Money Transmitter Compliance Checklist for Crypto Exchanges, Remittance and Web3 Platforms

Launching a crypto exchange, remittance application or Web3 NFT marketplace that requires federal and state money transmitter licenses (“MTL”) is a complex undertaking.

Careful legal and business planning is key for developing a practical product launch roadmap.  State money transmitter regulators have rigid compliance and IT checkboxes that companies must satisfy to qualify for state licenses.

Below is the compliance framework that companies could use as the reference when developing a crypto exchange, remittance platform or NFT marketplace and taking it through states’ MTL application process and state audits.

Companies applying for MTLs must also be prepared to provide third-party assessments and audits of relevant computer systems.

1. Has applicant implemented a comprehensive, enterprise-wide, disaster recovery / business continuity program (DR/BCP) for operating a cryptocurrency exchange or digital asset payments platform? If yes, does the DR/BCP contain:
   • Defined roles & responsibilities?
   • Written recovery procedures?
   • Does applicant obtain a Service
   • Organizational Control (SOC) 1 or similar audit?
   • Does applicant obtain a SOC 2 or similar audit?
   • Business impact analysis?
   • Offsite storage provisions?
   • Testing requirements, including documentation of lessons learned from DR/BCP tests?

2. Does applicant have an incident response plan?

As part of its cybersecurity program, each covered entity (crypto exchanges, payment and NFT platforms) may need to establish a written incident response plan designed to promptly respond to from any cyber event materially affecting the confidentiality and integrity of the covered entity’s business operations.

If a covered entity has an incident response plan, does the plan provide for:

2. • Assessing the nature & scope of the incident, including documenting any systems containing customer information that may have been compromised?
   • Containing & controlling the incident to prevent further compromise?
   • Contacting appropriate law enforcement and regulatory representatives?
   • Preserving records and other evidence?
   • Customer notification?
   • Periodic employee awareness training?

3. Has applicant implemented an internal audit program. If yes, does the scope of internal audit program include:
   • Network security?
   • General IT-related controls?
   • Penetration testing?
   • Application development policies & procedures?
   • Disaster recovery / business continuity planning?
   • Information security program?
   • Compliance with applicable safeguarding customer information regulations?

For example, a cryptocurrency exchange or payment platform should have a cybersecurity program that includes continuous monitoring or periodic penetration testing and vulnerability assessments.

Furthermore, cryptocurrency platforms, including NFT platforms should conduct annual penetration testing of its information systems based on relevant identified risks in the cryptocurrency and NFT industries.

4. Has applicant implemented an information security program (ISP) to protect non-public information?
   • Written policies & procedures?
   • Employee training?
   • Monitoring?
   • Security at both the applicant and, if applicable, significant service providers?
   • Logical & physical security considerations?
   • Provisions for testing the effectiveness of key controls through some type of audit, test, review, etc.?
   • Provisions for adjusting the program?

5. Has applicant implemented an ISP with respect to its application server infrastructure and controls? If yes, does the ISP include:
   • Security check of any internal application servers which contain customer information or critical data is stored, processed, or transmitted?
   • Does the security check test for internal application servers’ vulnerabilities?
   • Does the security check test for internal application servers validating appropriate access controls?
   • Does the security check test for internal application servers provide for penetration testing?

6. Has applicant implemented an ISP with respect to its cryptocurrency (NFT) wallet infrastructure and controls? If yes, does the ISP include:
   • Security over the virtual and physical Infrastructure in which virtual currency is kept for the applicant and customers?
   • Do virtual controls include passwords, encryption, and split keys?
   • Are private keys ever stored unencrypted?

7. Does the applicant develop or support custom software that is used for conducting daily business activities? If yes, are development/support activities:
   • Based on written policies & procedures?
   • Properly segregated? (e.g. development from production, documentation, production release controls, and pre-release testing.)
   • Based on secure program coding practices that meet industry standards?
   • Based on an assessment of the applicant’s system and application development methodology?
   • Subject to independent review and testing to ensure there are no security and integrity issues prior to migration to a production environment?

