MTL Security Best Practices for Payment Platforms and Cryptocurrency Exchanges
Today, crypto assets and related payment platforms are increasingly adopted to store, secure, and transmit massive amounts of monetary value worldwide, making them primary targets for cybersecurity breaches.
Media headlines chronicle major cybersecurity hacks such as breaches at Mt. Gox, Shapeshift, Bitfinix, Poloniex, QuadrigaCX, and Bithumb. These breaches resulted in more than $4 billion stolen in cryptocurrencies from centralized exchanges between 2011 and 2017. In comparison, the DeFi sector has lost about $284.9 million to hacks and other exploit attacks since 2019.
To address the cybersecurity issues plaguing the industry, authorities have issued regulations on both centralized and decentralized payment platforms that facilitate “money transmission.”
If classified as a money services business (MSB), the exchange would be engaged in a regulated activity under both federal and state laws; and must adhere to certain requirements such as obtaining a money transmitter license (MTL) and implementing a comprehensive cybersecurity program.
As such, cybersecurity breaches in the online payment industry are likely a result of payment platforms either not following these regulations or lacking proper cybersecurity hygiene.
Federal and State Regulation
Under the federal Bank Secrecy Act (BSA), MSBs are required to register with the Financial Crimes Enforcement Network (FinCEN) and fulfill certain requirements such as developing an AML program and a cybersecurity policy.
Under state law, MSBs are required to obtain a MTL in every state where they either receive funds from, or send funds to, a resident of that state, whether an individual or a commercial entity. Each state adopts their own approach to combatting cybersecurity attacks on payment platforms.
For example, New York, Washington, and Texas have imposed strict compliance regimes that frustrate developers of these exchanges. Meanwhile, states like Wyoming are recognized for fostering innovative freedom in the virtual currency industry.
As such, when applying for an MTL, it is important to understand the spectrum of requirements across all 50 states with greater attention on the strict regulation states.
This article aims to educate anyone who is thinking of operating a payment platform in the U.S. on what minimum standards must be in place before applying for an MTL.
NEW YORK AS THE GOLD STANDARD FOR MTL APPLICATIONS
To apply for a license in New York, applicants must submit a host of financial and background information, including:
Given such burdensome requirements, payment facilitators should carefully consider whether they want to take on the responsibilities and compliance requirements of expanding their exchange in the U.S.
CYBERSECURITY REQUIREMENTS FOR FINANCIAL SERVICES COMPANIES
The New York State Department of Financial Services (NYDFS) passed a regulation, effective March 1, 2017, that is designed to promote the protection of customer information as well as the information technology systems of regulated entities.
DFS concluded that there were five principles that the regulation must comprise: (1) establishment of a cybersecurity program, (2) adoption of a security policy and procedure, (3) role of Chief Information Security Officer (CISO), (4) monitoring third-party service providers, and (5) additional items relating to security best practice.
A. GOVERNANCE REQUIREMENTS
First, under the governance requirements, covered entities are required to maintain a cybersecurity program that reflects a risk-based approach.
Risk assessment programs are designed to conform to cybersecurity functions such as assessing internal and external risks, using defensive infrastructure, detecting breaches or attempts, mitigating its effects, recovering and restoring normal operations, and fulfilling compliance obligations.
Programs must include “a written incident response plan designed to promptly respond to, and recover from, any [c]ybersecurity [e]vent that materially affecting the confidentiality, integrity or availability of the [c]overed [e]ntity’s [i]nformation [s]ystems or the continuing functionality of any aspect of the [c]overed [e]ntity’s business or operations.”
Covered entities are required to implement and maintain a written cybersecurity policy that is approved by either a Senior Officer, the board of directors, or an equivalent governing body.
The policy must adequately state the methods used to store and protect Information Systems and Nonpublic Information and must be based on a Risk Assessment and a reasonable consideration of the following 14 elements:
Covered entities are also required to designate a qualified individual, known as the Chief Information Security Officer (CISO), responsible for implementing and maintaining the program and enforcing the policy.
