BitInstant now has an MSB license from FinCEN?

[casascius]

I just checked out BitInstant's website and noticed they now advertise that they are a licensed MSB... complete with their FinCEN registration number...

something I am surprised to not have been announced or talked about on the forums.

I did see they posted on Facebook:

We are now a legal MSB sanctioned by the Dep't of the Treasury! MSB Registration number 31000005031107

In such a case, a huge congratulations to them - but also something significant for Bitcoin, as it looks to me like an official nod of approval of sorts, for FinCEN to be granting an MSB license for something that is so clearly Bitcoin-related.

[zer0]

I think that's how they are able to directly sell bitcoins to email now. Now bitinstant is truly instant, pay them and get coins immediately.

[rjk]

I think that's how they are able to directly sell bitcoins to email now. Now bitinstant is truly instant, pay them and get coins immediately.

How is the email part relevant to a FinCEN license? Also, Charlie has been saying for a while now that they had applied for it, so maybe it was only recently approved.

[gusti]

you can see registration filing here :
http://www.fincen.gov/financial_institutions/msb/msbstateselector.html
number : 31000005031107

[zer0]

I think that's how they are able to directly sell bitcoins to email now. Now bitinstant is truly instant, pay them and get coins immediately.

How is the email part relevant to a FinCEN license? Also, Charlie has been saying for a while now that they had applied for it, so maybe it was only recently approved.

I thought before they could only move money, not convert it into anything else including BTC

[davout]

I believe MSB licenses are state-specific, apparently from what I read they're (or a partner is) licensed in NY.

[casascius]

Bitcoin to e-mail sounds inherently scary as e-mail is insecure.  Anyone have a link where I may learn more, or is there another thread discussing this, so I'm not dumping a different topic on this thread?

[bitdragon]

Bitcoin to e-mail sounds inherently scary as e-mail is insecure.  Anyone have a link where I may learn more, or is there another thread discussing this, so I'm not dumping a different topic on this thread?

https://bitcointalk.org/index.php?topic=76863.msg853424#msg853424

[Yankee (BitInstant)]

I believe MSB licenses are state-specific, apparently from what I read they're (or a partner is) licensed in NY.

MSB Licenses are federal, and MTB licenses are state specific.

Our MSB license allows us to work within federal regulations and be compliant. However there are still certain transactions we cannot do without being a state MTB

Bitcoin to e-mail sounds inherently scary as e-mail is insecure.  Anyone have a link where I may learn more, or is there another thread discussing this, so I'm not dumping a different topic on this thread?

https://bitcointalk.org/index.php?topic=76863.0

We partnered with Coinapult to make it happen.

Essentially, you dont give us your Bitcoin address, rather your email address. We send a link+secret to your email address which takes you to a secure hosted redemption page where you can send the coins anywhere.
Obviously, no email is secure and if your server is being sniffed, then you could have a problem. BitInstant never engages in currency conversion or the purchase of Bitcoins. USD credit is given to Coinapult.com, which then buys the Bitcoin and sends it via email.

I just checked out BitInstant's website and noticed they now advertise that they are a licensed MSB... complete with their FinCEN registration number...

something I am surprised to not have been announced or talked about on the forums.

I did see they posted on Facebook:

We are now a legal MSB sanctioned by the Dep't of the Treasury! MSB Registration number 31000005031107

In such a case, a huge congratulations to them - but also something significant for Bitcoin, as it looks to me like an official nod of approval of sorts, for FinCEN to be granting an MSB license for something that is so clearly Bitcoin-related.

The reason we didn't announce it, because nothing changes at this point. It just states that now were operating legally, the government knows what we are doing, and compliant to the best of our efforts.
I also get free BSA training twice a year 

At this point, we're seeking financial service licenses in Europe and Oceania as well

-Charlie

[casascius]

Obviously, no email is secure and if your server is being sniffed, then you could have a problem. BitInstant never engages in currency conversion or the purchase of Bitcoins. USD credit is given to Coinapult.com, which then buys the Bitcoin and sends it via email.

... or if any part of the path from Coinapult to the user's e-mail server is sniffed, then that's an issue... the problem being that such sniffing is actually quite common, and e-mail is typically delivered unencrypted.  This method of delivery is certain to result in theft, eventually, and is unsustainable.  Delivery needs to be by two different channels for this to be safe - e.g. the link in e-mail, and the secret via SMS, and the secret must be unusable without the link.

The reason we didn't announce it, because nothing changes at this point. It just states that now were operating legally, the government knows what we are doing, and compliant to the best of our efforts.

What changes is it invalidates the notion that Bitcoin businesses will never be given MSB licenses or seen as legitimate due to the perceived threat against government / banking establishment / whatever.  It gives a big boost to the perceived legitimacy of Bitcoin, and adds a lot of credibility to your operation.  It's fantastic news the way I see it!

[evoorhees]

Regarding the perceived security issues of sending Bitcoins via email, it's a service that needs to exist in Bitcoinland, and thus Coinapult is doing it. Anyone who is buying massive amounts of coins should probably not send to their email inbox, but for everyone else it's a very convenient new tool. As with all things Bitcoin, personal responsibility and risk tolerance (and understanding) need to be given due consideration.

And yes, the FinCEN registration for BitInstant is just one more step toward credibility that Bitcoin obtains with the establishment. I think it's very good for prominent Bitcoin companies to pursue "legitimacy" in this way, as it shields our organic growing economy from scrutiny, giving us all more time to build a system which stands up to scrutiny when it inevitably arrives.

Bitcoin's best interests are served by being friendly with the State for as long as possible.

[Yankee (BitInstant)]

Bitcoin's best interests are served by being friendly with the State for as long as possible.

