returns. Payments entrepreneurs of our time are stuck on replacing old toll booths (i.e. payment processing fees) with new ones (Libra float interest and fees), which has been the guiding light of payments since the invention of the credit card in 1950. Now is the best time for a new generation of payments entrepreneurs to think past the toll-booth model. Maybe Ripple and Moneygram are on to something?
Engineers, being engineers, might think that these early days of autonomous vehicles are their exclusive private domain for debates over lidar versus cameras or object recognition. We respectfully disagree and believe that self-driving cars should be engineered to take into consideration the following 5 legal principles.
1. Risk Assessment and Disclosure: In bio (i.e. human) driven cars, the assumption of risk by the driver for their own follies is baked into the model. Autonomous vehicles, however, will represent a different formula for the assumption of risk and drivers will expect to have the right to know the quantum of those risks. For example, what are the chances that this car will slam into a truck, when taking into consideration the various engineering components of the car? Unlike bio-driven cars, autonomous vehicles are able to quantify risk at every turn. It is natural, therefore, that consumers (or their lawyers or insurers) will wish to access that data. A heuristic risk assessor should be built into autonomous vehicles.
2. Privacy Controls – location. Assuming self-driving car fleets will be in constant communication with their respective manufacturers, as well as other cars on the road, drivers will wish to secure a measure of control over the data concerning their whereabouts. Today, we worry about this issue because of mobile phones that relay geolocation information to app developers. In the self-driving scenario, however, like with MAC addresses of phones, other cars and roads etc. will be able to identify your unique vehicle throughout its whole trip. If the smart road at the end of my driveway knows my car has started to move and where it goes etc., cities will have intimate knowledge of the trips of citizens. Drivers will demand a measure of control over location data of their cars which will be housed in many locations all at the same time.
3. Privacy Controls – on-board. Many Ubers and taxis have cameras today, some are required by law. Autonomous fleets without internal cameras are very unlikely. Drivers will wish to secure a measure of control over the recording of their – often intimate – moments in self-driving cars.
4. Sanitation Gauge. By force of economics, autonomous vehicles will, to a large extent, be shared. This means that a single vehicle could transport a hundred or more people in a day. That’s a lot of sweaty passengers in a small space. Autonomous vehicle manufacturers would be at a disadvantage if they fail to build into their vehicles and the surfaces of the vehicles automated sanitation gauges to determine when the vehicle needs to be cleaned. Self-cleaning is not a bad option either for urban settings with heavy usage.
5. Maximum Utility Platform. Given that passengers in driverless cars will have free hands and minds, the possibilities for leisure or work activities in self-driving cars are as wide as those for any home or office. The interiors should therefore be designed for maximum utility and flexibility. One take on this is the Mercedes Urbanetic concept. From a legal perspective, the flexibility of the car gives rise to a need for disclosing to passengers the range of safe activities and controls over preventing unsafe activities. For example, what does a self-driving car do when it detects that a firearm has been discharged in the car; should it divert to the nearest hospital or police station? Should it lock the passengers inside or eject them? These are all questions that require coordination between engineering and legal advisors at the earliest instances of the design stage. Having advised in electronic transactions for 15 years, Adam Atlas Attorneys at Law is pivoting to engage with the self-driving and autonomous vehicle designers to learn from them and plan for a legal framework supporting the new transportation network they are building.
Nothing in this email should be construed as legal advice. Adam Atlas Attorney at Law is licensed in NY and QC.
As we at drivebywire.law grapple with legally allocating rights, obligations and risk in AI, we realized that we have to invent new legal classes of data to set the expectations of consumers, startups and regulators. Here are some rough categories to get this conversation going:
Type of sensor present: A device, like a door knob, that seemingly has no interest in temperature, might still contain a temperature sensor, placed as a sleeper sensor to be activated much later in the life of the product for purposes not yet imagined at the time of manufacture. Manufacturers wish to keep a degree of secrecy concerning the sensors that are in their products.