The CISO is responsible for writing annual reports about the cybersecurity program and material cyber risks to either the board of directors, an equivalent governing body, or senior officer of the covered entity.
Additionally, the covered entity is tasked with hiring qualified cybersecurity personnel to assess cybersecurity risks and provide proper training to employees.
Third-Party Service Providers
Covered entities must evaluate cybersecurity procedures and policies of its third-party service providers not already covered by the requirements and implement separate procedures and policies.
This requirement means that contract provisions should be drafted that permit covered entities to assess the cybersecurity programs of its third-party service providers.
Such provisions should also allow covered entities to implement appropriate cybersecurity programs that will protect non-public information and information systems, establish notification and remediation procedures in the event of a cybersecurity breach, and determine which entity will pay for the costs of the breach.
B. TECHNICAL REQUIREMENTS
Next, under the technical requirements, covered entities are required to use effective controls that protect against unauthorized access to Information Systems and Nonpublic Information.
Transaction Monitoring Threshold
For example, in a standard BSA/AML Policy, U.S. cryptocurrency exchanges take conservative approaches to monitor users’ transactions. This is usually accomplished by setting a low-dollar monitoring threshold. In the U.S., a typical minimum dollar transaction threshold for a cryptocurrency exchange ranges from $10,000 to $50,000 per transaction.
When a breach is detected, covered entities must promptly notify the DFS superintendent within 72 hours of a determination that a cybersecurity event occurred.
Covered entities are required to conduct continuous monitoring and testing, such as annual penetration testing, or “bi-annual vulnerability assessments” to keep its program current.
Independent Audit Reviews
In theory, payment platforms are not supposed to touch user funds until they are properly regulated; meaning, they have licenses, proper cybersecurity in place, and have gone through all the required auditing.
Meaning, if someone decides to launch an online payment platform, they will need to go through full independent audits and show that their systems are safe for users to use.
TEXAS AUDIT STANDARD
Texas requires MTL applicants to submit an Information Technology Questionnaire. The Questionnaire requires in part:
- Implementation of a comprehensive, enterprise-wide, disaster recovery / business continuity program (DR/BCP)
- Incident Response Plan
- Internal and External Audit Program
- Information Security Program (ISP) to protect non-public information
- ISP with respect to its: application server infrastructure and controls; website and associated web application security; Virtual Currency wallet infrastructure and controls
- Disclosure of Reliance on Delegates or Offices to Conduct Business Activities
- Disclosure of Development/Support Activities
Given that Texas is the only state that requires such an extensive auditing process for MTL applicants, it is arguably the most difficult state to get licensed in.
MITIGATING RISK OF CYBERSECURITY BREACHES
FinCEN issued an advisory to assist financial institutions (FIs) in understanding their BSA obligations regarding cybersecurity.
- SAR Reporting of Cyber-Events:
A FI is required to report suspicious transactions that involve or aggregate to $5,000 or more in funds or other assets.
The following example illustrates a situation in which SAR reporting of cyber-events is mandatory:
In this case, the FI must file a SAR to report the wire transfer because it was unauthorized and meets the filing threshold; and it must report the DDoS attack because it was perpetrated to conceal the unauthorized wire transfer.
- Including Cyber-Related Information in SAR Reporting:
FIs are required to file complete and accurate reports that incorporate all relevant information available, including cyber-related information.
Cyber-related information includes, but is not limited to, IP addresses with timestamps, virtual-wallet information, device identifiers, and cyber-event information.
- Collaboration between BSA/AML and Cybersecurity Units:
FIs are encouraged to internally share relevant information with BSA/AML staff, cybersecurity personnel, fraud prevention teams, and other potentially affected units.
Information provided by cybersecurity units could reveal additional patterns of suspicious behavior and identify suspects not previously known to BSA/AML units.
