Skip to main content
Menu Icon
Close

InfoBytes Blog

Financial Services Law Insights and Observations

Filter

Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.

  • New York to coordinate state cybersecurity efforts

    Privacy, Cyber Risk & Data Security

    On February 22, New York Governor Kathy Hochul announced the creation of the Joint Security Operations Center (JSOC) to coordinate state efforts to anticipate potential cybersecurity threats and respond to security incidents. Calling the center the “first-of-its-kind” in the U.S., Houchel stated that JSOC “will serve as the nerve center for joint local, state and federal cyber efforts, including data collection, response efforts and information sharing,” and will strengthen the state’s ability to protect New York institutions, infrastructure, citizens, and public safety by bringing together security teams from city and regional governments, critical businesses and utilities, and state agencies. JSOC will also host cyber trainings and exercises in the upcoming months and “will help participating entities respond to potential issues and elevate systemic trends that may have otherwise gone undetected.”

    Privacy/Cyber Risk & Data Security State Issues New York

  • District Court says NY champerty statute bars RMBS suit

    Courts

    On February 8, the U.S. District Court for the Southern District of New York issued an opinion granting in part and denying in part defendants’ motion for summary judgment and denying plaintiffs’ motions for partial summary judgment in parallel actions concerning pre-2008 residential mortgage-back securities (RMBS) trusts. In both cases, plaintiffs—RMBS certificateholders—filed suit alleging breaches of contractual, fiduciary, statutory, and common law duties with respect to certificates issued by RMBS trusts for which two of the defendants’ units served as trustee. Both plaintiffs alleged that the defendants failed to follow through on obligations to monitor the pre-2008 RMBS trusts that they administered. However, the court partially ruled in favor of the defendants, concluding that one set of plaintiffs could not avoid their loss in an RMBS trustee case brought against a different national bank, in which the court deemed the plaintiffs lacked a valid legal right to sue. In that matter, the U.S. Court of Appeals for the Second Circuit issued an opinion last October, agreeing with a different New York judge that “found the assignments champertous under New York law, rendering them invalid and leaving Plaintiffs without standing.” According to the 2nd Circuit, district court findings showed it was clear that the assignments were champertous “as they were made ‘with the intent and for the primary purpose of bringing a lawsuit.’”

    The district court noted that the assignments of all the claims in the current matter were essentially identical to the issue already decided by the 2nd Circuit, and saw sufficient overlap to find the plaintiffs’ vehicles “collaterally estopped” from relitigating the issues of prudential standing and champerty. “The issues decided by the court of appeals relating to champerty and prudential standing are dispositive of the present action,” the court wrote. “Without prudential standing, the [] plaintiffs cannot assert claims arising out of the certificates and the entire [] action must be dismissed.” With respect to the other set of plaintiffs, while the court allowed certain claims to stand, it declined to grant any portion of the joint partial summary judgment related to the defendants’ alleged responsibilities as trustee, ruling that plaintiffs must prove those claims at trial.

    Courts RMBS Mortgages Champerty Appellate Second Circuit New York State Issues

  • NYDFS concerned with CFPB’s small business loan data collection proposal

    Agency Rule-Making & Guidance

    On January 6, NYDFS issued a comment letter responding to the CFPB’s Notice of Proposed Rulemaking (NPRM), “Small Business Lending Data Collection under the Equal Credit Opportunity Act (Regulation B).” The NPRM—mandated under Section 1071 of the Dodd-Frank Act—would require a broad swath of lenders to collect data on loans they make to small businesses, including information about the loans themselves, the characteristics of the borrower, and demographic information regarding the borrower’s principal owners. This information would be reported annually to the Bureau, and eventually published by the Bureau on its website, with some potential modifications. According to the Bureau, the statute’s stated intent is to “facilitate enforcement of fair lending laws and enable communities, governmental entities, and creditors to identify business and community development needs and opportunities of women-owned, minority-owned, and small businesses.” (Covered by a Buckley Special Alert.)

