Regulator — New York is the financial capital of the United States. The concentration of financial institutions, investment managers, hedge funds, family offices, and corporate treasury operations in New York City means that any digital asset business that wants to serve institutional clients cannot avoid New York residents and counterparties — and any business serving New York residents needs the New York Department of Financial Services’ approval. The BitLicense, introduced in 2015, is the most comprehensive and most demanding state digital asset regulatory framework in the country. Its design reflects New York’s position: the strictest standards, the highest cost, and the most meaningful market access.
Overview
The New York Department of Financial Services regulates the financial services industry in New York State, with jurisdiction over banks, insurance companies, mortgage companies, money transmitters, and — through the BitLicense framework — virtual currency businesses. The NYDFS operates under the Banking Law and the Financial Services Law, with authority to examine, supervise, and enforce compliance by all regulated entities.
The BitLicense — formally the “Virtual Currency Business Activity” license under 23 NYCRR Part 200 — was finalized in June 2015 under Superintendent Benjamin Lawsky, who was the first state financial regulator to create a comprehensive crypto regulatory framework. The BitLicense requires any company that engages in “virtual currency business activity” involving New York or New York residents to obtain a license, regardless of where the company is incorporated or operates. Virtual currency business activity includes: buying and selling virtual currency as a customer business, transmitting virtual currency, storing virtual currency, issuing virtual currency, or conducting exchange services. The breadth of this definition captures virtually every crypto exchange, custodian, or service provider that serves New York customers.
The BitLicense application requirements are among the most demanding in US financial services regulation. The $100,000 application fee is a barrier for smaller companies. The review process — which has historically taken one to three years — requires extensive documentation of the applicant’s AML program, cybersecurity systems, business continuity plan, consumer protection policies, capital adequacy, and management background. The NYDFS conducts detailed on-site examinations and background investigations as part of the review. The total cost of obtaining a BitLicense — including legal fees, compliance infrastructure build-out, and management time — routinely exceeds $500,000 and often reaches into the millions.
As of February 2026, approximately 30 companies hold BitLicenses. The list includes the most prominent names in US institutional digital asset services: Coinbase, Kraken, Gemini, Circle, Ripple, Robinhood Crypto, PayPal, Bakkt, eToro, and several others. The selectivity of the list reflects both the rigor of NYDFS’s review and the rational choice made by many smaller companies to block New York users rather than invest in the license process — a decision that accepts a meaningful market access limitation in exchange for avoiding the compliance burden.
The NYDFS trust company charter is a separate but related regulatory pathway for digital asset custodians. New York-chartered trust companies that engage in virtual currency custody activities must comply with both trust company law and the BitLicense framework. Trust companies chartered by NYDFS include Coinbase Custody Trust Company, Paxos Trust Company, Gemini Trust Company, and BitGo Trust Company of New York (a subsidiary of BitGo’s South Dakota trust). These NYDFS trust company charters provide Qualified Custodian status under the Investment Advisers Act for digital assets, making them legally equivalent to bank custody for investment adviser compliance purposes.
The NYDFS cybersecurity regulation (23 NYCRR Part 500) — which applies to all NYDFS-licensed entities, including BitLicense holders — is the most comprehensive state cybersecurity requirement for financial institutions in the US. It requires covered entities to maintain a cybersecurity program, conduct regular risk assessments, implement specific technical controls, report cybersecurity incidents to NYDFS within 72 hours, and certify compliance annually. For digital asset companies, where cybersecurity failures (wallet hacks, key exposure, smart contract exploits) can result in immediate, irreversible loss of client assets, the cybersecurity regulation imposes standards that are commercially critical regardless of regulatory mandate.
Superintendent Adrian Harris, who took office in 2024, has indicated a continued commitment to robust supervision of BitLicense holders alongside a more streamlined application process to reduce the two-year review timelines that have deterred some applicants.
Key Metrics
| Metric | Value |
|---|---|
| BitLicense Established | June 2015 |
| Application Fee | $100,000 |
| Review Timeline | 1–3 years (historically) |
| Active BitLicense Holders | ~30 (Feb 2026) |
| Key BitLicense Holders | Coinbase, Kraken, Gemini, Circle, Ripple |
| NYDFS Trust Companies | Coinbase Custody, Paxos, Gemini Trust, BitGo NY |
| Cybersecurity Reg | 23 NYCRR Part 500 (most comprehensive in US) |
| Current Superintendent | Adrian Harris (2024+) |
| Primary Law | Banking Law + Financial Services Law |
| HQ | New York City |
Tokenization Activity
The NYDFS’s oversight of BitLicense holders and trust companies directly shapes the tokenized asset custody landscape. The trust companies chartered by NYDFS — Coinbase Custody, Paxos, Gemini Trust — are the primary Qualified Custodians for digital assets in New York-regulated institutional contexts. When investment advisers subject to New York law need digital asset custody, NYDFS-chartered trust companies provide the regulatory imprimatur that compliance departments require.
Paxos Trust Company deserves specific attention in the tokenization context. Paxos — an NYDFS-chartered trust company — issues USDP (Paxos Dollar), a regulated stablecoin with NYDFS oversight, and has served as the infrastructure provider for PayPal’s PYUSD stablecoin. Paxos also provides gold tokenization services (PAX Gold/PAXG), demonstrating that NYDFS trust companies can issue tokenized assets under state banking law without requiring SEC securities registration — provided the tokenized asset has the economic characteristics of a commodity or currency rather than a security.
The NYDFS’s approach to tokenized securities — specifically whether tokenized securities issued by regulated entities need BitLicense coverage in addition to SEC registration — has been an area of active regulatory dialogue. Platforms like Securitize that are SEC-registered transfer agents and broker-dealers operating in New York engage with both the NYDFS and the SEC to ensure their operations are compliant with both regulatory frameworks.
The NYDFS cybersecurity regulation has become a de facto global standard for institutional digital asset companies. Companies seeking to build cybersecurity programs that will withstand scrutiny from multiple regulators (OCC, SEC, FINRA) find that building to the NYDFS 23 NYCRR Part 500 standard satisfies or exceeds the requirements of most other regulators — making NYDFS compliance a useful benchmark for institutional-grade cybersecurity in digital asset operations.
Investment Relevance
BitLicense is simultaneously a barrier to entry and a quality signal. Holding a BitLicense certifies that a digital asset company has met NYDFS’s rigorous standards for AML, cybersecurity, capital adequacy, and consumer protection — a certification that institutional counterparties value in their vendor assessment processes. For companies that have invested in obtaining and maintaining BitLicense compliance, the license provides a durable competitive advantage in the New York institutional market.
The NYDFS trust company charter is the most commercially valuable regulatory asset in the US digital asset custody market for New York-based or New York-client-serving businesses. As institutional digital asset allocations grow, the concentration of trusted custody in NYDFS-chartered trust companies creates regulatory-driven market concentration that incumbents benefit from.
Related Entities
- Coinbase Prime — Coinbase Custody Trust Company (NYDFS-chartered)
- BitGo — BitGo Trust Company of New York (NYDFS-licensed subsidiary)
- Anchorage Digital — OCC-chartered federal bank (alternative to NYDFS framework)
- SEC — Coordinate federal regulator for digital securities
- FinCEN — Federal AML authority that overlaps with NYDFS AML requirements