Co-Author: Laina Dowd (Suffolk University JD Candidate ’23)
 Crypto Exchange: Hacks in Review, Cointelegraph, https://cointelegraph.com/ magazine/crypto-exchange-hacks/ [https://perma.cc/K7ET-U7WK]; Erik Voorhees, Looting of the Fox: The Story of Sabotage at ShapeShift, Bitcoin.com (2016), https://news. bitcoin.com/looting-fox-sabotage-shapeshift/ [https://perma.cc/U5Z5-HP4R]; Tim Copeland, The Complete Story of the QuadrigaCZ $ 190 Million Scandal, Decrypt (2019), https://decrypt.co/5853/complete-story-quadrigacx-190-million [https://perma.cc/X883-AJ8P].
 Osato Avan-Nomayo, DeFi Hacks and Exploits Total $285M Since 2019, Messari Reports, Cointelegraph (2021), https://cointelegraph.com/news/defi-hacks-and-exploits-total-285m-since-2019-messari-reports.
 NEW YORK STATE DEPARTMENT OF FINANCIAL SERVICES, 23 NYCRR 500, 500.02(2)-(6),https://www.governor.ny.gov/sites/default/files/atoms/files/Cybersecurity_Requirements_Financial_Services_23NYCRR500.pdf.
 Id. § 500.03(a)-(n).
 Id. § 500.04(a).
 Id. § 500.04(b).
 Id. § 500.17(a).
 Id. § 500.05(a)-(b)
Other ResourcesALL ARTICLES
Our Founding Partner
Max Dilendorf, throughout his 17-year career, has been catering to corporate and individual needs. He will always find the best solution. He will always have an interest and dedication to your needs.Learn More
Adam is one of the nation’s leading young whistleblower lawyers. He brings with him a special ability not just to litigate, but to investigate – and understand – complex organizations and transactions. His extensive familiarity with tech issues is built on a computer science degree and work as a ...Learn More
Bari Zahn, Esq.
Bari Zahn has nearly 20 years of experience practicing at global law firms in New York. Bari has represented a broad array of multinational clients on U.S. and cross-border transactions. She has supervised legal teams worldwide and has extensive management experience as the Founder, former CEO and General ...Learn More
Steve contributes extensive business and problem-solving experience to challenges that may require litigation – or may help avoid it. Indeed, his perspective on litigation is influenced by his experience as a three-time internet start-up CEO.
Steve served on Ronald Reagan’s 1980 presidential campaign ...Learn More
Pamela A. Fuller, Esq.
Pamela A. Fuller is a corporate and international tax attorney, with over two decades of experience. She advises a wide range of clients–including private and public companies, joint ventures, private equity and hedge funds, C-Suite executives, private U.S and foreign individual clients, and government ...Learn More
Ivanna has 7 years of law practice in Europe, namely in the field of corporate law, M&A transactions, banking and finance. As a senior associate, she advised local, EU, US and multinational clients with respect to their business activities in Ukraine.
Particularly, Ivanna, together with junior associates ...Learn More
Robin Gerofsky Kaptzan, Esq.
A New York licensed attorney with three decades of legal and business experience in the U.S. and Asia, Robin recently joined the law firm as a partner and leads the Asia-Pacific practice.
While acting as an international business lawyer and global corporate general counsel, Robin is sought out by clients ...Learn More
Julia joined Dilendorf Law Firm in 2021. She handles all aspects of firm administration while providing paralegal support and litigation management. Julia also has a broad base of knowledge in human resources and communications.
Prior to joining Dilendorf team, Julia worked as an administrative assistant ...Learn More
Craig S. Redler
Craig S. Redler has held positions with Amicorp in its offices in Auckland New Zealand and Miami Florida, and Southpac Trust International, Inc. with offices in the Cook Islands and Tauranga New Zealand. His responsibilities included serving as Trustee for off-shore trusts settled by high net-worth clients ...Learn More
Sharon Kaye Mauer, Esq.
Sharon Kaye Mauer’s practice focuses trusts and estates and corporate law.
Sharon has practiced law for twenty year. She helps navigate her clients through various aspects of estate planning, such as wills, trusts, probate and administration, powers of attorney, and health care proxies and ...Learn More