8. Has applicant developed Anti-Money Laundering (AML)/Bank Secrecy Act (BSA) Policy. Note, many states require companies to complete an independent review of their BSA-AML program. Each licensee is required to have risk-based policies, procedures and practices to ensure that its transactions comply with OFAC requirements and adequately protect consumers. Furthermore, applicants must have a Transaction Screening and Filtering Program.

Guiding Clients Through MTL Application Procedures in Every State

Dilendorf law Firm assists clients with obtaining and maintaining Money Transmitter Licenses (MTLs) – the state and federal licenses required to operate as a Money Services Business (MSB).

We regularly represent the following types of use-cases in connection with MTL projects:

• cryptocurrency exchanges
• banking as a service (Baas) for crypto and digital payment applications
• digital payment platforms and apps
• stablecoin issuers and payment systems
• cross-border payment and remittance solutions facilitating payments between US, Mexico, Middle East, India, European and African Countries (Tanzania, Kenya, Uganda, Rwanda, Ghana and South Africa)DeFI platforms switching to CeFI models
• Metaverse businesses and payment processors
• play-to-earn game operators
• liquidity pool providers
• OTC desks

Our lawyers advise and assist clients throughout the MTL application process, including the following steps:

• Developing an MTL strategy nation-wide for traditional businesses and cryptocurrency trading platforms and exchanges
• Selecting and establishing optimal corporate and tax business structures supporting US and cross-border payments and remittances
• Preparing a business plan, summary of historical and current operations, financial statements, affidavits and other required documentation
• Submitting applications in individual states
• Acquiring mandatory surety bonds
• Completing FinCEN registration
• Accomplishing necessary corporate actions, including local qualification of out-of-state companies, provision of registered agents, drafting/amending corporate governance documents
• Developing anti-money-laundering (AML) and other compliance programs
• Representing clients in communications with the federal and state agencies

Resources:

Federal

• 50-State Survey: Money Transmitter Licensing Requirements
• Definition of Money Transmitter (Merchant Payment Processor) – FinCEN
• Enforcement Actions for Failure to Register as a Money Services Business – FinCEN
• FinCEN Guidance, FIN-2019-G001 – FinCEN
• Money Services Business (MSB) Registration – FinCEN
• FAQs: Virtual Currency Business | Department of Financial Services
• Treasury’s Work to Support Money Transmitters
• State of State Money Services Business Regulation & Supervision

Stablecoins Federal Guidelines

• Summary of Stablecoin TRUST Act of 2022
• Full Text of Stablecoin TRUST Act of 2022
• Congressional Report: Algorithmic Stablecoins and the TerraUSD Crash
• Stablecoins: How Do They Work, How Are They Used, and What Are Their Risks?
• Runs on Algorithmic Stablecoins: Evidence from Iron, Titan, and Steel
• Digital Assets and the Future of Finance: The President’s Working Group on Financial Markets’ Report on Stablecoins
• Stablecoins: Growth Potential and Impact on Banking
• President’s Working Group Report on Stablecoins

New York

• Money Transmitter Application Resources – NYSDFS
• Using a Licensed Money Transmitter – NYSDFS

California

• Application for a License to Engage in the Money Transmission Business
• State of California Money Transmitter Laws
• State of California – Application for a License to Engage in the Money Transmission Business
• Money – Transmitter | Frequently Asked Questions

Florida

• OFR-560-01 – Application to Register as a Money Services Business
• OFR-560-02 – Location Notification Form
• OFR-560-03 – Declaration of Intent to Engage in Deferred Presentment Transactions
• OFR-560-04 – Money Services Business Quarterly Report Form
• OFR-560-05 – Pledge Agreement
• OFR-560-06 – Money Services Business Surety Bond Form
• OFR-560-07 – Security Device Calculation Form
• Chapter 560, Florida Statutes – Money Services Businesses
• Rule 69V-560, Florida Administrative Code – Money Transmitters
• Form OFR-560-09 – Disciplinary Guidelines for Money Services Businesses
• Security Device Calculation Form