New York to Bitcoin Startups: Get Permission (techcrunch.com)
>2. Require them to hold an undetermined amount of U.S. dollar funds in bonds or trusts. Startups will not be able to predict the bonding or capitalization requirements until after they apply, making it difficult to project expenses or raise money.
>3. Conduct expensive audits and security testing that no small startup could afford.
>4. Hand over any untouched user assets to NY State after five years as “abandoned property.”
If these four things deter you, please do everyone a favor and do not start any company that handles other people's money.
* Coinbase: A startup that holds millions of dollars worth of bitcoin for mostly consumers
* The reddit tip bot: a non-profit community tool that explicitly discourages holding more than a dollar or two
* Blockchain: A startup that holds no money for anyone, but writes and serves software that helps people hold their own money online.
Do you think all three of these groups should go through this process?
I'm not really sure why that particular regulation is so onerous in any of these situations, since any responsible team would be thinking about security throughout, including and especially post-development.
At least in principle (maybe you'd prefer different auditing standards or practices -- that's what I mean by in principle).
edit: of course each of these is a different sort of service, and different levels of risk management are appropriate. In particular, the case of Blockchain seems like a real quagmire. I guess it would probably depend heavily on the revenue model.
Really my only point is that I would have a really hard time sleeping at night if I had to sign off on not applying state-of-the-art auditing and testing techniques to any of these, even Blockchain. Maybe I'm too crotchety and old-school for bitcoin.
The rest of it I can sorta understand, provided that society is viewing Bitcoin less as a weird internet thing, and more as a money thing, I can understand regulators wanting to treat Bitcoin institutions like financial institutions, but collecting fingerprints just to start a business seems so 1984.
Which, IMO, isn't "so 1984" because those are historically all major fraud avenues.
each Licensee must obtain the superintendent’s prior written approval for any plan or proposal to introduce or offer a new product, service, or activity, or to make a material change to an existing product, service, or activity
I am personally intrigued by point 4, "any untouched asset after five years is abandoned property". So, if I deposit money in my account, it's not mine after five years? Where does it work like that?
https://www.osc.state.ny.us/ouf/
Your comment is kind of what I'm talking about. You do not know nearly enough about this stuff to start a Bitcoin startup judging by the fact that you don't even know what unclaimed property is. Therefore I hope regulations like this prevent you and other obviously unqualified people from handling other people's money.
EDIT: I came out a bit harsh on this and I apologize. I intended to use it as an example of you likely having the technical ability for such a project but not the financial knowledge, which in my opinion is the dangerous situation these regulations will hopefully prevent.
That's how bank accounts in NY State currently work. However, if your account has been idle for a while, your bank tries to contact you to tell you about it. If you have on-line banking, logging in to your account usually makes it active again.
Also, in the event that your money does get turned over to the state, you can ask the state to return it to you.
I think this law is primarily designed to ensure that if people die without leaving a will, the funds will go to the state rather than to the bank. If heirs (e.g., next of kin) turn up eventually, it's easier to go to the state's web site and look for unclaimed property under someone's name than to try to figure out which of hundreds of banks the deceased had his account at.
Capital requirement is misplaced: Bitcoin startups are not generally fractional banking institutions. Also, they operate in Bitcoin, so why demand they hold assets denominated in USD? It's not like the customers can come back demanding to sell their Bitcoin at the same exchange rate they bought it at.
Audits and security testing sound perfectly appropriate.
Inactive assets handover also seems appropriate since it provides the most efficient way to manage and ultimately return abandoned property to its rightful owner.
So if you hold bitcoin in an account for 5 years, the state will steal it from you by force?
This is entirely about the state inserting themselves between people, their money, and where they want to spend it. You'd be ignorant to believe that the Feds wouldn't apply the same, transaction-ending, censorship level of force to Bitcoin transactions services ("Oh your users are sending money to Wikileaks? We deem that a risky transaction and now require you to hold 10X funds in dollars and to buy additional bonds. Oh What a coincidence that's outside of your financial situation that we have complete privilege to inspect.")
"Second, this model [the Bitcoin ecosystem] unbundles the existing financial system into layers run by independent companies. To see the value of this, contrast with the US mobile carriers, who used to own the entire stack. They owned the handsets, the operating systems, the applications running on the phone, and the service. This meant that most of the stack never had anything pushing it to get very good, and there were even incentives to hold it back in order to preserve legacy revenue-generating facilities like SMS. By enabling competition at individual layers of the financial system, each one should improve."
The big banks of NY are threatened by Bitcoin and are working with the same people/regulators they've rubbed elbows with for so long. If regulators really cared about protecting consumers they would have prosecuted big banks for the biggest destruction in wealth in human history aka the 2008 financial crash.
This is all kind of amusing. 1) Government architects Internet in a decentralized fashion so that it survives damage from a nuclear attack. 2) Government tries to control Internet and fails because Internet, being decentralized, routes around control because it is seen as damage. 3) Bitcoin is pure Internet money.
The math isn't that hard here. This should be interesting...
The authors of this post are both biased in favor of Bitcoin, and not particularly careful examiners of the real consumer protection issues at hand.
