STATE OF NEW YORK
________________________________________________________________________
9899--A
IN ASSEMBLY
February 21, 2018
___________
Introduced by M. of A. KIM, VANEL, QUART, SEPULVEDA, D'URSO, RA --
Multi-Sponsored by -- M. of A. LUPARDO -- read once and referred to
the Committee on Banks -- committee discharged, bill amended, ordered
reprinted as amended and recommitted to said committee
AN ACT to amend the financial services law, in relation to creating a
regulatory sandbox program; to amend the banking law, in relation to
safeguarding financial technology products and services and prohibit-
ing licensing fees for such products and services; and providing for
the repeal of such provisions upon expiration thereof
The People of the State of New York, represented in Senate and Assem-bly, do enact as follows:
1 Section 1. The financial services law is amended by adding a new arti-
2 cle 7 to read as follows:
3 ARTICLE 7
4 REGULATORY SANDBOX PROGRAM
5 Section 701. Definitions.
6 702. Reports; studies.
7 703. Program purpose.
8 704. Application process and requirements.
9 705. Consultation with applicable agencies; admission authority;
10 scope; insurance products; investment management.
11 706. Consumer protection.
12 707. Exit requirements.
13 708. Extensions.
14 709. Auditing by third party depository or custodian services.
15 710. Recordkeeping and reporting requirements.
16 711. Records; disclosure; evidentiary effect.
17 712. Reporting requirements; monitoring; enforcement; agree-
18 ments.
19 § 701. Definitions. For purposes of this article, the following terms
20 shall have the following meanings:
21 (a) "Securities investor protection corporation" means a federally
22 mandated, non-profit, member-funded, United States corporation created
EXPLANATION--Matter in italics (underscored) is new; matter in brackets
[] is old law to be omitted.
LBD14772-03-8
A. 9899--A 2
1 under the Securities Investor Protection Act of 1970 and mandates
2 membership of most United States registered broker-dealers.
3 (b) "Applicable agency" means a department or agency of this state
4 established by law to regulate certain types of business activity in
5 this state and persons engaged in such business, including the issuance
6 of licenses or other types of authorization, that the attorney general
7 and state comptroller determines would otherwise regulate a sandbox
8 participant if the person were not a regulatory sandbox participant.
9 (c) "Consumer" means a person that purchases or otherwise enters into
10 a transaction or agreement to receive a financial technology product or
11 service that is being tested by a sandbox participant.
12 (d) "Financial products or services" means a product or service that
13 requires licensure by the applicable agency or a product or service that
14 includes a business model, delivery mechanism or element that may other-
15 wise require a license or other authorization to act as a financial
16 institution or enterprise or other entity that is regulated by the
17 applicable agency.
18 (e) "Financial technology products or services" means a financial
19 product or service with the use or incorporation of new or emerging
20 technology or the reimagination of uses for existing technology to
21 address a problem, provide a benefit or otherwise offer a product,
22 service, business model or delivery mechanism that is not known by the
23 attorney general to have a comparable widespread offering in this state.
24 Such term shall include, but shall not be limited to, cryptocurrency
25 business activity.
26 (f) "Cryptocurrency" means a digital currency which uses encryption
27 techniques to regulate the generation of currency units and verify the
28 transfer of funds, operating independently from a central bank.
29 (g) "Cryptocurrency business activity" means the conduct of any of the
30 following types of activities involving New York or a New York resident:
31 (1) receiving cryptocurrency for transmission or transmitting crypto-
32 currency, except where the transaction is undertaken for non-financial
33 purposes and does not involve the transfer of more than a nominal amount
34 of cryptocurrency;
35 (2) storing, holding, or maintaining custody or control of cryptocur-
36 rency on behalf of others;
37 (3) buying and selling cryptocurrency as a customer business;
38 (4) performing exchange services of cryptocurrency as a customer busi-
39 ness; or
40 (5) controlling, administering, or issuing a cryptocurrency.
