On June 30, NYDFS announced new guidance for preventing ransomware attacks. In the guidance, NYDFS identified cybersecurity controls that decrease the risk of a ransomware attack. In examining ransomware incidents reported by its regulated entities over the past year and a half, NYDFS observed that incidents follow a similar pattern where “hackers enter a victim’s network, obtain administrator privileges once inside, and then use those elevated privileges to deploy ransomware, avoid security controls, steal data, and disable backups.” Following guidance from the Federal Bureau of Investigation, NYDFS recommended that companies avoid making ransomware payments if their networks are compromised. NYDFS also urged all regulated entities to prepare for a ransomware attack by implementing measures such as: (i) training employees in cybersecurity awareness; (ii) implementing a vulnerability and patch management program; (iii) utilizing multi-factor authentication and strong passwords; (iv) using monitoring and response to detect intruders; and (v) having a ransomware-specific incident response plan. NYDFS Superintendent Linda A. Lacewell noted that “[c]ybercriminals are not only extorting individual companies but also jeopardizing the stability of the financial services industry.”
On June 29, NYDFS announced settlements with two New York banks to resolve allegations that the banks violated New York Executive Law § 296-a while engaged in indirect automobile lending. NYDFS alleged that the banks’ practices resulted in members of protected classes paying higher interest rates that were not based on creditworthiness. According to NYDFS, the banks failed to monitor “dealers that were charging members of protected classes, namely race and ethnicity, more in discretionary Dealer Markups than borrowers identified as non-Hispanic White.”
Under the terms of the first consent order, the bank—which had voluntarily discontinued its indirect auto lending program in November 2017—agreed to pay a $275,000 civil money penalty, provide restitution to eligible impacted borrowers, and make a $50,000 contribution to local community development organizations. The second bank agreed to “move to a flat-fee business model in connection with indirect auto lending,” provide restitution to impacted borrowers, and undertake fair lending compliance remediation efforts to increase its monitoring of dealers participating in its indirect auto lending program. The consent order also requires the payment of a $350,000 civil money penalty.
On June 14, NYDFS and a coalition of 12 state attorneys general led by the California attorney general submitted separate letters (see here and here) in response to a request for input by Acting SEC Chair Allison Herren Lee, providing recommendations on disclosing information on climate change risks that entities are facing. Among other things, NYDFS recommends that the SEC: (i) make disclosures reliable, balanced, understandable, consistent over time, comparable among institutions within a sector, and provided in a timely manner; (ii) provide disclosure of the corporate governance and board oversight relating to climate-related issues and risks, such as policies, procedures, internal controls, and management information systems; (iii) disclose how an institution identifies, assesses, monitors, and manages climate-related risks and how such risks are integrated; and (iv) encourage agencies to take an equitable approach “that reflects each institution’s exposure to climate risks and the nature, scale, size, and complexity of its business.” NYDFS notes that “[d]eveloping and managing standards related to the disclosure of risks related to climate change requires collaboration among state and federal regulators and the industries that they regulate.”
The AGs advise the SEC to require that private and public companies analyze climate change-related risks affecting their businesses and disclose that information, asserting that the current disclosure requirements under the SEC are insufficient. The letter includes recommendations, such as requiring SEC-regulated firms to (i) make annual disclosures of their greenhouse gas emissions and any plans to address their emissions; (ii) evaluate and disclose the potential impacts of climate change and climate change regulation; and (iii) disclose corporate governance and risk management practices as they relate to climate change.
On June 3, the U.S. Court of Appeals for the Second Circuit reversed a 2019 district court ruling, holding that NYDFS lacked Article III standing to pursue claims that the OCC’s policy to issue Special Purpose National Bank charters (SPNB charters) to non-depository fintech companies exceeded its statutory authority. As previously covered by InfoBytes, the district court entered final judgment in favor of NYDFS after concluding that the OCC’s SPNB policy should be set aside “with respect to all fintech applicants seeking a national bank charter that do not accept deposits,” rather than only those that have a nexus to New York State. Among other things, the district court, in denying the OCC’s motion to dismiss, determined that the OCC exceeded its authority under the National Bank Act because the Act “unambiguously requires receiving deposits as an aspect of the business,” and that “absent a statutory provision to the contrary, only depository institutions are eligible to receive [a SPNB] from [the] OCC.” The OCC appealed, and both parties filed briefs addressing issues related to ripeness and standing (covered by InfoBytes here).