Sensor degree of precision: This data set logs the degree of precision of a sensor. For example, an accelerometer in a car can be more or less sensitive, which information is, of itself, valuable. A vehicle manufacturer might not want to reveal that its accelerometer is less sensitive than one used by a competitor. Therefore, data concerning the precision of sensors is to be treated as a distinct category of data subject to its own set of confidentiality parameters.
Raw sensor data: This is the data collected by sensors in vehicles, fridges, homes, wearables etc. We are having to define who owns this data from its point of origin – i.e. from the sensor onwards. Does the sensor manufacturer have rights in that data even though it is not involved in the larger product being produced?
Sensor-device correlation: This data set includes the sensor and the type of device in which it resides. Here the data takes its first dive into depth because mere device / sensor correlation triggers a number of safe assumptions and accelerates triangulation on the ‘big picture’ of the subject. For example, a windspeed indicator in an airplane is a fact that is, in and of itself, rich.
data reveals that the sensor is tracking data for a person, but not the identity of that person. Consider a temperature sensor on a city bus, used to track the temperature of commuters in order to assess the spread of a fever in a community.
Sensor-subject correlation (subjective): At the moment, this is the most sensitive dataset, as it connects data to an identified individual. At the moment, this is considered highly valuable as it can be exploited to ‘hack’ the consumer into making one or another decision.
Sensor-subject correlation – community-wide: This is really just a large sample of subjective sensor-subject data, giving the controller the ability to peer into the data of a cohort of people and predict community-wide events.
Regardless of where your data set resides, it’s important to frame its legal status, otherwise you risk breaching the privacy rights of individuals or giving up commercial opportunities in the data you encounter. At drivebywire.law Adam Atlas and his colleagues are busy parsing the data sets to help document who owns what, no matter the shade.
We have advised hundreds of clients across almost all business models new and old. This site is not legal advice; it is information only. You should obtain qualified legal advice prior to operating any money services business (MSB) or virtual currency business (VCB).
We are proud to lead the preeminent open-source payments law practice where sharing information related to payments regulation is one of our core principles. By way of example, here is what we learned at the most recent Emerging Payments conference in Washington, D.C.
The Atlas Payments Data Vault, a treasure trove of information on regulators, laws, banks, lawyers, consultants, MSBs, VCBs, surety bonders and everything else you are likely to need in getting your payments business going. Adam was perhaps the first lawyer to accept Bitcoin as a form of payment.
U.S. Federal Registration of Money Services Businesses (MSB) with FinCEN
With few exceptions, each money services business (MSB) must register with the Department of the Treasury. Virtual currency businesses (VCB) may also be MSBs requiring registration. Note that failure to register when required to do so, or to obtain necessary state licenses, can lead to jail time. A person that is an MSB solely because that person serves as an agent of another MSB is not required to register. US Federal registration is done through the Financial Crimes Enforcement Network of the United States Department of the Treasury (FinCEN). Registering with FinCEN is very easy, takes about 20 minutes and can be done through the BSA E-Filing System, described below. Here is the contact information for FinCEN:
FinCEN BSA E-Filing System
Entities that are registered with FinCEN are required to maintain an AML program and make filings with FinCEN under the US Bank Secrecy Act. Such filings must be electronic and made through the BSA E-Filing System. If you are an MSB, you must register with FinCEN.
New to FinCEN?
If you are an MSB (to be confirmed by advice from a lawyer), after registering a supervisory user through the BSA E-Filing System, you will have to complete a Form RMSB – Form 107. It’s hard to find that form on the FinCEN website, so we have provided one here so you can actually read it before completing it online.
FinCEN has a collection of published administrative rulings that give us an understanding of some of the rules concerning which kinds of businesses should and which need not register as MSBs with FinCEN.
Our firm has published a summary of most of FinCEN’s guidance if you are interested.
Bureau of Consumer Financial Protection (BCFP) (f.k.a. CFPB)
The BCFP is a U.S. government agency that makes sure banks, lenders, and other financial companies treat consumers fairly. The BCFP requires that as of February 7, 2013, all providers of international remittances issue to the senders thereof receipts that contain certain prescribed information.
