Last week, BitAML Founder & President, Joe Ciccolo, submitted public comment to the California Department of Financial Protection and Innovation (DFPI) on behalf of the California Blockchain Advocacy Coalition (CBAC) in direct response to many of the specific questions posed by the Department.
The questions were wide-ranging and addressed several matters pertaining to crypto money transmitter licensing requirements in preparation for DFPI’s implementation of licensure and oversight under Assembly Bill 39 (AB39).
Additionally, the public comment addressed our ongoing concern for the $1,000 per person, per day threshold imposed upon crypto kiosk operators under Senate Bill 401 (SB401). This arbitrary limit is in direct conflict with the Suspicious Activity Report (SAR) filing threshold of $2,000. Effectively, this would mean that a scam victim would unnecessarily have to be revictimized before a SAR is filed with law enforcement.
Read the public comment in its entirety, below.
January 12, 2024
Via Electronic Submission
Regulations@DFPI.CA.Gov
Mary Tomé
Senior Counsel for the Commissioner
Department of Financial Protection and Innovation
2101 Arena Boulevard
Sacramento, CA 95834
Re: Invitation for Comments on Proposed Application-Related Rulemaking Under the Digital Financial Assets Law (PRO-02-23)
Ms. Tomé:
The California Blockchain Advocacy Coalition (CBAC) and our members that span the blockchain and virtual asset sector appreciate the opportunity to provide comments on implementation of the Digital Financial Assets Law (DFAL).
California is the nation’s leader in Web3, and serves as an innovation hub. There are 2,060 blockchain related companies in the state, of which 1,774 are startups. CBAC appreciates the collaborative spirit DFPI and this Administration has demonstrated to ensure the right balance is struck between regulation and spurring innovation.
CBAC worked collaboratively with the author of AB 39, Assembly member Grayson, throughout the session to address many initial concerns with the bill as introduced with the goal of ensuring the licensure program and technology limitations will not result in an overly prescriptive framework that would close the door to the digital asset industry in California. While we greatly appreciated the author’s attempt to address as many stakeholder concerns as possible, we understand that advancing an entirely new regulatory framework for a rapidly evolving and growing industry is not an easy feat. To that end, we appreciate DFPI’s leadership in addressing remaining issues to ensure greater clarity and protection of California consumers.
Please consider CBAC a resource as you have technology or regulatory questions, our members stand ready to work alongside regulators to ensure common-sense protections for consumers. We appreciate DFPI’s willingness to provide a transparent and interactive process as the agency implements the DFAL, and we are hopeful to see this continue throughout the rulemaking so the regulated community can ensure compliance.
Thank you for your time and consideration and please do not hesitate to reach out with any questions or concerns to jaime@blockadvocacy.com or joe@blockadvocacy.com.
Sincerely,
Jaime Minor & Joseph Ciccolo
California Blockchain Advocacy Coalition
Response:
I. License application form and related fees (Fin. Code, § 3203)
1. Section 3203 requires the license application to include “any other information” the DFPI reasonably requires by rule. In addition to the information that is listed in the law, what other information should the application include?
CBAC encourages alignment with comparable licensees under DFPI jurisdiction, including, most appropriately, those that hold a Money Transmission License. While the information required is already extremely robust and should be sufficient for decisioning, if there is a case in which additional information may be needed, it should be limited only to a request for information that pertains to the prospective or current licensed activity and the specific criteria being evaluated. This is especially important to facilitate efficient and fair evaluation of all licensees and to account for businesses for which DFAL activities are simply one of many other relatively unrelated offerings.
2. Financial Code section 3203, subdivision (a)(3) requires the license application to be accompanied by a nonrefundable fee to cover the reasonable costs of application review. Additionally, Financial Code section 3203, subdivision (e) requires the applicant to pay the reasonable costs of the DFPI’s investigation under section 3203, subdivision (b).
a. Are there aspects of the costs and fees in Financial Code section 3203 that should be clarified through rulemaking?
CBAC welcomes additional refinements and certainty when it comes to fee assessments so prospective applicants can anticipate the cost of compliance and licensure in the state.