On appeal, the 2nd Circuit concluded that NYDFS lacked Article III standing to pursue its claims because it failed to show that it had suffered an actual or imminent injury from the OCC’s decision to issue SPNB charters. The appellate court also found NYDFS’s claims to be “constitutionally unripe,” holding that NYDFS’s challenge is too speculative since no non-depository fintech companies have applied for or have been granted an SPNB charter. “It is unclear at this juncture whether New York law will ever be preempted in the ways [NYDFS] fears,” the appellate court wrote. However, the 2nd Circuit determined it lacked jurisdiction to decide the remaining issues on appeal and did not address the district court’s finding that “the ‘business of banking’ under the NBA unambiguously requires the receipt of deposits.” The appellate court remanded the case to the district court with instructions to enter a judgment of dismissal without prejudice.
NYDFS Superintendent Linda Lacewell issued a statement following the 2nd Circuit’s decision, in which she reiterated the importance of “guarding against any encroachment on the state regulatory system” and urged the OCC to reconsider its policy.
On May 13, NYDFS announced a settlement with an insurance company to resolve allegations that the company violated the state’s cybersecurity regulation (23 NYCRR Part 500) by failing to implement multi-factor authentication or reasonably equivalent or more secure access controls. Under Part 500.12(b), covered entities are required to implement such protocols (see FAQs here). NYDFS’s investigation also revealed that the insurance company falsely certified its compliance with the cybersecurity regulation for 2018. Under the terms of the consent order, the company will pay a $1.8 million civil monetary penalty and will undertake improvements to strengthen its existing cybersecurity program to ensure compliance with 23 NYCRR Part 500. NYDFS acknowledged the company’s “commendable” cooperation throughout the examination and investigation and stated that the company had demonstrated its commitment to remediation.
On April 27, NYDFS released a report warning the financial services industry to tighten third-party risk management measures, as the “next great financial crisis could come from a cyber-attack.” The report covers a December 2020 cyber-attack described as “part of a widespread, sophisticated cyber espionage campaign by Russian Foreign Intelligence Service actors” focusing on “stealth and stealing sensitive information.” According to the report, hackers installed malware into a software platform used by government agencies and by financial services and telecommunications companies to monitor and manage the performance of their networks. This attack, NYDFS noted, is “the most visible, widespread, and intrusive information technology software supply chain attack” to date and “opened back doors into thousands of organizations, including almost 100 companies in New York’s financial services industry.” While none of NYDFS’s regulated entities’ networks were actively exploited, the regulator warned that these types of attacks highlight the financial services industry’s vulnerability to supply chain attacks. Moreover, because third-party risk management is a key part of NYDFS’s Cybersecurity Regulation, the regulator is “exploring ways to further address this critical component of cybersecurity.” Report findings highlight that, among other things, (i) the patch-management programs for many regulated entities “are immature and lack the proper ‘patching cadence’ needed to ensure timely remediation of high-risk cyber vulnerabilities,” and (ii) “supply chain” cyber-attacks are dangerous since “malware is embedded inside a legitimate product,” allowing “an attacker to access the networks of many organizations in a single stroke.”
The report provides several recommendations, including that entities should (i) include in their vendor risk-management policies and procedures “processes for due diligence and contractual protections that will ensure the company can monitor the cybersecurity practices and overall cyber hygiene of critical vendors”; (ii) adopt a “zero trust” approach and implement multiple layers of security and extra protection for sensitive information; (iii) address vulnerabilities in a timely manner through patch testing, validation processes, and deployment; and (iv) ensure their incident response plans address supply chain compromises.
