MTL Security Best Practices for Payment Platforms and Cryptocurrency Exchanges

July 21, 2022  |   By: Max Dilendorf, Esq.

Today, crypto assets and related payment platforms are increasingly adopted to store, secure, and transmit massive amounts of monetary value worldwide, making them primary targets for cybersecurity breaches.

Media headlines chronicle major cybersecurity hacks such as breaches at Mt. Gox, Shapeshift, Bitfinix, Poloniex, QuadrigaCX, and Bithumb. These breaches resulted in more than $4 billion stolen in cryptocurrencies from centralized exchanges between 2011 and 2017.[1] In comparison, the DeFi sector has lost about $284.9 million to hacks and other exploit attacks since 2019.[2]

To address the cybersecurity issues plaguing the industry, authorities have issued regulations on both centralized and decentralized payment platforms that facilitate “money transmission.”

If classified as a money services business (MSB), the exchange would be engaged in a regulated activity under both federal and state laws; and must adhere to certain requirements such as obtaining a money transmitter license (MTL) and implementing a comprehensive cybersecurity program.

As such, cybersecurity breaches in the online payment industry are likely a result of payment platforms either not following these regulations or lacking proper cybersecurity hygiene.

Federal and State Regulation

Under the federal Bank Secrecy Act (BSA), MSBs are required to register with the Financial Crimes Enforcement Network (FinCEN) and fulfill certain requirements such as developing an AML program and a cybersecurity policy.

Under state law, MSBs are required to obtain a MTL in every state where they either receive funds from, or send funds to, a resident of that state, whether an individual or a commercial entity. Each state adopts their own approach to combatting cybersecurity attacks on payment platforms.

For example, New York, Washington, and Texas have imposed strict compliance regimes that frustrate developers of these exchanges. Meanwhile, states like Wyoming are recognized for fostering innovative freedom in the virtual currency industry.

As such, when applying for an MTL, it is important to understand the spectrum of requirements across all 50 states with greater attention on the strict regulation states.

This article aims to educate anyone who is thinking of operating a payment platform in the U.S. on what minimum standards must be in place before applying for an MTL.


To apply for a license in New York, applicants must submit a host of financial and background information, including:

Two years of audited financial statements, FinCEN registration information, AML/BSA policies, management, and organizational charts, disclosure of executive officers, control persons, and direct and indirect owners (each of whom must submit credit reports and personal financial statements), a detailed business plan, a description of the services or transactions to be conducted in the state, as well as internal compliance policies and risk management programs on a range of topics including privacy, cybersecurity, consumer protection, anti-fraud, and internal complaints.

Given such burdensome requirements, payment facilitators should carefully consider whether they want to take on the responsibilities and compliance requirements of expanding their exchange in the U.S.


The New York State Department of Financial Services (NYDFS) passed a regulation, effective March 1, 2017, that is designed to promote the protection of customer information as well as the information technology systems of regulated entities.

DFS concluded that there were five principles that the regulation must comprise: (1) establishment of a cybersecurity program, (2) adoption of a security policy and procedure, (3) role of Chief Information Security Officer (CISO), (4) monitoring third-party service providers, and (5) additional items relating to security best practice.


First, under the governance requirements, covered entities are required to maintain a cybersecurity program that reflects a risk-based approach.

Risk Assessment

Risk assessment programs are designed to conform to cybersecurity functions such as assessing internal and external risks, using defensive infrastructure, detecting breaches or attempts, mitigating its effects, recovering and restoring normal operations, and fulfilling compliance obligations.[3]

Programs must include “a written incident response plan designed to promptly respond to, and recover from, any [c]ybersecurity [e]vent that materially affecting the confidentiality, integrity or availability of the [c]overed [e]ntity’s [i]nformation [s]ystems or the continuing functionality of any aspect of the [c]overed [e]ntity’s business or operations.”[4]


Covered entities are required to implement and maintain a written cybersecurity policy that is approved by either a Senior Officer, the board of directors, or an equivalent governing body.[5]

The policy must adequately state the methods used to store and protect Information Systems and Nonpublic Information and must be based on a Risk Assessment and a reasonable consideration of the following 14 elements:

