New York to Bitcoin Startups: Get Permission
techcrunch.com
>1. Submit fingerprints of all founders (and employees) to the FBI and disclose personal financial information of founders and officers to NY State.
>2. Require them to hold an undetermined amount of U.S. dollar funds in bonds or trusts. Startups will not be able to predict the bonding or capitalization requirements until after they apply, making it difficult to project expenses or raise money.
>3. Conduct expensive audits and security testing that no small startup could afford.
>4. Hand over any untouched user assets to NY State after five years as “abandoned property.”
If these four things deter you, please do everyone a favor and do not start any company that handles other people's money.
There is a difference between:
* Coinbase: A startup that holds millions of dollars worth of bitcoin for mostly consumers
* The reddit tip bot: a non-profit community tool that explicitly discourages holding more than a dollar or two
* Blockchain: A startup that holds no money for anyone, but writes and serves software that helps people hold their own money online.
Do you think all three of these groups should go through this process?
Professional auditing and security testing should be necessary for any piece of software from which it's possible to drain large sums of money, regardless of who's running the software or holding the money. In fact, I'd argue anything less constitutes an ethical breach on the part of the lead engineer(s).
I'm not really sure why that particular regulation is so onerous in any of these situations, since any responsible team would be thinking about security throughout, including and especially post-development.
At least in principle (maybe you'd prefer different auditing standards or practices -- that's what I mean by in principle).
edit: of course each of these is a different sort of service, and different levels of risk management are appropriate. In particular, the case of Blockchain seems like a real quagmire. I guess it would probably depend heavily on the revenue model.
Really my only point is that I would have a really hard time sleeping at night if I had to sign off on not applying state-of-the-art auditing and testing techniques to any of these, even Blockchain. Maybe I'm too crotchety and old-school for bitcoin.
We're in the process right now of writing up a more in-depth policy proposal, but you're spot on in terms of different levels of risk management. And we're not at all against security testing, which is also one of the great benefits of FOSS. ("Given enough eyeballs, all bugs are shallow.")
And the audits comprise financial audits as well, which surely make sense for bitcoin exchanges and companies holding funds, but not so much for open source projects or technologies that are built around bitcoin but where no funds are held.
That said, the actual regulatory proposal has many more requirements than even mentioned in the article (including quarterly reports to the NY State Superintendent, collecting of user data, and the possibility of being denied a license without a system for due process in place), and things that the creator of a Reddit tip bot surely couldn't comply with.
This is great to hear. The best way for software to keep itself relatively unburdened by (poorly implemented) regulation is for industry to hold itself to high standards. And why wouldn't we? We're proud of what we build.
I'll be very curious to see how companies built up around client software but not directly handling money are treated in your proposal. I think safety-critical industries cover these in various different ways, normally under the assumption that the companies are producing either a) "components" for use in safety-critical systems; or b) tools which will be used for QA processes. I'm not sure either applies well, especially in the case of OSS. And I don't know of anything similar in finance.
> Given enough eyeballs, all bugs are shallow.
Tell that to OpenSSL.
Or tell that to Linus Torvalds, as it's his law.
> Professional auditing and security testing should be necessary for any piece of software from which it's possible to drain large sums of money, regardless of who's running the software or holding the money. In fact, I'd argue anything less constitutes an ethical breach on the part of the lead engineer(s).
Would you include web browsers, OSs, system libraries and such in that definition? All those can steal users money if compromised. If so, who do you suggest be responsible for that in an open source project?
> All those can steal users money if compromised.
Not in a vacuum; they have to be deployed in a setting where that's possible.
> Would you include web browsers, OSs, system libraries and such in that definition?
It's sort-of a moot point, because the major products in all of these areas are routinely analyzed from a security perspective. Apple and Microsoft both spend a lot of money on security, and security researchers spend lots of time and effort auditing linux.
> If so, who do you suggest be responsible for that in an open source project?
The organization deploying the software in a security-critical setting should follow best practices when selecting and maintaining components.
There's a significant difference between engineering failures that happen even when you've followed best practices, and very preventable engineering failures that happen only because you've not followed best practices. Just because perfect security isn't possible doesn't mean we should give up entirely and not even bother sanitizing input, for instance.
Additionally, OS vendors should not encourage users to use their software in security-critical settings unless the vendor is following best practices w.r.t. security. This is where I could see some bitcoin projects getting into trouble.
For the Reddit Tip Bot?