Regulatory compliance costs are a significant expense for many digital financial asset companies, which must comply with a patchwork of laws, regulations, and licensing requirements across all U.S. states and territories in addition to comprehensive federal regulatory oversight under the Bank Secrecy Act. We encourage further clarity and cost containment parameters DFPI can provide to prospective licensees so California can continue to lead the nation in the Web3 space, which to date represents an $18 billion investment and economic impact to the state.
Specifically, it is appropriate to align application fees with that of traditional money transmission licensees, which is currently $5,000. For additional examination and evaluation, while reasonable expenses should be covered by licensees, eligible expenses should be well-aligned with similar oversight such as money transmitter licenses.
Another important factor of cost management is the application timeframe. DFPI should provide applicants with timely processing estimations before, during, and throughout the application process. Additionally, advance notice should be provided to licensees for any requests or other activities that require more staffing and preparation.
b. Are there factors the DFPI should consider in determining these reasonable costs and fees? For example, should the DFPI charge every applicant the same application fee, or charge different fees depending on the type or complexity of the application? Where applicable, please provide information about the methodology and impact of costs and fees in other state or federal regulatory environments.
In determining fee and cost structures, clarity and predictability are most important for reasonable implementation. If the fee is reasonable and clear at the outset through the rulemaking process, DFPI should implement a flat fee for all applicants and utilize cost recovery as appropriate and proportional depending on risk and business model. It is critical that in administering DFAL, DFPI recognizes that the digital financial industry is diverse in size, products, services, and risk profile. Additionally, there are companies for which digital assets represent only a small proportion of their overarching business offering. In any case, costs should be proportionate to the covered activities within the state of California. In order to ensure that the industry continues to thrive and innovate responsibly in the state of California, close attention should be paid to avoid disproportionate fiscal or operational burdens on small entities and new entrants.
II. Surety bond or trust account (Fin. Code, § 3207, subd. (a))
3. What factors should the DFPI consider in determining the dollar amount of surety bond or trust account it may require under section 3207?
Surety bond requirements should be set in alignment with similar regulatory precedent such as DFPI-licensed money transmitters. The amount should be determined at the time of application approval, and upon annual renewals thereafter, to allow licensees the ability to plan appropriately.
Trust accounts from California-based banks are virtually non-existent for the crypto industry at this stage. This leaves securing a surety bond as one of the only options for licensees who need to comply with Section 3207.
Surety bond amounts should be determined based on the applicant’s risk profile and exposure to California customers. This may take into account such measures as quarterly transaction volume in California, or the number of California customers.
Applicants that custody customer funds have a different risk profile than applicants that purely exchange customer funds, and any collateral requirement should reflect this. The driving factor should be the licensee’s average daily outstanding obligations attributable to digital financial business activity with customers in California, consistent with Section 2037(e) of the California Money Transmission Act.
CBAC also believes there is merit in a waiver process for requiring a surety bond depending on risk profile. In the event that an applicant cannot secure a surety bond, DFPI should have a process for such consideration to ensure this is not a barrier to entry as products and technologies innovate.
Given the difficulty of securing a California-based trust account, DFPI should also allow companies to use a trust account outside of California with written permission.
4. Should the DFPI require a minimum amount of surety bond or trust account? Please explain.
Given our previous comments around the need for flexibility to account for the extremely wide variety of digital asset businesses that may be captured by the license, DFPI should not set a minimum surety bond amount.
5. Should surety bond or trust account amounts vary by the type of activity requiring licensure? Please explain.
DFPI should categorize applicants based on how they interact with customers. Exchanges custodying customer funds should be in a different category than, for example, a crypto trade desk or kiosk, which facilitate a direct, non-custodial exchange with the customer.
Additionally, CBAC believes there is merit in DFPI developing a waiver process for the surety bond requirement, depending on an applicant’s risk profile or customer volume. In the event that an applicant cannot secure a surety bond due to industry conditions or availability, DFPI should have a process for such a consideration to ensure this is not a barrier to entry as products and technologies innovate.
6. How should specific activity requirements provided for, such as the custody requirements of section 3503 or the reserve requirements of section 3601, impact surety bond or trust account amounts?
Capital holding requirements, similar to surety bonds, should be based on the operating and risk profile of the licensee, especially as it pertains to any custodying of customer assets. AB 39 requires digital asset companies to disclose capital reserve protections and assurances; including FDIC or SIPC assurances in 3501 (A).