41 (h) "Regulatory sandbox" means the program established by this article
42 that allows a person to temporarily test financial technology products
43 or services on a limited basis without otherwise being licensed or
44 authorized to act under the laws of this state.
45 (i) "Sandbox participant" means a person whose application to partic-
46 ipate in the regulatory sandbox is approved pursuant to this article.
47 (j) "Test" means to provide activity and services as allowed by this
48 article.
49 § 702. Reports; studies. (a) The attorney general and state comp-
50 troller shall publish annually a written report describing the results
51 of the regulatory sandbox established pursuant to this article and the
52 results of their studies conducted pursuant to subdivision (b) of this
53 section.
54 (b) The attorney general and state comptroller shall study long term
55 solutions to issues that arise from financial technology products or
56 services, including, but not limited to:
A. 9899--A 3
1 (1) the use of third party depository and custodian services as audi-
2 tors of financial technology products and services; and
3 (2) the use of the securities investor protection corporation to
4 insure all financial technology products and services account holder's
5 assets.
6 § 703. Program purpose. The attorney general and state comptroller
7 shall establish a regulatory sandbox in consultation with applicable
8 agencies of this state to enable a person to obtain limited access to
9 the market in this state to test financial technology products and
10 services without obtaining a license or other authorization that other-
11 wise may be required by law and without having to pay any fees associ-
12 ated with such license or authorization.
13 § 704. Application process and requirements. (a) Any person may apply
14 to enter the regulatory sandbox to test financial technology products or
15 services.
16 (b) The attorney general and state comptroller shall create a joint
17 office or coordinated process and shall accept and review each applica-
18 tion for entry into the regulatory sandbox on a rolling basis.
19 (c) An application shall demonstrate that the applicant both:
20 (1) is an entity or individual that is subject to the jurisdiction of
21 the attorney general and state comptroller through incorporation, resi-
22 dency, presence, agreement, or otherwise; and
23 (2) has established a location, whether physical or virtual, that is
24 adequately accessible to the attorney general and state comptroller from
25 which testing will be developed and performed and where all required
26 records, documents and data will be maintained.
27 (d) Any person, corporation, partnership or other entity that already
28 possesses a license or other authorization under state laws that regu-
29 late financial technology products or services shall file an application
30 with the attorney general and state comptroller to test financial tech-
31 nology products or services within the regulatory sandbox.
32 (e) Applications shall contain sufficient information to demonstrate
33 that an applicant has an adequate understanding of the financial tech-
34 nology product or service and a sufficient plan to test, monitor and
35 assess the financial technology product or service while ensuring
36 consumers are protected from a test's failure.
37 (f) Applicants shall contain the information required by a form devel-
38 oped and made publicly available by the attorney general and state comp-
39 troller. The information required by the form shall include, but shall
40 not be limited to:
41 (1) relevant personal and contact information for the applicant,
42 including full legal names, addresses, telephone numbers, e-mail
43 addresses, website addresses and any other information that the attorney
44 general and state comptroller deems necessary;
45 (2) disclosure of any criminal convictions of the applicant or key
46 personnel, if any;
47 (3) a description of the financial technology products or services
48 desired to be tested, including statements regarding all of the follow-
49 ing:
50 (A) how a financial technology product or service is subject to regu-
51 lation outside of the regulatory sandbox;
52 (B) how the financial technology product or service would benefit
53 consumers;
54 (C) how the financial technology product or service is different from
55 other products or services available in this state;
A. 9899--A 4
1 (D) what risks will confront consumers that use or purchase the finan-
2 cial technology product or service;
3 (E) how entering the regulatory sandbox would enable a successful test
4 of the financial technology product or service;
5 (F) a description of the proposed testing plan, including estimated
6 time periods for market entry, market exit and the pursuit of necessary
7 licensure or authorization; and
8 (G) how the applicant will wind down the test and protect consumers if
9 the test fails.