Payments businesses should monitor BCFP regulation as it may creep into areas of payments that were previously unregulated.
Adam Atlas Attorney at Law maintains a 50-state database on the rules applicable in each state related to MSBs. State regulators remain the arbiters of which entities may be licensed within the state. Below are links to the various state regulators:
State Regulators and other useful state information
Marketplaces (many of which we list here), being more the norm and less disruptive, are asking themselves if they are MSBs or not on account of their handling money for their participants. Depending on how they are structured, the result will be MSB status or not.
Is an E-Wallet a Money Transmitter? Most likely, yes.
This is the single most frequently asked question in MSB compliance today. Some e-wallets are categorized as providers of prepaid access within the meaning of the FinCEN Prepaid Access Final Rule, which is summarized here, while others are registered with FinCEN as money transmitters. The definitive answer to this question lies in the applicable federal and state law in each of the states in which you propose to operate your e-wallet. That said, the ability to: (i) load real currency into an e-wallet; (ii) maintain a balance; (iii) transfer e-currency between users; and (iv) unload e-currency and convert it to real currency, together, would most often fall within what state regulators would characterize as a prepaid access provider or money transmitter. Given that the definition of a prepaid access provider is relatively new (2011), we have only seen a handful of entities claim that that is their primary activity, most of which are classic prepaid branded card issuers or sellers.
There are about 38,859 MSBs registered with FinCEN, but that number includes many duplicate registrations for multiple entities each with common ownership or a common brand. Below are examples of entities that have had multiple money transmitter licenses. For fun, we provide links to the MSB license disclosure for each entity:
The Payment Facilitator or Payment Services Provider model was created by the payment networks, like Visa and MasterCard, to expedite the boarding of smaller merchants. Payfacs contract with the merchant (payee), not so much with the customer (payer). The model, however, proves to be of limited value to some who want to offer customers more flexibility. We have therefore seen an evolution of payfacs into MSBs in the following examples:
Virtual currency business (VCB) is the term used way back in July of 2014 by the NY DFS to describe businesses operating in the virtual currency space, and it is a term that we believe is likely to stick. A VCB may or may not be an MSB, depending on which law you are interpreting.
Banks, investors and consumers are not wasting their time in learning about virtual currencies. Some believe that virtual currency will completely displace traditional ‘real currency’ issued by sovereign states. While that scenario is far flung for now, it is not hard to imagine a near future where a substantial portion of world economic activity takes place through virtual currency. Communication and commerce are international and instantaneous; banking is not. The contemporary disconnect between the reality of people’s personal and consumer lives, which are essentially instantaneous, and their banking activity, which is subject to delays and fees that bear no connection to the cost of the underlying service (transfer of digital value), sets the scene for virtual currency to now take deep root in the economy of the world.
Virtual Currency Toolbox
Everything you wanted to know but didn’t want to waste time finding:
Our firm also has a subscription service through which clients can obtain an MSB risk assessment of various crypto models in all 50 states, updated monthly.
Note that virtual currencies, such as Bitcoin, have also been associated with substantial and very serious criminal activity, as in the case of SilkRoad, accessible through the anonymous browser Tor, as reported in the New York Times. The most popular virtual currency is Bitcoin.
Bitcoin (比特币) is the leading virtual currency and is thought to have been invented by a mysterious Japanese mathematician by the name of Satoshi Nakamoto. Bitcoin is a virtual currency that is more or less anonymous and de-coupled from traditional banking. Bitcoin is created by using CPU time and energy. The algorithm by which it exists dictates that there shall be no more than 21 million Bitcoin when all mining is complete – which has not yet occurred. This makes some believe that it is destined for a monumental and colossal leap in value as the supply comes to a definite halt. Bitcoin operates, de facto, largely in the unlicensed arena. Here is a site that helps explain Bitcoin. The Bitcoin marketplace is interesting from an academic perspective, because it serves as a nexus for interesting debates between libertarians, anti-statists, statists, privacy advocates and others. The efficiency of Bitcoin, being a means for the free and secure exchange of value, poses challenging questions for (a) traditional banking that offers the same service, but at enormously higher costs; and (b) law enforcement that has a legitimate right to oversee suspicious activity in the financial system. There are competing visions for the future of Bitcoin. Some see it replacing ordinary currency; others see it as simply another currency destined to be mined for fees, interest, etc., like existing currencies. Like all forms of exchange, Bitcoin has value only because people believe that it does.
