On September 14, NYDFS published a notice of proposed rulemaking under New York’s Commercial Financing Disclosure Law (CFDL) related to disclosure requirements for certain providers of commercial financing transactions in the state. As previously covered by InfoBytes, the CFDL was enacted at the end of December 2020, and amended in February to expand coverage and delay the effective date. (See S5470-B, as amended by S898.) Under the CFDL, providers of commercial financing, which include persons and entities who solicit and present specific offers of commercial financing on behalf of a third party, are required to give consumer-style loan disclosures to potential recipients when a specific offering of finance is extended for certain commercial transactions of $2.5 million or less. Last December, NYDFS announced that providers’ compliance obligations under the CFDL will not take effect until the necessary implementing regulations are issued and effective (covered by InfoBytes here).
The newest proposed regulations (see Assessment of Public Comments for the Revised Proposed New Part 600 to 23 NYCRR) introduce several revisions and clarifications following the consideration of comments received on proposed regulations published last October (covered by InfoBytes here). Updates include:
- A new section stating that a “transaction is subject to the CFDL if one of the parties is principally directed or managed from New York, or the provider negotiated the commercial financing from a location in New York.”
- A new section requiring notice be sent to a recipient if a change is made to the servicing of a commercial financing agreement.
- A revised definition of “recipient” to now “include entities subject to common control if all such recipients receive the single offer of commercial financing simultaneously.”
- Clarifying language stating that the “requirements pertaining to the statement of a rate of finance charge or a financing amount, as that term appears in Section 810 of the CFDL, shall be in effect only upon the quotation of a specific commercial financing offer.”
- Provisions allowing providers to perform calculations based upon either a 30-day month/360-day year or a 365-day year, with the acknowledgment that different methods of computation may lead to slightly different results.
- An amendment stating that “a ‘provider is not required to provide the disclosures required by the CFDL when the finance charge of an existing financing is effectively increased due to the incurrence, by the recipient, of avoidable fees and charges.’”
- An acknowledgement of comments asking that 23 NYCRR Part 600 be identical to California’s disclosure requirements (covered by InfoBytes here) “or as consistent as possible.” In response, NYDFS said that while it generally agrees, and has consulted with the California Department of Financial Protection and Innovation (DFPI), the regulations cannot be identical because the CFDL differs from the California Consumer Financial Protection Law and the Department cannot anticipate any future revisions DFPI may make to its proposed regulations.
Comments on the proposed regulations are due October 31.
Special Alert: NYDFS fines trading platform for BSA/AML, transaction monitoring, and cybersecurity lapses
The New York Department of Financial Services and a trading platform on Aug. 1 entered into a consent order to resolve deficiencies identified during a 2019 examination and a subsequent investigation by the department’s enforcement section. The consent order focused on deficiencies related to Bank Secrecy Act and anti-money-laundering compliance, transaction monitoring, cybersecurity, and related New York certifications of compliance. The company will pay a $30 million civil monetary penalty and retain an independent consultant that will assist with remediating the issues highlighted in the order and report to NYDFS on remediation progress.
The consent order has far-reaching implications for all financial services companies that come under the jurisdiction of the NYDFS.
The trading platform is a wholly owned subsidiary of a financial services company that offers U.S.-based retail investors the ability to trade stocks, options, and cryptocurrency on a commission-free basis through its broker-dealer subsidiary. The trading platform is licensed by the NYDFS to engage in virtual currency and money transmitter businesses in New York. Of primary concern for the NYDFS was the platform’s alleged reliance on its parent company’s compliance and cybersecurity programs through enterprisewide systems that the NYDFS found to be inadequate. Additionally, according to NYDFS, the platform allegedly had few to no qualified personnel or management involved in overseeing those programs, which NYDFS has implicitly indicated cannot be outsourced.
On August 2, NYDFS announced a consent order imposing a $30 million fine against a trading platform for alleged violations of the Department’s Virtual Currency Regulation (23 NYCRR Part 200), Money Transmitter Regulation (3 NYCRR Part 417), Transaction Monitoring Regulation (3 NYCRR Part 504), Cybersecurity Regulation (23 NYCRR Part 500), and for failing to maintain adequate Bank Secrecy Act/anti-money laundering (BSA/AML) obligations. According to a Department investigation, the platform’s BSA/AML compliance program contained significant deficiencies, including an inadequate transaction monitoring system. Among other things, the platform failed to timely transition its manual system to an automated transaction monitoring system, which was unacceptable for a program of its size, customer profiles, and transaction volumes, and did not devote sufficient resources to adequately address risks. The Department also found “critical failures” in the platform’s cybersecurity program, which failed to address operational risks, and that specific policies within the program did not fully comply with several provisions of the Department’s cybersecurity and virtual currency regulations. According to the press release, pursuant to NYDFS’s Transaction Monitoring Regulation and Cybersecurity Regulation, companies should only file a Certificate of Compliance with the Department if their programs are fully compliant with the applicable regulation.