10 (g) A person shall file a separate application for each financial
11 technology product or service sought to be tested.
12 (h) After the information required by subdivision (f) of this section
13 is submitted, the attorney general and state comptroller may seek addi-
14 tional information that is deemed necessary. Not later than ninety days
15 after an application is initially submitted, the attorney general and
16 state comptroller shall notify the applicant as to whether the applicant
17 is approved for entry into the regulatory sandbox. The attorney general
18 and state comptroller and an applicant may mutually agree to extend the
19 time period for the attorney general and state comptroller to determine
20 whether an application is approved for entry into the regulatory sand-
21 box.
22 (i) The attorney general and state comptroller may deny applicants at
23 their discretion and such a denial shall not be an appealable agency
24 action.
25 § 705. Consultation with applicable agencies; admission authority;
26 scope; insurance products; investment management. (a) (1) The attorney
27 general and state comptroller shall consult with an applicable state
28 agency before admitting a person into the regulatory sandbox. This
29 consultation may include seeking information about:
30 (A) whether the applicable agency previously has either (i) issued a
31 license or other authorization to the applicant, or (ii) investigated,
32 sanctioned or pursued legal action against the applicant; and
33 (B) whether the applicant could obtain a license or other authori-
34 zation from an applicable agency after exiting the regulatory sandbox.
35 (2) Notwithstanding paragraph one of this subdivision, the attorney
36 general and state comptroller have the sole authority to make the final
37 decision of whether to admit a person into the regulatory sandbox.
38 (b) If the attorney general and state comptroller approves an applica-
39 tion for entry into the regulatory sandbox, the applicant is deemed a
40 sandbox participant and both of the following shall apply:
41 (1) the sandbox participant has twenty-four months after the date of
42 approval to test the cryptocurrency business activity described in the
43 sandbox participant's application; and
44 (2) the attorney general and state comptroller shall issue the sandbox
45 participant a registration number.
46 (c) Financial technology products or services that are provided within
47 the regulatory sandbox are subject to the following restrictions:
48 (1) except as provided in subdivision (d) of this section, not more
49 than ten thousand consumers may transact through or enter into an agree-
50 ment to use the financial technology products or services;
51 (2) except as provided in subdivision (d) of this section, for a sand-
52 box participant testing products or services as a money transmitter,
53 individual transactions per consumer may not exceed ten thousand dollars
54 and aggregate transactions per consumer may not exceed two million
55 dollars over the course of the twenty-four months of the regulatory
56 sandbox period;
A. 9899--A 5
1 (3) for sandbox participants testing products or services as a financ-
2 ing agency as defined in subdivision nine of section three hundred one
3 of the personal property law, all of the following apply:
4 (A) section three hundred two of the personal property law;
5 (B) section three hundred three of the personal property law;
6 (C) section three hundred six of the personal property law;
7 (D) section three hundred eight of the personal property law; and
8 (E) section 9-601 of the uniform commercial code; and
9 (4) for sandbox participants testing products or services that provide
10 investment management that is regulated each sandbox participant shall:
11 (A) make, maintain and preserve books and records in accordance with
12 the requirements imposed on federal covered advisers under 17 CFR
13 275.204-2. The sandbox participant shall file with the state comptroller
14 and the attorney general's office a copy of any notices or written
15 undertakings required to be filed by federal covered advisers with the
16 securities and exchange commission under 17 CFR 275.204-2; and
17 (B) comply with all requirements imposed on federal covered advisers
18 under 17 CFR Part 275 with respect to:
19 (i) dishonest and unethical practices;
20 (ii) information required to be furnished to clients;
21 (iii) custody of client funds or securities; and
22 (iv) disclosure of financial and disciplinary information to clients.
