Bill Text: NY A02213 | 2019-2020 | General Assembly | Introduced
Bill Title: Relates to financial technology products and services; establishes a regulatory sandbox program.
Spectrum: Strong Partisan Bill (Democrat 10-1)
Status: (Introduced - Dead) 2020-01-08 - referred to banks [A02213 Detail]
Download: New_York-2019-A02213-Introduced.html
STATE OF NEW YORK ________________________________________________________________________ 2213 2019-2020 Regular Sessions IN ASSEMBLY January 22, 2019 ___________ Introduced by M. of A. KIM, QUART, D'URSO, RA, DICKENS, PICHARDO, ARROYO, BLAKE, LAVINE -- Multi-Sponsored by -- M. of A. LUPARDO, THIELE -- read once and referred to the Committee on Banks AN ACT to amend the financial services law, in relation to creating a regulatory sandbox program; to amend the banking law, in relation to safeguarding financial technology products and services and prohibit- ing licensing fees for such products and services; and providing for the repeal of such provisions upon expiration thereof The People of the State of New York, represented in Senate and Assem- bly, do enact as follows: 1 Section 1. The financial services law is amended by adding a new arti- 2 cle 7 to read as follows: 3 ARTICLE 7 4 REGULATORY SANDBOX PROGRAM 5 Section 701. Definitions. 6 702. Reports; studies. 7 703. Program purpose. 8 704. Application process and requirements. 9 705. Consultation with applicable agencies; admission authority; 10 scope; insurance products; investment management. 11 706. Consumer protection. 12 707. Exit requirements. 13 708. Extensions. 14 709. Auditing by third party depository or custodian services. 15 710. Recordkeeping and reporting requirements. 16 711. Records; disclosure; evidentiary effect. 17 712. Reporting requirements; monitoring; enforcement; agree- 18 ments. 19 § 701. Definitions. For purposes of this article, the following terms 20 shall have the following meanings: EXPLANATION--Matter in italics (underscored) is new; matter in brackets [] is old law to be omitted. LBD03966-01-9A. 2213 2 1 (a) "Securities investor protection corporation" means a federally 2 mandated, non-profit, member-funded, United States corporation created 3 under the Securities Investor Protection Act of 1970 and mandates 4 membership of most United States registered broker-dealers. 5 (b) "Applicable agency" means a department or agency of this state 6 established by law to regulate certain types of business activity in 7 this state and persons engaged in such business, including the issuance 8 of licenses or other types of authorization, that the attorney general 9 and state comptroller determines would otherwise regulate a sandbox 10 participant if the person were not a regulatory sandbox participant. 11 (c) "Consumer" means a person that purchases or otherwise enters into 12 a transaction or agreement to receive a financial technology product or 13 service that is being tested by a sandbox participant. 14 (d) "Financial products or services" means a product or service that 15 requires licensure by the applicable agency or a product or service that 16 includes a business model, delivery mechanism or element that may other- 17 wise require a license or other authorization to act as a financial 18 institution or enterprise or other entity that is regulated by the 19 applicable agency. 20 (e) "Financial technology products or services" means a financial 21 product or service with the use or incorporation of new or emerging 22 technology or the reimagination of uses for existing technology to 23 address a problem, provide a benefit or otherwise offer a product, 24 service, business model or delivery mechanism that is not known by the 25 attorney general to have a comparable widespread offering in this state. 26 Such term shall include, but shall not be limited to, cryptocurrency 27 business activity. 28 (f) "Cryptocurrency" means a digital currency which uses encryption 29 techniques to regulate the generation of currency units and verify the 30 transfer of funds, operating independently from a central bank. 31 (g) "Cryptocurrency business activity" means the conduct of any of the 32 following types of activities involving New York or a New York resident: 33 (1) receiving cryptocurrency for transmission or transmitting crypto- 34 currency, except where the transaction is undertaken for non-financial 35 purposes and does not involve the transfer of more than a nominal amount 36 of cryptocurrency; 37 (2) storing, holding, or maintaining custody or control of cryptocur- 38 rency on behalf of others; 39 (3) buying and selling cryptocurrency as a customer business; 40 (4) performing exchange services of cryptocurrency as a customer busi- 41 ness; or 42 (5) controlling, administering, or issuing a cryptocurrency. 