Money Transmitter Compliance Checklist for Crypto Exchanges, Remittance and Web3 Platforms

August 10, 2022  |   By: Max Dilendorf, Esq.

Launching a crypto exchange, remittance application or Web3 NFT marketplace that requires federal and state money transmitter licenses (“MTL”) is a complex undertaking.

Careful legal and business planning is key for developing a practical product launch roadmap.  State money transmitter regulators have rigid compliance and IT checkboxes that companies must satisfy to qualify for state licenses.

Below is a compliance framework that companies can use as a reference when developing a crypto exchange, remittance platform or NFT marketplace and taking it through the states’ MTL application process and state audits.

Companies applying for MTLs must also be prepared to provide third-party assessments and audits of relevant computer systems.

  1. Has applicant implemented a comprehensive, enterprise-wide, disaster recovery / business continuity program (DR/BCP) for operating a cryptocurrency exchange or digital asset payments platform? If yes, does the DR/BCP contain:
    • Defined roles & responsibilities?
    • Written recovery procedures?
    • Does applicant obtain a Service Organizational Control (SOC) 1 or similar audit?
    • Does applicant obtain a SOC 2 or similar audit?
    • Business impact analysis?
    • Offsite storage provisions?
    • Testing requirements, including documentation of lessons learned from DR/BCP tests?
  1. Does applicant have an incident response plan?

As part of its cybersecurity program, each covered entity (crypto exchanges, payment and NFT platforms) may need to establish a written incident response plan designed to promptly respond to, and recover from, any cyber event materially affecting the confidentiality and integrity of the covered entity’s business operations.

If a covered entity has an incident response plan, does the plan provide for:

    • Assessing the nature & scope of the incident, including documenting any systems containing customer information that may have been compromised?
    • Containing & controlling the incident to prevent further compromise?
    • Contacting appropriate law enforcement and regulatory representatives?
    • Preserving records and other evidence?
    • Customer notification?
    • Periodic employee awareness training?
  1. Has applicant implemented an internal audit program? If yes, does the scope of the internal audit program include:
    • Network security?
    • General IT-related controls?
    • Penetration testing?
    • Application development policies & procedures?
    • Disaster recovery / business continuity planning?
    • Information security program?
    • Compliance with applicable safeguarding customer information regulations?

For example, a cryptocurrency exchange or payment platform should have a cybersecurity program that includes continuous monitoring or periodic penetration testing and vulnerability assessments.

Furthermore, cryptocurrency platforms, including NFT platforms, should conduct annual penetration testing of their information systems based on relevant identified risks in the cryptocurrency and NFT industries.

  1. Has applicant implemented an information security program (ISP) to protect non-public information?
    • Written policies & procedures?
    • Employee training?
    • Monitoring?
    • Security at both the applicant and, if applicable, significant service providers?
    • Logical & physical security considerations?
    • Provisions for testing the effectiveness of key controls through some type of audit, test, review, etc.?
    • Provisions for adjusting the program?
  1. Has applicant implemented an ISP with respect to its application server infrastructure and controls? If yes, does the ISP include:
    • A security check of any internal application servers on which customer information or critical data is stored, processed, or transmitted?
    • Does the security check test for internal application servers’ vulnerabilities?
    • Does the security check for internal application servers validate appropriate access controls?
    • Does the security check for internal application servers provide for penetration testing?
  1. Has applicant implemented an ISP with respect to its cryptocurrency (NFT) wallet infrastructure and controls? If yes, does the ISP include:
    • Security over the virtual and physical infrastructure in which virtual currency is kept for the applicant and customers?
    • Do virtual controls include passwords, encryption, and split keys?
    • Are private keys ever stored unencrypted?
  1. Does the applicant develop or support custom software that is used for conducting daily business activities? If yes, are development/support activities:
    • Based on written policies & procedures?
    • Properly segregated? (e.g. development from production, documentation, production release controls, and pre-release testing.)
    • Based on secure program coding practices that meet industry standards?
    • Based on an assessment of the applicant’s system and application development methodology?
    • Subject to independent review and testing to ensure there are no security and integrity issues prior to migration to a production environment?
  1. Has applicant developed an Anti-Money Laundering (AML)/Bank Secrecy Act (BSA) Policy? Note that many states require companies to complete an independent review of their BSA-AML program. Each licensee is required to have risk-based policies, procedures and practices to ensure that its transactions comply with OFAC requirements and adequately protect consumers. Furthermore, applicants must have a Transaction Screening and Filtering Program.

Guiding Clients Through MTL Application Procedures in Every State

Dilendorf Law Firm assists clients with obtaining and maintaining Money Transmitter Licenses (MTLs) – the state and federal licenses required to operate as a Money Services Business (MSB).