23 (d) If a sandbox participant demonstrates adequate financial capital-
24 ization, risk management process and management oversight they may
25 request the attorney general and state comptroller to allow either or
26 both of the following:
27 (1) allow more than ten thousand consumers to transact through or
28 enter into an agreement to use the financial technology product or
29 service;
30 (2) for a sandbox participant testing products or services as a money
31 transmitter, allow individual transactions per consumer to exceed ten
32 thousand dollars and aggregate transactions per consumer to exceed two
33 million dollars during the twenty-four month regulatory sandbox period.
34 (e) This section shall not restrict a sandbox participant who holds a
35 license or other authorization in another jurisdiction from acting
36 pursuant to and in accordance with such license or other authorization.
37 (f) A sandbox participant is deemed to possess an appropriate license
38 under the laws of this state for any provision of federal law requiring
39 state licensure or authorization.
40 (g) Except as otherwise provided in this article, a sandbox partic-
41 ipant shall not be subject to state laws that regulate a financial prod-
42 uct or service.
43 (h) The attorney general and state comptroller may determine that
44 certain state laws that regulate financial products or services apply to
45 a sandbox participant. If the attorney general and state comptroller
46 make such determination and approve an application for entry into the
47 regulatory sandbox, the attorney general and state comptroller shall
48 notify the sandbox participant of the specific state regulatory laws
49 that will apply to the sandbox participant.
50 (i) A sandbox participant may obtain, record, provide or maintain in
51 electronic form any information, writing, signature, record or disclo-
52 sure that is required by this article or may substitute any substantial-
53 ly similar equivalent information, writing, signature, record or disclo-
54 sure that is approved by the attorney general and state comptroller.
A. 9899--A 6
1 § 706. Consumer protection. (a) Before providing a financial technolo-
2 gy product or service to consumers, a sandbox participant shall disclose
3 to consumers all of the following:
4 (1) the name and contact information of the sandbox participant
5 including the registration number provided by the attorney general and
6 state comptroller;
7 (2) that the financial technology product or service is authorized
8 pursuant to the regulatory sandbox and, if applicable, that the sandbox
9 participant does not have a license or other authorization to generally
10 provide products or services under state laws that regulate a financial
11 product or service that is outside the regulatory sandbox;
12 (3) that the state does not endorse or recommend the financial tech-
13 nology product or service;
14 (4) that the financial technology product or service is a temporary
15 test that may be discontinued at the end of the testing period, includ-
16 ing the expected end date of the testing period; and
17 (5) that consumers may contact the attorney general and state comp-
18 troller to file complaints regarding the financial technology product or
19 service being tested and provide the attorney general and state comp-
20 troller's telephone number and website address where complaints may be
21 filed.
22 (b) The notifications prescribed in subdivision (a) of this section
23 shall be provided to consumers in a clear and conspicuous form in
24 accordance with New York state language access requirements. For inter-
25 net or application-based financial technology products or services,
26 consumers shall acknowledge receipt of such notifications before
27 completion of a transaction.
28 (c) The attorney general and state comptroller may require that a
29 sandbox participant make additional disclosures to consumers. When the
30 attorney general and state comptroller approve an application for entry
31 into the regulatory sandbox, the attorney general and state comptroller
32 shall notify the sandbox participant of the additional disclosures.
33 § 707. Exit requirements. (a) At least thirty days before the end of
34 the twenty-four month regulatory sandbox testing period a sandbox
35 participant must either:
36 (1) notify the attorney general and state comptroller that the sandbox
37 participant will exit the regulatory sandbox, wind down its test and
38 cease offering any financial technology products or services in the
39 regulatory sandbox within sixty days after the twenty-four month testing
40 period ends; or
41 (2) seek an extension to pursue a license or other authorization
42 required by law.
43 (b) If the attorney general and state comptroller does not receive
44 notification pursuant to subdivision (a) of this section, the regulatory
45 sandbox testing period ends at the end of the twenty-four month testing
46 period and the sandbox participant must immediately cease offering
47 financial technology products or services.
