VIRTUAL CURRENCY
In re: Genesis Global Trading Inc.
Date: Jan. 12, 2024
Issue: Genesis Global Trading Inc.’s consent order with the New York Department of Financial Services (NYDFS).
Case Summary: Genesis Global Trading (GGT) agreed to pay $8 million to resolve NYDFS allegations that it violated virtual currency and cybersecurity regulations.
In 2017, NYDFS developed a first-of-its-kind regulatory framework on virtual currency businesses. Companies must be chartered through the NYDFS Limited Purpose Trust Charter process or obtain a BitLicense to conduct virtual currency business activity in New York. GGT held a BitLicense and primarily engaged in non-custodial, over-the-counter trading of digital currencies.
NYDFS oversees the Virtual Currency Regulation and Cybersecurity Regulation. The Virtual Currency Regulation (23 NYCRR Part 200) requires each licensee to, among other things, comply with certain financial reporting requirements; develop and implement an effective anti-money laundering program; and maintain a robust cybersecurity program. The Cybersecurity Regulation (23 NYCRR Part 500) requires covered entities to implement and maintain a cybersecurity program that protects their information systems and nonpublic information based on periodic risk assessments.
NYDFS conducted an initial full-scope examination (first exam) of GGT covering the period of April 1, 2019, through March 31, 2022, and alleged deficiencies in GGT’s overall compliance function. After conducting a second full-scope examination (second exam), NYDFS alleged GGT did not adequately address deficiencies from the first exam, even though GGT’s business had significantly grown. Following the second exam, NYDFS initiated an enforcement investigation into GGT’s compliance with the Virtual Currency Regulation and the Cybersecurity Regulation. According to NYDFS, GGT failed to:
- Maintain a compliant anti-money laundering program, in violation of 23 NYCRR § 200.15;
- Ensure all consumer protection disclosures were made and acknowledged by consumers, in violation of 23 NYCRR § 200.19(c), (d), (e);
- Maintain a cybersecurity program based on a risk assessment, and designed to protect the confidentiality, integrity, and availability of its information systems, in violation of 23 NYCRR §§ 500.2, 500.9, 200.16(a);
- Maintain and implement compliant cybersecurity policies, in violation of 23 NYCRR §§ 500.3, 200.16(b), 200.17, 500.16(b)(6);
- Limit user access privileges, in violation of 23 NYCRR § 500.7;
- Implement policies and procedures for the secure disposal on a periodic basis of nonpublic information, in violation of 23 NYCRR § 500.13;
- Encrypt nonpublic information (NPI) in transit and at rest, in violation of 23 NYCRR § 500.15;
- Submit an opinion and attestation by an independent certified public accountant, in violation of 23 NYCRR § 200.14(b);
- Ensure that its chief information security officer submitted annual written reports to its board of directors and the department, in violation of 23 NYCRR §§ 500.4, 200.16(d); and
- Properly certify compliance with the Cybersecurity Regulation for the calendar years 2019 and 2020, in violation of 23 NYCRR § 500.17(b).
In addition to paying the $8 million penalty, GGT agreed to surrender its BitLicense to conduct virtual currency business activity and cease operations.
Bottom Line: Genesis did not admit to or deny NYDFS’ allegations. NYDFS emphasized in the consent order that a cybersecurity risk assessment should serve as the foundation of a company’s cybersecurity program.
Documents: Consent order