BitLicense: New York's Crypto Regulation That Changed an Industry

When Benjamin Lawsky left the New York Department of Financial Services in 2015, his farewell gift to the crypto industry was the BitLicense — the most comprehensive state-level crypto regulation in US history, and arguably the most controversial. A decade later, approximately 30 companies hold the license. Dozens more left New York rather than pursue it. And the framework’s conceptual architecture has influenced regulators from Frankfurt to Singapore.

The BitLicense story is the story of what happens when a determined regulator moves decisively in a space where federal law doesn’t apply, consumer harms are real, and the industry is too young to have established compliance infrastructure. The results are instructive — both as a model and as a warning.

Origins: Lawsky’s Consumer Protection Mandate

Benjamin Lawsky became the first Superintendent of the newly created New York Department of Financial Services in 2011. The NYDFS had been formed by merging the state’s Banking Department and Insurance Department, and Lawsky built its reputation as one of the most aggressive financial regulators in the country, pursuing large banks for money laundering and mortgage fraud violations.

When Bitcoin began attracting mainstream attention in 2013 — and when a series of exchange failures and fraud cases demonstrated the absence of consumer protections — Lawsky moved to extend NYDFS jurisdiction to virtual currency businesses. His theory was straightforward: New Yorkers were depositing money with crypto exchanges. Those exchanges had no reserve requirements, no consumer protection rules, no cybersecurity standards. The NYDFS had a consumer protection mandate. The gap needed to be closed.

The NYDFS published its proposed BitLicense rules in July 2014. The consultation period generated thousands of comments — the largest response in NYDFS history at the time. Industry comments ranged from supportive of the principle to deeply critical of the specifics. Many argued that the proposed requirements were so burdensome that they would exclude all but the largest companies.

The final BitLicense regulations were published in June 2015 and took effect immediately.

What the BitLicense Requires

The BitLicense applies to any company conducting “virtual currency business activity” in New York — which includes receiving, transmitting, storing, or exchanging virtual currency; buying or selling virtual currency as a customer business; performing conversion of virtual currency; and operating a virtual currency exchange.

The application requirements are extensive. An applicant must provide: detailed personal background information and fingerprints for all controlling persons; a description of the proposed business plan; financial statements for the prior two years; audited balance sheet and income statements; a description of the applicant’s compliance program; AML and Bank Secrecy Act policies; a cybersecurity program description; a consumer protection policy; a business continuity and disaster recovery plan; and any material written agreements with third parties.

The substantive ongoing requirements are equally demanding. Licensed companies must maintain a surety bond or trust account in US dollars for the benefit of New York customers. They must comply with detailed capital requirements set by the NYDFS. They must maintain books and records accessible to NYDFS examination. They must report material changes in business, ownership, or financial condition. They must obtain NYDFS approval before listing new virtual currencies for trading.

The cybersecurity requirements — updated through subsequent NYDFS rules applicable to all regulated financial institutions — are among the most detailed in US financial regulation. They require a comprehensive cybersecurity program, a chief information security officer, annual penetration testing, encryption of data in transit and at rest, and detailed incident reporting requirements.

The Exodus

The BitLicense’s immediate effect was the departure of significant crypto companies from New York. The departures began during the consultation period and accelerated after the final rules were published.

Kraken, one of the largest crypto exchanges, made its exit explicit. CEO Jesse Powell published a lengthy explanation of why Kraken would not apply for a BitLicense, detailing the compliance costs and arguing that the rules would harm innovation without proportionate consumer benefit. Kraken continued to operate but geo-blocked New York users.

ShapeShift, a no-account crypto exchange, left New York. BitFinex, then one of the largest exchanges by volume, exited. Dozens of smaller companies made similar decisions.

The companies that remained and pursued licenses were predominantly the largest, most well-capitalized operators. Coinbase, Circle, and Gemini obtained licenses. Their investment in BitLicense compliance created a significant barrier to entry for competitors — a dynamic that the exits accelerated. New York’s crypto market became increasingly concentrated in the hands of a few well-resourced incumbents.

The “Bitcoin Exodus” attracted political attention. Critics of the BitLicense argued it had effectively handed the New York market to incumbents and driven innovation to other states. Supporters argued it had created a regulated, trustworthy market for consumers.

Subsequent Reforms: The Conditional License

After years of criticism about the BitLicense’s exclusionary effects, the NYDFS introduced a Conditional BitLicense in 2022. The conditional framework allows companies to offer limited services in New York while operating under the supervision of an existing full licensee. The full licensee acts as a compliance partner, providing the compliance infrastructure the smaller company doesn’t yet have.

The conditional framework reduced the barrier to entry — a smaller company could enter the New York market under a larger company’s license while building toward full compliance. But critics noted that it also created a commercial dependency: smaller companies needed to contract with established licensees, potentially on unfavorable terms.

Global Influence

Whatever its domestic political legacy, the BitLicense’s conceptual framework was influential globally. The comprehensive approach — AML, cybersecurity, capital, consumer protection, all bundled into a single licensing framework — was adopted in modified form by regulators from Singapore (MAS licensing requirements) to the EU (MiCA’s CASP authorization requirements bear structural similarities to the BitLicense approach).

The BitLicense demonstrated that crypto exchanges could be comprehensively regulated under existing state law frameworks, without waiting for federal action. That demonstration — whatever its costs — was a form of regulatory proof of concept that other jurisdictions studied and adapted.

By 2025, with the GENIUS Act having established a federal stablecoin framework and the CLARITY Act pending, the BitLicense’s role has begun to shift. Federal preemption of stablecoin rules means that NYDFS will need to have its stablecoin framework certified as equivalent to federal standards. The broader BitLicense framework, however, remains in force — and for crypto activities not addressed by federal legislation, the most onerous state-level crypto regulation in the United States continues to apply to anyone seeking access to the country’s largest financial market.