ICO Initial Coin Offering (ICO), Initial Token Offering (OTP) are like an IPO, but without the regulatory compliance of securities laws. It’s very easy to raise money with an ICO and there are hundreds of ICOs. The legality of a given ICO depends on a number of factors including whether the buyers expect a return on their investment.
Many ICOs are either securities or MSBs providing prepaid access. In order to escape one of those two classifications, quite a lot of legal thought needs to go into the piece.
Neobanks are small banks, bank-like services or resellers of limited bank services which present an alternative to traditional big-bank banking with annoying fees, like overdraft fees etc… Some examples of neobanking players include:
Is a neo-bank a regular bank with a better UI or something else entirely? Time will tell. Note that use of the term ‘bank’ or ‘banking’ is legally restricted to entities that are actually banks, so tread lightly with those terms.
Office of the Comptroller of Currency (OCC)
The OCC charters, regulates, and supervises all national banks and federal savings associations as well as federal branches and agencies of foreign banks. The OCC is an independent bureau of the U.S. Department of the Treasury.
Banks that open bank accounts for MSBs have to prove to the OCC that they have adequate AML / CIP / KYC and risk mitigation programs in place to provide banking services to MSBs. The OCC’s Bank Supervision Process Comptroller’s
OCC Special Purpose National Bank Charters for Fintech Companies
The basic requirements for a special purpose national bank charter for a fintech company are:
National Bank Act Charter
Robust, well-developed business plan
Good governance structure
Capital commensurate with the risk and complexity of the proposed activities (including on- and off-balance sheet activities). Because these banks do not make loans or rely on deposit funding, the OCC typically requires them to hold a specific minimum amount of capital, which often exceeds the capital requirements for other types of banks.
Liquidity. In assessing the liquidity position of a proposed bank, the OCC considers a proposed bank’s access to funds as well as its cost of funding. Some key areas of consideration include projected funding sources, needs, and costs; net cash flow and liquid asset positions; projected borrowing capacity; highly liquid asset and collateral positions (including the eligibility and marketability of such assets under a variety of market environments); requirements for unfunded commitments; and the adequacy of contingency funding plans.
Compliance Risk Management.
Financial Inclusion. These principles include “encouraging” the national bank “to provide fair access to financial services by helping to meet the credit needs of its entire community” and “promoting fair treatment of customers including efficiency and better service.”
As financial institutions and gateways to the financial infrastructure, MSBs are expected to make appropriate provisions for cyber security. Most U.S. states will wish to see an MSB taking security seriously, but some have gone further and mandated that the MSB have a Cyber Security Program that meets certain prescribed criteria.
We do not have any referral relationships with any banks, but if you call the above banks, please mention where you learned about them.
Marijuana Payments Law
It is a U.S. federal crime to process payments in the U.S. related to marijuana because marijuana is restricted under the U.S. Federal Controlled Substances Act, at Schedule I. Our firm does not advise on marijuana payments law.
FinCEN has published guidance setting out the specific kinds of due diligence and risk assessments required of financial institutions that wish to service marijuana businesses. This is just the beginning of an evolving body of law that navigates between Federal and state law related to marijuana.
US State Sales Tax for Online Sales
It has become common for US merchants and marketplaces that service US buyers and sellers to collect US state sales tax and remit it to US state departments of revenue. There have been various efforts in the U.S. Congress to adopt national legislation on this topic, but none are yet in effect. Retailers and marketplaces, however, are not waiting, as the penalties for non-compliance can be very substantial.
Financial Consumer Agency of Canada
The FCAC (like its US counterpart, the CFPB) was created to bolster regulation of consumer financial services, but its mandate has gone further into merchant-facing credit card payment processing, in part through the Code of Conduct for the Credit and Debit Card Industry in Canada. Payments businesses operating in Canada should monitor CFPB regulations as they may creep into previously unregulated payments markets.
