Money Transmitter Compliance Checklist for Crypto Exchanges, Remittance and Web3 Platforms
Launching a crypto exchange, remittance application or Web3 NFT marketplace that requires federal and state money transmitter licenses (“MTL”) is a complex undertaking.
Careful legal and business planning is key for developing a practical product launch roadmap. State money transmitter regulators have rigid compliance and IT checkboxes that companies must satisfy to qualify for state licenses.
Below is a compliance framework that companies can use as a reference when developing a crypto exchange, remittance platform or NFT marketplace and taking it through the states’ MTL application process and state audits.
Companies applying for MTLs must also be prepared to provide third-party assessments and audits of relevant computer systems.
- Has applicant implemented a comprehensive, enterprise-wide, disaster recovery / business continuity program (DR/BCP) for operating a cryptocurrency exchange or digital asset payments platform? If yes, does the DR/BCP contain:
- Defined roles & responsibilities?
- Written recovery procedures?
- Does applicant obtain a Service Organizational Control (SOC) 1 or similar audit?
- Does applicant obtain a SOC 2 or similar audit?
- Business impact analysis?
- Offsite storage provisions?
- Testing requirements, including documentation of lessons learned from DR/BCP tests?
- Does applicant have an incident response plan?
As part of its cybersecurity program, each covered entity (crypto exchanges, payment and NFT platforms) may need to establish a written incident response plan designed to promptly respond to, and recover from, any cyber event materially affecting the confidentiality and integrity of the covered entity’s business operations.
If a covered entity has an incident response plan, does the plan provide for:
- Assessing the nature & scope of the incident, including documenting any systems containing customer information that may have been compromised?
- Containing & controlling the incident to prevent further compromise?
- Contacting appropriate law enforcement and regulatory representatives?
- Preserving records and other evidence?
- Customer notification?
- Periodic employee awareness training?
- Has applicant implemented an internal audit program? If yes, does the scope of the internal audit program include:
- Network security?
- General IT-related controls?
- Penetration testing?
- Application development policies & procedures?
- Disaster recovery / business continuity planning?
- Information security program?
- Compliance with applicable safeguarding customer information regulations?
For example, a cryptocurrency exchange or payment platform should have a cybersecurity program that includes continuous monitoring or periodic penetration testing and vulnerability assessments.
Furthermore, cryptocurrency platforms, including NFT platforms, should conduct annual penetration testing of their information systems based on relevant identified risks in the cryptocurrency and NFT industries.
- Has applicant implemented an information security program (ISP) to protect non-public information?
- Written policies & procedures?
- Employee training?
- Security at both the applicant and, if applicable, significant service providers?
- Logical & physical security considerations?
- Provisions for testing the effectiveness of key controls through some type of audit, test, review, etc.?
- Provisions for adjusting the program?
- Has applicant implemented an ISP with respect to its application server infrastructure and controls? If yes, does the ISP include:
- Security check of any internal application servers on which customer information or critical data is stored, processed, or transmitted?
- Does the security check test for internal application servers’ vulnerabilities?
- Does the security check for internal application servers validate appropriate access controls?
- Does the security check for internal application servers provide for penetration testing?
- Has applicant implemented an ISP with respect to its cryptocurrency (NFT) wallet infrastructure and controls? If yes, does the ISP include:
- Security over the virtual and physical infrastructure in which virtual currency is kept for the applicant and customers?
- Do virtual controls include passwords, encryption, and split keys?
- Are private keys ever stored unencrypted?
- Does the applicant develop or support custom software that is used for conducting daily business activities? If yes, are development/support activities:
- Based on written policies & procedures?
- Properly segregated? (e.g. development from production, documentation, production release controls, and pre-release testing.)
- Based on secure program coding practices that meet industry standards?
- Based on an assessment of the applicant’s system and application development methodology?
- Subject to independent review and testing to ensure there are no security and integrity issues prior to migration to a production environment?