    In its comment letter, NYDFS discussed its responsibilities for examining state-chartered banking institutions’ compliance with the New York Community Reinvestment Act (NYCRA), New York Banking Law § 28-b, which NYDFS noted largely mirrors the current federal Community Reinvestment Act (CRA). Additionally, NYDFS stated that it examines regulated institutions for compliance with state fair lending requirements and agreed with the Bureau that “collecting critical information about minority- and women-owned businesses (MWOBs) to address fair lending concerns and allow financial institutions to identify gaps in the market” is an important goal. To that end, NYDFS is in the process of implementing its own MWOB data collection regulation under the NYCRA, which would require New York state-chartered banking institutions to start collecting MWOB-related data. (Covered by InfoBytes here.) Due to similarities between the proposed regulation and the Bureau’s NPRM, and to avoid imposing an undue burden on institutions covered by both regulations, NYDFS’s proposed regulation includes language that would “permit, but not obligate, NYDFS to treat compliance with the CFPB’s rule implementing Section 1071 as compliance with the NYCRA’s MWOB-related data collection regulation.”

    Two specific issues were raised in response to the Bureau’s NPRM. First, NYDFS expressed concerns about the NPRM’s silence as to whether the Bureau intends to share more detailed data with state regulators to help states identify fair lending violations and enforce anti-discrimination laws, even if this information is not made available to the public. NYDFS urged the Bureau to include specific language stating it “may share all data submitted by financial institutions with state regulators in accordance with information sharing agreements between the CFPB and the state regulators.” Second, NYDFS asked the Bureau to reconsider its proposal to require data collection only for MWOBs with a threshold of $5 million or less in gross annual revenue. In particular, NYDFS warned of the risk of “dissimilarity in data collected by lenders for submission to the CFPB and the NYDFS” as NYDFS’s proposed regulation “requires evaluation of MWOB lending without respect to size.” NYDFS stressed that this dissimilarity “may prevent the NYDFS from deeming compliance with the CFPB regulation sufficient to comply with the NYDFS regulation.”

    Agency Rule-Making & Guidance CFPB Section 1071 Small Business Lending NYDFS ECOA State Issues State Regulators New York

  • NYDFS puts CFDL compliance obligations on hold

    State Issues

    On December 31, NYDFS announced that providers’ compliance obligations under the state’s Commercial Finance Disclosure Law (CFDL) will not take effect until the necessary implementing regulations are issued and effective. The CFDL was enacted at the end of December 2020, and amended in February 2021, to expand coverage and delay the effective date to January 1, 2022. (See S5470-B, as amended by S898.) Under the CFDL, providers of commercial financing, which include persons and entities who solicit and present specific offers of commercial financing on behalf of a third party, are required to give consumer-style loan disclosures to potential recipients when a specific offering of finance is extended for certain commercial transactions of $2.5 million or less. In October 2021, NYDFS published a notice announcing a proposed regulation (23 NYCRR 600) to implement the CFDL, which provided that the compliance date for the final regulation will be six months after the final adoption and publication of the regulation in the State Register (covered by InfoBytes here). Comments on the proposed regulation were due December 19. NYDFS noted in its announcement that “[i]n light of the significant feedback received, the Department is carefully considering the comments received and intends to publish a revised proposed regulation for notice-and-comment early in the new year.”

