InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Bank to pay Fed, NYDFS almost $30 million for deficient third-party risk management practices
On October 19, the Fed and NYDFS announced an enforcement action against a New York-based bank for alleged violations of consumer identification rules and deficient third-party risk management practices. NYDFS Superintendent Adrienne A. Harris stated that the bank failed to prevent a “massive, ongoing fraud” related to its prepaid card program. According to the Fed’s cease-and-desist order, illicit actors managed to open prepaid card accounts through a third-party, and moved hundreds of millions of dollars of direct deposit payroll payments and state unemployment benefits through the accounts. The Fed’s order requires the bank to, among other things, improve its oversight, create a new product review program, enhance its customer identification program, and submit a plan to enhance its third-party risk management program. The bank’s plan must include (i) policies and procedures to ensure third-party service providers are complying with federal and state law; (ii) a third-party risk management oversight program; (iii) policies and procedures to ensure the bank’s Chief Compliance Officer has sufficient resources to properly access the bank’s prepaid card program and is adequately staffed; and (iv) a comprehensive identity theft prevention program. The Fed also requires the bank to pay a civil money penalty of approximately $14.5 million. Under NYDFS’s consent order, the bank agreed to pay an additional $15 million civil monetary penalty, and to submit remediation and program reporting.
NYDFS settles with bank for compliance failures
On September 29, NYDFS announced a settlement with a South Korean-based bank’s American subsidiary to resolve allegations of repeated violations of AML requirements, the Bank Secrecy Act (BSA), and New York law. According to the consent order, the respondent was repeatedly examined seven times in less than 10 years by DFS and entered into a consent order with the FDIC in 2017 for BSA/AML compliance, among other things. DFS claims that respondents violated (i) New York Banking Law § 44 by conducting their business in an unsafe and unsound manner; (ii) 3 NYCRR § 116.2 by failing to maintain an effective AML compliance program; and (iii) 23 NYCRR § 504.4 by incorrectly certifying compliance with Part 504. To resolve the claims, the respondent agreed to pay a $10 million civil money penalty, and write a written plan detailing improvements to its compliance policies and procedures, among other things.
NYDFS updates criteria for virtual currency regulation
Adrienne Harris, Superintendent of the New York State Department of Financial Services (“DFS”) issued an update on the VOLT initiative, an ongoing project to enhance DFS’s role as a virtual currency regulator. Superintendent Harris published proposed guidance adopting enhanced criteria for procedures to list and de-list virtual currencies as well as updated guidance for designating virtual currencies to the DFS “Greenlist.”
The new General Framework for Greenlisted Coins sets (i) heightened risk assessment standards for coin-listing policies and enhances requirements for consumer-facing products; and (ii) new requirements associated with coin-delisting policies. Under the new guidance, a virtual currency entity that seeks to self-certify coins must create a coin-listing policy and may not self-certify any coins until such possibly has a written approval from DFS. A coin-listing policy must contain and be based on a robust governance structure; comprehensive risk assessment; consideration of factors to identify and mitigate risks involved in each coin and its uses; and policies and procedures to conduct continued monitoring of the coin to ensure consistent safety and soundness compliance.
The new framework does not require prior approval from the DFS to list coins included on the Greenlist, but does require virtual currency entities that choose to list such coins to (i) provide advance notification to DFS and (ii) have a DFS-approved coin-delisting policy.
NYDFS: Auto loan borrowers are entitled to rebates for cancelled ancillary products
On July 18, NYDFS sent a letter reminding regulated auto lenders and auto loan servicers that they are responsible for ensuring certain rebates are credited to consumers whose vehicles were repossessed or were a total loss. During its examinations, NYDFS identified instances where certain institutions that finance ancillary products, such as extended warranties, vehicle service contracts, and guaranteed asset protection insurance, failed to properly calculate, obtain, and credit rebates to consumers as required. NYDFS explained that the terms of sale for such ancillary products “provide that if the vehicle is repossessed or is a total loss prior to the product’s expiration, the consumer is entitled to a rebate for the prorated, unused value of the product (a ‘Rebate’), payable first to the [i]nstitution to cover any deficiency balance, and then to the consumer.” NYDFS found that some institutions either neglected to pursue Rebates from the issuers of the ancillary products or miscalculated the owed amounts, adding that in some instances, institutions made initial requests for Rebates but did not follow through to ensure that they were received and credited to consumers.
