
InfoBytes Blog

Financial Services Law Insights and Observations


  • NYDFS warns financial institutions of February 15 cybersecurity compliance certification deadline

    Privacy, Cyber Risk & Data Security

    On January 22, the New York Department of Financial Services (NYDFS) issued a reminder to all NYDFS-regulated banks, insurance companies, and other financial services institutions that the deadline to file cybersecurity certifications of compliance is February 15, 2018. Mandated by NYDFS’ cybersecurity regulation that went into effect March 1, 2017 (see previous InfoBytes coverage here), the certification covers the prior calendar year and must be filed electronically through the DFS cybersecurity portal. NYDFS Superintendent Maria T. Vullo also announced that going forward, cybersecurity will be incorporated into all department examinations, and cybersecurity-related questions will be added to NYDFS’ “first day letters” issued to commence examinations of financial services companies.

    Privacy/Cyber Risk & Data Security State Issues NYDFS Bank Compliance 23 NYCRR Part 500

  • NYDFS updates cybersecurity regulation FAQs

    Privacy, Cyber Risk & Data Security

    Recently, the New York Department of Financial Services (NYDFS) updated its answers to FAQs relating to 23 NYCRR Part 500. As previously covered in InfoBytes, 23 NYCRR Part 500 took effect March 1 and establishes cybersecurity requirements for banks, insurance companies, and other financial services companies. The December updates to the FAQs address risk-based requirements affecting covered entities, including the following topics: (i) penetration testing and vulnerability assessments; (ii) third-party service provider due diligence requirements; (iii) limited notices of exemption; and (iv) record requirements.

    Privacy/Cyber Risk & Data Security State Issues NYDFS 23 NYCRR Part 500

  • Credit Reporting Agencies Must Comply With Emergency Regulations

    Privacy, Cyber Risk & Data Security

    On Tuesday, New York State adopted emergency regulations intended to “provide consumers with the means to protect themselves against identity theft” and assist those consumers who have fallen victim to such theft. The New York Department of State’s Division of Consumer Protection (the Division), which has the authority to promulgate rules and regulations related to consumer protection activities of all state agencies, announced the adoption of regulations as part of its Identity Theft Prevention and Mitigation Program (the Program). According to a press release issued December 12 by the office of New York Governor Andrew M. Cuomo, the regulations will require consumer credit reporting agencies to comply with the following, among other things:

    • provide responses within 10 days to information requests made by the Division when investigating, mediating, or mitigating a consumer’s identity theft complaint;
    • identify dedicated points of contact to assist the Division’s effective administering of the program;
    • make available to the Division a list and description of all business affiliations and contractual relationships that provide identity theft and credit monitoring-related products or services; and
    • clearly disclose all fees associated with offered products and services marketed to prevent identity theft, and inform consumers of trial and cancellation provisions.

    Consumer credit reporting agencies will be required to comply with these regulations, effective immediately. A to-be-announced public comment period will occur prior to the regulations’ final adoption.

    As previously covered by InfoBytes, New York Department of Financial Services (NYDFS) has taken several steps to address cybersecurity concerns, including a September 18 announcement that the state would expand cybersecurity standards to cover credit reporting agencies. Under the proposed regulation, credit reporting agencies would be subject to compliance examinations, would be required to initially register with NYDFS, and would be required to comply with cybersecurity regulations starting on April 4, 2018, in accordance with a phased-in compliance schedule.

    Privacy/Cyber Risk & Data Security State Issues Data Breach NYDFS Credit Reporting Agency 23 NYCRR Part 500

  • Data Breach Fallout Continues: Lawsuit Filed by Massachusetts AG, NYDFS Cybersecurity Regulation to Possibly Include Credit Reporting Agencies, and Joint Letter Sent From 34 States Requesting Fee-Based Credit Monitoring Service Be Disabled

    Privacy, Cyber Risk & Data Security

    The impact from the September 7 announcement that a major credit reporting agency suffered a data breach continues to be far reaching. On September 15, the agency issued a press release announcing additional information concerning its internal investigation, as well as responses to consumer concerns about arbitration and class-action waiver provisions in the Terms of Use applicable to its support package and regarding security freezes.

