Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Special Alert: NYDFS fines trading platform for BSA/AML, transaction monitoring, and cybersecurity lapses
The New York Department of Financial Services and a trading platform on Aug. 1 entered into a consent order to resolve deficiencies identified during a 2019 examination and a subsequent investigation by the department’s enforcement section. The consent order focused on deficiencies related to Bank Secrecy Act and anti-money-laundering compliance, transaction monitoring, cybersecurity, and related New York certifications of compliance. The company will pay a $30 million civil monetary penalty and retain an independent consultant that will assist with remediating the issues highlighted in the order and report to NYDFS on remediation progress.
The consent order has far-reaching implications for all financial services companies that come under the jurisdiction of the NYDFS.
The trading platform is a wholly owned subsidiary of a financial services company that offers U.S.-based retail investors the ability to trade stocks, options, and crypto currency on a commission-free basis through its broker-dealer subsidiary. The trading platform is licensed by the NYDFS to engage in virtual currency and money transmitter businesses in New York. Of primary concern for the NYDFS was the platform’s alleged reliance on its parent company’s compliance and cybersecurity programs through enterprisewide systems that the NYDFS found to be inadequate. Additionally, according to NYDFS, the platform allegedly had few to no qualified personnel or management involved in overseeing those programs, which NYDFS has implicitly indicated cannot be outsourced.
On August 2, NYDFS announced a consent order imposing a $30 million fine against a trading platform for alleged violations of the Department’s Virtual Currency Regulation (23 NYCRR Part 200), Money Transmitter Regulation (3 NYCRR Part 417), Transaction Monitoring Regulation (23 NYCRR Part 504), Cybersecurity Regulation (23 NYCRR Part 500), and for failing to maintain adequate Bank Secrecy Act/anti-money laundering (BSA/AML) obligations. According to a Department investigation, the platform’s BSA/AML compliance program contained significant deficiencies, including an inadequate transaction monitoring system. Among other things, the platform failed to timely transition its manual system to an automated transaction monitoring system, which was unacceptable for a program of its size, customer profiles, and transaction volumes, and did not devote sufficient resources to adequately address risks. The Department also found “critical failures” in the platform’s cybersecurity program, which failed to address operational risks, and that specific policies within the program did not fully comply with several provisions of the Department’s cybersecurity and virtual currency regulations. According to the press release, pursuant to NYDFS’s Transaction Monitoring Regulation and Cybersecurity Regulation, companies should only file a Certificate of Compliance with the Department if their programs are fully compliant with the applicable regulation.
In light of the program’s deficiencies, NYDFS stated that the platform’s 2019 certifications to the Department attesting to compliance with these regulations should not have been made and thus violated the law. The platform also “failed to comply with the Supervisory Agreement by failing to promptly notify the Department of (a) actual or material potential actions, proceedings, or similar process that were or may have been instituted against [the platform] or any affiliated entity by any regulatory body or governmental agency; and (b) of the receipt by [the platform], or any affiliated entity, of any subpoena from any regulatory body or governmental agency in which [the platform], or any affiliated entity, was the target of the investigation.” NYDFS determined that in addition to the penalty, the platform will be required to retain an independent consultant that will perform a comprehensive evaluation of its compliance with the Department’s regulations and the platform’s remediation efforts with respect to the identified deficiencies and violations.
A Buckley Special Alert is forthcoming.
On June 24, NYDFS announced a consent order imposing a $5 million fine against a group of Florida-based cruise lines for alleged violations of the state’s Cybersecurity Regulation (23 NYCRR Part 500). According to a Department investigation, the companies were subject to four cybersecurity incidents between 2019 and 2021 (including two ransomware attacks). The companies determined that unauthorized parties gained access to employee email accounts, and that, through a series of phishing emails, the parties were able to access email and attachments containing personal information belonging to the companies’ consumers and employees. NYDFS claimed that although the companies were aware of the first cybersecurity event in May 2019, they failed to notify the Department as required under 23 NYCRR Part 500 until April 2020. The investigation further showed that the companies allegedly failed to implement multi-factor authentication and did not provide adequate cybersecurity training for their personnel. NYDFS determined that in addition to the penalty, since the companies were licensed insurance producers in the state at the time of the cybersecurity incidents they would be required to surrender their insurance provider licenses.
The settlement follows a $1.25 million data breach settlement reached with 45 states and the District of Columbia on June 22 (covered by InfoBytes here).