    State Issues Bank Regulatory NYDFS Commercial Finance CFDL Compliance New York Agency Rule-Making & Guidance

  • New York AG alerts companies on “credential stuffing” cyberattacks

    State Issues

    On January 5, the New York attorney general issued a report, which highlights the results of an investigation into “credential stuffing.” The investigation discovered over 1.1 million online accounts compromised in cyberattacks at 17 well-known companies. The report, Business Guide for Credential Stuffing Attacks, details attacks, which involve repeated, automated attempts to access online accounts using usernames and passwords stolen from other online services, and provides recommendations on how business can protect themselves. Through credential stuffing, which is one of the most common forms of cyberattacks, offenders utilize automated software to reuse stolen usernames and passwords, relying on the human tendency to reuse the same credentials to access various online accounts and platforms. The AG’s office launched the investigation “in light of the growing threat of credential stuffing,” and monitored several online communities dedicated to credential stuffing. According to the report, the office discovered thousands of posts that had customer login credentials that were tested by hackers in a credential stuffing attack and found that the information could be used to access other accounts. From these posts, the office compiled credentials to compromised accounts at seventeen companies, which consisted of online retailers, restaurant chains, and food delivery services, and collected credentials for over 1.1 million customer accounts, all of which seemed to have been compromised. After alerting the companies regarding the compromised accounts and urging them to investigate and take protective action, every company did so. The report recommended that businesses maintaining online accounts have a data security program, including effective safeguards for protecting customers from credential stuffing attacks in four areas: (i) defending against credential stuffing attacks; (ii) detecting a credential stuffing breach; (iii) preventing fraud and misuse of customer information; and (iv) responding to a credential stuffing incident. Specifically, three safeguards considered to be “highly effective” at defending against credential stuffing attacks were bot detection services, multi-factor authentication, and password-less authentication. The report also recommended that companies require reauthentication at the time of a purchase. Additionally, “[b]usinesses should have a written incident response plan that includes processes for responding to credential stuffing attacks” and notification to affected parties.

    State Issues New York Investigations State Attorney General Privacy/Cyber Risk & Data Security

  • District Court temporarily halts enforcement of New York’s user data-sharing ordinances

    Privacy, Cyber Risk & Data Security

    On December 27, the U.S. District Court for the Southern District of New York issued a stipulation and order in a consolidated action, temporarily reprieving three delivery app companies from complying with New York City’s Administrative Code §§ 20-847.3 and 20-563.7 (collectively, “the ordinances”). The amended complaint contends that the ordinances “create an unconstitutional, privacy-infringing, data-disclosure requirement pursuant to which third-party food-ordering and delivery platforms. . . must divulge, against their will, sensitive, proprietary customer information,” including full names, phone numbers, email addresses, delivery addresses, and order contents to New York City restaurants “regardless of whether that restaurant maintains any security infrastructure, and regardless of whether the customer has expressly consented to their personal information being so shared.” According to the plaintiffs, the ordinances “state that customers are presumed to have consented to this dangerous flow of their information unless they specifically opt out for each and every order they place, contrary to the common view that opt-out requests should be valid for at least several months.” The plaintiffs allege, among other things, that the ordinances are preempted by New York State’s Right of Privacy and violate delivery app companies’ First Amendment rights.

    Notably, while New York City “has agreed to stay enforcement of the Challenged Laws pending final determination by this Court resolving, or disposing of, this action in exchange for Plaintiff’s agreement not to file a motion for a preliminary injunction,” the stipulation and order is not an indefinite agreement to stop enforcement of the ordinances.

    Privacy/Cyber Risk & Data Security Courts New York State Issues Consumer Protection

  • New York reduces judgment interest on debts

    State Issues

    On December 31, the New York governor signed S5724A, which amends the civil practice law and rules relating to the rate of interest applicable to money judgments arising out of consumer debt. Specifically, the bill provides that the interest rate that can be charged on unpaid money judgments is 2 percent and applies to judgments involving consumer debt, which is defined as “any obligation or alleged obligation of any natural person to pay money arising out of a transaction in which the money, property, insurance or services which are the subject of the transaction are primarily for personal, family or household purposes […], including, but not limited to, a consumer credit transaction, as defined in [section 105(f) of the civil practice law and rules].” The bill is effective April 30.

