On April 14, Arkansas enacted HB 1467 (the “Act”) to amend the Arkansas Uniform Money Services Act to enhance consumer protection and transparency in virtual currency transactions, particularly those through kiosks. The Act changes virtual currency kiosk operations and data security requirements applicable to operators of such kiosks. The Act will expand the scope of money transmission services to include “virtual currency kiosks,” defined as ATMs that allow users to engage in money transmission and exchange cash for virtual currency. The amendment also requires licensees under the Uniform Money Services Act to maintain comprehensive records of money transmission and virtual currency kiosk locations, while implementing fraud warnings in visible areas and on transmittal forms.
Several consumer protection measures are also set forth in the Act, including a provision allowing new customers to receive full refunds for any fraudulent virtual currency transactions within 72 hours of registration as a customer, provided the customer reports the fraud to government or law enforcement. The Act also establishes daily virtual currency kiosk transaction limits of $2,000 for new customers and $7,500 for existing customers (those registered for more than 72 hours), while capping fees and commissions available to owners of virtual currency kiosks at either $5 or 18 percent of the transaction amount, whichever is greater.
The Act also introduces an additional subchapter to the Uniform Money Services Act which establishes data security requirements for money services businesses. The Act will require businesses to develop, implement and maintain information security programs, including risk assessments, safeguards and incident response plans. The Act also mandates regular testing of security systems and requires financial institutions to report security breaches to the state’s securities commissioner as soon as possible and no later than 45 days after discovery of the notification event. Financial institutions that maintain customer information concerning fewer than 5,000 consumers are exempt from these data security requirements.