On June 8, NYDFS released new regulatory guidance on the issuance of U.S. dollar-backed stablecoins, establishing criteria for regulated virtual currency companies seeking to issue stablecoins in the state. The guidance outlines baseline criteria for USD-backed stablecoins, including that: (i) a “stablecoin must be fully backed by a Reserve of assets,” such that the Reserve’s market value “is at least equal to the nominal value of all outstanding units of the stablecoin as of the end of each business day”; (ii) stablecoin issuers “must adopt clear, conspicuous redemption policies, approved in advance by [NYDFS] in writing, that confer on any lawful holder of the stablecoin a right to redeem units of the stablecoin from the Issuer in a timely fashion at par for the U.S. dollar”; (iii) Reserve assets must be segregated from an issuer’s proprietary assets and “held in custody with U.S. state or federally chartered depository institutions and/or asset custodians”; (iv) a Reserve must consist of specific assets subject to NYDFS-approved overcollateralization requirements and restrictions; and (v) a Reserve must undergo an examination of its management’s assertions at least once a month by a licensed certified public accountant.
NYDFS emphasized that these criteria are not the only requirements it may impose when issuing stablecoins, and informed regulated entities that it will also consider a range of potential risks prior to granting a regulated entity authorization to issue stablecoins. This includes risk related to “cybersecurity and information technology; network design and maintenance and related technology and operational considerations; Bank Secrecy Act/anti-money-laundering  and sanctions compliance; consumer protection; safety and soundness of the issuing entity; and the stability/integrity of the payment system, as applicable.” Additional requirements may be imposed on regulated entities to address any of these risks.
NYDFS noted that the regulatory guidance is not applicable to USD-backed stablecoins listed, but not issued, by regulated entities, and stated it “does expect regulated entities that list USD-backed stablecoins to consider this guidance when submitting a request for coin issuance or seeking approval for a coin self-certification policy.”
NYDFS encourages virtual currency licensees to use blockchain analytics tools for sanctions and AML compliance
On April 28, NYDFS announced new guidance on virtual currency entities that are establishing the use of blockchain analytics tools. NYDFS explained that virtual currency activities can involve, among other things, different sources, destinations, and types of funds flows than are found in more traditional, fiat-currency contexts. Such characteristics of virtual currencies can create compliance challenges, but also can present new possibilities for new technology-driven control measures. In the guidance, NYDFS outlined expectations for New York State-regulated virtual currency companies, including: (i) establishing control measures that may leverage blockchain analytics; (ii) augmenting due diligence controls; (iii) conducting transaction monitoring of on-chain activity; and (iv) conducting sanctions screening of on-chain activity. NYDFS also emphasized "the importance of risk-based policies, processes, and procedures to identify transaction activity involving virtual currency addresses or other identifying information associated with sanctioned individuals and entities listed on the SDN List, or located in sanctioned jurisdictions."
As previously covered by InfoBytes, NYDFS issued a framework outlining industry best practices for state-regulated property/casualty insurers writing cyber insurance, which provided guidance for effectively managing cyber insurance risk. The framework is the first guidance released by a U.S. regulator on cyberinsurance. NYDFS noted it has “engaged with external stakeholders to inform this new guidance and continues to conduct significant outreach to state, federal and international regulators; industry; and other experts in the field to ensure New York maintains a robust regulatory regime and remains a destination for virtual currency companies to operate.”
On March 4, the California Department of Financial Protection and Innovation (DFPI) issued guidance, in light of the evolving situation in Ukraine, to remind financial institutions of their sanctions compliance obligations under state and federal law. Licensees are reminded that they are prohibited from participating in financial transactions with individuals and entities listed on the SDN List, and encouraged to review specific, more limited sanctions that have been placed on several Russian entities. This information can be found on OFAC's website.
Additionally, licensees are strongly encouraged to immediately ensure their systems, programs, and processes comply with OFAC regulations, and review and monitor all transactions (particularly trade finance transactions and funds transfers) to identify and block transactions subject to sanctions. Licensees should also follow OFAC directions related to blocked funds.
DFPI further warned that Russia’s invasion of Ukraine increases the risk that listed individuals and entities will attempt to evade sanctions by using virtual currency transfers, and encouraged licensees to review OFAC Guidance to protect against these risks. Licensees engaged in transactions involving virtual currencies are instructed to implement policies, procedures, and processes to protect against the unique risks posed by virtual currencies and should “consider virtual currency-specific control measures including sanctions lists, geographic screening, and any other measures appropriate to the licensee’s specific risk profile.”