We regularly represent the following types of use-cases in connection with MTL projects:

  • cryptocurrency exchanges
  • banking as a service (BaaS) for crypto and digital payment applications
  • digital payment platforms and apps
  • stablecoin issuers and payment systems
  • cross-border payment and remittance solutions facilitating payments between US, Mexico, Middle East, India, European and African Countries (Tanzania, Kenya, Uganda, Rwanda, Ghana and South Africa)
  • DeFi platforms switching to CeFi models
  • Metaverse businesses and payment processors
  • play-to-earn game operators
  • liquidity pool providers
  • OTC desks

Our lawyers advise and assist clients throughout the MTL application process, including the following steps:

  • Developing an MTL strategy nation-wide for traditional businesses and cryptocurrency trading platforms and exchanges
  • Selecting and establishing optimal corporate and tax business structures supporting US and cross-border payments and remittances
  • Preparing a business plan, summary of historical and current operations, financial statements, affidavits and other required documentation
  • Submitting applications in individual states
  • Acquiring mandatory surety bonds
  • Completing FinCEN registration
  • Accomplishing necessary corporate actions, including local qualification of out-of-state companies, provision of registered agents, drafting/amending corporate governance documents
  • Developing anti-money-laundering (AML) and other compliance programs
  • Representing clients in communications with the federal and state agencies

Resources:

Federal

State Money Transmitter Licensing Authorities:

State | State Money Transmitter Licensing Authority
Alabama | Alabama Securities Commission
Alaska | Alaska Division of Banking and Securities
Arizona | Arizona Department of Financial Institutions
Arkansas | Arkansas Securities Department
California | California Department of Business Oversight
Colorado | Colorado Division of Banking
Connecticut | Connecticut Department of Banking
Delaware | Delaware Office of the State Bank Commissioner
District of Columbia | District of Columbia Department of Insurance, Securities and Banking
Florida | Florida Office of Financial Regulation
Georgia | Georgia Department of Banking and Finance
Hawaii | Hawaii Department of Commerce and Consumer Affairs
Idaho | Idaho Department of Finance
Illinois | Illinois Department of Financial & Professional Regulation
Indiana | Indiana Department of Financial Institutions
Iowa | Iowa Division of Banking
Kansas | Kansas Office of the State Bank Commissioner
Kentucky | Kentucky Department of Financial Institutions
Louisiana | Louisiana Office of Financial Institutions
Maine | Maine Office of Consumer Credit Protection
Maryland | Maryland Department of Labor, Licensing & Regulation
Massachusetts | Massachusetts Office of Consumer Affairs and Business Regulation
Michigan | Michigan Department of Insurance and Financial Services
Minnesota | Minnesota Department of Commerce
Mississippi | Mississippi Department of Banking and Consumer Finance
Missouri | Missouri Division of Finance
Montana | Montana Division of Banking & Financial Institutions
Nebraska | Nebraska Department of Banking and Finance
Nevada | Nevada Department of Business & Industry
New Hampshire | New Hampshire Banking Department
New Jersey | New Jersey Department of Banking & Finance
New Mexico | New Mexico Regulation and Licensing Department
New York | New York Department of Financial Services
North Carolina | North Carolina Commissioner of Banks
North Dakota | North Dakota Department of Financial Institutions
Ohio | Ohio Department of Commerce
Oklahoma | Oklahoma Banking Department
Oregon | Oregon Division of Financial Regulation
Pennsylvania | Pennsylvania Department of Banking and Securities
Rhode Island | Rhode Island Department of Business Regulation
South Carolina | South Carolina Attorney General
South Dakota | South Dakota Division of Banking
Tennessee | Tennessee Department of Financial Institutions
Texas | Texas Department of Banking
Utah | Utah Department of Financial Institutions
Vermont | Vermont Department of Financial Regulation
Virginia | Virginia State Corporation Commission
Washington | Washington State Department of Financial Institutions
West Virginia | West Virginia Division of Financial Institutions
Wisconsin | Wisconsin Department of Financial Institutions
Wyoming | Wyoming Division of Banking

Stablecoins Federal Guidelines

New York

California

Florida

  • OFR-560-01 – Application to Register as a Money Services Business
  • OFR-560-02 – Location Notification Form
  • OFR-560-03 – Declaration of Intent to Engage in Deferred Presentment Transactions
  • OFR-560-04 – Money Services Business Quarterly Report Form
  • OFR-560-05 – Pledge Agreement
  • OFR-560-06 – Money Services Business Surety Bond Form
  • OFR-560-07 – Security Device Calculation Form
  • Chapter 560, Florida Statutes – Money Services Businesses
  • Rule 69V-560, Florida Administrative Code – Money Transmitters
  • Form OFR-560-09 – Disciplinary Guidelines for Money Services Businesses
  • Security Device Calculation Form
This article is provided for your convenience and does not constitute legal advice. The information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Prior results do not guarantee a similar outcome.