In light of the program’s deficiencies, NYDFS stated that the platform’s 2019 certifications to the Department attesting to compliance with these regulations should not have been made and thus violated the law. The platform also “failed to comply with the Supervisory Agreement by failing to promptly notify the Department of (a) actual or material potential actions, proceedings, or similar process that were or may have been instituted against [the platform] or any affiliated entity by any regulatory body or governmental agency; and (b) of the receipt by [the platform], or any affiliated entity, of any subpoena from any regulatory body or governmental agency in which [the platform], or any affiliated entity, was the target of the investigation.” NYDFS determined that in addition to the penalty, the platform will be required to retain an independent consultant that will perform a comprehensive evaluation of its compliance with the Department’s regulations and the platform’s remediation efforts with respect to the identified deficiencies and violations.
A Buckley Special Alert is forthcoming.
On July 15, New York’s governor signed S9348, directing the superintendent of NYDFS to conduct a study of overdraft fees in the state. (See also NYDFS press release here.) The study will examine, among other things: (i) the total amount of overdraft fees paid in the state; (ii) the geographical distribution of these fees; (iii) whether certain communities have higher rates of overdraft fees than others and the possible reason for such high rates; (iv) “the percentage of overdraft fees reduced through direct or indirect negotiation”; and (v) the enumeration of consumer rights related to overdraft fee negotiations. The results of the study are to be delivered within one year to the governor, the temporary president of the senate, and the speaker of the assembly. The act is effective immediately.
On July 13, NYDFS called on all federal student loan servicers to increase awareness of and enroll borrowers in public service loan forgiveness programs before a temporary waiver expires on October 31. NYDFS’s letter reminded servicers that under the Public Service Loan Forgiveness (PSLF) program, full-time government and certain non-profit employees may be eligible to have federal direct loans forgiven after making 120 qualifying monthly payments. Last October, the Department of Education announced temporary PSLF changes due to the Covid-19 pandemic. These changes provided qualifying borrowers a time-limited PSLF waiver, which allows all payments to count towards PSLF regardless of loan program or payment plan (covered by InfoBytes here). Expressing concerns that many borrowers may not learn of this opportunity before it expires in October, NYDFS encouraged servicers to adopt eight best practices to promote awareness of the PSLF Program and the waiver. These include “enhanced trainings for customer service staff, proactive communications with borrowers, and increased promotion of the PSLF program on servicer websites and on borrower account pages,” NYDFS said in its announcement.
The letter follows a December 2021 NYDFS request sent to federal student loan servicers asking for updates on steps taken to address the waived rules. NYDFS also reminded servicers that it “will diligently enforce all servicer legal requirements concerning the PSLF program and will consider the extent to which servicers engaged in proactive measures to promote the PSLF Waiver in future supervisory examinations.”
On July 12, NYDFS issued guidance in an industry letter to regulated banking institutions, calling into question bank practices that can cause consumers to receive multiple overdraft and non-sufficient funds (NSF) fees from a single transaction. The industry letter identifies three specific types of fee practices as unfair or deceptive:
- Charging overdraft fees for “authorize positive, settle negative” transactions, where consumers are charged an overdraft fee even if they have sufficient money in their account when a bank approves a transaction, but the balance is negative when the payment is settled. Per NYDFS, imposing an overdraft fee in this situation is unfair because, among other things, consumers “have no control over or involvement in” when or how their debit transactions get settled.
- Charging “double fees” to consumers for a failed overdraft protection plan transfer, which occurs when a bank goes to transfer money from one deposit account to another deposit account to cover an overdraft transaction, but the first account lacks sufficient funds to cover the overdraft. Per NYDFS, double fees injure consumers “by imposing fees for a transfer that provides no value to the consumer and is not reasonably avoidable by consumers, who have no reason to expect that they will be charged a fee for an overdraft protection transfer that does not in fact protect them against an overdraft.”
- Charging NSF representment fees when a merchant tries several times to process a transaction that is deemed an overdraft and the bank charges a fee for each blocked representment without adequate disclosure. Banks that currently charge multiple NSF fees should “make clear, conspicuous, and regular disclosure to consumers that they may be charged more than one NSF fee for the same attempted debit transaction,” NYDFS stated. Additionally, banks are advised to consider other steps to mitigate the risk that consumers are charged multiple NSF fees, including limiting time periods for when multiple NSF fees may be charged, performing periodic manual reviews to identify instances of multiple NSF Fees, and offering refunds to affected consumers. NYDFS “ultimately expects [i]nstitutions will not charge more than one NSF fee per transaction, regardless of how many times that transaction is presented for payment,” the industry letter said.