    Massachusetts AG Lawsuit. On September 19, Massachusetts Attorney General Maura Healey announced that her office had filed the first enforcement action in the nation against the credit reporting agency. The complaint, filed in Massachusetts Superior Court, alleges that the agency ignored cybersecurity vulnerabilities for months before the breach occurred and claims that the agency could have prevented the data breach had it “implemented and maintained reasonable safeguards, consistent with representations made to the public in its privacy policies, industry standards, and the requirements of [the Massachusetts Data Security Regulations],” which went into effect March 1, 2010. The failure to secure the consumer information in its possession, the complaint asserts, constitutes an “egregious violation of Massachusetts consumer protection and data privacy laws.” Causes of action under the complaint arise from (i) the agency’s failure to provide prompt notice to the commonwealth or the public; (ii) the agency’s failure to safeguard consumers’ personal information; and (iii) the agency engaging in unfair or deceptive acts or practices under Massachusetts law. The commonwealth seeks, among other things, civil penalties, disgorgement of profits, and restitution.

    NYDFS Cybersecurity Regulation. On September 18, New York Governor Andrew M. Cuomo directed NYDFS to issue a proposed regulation that would expand the state’s “first-in-the-nation” cybersecurity standard to include credit reporting agencies and to require the agencies to register with NYDFS. The annual reporting obligation would, according to a press release issued by NYDFS, grant it the authority to deny or revoke a credit reporting agency’s authorization to do business with New York’s regulated financial institutions should the agency be found in violation of certain prohibited activities, including engaging in unfair, deceptive or predatory practices. Under the proposed regulation, credit reporting agencies would be subject to compliance examinations by NYDFS, would be required to initially register with NYDFS by February 1, 2018 and annually thereafter, and would be required to comply with cybersecurity regulations starting on April 4, 2018, in accordance with a phased-in compliance schedule. On the same day, NYDFS issued a separate press release urging New York state chartered and licensed financial institutions to take immediate action to protect consumers in light of the recent credit reporting agency data breach. The guidance presented in the release by the NYDFS is provided in conjunction with the state’s cybersecurity regulations.

    State Attorneys General Request. On September 15, a letter co-authored by 34 state attorneys general was sent to the credit reporting agency’s legal counsel. The letter expresses concern over the agency’s conduct since the disclosure of the breach, including the offer of both fee-based and free credit monitoring services, the waiver of certain consumer rights under the agency’s terms of service, and the charges incurred by consumers for a security freeze with other credit monitoring companies. Specifically, the attorneys general objected to the agency “using its own data breach as an opportunity to sell services to breach victims,” and argued that “[s]elling a fee-based product that competes with [the agency’s] own free offer of credit monitoring services to [data breach victims] is unfair, particularly if consumers are not sure if their information was compromised.” Accordingly, the letter requests that the agency temporarily disable links to fee-based services and extend the offer of free services until at least January 31, 2018. The letter also expresses concern that consumers must pay for a security freeze with other credit monitoring companies and states that the agency should reimburse consumers who incur fees to completely freeze their credit.

    Privacy/Cyber Risk & Data Security Credit Reporting Agency State Attorney General NYDFS Enforcement Data Breach Security Freeze 23 NYCRR Part 500

  • Buckley Special Alert: New York Governor Cuomo Directs NYDFS to Make Credit Reporting Agencies Comply With the State’s Cybersecurity Regulation

    Privacy, Cyber Risk & Data Security

    On September 18, 2017, New York Governor Andrew Cuomo directed the New York Department of Financial Services (NYDFS) to issue a regulation that would require all consumer credit reporting agencies doing business in the state to register with NYDFS by February 1, 2018, and to re-register annually. Governor Cuomo’s directive was issued in response to a recent highly publicized security incident at a major consumer credit reporting agency. NYDFS issued a proposed regulation on the same day (CRA Regulation).