Information security, data governance and classification, asset inventory and device management, access controls and identity management, business continuity and disaster recovery planning and resources, systems operations and availability concerns, systems and network security, systems and network monitoring, systems and application development and quality assurance, physical security and environmental controls, customer data privacy, vendor and Third Party Service Provider management, risk assessment, and incident response.[6]

Cybersecurity Employees

Covered entities are also required to designate a qualified individual, known as the Chief Information Security Officer (CISO), responsible for implementing and maintaining the program and enforcing the policy.[7]

The CISO is responsible for writing annual reports about the cybersecurity program and material cyber risks to either the board of directors, an equivalent governing body, or senior officer of the covered entity.[8]

Additionally, the covered entity is tasked with hiring qualified cybersecurity personnel to assess cybersecurity risks and provide proper training to employees.[9]

Third-Party Service Providers

Covered entities must evaluate cybersecurity procedures and policies of its third-party service providers not already covered by the requirements and implement separate procedures and policies.[10]

This requirement means that contract provisions should be drafted that permit covered entities to assess the cybersecurity programs of its third-party service providers.

Such provisions should also allow covered entities to implement appropriate cybersecurity programs that will protect non-public information and information systems, establish notification and remediation procedures in the event of a cybersecurity breach, and determine which entity will pay for the costs of the breach.[11]


Next, under the technical requirements, covered entities are required to use effective controls that protect against unauthorized access to Information Systems and Nonpublic Information.

Transaction Monitoring Threshold

For example, in a standard BSA/AML Policy, U.S. cryptocurrency exchanges take conservative approaches to monitor users’ transactions. This is usually accomplished by setting a low-dollar monitoring threshold. In the U.S., a typical minimum dollar transaction threshold for a cryptocurrency exchange ranges from $10,000 to $50,000 per transaction.

When a breach is detected, covered entities must promptly notify the DFS superintendent within 72 hours of a determination that a cybersecurity event occurred.[12]

Covered entities are required to conduct continuous monitoring and testing, such as annual penetration testing, or “bi-annual vulnerability assessments” to keep its program current.[13]

Independent Audit Reviews

In theory, payment platforms are not supposed to touch user funds until they are properly regulated; meaning, they have licenses, proper cybersecurity in place, and have gone through all the required auditing.

Meaning, if someone decides to launch an online payment platform, they will need to go through full independent audits and show that their systems are safe for users to use.


Texas requires MTL applicants to submit an Information Technology Questionnaire. The Questionnaire requires in part:

  1. Implementation of a comprehensive, enterprise-wide, disaster recovery / business continuity program (DR/BCP)
  2. Incident Response Plan
  3. Internal and External Audit Program
  4. Information Security Program (ISP) to protect non-public information
  5. ISP with respect to its: application server infrastructure and controls; website and associated web application security; Virtual Currency wallet infrastructure and controls
  6. Disclosure of Reliance on Delegates or Offices to Conduct Business Activities
  7. Disclosure of Development/Support Activities

Given that Texas is the only state that requires such an extensive auditing process for MTL applicants, it is arguably the most difficult state to get licensed in.


FinCEN Advisory

FinCEN issued an advisory to assist financial institutions (FIs) in understanding their BSA obligations regarding cybersecurity.

  1. SAR Reporting of Cyber-Events:

A FI is required to report suspicious transactions that involve or aggregate to $5,000 or more in funds or other assets.

The following example illustrates a situation in which SAR reporting of cyber-events is mandatory:

A MSB knows or suspects a Distributed Denial of Service (DDoS) attack prevented or distracted its cybersecurity or other appropriate personnel from immediately detecting or stopping an unauthorized $2,000 wire transfer.

In this case, the FI must file a SAR to report the wire transfer because it was unauthorized and meets the filing threshold; and it must report the DDoS attack because it was perpetrated to conceal the unauthorized wire transfer.

  1. Including Cyber-Related Information in SAR Reporting:

FIs are required to file complete and accurate reports that incorporate all relevant information available, including cyber-related information.

Cyber-related information includes, but is not limited to, IP addresses with timestamps, virtual-wallet information, device identifiers, and cyber-event information.