The honest answer is that I don't know, because I don't know how much money the reddit tipbot handles or how long the money stays vulnerable to a potential bug in the software. This is the criterion I suggest:
> for any piece of software from which it's possible to drain large sums of money
To which I might add "directly" or "quickly" or "covertly", but I think you get the intent. My edit to the parent comment also applies, since none of these is a binary value and risk management should match the assumed risk.
edit: I would say that the fact that it's only a few bucks per user is not relevant, especially if that limit isn't hard-coded.
How about this
https://github.com/vindimy/altcointip/blob/master/src/cointi...
with this
https://github.com/vindimy/altcointip/blob/master/src/ctb/ct...
You don't think that might allow someone to do a bit of skimming by playing a little loose with the exchange rates?
Yes, it should. Should that shouldness be codified into law and help entrenched market participants stay entrenched? Because while I do see millions spent on bank software security, wellsfargo.com is still an enormous joke.
I'm referring only to the specific case of regulations which cover engineering practice (as opposed to more industry-specific regulations, for instance, which I don't know enough to comment on).
In these cases, absolutely yes! The shouldness should be codified into law.
The best mechanism (regulation vs. after-the-fact culpability; specific legislation vs. using existing frameworks, etc.) is debatable.
But companies who cause public harm by not following best practices (either intentionally or due to poorly trained engineers) should be held legally responsible for preventable disasters. Just like it's done in many more mature (as in older) engineering fields.
What is the US's obsession with fingerprint collection?
The rest of it I can sorta understand: provided that society is viewing Bitcoin less as a weird internet thing and more as a money thing, I can understand regulators wanting to treat Bitcoin institutions like financial institutions. But collecting fingerprints just to start a business seems so 1984.
They are a little dated these days of course, but off the top of my head fingerprints are used for banking, old fashioned wire transfers, and passports. They want to be able to connect you to those things, and the fingerprint was the private key signature [1] of the 20th century.
Which, IMO, isn't "so 1984" because those are historically all major fraud avenues.
> off the top of my head fingerprints are used for banking, old fashioned wire transfers, and passports
Fingerprints are not routinely collected in the United States to open bank accounts, send or receive wire transfers, or request passports.
Has policy changed? I could swear I had to give a fingerprint last time I opened a bank account in person, and when I got my passport. I suppose that was fifteen years ago...
I have never given a fingerprint to open a bank account.
The only time I've ever been fingerprinted is for a license renewal at the California DMV, and I have a passport, a bank account, etc.
AFAIK there has never been a fingerprint requirement for US passports.
I have never given fingerprints to open a bank account
Many banks will request a fingerprint to cash a check if you do not have a preexisting relationship with the bank.
How about this?
each Licensee must obtain the superintendent’s prior written approval for any plan or proposal to introduce or offer a new product, service, or activity, or to make a material change to an existing product, service, or activity
Banks and other financial firms have the same requirement.
That would depend entirely on what "handle other people's money" actually means. There's a huge difference between the different players in this space. Just because they're in the same ecosystem doesn't mean the same regulations should apply.
I am personally intrigued by point 4, "any untouched asset after five years is abandoned property". So, if I deposit money in my account, it's not mine after five years? Where does it work like that?
#4 does not mean New York State owns it forever. It is intended to prevent companies from having an incentive to create business practices based on the hope that people will forget about or abandon funds etc. A customer can claim those funds by going here:
https://www.osc.state.ny.us/ouf/
Your comment is kind of what I'm talking about. You do not know nearly enough about this stuff to start a Bitcoin startup, judging by the fact that you don't even know what unclaimed property is. Therefore I hope regulations like this prevent you and other obviously unqualified people from handling other people's money.
EDIT: I came out a bit harsh on this and I apologize. I intended to use it as an example of you likely having the technical ability for such a project but not the financial knowledge, which in my opinion is the dangerous situation these regulations will hopefully prevent.
xorcist choosing to question a comment on a website does not necessarily put him in the same category as people wishing to start a bitcoin startup handling others money
That's a valid point. It came out wrong and unnecessarily harsh.
I should have also added that although the person I was replying to (xorcist) was unqualified in the financial knowledge, I assume, by way of being around HN, that they likely have more than enough technical aptitude for such an endeavor.
These regulations, in my opinion work to protect the larger markets from exactly that type of dangerous situation.
"I am personally intrigued by point 4, 'any untouched asset after five years is abandoned property'."
