Wow, this is down in the weeds. E.g.<p><pre><code> (4) include procedures for the maintenance of back-up facilities, systems,
and infrastructure as well as alternative staffing and other resources
to enable the timely recovery of data and documentation and to resume
operations as soon as reasonably possible following a disruption to
normal business activities;
...
(3) Source code reviews. Each Licensee shall have an independent,
qualified third party conduct a source code review of any internally
developed proprietary software used in the Licensee’s business
operations, at least annually.
</code></pre>
A lot of these regs may have started out as Best Practices, but shouldn't regulations focus on the What, not the How? Also, the right place for these regs, if we must have them, is under FinCEN at the Federal level. If you watch some of their presentations, there are some smart people working there who I'm sure would love to tackle this in a way that doesn't create a quagmire of conflicting and overlapping state regs.<p>A little passage in some old document about interstate commerce comes to mind.<p>The great thing about Bitcoin is this only applies to 3rd party companies wanting to assist you in transferring bitcoin; it doesn't apply at all to individual transfers between private entities. So this will do a lot to encourage private wallet software over centralized points of failure and intelligence gathering. For that, at least, you can thank NY.