On January 26, New York Governor Kathy Hochul issued a proclamation establishing January 21-27, 2024, as Data Privacy Awareness Week in partnership with several state agencies, including NYDFS. Generally celebrated as Data Privacy Day, this is the first time the event has been expanded to an entire week. The proclamation addresses ways that citizens can protect their personal information against bad actors, and the week is designed to help “educate the public” and raise awareness of the importance of data privacy. The press release highlights how consumers can keep their personal information private and protect themselves, including: keeping applications up to date; using unique and complex passwords for every account; enabling multi-factor authentication on accounts and devices; exercising caution before opening unsolicited links in emails or messages; limiting the amount of personal data collected by websites; considering what personal information is shared on social media; setting up a virtual private network (VPN); and being careful when using public Wi-Fi networks.
On January 19, the Federal Reserve Board and NYDFS each issued separate enforcement actions against one of the largest banks in the world for alleged compliance deficiencies and violations under BSA/AML. The Fed issued its cease and desist order and ordered the bank to pay a civil money penalty of $2.4 million. The NYDFS also issued a similar consent order with a monetary penalty of $30 million.
According to the Fed’s order, an investigation into the bank’s practices determined that the New York branch lacked any formal policies or training on confidential supervisory information (CSI). Additionally, the order required the bank to submit a written plan to enhance internal compliance controls to the Fed, including designation of a CSI officer, among other requirements. According to NYDFS’s order, the bank previously entered into a 2018 cease and desist order with the Fed to address “significant deficiencies” in its compliance with BSA/AML requirements and OFAC regulations. NYDFS conducted an examination in 2022 and found that deficiencies cited in the 2018 order persisted for several more years. A subsequent examination in 2023 found that the bank had made significant efforts toward enhancing its compliance programs and successfully remediated prior deficiencies. Per this most recent order, NYDFS found that the bank’s BSA/AML program was not in compliance for several years; the bank failed to maintain appropriate accounting records; and the bank failed to submit a report after discovering the occurrence of “embezzlement, misapplication, larceny, forgery, fraud, [or] dishonesty[.]” The consent order stipulated several remediation requirements, including a status report to NYDFS on the bank’s BSA/AML compliance.
On January 22, NYDFS issued an industry letter titled “Guidance on Assessment of the Character and Fitness of Directors, Senior Officers, and Managers” for banks and other financial institutions (Covered Institutions) to notify them of NYDFS’s expectations. The final guidance came after a review process conducted over the past year where twenty comments indicated the need for Covered Institutions to build “robust character and fitness” policies. NYDFS asked that these Covered Institutions develop and maintain a framework to vet senior officials’ character and fitness during onboarding and on a regular basis.
According to the guidance, each Covered Institution is expected to “define sensitive issues, warning signs, and other indicators” that would be cause for concern. The depth and nature of the assessment is tailored to each institution, and the guidance does not prescribe a fixed review period, but NYDFS supplied a list of suggested questions for Covered Institutions to use as best practices for vetting key individuals. (These questions are not mandated.) NYDFS noted that Covered Institutions are expected to review materials related to the character and fitness assessment of key persons. The guidance’s appendix lists suggested questions, including whether the key person has reviewed and understood pertinent policies and whether the interviewee has ever been charged with or convicted of a crime, or has previously been sanctioned or censured by a securities regulator.
On January 17, NYDFS issued a guidance letter on artificial intelligence (AI) intended to help licensed insurers understand NYDFS’s expectations for combating discrimination and bias when using AI in connection with underwriting. The guidance is aimed at all insurers authorized to write insurance in New York State and is intended to help insurers develop AI systems, data information systems, and predictive models while “mitigat[ing] potential harm to consumers.”
The guidance letter states that while the use of AI can potentially result in more accurate underwriting and pricing of insurance, AI technology can also “reinforce and exacerbate” systemic biases and inequality. As part of the letter’s fairness principles, NYDFS states that an insurer should not use underwriting or pricing technologies “unless the insurer can establish that the data source or model… is not biased in any way” with respect to any class protected under New York insurance law. Further, insurers are expected to demonstrate that technology-driven underwriting and pricing decisions are supported by generally accepted actuarial standards of practice and based on actual or reasonably anticipated experience. The letter also notes that the guidance builds on Governor Hochul’s statewide policies governing AI.
On January 12, NYDFS announced that it had entered into a consent order with a digital currency trading company after an investigation that found the company responsible for compliance failures that violated NYDFS’s virtual currency and cybersecurity regulations, leaving the company vulnerable to illicit activity and cybersecurity threats.
NYDFS found that the company failed to meet its compliance obligations due to (i) deficiencies in the company’s AML program; (ii) failure to file compliant suspicious activity reports; (iii) failure to conduct required OFAC screening; and (iv) failure to maintain an adequate cybersecurity program. In connection with the settlement, the company will surrender its BitLicense (the license required of any company conducting virtual currency business in New York State) and pay an $8 million penalty.
On January 2, New York Governor Kathy Hochul revealed a proposed plan focused on consumer protection and affordability as the initial part of the Governor’s 2024 State of the State address. The plan includes changes to New York’s consumer protection laws, regulations for buy now pay later products, increased paid medical and disability leave benefits, measures to eliminate co-pays for insulin in specific insurance plans, and legislation addressing medical debt.
Changes to consumer protection laws would give the Attorney General more power to enforce the laws and help the state to address unfair and abusive business practices. Additionally, proposed legislation would require buy now pay later providers to obtain licenses and introduce regulations focusing on disclosure, dispute resolution, credit standards, fee limits, data privacy, and preventing excessive debt.
NYDFS also detailed Governor Hochul’s plan to update and broaden New York’s hospital financial assistance law to provide increased protection against medical debt. The proposed legislation aims to limit hospitals’ ability to sue low-income patients (earning less than 400 percent of the Federal Poverty Level) for medical debt and expand financial assistance programs. It also seeks to cap monthly payments and interest rates on medical debt while enhancing access to financial aid. This consumer protection and affordability plan builds on Governor Hochul and her administration’s efforts to make New York more affordable and livable.
On December 21, 2023, NYDFS released guidance for managing significant financial and operational risks associated with climate change for New York State-regulated banking and mortgage institutions. The guidance emphasized the importance of ensuring operational resilience, which it defines as “the ability to deliver operations, including critical operations and core business lines, through a disruption from any hazard.” Regulated organizations are encouraged to consider three key areas: 1) understanding climate-related financial risks; 2) prioritizing operational resilience; and 3) complying with consumer protection laws when adjusting risk frameworks for climate-related risks. NYDFS categorizes climate-related financial risks as either physical risks (such as hurricanes, floods, and wildfires) or transition risks arising from policy and regulation, adoption of new technologies, shifts in consumer and investor preferences, and changing liability risks, all of which can directly and indirectly affect financial institutions.
Regulated organizations are urged to consider potential impacts on at-risk communities while adapting their risk management approaches. NYDFS suggests they maintain reasonable, risk-based business strategies to prevent unnecessary market disruptions and comply with consumer protection laws and fair lending considerations at all times. The guidance suggests institutions also maintain fair lending practices while managing climate-related financial risks, and further suggests not divesting from low-income communities to manage risk.
NYDFS has not set a timeline for implementation of the guidance’s expectations, as it would like “to provide regulated organizations with sufficient opportunity to integrate consideration of climate-related financial and operational risks into their governance frameworks, organizational structures, business strategies and risk management processes in a proportionate manner.” To offer an overview of these documents and highlight key feedback themes, NYDFS has scheduled a webinar for January 11, 2024, at 11:30 am ET, for which interested parties can register. The Department also made additional resources available to aid organizations in implementing measures to address climate-related risks.
On December 7, the Supreme Court of the State of New York granted a motion to dismiss a challenge made to NYDFS’s check cashing regulation and ruled in favor of NYDFS. As previously covered in InfoBytes, the January regulation’s methodology capped the maximum percentage check cashing fee for most check types (social security, unemployment, emergency relief, veterans’ benefits) at 2.2 percent or $1, whichever is greater, and eliminated automatic fee increases based on CPI every year that had been in place since 2005.
Shortly after the rule took effect in June, several plaintiffs sued NYDFS alleging that the amended regulation was arbitrary and capricious, violated the purpose of the banking law, and was an unconstitutional property deprivation. The NY Supreme Court found that the amended regulation had a rational basis and was supported by the administrative record. Because NYDFS neither violated the NY state banking law nor the Administrative Procedures Act, the court further declared that the “amended regulation did not constitute a deprivation of property in the absence of either procedural or substantive due process.” Because the court dismissed the petition entirely in NYDFS’s favor, the court denied the plaintiffs’ motion for preliminary injunction as merely “academic.”
On November 27, NYDFS entered into a consent order with a title insurance company, which required the company to pay $1 million for failing to maintain and implement an effective cybersecurity policy and to correct a known cybersecurity vulnerability. The vulnerability allowed members of the public to access others’ nonpublic information, including driver’s license numbers, social security numbers, and tax and banking information. The consent order indicates the title insurance company discovered the vulnerability as early as 2018. The company’s failure to correct the vulnerability violated Section 500.7 of the Cybersecurity Regulation.
In May 2019, a cybersecurity journalist published an article on the vulnerability in the title insurance company’s application, which led to the public exposure of 885 million documents, some of them discoverable through search engine results. The journalist noted that “replacing the document ID in the web page URL… allow[ed] access to other non-related sessions without authentication.” Following the journalist’s article, and as required by Section 500.17(a) of the Cybersecurity Regulation, the title insurance company notified NYDFS of the vulnerability, at which point NYDFS investigated further. The title insurance company has been ordered to pay the penalty no later than ten days after the effective date of the order.
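The flaw the journalist describes, where changing the document ID in the URL returns another customer’s record with no login and no ownership check, is the textbook insecure direct object reference (IDOR), a form of broken access control. The following Python is an added illustration written for this page, not code from the title insurance company, from NYDFS, or from the journalist’s article; the document store, session table, and handler names are constructed. It shows a lookup-by-ID handler with the defect beside a hardened version, and a small enumeration loop that walks sequential IDs the way the exposed site could be walked.

```python
"""IDOR on a document-by-ID endpoint: vulnerable handler, hardened handler,
and a sequential-ID enumeration that shows the difference.
Added example with constructed data; not the insurer's or NYDFS's code."""
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner: str
    body: str


# Constructed sample store. Sequential integer IDs mirror the kind of
# guessable reference the exposed site used in its URLs.
DOCS = {
    1001: Document(1001, "alice", "escrow wire instructions (alice)"),
    1002: Document(1002, "bob", "SSN and bank account details (bob)"),
}

# Constructed session table: bearer token -> authenticated username.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


class AccessDenied(Exception):
    """Raised by the hardened handler for anonymous or non-owner requests."""


def fetch_document_vulnerable(doc_id: int,
                              session_token: Optional[str] = None) -> Optional[Document]:
    # Defect: the ID from the URL is the only input to the lookup.
    # Neither authentication nor ownership is checked, so any visitor who
    # increments the number in the URL reads someone else's record.
    return DOCS.get(doc_id)


def fetch_document_hardened(doc_id: int,
                            session_token: Optional[str]) -> Document:
    # 1. Authenticate: an anonymous request never reaches the data store.
    user = SESSIONS.get(session_token or "")
    if user is None:
        raise AccessDenied("authentication required")
    # 2. Authorize on the object: the caller must own this specific record.
    #    "missing" and "not yours" return the same error so that the
    #    response cannot be used to confirm which IDs exist.
    doc = DOCS.get(doc_id)
    if doc is None or doc.owner != user:
        raise AccessDenied("not found")
    return doc


def enumerate_ids(fetch: Callable[..., Optional[Document]],
                  start: int, count: int,
                  session_token: Optional[str] = None) -> List[int]:
    """Simulate the attack: request a run of sequential IDs through the given
    handler and return the IDs whose contents came back."""
    leaked = []
    for doc_id in range(start, start + count):
        try:
            doc = fetch(doc_id, session_token)
        except AccessDenied:
            continue
        if doc is not None:
            leaked.append(doc.doc_id)
    return leaked


if __name__ == "__main__":
    print("anonymous vs vulnerable:", enumerate_ids(fetch_document_vulnerable, 1000, 5))
    print("anonymous vs hardened:  ", enumerate_ids(fetch_document_hardened, 1000, 5))
    print("alice vs hardened:      ", enumerate_ids(fetch_document_hardened, 1000, 5, "tok-alice"))
```

The check that matters is the per-object ownership comparison in the hardened handler; requiring a login alone would still let any logged-in customer read every other customer’s file. Replacing sequential IDs with random, unguessable references slows enumeration and is worth doing, but it is defence in depth rather than a substitute for the authorization check, because a reference that leaks once (in a log, a referer header, or a search engine index) stays valid.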
On November 15, NYDFS announced new regulatory guidance adopting requirements for the coin-listing and coin-delisting policies of DFS-regulated virtual currency entities, updating its 2020 framework for each policy. After considering public comments, the new guidance aims to enhance standards for self-certification of coins and includes requirements for risk assessment, advance notification, and governance. It emphasizes stricter criteria for approving coins and mandates adherence to safety, soundness, and consumer protection principles. Virtual currency entities must comply with these guidelines, obtaining DFS approval of their coin-listing policies before self-certifying coins and submitting detailed records for ongoing compliance review. The guidance also outlines procedures for delisting coins and requires virtual currency entities to have an approved coin-delisting policy.
As an example under coin listing policy framework, the letter states that a virtual currency entity risk assessment must be tailored to a virtual currency entity's business activity and can include factors such as (i) technical design and technology risk; (ii) market and liquidity risk; (iii) operational risk; (iv) cybersecurity risk; (v) illicit finance risk; (vi) legal risk; (vii) reputational risk; (viii) regulatory risk; (ix) conflicts of interest; and (x) consumer protection. Regarding consumer protection, NYDFS says that virtual currency entities must “ensure that all customers are treated fairly and are afforded the full protection of all applicable laws and regulations, including protection from unfair, deceptive, or abusive practices.”
Similar to the listing policy framework, the letter provides a detailed delisting policy framework. The letter also stated that all virtual currency entities must meet with DFS by December 8 to preview their draft coin-delisting policies, and that final policies must be submitted to DFS for approval by January 31, 2024.