43 (h) "Regulatory sandbox" means the program established by this article 44 that allows a person to temporarily test financial technology products 45 or services on a limited basis without otherwise being licensed or 46 authorized to act under the laws of this state. 47 (i) "Sandbox participant" means a person whose application to partic- 48 ipate in the regulatory sandbox is approved pursuant to this article. 49 (j) "Test" means to provide activity and services as allowed by this 50 article. 51 § 702. Reports; studies. (a) The attorney general and state comp- 52 troller shall publish annually a written report describing the results 53 of the regulatory sandbox established pursuant to this article and the 54 results of their studies conducted pursuant to subdivision (b) of this 55 section.A. 2213 3 1 (b) The attorney general and state comptroller shall study long term 2 solutions to issues that arise from financial technology products or 3 services, including, but not limited to: 4 (1) the use of third party depository and custodian services as audi- 5 tors of financial technology products and services; and 6 (2) the use of the securities investor protection corporation to 7 insure all financial technology products and services account holder's 8 assets. 9 § 703. Program purpose. The attorney general and state comptroller 10 shall establish a regulatory sandbox in consultation with applicable 11 agencies of this state to enable a person to obtain limited access to 12 the market in this state to test financial technology products and 13 services without obtaining a license or other authorization that other- 14 wise may be required by law and without having to pay any fees associ- 15 ated with such license or authorization. 16 § 704. Application process and requirements. (a) Any person may apply 17 to enter the regulatory sandbox to test financial technology products or 18 services. 19 (b) The attorney general and state comptroller shall create a joint 20 office or coordinated process and shall accept and review each applica- 21 tion for entry into the regulatory sandbox on a rolling basis. 22 (c) An application shall demonstrate that the applicant both: 23 (1) is an entity or individual that is subject to the jurisdiction of 24 the attorney general and state comptroller through incorporation, resi- 25 dency, presence, agreement, or otherwise; and 26 (2) has established a location, whether physical or virtual, that is 27 adequately accessible to the attorney general and state comptroller from 28 which testing will be developed and performed and where all required 29 records, documents and data will be maintained. 30 (d) Any person, corporation, partnership or other entity that already 31 possesses a license or other authorization under state laws that regu- 32 late financial technology products or services shall file an application 33 with the attorney general and state comptroller to test financial tech- 34 nology products or services within the regulatory sandbox. 35 (e) Applications shall contain sufficient information to demonstrate 36 that an applicant has an adequate understanding of the financial tech- 37 nology product or service and a sufficient plan to test, monitor and 38 assess the financial technology product or service while ensuring 39 consumers are protected from a test's failure. 40 (f) Applicants shall contain the information required by a form devel- 41 oped and made publicly available by the attorney general and state comp- 42 troller. The information required by the form shall include, but shall 43 not be limited to: 44 (1) relevant personal and contact information for the applicant, 45 including full legal names, addresses, telephone numbers, e-mail 46 addresses, website addresses and any other information that the attorney 47 general and state comptroller deems necessary; 48 (2) disclosure of any criminal convictions of the applicant or key 49 personnel, if any; 50 (3) a description of the financial technology products or services 51 desired to be tested, including statements regarding all of the follow- 52 ing: 53 (A) how a financial technology product or service is subject to regu- 54 lation outside of the regulatory sandbox; 55 (B) how the financial technology product or service would benefit 56 consumers;A. 2213 4 1 (C) how the financial technology product or service is different from 2 other products or services available in this state; 3 (D) what risks will confront consumers that use or purchase the finan- 4 cial technology product or service; 5 (E) how entering the regulatory sandbox would enable a successful test 6 of the financial technology product or service; 7 (F) a description of the proposed testing plan, including estimated 8 time periods for market entry, market exit and the pursuit of necessary 9 licensure or authorization; and 10 (G) how the applicant will wind down the test and protect consumers if 11 the test fails. 