Earlier this month, New York Attorney General Letitia James proposed the Crypto, Protection, Transparency, and Oversight Act (CRPTO Act) to regulate the crypto ecosystem. This sweeping legislation would take aim at the digital asset industry, which has seen many players face allegations of fraud and scandal, ranging from consumer fraud to enabling money laundering to promoting cybercrime and other criminal activity. New York makes this move in an uncertain federal regulatory environment, in which the SEC and CFTC have been engaged in a turf war to regulate crypto. The CRPTO Act is New York’s proposal to sidestep the debate over whether crypto should be regulated as a security or a commodity, instead treating it as its own asset class.
The result would be momentous for the cryptocurrency industry. The CRPTO Act broadly defines digital asset issuers, brokers, marketplaces, and investment advisors as covered entities, but also imposes certain obligations on digital asset customers and influencers, as discussed below. The proposed law is significant in terms of the breadth of new requirements. For example, the CRPTO Act contains new rules concerning capital requirements for digital asset issuers, and it broadly defines digital assets and treats them all as financial instruments even though there are a plethora of uses that are unrelated to speculative finance. If the CRPTO Act is signed into law as drafted, it would subject a wide range of digital asset activity to its requirements and would alter the regulatory landscape for digital assets in New York and beyond. While digital asset industry participants will want to understand the entire CRPTO Act if it is passed, four aspects are noteworthy:
1. Cybersecurity Compliance Requirements
The CRPTO Act would require covered entities to maintain cybersecurity programs in line with state and federal laws and regulations. In particular, the CRPTO Act appears to subject covered entities to regulation by the New York Department of Financial Services (NYDFS), which would likely require entities to comply with NYDFS’s cybersecurity regulation, codified at 21 NYCRR Part 500. Part 500 is highly prescriptive, requiring, among other things, that covered entities implement a robust cybersecurity policy; regular penetration tests and vulnerability assessments; governance controls; specific controls involving multifactor authentication, user-access privileges, secure application development, and encryption of sensitive nonpublic information at rest and in transit; and annual management compliance certifications. Part 500 has broad regulatory notification requirements, including that NYDFS be notified where a covered entity is required to report a data incident to any other regulator.
NYDFS is aggressive in investigating data incidents and enforcing compliance. So newly covered entities will need to promptly take steps to review their cybersecurity policies and controls and audit their systems in order to ensure that they conform to Part 500’s detailed requirements.
2. Managing Perceived Conflicts of Interest and Public Disclosure
In the wake of the collapse of the FTX cryptocurrency exchange—which has faced allegations regarding apparent conflicts of interest with the use of customer funds—the CRPTO Act imposes a broad range of new requirements on covered entities. Of significance, the new law would bar covered entities from wearing more than one hat. To that end, the CRPTO Act prohibits covered entities from operating as more than one of the following: issuer, broker, marketplace, or investment adviser. It expressly forbids companies and individuals that perform any of these functions from engaging in proprietary trading, which would align the digital asset rules with the Volcker Rule, a financial regulation that prohibits banks from investing with their own accounts. In addition, the proposed law contains broad registration and reporting requirements that expand the reach of existing financial laws imposed by New York. For example, digital asset issuers would have to publish prospectuses describing material information about the issuers and the digital assets they seek to issue. In addition, all covered entities conducting business from or in New York would need to file digital asset statements, and make publicly available independently audited annual and quarterly financial statements. After a covered entity files a digital asset statement, the company would have to follow 23 NYCRR § 200.13, which allows New York financial regulators to examine the company’s financial condition, business conduct, management policies, regulatory compliance, and other matters related to their digital asset business activity.
In short, the CRPTO Act will impose significant new compliance concerns for covered entities that operate in New York. Covered entities will need to ensure that their functions are properly limited and that they are prepared for inspections. Covered entities will also need to approach annual and quarterly financial statements (and required prospectuses related to the release of new digital assets) carefully, since prosecutors, regulators, and civil litigants can latch on to perceived misstatements and pursue action against the entity.
3. Customer-reporting obligations
In addition to new rules for covered entities, the CRPTO Act imposes novel reporting obligations on customers that may be victims of fraud. Specifically, once a customer is aware that their digital assets were subject to an unauthorized transaction (whether stolen, hacked, or induced through fraud), they must report the transaction within two days to cap their liability for the losses at the lesser of the amount of the transaction or $50, with the digital asset or broker covering the rest. If the consumer waits between 2 and 60 days to report the transaction, the customer-liability threshold increases to a maximum of $500, and if more than 60 days, the customer will be on the hook for any later transfers that the broker or adviser can show would not have happened had the customer timely notified them of the unauthorized transaction. In other words, the sooner a customer reports an unauthorized transaction, the lower the potential loss to the customer.
Rarely do financial laws place such stringent reporting requirements on customers. This approach represents a marked departure from the current liability regime within traditional finance, where institutions carry the primary liability for identifying and remediating potentially fraudulent activities. The proposed law presents a unique approach to encourage consumer fraud reporting, by shifting some liability to consumers. This likely reflects the New York Legislature’s view that prompt reporting will better position entities in the digital asset ecosystem to detect fraud and mitigate losses. Covered entities should expect to see increased reporting based on the incentives created by the law, and so digital asset brokers and investment advisers need to be prepared to receive, investigate, and respond to those reports to mitigate losses and their own liability, and to avoid scrutiny by regulatory authorities.
4. Influencer regulation
Since the ill-fated Fyre Festival in 2017—where celebrities and social media influencers promoted the event without disclosing that they had been paid to do so—regulators have been concerned about the role that social media influencers (who are frequently compensated without genuine connection or endorsement of a product) can play in exponentially magnifying the harmful effect of consumer fraud schemes. The FTX scandal has highlighted this issue again, as a number of celebrities are under fire for endorsing FTX. The CRPTO Act uses perceived consumer fraud threats surrounding digital assets as a hook to be the first law to regulate some of these promotional activities, by providing consumers with more transparency on digital assets. Specifically, the CRPTO Act bars digital asset influencers (defined as any person who widely promotes investment in a digital asset and receives compensation for their promotion, or who also owns or expects to own the digital asset) from engaging in promotional activities without disclosing their ownership interest in and compensation in connection with the digital asset. Covered individuals would have to file a digital asset influencer statement with New York for each digital asset they promote. In that statement, influencers would have to detail, among other things, their social media handles; wallet addresses; conflicts of interest involving their current and past holdings; prices paid for the digital assets; and their educational, business, and criminal backgrounds. Requiring influencers to disclose their wallet addresses may strongly deter would-be influencers, who may be wary of government authorities having insight into their cryptocurrency activities, since wallet addresses can reveal crypto transaction activity on public blockchains.
If the CRPTO Act is passed, covered entities may face increased challenges in finding celebrity or other social media personas that are willing to provide endorsements, and will have to consider the value of those endorsements in light of the associated required disclosures.
Although the CRPTO Act is not yet on the books, it signals increasing state interest in regulating the space. If passed, the CRPTO Act would have sweeping impact on digital asset companies and customers and would bring within the New York regulatory ambit a large swath of digital asset activity that is not covered by existing New York laws. More states would likely enter the fray. This may lead to a patchwork of legislation driven by states—unless and until Congress enacts legislation preempting state laws in this area. For now, industry participants should keep an eye out for new laws and regulations, from across the United States, and crypto entities intending to take advantage of the New York market will need to take steps to achieve and maintain compliance.