That's how bank accounts in NY State currently work. However, if your account has been idle for a while, your bank tries to contact you to tell you about it. If you have on-line banking, logging in to your account usually makes it active again.
Also, in the event that your money does get turned over to the state, you can ask the state to return it to you.
I think this law is primarily designed to ensure that if people die without leaving a will, the funds will go to the state rather than to the bank. If heirs (e.g., next of kin) turn up eventually, it's easier to go to the state's web site and look for unclaimed property under someone's name than to try to figure out which of hundreds of banks the deceased had his account at.
And one of the key questions is, does this make sense for, say, 1000 abandoned dogecoin (current value $0.24) on tipdoge.info? This is why we proposed de minimis exceptions.
Absolutely, 100% it does. Because it helps to prevent a business from building its profit model around 100,000 people abandoning $1 each.
Policy is always about tradeoffs. Is it your stance that the creator of Reddit tip bots should have to register fingerprints with the FBI, hand over personal financial info, send quarterly reports to the Superintendent with audited financial statements, collect the real identities and physical addresses of all senders and recipients, assign a compliance officer, hire an outside firm to do pentesting, get permission before releasing a new product, service, or features, and have an undisclosed amount of USD funds bonded to NY State along with an undisclosed amount on hand just to operate a simple app? What about open source projects that are not corporations?
Yes, that is exactly my stance. Find another hobby outside of playing with people's money.
... or do it somewhere else than in New York State, I guess?
Fingerprints requirement sounds a bit ludicrous. Is this standard practice applied to other financial services companies?
Capital requirement is misplaced: Bitcoin startups are not generally fractional banking institutions. Also, they operate in Bitcoin, so why demand they hold assets denominated in USD? It's not like the customers can come back demanding to sell their Bitcoin at the same exchange rate they bought it at.
Audits and security testing sound perfectly appropriate.
Inactive assets handover also seems appropriate since it provides the most efficient way to manage and ultimately return abandoned property to its rightful owner.
Fingerprints are required so that when they find a stolen bitcoin, they can dust it for prints to see if any of the founders were involved in its theft. That's pretty straightforward.
>>4. Hand over any untouched user assets to NY State after five years as “abandoned property.”
So if you hold bitcoin in an account for 5 years, the state will steal it from you by force?
No, if an account is inactive for five years, and the company is unable to contact the account holder, it's turned over to the state to hold. The state publishes a list of unclaimed property and provides a process that the owner or other appropriate party can use to claim their property. You can see how it works in New York at https://www.osc.state.ny.us/ouf/.
Does anyone else wonder if this is more of a go-for-it-all-and-negotiate-back-to-reasonable sort of attack on bitcoin? He can't really want what he's proposing; banks don't even ask for government approval when they launch new features. So the only thought is that he either doesn't want bitcoin at all or he wants to win control of it in NY by proposing unreasonable things. If he'd wanted real consumer protections, wouldn't he just have asked for them?
Banks actually do have to ask for permission for "new lines of business", aka new products. The theory going around is that he asked for a best case scenario for the regulator and the goal of the comment period is to see what the industry cares enough about to push back hard. His goal is to have a regulation come out of the comment period that all of the "Big Bitcoin" startups and VC's like enough to apply instead of sue. He'll probably get what he wants.
It certainly is an "ask for the moon" type proposal, which is how regulators often like to start. Part of the problem, though, is that it's so far skewed to one side that getting it back to even somewhat reasonable is going to take a lot of work.
Lawsky did what makes sense from his perspective: he applied the money transmission framework to Bitcoin.
The authors of this post are both biased in favor of Bitcoin, and not particularly careful examiners of the real consumer protection issues at hand.
The Money Transmission Framework is a combination of two types of rules:
1. Capital Requirements, licensing and Bonding for people who hold money for consumers who are not banks. These rules are consumer protection laws and make sense for businesses that offer custodial accounts denominated in bitcoin or dollars. These rules could have been applied to Instawallet, Coinbase, Mt. Gox, etc.
2. AML + KYC rules. These require people who help move money into and out of the banking system to find out who their customers are and report them to law enforcement when they do the unexpected. These rules could be applied normally to people doing exchange services, like Expresscoin, BitInstant (RIP), CoInvoice, etc.
I've spent years and hundreds of thousands of investor dollars examining the issues here, like you have. Stay tuned for a policy piece describing when these rules make sense and when they don't. Hint: If you are just posting software to github, these rules do not make sense to apply to you.