NYDFS explained that an institution’s failure to obtain and credit Rebates from unexpired ancillary products is considered to be unfair “because it causes or is likely to cause substantial injury to consumers who are made to pay or defend themselves against deficiency balances in excess of what the consumer legally owes.” The resulting injury caused to consumers is not outweighed by any countervailing benefits to consumers or to competition, NYDFS stressed.
Additionally, NYDFS said an institution’s statements and claims of consumers’ deficiency balances that do not include correctly calculated and applied Rebates are considered to be deceptive, as they mislead consumers about the amount they owe after considering all setoffs. NYDFS said it expects institutions to fulfill their contractual obligations by ensuring Rebates are properly accounted for, either by deducting them from deficiency balances or issuing refund checks if no deficiency balance is owed.
NYDFS further noted in its announcement that recent CFPB examinations found that certain auto loan servicers engaged in deceptive practices when they notified consumers of deficiency balances that misrepresented the inclusion of credits or rebates. The Bureau’s supervisory highlights from Winter 2019, Summer 2021, and Spring 2022 also revealed that collecting or attempting to collect miscalculated deficiency balances that failed to account for a lender’s entitled pro-rata refund constituted an unfair practice.
NYDFS publishes new proposal on cybersecurity regs
On June 28, NYDFS published an updated proposed second amendment to the state’s cybersecurity regulation (23 NYCRR 500) reflecting revisions made by the department in response to comments received on proposed expanded amendments published last November. (Covered by InfoBytes here.) NYDFS’ cybersecurity regulation, effective in March 2017, imposes a series of cybersecurity requirements for banks, insurance companies, and other financial services institutions. (Covered by InfoBytes here.) Proposed changes include:
- New and amended definitions. The proposed second amendment defines “Chief Information Security Office or CISO” to mean “a qualified individual responsible for overseeing and implementing the covered entity’s cybersecurity program and enforcing its cybersecurity policy, who has adequate authority to ensure cybersecurity risks are appropriately managed, including the ability to direct sufficient resources to implement and maintain an effective cybersecurity program.” Certain references to a CISO’s responsibilities have been moved and slightly modified throughout. The amendments also clarify that affiliates should only include “those that share information systems, cybersecurity resources or all or any part of a cybersecurity program with the covered entity” for the purposes of calculating the number of employees and gross annual revenue for consideration as a “Class A Company.” The definition of a “privileged account” has also been modified to remove a condition that an authorized user account or service account be able to affect a material change to the technical or business operations of the covered entity. Risk assessments also no longer include a requirement that a covered entity “take into account the specific circumstances of the covered entity, including but not limited to its size, staffing, governance, businesses, services, products, operations, customers, counterparties, service providers, vendors, other relations and their locations, as well as the geographies and locations of its operations and business relations.” Additionally, “senior governing body” now specifies that for “any cybersecurity program or part of a cybersecurity program adopted from an affiliate under section 500.2(d) of this Part, the senior governing body may be that of the affiliate.”
- Notice of a cybersecurity event. Under 23 NYCRR 500, entities are required to notify NYDFS within 72 hours after a determination has been made that a cybersecurity event has occurred at a covered entity, its affiliates, or a third-party service provider. The amendments remove a 90-day period for covered entities to provide the superintendent with requested information, and instead provides that “[e]ach covered entity shall promptly provide any information requested regarding such event. Covered entities shall have a continuing obligation to update and supplement the information provided.” Covered entities will be required to maintain for examination, and now inspection by the department upon request, all records, schedules, and supporting data and documentation.
- Exemptions. The proposed second amendment now offers that “[a]n employee, agent, wholly-owned subsidiary, representative or designee of a covered entity, who is itself a covered entity, is exempt from this Part and need not develop its own cybersecurity program to the extent that the employee, agent, wholly-owned subsidiary, representative or designee is covered by the cybersecurity program of the covered entity.”