Additionally, DFPI cautioned that the “Russian invasion significantly elevates the cyber risk for the U.S. financial sector,” and licensees are instructed to take measures to mitigate cybersecurity threats, including adopting core cybersecurity hygiene measures, eliminating any non-essential networking protocols, ensuring procedures are able to address a ransomware attack, and reevaluating “plans to maintain essential services, protect critical data, and preserve customer confidence considering the realistic threat of extended outages.” Licensees are encouraged to track alerts from the Cybersecurity and Infrastructure Security Agency.
Licensees conducting business in Ukraine and/or Russia should also “take increased measures to monitor, inspect, and isolate traffic from Ukrainian or Russian offices and service providers,” and “segregate networks for Ukrainian or Russian offices from the global network.”
NYDFS also recently issued similar guidance for New York state regulated entities on its cybersecurity and virtual currency regulations in response to the Russian invasion and recently imposed sanctions. (Covered by a Buckley Special Alert.)
On March 2, New York Governor Kathy Hochul announced that NYDFS will increase its sanctions enforcement actions against Russia, including taking measures to expedite the procurement of blockchain analytics tools to detect exposure among regulated licensed virtual currency businesses to Russian individuals, banks, and other entities sanctioned by the Biden administration. “Accelerating the procurement process is a critical step to strengthen the Department's ability to enforce anti-money laundering and Bank Secrecy Act laws in this immediate crisis and beyond,” the announcement stated, explaining that “[l]everaging purpose-built technologies and service providers for virtual currency protects the financial system from illicit activity including money laundering, terrorist financing and ransomware activity.” NYDFS Superintendent Adrienne A. Harris added that monitoring transactions and exposure in real-time is imperative for preventing actors from attempting to evade sanctions through the transmission of virtual currency. The announcement follows NYDFS guidance on cybersecurity and virtual currency issued last week, which raised the specter of elevated cyber risk due to ongoing cyberattacks against Ukraine that could spill over to other networks, as well as potential direct attacks against U.S. critical infrastructure. (Covered by a Buckley Special Alert.) Governor Hochul also issued an Executive Order at the end of February, which directed all New York State agencies and authorities to review and divest public funds from Russia.
The New York Department of Financial Services last week issued guidance on its cybersecurity and virtual currency regulations in response to the Russian military actions in Ukraine and recently imposed sanctions. NYDFS specifically raised the specter of elevated cyber risk due to ongoing cyberattacks against Ukraine, which could spill over to other networks, as well as potential direct attacks against U.S. critical infrastructure.
Updated cybersecurity regulation guidance
NYDFS suggested that regulated entities with programs pursuant to its cybersecurity regulation (23 NYCRR 500) have the potential to mitigate increased cyber threats and should take the following steps:
- Review cybersecurity programs for compliance, with particular attention to certain safeguards and core cybersecurity hygiene measures, including access control, vulnerability management, and privileged access review
- Review, update, and test incident-response and business-continuity plans and ensure they address ransomware events
- Review and implement practices pursuant to the June 2021 Ransomware Guidance
- Re-evaluate plans to maintain essential services and protect critical data in the event of an extended outage or service disruption
- Conduct a full test of backup and recovery abilities
- Provide additional cybersecurity awareness training and reminders for all employees
NYDFS also advised that regulated entities should keep track of known threat actors and take extra precautions when doing business in Russia and Ukraine, including segregating Russian and Ukrainian networks. Regulated entities must report cybersecurity events that meet the criteria of 23 NYCRR 500.17(a) as promptly as possible and within 72 hours, and should also report cybersecurity events immediately to law enforcement, including the FBI and the Cybersecurity and Infrastructure Security Agency.
Guidance in response to recent sanctions
In the last week, the Biden administration imposed significant new sanctions targeting Russian assets, the Russian financial market, and Russian business dealings in response to Russia’s invasion of Ukraine. (See InfoBytes coverage here.) NYDFS reiterated that regulated entities should fully comply with U.S. sanctions on Russia, as well as Part 504 of its regulations regarding transaction monitoring and filtering. In order to comply with the new sanctions, NYDFS recommended that regulated entities take the following steps immediately:
- Monitor all communications from NYDFS, the U.S. Department of the Treasury, the Office of Foreign Assets Control (OFAC), and other federal agencies on a real-time basis to keep tabs on the latest developments
- Modify transaction monitoring and filtering programs as necessary to capture new sanctions as they are proposed
- Monitor all transactions, particularly trade finance transactions and funds transfers, and identify and interdict transactions prohibited by U.S. sanctions.
- Update OFAC compliance policies and procedures on a continuous basis to incorporate the recent sanctions and any new sanctions that may be imposed.