1. Capital Requirements, licensing and Bonding for people who hold money for consumers who are not banks. These rules are consumer protection laws and make sense for businesses that offer custodial accounts denominated in bitcoin or dollars. These rules could have been applied to Instawallet, Coinbase, Mt. Gox, etc.
2. AML + KYC rules. These require people who help move money into and out of the banking system to find out who their customers are and report them to law enforcement when they do the unexpected. These rules could be applied normally to people doing exchange services, like Expresscoin, BitInstant (RIP), CoInvoice, etc.
I've spent years and hundreds of thousands of investor dollars examining the issues here, like you have. Stay tuned for a policy piece describing when these rules make sense and when they don't. Hint: If you are just posting software to github, these rules do not make sense to apply to you.
The point of the article was not to focus on the consumer protection issues, but instead to point out how it could kill startups in the name of consumer protection. We are both in favor of avoiding another Mt. Gox, and the numerous other cases where user funds were lost, which includes escrow of the funds held for users. I'd be curious to get your thoughts as to what you consider the most pressing consumer protection issues, as we're working on another piece that will focus more on these.
I should have also added that although the person I was replying to (xorcist) was unqualified in the financial knowledge, I assume by way of being around HN, that they likely have more than enough technical aptitude for such an endeavor.
These regulations, in my opinion, work to protect the larger markets from exactly that type of dangerous situation.
If that eliminates small startups in the space from directly offering services to consumers, so be it.
It makes sense to regulate and, for example, require escrow for companies that are holding user funds in order to avoid the exact situation you point out. It doesn't make sense for a web wallet where the user is storing her own keys client-side.
I think this sounds more true than it actually is. "Works" is a fairly ambiguous word, but new technology is released into existing regulatory frameworks every day.
And if you were aware of the existing regulatory framework, how is any of this different or surprising?
Fingerprints are not routinely collected in the United States to open bank accounts, send or receive wire transfers, or request passports.
AFAIK there has never been a fingerprint requirement for US passports.
Actually, these rules ARE applied to Coinbase at the very least. Coinbase--and YC, and many YC startups--deliberately choose to ignore them.
On the other hand, assuming that you have filed a lawsuit against Coinbase, it sounds like you can no longer pass neutral comment on the matter. Something you seem to have conveniently not mentioned.
In any event, there's no legal reason why he couldn't comment. He's not involved, except to the extent that his own company might also be ignoring the law and thereby breaking it--which I have no idea if it's the case or not. But plenty of startups do.
It doesn't take a lot to add "[full disclosure: I'm suing Coinbase]" when you opine on Coinbase. Having somebody else bring it up first definitely reduces your credibility.
And the audits comprise financial audits as well, which surely make sense for bitcoin exchanges and companies holding funds, but not so much for open source projects or technologies that are built around bitcoin but where no funds are held.
That said, the actual regulatory proposal has many more requirements than even mentioned in the article (including quarterly reports to the NY State Superintendent, collecting of user data, and the possibility of being denied a license without a system for due process in place), and things that the creator of a Reddit tip bot surely couldn't comply with.
I'll be very curious to see how companies built up around client software but not directly handling money are treated in your proposal. I think safety-critical industries cover these in various different ways, normally under the assumption that the companies are producing either a) "components" for use in safety-critical systems; or b) tools which will be used for QA processes. I'm not sure either applies well, especially in the case of OSS. And I don't know of anything similar in finance.
Tell that to OpenSSL.
Would you include web browsers, OSs, system libraries and such in that definition? All those can steal users money if compromised. If so, who do you suggest be responsible for that in an open source project?
Not in a vacuum; they have to be deployed in a setting where that's possible.
> Would you include web browsers, OSs, system libraries and such in that definition?
It's sort-of a moot point, because the major products in all of these areas are routinely analyzed from a security perspective. Apple and Microsoft both spend a lot of money on security, and security researchers spend lots of time and effort auditing Linux.
> If so, who do you suggest be responsible for that in an open source project?
The organization deploying the software in a security-critical setting should follow best practices when selecting and maintaining components.
There's a significant difference between engineering failures that happen even when you've followed best practices, and very preventable engineering failures that happen only because you've not followed best practices. Just because perfect security isn't possible doesn't mean we should give up entirely and not even bother sanitizing input, for instance.
Additionally, OS vendors should not encourage users to use their software in security-critical settings unless the vendor is following best practices w.r.t. security. This is where I could see some bitcoin projects getting into trouble.
> for any piece of software from which it's possible to drain large sums of money
To which I might add "directly" or "quickly" or "covertly", but I think you get the intent. My edit to the parent comment also applies, since none of these is a binary value and risk management should match the assumed risk.
edit: I would say that the fact that it's only a few bucks per user is not relevant, especially if that limit isn't hard-coded.
https://github.com/vindimy/altcointip/blob/master/src/cointi...
with this
https://github.com/vindimy/altcointip/blob/master/src/ctb/ct...
You don't think that might allow someone to do a bit of skimming by playing a little loose with the exchange rates?
In these cases, absolutely yes! The shouldness should be codified into law.
The best mechanism (regulation vs. after-the-fact culpability; specific legislation vs. using existing frameworks, etc.) is debatable.
But companies who cause public harm by not following best practices (either intentionally or due to poorly trained engineers) should be held legally responsible for preventable disasters. Just like it's done in many more mature (as in older) engineering fields.