FTX Implosion Proves California Regulation Should Distinguish Custodial from Non-Custodial Business Models

December 15, 2022

The catastrophic collapse of FTX has once again placed the cryptocurrency industry in the crosshairs of policymakers with calls for more regulation and tougher rules. The headwinds of bad press, the perception that crypto is un- or under-regulated, and the betrayal felt by so many consumers who held funds with FTX could not come at a worse time as California resumes the process of architecting the state’s regulatory framework for crypto money transmitters. Indeed, California legislators, the Governor’s Office, and the Department of Financial Protection & Innovation (DFPI) are all expected to begin anew in early 2023, after failing to establish and agree upon regulatory guardrails in 2022.

First, some background on California’s recent efforts to establish a crypto regulatory framework in 2022:

In May 2022, Governor Newsom issued an executive order (EO) on cryptocurrency designed to “spur responsible web3 innovation, grow jobs, and protect consumers.” When the EO was first published, we at BitAML recognized this as a big step toward an ambitious regulatory vision that balanced innovation with consumer protection and a myriad of other priorities aimed at the greater good (e.g., job creation, research, and diversity/inclusion, etc.). The Governor’s EO envisioned fostering an environment that was both pro-innovation and pro-consumer.

In the background, AB 2269 – Digital Financial Asset Businesses: Regulation, was quietly making its way through the California State Assembly. AB 2269 was a one-size-fits-all framework that would have effectively required any crypto money transmitter to obtain a permission-based license from the DFPI. The bill would have compelled virtually all crypto money transmitters operating in California and/or offering services to customers in California to apply for a license. We at BitAML were not shy in our analysis that this would create a line a mile long with thousands of individuals and entities based on the number of current participants in the marketplace. For those who have been involved in the crypto space for any length of time, the plot sounds eerily similar to what’s unfolded in New York since the “BitLicense” was enacted in 2015.

On August 30, 2022, AB 2269 passed with a 71-0 vote, before being subsequently delivered to the Governor’s desk. Less than a month later, on September 23, Governor Newsom vetoed the bill. Within his official reply to the Legislature, the Governor appeared to share several concerns echoed by us here at BitAML. Specifically, the Governor remarked that, “A more flexible approach is needed to ensure regulatory oversight can keep up with rapidly evolving technology and use cases, and is tailored with the proper tools to address trends and mitigate consumer harm.”

We at BitAML could not agree more…

When AB 2269 was introduced in the legislature last year, we spoke out strongly against it, arguing instead for a risk-based approach that would require custodial business models to obtain a license from the DFPI, while requiring non-custodial business models to register with the DFPI. Licensing would be permission-based, while registration would be more of a declaration form on one’s oath, not all that different from FinCEN registration at the federal level.

What lessons can we apply from the FTX collapse to a crypto regulatory framework for California?

“Not your keys, not your crypto,” which has been a popular refrain in the crypto space for years, is once again front and center. Those echoing this sentiment (and for good reason) have been warning consumers that by leaving crypto on an exchange, you are effectively trusting a third party (who has access to your funds) to ensure those funds will be there tomorrow. Essentially, consumers are entrusting their funds to a third party and trusting that this third party will not take those funds and engage in risky transactions or any other shenanigans. However, that’s exactly what FTX did…allegedly. Consumers trusted that the funds they maintained on account with the now-defunct exchange would be there, safe and secure, and available at their convenience. They were not.

In stark contrast, non-custodial business models do not hold or have access to customer funds; instead, they merely facilitate a direct wallet-to-wallet exchange. The distinction in risk profile couldn’t be starker and (unfortunately), thanks to the collapse of FTX, more obvious. While non-custodial business models in crypto are certainly not without their fair share of risks, the importance and relevancy of drawing the proverbial “line in the sand” between custodial and non-custodial business models could not be any clearer.

Imagine for a moment that FTX did not hold, have access to, or otherwise maintain any customer funds. Instead, they merely offered the contemporaneous or near contemporaneous exchange of fiat and crypto assets. How could they have misappropriated customer funds? After all, the funds would be held for only as long as it takes to complete the process of each individual customer-requested transaction. The temptation to touch, much less misappropriate, customer funds having been removed, non-custodial businesses are only able to transact with interested consumers using the company’s own funds.

What does this mean for California’s potential regulatory framework?

We remain more convinced than ever that California should implement a two-prong approach to the regulation of cryptocurrency money transmitters. Custodial business models should be required to obtain a license from the DFPI, while non-custodial business models should be required to register with the DFPI. Permission-based licensing of all crypto money transmitters in California is nonsensical and unrealistic, and ultimately sets up the DFPI, the eyes and ears of Californian consumers, to fail.

As FTX taught us, there is a big difference between holding customer money on the promise it will be there at a later date, and simply processing a customer-requested transaction. Regulators ought to have a separate and more aggressive set of requirements and expectations for those that maintain customer funds, ensuring to the greatest extent possible that the funds will be there tomorrow. (We trust DFPI will do just that.) Non-custodial business models, which are not without their fair share of risk, should be required to submit to formal registration with the DFPI. Thus, regulators would have a more complete view of the entire marketplace and its participants, while taking a risk-based approach to regulation.

One-size-fits-all, aggressive, permission-based licensing does not protect consumers, and it certainly doesn’t promote innovation. Protecting consumers means identifying nuanced inherent risks, applying thoughtful and targeted countermeasures, and promoting a healthy, diverse marketplace.

We’re hopeful that those establishing the regulatory guardrails for crypto in California agree.

Stay tuned. 2023 will be a defining year for crypto regulation in California (and beyond).