- Has applicant developed an Anti-Money Laundering (AML)/Bank Secrecy Act (BSA) Policy? Note, many states require companies to complete an independent review of their BSA-AML program. Each licensee is required to have risk-based policies, procedures and practices to ensure that its transactions comply with OFAC requirements and adequately protect consumers. Furthermore, applicants must have a Transaction Screening and Filtering Program.
Guiding Clients Through MTL Application Procedures in Every State
Dilendorf Law Firm assists clients with obtaining and maintaining Money Transmitter Licenses (MTLs) – the state and federal licenses required to operate as a Money Services Business (MSB).
We regularly represent the following types of use-cases in connection with MTL projects:
- cryptocurrency exchanges
- banking as a service (BaaS) for crypto and digital payment applications
- digital payment platforms and apps
- stablecoin issuers and payment systems
- cross-border payment and remittance solutions facilitating payments between US, Mexico, Middle East, India, European and African countries (Tanzania, Kenya, Uganda, Rwanda, Ghana and South Africa)
- DeFi platforms switching to CeFi models
- Metaverse businesses and payment processors
- play-to-earn game operators
- liquidity pool providers
- OTC desks
Our lawyers advise and assist clients throughout the MTL application process, including the following steps:
- Developing an MTL strategy nation-wide for traditional businesses and cryptocurrency trading platforms and exchanges
- Selecting and establishing optimal corporate and tax business structures supporting US and cross-border payments and remittances
- Preparing a business plan, summary of historical and current operations, financial statements, affidavits and other required documentation
- Submitting applications in individual states
- Acquiring mandatory surety bonds
- Completing FinCEN registration
- Accomplishing necessary corporate actions, including local qualification of out-of-state companies, provision of registered agents, drafting/amending corporate governance documents
- Developing anti-money-laundering (AML) and other compliance programs
- Representing clients in communications with the federal and state agencies
- 50-State Survey: Money Transmitter Licensing Requirements
- Definition of Money Transmitter (Merchant Payment Processor) – FinCEN
- Enforcement Actions for Failure to Register as a Money Services Business – FinCEN
- FinCEN Guidance, FIN-2019-G001 – FinCEN
- Money Services Business (MSB) Registration – FinCEN
- FAQs: Virtual Currency Business | Department of Financial Services
- Treasury’s Work to Support Money Transmitters
- State of State Money Services Business Regulation & Supervision
Stablecoins Federal Guidelines
- Summary of Stablecoin TRUST Act of 2022
- Full Text of Stablecoin TRUST Act of 2022
- Congressional Report: Algorithmic Stablecoins and the TerraUSD Crash
- Stablecoins: How Do They Work, How Are They Used, and What Are Their Risks?
- Runs on Algorithmic Stablecoins: Evidence from Iron, Titan, and Steel
- Digital Assets and the Future of Finance: The President’s Working Group on Financial Markets’ Report on Stablecoins
- Stablecoins: Growth Potential and Impact on Banking
- President’s Working Group Report on Stablecoins
- Application for a License to Engage in the Money Transmission Business
- State of California Money Transmitter Laws
- State of California – Application for a License to Engage in the Money Transmission Business
- Money – Transmitter | Frequently Asked Questions
- OFR-560-01 – Application to Register as a Money Services Business
- OFR-560-02 – Location Notification Form
- OFR-560-03 – Declaration of Intent to Engage in Deferred Presentment Transactions
- OFR-560-04 – Money Services Business Quarterly Report Form
- OFR-560-05 – Pledge Agreement
- OFR-560-06 – Money Services Business Surety Bond Form
- OFR-560-07 – Security Device Calculation Form
- Chapter 560, Florida Statutes – Money Services Businesses
- Rule 69V-560, Florida Administrative Code – Money Transmitters
- Form OFR-560-09 – Disciplinary Guidelines for Money Services Businesses
- Security Device Calculation Form