Canadian Provincial MSB Licensing
In Canada, government has effectively outsourced protection of the financial system to banks. It is relatively easy to become registered with FINTRAC and licensed in the one Canadian province that requires MSB licensing, Quebec. Opening a bank account for an MSB, which is necessary for its operation, is, however, very difficult. Be wary of Canadian banks that put MSBs through long account-opening procedures, sometimes lasting as much as a year, only to close the account because it is for an MSB.
For the moment, it appears that FINTRAC has decided that Bitcoin is not real currency, but don’t take this as legal advice; get a written confirmation from FINTRAC before operating in Canada. Note that operating a Bitcoin exchange in Canada that services US residents would require compliance with US law.
In order to increase efficiency in the licensing of financial services in the European Union, the European Commission has enacted directives concerning financial services within the EU. For example, the EU E-Money Directive (2009/110/EC) (EMD) provides for the licensing of electronic money institutions and issuers, whose licenses are recognized throughout the EU.
SEPA B2B Mandate Forms. These are the EU equivalent of a business ACH consent. They aren’t specific to payment institutions, but they are new in 2014 and frequently asked for.
The Financial Conduct Authority (FCA) is the competent authority for most aspects of money services businesses in the UK under the Payment Services Regulations (PSR) of the Payment Services Directive (PSD). The UK implemented the PSD through the Payment Services Regulations 2009 (PSRs), which came into effect on 1 November 2009.
The FCA is creating the Office for Professional Body Anti-Money Laundering Supervision (OPBAS) to bring coherence to AML rules.
The Singapore SVF is astonishingly easy to set up thanks to the efficacy of the MAS. That said, if you have an SVF and take on customers in the US, EU, Canada or other countries that license MSBs, make sure the entity is compliant with the local MSB / payment institution licensing and registration requirements. Getting ewallet banking in one jurisdiction does not make compliance with AML laws in other jurisdictions disappear.
China (中国汇款，支付服务) (Money Transfer, Payment Service in China)
On 18 March 2018, China’s lawmaker, the National People’s Congress, approved a reform plan for the institutional organizations of the State Council. According to the Reform, the regulator of the banking industry and the regulator of the insurance industry will be merged into the China Banking and Insurance Regulatory Commission (CBIRC).
When planning a payments business, it’s important to have a clear understanding of the flow of funds and who is taking risk on the loss of funds at each moment. Here is a sample 3D model to jog your imagination. You can also check out our www.paymentsbusinessideas.com.
MSB Compliance and Civil Cases: Notable U.S. Cases
Payments business operators should make no mistake about the seriousness of U.S. law enforcement of MSB laws, such as the Bank Secrecy Act or state MSB licensing laws. Whether or not your payments business is an MSB, you should be aware of recent enforcement actions against MSB and non-MSB entities alike to see that you are not the target of this kind of case. Here is the language of the Federal law that makes it a crime to transmit money in the U.S. without the necessary Federal registration and state licenses. Anyone who is new to the payments industry should read this section:
Title 18 U.S.C. § 1960 (a) Whoever conducts, controls, manages, supervises, directs, or owns all or part of a business, knowing the business is an illegal money transmitting business, shall be fined in accordance with this title or imprisoned not more than 5 years, or both. (b) As used in this section – (1) the term “illegal money transmitting business” means a money transmitting business which affects interstate or foreign commerce in any manner or degree and – (A) is intentionally operated without an appropriate money transmitting license in a State where such operation is punishable as a misdemeanor or a felony under State law; or (B) fails to comply with the money transmitting business registration requirements under section 5330 of title 31, United States Code, or regulations prescribed under such section; or (C) otherwise involves the transportation or transmission of funds that are known to the defendant to have been derived from a criminal offense or are intended to be used to promote or support unlawful activity; (2) the term “money transmitting” includes transferring funds on behalf of the public by any and all means including but not limited to transfers within this country or to locations abroad by wire, check, draft, facsimile, or courier; and (3) the term “State” means any State of the United States, the District of Columbia, the Northern Mariana Islands, and any commonwealth, territory, or possession of the United States.