12 (g) A person shall file a separate application for each financial 13 technology product or service sought to be tested. 14 (h) After the information required by subdivision (f) of this section 15 is submitted, the attorney general and state comptroller may seek addi- 16 tional information that is deemed necessary. Not later than ninety days 17 after an application is initially submitted, the attorney general and 18 state comptroller shall notify the applicant as to whether the applicant 19 is approved for entry into the regulatory sandbox. The attorney general 20 and state comptroller and an applicant may mutually agree to extend the 21 time period for the attorney general and state comptroller to determine 22 whether an application is approved for entry into the regulatory sand- 23 box. 24 (i) The attorney general and state comptroller may deny applicants at 25 their discretion and such a denial shall not be an appealable agency 26 action. 27 § 705. Consultation with applicable agencies; admission authority; 28 scope; insurance products; investment management. (a) (1) The attorney 29 general and state comptroller shall consult with an applicable state 30 agency before admitting a person into the regulatory sandbox. This 31 consultation may include seeking information about: 32 (A) whether the applicable agency previously has either (i) issued a 33 license or other authorization to the applicant, or (ii) investigated, 34 sanctioned or pursued legal action against the applicant; and 35 (B) whether the applicant could obtain a license or other authori- 36 zation from an applicable agency after exiting the regulatory sandbox. 37 (2) Notwithstanding paragraph one of this subdivision, the attorney 38 general and state comptroller have the sole authority to make the final 39 decision of whether to admit a person into the regulatory sandbox. 40 (b) If the attorney general and state comptroller approves an applica- 41 tion for entry into the regulatory sandbox, the applicant is deemed a 42 sandbox participant and both of the following shall apply: 43 (1) the sandbox participant has twenty-four months after the date of 44 approval to test the cryptocurrency business activity described in the 45 sandbox participant's application; and 46 (2) the attorney general and state comptroller shall issue the sandbox 47 participant a registration number. 48 (c) Financial technology products or services that are provided within 49 the regulatory sandbox are subject to the following restrictions: 50 (1) except as provided in subdivision (d) of this section, not more 51 than ten thousand consumers may transact through or enter into an agree- 52 ment to use the financial technology products or services; 53 (2) except as provided in subdivision (d) of this section, for a sand- 54 box participant testing products or services as a money transmitter, 55 individual transactions per consumer may not exceed ten thousand dollars 56 and aggregate transactions per consumer may not exceed two millionA. 2213 5 1 dollars over the course of the twenty-four months of the regulatory 2 sandbox period; 3 (3) for sandbox participants testing products or services as a financ- 4 ing agency as defined in subdivision nine of section three hundred one 5 of the personal property law, all of the following apply: 6 (A) section three hundred two of the personal property law; 7 (B) section three hundred three of the personal property law; 8 (C) section three hundred six of the personal property law; 9 (D) section three hundred eight of the personal property law; and 10 (E) section 9-601 of the uniform commercial code; and 11 (4) for sandbox participants testing products or services that provide 12 investment management that is regulated each sandbox participant shall: 13 (A) make, maintain and preserve books and records in accordance with 14 the requirements imposed on federal covered advisers under 17 CFR 15 275.204-2. The sandbox participant shall file with the state comptroller 16 and the attorney general's office a copy of any notices or written 17 undertakings required to be filed by federal covered advisers with the 18 securities and exchange commission under 17 CFR 275.204-2; and 19 (B) comply with all requirements imposed on federal covered advisers 20 under 17 CFR Part 275 with respect to: 21 (i) dishonest and unethical practices; 22 (ii) information required to be furnished to clients; 23 (iii) custody of client funds or securities; and 24 (iv) disclosure of financial and disciplinary information to clients. 