Couldn't have said it better myself 

It gives a big boost to the perceived legitimacy of Bitcoin, and adds a lot of credibility to your operation.  It's fantastic news the way I see it!

Thank you, that really means alot to us. We're trying very hard to be in compliance with the state as many other Bitcoin business's are doing as well.

The notion that Bitcoin is trying to stay underground and are a bunch of anarchists is simply not true, and hopefully day by day we can rid that stereotype

[Stephen Gornick]

This method of delivery is certain to result in theft, eventually, and is unsustainable.  Delivery needs to be by two different channels for this to be safe - e.g. the link in e-mail, and the secret via SMS, and the secret must be unusable without the link.

Yup.  The same problem occurs from those sending redeemable codes via e-mail as well, though I don't know if that happens much anymore.

Here's Coinapult's reply to the "is not secure" argument:
 - http://bitcointalk.org/index.php?topic=76493.msg849654#msg849654

[Bitcoin Oz]

If you could send coins by GPG email it would be better. Is that a possible add on in future ?

[Yankee (BitInstant)]

This method of delivery is certain to result in theft, eventually, and is unsustainable.  Delivery needs to be by two different channels for this to be safe - e.g. the link in e-mail, and the secret via SMS, and the secret must be unusable without the link.

Yup.  The same problem occurs from those sending redeemable codes via e-mail as well, though I don't know if that happen much.

Here's Coinapult's reply to the "is not secure" argument:
 - http://bitcointalk.org/index.php?topic=76493.msg849654#msg849654

It's true, thats why we stopped sending redeemable codes altogether and do direct deposits.

Problem is, not everyone has/wants to use a cell phone.

Any other ideas? Ira and myself are open to any suggestions and can easily make changes/fixes

What if we required a 'PIN' at checkout, and in order to redeem your coins you need the PIN?

This way, the PIN is entered securely on our servers and cryptographically passed over to Coinapults when redeeming.

We can always make the PIN idea optional, so your not forced to use it if your sending a few coins to a friend

If you could send coins by GPG email it would be better. Is that a possible add on in future ?

I think we can add on that option. What do you think of my PIN idea above?

-Charlie

[casascius]

I would think the GPG is not terribly necessary... it would work well and would definitely be secure, but the audience is relatively small.

Yes, a PIN from the website (presumably delivered by https) that they must write down would be miles above simply e-mailing them everything they need to get ripped off in one place, and is not too exotic or technical.  It's no different than what Chase or PayPal does.

Workflow would be simple.  Ask user:  "Redeeming the funds requires an 8-digit PIN number which we will choose, and which will not be e-mailed to you.  You will need to write it down or have it texted to you.  Do you want to see the PIN now? (yes/no)  Do you want us to text the PIN to your mobile phone now? (yes/no)"...

[kjlimo]

I was excitedly thinking this helps legitimize bitcoins a marginal amount as well.  However, I kind of chuckled once I viewed the MSB:

"The inclusion of a business on the MSB Registration Web site is not a recommendation, certification of legitimacy, or endorsement of the business by any government agency."

I still think it means something though

[Yankee (BitInstant)]

I would think the GPG is not terribly necessary... it would work well and would definitely be secure, but the audience is relatively small.

Yes, a PIN from the website (presumably delivered by https) that they must write down would be miles above simply e-mailing them everything they need to get ripped off in one place, and is not too exotic or technical.  It's no different than what Chase or PayPal does.

Workflow would be simple.  Ask user:  "Redeeming the funds requires an 8-digit PIN number which we will choose, and which will not be e-mailed to you.  You will need to write it down or have it texted to you.  Do you want to see the PIN now? (yes/no)  Do you want us to text the PIN to your mobile phone now? (yes/no)"...

Yup, I like this idea ALOT.

I'm gonna discuss it with the team and see how soon we can get this implemented.

Thanks for the feedback!

I was excitedly thinking this helps legitimize bitcoins a marginal amount as well.  However, I kind of chuckled once I viewed the MSB:

"The inclusion of a business on the MSB Registration Web site is not a recommendation, certification of legitimacy, or endorsement of the business by any government agency."

I still think it means something though

Yeh, they have to write that. If you get ripped off by an MSB, you can't go crying back to the government. Its to cover their own butt

[kjlimo]

I was excitedly thinking this helps legitimize bitcoins a marginal amount as well.  However, I kind of chuckled once I viewed the MSB:

"The inclusion of a business on the MSB Registration Web site is not a recommendation, certification of legitimacy, or endorsement of the business by any government agency."

I still think it means something though

Yeh, they have to write that. If you get ripped off by an MSB, you can't go crying back to the government. Its to cover their own butt

Yeah, all the legal caveats get to me.  At my work, I have to include a disclaimer in every report I produce that the results are "not to be relied upon."  Now seriously, if they are not to be relied upon, why did I make them?!?!?!

stupid TPS reports...

[Gareth Nelson]

I would think the GPG is not terribly necessary... it would work well and would definitely be secure, but the audience is relatively small.

Yes, a PIN from the website (presumably delivered by https) that they must write down would be miles above simply e-mailing them everything they need to get ripped off in one place, and is not too exotic or technical.  It's no different than what Chase or PayPal does.

Workflow would be simple.  Ask user:  "Redeeming the funds requires an 8-digit PIN number which we will choose, and which will not be e-mailed to you.  You will need to write it down or have it texted to you.  Do you want to see the PIN now? (yes/no)  Do you want us to text the PIN to your mobile phone now? (yes/no)"...

Yup, I like this idea ALOT.

I'm gonna discuss it with the team and see how soon we can get this implemented.

Thanks for the feedback!

I love that idea too, but I can picture a lot of people losing the PIN sadly, let's talk when you're online (and not in public either)