    One of the primary intents of the registration directive is to make consumer credit reporting agencies subject to the state’s “First-in-the-Nation Cybersecurity Regulation” (Cybersecurity Regulation) (see previous InfoBytes coverage here) that was finalized earlier this year. The Cybersecurity Regulation applies to entities “operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law” and regulated by NYDFS. The Cybersecurity Regulation imposes a series of requirements on covered entities with compliance deadlines ranging from August 28, 2017 to March 1, 2019. These substantive requirements, which are in many ways more stringent and proscriptive than federal requirements for financial institutions, are described in our previous InfoBytes coverage on the Cybersecurity Regulation. Consumer credit reporting agency registrants would be subject to all of the requirements of the Cybersecurity Regulation, but under a different schedule beginning on April 4, 2018 and running through October 4, 2019.


    Privacy/Cyber Risk & Data Security State Issues NYDFS Credit Reporting Agency 23 NYCRR Part 500

  • NYDFS Issues Reminder on Cybersecurity Regulation Compliance Effective August 28

    State Issues

    On August 28, the New York Department of Financial Services (NYDFS) issued an announcement reminding all NYDFS-regulated banks, insurance companies, and other financial services institutions that they must now begin complying with the state’s “first-in-nation cybersecurity regulation.” As previously covered in InfoBytes, the regulation took effect March 1, 2017, but August 28 was the first compliance date. Covered entities are now required to implement the following: (i) a cybersecurity program designed to protect consumers’ private data; (ii) board/senior officer-approved written policy or policies; (iii) a designated Chief Information Security Officer to help protect an entity’s data and systems; and (iv) “controls and plans in place to help ensure the safety and soundness of New York’s financial services industry.” Furthermore, covered entities must begin reporting cybersecurity events through NYDFS’ online cybersecurity portal. (See previous InfoBytes coverage here.) Notices of exemption may be filed within “30 days of the determination that the covered entity is exempt,” and covered entities must file a certificate of compliance confirming compliance for the previous calendar year no later than February 15, 2018. NYDFS also released a series of frequently asked questions to assist institutions in complying with the regulation’s requirements.

    State Issues Privacy/Cyber Risk & Data Security NYDFS Compliance Bank Regulatory 23 NYCRR Part 500

  • NYDFS Launches New Cybersecurity Portal, Sets Compliance Deadlines

    Privacy, Cyber Risk & Data Security

    On July 31, the New York Department of Financial Services (NYDFS) announced the launch of an online cybersecurity portal for businesses to securely report cybersecurity events as required by the state’s cybersecurity regulation that took effect March 1. (See previous InfoBytes summary here.) The regulation, Cybersecurity Requirements for Financial Services Companies, requires all banks, insurance companies, and other financial services institutions regulated by NYDFS to establish and maintain cybersecurity programs to safeguard consumers’ private data. The cyber portal is designed to facilitate easy reporting of cybersecurity events and will allow regulated entities to file compliance certifications. Starting August 28, 2017, all entities required to comply with NYDFS cybersecurity regulations “must file certain notifications to the [Financial Services] Superintendent including notices of certain cybersecurity events within 72 hours from a determination that a reportable event has occurred.” A cybersecurity event is reportable if it: (i) “impacts the covered entity and notice of it is required to be provided to any government body, self-regulatory agency or any other supervisory body”; or (ii) “has a reasonable likelihood of materially harming any material part of the normal operation(s) of the covered entity.” Additionally, covered entities are required to file a certificate of compliance confirming compliance for the previous calendar year no later than February 15, 2018.