25 (d) If a sandbox participant demonstrates adequate financial capital- 26 ization, risk management process and management oversight they may 27 request the attorney general and state comptroller to allow either or 28 both of the following: 29 (1) allow more than ten thousand consumers to transact through or 30 enter into an agreement to use the financial technology product or 31 service; 32 (2) for a sandbox participant testing products or services as a money 33 transmitter, allow individual transactions per consumer to exceed ten 34 thousand dollars and aggregate transactions per consumer to exceed two 35 million dollars during the twenty-four month regulatory sandbox period. 36 (e) This section shall not restrict a sandbox participant who holds a 37 license or other authorization in another jurisdiction from acting 38 pursuant to and in accordance with such license or other authorization. 39 (f) A sandbox participant is deemed to possess an appropriate license 40 under the laws of this state for any provision of federal law requiring 41 state licensure or authorization. 42 (g) Except as otherwise provided in this article, a sandbox partic- 43 ipant shall not be subject to state laws that regulate a financial prod- 44 uct or service. 45 (h) The attorney general and state comptroller may determine that 46 certain state laws that regulate financial products or services apply to 47 a sandbox participant. If the attorney general and state comptroller 48 make such determination and approve an application for entry into the 49 regulatory sandbox, the attorney general and state comptroller shall 50 notify the sandbox participant of the specific state regulatory laws 51 that will apply to the sandbox participant. 52 (i) A sandbox participant may obtain, record, provide or maintain in 53 electronic form any information, writing, signature, record or disclo- 54 sure that is required by this article or may substitute any substantial- 55 ly similar equivalent information, writing, signature, record or disclo- 56 sure that is approved by the attorney general and state comptroller.A. 2213 6 1 § 706. Consumer protection. (a) Before providing a financial technolo- 2 gy product or service to consumers, a sandbox participant shall disclose 3 to consumers all of the following: 4 (1) the name and contact information of the sandbox participant 5 including the registration number provided by the attorney general and 6 state comptroller; 7 (2) that the financial technology product or service is authorized 8 pursuant to the regulatory sandbox and, if applicable, that the sandbox 9 participant does not have a license or other authorization to generally 10 provide products or services under state laws that regulate a financial 11 product or service that is outside the regulatory sandbox; 12 (3) that the state does not endorse or recommend the financial tech- 13 nology product or service; 14 (4) that the financial technology product or service is a temporary 15 test that may be discontinued at the end of the testing period, includ- 16 ing the expected end date of the testing period; and 17 (5) that consumers may contact the attorney general and state comp- 18 troller to file complaints regarding the financial technology product or 19 service being tested and provide the attorney general and state comp- 20 troller's telephone number and website address where complaints may be 21 filed. 22 (b) The notifications prescribed in subdivision (a) of this section 23 shall be provided to consumers in a clear and conspicuous form in 24 accordance with New York state language access requirements. For inter- 25 net or application-based financial technology products or services, 26 consumers shall acknowledge receipt of such notifications before 27 completion of a transaction. 28 (c) The attorney general and state comptroller may require that a 29 sandbox participant make additional disclosures to consumers. When the 30 attorney general and state comptroller approve an application for entry 31 into the regulatory sandbox, the attorney general and state comptroller 32 shall notify the sandbox participant of the additional disclosures. 33 § 707. Exit requirements. (a) At least thirty days before the end of 34 the twenty-four month regulatory sandbox testing period a sandbox 35 participant must either: 36 (1) notify the attorney general and state comptroller that the sandbox 37 participant will exit the regulatory sandbox, wind down its test and 38 cease offering any financial technology products or services in the 39 regulatory sandbox within sixty days after the twenty-four month testing 40 period ends; or 41 (2) seek an extension to pursue a license or other authorization 42 required by law. 43 (b) If the attorney general and state comptroller does not receive 44 notification pursuant to subdivision (a) of this section, the regulatory 45 sandbox testing period ends at the end of the twenty-four month testing 46 period and the sandbox participant must immediately cease offering 47 financial technology products or services. 