On April 14, NYDFS announced a settlement with an insurance broker to resolve allegations that the broker violated the state’s cybersecurity regulation (23 NYCRR Part 500) by failing to report that it was the subject of two cyber breaches between 2018 and 2020. Under Part 500.17, regulated entities are required to provide timely notice to NYDFS when a cybersecurity event involves harm to customers (see FAQs here). A September 2019 examination revealed that the cyber breaches involved unauthorized access to an employee’s email account, which could have provided access to personal data, including social security and bank account numbers. NYDFS also alleged that the broker failed to implement multi-factor authentication as required by 23 NYCRR Part 500. Under the terms of the consent order, the broker will pay a $3 million civil monetary penalty and will make further improvements to strengthen its existing cybersecurity program to ensure compliance with 23 NYCRR Part 500. NYDFS acknowledged the broker’s “commendable” cooperation throughout the examination and investigation and stated that the broker had demonstrated its commitment to remediation.
On April 13, NYDFS announced the new Statewide Office of Financial Inclusion and Empowerment, which is intended to meet the financial services needs of low- and middle-income New Yorkers and provide a “single-stop state resource” for consumers to access financial help. Superintendent Linda A. Lacewell stated that the intention of the office is to “advance the Department’s strategic financial inclusion initiatives” and “pilot and develop policy initiatives designed to help further financial inclusion and empowerment.” Among other things, the new office will (i) maintain a centralized list of financial services counseling providers from across the state in the areas of housing, student loans, debt, and general financial literacy; (ii) coordinate state and local services intended to expand access to credit and opportunities for wealth building; (iii) “[i]ncubate new programs to expand access to safe and affordable banking services, credit and financial education,” and “coordinate public-private partnerships”; and (iv) foster the provision of high-quality, low-cost financial products across New York. Lacewell also announced that the Honorable Tremaine Wright will serve as the office’s first director. Wright, who will develop and implement the office’s policies and programs, was previously elected to the New York State Assembly, where she was chair of the New York State Black, Puerto Rican, Hispanic & Asian Legislative Caucus.
On March 30, NYDFS issued an updated cybersecurity fraud alert that warns of additional techniques used in a widespread cybercrime campaign targeting public-facing websites. As previously covered in InfoBytes, the update stems from NYDFS’s February 16 cybersecurity fraud alert sent to regulated entities, which described a “widespread cybercrime campaign” designed to steal nonpublic private consumer information (NPI) from public-facing websites and use the stolen NPI to fraudulently apply for pandemic and unemployment benefits. In addition to the techniques previously identified, NYDFS alerts regulated entities to the following additional hacking methods: (i) using web-debugging tools to steal unredacted, plaintext NPI while it is in transit from the data vendor to the company; and (ii) credential stuffing to gain access to insurance agent accounts and then using those agent accounts to steal consumer NPI. To prevent sensitive data from being stolen from public-facing websites, NYDFS advises financial organizations to avoid displaying prefilled NPI, even in redacted form, and to ensure that all portals are protected by the “robust access controls required by [NYDFS]’s cybersecurity regulation.” The alert also outlines remediation steps that financial institutions should take to ensure basic security.
In March, NYDFS released a report detailing the findings of an investigation into whether a global technology company and a New York state-chartered bank allegedly discriminated against women when making underwriting decisions for a co-branded credit card. According to the report, in 2019, allegations were made that the bank offered lower credit limits to women applicants and unfairly denied women accounts. NYDFS launched a fair lending investigation into the allegations and reviewed underwriting data for nearly 400,000 New York residents, but ultimately found no evidence of unlawful disparate treatment or disparate impact. Among other things, the report noted that the bank “had a fair lending program in place for ensuring its lending policy—and underlying statistical model—did not consider prohibited characteristics of applicants and would not produce disparate impacts.” The bank also identified the factors it used when making the credit decisions, including credit scores, indebtedness, income, credit utilization, missed payments, and other credit history elements, all of which, NYDFS stated, appeared to be consistent with its credit policy.