A legislative initiative in Illinois would establish licensing and consumer protection requirements for digital asset businesses serving consumers in the state.
On February 21, 2023, the Illinois Department of Financial and Professional Regulation (IDFPR) announced the Consumer Financial Protection and Innovation Package, which was introduced in both chambers of the Illinois General Assembly, consisting of two key legislative proposals: the Fintech-Digital Asset Bill and the Consumer Financial Protection Bill (the Bills). The Fintech-Digital Asset Bill “establishes regulations for digital asset businesses and modernizes regulations for money transmission in Illinois.”
The Consumer Financial Protection Bill would enhance the IDFPR’s ability to enforce those regulations, along with additional authority and resources to enforce existing consumer financial protections.
Specifically, the Fintech-Digital Asset Bill would enact the Digital Assets Regulation Act (the Act), applicable to digital asset business activity in Illinois, when conducted with or on behalf of an Illinois resident, regardless of where the business is located and insofar as preemption by federal law is not a factor. The Act represents an effort to implement a comprehensive digital asset licensing regime for Illinois, and mirrors many aspects of the New York BitLicense.
Key provisions of the Act include the following:
A license, or valid exemption, would be required to conduct any digital asset business activity with or on behalf of an Illinois resident. Merely holding oneself out as being able to engage in digital asset business activity would require a license.
- To procure a license, an applicant would need to meet extensive requirements, including disclosure of any digital asset, money service, or money transmitter license the applicant and any affiliates hold in another state, or from a federal agency.
- Licenses would need to be renewed annually.
- The IDFPR would be authorized to suspend or revoke a license without notice or hearing for failure to pay a renewal fee or file a renewal application.
A digital asset business would be required to make significant disclosures, “in a clear and conspicuous manner,” before engaging in digital asset business activity with an Illinois resident. Disclosures would include the following:
- A schedule of fees and charges the digital asset business may assess, the manner in which fees and charges would be calculated if they are not set in advance and disclosed, and the timing of the fees and charges
- The resident’s right to at least 14 days’ notice of a change in the fee schedule, material terms and conditions, or applicable policies
- Whether the product or service that the digital asset business provides would be covered by private insurance against loss or theft (including intelligible disclosure of all material terms of the insurance and associated risks); or, a form of insurance or other guarantee against loss by a federal agency (e.g., the Federal Deposit Insurance Corporation, the National Credit Union Administration, or the Securities Investor Protection Corporation)
- A description of the digital asset business’ liability for an unauthorized, mistaken, or accidental transfer or exchange, and the basis for any customer recovery in such an event
- Whether the consumer has a right to stop a preauthorized payment or revoke authorization for transfers, and the related procedures for accomplishing them
- The irrevocability of a transfer or exchange, and any exceptions
- A confirmation record after any digital asset transaction (either individually or as a daily digest), that includes the type, value, date, precise time, and amount of the transaction, and any fees assessed
- A trailing 12-month record of service outages experienced by the digital asset business, along with a description of their causes and resolution
Custody and Protection of Customer Assets
A digital asset business that stores, holds, or maintains custody or control of a digital asset would be required to maintain an amount of each type of digital asset sufficient to satisfy the aggregate entitlements. The digital asset must:
- be held for the customers entitled to the digital asset;
- not be property of the digital asset business; and
- not be subject to the claims of creditors of the digital asset business.
The IDFPR also would reserve the right to adopt additional customer asset protection rules, such as rules related to:
- segregated accounts and titling of segregated accounts;
- qualified custodians;
- audit requirements;
- compliance with specific provisions of the Uniform Commercial Code applicable to digital assets; and
- restrictions on selling, transferring, assigning, lending, hypothecating, pledging, or otherwise using or encumbering customer assets.
A covered digital asset exchange, before listing or offering a digital asset, would be required to certify that it has:
- identified the risk that the digital asset would be deemed a security by federal or state regulators;
- provided full and fair disclosure in writing of all material facts relating to conflicts of interest that are associated with the exchange and the digital asset;
- conducted a comprehensive risk assessment to ensure consumers are protected from cybersecurity risk, risk of malfeasance (including theft), risks related to code or protocol defects, market-related risks (including price manipulation and fraud), and any other material risks;
- established policies and procedures to reevaluate the appropriateness of the continued listing or offering of the digital asset, including assessment of any material changes; and
- established policies and procedures to cease listing or offering the digital asset, including notification to affected consumers and counterparties.
Notably, certification by a covered digital asset exchange would not be required for any digital asset approved for listing on or before January 1, 2023, by the New York Department of Financial Services (NYDFS) pursuant to Part 200 of Title 23 of the NY Code of Rules and Regulations, if the IDFPR is properly notified.
If an exchange lists or offers a digital asset without the proper certification, or makes misrepresentations in the certification process, the IDFPR would be authorized to order the delisting of the digital asset, and to bring an enforcement action.
A covered digital asset exchange would be required to:
- clearly communicate information on its website for access to 24/7 customer service, and provide live customer assistance; and
- implement reasonable policies and procedures for accepting, processing, investigating, and responding to requests for assistance in a timely and effective manner, including coverage of dispute resolution; consumer reporting of unauthorized, mistaken, or accidental transactions; and complaint filing.
Policies and Procedures
A digital asset business (before submitting a license application, and after obtaining a license) would be required to maintain, implement, update, and enforce, written compliance policies and procedures for all of the following:
- A cybersecurity program with well-defined and implemented policies and procedures and managerial oversight
- A business continuity program
- A disaster recovery program
- An anti-fraud program (including protection against market manipulation and insider trading)
- An anti-money laundering and countering the financing of terrorism program
- An operational security program
- A compliance program that at minimum specifies the policies and procedures that the licensee maintains to minimize the risk that the licensee facilitates the exchange of unregistered securities
- A conflict of interest program
- A customer assistance program
A digital asset business would need to disclose policies and procedures to consumers in a clear and conspicuous manner and separately from other disclosures, and in the medium through which the consumer contacted the licensee.