With the benefit of the above bit of law, you can now read the following civil, criminal or other regulatory enforcement cases of interest.
Selling Bitcoin under Federal law, two early 2019 conflicting cases:
1. Agent-of-the-payee up for comment in California: On February 8, 2019, the California Department of Business Oversight published an invitation for comments on possible amendments to the California Financial Code / Money Transmission Act concerning the agent-of-the-payee exemption. The exemption allows agents of the payee to be exempt from money transmitter status if they meet certain specific criteria, including contracting with the payee and accepting funds for goods or services sold by the payee and received by the payor. The good news is that the exemption itself is not on the chopping block. Instead, DBO is wondering whether key defined terms should be narrowed or more precisely defined. Specifically, “goods or services” and “receive”. The invitation distinguishes between the types of goods sold at online marketplaces like Amazon and Airbnb (see agent language for each) and other goods sold at (perhaps less popular) marketplaces that handle housing, real estate, insurance, etc. Any attempt to distinguish between one kind of payee and another, giving some the right to the exemption and others not, will create a flurry of requests for guidance and, perhaps, niche processors that try to walk a line between permitted processing and processing that needs a license. The deadline for comments is April 9, 2019.
Agent-of-the-payee is expressly available in only a handful of states, tolerated in many other states and downright confusing in the remainder of states that take a case-by-case approach. At least under the BSA, the availability of the exemption is fairly clear thanks to guidance produced as a result of an enquiry by our firm.
4. Quadrega.ca Security Policy Case Study. The now defunct virtual currency exchange, Quadega.ca, fell apart because its CEO passed away in India with private keys controlling $250 million of crypto. This is a case study in why payments companies (not just crypto exchanges) need security policies and disaster recovery policies. It goes without saying, that no single person should have the unique keys to substantial reserves of client assets.
Adam Atlas Attorney at Law is licensed in New York and Quebec. This email is ATTORNEY ADVERTISING. Nothing in this e-mail should be construed as a legal opinion or commentary on laws other than in the two jurisdictions where the author is admitted.
State and federal regulators do excellent work in keeping up with payments models. However, some of their excellent work has led to legal dead-ends. Here are five quandaries that regulators might rather not face.
1. California DBO: Does a non-California money transmitter need a California MSB license to send money to California?
Cutting right to the chase, the California Money Transmission Act requires all those who “receive money for transmission” 2003(q)(3) “in this state”, meaning in, to or from California 2003(k) to have a money transmitters license from the DBO. So, every money transmitter in the U.S., and possibly the whole world, that sends money to California may need a license from DBO. If this were true, a lot of U.S. payments would instantly be ‘shutdown’, so to speak.
2. New York DFS: Are NYDFS-approved stablecoins being used in OFAC-sanctioned jurisdictions?
[Rant Alert] Stablecoins are virtual currency backed by real currency. For example, one Tether is backed by one USD. Earlier this month, the Texas DOB updated its very elegant memo 1037 on virtual currency regulation and included discussion of stablecoins. OFAC, other federal and state regulators and the compliance professionals who answer to them spend a lot of time trying to prevent bad actors from abusing the privilege of accessing the U.S. financial system. In plain English, bad guys are not supposed to bank in USD or through US-licensed financial institutions. NYDFS has sanctioned the issuance of a USD-backed stablecoin. Unlike USD, virtual currency tokenized stablecoins can generally be held and transferred without a bank account or any KYC and using a virtual currency wallet. Regardless of the amount of KYC and OFAC-checking of the first buyer of stablecoin and the first redeemer (i.e. the distant-future theoretical person who finally asks for a USD in exchange for their token), it’s not clear what controls are in place in between. The ‘in between’ is where the majority of stablecoin transactions will occur and is the whole purpose of stablecoins. We don’t understand NYDFS’ position on the majority of stablecoin transactions, some being licensed USD instruments and potentially de-coupled from OFAC oversight. In a test transaction, we were able to purchase stablecoin and send it to an unverified recipient. But don’t take my word on this; check out this news item, this blog, this blog, and, humorously, this shutterstock image that, effectively, pose the same question by depicting stablecoin as an opportunity for sanctioned countries.
