23 CRR-NY 200.15NY-CRR

OFFICIAL COMPILATION OF CODES, RULES AND REGULATIONS OF THE STATE OF NEW YORK
TITLE 23. FINANCIAL SERVICES
CHAPTER I. REGULATIONS OF THE SUPERINTENDENT OF FINANCIAL SERVICES
PART 200. VIRTUAL CURRENCIES
23 CRR-NY 200.15
23 CRR-NY 200.15
200.15 Anti-money laundering program.
(a) All values in United States dollars referenced in this section must be calculated using the methodology to determine the value of virtual currency in fiat currency that was provided to the department under this Part.
(b) Each licensee shall conduct an initial risk assessment that will consider legal, compliance, financial, and reputational risks associated with the licensee’s activities, services, customers, counterparties, and geographic location and shall establish, maintain, and enforce an anti-money laundering program based thereon. The licensee shall conduct additional assessments on an annual basis, or more frequently as risks change, and shall modify its anti-money laundering program as appropriate to reflect any such changes.
(c) The anti-money laundering program shall, at a minimum:
(1) provide for a system of internal controls, policies, and procedures designed to ensure ongoing compliance with all applicable anti-money laundering laws, rules, and regulations;
(2) provide for independent testing for compliance with, and the effectiveness of, the anti-money laundering program to be conducted by qualified internal personnel of the licensee, who are not responsible for the design, installation, maintenance, or operation of the anti-money laundering program, or the policies and procedures that guide its operation, or a qualified external party, at least annually, the findings of which shall be summarized in a written report submitted to the superintendent;
(3) designate a qualified individual or individuals in compliance responsible for coordinating and monitoring day-to-day compliance with the anti-money laundering program; and
(4) provide ongoing training for appropriate personnel to ensure they have a fulsome understanding of anti-money laundering requirements and to enable them to identify transactions required to be reported and maintain records required to be kept in accordance with this Part.
(d) The anti-money laundering program shall include a written anti-money laundering policy reviewed and approved by the licensee's board of directors or equivalent governing body.
(e) Each licensee, as part of its anti-money laundering program, shall maintain records and make reports in the manner set forth below.
(1) Records of virtual currency transactions. Each licensee shall maintain the following information for all virtual currency transactions involving the payment, receipt, exchange, conversion, purchase, sale, transfer, or transmission of virtual currency:
(i) the identity and physical addresses of the party or parties to the transaction that are customers or accountholders of the licensee and, to the extent practicable, any other parties to the transaction;
(ii) the amount or value of the transaction, including in what denomination purchased, sold, or transferred;
(iii) the method of payment;
(iv) the date or dates on which the transaction was initiated and completed; and
(v) a description of the transaction.
(2) Reports on transactions. When a licensee is involved in a virtual currency to virtual currency transaction or series of virtual currency to virtual currency transactions that are not subject to currency transaction reporting requirements under Federal law, including transactions for the payment, receipt, exchange, conversion, purchase, sale, transfer, or transmission of virtual currency, in an aggregate amount exceeding the United States dollar value of $10,000 in one day, by one person, the licensee shall notify the department, in a manner prescribed by the superintendent, within 24 hours.
(3) Monitoring for suspicious activity. Each licensee shall monitor for transactions that might signify money laundering, tax evasion, or other illegal or criminal activity.
(i) Each licensee shall file suspicious activity reports (“SARs”) in accordance with applicable Federal laws, rules, and regulations.
(ii) Each licensee that is not subject to suspicious activity reporting requirements under Federal law shall file with the superintendent, in a form prescribed by the superintendent, reports of transactions that indicate a possible violation of law or regulation within 30 days from the detection of the facts that constitute a need for filing. Continuing suspicious activity shall be reviewed on an ongoing basis and a suspicious activity report shall be filed within 120 days of the last filing describing continuing activity.
(f) No licensee shall structure transactions, or assist in the structuring of transactions, to evade reporting requirements under this Part.
(g) No licensee shall engage in, facilitate, or knowingly allow the transfer or transmission of virtual currency when such action will obfuscate or conceal the identity of an individual customer or counterparty. Nothing in this section, however, shall be construed to require a licensee to make available to the general public the fact or nature of the movement of virtual currency by individual customers or counterparties.
(h) Each licensee shall also maintain, as part of its anti-money laundering program, a customer identification program.
(1) Identification and verification of account holders. When opening an account for, or establishing a service relationship with, a customer, each licensee must, at a minimum, verify the customer’s identity, to the extent reasonable and practicable, maintain records of the information used to verify such identity, including name, physical address, and other identifying information, and check customers against the Specially Designated Nationals (“SDNs”) list maintained by the Office of Foreign Asset Control (“OFAC”), a part of the U.S. Treasury Department. Enhanced due diligence may be required based on additional factors, such as for high risk customers, high-volume accounts, or accounts on which a suspicious activity report has been filed.
(2) Enhanced due diligence for accounts involving foreign entities. licensees that maintain accounts for non-U.S. persons and non-U.S. licensees must establish enhanced due diligence policies, procedures, and controls to detect money laundering, including assessing the risk presented by such accounts based on the nature of the foreign business, the type and purpose of the activity, and the anti-money laundering and supervisory regime of the foreign jurisdiction.
(3) Prohibition on accounts with foreign shell entities. licensees are prohibited from maintaining relationships of any type in connection with their virtual currency business activity with entities that do not have a physical presence in any country.
(4) Identification required for large transactions. Each licensee must require verification of the identity of any accountholder initiating a transaction with a value greater than $3,000.
(i) Each licensee shall demonstrate that it has risk-based policies, procedures, and practices to ensure, to the maximum extent practicable, compliance with applicable regulations issued by OFAC.
(j) Each licensee shall have in place appropriate policies and procedures to block or reject specific or impermissible transactions that violate Federal or State laws, rules, or regulations.
(k) The individual or individuals designated by the licensee, pursuant to paragraph (c)(3) of this section, shall be responsible for day-to-day operations of the anti-money laundering program and shall, at a minimum:
(1) monitor changes in anti-money laundering laws, including updated OFAC and SDN lists, and update the program accordingly;
(2) maintain all records required to be maintained under this section;
(3) review all filings required under this section before submission;
(4) escalate matters to the board of directors, senior management, or appropriate governing body and seek outside counsel, as appropriate;
(5) provide periodic reporting, at least annually, to the board of directors, senior management, or appropriate governing body; and
(6) ensure compliance with relevant training requirements.
23 CRR-NY 200.15
Current through December 15, 2019
End of Document© 2020 Thomson Reuters. No claim to original U.S. Government Works.