48 (c) If a test includes offering financial technology products or 49 services that require ongoing duties, the sandbox participant shall 50 continue to fulfill those duties or arrange for another person to 51 fulfill those duties after the date the sandbox participant exits the 52 regulatory sandbox. 53 § 708. Extensions. (a) A sandbox participant may request an extension 54 of the regulatory sandbox testing period for the purpose of pursuing a 55 license or other authorization required by law.A. 2213 7 1 (b) The attorney general and state comptroller may grant or deny a 2 request for an extension pursuant to subdivision (a) of this section by 3 the end of the twenty-four month regulatory sandbox testing period. An 4 extension pursuant to this subdivision is not effective for more than 5 one year after the end of the regulatory sandbox testing period. 6 (c) A sandbox participant that obtains an extension pursuant to subdi- 7 vision (b) of this section must provide the attorney general and state 8 comptroller with a written report every three months that provides an 9 update on efforts to obtain a license or other authorization, including 10 any submitted applications for licensure or other authorization, 11 rejected applications or issued licenses or other authorization. 12 § 709. Auditing by third party depository or custodian services. All 13 sandbox participants shall be audited by a third party depository or 14 custodian service. Such third party depository or custodian service 15 shall ensure that sandbox participants: 16 (a) have established and maintained a fund insuring a portion of their 17 account holder's assets by the securities investor protection corpo- 18 ration which shall replace the bond system; and 19 (b) provide financial technology products or services in full compli- 20 ance with this article. 21 § 710. Recordkeeping and reporting requirements. (a) A sandbox partic- 22 ipant must retain records, documents and data produced in the ordinary 23 course of business regarding a financial technology product or service 24 tested in the regulatory sandbox. 25 (b) If a financial technology product or service fails before the end 26 of the testing period, the sandbox participant must notify the attorney 27 general and state comptroller and report on actions taken to ensure 28 consumers have not been harmed as a result of the financial technology 29 products or services failure. 30 (c) A sandbox participant is subject to the requirements of section 31 two hundred eight of the state technology law and shall notify the 32 attorney general and state comptroller of any "breach of the security of 33 the system" as defined in paragraph (b) of subdivision one of section 34 two hundred eight of the state technology law. 35 § 711. Records; disclosure; evidentiary effect. (a) Records that are 36 submitted to or obtained by the attorney general and state comptroller 37 in administering this article are not public records or open for 38 inspection by the public. 39 (b) Records and information that are submitted or obtained pursuant to 40 this article may be disclosed to any of the following: 41 (1) state and federal agencies; 42 (2) representatives of foreign countries that have regulatory or 43 supervisory authority over the activities of the sandbox participant; 44 (3) a federal, state or county grand jury in response to a lawful 45 subpoena; and 46 (4) the state auditor general for the purpose of conducting audits 47 authorized by law. 48 (c) The attorney general and state comptroller and any applicable 49 agency consulted by the attorney general and state comptroller are not 50 liable for the disclosure of records, information or data received or 51 obtained pursuant to this article. 52 (d) The disclosure pursuant to subdivision (b) of this section of a 53 complaint or the results of an examination, inquiry or investigation of 54 a sandbox participant does not make that information a public record and 55 the sandbox participant or the sandbox participant's holding company may 56 not disclose that information to the general public unless the disclo-A. 2213 8 1 sure is required by law. A sandbox participant or the sandbox partic- 2 ipant's holding company may not disclose, use or reference in any form 3 comments, conclusions or results of an examination, inquiry or investi- 4 gation in any type of communication to a customer or potential customer. 5 (e) This section shall not prevent the disclosure of information that 6 is admissible as evidence in a civil or criminal proceeding brought by a 7 state or federal law enforcement agency to enforce or prosecute civil or 8 criminal violations of the law. 9 § 712. Reporting requirements; monitoring; enforcement; agreements. 10 (a) The attorney general and state comptroller may establish periodic 11 reporting requirements on sandbox participants. 