NYDFS informed regulated entities that it will evaluate whether they “are engaged in deceptive or unfair practices with respect to overdraft and NSF fees in future Consumer Compliance and Fair Lending examinations.”
On June 24, NYDFS announced a consent order imposing a $5 million fine against a group of Florida-based cruise lines for alleged violations of the state’s Cybersecurity Regulation (23 NYCRR Part 500). According to a Department investigation, the companies were subject to four cybersecurity incidents between 2019 and 2021 (including two ransomware attacks). The companies determined that unauthorized parties gained access to employee email accounts, and that, through a series of phishing emails, the parties were able to access email and attachments containing personal information belonging to the companies’ consumers and employees. NYDFS claimed that although the companies were aware of the first cybersecurity event in May 2019, they failed to notify the Department as required under 23 NYCRR Part 500 until April 2020. The investigation further showed that the companies allegedly failed to implement multi-factor authentication and did not provide adequate cybersecurity training for their personnel. NYDFS determined that in addition to the penalty, since the companies were licensed insurance producers in the state at the time of the cybersecurity incidents they would be required to surrender their insurance provider licenses.
The settlement follows a $1.25 million data breach settlement reached with 45 states and the District of Columbia on June 22 (covered by InfoBytes here).
On June 15, NYDFS issued a proposed check cashing regulation following an emergency regulation announced in February that halted annual increases on check-cashing fees and locked the current maximum fee set last February at 2.27 percent (covered by InfoBytes here). The proposed regulation establishes a new fee methodology which evaluates the needs of licensees and consumers who use check cashing services. Two tiers of fees for licensed check cashers are recommended: (i) the maximum fee that a check casher may charge for a public assistance check issued by a federal or state government agency (including checks for Social Security, unemployment, retirement, veteran’s benefits, emergency relief, housing assistance, or tax refunds) is set at 1.5 percent; and (ii) the maximum fee a check casher is permitted to charge for all other checks, drafts, or money orders is $1 or 2.2 percent, whichever is greater. NYDFS added that starting January 31, 2027 (and annually every five years thereafter), licensed check cashers may request an increase in the maximum fees established. Comments on the proposed regulation will be accepted for 60 days.
On June 8, NYDFS released new regulatory guidance on the issuance of U.S. dollar-backed stablecoins, establishing criteria for regulated virtual currency companies seeking to issue stablecoins in the state. The guidance outlines baseline criteria for USD-backed stablecoins, including that: (i) a “stablecoin must be fully backed by a Reserve of assets,” such that the Reserve’s market value “is at least equal to the nominal value of all outstanding units of the stablecoin as of the end of each business day”; (ii) stablecoin issuers “must adopt clear, conspicuous redemption policies, approved in advance by [NYDFS] in writing, that confer on any lawful holder of the stablecoin a right to redeem units of the stablecoin from the Issuer in a timely fashion at par for the U.S. dollar”; (iii) Reserve assets must be segregated from an issuer’s proprietary assets and “held in custody with U.S. state or federally chartered depository institutions and/or asset custodians”; (iv) a Reserve must consist of specific assets subject to NYDFS-approved overcollateralization requirements and restrictions; and (v) a Reserve must undergo an examination of its management’s assertions at least once a month by a licensed certified public accountant.
NYDFS emphasized that these criteria are not the only requirements it may impose when issuing stablecoins, and informed regulated entities that it will also consider a range of potential risks prior to granting a regulated entity authorization to issue stablecoins. This includes risk related to “cybersecurity and information technology; network design and maintenance and related technology and operational considerations; Bank Secrecy Act/anti-money-laundering and sanctions compliance; consumer protection; safety and soundness of the issuing entity; and the stability/integrity of the payment system, as applicable.” Additional requirements may be imposed on regulated entities to address any of these risks.
NYDFS noted that the regulatory guidance is not applicable to USD-backed stablecoins listed, but not issued, by regulated entities, and stated it “does expect regulated entities that list USD-backed stablecoins to consider this guidance when submitting a request for coin issuance or seeking approval for a coin self-certification policy.”
On May 20, NYDFS Superintendent Adrienne A. Harris emphasized the role regulation plays in protecting consumers from cybercriminals in the virtual currency marketplace. According to Harris, NYDFS is committed to mitigating risks in this space by guarding against sanctions evasion and illicit activity and making sure corporate infrastructure and consumer data are well protected from bad actors. Harris stressed that NYDFS “will continue to improve upon [its] regulation and supervision; engage with key stakeholders on important trends and issues; collaborate with state, federal and international regulators; and strive to be a forward-looking, innovative regulator, including through [its] VOLT initiative,” which supports the department’s efforts to increase transparency and enhance supervision related to virtual currency.