III. Capital (Fin. Code, § 3207, subd. (b) & (c))
7. Section 3207 requires a licensee to maintain capital “in an amount and form as [DFPI] determines is sufficient to ensure the financial integrity of the licensee and its ongoing operations based on an assessment of the specific risks applicable to the licensee.” It provides nine factors the DFPI may, but is not required to, consider when determining the minimum amount of capital required of a licensee. Are the factors provided sufficient, or are additional factors needed and if so, what should those potential additional factors be and why?
The criteria outlined in Section 3207 is sufficient; however, we encourage transparency in how decisions are made and the possibility for appeal in the event of unique disruptions to certain factions of the industry.
The DFPI should also consider allowing for reciprocity if the licensee is holding capital in connection with another state’s virtual asset licensing program or money transmitter license. If, for example, an applicant is holding a percentage of its capital in connection with a money transmitter license it maintains in another state, the DFPI should consider allowing the applicant to apply that to the DFAL capital requirements.
8. Should capital minimums vary by the type of activity requiring licensure? CBAC believes DFPI should work with industry participants to create business product offering categories based on customer risk exposure and the licensee’s risk profile. Capital requirements should be consistent among those categories proportional to volume, and have the possibility for review and comment.
IV. Additional Comments
13. Are there any additional matters related to the DFAL license application, licensure requirements, or stablecoin approval that the DFPI should consider when proposing regulations?
Potential License Application
We encourage additional clarity of application of the DFAL for those that serve solely as a platform for connecting buyers and sellers where the purchase or sale of goods or services may be transacted with digital financial assets. Such goods and services purchased do not include digital financial assets, and the platform itself is exclusively for bona fide transactions of goods and services.
SB 401 & Additional Regulations on Crypto Kiosk Operators
CBAC members support a licensing framework in California for those that operate in the digital asset industry. However, CBAC continues to have concerns with the implementation of SB 401, regulating crypto kiosks. In particular, concerns are centered around the transaction limit application for all customers and the unintended consequences such a requirement poses to the detection of fraudulent schemes and its direct conflict with established mandatory U.S. Treasury federal reporting requirements under 31 CFR 103.20 (a)(2) and (3). We encourage DPFI to pause enforcement on this transaction limit requirement until further investigation of the impacts to data collection of critical information that helps law enforcement track and detect scammers and fraudsters is performed, and the DFPI addresses the limit’s potential conflict with federal reporting requirements.
SB 401 requires kiosk operators to impose a $1,000 per person, per day daily transaction limit. The Suspicious Activity Report (SAR) threshold imposed by FinCEN, a bureau of the U.S. Treasury, for crypto kiosks, and other money transmitters, is $2,000. As a result, SARs will not be filed below the $1,000 threshold. Effectively, this means a scam victim would unnecessarily have to be revictimized before a SAR is filed with law enforcement.
SARs relating to, and filed by, crypto ATMs contain unique and valuable information that may include, for example, crypto wallet identifiers, email addresses, phone numbers, customer identification information or images, website URL addresses, transaction timestamps, and more. This unique information provides law enforcement with transparency into illicit activity relating to cryptocurrency. This information becomes even more important to law enforcement as crypto and traditional finance become more and more integrated.
Additionally, the federal requirement to obtain the customer’s taxpayer identification number (e.g., SSN, ITIN) begins at $3,000. Importantly, this threshold is on a per transaction basis. So, a customer could transact several modest transactions aggregating to $3,000 or more and not have to provide their taxpayer identification number. The $1,000 per person, per day transaction limit denies tax authorities valuable information and records pertaining to taxable events conducted in California.
Collection of this information is a huge deterrent to committing fraud and laundering money, and provides law enforcement with valuable information and intelligence. Not to mention, ATMs capture one or more photographic images of the customer transacting via an embedded camera.
Know Your Customer (KYC) transaction thresholds are a mix of hard-and-fast rules from the federal government (FinCEN) and compliance best practices that have been in place and reinforced through Title 31 IRS exams for decades. Law enforcement will get less information and find it more difficult to carry out investigations on illicit activity if all the elements of SB 401 are enforced before fully investigating these potential unintended consequences. Therefore, CBAC would recommend DFPI pause enforcement of the transaction limit threshold until further investigation can be done on potential impacts to, or conflicts with, federal law enforcement data gathering efforts.