    Privacy/Cyber Risk & Data Security NYDFS State Issues Bank Regulatory Compliance 23 NYCRR Part 500

  • Conference of State Bank Supervisors Announce Initiatives to Obviate Need for Fintech Charter, New York Joins Nationwide Mortgage Licensing System for Fintechs

    Fintech

    On May 10, the Conference of State Bank Supervisors (CSBS) announced a “series of initiatives to modernize state regulation of non-banks, including financial technology [fintech] firms.” The draft set of initiatives, branded “Vision 2020,” appears to be generally geared towards streamlining the state regulatory system so that it is capable of supporting business innovation while still protecting the rights of consumers. As explained by CSBS Chairman and Texas Commissioner of Banking Charles G. Cooper, the CSBS is “committed to a multi-state experience that is as seamless as possible,” and, to this end, “state regulators will transform the licensing process, harmonize supervision [and] engage fintech companies.”

    The initial set of actions that CSBS and state regulators are taking includes the following:

    • Redesign the Nationwide Multistate Licensing System (NMLS). CSBS plans to redesign the NMLS, which is a web-based system that allows non-depository companies, branches, and individuals in the mortgage, consumer lending, money services businesses, and debt collection industries to apply for, amend, update, or renew a license online. In particular, the CSBS’s redesign will “provide a more automated licensing process for new applicants, streamline multi-state regulation, and shift state resources to higher-risk cases.”
    • Harmonize multi-state supervision. CSBS has created “working groups to establish model approaches to key aspects of non-bank supervision,” to “enhance uniformity in examinations, facilitate best practices,” and “capture and report non-bank violations at the national level.” CSBS also intends to “create a common technology platform for state examinations.”
    • Form an industry advisory panel. CSBS will “establish a fintech industry advisory panel to identify points of friction in licensing and multi-state regulation, and provide feedback to state efforts to modernize regulatory regimes.”
    • Assist state banking departments. CSBS intends to start “education programs” that “will make state departments more effective in supervising banks and non-banks.”
    • Make it easier for banks to provide services to non-banks. CSBS is also “stepping up efforts to address de-risking—where banks are cautious about doing business with non-banks, due to regulatory uncertainty—by increasing industry awareness that strong regulatory regimes exist for compliance with laws for money laundering, the Bank Secrecy Act, and cybersecurity.”
    • Make supervision more efficient for third parties. CSBS also intends to “support[] federal legislation that would allow state and federal regulators to better coordinate supervision of bank third-party service providers.”

    By harmonizing the supervision and licensing system and working more closely together, state regulators appear to want to eliminate a key reason to seek the OCC charter, namely the ability to deal with one federal agency and follow a single set of rules. As previously covered in InfoBytes, the CSBS and a number of individual stakeholders have fiercely opposed the OCC’s other main fintech initiative—the development of a special purpose national bank charter for payments processors, online lenders and other new entrants in the financial industry. CSBS sued the OCC last month, arguing it lacked the legal power to move forward. The overall initiative appears to be a response to the OCC’s own “responsible innovation” efforts, which—as previously covered in InfoBytes—culminated in the creation of a new office last year to correspond with fintechs and the banks interested in partnering with them.

    Concurrent with CSBS’s Vision 2020 initiatives, on May 11, the New York State Department of Financial Services (NYDFS) announced that beginning July 1, 2017, it will transition to the NMLS to manage the license application and ongoing regulation of all nondepository financial institutions conducting business in the state, commencing with money transmitters. Specifically, on July 1, 2017, financial services companies holding New York money transmitter licenses will have the opportunity to transition those licenses to NMLS, and companies applying for new licenses will be able to apply through NMLS. As previously covered in InfoBytes, NMLS—a secure, web-based licensing system—will allow for easier on-line licensing renewal and enable NYDFS to “provide better supervision of the money transmitter industry by linking with other states to protect consumers.” Financial Services Superintendent Maria T. Vullo stressed that “[b]y working with the CSBS, which is leading the modernization of state regulation through Vision 2020, DFS is supporting the strong nationwide regulatory framework created by states to provide improved licensing and supervision by State regulators.”

    Additional information about NMLS can be accessed through the NMLS Resource Center.