"These rules could have been applied to"
Actually, these rules ARE applied to Coinbase at the very least. Coinbase--and YC, and many YC startups--deliberately choose to ignore them.
I've read your lawsuit against coinbase. No comment.
Sounds like you don't disagree then.
Sounds like he cannot comment for legal reasons.
On the other hand, assuming that you have filed a lawsuit against Coinbase, it sounds like you can no longer pass neutral comment on the matter. Something you seem to have conveniently not mentioned.
I've written about the lawsuit often enough on HN that I'm routinely criticized for writing too much. Of course, if I don't bring it up, I must be trying to hide it.
In any event, there's no legal reason why he couldn't comment. He's not involved, except to the extent that his own company might also be ignoring the law and thereby breaking it--which I have no idea if it's the case or not. But plenty of startups do.
The bulk of readers are not going to know your history. I didn't.
It doesn't take a lot to add "[full disclosure: I'm suing Coinbase]" when you opine on Coinbase. Having somebody else bring it up first definitely reduces your credibility.
Indeed he's attempting to apply an existing regulatory framework to new technology, which rarely works well.
The point of the article was not to focus on the consumer protection issues, but instead to point out how it could kill startups in the name of consumer protection. We are both in favor of avoiding another Mt. Gox, and the numerous other cases where user funds were lost, which includes escrow of the funds held for users. I'd be curious to get your thoughts as to what you consider the most pressing consumer protection issues, as we're working on another piece that will focus more on these.
Given the way that some Bitcoin startups have crashed and burned with people's money, I don't think that it's unreasonable to raise the bar significantly in the name of consumer protection.
If that eliminates small startups in the space from directly offering services to consumers, so be it.
Part of the problem is that the regulations aren't just seeking to cover companies that hold peoples' funds (aka private keys), but instead any technology touching the ecosystem. New York doesn't have to and shouldn't conflate the two.
It makes sense to regulate and, for example, require escrow for companies that are holding user funds in order to avoid the exact situation you point out. It doesn't make sense for a web wallet where the user is storing her own keys client-side.
> Indeed he's attempting to apply an existing regulatory framework to new technology, which rarely works well.
I think this sounds more true than it actually is. "Works" is a fairly ambiguous word, but new technology is released into existing regulatory frameworks every day.
I've written up my thoughts in a comment letter to CFPB. See http://www.thinkcomputer.com/20140214.cfpbcomment.pdf.
And if you were aware of the existing regulatory framework, how is any of this different or surprising?
These regulations aren't about consumer protections (if they were, companies would be audited and scored on how well they comply, à la health food scores in restaurants). If regulators solely marked businesses with the metaphorical seal of approval, a democratic, economic process would happen in the marketplace.
This is entirely about the state inserting themselves between people, their money, and where they want to spend it. You'd be ignorant to believe that the Feds wouldn't apply the same transaction-ending, censorship-level force to Bitcoin transaction services ("Oh, your users are sending money to Wikileaks? We deem that a risky transaction and now require you to hold 10X funds in dollars and to buy additional bonds. Oh, what a coincidence, that's outside of your financial situation, which we have complete privilege to inspect.")
Furthermore, to quote Greg Brockman:
"Second, this model [the Bitcoin ecosystem] unbundles the existing financial system into layers run by independent companies. To see the value of this, contrast with the US mobile carriers, who used to own the entire stack. They owned the handsets, the operating systems, the applications running on the phone, and the service. This meant that most of the stack never had anything pushing it to get very good, and there were even incentives to hold it back in order to preserve legacy revenue-generating facilities like SMS. By enabling competition at individual layers of the financial system, each one should improve."
The big banks of NY are threatened by Bitcoin and are working with the same people/regulators they've rubbed elbows for so long. If regulators really cared about protecting consumers they would have prosecuted big banks for the biggest destruction in wealth in human history aka the 2008 financial crash.
This will only further the ambitious goals of DACs (Distributed Autonomous Corporations).
This is all kind of amusing. 1) Government architects Internet in a decentralized fashion so that it survives damage from a nuclear attack. 2) Government tries to control Internet and fails because Internet, being decentralized, routes around control because it is seen as damage. 3) Bitcoin is pure Internet money.
The math isn't that hard here. This should be interesting...
Looks like California is about to get a huge influx of bitcoin entrepreneurs...