There are lots of stablecoins out there. Here are links to a handful of popular ones:
3. Pennsylvania DBS: Why are Pennsylvania virtual currency exchanges able to hold USD in their own bank accounts without an MSB license while prepaid issuers and money transmitters need licenses to do the same?
The Pennsylvania Department of Banking and Securities has, helpfully, published guidance answering a number of key questions concerning virtual currency regulation in the state. The guidance says, concerning virtual currency exchanges or Platforms: “These Platforms never directly handle fiat currency; any fiat currency paid by or to a user is maintained in a bank account in the Platform’s name at a depository institution. […] Under the MTA, these Platforms are not money transmitters. The Platforms, while never directly handling fiat currency, transact virtual currency settlements for the users and facilitate the change in ownership of virtual currencies for the users. There is no transferring money from a user to another user or 3rd party, and the Platform is not engaged in the business of providing payment services or money transfer services.” The language of that guidance suggests, perhaps mistakenly, that because money of the exchange is held at a bank, the exchange is somehow not a money transmitter. This is, of course, not true of other money transmitters, who require licenses in Pennsylvania regardless of where they keep their money.
4. FinCEN: Exactly where is the line between virtual currency investor (not MSB) and a virtual currency exchanger (MSB)?
FinCEN has published excellent guidance on a number of aspects of virtual currency, including key definitions, mining, investing, software, trading platforms and processors. Taken as a whole, however, the guidance comes across as somewhat inconsistent on the practice of buying and selling virtual currency for your own account (as a user or investor). A person or company that buys and sells virtual currency for their own account (not involving third parties) in only two-party transactions, in any quantity, at any speed and for any volume, should naturally be exempt from MSB status. If they were not, a few hedge funds could be promptly indicted.
Owing to the ever-growing methods of exchanging value, regulators will never achieve perfection in regulating each of them. It is perfectly normal for the ‘range of the possible’ to be much broader than the ‘range of the regulated’. That said, it is incumbent on payments businesses to help regulators understand the latest payment methods so that they can be, where necessary, subject to oversight for the security and soundness of the financial system and so that bad actors can be weeded out.
Traditional law firms keep knowledge off-line and charge for access. Since our founding in the early days of fintech, our firm has opted for an open source approach to legal knowledge and collaborative study with clients, other firms and regulators to produce a quicker and deeper understanding of issues for all.
Leave a founder and a calculator alone in a room for 10 minutes and out comes a unicorn payments company. Let’s test this theory.
1. Uber, Didi Kuaidi, Lyft. Uber and most of its competitors are classic biller models. Some, such as Uber, may actually be going further and becoming MSBs. The Uber Gift Card terms, for example, allow a payer to deliver up to $2,000 of value from one user to another through a promotion code. Uber still has no FinCEN registration.
2. Airbnb. Using classic biller model language, Airbnb terms state: “Airbnb Payments serves as the limited authorized payment collection agent of the Host for the purpose of accepting, on behalf of the Host, payments from Guests […].” Airbnb has had its FinCEN MSB registration since 2014.
3. Palantir. According to Techcrunch reporting, one of the three industries serviced by this big data company is the finance sector, making Palantir a payments support business.
4. Snapchat. With Snapcash, a Paypal collaboration, Snapchat hops on the bandwagon of other startups eyeing the presumed billions in P2P transactions.
6. WeWork. WeWork is perhaps the unicorn that best distinguishes itself from a payments company, because its members are tenants of WeWork and actually purchase WeWork services, as per its terms of service.
8. ApplePay. In the inverse of all the other examples, everyone thinks of ApplePay as a payments business except Apple itself which thinks it’s just a gateway. The ApplePay terms refer to it as creating a virtual representation of a card for which Apple is not responsible.