- Additional modifications. Other slight modifications have been made throughout that include removing a requirement that covered entities “document material issues found during testing and report them to its senior governing body and senior management,” and deleting a requirement that Class A companies use external experts to conduct risk assessments at least once every three years. The proposed second amendment makes changes to third-party service provider policy requirements and multi-factor authentication provisions and replaces a reference to a covered entity’s board of directors or equivalent with the “senior governing body.” Language defining these responsibilities has been slightly modified. Additionally, incident response plans must also now include a root cause analysis describing “how and why the event occurred, what business impact it had, and what will be done to prevent reoccurrence.” Furthermore, when assessing penalties, the superintendent may now also consider “the extent to which the relevant policies and procedures of the company are consistent with nationally recognized cybersecurity frameworks, such as NIST.”
The proposed second amendment is subject to a 45-day comment period expiring August 14.
NYDFS circulates advisory on file transfers
On June 2, NYDFS notified all regulated entities that an identified SQL injection vulnerability found in a web application of a managed file transfer software may allow unauthenticated attackers to gain access to its database. The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency and others circulated the advisory, which cautioned that this vulnerability is being actively exploited by threat actors to deploy ransomware, steal data, and disrupt operations. NYDFS advised all regulated entities to conduct prompt risks assessments on their organizations, customers, consumers, and third-party service providers to mitigate risk. Regulated entities were also reminded about the requirement to report cybersecurity events as promptly as possible but no later than 72 hours at the latest, and that “evidence of unauthorized access to information systems, such as webshell installation, even if there has been no malware deployed or data exfiltrated,” are considered a reportable cybersecurity event under 23 NYCRR Section 500.17(a)(2).
NYDFS proposes vetting guidance for licensed or chartered entities
On May 9, NYDFS Superintendent Adrienne A. Harris released proposed guidance for banking organizations and non-depository financial institutions chartered or licensed under the New York Banking Law concerning the Department’s character and fitness assessment expectations. The proposed guidance sets forth several criteria, including that covered institutions (i) update and modernize policies and procedures to ensure designated persons, including senior officers and governing board members, undergo a robust initial vetting process to make sure no new circumstances or conflicts of interests arise that may compromise the organization; (ii) take a risk-based and proportionate approach to ensure their vetting frameworks are tailored to meet their specific business needs, operations, and risks; (iii) promptly inform NYDFS if, through a character and fitness review, a determination is made that a previously vetted designated person is no longer fit to perform the current function, or if a designated person has been transferred to another position or group (or modifications are made to a designated person’s current functions); and (iv) vet each designated person at the time they become a designated person, regardless of whether the person currently is or previously was a designated person at a different covered institution, including in instances involving a merger or acquisition. The announcement noted that a covered institution’s compliance with the guidance will be reviewed as part of its regular examination framework. Comments on the proposed guidance are due June 30.
Crypto platform reaches $1.2 million settlement on alleged compliance failures
On May 1, NYDFS issued a consent order against a cryptocurrency trading platform for engaging in alleged violations of the state’s cybersecurity regulation (23 NYCRR Part 500). According to the consent order, during examinations conducted in 2018 and 2020, NYDFS identified multiple alleged deficiencies in the respondent’s cybersecurity program, as required by both the cybersecurity regulation and the state’s virtual currency regulation (23 NYCRR Part 200). Following the examinations, NYDFS initiated an investigation into the respondent’s cybersecurity program. The Department concluded that the respondent failed to conduct periodic cybersecurity risk assessments “sufficient to inform the design of the cybersecurity program,” and failed to establish and maintain an effective cybersecurity program and implement a reviewed and board-approved written cybersecurity policy. Moreover, NYDFS claimed the respondent’s policies and procedures were not customized to meet the company’s needs and risks. Under the terms of the consent order, the respondent must pay a $1.2 million civil monetary penalty and submit quarterly progress reports to NYDFS detailing its remediation efforts.