    State Issues New York State Legislation Consumer Finance Debt Collection Interest

  • New York AG settlement cancels debt

    State Issues

    On December 29, the New York attorney general announced a settlement with a New York-based off-campus private student housing provider (respondent) for allegedly deceiving hundreds of students, primarily at a New York state college, since 2019. According to the assurance of discontinuance, the respondent, among other things: (i) routinely collected interested students’ information; (ii) persuaded students to sign leases without first determining certain qualifications; (iii) denied students access to housing; (vi) alleged students owed thousands in rent; and (v) referred students to debt collectors. The respondent also allegedly charged students excess rent and fees and disclosed to some students that they could get out of their lease if they found another student to take it over, but then unlawfully charged a $300 “delegation” fee. The respondent allegedly at times permitted some students to prepay rent if it believed they did not meet certain qualification criteria, in violation of state rent laws, and charged certain students excessive late fees for each month of rent that was not timely paid. The terms of the settlement cancels more than $200,000 in improper debts, recovers $65,958 in restitution, and imposes a $50,000 civil penalty on the respondent. The settlement also prohibits the respondent from committing fraudulent and predatory practices in the future.

    State Issues Debt Collection State Attorney General New York Consumer Finance

  • New York establishes task force for private student loan refinance

    State Issues

    On December 22, the New York governor signed SB 2767, which established a private student loan refinance task force. Among other things, the bill created the task force to study and report on ways lending institutions offering private student loans to graduates of institutions of higher education can be encouraged to create student loan refinancing programs. According to the bill, the private student loan refinance task force is instructed to issue a report of its findings and recommendations to the New York governor, the temporary president of the senate, and the speaker of the assembly. The bill is effective immediately and will expire on January 1, 2023.

    State Issues State Legislation Student Lending New York

  • New York AG warns mortgage servicers of obligation to help homeowners affected by Covid-19

    State Issues

    On December 13, New York Attorney General Letitia James sent a letter warning mortgage servicers operating in the state of their obligation to help homeowners impacted by the Covid-19 pandemic. The letter, which was also sent to mortgage industry trade associations, reiterated that mortgage servicers are expected to comply with New York law and federal regulations and guidelines when providing long-term relief to affected homeowners. James also announced “that the Office of the Attorney General’s (OAG) Mortgage Enforcement Unit (MEU) will be helping to oversee the distribution of New York state’s Homeowner Assistance Fund (HAF) announced last week by New York Governor Kathy Hochul.” According to the letter, HAF funds “may be used to pay off arrears or reduce mortgage principal so that homeowners can qualify for an affordable loan modification.” However, James stressed that these funds “must supplement rather than replace the mortgage industry’s own efforts,” adding that mortgage servicers must “play their part by offering homeowners all available loss mitigation options before that homeowner seeks an outside HAF grant, in order to help the program save as many homes as possible.” MEU will contact the mortgage industry, including New York legal services and housing counseling agencies, to provide additional information on the HAF application process. MEU will also be responsible for reviewing HAF applications to determine whether homeowners have been presented all available and affordable loan modification options.

    James’ announcement stated that mortgages servicers are also expected to comply with streamlined modification programs offered by various federal agencies, Fannie Mae, and Freddie Mac, and must also “provide comparable relief (pursuant to New York state Banking Law § 9-x and New York’s mortgage servicing regulations) to homeowners whose mortgages are owned by private investors through private label securities or by banks in their own portfolios.” Mortgage servicers should also prepare for surges in requests for assistance, and will be held responsible for staffing shortages and poor customer communications, James warned. She noted in her letter that the OAG is “currently investigating whether certain servicers of privately-owned mortgages have failed to offer homeowners the forbearance relief and post-forbearance modifications required by New York Banking Law § 9-x,” and emphasized that the OAG “will continue to monitor compliance and initiate enforcement actions against individual mortgage servicers as needed to protect New York homeowners.”

    State Issues State Attorney General Mortgages Mortgage Servicing Covid-19 New York Consumer Finance

Pages

Upcoming Events