News & Insights

Client Alert

April 1, 2020

Developing Contingency Plans: The NYDFS Mandate on Licensed Virtual Currency Businesses


The events surrounding COVID-19 have increased the use of fintech products, both out of necessity and convenience. Shelter-in-place directives have moved customers towards fintech solutions, as have concerns aligned with the World Health Organization’s statements encouraging people to use contactless payment methods, with the reminder that bank notes may transfer bacteria and viruses.

Some governments, such as South Korea and countries in Africa,[i] have taken steps in response to the pandemic to encourage movement to fintech solutions. When governments assess best practices in light of the current crisis, regulations in many countries may change to remove barriers placed on the industry. Facilitation of the entry and use of fintech solutions will likely be paired with strengthened reporting obligations on businesses involved in digital payments, banking and investing, including in relation to virtual currency. As more customers seek to handle banking, trading and payment transactions through digital means, regulators are expected to take stronger measures to monitor the use, protection and security of the data collected and assets transferred or held digitally.

One requirement that might be expanded is a mandate to have adequate contingency plans in place. New York’s Department of Financial Services (NYDFS) is requiring the state’s licensed virtual currency businesses to provide detailed COVID-19 preparedness plans to NYDFS by April 9, 2020. NYDFS also noted related responsibilities of boards of directors and senior management in its March 10, 2020 letter.[ii] Specifically, the board should oversee the approval of a contingency plan that is appropriate to the business and ensure the allocation of sufficient resources to implement the plan. Senior management takes responsibility for executing the plan, including putting in place policies, processes and procedures to implement the plan and effectively communicating the plan across the organization.

The letter from NYDFS emphasized the possibility of hackers exploiting the pandemic and stressed the importance of implementing enhanced cybersecurity measures to detect fraudulent actions, for instance, related to trading and withdrawals. The need to protect custodied assets was also emphasized, in particular as movement of assets from “cold” to “hot” storage would increase in a remote working environment.

NYDFS’s call for contingency plans may portend an acceleration of regulatory action mandating procedures and reporting geared towards safeguarding customer assets. Even if not currently falling under a regulated category with mandatory reporting requirements to a state or federal agency, companies involved in the storage, tracking or movement of digital assets would be well advised to put in place contingency plans.

Following are the points NYDFS set forth for inclusion in contingency plans, all of which should be tailored to the specific profile and operations of the particular business. These points can serve as a guide to developing a plan, whether or not the NYDFS mandate applies to you.

1. Develop measures to mitigate the risk of operational disruption and identify the impact on customers and other third parties, such as suppliers and partners.

2. Formulate a strategy that addresses the impact of the disruption in stages and that outlines how efforts can be scaled as events unfold.

3. In the event staff are unavailable or working remotely for long periods of time, assess the suitability (including effectiveness and security) of facilities, systems, policies and procedures necessary to continue critical operations and services.

4. Assess cybersecurity and fraud related risks that might increase in relation to a disruptive event.

5. Develop employee protection strategies, such as steps to reduce the likelihood of contracting COVID-19 and employee awareness of recommended actions.

6. Assess the preparedness of third-party service providers and suppliers critical to the business and consider alternative sources.

7. Formulate a communication plan covering communications to customers, counterparties and the public, as well as employees, and a means for such parties to ask questions and receive responses.

8. Establish procedures to test the effectiveness of policies, processes and procedures.

9. Establish governance and oversight of the plan, including ongoing review and revisions, the critical members of response teams, and the monitoring of information from government and other relevant sources.

Given the varied financial impact on regulated entities impacted by COVID-19, NYDFS further outlined that contingency plans should include provisions for assessing and monitoring financial risk, including the valuation of assets and investments that might be impacted by the disruption; the overall expected impact of the disruption on earnings, profits, capital, and liquidity; and steps the business would take to assist those adversely impacted by the disruption. 

Disruptions such as the current pandemic expose businesses to a broad range of vulnerabilities. As businesses work through the current situation, using the contingency plan outline provided by NYDFS could serve as an effective means of documenting lessons learned during this time and capturing insights to improve going forward plans. Taking the time to develop plans while experiences are still fresh and a process to update plans could serve companies well in the future.

 

[i] See https://techcrunch.com/2020/03/25/african-turns-to-mobile-payments-as-a-tool-to-curb-covid-19/

[ii] See https://www.dfs.ny.gov/industry_guidance/industry_letters/il20200310_coronavirus_vc_business_oper_fin_risk