12 (b) The attorney general and state comptroller may seek records, docu- 13 ments and data from sandbox participants. On the attorney general and 14 state comptroller's request, sandbox participants shall make such 15 records, documents and data available for inspection by the attorney 16 general and state comptroller. 17 (c) If the attorney general and state comptroller have reasonable 18 cause to believe that a sandbox participant has engaged in, is engaging 19 in or is about to engage in any practice or transaction that is in 20 violation of this article or section three hundred fifty-two of the 21 general business law, or that constitutes a violation of a state or 22 federal criminal law, the attorney general and state comptroller may 23 remove a sandbox participant from the regulatory sandbox or order a 24 sandbox participant to exit the regulatory sandbox program. 25 (d) Removal from the regulatory sandbox shall not be an appealable 26 agency action. 27 (e) Sandbox participants are subject to the consumer fraud provisions 28 under article twenty-three-A of the general business law. 29 (f) The attorney general and state comptroller may enter into agree- 30 ments with state, federal or foreign regulators that allow sandbox 31 participants to operate in other jurisdictions and allow entities 32 authorized to operate in other jurisdictions to be recognized as sandbox 33 participants in this state. 34 § 2. The banking law is amended by adding a new section 9-x to read as 35 follows: 36 § 9-x. Audit of financial technology products or services; prohibiting 37 licensing fees. 1. The following terms, when used in this section, shall 38 have the following meanings: 39 (a) "Financial technology products or services" means a financial 40 product or service with the use or incorporation of new or emerging 41 technology or the reimagination of uses for existing technology to 42 address a problem, provide a benefit or otherwise offer a product, 43 service, business model or delivery mechanism that is not known by the 44 attorney general to have a comparable widespread offering in this state. 45 Such term shall include, but shall not be limited to, cryptocurrency 46 business activity. 47 (b) "Cryptocurrency business activity" means the conduct of any of the 48 following types of activities involving New York or a New York resident: 49 (i) receiving cryptocurrency for transmission or transmitting crypto- 50 currency, except where the transaction is undertaken for non-financial 51 purposes and does not involve the transfer of more than a nominal amount 52 of cryptocurrency; 53 (ii) storing, holding, or maintaining custody or control of cryptocur- 54 rency on behalf of others; 55 (iii) buying and selling cryptocurrency as a customer business;A. 2213 9 1 (iv) performing exchange services of cryptocurrency as a customer 2 business; or 3 (v) controlling, administering, or issuing a cryptocurrency. 4 (c) "Cryptocurrency" means a digital currency which uses encryption 5 techniques to regulate the generation of currency units and verify the 6 transfer of funds, operating independently from a central bank. 7 2. Any person, corporation, partnership or other entity that provides 8 financial technology products or services shall be audited by a public 9 or private third party depository or custodian service. Such third party 10 depository or custodian service shall: 11 (a) ensure that such person, corporation, partnership or other entity 12 that provides financial technology products of services has established 13 security protocols to safeguard them from theft; 14 (b) ensure that such person, corporation, partnership or other entity 15 that provides financial technology products or services has established 16 and maintained a fund insuring a portion of their account holder's 17 assets by the securities investor protection corporation which shall 18 replace the bond system; and 19 (c) regularly examine holdings of such person, corporation, partner- 20 ship or other entity that provides financial technology products or 21 services to ensure proper ownership of assets. 22 3. Notwithstanding any other law, rule or regulation, no person, 23 corporation, partnership or other entity that provides financial tech- 24 nology products or services shall be required to pay a licensing fee in 25 order to provide such financial technology products or services. 26 § 3. This act shall take effect on the one hundred eightieth day after 27 it shall have become a law and shall expire and be deemed repealed July 28 1, 2029; provided, however, that effective immediately, the addition, 29 amendment and/or repeal of any rule or regulation necessary for the 30 implementation of this act on its effective date are authorized to be 31 made and completed on or before such effective date.