Books and Records
A licensed digital asset business would need to maintain a detailed record of any transaction of the licensee with or on behalf of an Illinois resident or for the licensee’s account for five years after the date of the activity.
Material Business Changes
A licensed digital asset business would need to file a report with the IDFPR for any material change in information in the application, business, or management structure within 15 days of occurrence.
A licensed digital asset business would be required to file with the IDFPR any plan of merger or consolidation, at least 30 days before a proposed merger or consolidation with another entity. The IDFPR may approve, conditionally approve, or deny any such merger or consolidation application. If denied, the licensee will be required to abandon the plan, or cease digital asset business activity with, or on behalf of, Illinois residents.
Investigation of Complaints
The IDFPR would be authorized to investigate complaints and inquiries, and licensed digital asset businesses are required to open their books, records, documents, and offices (wherever located) to facilitate such investigations.
The IDFPR would be authorized to examine a licensed digital asset business to assess the licensee’s financial condition, safety and soundness, policies, lawfulness, accounting, etc.
The IDFPR would be authorized to take an enforcement action against a digital asset business for the following:
- Violation of the Act
- Misrepresentation to the IDFPR
- Non-cooperation with an examination or investigation
- Failure to pay a required fee
- Failure to submit a report or documentation
- Unsafe, unsound, or unlawful act or practice
- Unfair, deceptive, or abusive act or practice
- Fraud, misrepresentation, deceit, or negligence
- Misappropriation of fiat currency, a digital asset, or other value
- Conviction of a crime related to its digital asset business activity
- Insolvency and bankruptcy related events
A digital asset business would not be authorized to exchange, transfer, store, or administer a stablecoin unless the stablecoin issuer is licensed pursuant to the Act (or is a federally insured depository institution exempt from licensure), and the stablecoin issuer always maintains a 1:1 ratio of reserve assets to outstanding stablecoins issued or sold.
Capital and Liquidity
A licensed digital asset business would be required to maintain a surety bond or trust account in US dollars in a form and amount that the IDFPR would determine to protect resident customers of the licensee. A licensee would also need to maintain capital and liquidity in an amount and form that the IDFPR determines is sufficient to ensure the financial integrity of the licensee and its ongoing operations. Such determination would be based on an assessment of the licensee’s specific risks as they relate to its products and services, size, position, liabilities, volume, leverage, etc.
A licensed digital asset business would need to designate a qualified individual or individuals to coordinate and monitor compliance with the Act’s requirements, as well as all applicable federal and state laws, rules, and regulations. Each licensee would also be required to maintain, implement, update, and enforce written compliance policies and procedures, which must be reviewed and approved by the licensee’s board of directors or equivalent corporate governing body.
Consumer Financial Protection Bill
The proposed Consumer Financial Protection Bill is modeled after the law that created the federal Consumer Financial Protection Bureau (CFPB). According to the Bill’s sponsors, it would provide the IDFPR with authority and resources to enforce the Fintech-Digital Asset Bill, as well as existing consumer financial protection laws.
Special Purpose Trust Company
The Illinois Corporate Fiduciary Act would also be amended to allow for a new class of corporate fiduciary — a special purpose trust company — to custody, safekeep, and manage digital assets. Such a company would operate and be supervised under the Corporate Fiduciary Act, and would in no way interfere with the right of a depository institution to provide nonfiduciary custodial services.
As noted above, the Act represents an effort to implement a comprehensive licensing regime for Illinois, and mirrors many aspects of the New York BitLicense. The BitLicense, however, appears to be more stringent in some regards. For example:
- Under the Act, a licensed digital asset business would be required to file a report with the IDFPR for any material change to the business within 15 days of occurrence; under the BitLicense, a licensee must obtain the NYDFS’ prior written approval for any plan or proposal to materially change its business.
- Under the Act, a licensed digital asset business would be required to maintain detailed books and records for five years; under the BitLicense, books and records must generally be kept for seven years.
- The BitLicense imposes requirements for licensee advertising practices; the Act would not.
- The Act would authorize examinations of licensees “from time to time;” under the BitLicense, examinations occur “not less than once every two calendar years.”
According to Representative Mark Walker, the sponsor of the Bills, “[t]hese measures not only work to hold bad actors accountable, but allow good actors to enter the marketplace and prove to customers they are operating within the bounds of the law.”
Latham & Watkins will continue to monitor and report on the Bills’ legislative progress.
 For the purpose of the Fintech-Digital Asset Bill, digital asset is defined as “a digital representation of value that is used as a medium of exchange, unit of account, or store of value, and that is not fiat currency, whether or not denominated in fiat currency.”
 The Act does not apply to: (i) the exchange, transfer, or storage of a digital asset or to digital asset administration to the extent the Securities Exchange Act of 1934 or the Illinois Securities Law of 1953 govern the activity, and the activity is actually regulated for the purpose of investor protection by the SEC or Illinois Secretary of State; (ii) the United States, a state, political subdivision of a state, agency, or instrumentality of federal, state, or local government, or a foreign government or a subdivision, department, agency, or instrumentality of a foreign government; (iv) a federally insured depository institution; (v) a corporate fiduciary acting as a fiduciary or otherwise engaging in fiduciary activities; (vi) a merchant using digital assets solely for the purchase or sale of goods or services in the ordinary course of its business; or (vii) a person using digital assets solely for the purchase or sale of goods or services for personal, family, or household purposes.