    Fintech Licensing NYDFS NMLS Agency Rule-Making & Guidance CSBS OCC Vision 2020

  • NYDFS Landmark Cybersecurity Rule Set to Take Effect on March 1

    State Issues

    On February 16, New York Governor Andrew Cuomo announced that with the New York Department of Financial Services’ (NYDFS) publication of a Final Regulation, New York’s “First-in-the-Nation Cybersecurity Regulation” is set to take effect on March 1. As discussed previously in InfoBytes, the regulation—which requires banks, insurance companies, and other financial services institutions regulated by NYDFS to establish and maintain a cybersecurity program designed to protect consumers’ private data—imposes broad and, in some cases, proscriptive data security and cybersecurity requirements on Covered Entities that venture into new territory for both state and federal financial regulators. Indeed, as described by Governor Cuomo, the regulation reflects New York’s efforts to “lead[] the nation” through “decisive action to protect consumers and our financial system from serious economic harm that is often perpetrated by state-sponsored organizations, global terrorist networks, and other criminal enterprises.”

    Moreover, as detailed in a follow-up InfoBytes Special Alert, NYDFS issued an updated proposed regulation on December 28 in response to over 150 comments and testimony presented at a hearing before New York State lawmakers. Though the updated proposed regulation did not differ drastically from the original, it provided somewhat greater flexibility in how covered entities could go about implementing the requirements. Among other things, the December 28 revisions provided for: (i) longer timeframes for compliance with its requirements; (ii) more flexibility for compliance with certain requirements and acknowledgement that some requirements may not be applicable to all financial institutions; and (iii) clarifications to certain key definitions.

    The newly released Final Regulation retains the revisions incorporated in the December 28 revision, but also contains the following notable revisions:

    • Record retention requirements for audit trail materials relating to Cybersecurity Events were reduced from five years to three years.
    • Clarification that Covered Entities’ policies and procedures for reporting by Third Party Service Providers of Cybersecurity Events only apply to the Covered Entity’s Nonpublic Information.
    • The limited exemption for small businesses to certain requirements of the rule has been narrowed by including a Covered Entity’s New York affiliates when calculating its number of employees and annual revenue.
    • Further clarification on the exemptions for companies regulated under New York’s Insurance Law.

    With the expiration of the 30-day comment period and the publication of the Final Rule, New York’s Cybersecurity regulation is officially cleared to become effective upon publication in the New York State Register on March 1.

    InfoBytes will continue to monitor the rollout of this pioneering regulation as it progresses.

    State Issues Agency Rule-Making & Guidance Bank Regulatory NYDFS Privacy/Cyber Risk & Data Security Vendor Management 23 NYCRR Part 500

  • Coinbase Gets NY BitLicense, Clearance For Its Operations

    State Issues

    On January 18, the New York State Department of Financial Services (NYDFS) announced that it had approved the application of Coinbase, Inc., for a virtual currency and a money transmitter license. According to NYDFS, the license was issued to Coinbase—a digital currency wallet that facilitates transactions with Bitcoin and other virtual currencies—only after “a comprehensive review of Coinbase’s applications, including the company’s anti-money laundering, capitalization, consumer protection, and cyber security policies.” Having met the New York regulator’s standards for operations in the state, Coinbase may now operate, under supervision by NYDFS, as a service for buying, selling, sending, receiving and storing Bitcoin.

    As previously covered in InfoBytes, NYDFS’s BitLicense framework—which was finalized back in June 2015—requires virtual currency companies to submit a 31-page application providing information covering, among other things: (i) written policies and procedures including, but not limited to, BSA/AML, cybersecurity, privacy and information security; (ii) company information; (iii) biographical information on company directors and stockholders; and (iv) an explanation of the methodology used to calculate the value of virtual currency in fiat currency. In addition, the NYDFS released a set of FAQs to help clarify the BitLicense requirements. To date, NYDFS has approved five firms for virtual currency charters or licenses, while denying those applications that did not meet its standards.

    State Issues Digital Commerce Anti-Money Laundering NYDFS Bitcoin Virtual Currency
