MTL Security Best Practices for Payment Platforms and Cryptocurrency Exchanges
Today, crypto assets and related payment platforms are increasingly adopted to store, secure, and transmit massive amounts of monetary value worldwide, making them primary targets for cybersecurity breaches.
Media headlines chronicle major cybersecurity hacks such as breaches at Mt. Gox, ShapeShift, Bitfinex, Poloniex, QuadrigaCX, and Bithumb. These breaches resulted in more than $4 billion stolen in cryptocurrencies from centralized exchanges between 2011 and 2017.[1] In comparison, the DeFi sector has lost about $284.9 million to hacks and other exploit attacks since 2019.[2]
To address the cybersecurity issues plaguing the industry, authorities have issued regulations on both centralized and decentralized payment platforms that facilitate “money transmission.”
If classified as a money services business (MSB), the exchange is engaged in a regulated activity under both federal and state laws and must adhere to certain requirements, such as obtaining a money transmitter license (MTL) and implementing a comprehensive cybersecurity program.
As such, cybersecurity breaches in the online payment industry are likely the result of payment platforms either not following these regulations or lacking proper cybersecurity hygiene.
Federal and State Regulation
Under the federal Bank Secrecy Act (BSA), MSBs are required to register with the Financial Crimes Enforcement Network (FinCEN) and fulfill certain requirements such as developing an AML program and a cybersecurity policy.
Under state law, MSBs are required to obtain an MTL in every state where they either receive funds from, or send funds to, a resident of that state, whether an individual or a commercial entity. Each state adopts its own approach to combating cybersecurity attacks on payment platforms.
For example, New York, Washington, and Texas have imposed strict compliance regimes that frustrate developers of these exchanges. Meanwhile, states like Wyoming are recognized for fostering innovative freedom in the virtual currency industry.
As such, when applying for an MTL, it is important to understand the spectrum of requirements across all 50 states with greater attention on the strict regulation states.
This article aims to educate anyone who is thinking of operating a payment platform in the U.S. on what minimum standards must be in place before applying for an MTL.
NEW YORK AS THE GOLD STANDARD FOR MTL APPLICATIONS
To apply for a license in New York, applicants must submit a host of financial and background information, including:
Given such burdensome requirements, payment facilitators should carefully consider whether they want to take on the responsibilities and compliance requirements of expanding their exchange in the U.S.
CYBERSECURITY REQUIREMENTS FOR FINANCIAL SERVICES COMPANIES
The New York State Department of Financial Services (NYDFS) passed a regulation, effective March 1, 2017, that is designed to promote the protection of customer information as well as the information technology systems of regulated entities.
DFS concluded that there were five principles that the regulation must comprise: (1) establishment of a cybersecurity program, (2) adoption of a security policy and procedure, (3) role of Chief Information Security Officer (CISO), (4) monitoring third-party service providers, and (5) additional items relating to security best practice.
A. GOVERNANCE REQUIREMENTS
First, under the governance requirements, covered entities are required to maintain a cybersecurity program that reflects a risk-based approach.
Risk Assessment
Risk assessment programs are designed to conform to cybersecurity functions such as assessing internal and external risks, using defensive infrastructure, detecting breaches or attempts, mitigating its effects, recovering and restoring normal operations, and fulfilling compliance obligations.[3]
Programs must include “a written incident response plan designed to promptly respond to, and recover from, any [c]ybersecurity [e]vent materially affecting the confidentiality, integrity or availability of the [c]overed [e]ntity’s [i]nformation [s]ystems or the continuing functionality of any aspect of the [c]overed [e]ntity’s business or operations.”[4]
Cybersecurity
Covered entities are required to implement and maintain a written cybersecurity policy that is approved by either a Senior Officer, the board of directors, or an equivalent governing body.[5]
The policy must adequately state the methods used to store and protect Information Systems and Nonpublic Information and must be based on a Risk Assessment and a reasonable consideration of the following 14 elements:
Cybersecurity Employees
Covered entities are also required to designate a qualified individual, known as the Chief Information Security Officer (CISO), responsible for implementing and maintaining the program and enforcing the policy.[7]
The CISO is responsible for writing annual reports about the cybersecurity program and material cyber risks to either the board of directors, an equivalent governing body, or senior officer of the covered entity.[8]
Additionally, the covered entity is tasked with hiring qualified cybersecurity personnel to assess cybersecurity risks and provide proper training to employees.[9]
Third-Party Service Providers
Covered entities must evaluate the cybersecurity procedures and policies of their third-party service providers not already covered by the requirements and implement separate procedures and policies.[10]
This requirement means that contract provisions should be drafted that permit covered entities to assess the cybersecurity programs of their third-party service providers.
Such provisions should also allow covered entities to implement appropriate cybersecurity programs that will protect non-public information and information systems, establish notification and remediation procedures in the event of a cybersecurity breach, and determine which entity will pay for the costs of the breach.[11]
B. TECHNICAL REQUIREMENTS
Next, under the technical requirements, covered entities are required to use effective controls that protect against unauthorized access to Information Systems and Nonpublic Information.
Transaction Monitoring Threshold
For example, in a standard BSA/AML Policy, U.S. cryptocurrency exchanges take conservative approaches to monitoring users’ transactions. This is usually accomplished by setting a low-dollar monitoring threshold. In the U.S., a typical minimum dollar transaction threshold for a cryptocurrency exchange ranges from $10,000 to $50,000 per transaction.
When a breach is detected, covered entities must promptly notify the DFS superintendent within 72 hours of a determination that a cybersecurity event occurred.[12]
Covered entities are required to conduct continuous monitoring and testing, such as annual penetration testing or “bi-annual vulnerability assessments,” to keep their program current.[13]
Independent Audit Reviews
In theory, payment platforms are not supposed to touch user funds until they are properly regulated, meaning they hold the required licenses, have proper cybersecurity in place, and have gone through all the required auditing.
In other words, anyone who decides to launch an online payment platform will need to go through full independent audits and show that their systems are safe for users to use.
TEXAS AUDIT STANDARD
Texas requires MTL applicants to submit an Information Technology Questionnaire. The Questionnaire requires in part:
- Implementation of a comprehensive, enterprise-wide, disaster recovery / business continuity program (DR/BCP)
- Incident Response Plan
- Internal and External Audit Program
- Information Security Program (ISP) to protect non-public information
- ISP with respect to its: application server infrastructure and controls; website and associated web application security; Virtual Currency wallet infrastructure and controls
- Disclosure of Reliance on Delegates or Offices to Conduct Business Activities
- Disclosure of Development/Support Activities
Given that Texas is the only state that requires such an extensive auditing process for MTL applicants, it is arguably the most difficult state to get licensed in.
MITIGATING RISK OF CYBERSECURITY BREACHES
FinCEN Advisory
FinCEN issued an advisory to assist financial institutions (FIs) in understanding their BSA obligations regarding cybersecurity.
- SAR Reporting of Cyber-Events:
An FI is required to report suspicious transactions that involve or aggregate to $5,000 or more in funds or other assets.
The following example illustrates a situation in which SAR reporting of cyber-events is mandatory:
In this case, the FI must file a SAR to report the wire transfer because it was unauthorized and meets the filing threshold; and it must report the DDoS attack because it was perpetrated to conceal the unauthorized wire transfer.
- Including Cyber-Related Information in SAR Reporting:
FIs are required to file complete and accurate reports that incorporate all relevant information available, including cyber-related information.
Cyber-related information includes, but is not limited to, IP addresses with timestamps, virtual-wallet information, device identifiers, and cyber-event information.
- Collaboration between BSA/AML and Cybersecurity Units:
FIs are encouraged to internally share relevant information with BSA/AML staff, cybersecurity personnel, fraud prevention teams, and other potentially affected units.
Information provided by cybersecurity units could reveal additional patterns of suspicious behavior and identify suspects not previously known to BSA/AML units.
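The following Python snippet is an added illustration, not part of the original article, of how the two monitoring rules discussed on this page fit together in code: the per-transaction dollar threshold from the Transaction Monitoring Threshold section, and the FinCEN rule that suspicious activity aggregating to $5,000 or more must be reported on a SAR, with the cyber-related fields (IP address with timestamp, device identifier, wallet) carried into the alert so they can be included in the report. The $10,000 per-transaction figure (the low end of the range the article cites), the 24-hour aggregation window, the `authorized` flag, all field and function names, and the sample transactions are assumptions constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Thresholds: SAR reporting applies to suspicious activity aggregating to $5,000 or
# more (from the FinCEN advisory); the per-transaction figure is an assumption at the
# low end of the $10,000-$50,000 range the article cites.
SAR_AGGREGATE_USD = 5_000.0
PER_TXN_THRESHOLD_USD = 10_000.0


@dataclass(frozen=True)
class Transaction:
    txn_id: str
    customer_id: str
    amount_usd: float
    timestamp: datetime
    src_ip: str          # cyber-related information to carry into the SAR
    device_id: str
    wallet: str
    authorized: bool     # constructed flag: False means the transfer was determined
                         # to be unauthorized (e.g. by the customer or security team)


@dataclass
class Alert:
    customer_id: str
    reason: str
    total_usd: float
    txn_ids: List[str]
    # (ISO timestamp, source IP, device id, wallet) per transaction, so the SAR can
    # include IP addresses with timestamps and device identifiers as FinCEN expects
    cyber_indicators: List[Tuple[str, str, str, str]]


def _indicator(t: Transaction) -> Tuple[str, str, str, str]:
    return (t.timestamp.isoformat(), t.src_ip, t.device_id, t.wallet)


def monitor(transactions: List[Transaction],
            window: timedelta = timedelta(hours=24),
            per_txn_threshold: float = PER_TXN_THRESHOLD_USD,
            sar_aggregate: float = SAR_AGGREGATE_USD) -> List[Alert]:
    """Apply both rules per customer and return the alerts raised."""
    by_customer: Dict[str, List[Transaction]] = {}
    for t in sorted(transactions, key=lambda x: x.timestamp):
        by_customer.setdefault(t.customer_id, []).append(t)

    alerts: List[Alert] = []
    for cid, txns in by_customer.items():
        # Rule 1: any single transaction at or above the monitoring threshold is
        # queued for review, whether or not it otherwise looks suspicious.
        for t in txns:
            if t.amount_usd >= per_txn_threshold:
                alerts.append(Alert(cid, "single-transaction threshold",
                                    t.amount_usd, [t.txn_id], [_indicator(t)]))

        # Rule 2: unauthorized transfers that aggregate to the SAR threshold inside a
        # rolling window raise one SAR alert, on the first crossing. A transfer that
        # falls outside the window drops out of the running total.
        suspicious = [t for t in txns if not t.authorized]
        start = 0
        for end, t in enumerate(suspicious):
            while suspicious[start].timestamp < t.timestamp - window:
                start += 1
            group = suspicious[start:end + 1]
            total = sum(g.amount_usd for g in group)
            if total >= sar_aggregate:
                alerts.append(Alert(cid, "SAR aggregate threshold", total,
                                    [g.txn_id for g in group],
                                    [_indicator(g) for g in group]))
                break
    return alerts


def sample_transactions() -> List[Transaction]:
    """Constructed sample data for the example; not real customer activity."""
    t0 = datetime(2021, 6, 1, 9, 0, 0)
    return [
        Transaction("t1", "cust-A", 12_000.0, t0, "198.51.100.7", "dev-a1", "wallet-A", True),
        Transaction("t2", "cust-A", 2_000.0, t0 + timedelta(hours=1), "203.0.113.9", "dev-x9", "wallet-Z", False),
        Transaction("t3", "cust-A", 1_500.0, t0 + timedelta(hours=2), "203.0.113.9", "dev-x9", "wallet-Z", False),
        Transaction("t4", "cust-A", 2_000.0, t0 + timedelta(hours=3), "203.0.113.9", "dev-x9", "wallet-Z", False),
        Transaction("t5", "cust-B", 3_000.0, t0 + timedelta(hours=1), "198.51.100.22", "dev-b1", "wallet-B", True),
        Transaction("t6", "cust-B", 1_000.0, t0 + timedelta(hours=5), "203.0.113.50", "dev-x3", "wallet-Y", False),
        Transaction("t7", "cust-B", 4_500.0, t0 + timedelta(days=3), "203.0.113.50", "dev-x3", "wallet-Y", False),
    ]


def run_sample() -> List[Alert]:
    return monitor(sample_transactions())


if __name__ == "__main__":
    for a in run_sample():
        print(a.customer_id, a.reason, a.total_usd, a.txn_ids)
```

On the constructed data, customer A raises two alerts: the $12,000 deposit trips the per-transaction rule, and three unauthorized transfers of $2,000, $1,500 and $2,000 within three hours aggregate to $5,500 and trip the SAR rule, with the shared IP and device identifier recorded for the report. Customer B raises none: the two unauthorized transfers fall three days apart, so the rolling window never sees them together, and neither reaches $5,000 on its own. Whether a transaction is "suspicious" is a determination the BSA/AML and cybersecurity units make together, which is why the example takes it as an input flag rather than inferring it.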
Co-Author: Laina Dowd (Suffolk University JD Candidate ’23)
References
[1] Crypto Exchange: Hacks in Review, Cointelegraph, https://cointelegraph.com/magazine/crypto-exchange-hacks/ [https://perma.cc/K7ET-U7WK]; Erik Voorhees, Looting of the Fox: The Story of Sabotage at ShapeShift, Bitcoin.com (2016), https://news.bitcoin.com/looting-fox-sabotage-shapeshift/ [https://perma.cc/U5Z5-HP4R]; Tim Copeland, The Complete Story of the QuadrigaCX $190 Million Scandal, Decrypt (2019), https://decrypt.co/5853/complete-story-quadrigacx-190-million [https://perma.cc/X883-AJ8P].
[2] Osato Avan-Nomayo, DeFi Hacks and Exploits Total $285M Since 2019, Messari Reports, Cointelegraph (2021), https://cointelegraph.com/news/defi-hacks-and-exploits-total-285m-since-2019-messari-reports.
[3] NEW YORK STATE DEPARTMENT OF FINANCIAL SERVICES, 23 NYCRR 500, 500.02(2)-(6), https://www.governor.ny.gov/sites/default/files/atoms/files/Cybersecurity_Requirements_Financial_Services_23NYCRR500.pdf.
[6] Id. § 500.03(a)-(n).
[7] Id. § 500.04(a).
[8] Id. § 500.04(b).
[11] Id.
[12] Id. § 500.17(a).
[13] Id. § 500.05(a)-(b).