48 (c) If a test includes offering financial technology products or
49 services that require ongoing duties, the sandbox participant shall
50 continue to fulfill those duties or arrange for another person to
51 fulfill those duties after the date the sandbox participant exits the
52 regulatory sandbox.
53 § 708. Extensions. (a) A sandbox participant may request an extension
54 of the regulatory sandbox testing period for the purpose of pursuing a
55 license or other authorization required by law.
A. 9899--A 7
1 (b) The attorney general and state comptroller may grant or deny a
2 request for an extension pursuant to subdivision (a) of this section by
3 the end of the twenty-four month regulatory sandbox testing period. An
4 extension pursuant to this subdivision is not effective for more than
5 one year after the end of the regulatory sandbox testing period.
6 (c) A sandbox participant that obtains an extension pursuant to subdi-
7 vision (b) of this section must provide the attorney general and state
8 comptroller with a written report every three months that provides an
9 update on efforts to obtain a license or other authorization, including
10 any submitted applications for licensure or other authorization,
11 rejected applications or issued licenses or other authorization.
12 § 709. Auditing by third party depository or custodian services. All
13 sandbox participants shall be audited by a third party depository or
14 custodian service. Such third party depository or custodian service
15 shall ensure that sandbox participants:
16 (a) have established and maintained a fund insuring a portion of their
17 account holder's assets by the securities investor protection corpo-
18 ration which shall replace the bond system; and
19 (b) provide financial technology products or services in full compli-
20 ance with this article.
21 § 710. Recordkeeping and reporting requirements. (a) A sandbox partic-
22 ipant must retain records, documents and data produced in the ordinary
23 course of business regarding a financial technology product or service
24 tested in the regulatory sandbox.
25 (b) If a financial technology product or service fails before the end
26 of the testing period, the sandbox participant must notify the attorney
27 general and state comptroller and report on actions taken to ensure
28 consumers have not been harmed as a result of the financial technology
29 products or services failure.
30 (c) A sandbox participant is subject to the requirements of section
31 two hundred eight of the state technology law and shall notify the
32 attorney general and state comptroller of any "breach of the security of
33 the system" as defined in paragraph (b) of subdivision one of section
34 two hundred eight of the state technology law.
35 § 711. Records; disclosure; evidentiary effect. (a) Records that are
36 submitted to or obtained by the attorney general and state comptroller
37 in administering this article are not public records or open for
38 inspection by the public.
39 (b) Records and information that are submitted or obtained pursuant to
40 this article may be disclosed to any of the following:
41 (1) state and federal agencies;
42 (2) representatives of foreign countries that have regulatory or
43 supervisory authority over the activities of the sandbox participant;
44 (3) a federal, state or county grand jury in response to a lawful
45 subpoena; and
46 (4) the state auditor general for the purpose of conducting audits
47 authorized by law.
48 (c) The attorney general and state comptroller and any applicable
49 agency consulted by the attorney general and state comptroller are not
50 liable for the disclosure of records, information or data received or
51 obtained pursuant to this article.
52 (d) The disclosure pursuant to subdivision (b) of this section of a
53 complaint or the results of an examination, inquiry or investigation of
54 a sandbox participant does not make that information a public record and
55 the sandbox participant or the sandbox participant's holding company may
56 not disclose that information to the general public unless the disclo-
A. 9899--A 8
1 sure is required by law. A sandbox participant or the sandbox partic-
2 ipant's holding company may not disclose, use or reference in any form
3 comments, conclusions or results of an examination, inquiry or investi-
4 gation in any type of communication to a customer or potential customer.
5 (e) This section shall not prevent the disclosure of information that
6 is admissible as evidence in a civil or criminal proceeding brought by a
7 state or federal law enforcement agency to enforce or prosecute civil or
8 criminal violations of the law.
9 § 712. Reporting requirements; monitoring; enforcement; agreements.
10 (a) The attorney general and state comptroller may establish periodic
11 reporting requirements on sandbox participants.
