A model American state law for virtual currency businesses was approved last week by the National Conference of Commissioners of Uniform State Laws: “UNIFORM REGULATION OF VIRTUAL CURRENCY BUSINESSES ACT”.
I hope that this model law is not used as inspiration for regulatory efforts in Canada. This blog post explains why.
The law was made following written comments from Coinbase, Coin Center, Electronic Frontier Foundation, the Digital Chamber of Commerce, Entertainment Software Association, Ripple, and a California lawyer named Pamela Martinson. This is a very small subset of the people who could be affected by this law. That is a criticism that can be leveled against just about any regulatory consultation, but in the case of virtual currencies it's particularly important. Virtual currencies are a rapidly evolving industry/area of law. Rules that seemed appropriate five years ago wouldn't seem that way today, and five years from now I expect the landscape will be quite different. Caution and wide consultation should be the guiding principles for any regulatory reform effort.
Here are a few specific issues that I have with the model law:
Applications: Section 203 (pg. 9)
This section lays out 21 different items required for license applications. Item (4) assumes a very unrealistic type of server management:
“(4) the name, address, and telephone number of each person that manages each server the applicant expects to use in conducting its virtual currency business activity with or on behalf of residents and a copy of any agreement with that person;”
Presumably the model law is aimed at individuals who manage servers, but in almost every case this will be a hosting company. And in today's environment it will be multiple companies that provide various services such as DNS/DDoS protection (e.g. Cloudflare), hosting (e.g. AWS) and might include third-party APIs like block explorers (e.g. Etherscan). Any phone numbers provided for these companies will be useless as they won't respond to non-customer inquiries and could only provide general information about the company at best. The assembled agreements for these could be hundreds or thousands of pages of generic legalese that would not be of benefit to regulators.
If there actually was a specific individual who solely manages a server then it would be very unsafe for the person who is listed because they would be a major target for cybercriminals. No one would want their actual information provided so in effect the regulators will only ever receive proxy information like an LLC for the individual managing the server. None of this will help in identifying the key people involved, which I assume is the goal of this section. And if that's not the goal of this section, what's the point? For regulators to judge the expected (not actual) tech stack used by virtual currency companies? Will they have the expertise to be able to do this? I doubt it.
Subsection (12) of the law seems to also be aimed at identifying specific individuals for states to regulate.
“(12) the name, United States Post Office address, and email address of the registered agent of the applicant in this state”
This section requires a "registered agent" in each state. This will create a complicated burden for anyone attempting to build a multi-state business. It will be very difficult to hire, retain, and manage 50 state agents. Names change, addresses change, and email addresses change. Frequently.
Will having registered agents in each state really provide greater assurance for state regulators? Registered agents seem like a regulatory idea from the past that doesn't reflect today's globalized world. This rule is likely to just increase the barrier to entry and reduce competition in the virtual currency industry, especially because there's already a state-by-state surety bond/security guarantee.
Security Deposits: Section 206 (pg. 15)
Section 206(a) requires licensees to deposit "funds", "a letter of credit", or "a surety bond" that "secures the licensee’s faithful performance of its duties under this act". This will be an expensive requirement when applied across the country, as presumably securing performance in one state means securing performance across the company's entire business. How much will this cost? The model law is silent on this point but it does recognize that surety bonds may not be "generally available in the state at a commercially reasonable cost". This section leaves open the question of what counts as "commercially reasonable". Is that to be judged from the state regulator's perspective? Typical industry participant? The specific licensee? What about startups?
Subsection (e) allows regulators to demand additional security on 15 days' notice for "good cause". This could be very hard to arrange on such short notice, depending on the amount requested. I doubt that regulators will accept virtual currency payments, so the traditional banking system and its frequent delays will be involved. If multiple regulators make simultaneous demands for security (because they use common guidelines for what is "good cause") this could easily trigger insolvency for a virtual currency business that operates in many states, especially because these demands are most likely to be made during times of trouble.
Merger Control: Section 307 (pg. 30)
Section 307 sets out rules for merger control. Very few laws (at least in Canada) include merger control provisions and certainly not with the level of scrutiny that the model law entails. Subsection (e)(3) requires companies to "describe the terms and conditions of the merger or consolidation and the mode of carrying it into effect."
If the goal is to protect consumers, why not just require proof that the law will be followed (i.e. conditions of the license maintained)? Why would the regulator need to know the financial details of the merger? Just because something might possibly be of interest doesn't mean that a law should require it in every case.
A merged entity would ordinarily be just as concerned as the regulator about its ability to comply with the terms of the license, which presumably forms part of the value of the merger. I doubt many lawyers planning such a transaction would overlook this point and they're in a much better position to evaluate it than a state regulator.
Enforcement: Section 402 (pg. 32)
Section 402(3) lays out several grounds for enforcement actions including "an unsafe or unsound act or practice;". This language would make just about any practice reviewable since it goes beyond "unsafe" acts/practices to include "unsound" acts/practices (which by construction must be something more than "unsafe"). "Unsound" from whose perspective? Who will develop the guidelines to turn these vague words into rules that can be followed?
Disclosures: Section 501 (pg. 37)
This section contains a laundry list of disclosures that must be given to customers "to the extent applicable to the virtual currency business activity the licensee or registrant will undertake". It's very unlikely that this list will be what people five years from now consider to be the relevant factors for virtual currency dealings. Some of them don't even make sense with today's virtual currency -> virtual currency exchanges (e.g. Shapeshift). I suspect the drafters understood this problem and that's why they wrote "to the extent applicable".
Furthermore, some of these disclosure points are very unlikely to be understood by, or be meaningful to, the intended recipients. Subsection (9) includes a disclosure that "virtual currency is not legal tender". I doubt this statement would mean anything to 95% of potential customers who bothered to read the disclosure.
Why virtual currency? Are there really so many critical issues that states deserve such a complex statute? At least some states have decided that they don't. New Hampshire recently passed a law that specifically exempts virtual currency businesses from its MSB rules. Canada's Department of Finance has similarly taken a "wait-and-see" attitude by failing to create regulations that it has had the statutory authority to create since 2014.
Overly specific, premature, expensive regulation is not likely to lead to a successful virtual currency industry in North America. But it is likely to drive people to use offshore exchanges, as they currently do. The third largest virtual currency exchange, BitFinex, is based out of Hong Kong and has many US customers. Virtual currency is global and can easily be pushed out of North America through ill-considered regulation.
States deserve better laws than this model. I hope Canadian regulators think skeptically while reviewing it.