Updated virtual currency regulation guidance
NYDFS also cautioned that sanctioned entities may attempt to use virtual currency to evade sanctions. It said regulated entities must ensure they have “tailored policies, procedures, and processes to protect against the unique risks that virtual currency present” and are complying with the relevant state and federal laws, including the OFAC Sanctions Compliance Guidance for the Virtual Currency Industry and New York virtual currency regulation (23 NYCRR 200). Additionally, regulated entities should monitor the effectiveness of virtual currency-specific control measures, including sanctions lists, geographic screening, geolocation tools/IP address identification and blocking capabilities, and transaction monitoring and investigative tools, including blockchain analytics tools.
Buckley will continue to monitor the ongoing situation in Ukraine and provide updates in conjunction with significant developments.
If you have any questions regarding the NYDFS guidance or the recent Ukraine-related sanctions against Russia, please visit our Privacy, Cyber Risk & Data Security or Bank Secrecy Act/Anti-Money Laundering & Sanctions practice pages, or contact a Buckley attorney with whom you have worked in the past.
On December 9, NYDFS updated its FAQs regarding 23 NYCRR Part 500, which established cybersecurity requirements for banks, insurance companies, and other financial services institutions. (See InfoBytes coverage on 23 NYCRR Part 500 here.) New FAQ 41 addressed whether covered entities should use a cyber assessment framework as part of their risk assessment process as required by Sections 500.9 and 500.2(b). NYDFS clarified that while it “does not require a specific standard or framework for use in the risk assessment process," it expects covered entities “to implement a framework and methodology that best suits their risk and operations.” Commonly employed frameworks cited by NYDFS include the FFIEC Cyber Assessment Tool, the CRI Profile, and the NIST Cybersecurity Framework.
On December 7, NYDFS issued guidance on multi-factor authentication (MFA) to all regulated entities. According to NYDFS, “MFA weaknesses are the most common cybersecurity gap exploited at financial services companies,” affecting both large companies and small businesses. The regulator noted that, since the Cybersecurity Regulation (23 NYCRR Part 500) went into effect (covered by InfoBytes here), MFA failures have continued to impact both financial services entities and consumers. From January 2020 to July 2021, more than 18.3 million consumers were affected by reported cyber incidents involving covered entities’ MFA failures, according to NYDFS. NYDFS has also taken two enforcement actions in the past year against companies whose failure to implement MFA fully resulted in unauthorized access to nonpublic information. The New York banking regulator is increasing its review of MFA during examinations and will focus on searching for common MFA failures discussed in the guidance. Covered entities are advised to consider carefully the importance of MFA as they implement their risk-based cybersecurity programs. Under the Cybersecurity Regulation, MFA is required for remote access, and must “be implemented beyond that as necessary to ensure effective access controls based on a comprehensive risk assessment.” The guidance provides examples of common problems related to MFA as well as recommendations for preventing problems.
- Kathryn L. Ryan and Jedd R. Bellman to discuss “Risk and compliance management: Are you covered?” at a Mortgage Bankers Association webinar
- John R. Coleman to participate in a roundtable on current topics in administrative law at the C. Boyden Gray Center for the Study of the Administrative State at George Mason University
- Melissa Klimkiewicz and Daniel A. Bellovin to discuss “Things to know about flood insurance” at a NAFCU webinar
- Hank Asbill to discuss “Ethical issues at sentencing” at the 31st Annual National Seminar on Federal Sentencing
- Max Bonici will moderate a panel on “Enforcement risk and other regulatory and compliance issues related to crypto and digital assets” at the American Bar Association’s 2022 Annual Meeting
- John R. Coleman to provide a “CFPB Update” at MBA’s 2022 Regulatory Compliance Conference
- Amanda R. Lawrence to discuss “The shifting data privacy and data protection landscape” at MBA’s 2022 Regulatory Compliance Conference
- Jeffrey P. Naimon to provide an “Update on key fair lending cases and the CRA and UDAAP rules” at MBA’s 2022 Regulatory Compliance Conference
- Benjamin W. Hutten to discuss “Fundamentals of financial crime compliance” at the Practicing Law Institute
- Benjamin W. Hutten to discuss “Ongoing CDD: Operational considerations” at NAFCU’s Regulatory Compliance & BSA Seminar
- James C. Chou to discuss ransomware at NAFCU’s Regulatory Compliance & BSA seminar
- Elizabeth E. McGinn, Benjamin W. Hutten, and James C. Chou to discuss “The Evolving Regulatory Landscape: Third-party and cyber risk management” at the 2022 mWISE Conference
- James T. Parkinson to present a “Global anti-corruption update” at IBA’s annual conference