House subcommittee holds hearing on stablecoin regulation
The House Financial Services Subcommittee on Digital Assets, Financial Technology and Inclusion recently held a hearing to examine stablecoins’ role in the payment system and to discuss proposed legislation for creating a federal framework for issuing stablecoins. A subcommittee memorandum identified different types of stablecoins (the most popular being pegged to the U.S. dollar to diminish volatility) and presented an overview of the market, which currently consists of more than 200 different types of stablecoins, collectively worth more than $132 billion. The subcommittee referred to a 2021 report issued by the President’s Working Group on Financial Markets, along with the FDIC and OCC (covered by InfoBytes here), in which it was recommended that Congress pass legislation requiring stablecoins to be issued only by insured depository institutions to ensure that payment stablecoins are subject to a federal prudential regulatory framework. The subcommittee discussed draft legislation that would define a payment stablecoin issuer and establish a regulatory framework for payment stablecoin issuers, including enforcement requirements and interoperability standards.
Subcommittee Chairman, French Hill (R-AR), delivered opening remarks, in which he commented that the proposed legislation would require stablecoin issuers to comply with redemption requirements, monthly attestation and disclosures, and risk management standards. Recognizing the significant amount of work yet to be done in this space, Hill said he believes that “innovation is fostered through choice and competition,” and that “one way to do that is through multiple pathways to become a stablecoin issuer, though with appropriate protections [to] prevent regulatory arbitrage and a race to the bottom.” He cited reports that digital asset developers are leaving the U.S. for countries that currently provide a more established regulatory framework for digital assets, and warned that this will stymie innovation, jobs, and consumer/investor protection. He also criticized ”the ongoing turf war between the SEC and CFTC” with respect to digital assets, and warned that “[w]hen you have two agencies contradicting each other in court about whether one of the most utilized stablecoins in the market is a security or a commodity, what you end up with is uncertainty.”
Witness NYDFS Superintendent Adrienne A. Harris discussed the framework that is currently in place in New York and highlighted requirements for payment stablecoin issuers operating in the state. In a prepared statement, Harris said many domestic and foreign regulators call the Department’s regulatory and supervisory oversight of virtual currency the “gold standard,” in which virtual currency entities are “subject to custody and capital requirements designed to industry-specific risks necessary for sound, prudential regulation.” Harris explained that NYDFS established “additional regulations, guidance, and company-specific supervisory agreements to tailor [its] oversight” over financial products, including stablecoins, and said the Department is the first agency to provide regulatory clarity for these types of products. She highlighted guidance released last June, which established criteria for regulated entities seeking to issue USD-backed stablecoins in the state (covered by InfoBytes here), and encouraged a collaborative framework that mirrors the regulatory system for more traditional financial institutions and takes advantage of the comparative strengths offered by federal and state regulators. Federal regulators will be able to comprehensively address “macroprudential considerations” and implement foundational consumer and market protections, while states can “leverage their more immediate understanding of consumer needs” and more quickly modernize regulations in response to industry developments and innovation, Harris said.
NYDFS to impose supervision fees on virtual currency licensees
On April 17, NYDFS announced the adoption of a final regulation establishing how certain licensed virtual currency businesses will be assessed for supervision and examination costs. Under 23 NYCRR Part 102, licensed virtual currency companies holding a Bitlicense will be assessed for their supervisory costs, similar to other licensees regulated by the Department. Last year, NYDFS first proposed a provision in the state budget authorizing the Department to collect supervisory costs from virtual currency businesses licensed pursuant to the Financial Services Law in order to add talent to its virtual currency regulatory team. (Covered by InfoBytes here.) NYDFS explained that the regulation will only apply to licensed virtual currency businesses and that the fees will only cover the costs and expenses associated with the Department’s oversight of a licensee’s virtual currency business activities. A licensee’s total annual assessment fee will be the sum of its supervisory component and its regulatory component, as defined in the regulation, and will be billed five times per fiscal year, once per quarter and a final true-up at the end of the fiscal year. The background to the final regulation notes that to the extent that a person holds multiple licenses to engage in virtual currency business activities, or concurrently acts as a money transmitter, such person will be billed separately for each license, adding that “[p]ersons who engage in virtual currency business activities as a limited purpose trust company or a banking organization will continue to be assessed under 23 NYCRR Part 101.” The final regulation takes effect upon publication of the Notice of Adoption in the New York State Register.