12 (b) The attorney general and state comptroller may seek records, docu-
13 ments and data from sandbox participants. On the attorney general and
14 state comptroller's request, sandbox participants shall make such
15 records, documents and data available for inspection by the attorney
16 general and state comptroller.
17 (c) If the attorney general and state comptroller have reasonable
18 cause to believe that a sandbox participant has engaged in, is engaging
19 in or is about to engage in any practice or transaction that is in
20 violation of this article or section three hundred fifty-two of the
21 general business law, or that constitutes a violation of a state or
22 federal criminal law, the attorney general and state comptroller may
23 remove a sandbox participant from the regulatory sandbox or order a
24 sandbox participant to exit the regulatory sandbox program.
25 (d) Removal from the regulatory sandbox shall not be an appealable
26 agency action.
27 (e) Sandbox participants are subject to the consumer fraud provisions
28 under article twenty-three-A of the general business law.
29 (f) The attorney general and state comptroller may enter into agree-
30 ments with state, federal or foreign regulators that allow sandbox
31 participants to operate in other jurisdictions and allow entities
32 authorized to operate in other jurisdictions to be recognized as sandbox
33 participants in this state.
34 § 2. The banking law is amended by adding a new section 9-x to read as
35 follows:
36 § 9-x. Audit of financial technology products or services; prohibiting
37 licensing fees. 1. The following terms, when used in this section, shall
38 have the following meanings:
39 (a) "Financial technology products or services" means a financial
40 product or service with the use or incorporation of new or emerging
41 technology or the reimagination of uses for existing technology to
42 address a problem, provide a benefit or otherwise offer a product,
43 service, business model or delivery mechanism that is not known by the
44 attorney general to have a comparable widespread offering in this state.
45 Such term shall include, but shall not be limited to, cryptocurrency
46 business activity.
47 (b) "Cryptocurrency business activity" means the conduct of any of the
48 following types of activities involving New York or a New York resident:
49 (i) receiving cryptocurrency for transmission or transmitting crypto-
50 currency, except where the transaction is undertaken for non-financial
51 purposes and does not involve the transfer of more than a nominal amount
52 of cryptocurrency;
53 (ii) storing, holding, or maintaining custody or control of cryptocur-
54 rency on behalf of others;
55 (iii) buying and selling cryptocurrency as a customer business;
A. 9899--A 9
1 (iv) performing exchange services of cryptocurrency as a customer
2 business; or
3 (v) controlling, administering, or issuing a cryptocurrency.
4 (c) "Cryptocurrency" means a digital currency which uses encryption
5 techniques to regulate the generation of currency units and verify the
6 transfer of funds, operating independently from a central bank.
7 2. Any person, corporation, partnership or other entity that provides
8 financial technology products or services shall be audited by a public
9 or private third party depository or custodian service. Such third party
10 depository or custodian service shall:
11 (a) ensure that such person, corporation, partnership or other entity
12 that provides financial technology products of services has established
13 security protocols to safeguard them from theft;
14 (b) ensure that such person, corporation, partnership or other entity
15 that provides financial technology products or services has established
16 and maintained a fund insuring a portion of their account holder's
17 assets by the securities investor protection corporation which shall
18 replace the bond system; and
19 (c) regularly examine holdings of such person, corporation, partner-
20 ship or other entity that provides financial technology products or
21 services to ensure proper ownership of assets.
22 3. Notwithstanding any other law, rule or regulation, no person,
23 corporation, partnership or other entity that provides financial tech-
24 nology products or services shall be required to pay a licensing fee in
25 order to provide such financial technology products or services.
26 § 3. This act shall take effect on the one hundred eightieth day after
27 it shall have become a law and shall expire and be deemed repealed July
28 1, 2028; provided, however, that effective immediately, the addition,
29 amendment and/or repeal of any rule or regulation necessary for the
30 implementation of this act on its effective date are authorized to be
31 made and completed on or before such effective date.