For instance, a FI may file one SAR to report several malware intrusions if these events share common characteristics and indicators such as the methodology used, the vulnerability exploited, and IP addresses involved.
  1. Collaboration between BSA/AML and Cybersecurity Units:

FIs are encouraged to internally share relevant information with BSA/AML staff, cybersecurity personnel, fraud prevention teams, and other potentially affected units.

For instance, BSA/AML units can use cyber-related information, such as patterns and timing of cyber-events and transaction instructions coded into malware among other things, to (1) to help identify suspicious activity and criminal actors and (2) develop a more comprehensive understanding of their BSA/AML risk exposure.

Information provided by cybersecurity units could reveal additional patterns of suspicious behavior and identify suspects not previously known to BSA/AML units.

Co-Author: Laina Dowd (Suffolk University JD Candidate ’23)


[1] Crypto Exchange: Hacks in Review, Cointelegraph, magazine/crypto-exchange-hacks/  []; Erik Voorhees, Looting of the Fox: The Story of Sabotage at ShapeShift, (2016), https://news. []; Tim Copeland, The Complete Story of the QuadrigaCZ $ 190 Million Scandal, Decrypt (2019),  [].

[2] Osato Avan-Nomayo, DeFi Hacks and Exploits Total $285M Since 2019, Messari Reports, Cointelegraph (2021),


[4] Id. § 500.16.

[5] Id. § 500.03.

[6] Id. § 500.03(a)-(n).

[7] Id. § 500.04(a).

[8] Id. § 500.04(b).

[9] Id. § 500.10.

[10] Id. § 500.11.

[11] Id.

[12] Id. § 500.17(a).

[13] Id. § 500.05(a)-(b)

This article is provided for your convenience and does not constitute legal advice. The information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Prior results do not guarantee a similar outcome.

Other Resources


Our Founding Partner


Max (Maksim) Dilendorf, Esq.

Max (Maksim) Dilendorf’s legal practice is laser-focused on digital assets and cyber-crime cases, a domain he has passionately pursued since 2017. Over the past 7 years, Max built a distinct digital asset law practice, dedicating tens of thousands of hours to managing diverse client cases, research and engaging ...

Learn More about Max (Maksim) Dilendorf, Esq.
Max (Maksim) Dilendorf, Esq.

Adam Pollock

Adam is one of the nation’s leading young whistleblower lawyers.  He brings with him a special ability not just to litigate, but to investigate – and understand – complex organizations and transactions.  His extensive familiarity with tech issues is built on a computer science degree and work as a ...

Learn More about Adam Pollock
Adam Pollock

Bari Zahn, Esq.

Bari Zahn has nearly 20 years of experience practicing at global law firms in New York. Bari has represented a broad array of multinational clients on U.S. and cross-border transactions. She has supervised legal teams worldwide and has extensive management experience as the Founder, former CEO and General ...

Learn More about Bari Zahn, Esq.
Bari Zahn, Esq.

Steve Cohen

Steve contributes extensive business and problem-solving experience to challenges that may require litigation – or may help avoid it.  Indeed, his perspective on litigation is influenced by his experience as a three-time internet start-up CEO.

Steve served on Ronald Reagan’s 1980 presidential campaign ...

Learn More about Steve Cohen
Steve Cohen

Robin Gerofsky Kaptzan, Esq.

A New York licensed attorney with three decades of legal and business experience in the U.S. and Asia, Robin recently joined the law firm as a partner and leads the Asia-Pacific practice.

While acting as an international business lawyer and global corporate general counsel, Robin is sought out by clients ...

Learn More about Robin Gerofsky Kaptzan, Esq.
Robin Gerofsky Kaptzan, Esq.

Craig S. Redler

Craig S. Redler has held positions with Amicorp in its offices in Auckland New Zealand and Miami Florida, and Southpac Trust International, Inc. with offices in the Cook Islands and Tauranga New Zealand. His responsibilities included serving as Trustee for off-shore trusts settled by high net-worth clients ...

Learn More about Craig S. Redler
Craig S. Redler

Pamela A. Fuller, Esq.

Pamela A. Fuller is a corporate and international tax attorney, with over two decades of experience.  She advises a wide range of clients–including private and public companies, joint ventures, private equity and hedge funds, C-Suite executives, private U.S and foreign individual clients, and government ...

Learn More about Pamela A. Fuller, Esq.
Pamela A. Fuller, Esq.