InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
NYDFS, crypto payment company reach AML/cybersecurity settlement
On March 16, NYDFS issued a consent order against a payment service provider for allegedly failing to comply with the state’s virtual currency and cybersecurity regulations. The company was licensed to engage in virtual currency business activity in the state pursuant to 23 NYCRR Part 200. Licensees under Part 200 are required to, among other things, comply with federal and state laws mandating effective controls to guard against money laundering and certain other illegal activities. A 2022 NYDFS examination revealed that, although the company made improvements to address deficiencies within its AML and cybersecurity compliance programs that were identified during a 2018 examination, the programs still required additional improvements to achieve regulatory compliance. NYDFS concluded that the company violated sections of Part 200 by allegedly failing to develop adequate internal policies and controls to maintain compliance with applicable AML laws or to develop procedures to ensure compliance with necessary risk management requirements under applicable OFAC regulations. Furthermore, the company violated the state’s cybersecurity regulation (23 NYCRR Part 500) by failing to conduct periodic cybersecurity risk assessments and failing to timely appoint a designated chief information security officer responsible for overseeing, implementing, and reporting on the company’s cybersecurity program. Under the terms of the consent order, the company agreed to pay a $1 million civil monetary penalty and submit an action plan to NYDFS within 180 days detailing its remediation efforts. The company also agreed to conduct a comprehensive cybersecurity risk assessment within 150 days and to continue to strengthen its controls, policies, and procedures to prevent future violations.
NYDFS adds enhancements for detecting virtual currency fraud
On February 21, NYDFS Superintendent Adrienne A. Harris announced enhancements to the Department’s ability to detect fraud in the virtual currency industry. The new enhancements will improve NYDFS’s ability to combat financial crime and detect illegal activity among state-regulated entities engaged in virtual currency activity through new insider trading and market manipulation risk monitoring tools. Specifically, the enhancements will strengthen NYDFS’s virtual currency supervision and aid the Department in detecting potential insider trading, market manipulation, and front-running activity associated with regulated entities’ and applicants’ exposure or potential exposure to listed virtual currency wallet addresses. The announcement builds upon recently issued guidance related to the use of blockchain analytics tools, the issuance of U.S. dollar-backed stablecoins, and custodial guidance on crypto insolvency, as well as guidance for addressing measures for preventing market manipulation. (Covered by InfoBytes here, here, here, and here.)
NYDFS implements state CRA revisions
On February 8, NYDFS announced the adoption of updates to the state’s Community Reinvestment Act (CRA) regulation. The final regulation implements amendments to Banking Law § 28-b, and allows the Department to obtain necessary data to evaluate how well regulated banking institutions are serving minority- and women-owned businesses in their communities. These findings will be integrated into institutions’ CRA ratings, NYDFS said. As previously covered by InfoBytes, NYDFS issued proposed revisions last October, announcing that the modifications are intended to minimize compliance burdens by making sure the regulation’s proposed language complements requirements in the CFPB’s proposed rulemaking for collecting data on credit access for small and minority- and women-owned businesses. The final regulation details how regulated institutions must collect and submit the necessary data to NYDFS while abiding by fair lending laws. Regulated institutions must inquire as to whether a business applying for a loan or credit is minority- or women-owned or both, and submit a report to the Department providing application details, such as the date of application, type of credit applied for and the amount, whether the application was approved or denied, and the size and location of the business. The final regulation also includes a form for regulated institutions to use to obtain the required data from business loan applications. NYDFS said it will publish a data submission template in the coming months for regulated institutions to use during CRA evaluations. The final regulation takes effect August 8, and provides for a compliance date six months following the publication of the Notice of Adoption in the State Register. Regulated institutions will also have an additional transition period of three months from the compliance date to comply with certain provisions.
New York FY 2024 budget proposes to end unfair overdraft practices
On February 1, the New York governor released the state’s FY 2024 budget proposal, which includes measures for ending certain bank overdraft and insufficient fee practices. Specifically, the proposed legislation would amend section 9-y of the banking law to grant authority to the NYDFS superintendent to promulgate regulations related to (i) supervised banking organizations’ transaction processing practices; (ii) the charges (including overdraft and insufficient funds fees) that banks may impose in connection with dishonored transactions; and (iii) associated disclosures provided to consumers regarding how transactions are processed and any associated fees. In an accompanying budget briefing book, the governor said the proposed measures are part of “nation-leading legislation that comprehensively addresses abusive bank fee practices, which tend to disproportionally harm low- and moderate-income New Yorkers.” Proposed actions include “stopping the opportunistic sequencing of transactions in a way designed to maximize fees charged to consumers, ending other unfair overdraft and non-sufficient funds fee practices, and ensuring clear disclosures and alerts of any permissible bank processing charges.”
NYDFS finalizes commercial financing disclosures
On February 1, NYDFS adopted a final regulation (23 NYCRR 600) outlining disclosure requirements for commercial financing transactions in the state. Under the state’s Commercial Finance Disclosure Law (CFDL)—which was enacted at the end of December 2020—providers of commercial financing, which include persons and entities who solicit and present specific offers of commercial financing on behalf of a third party, are required to give consumer-style loan disclosures to potential recipients when a specific offering of finance is extended for certain commercial transactions of $2.5 million or less.
The final regulation took into consideration comments received on revised proposed regulations published in 2021 and 2022 (covered by InfoBytes here and here), and provides specific instructions for providers on how to comply with the CFDL. Among other things, the final regulation:
- Outlines detailed definitions for terms used within the CFDL and in the regulation;
- Clarifies the definition of “finance charge” with respect to commercial financing transactions, and explains how the finance charge and annual percentage rate should be calculated;
- Describes allowed tolerances and specifies occurrences where providers or financers will not assume liability for disclosure errors or inadvertent disclosures;
- Lays out formatting and content requirements for disclosures required by the CFDL for the following types of financing: (i) sales-based financing; (ii) closed-end financing; (iii) open-end financing; (iv) factoring transaction financing; (v) lease financing; (vi) general asset-based financing; and (vii) all other commercial financing transactions that do not fall within the aforementioned categories;
- Clarifies specific itemization disclosure requirements for when the amount financed is greater than the recipient funds;
- Outlines signature requirements;
- Describes how the CFDL’s disclosure threshold of $2,500,000 is calculated;
- Explains how providers should calculate required disclosures for commercial financing transactions with multiple payment options/balances payable on demand;
- Details certain duties of financers and brokers involved in commercial financing;
- Prescribes a process under which certain providers that use the opt-in method of calculating an estimated annual percentage rates will report data to the superintendent; and
- Specifies provisions related to the assignment of commercial financing agreements.
23 NYCRR 600 will take effect upon publication of the Notice of Adoption in the State Register. The compliance date is six months after the Notice of Adoption is published.
NYDFS gives custodial guidance on crypto insolvency
On January 23, NYDFS reiterated expectations for sound custody and disclosure practices for entities that are licensed or chartered to custody or temporarily hold, store, or maintain virtual currency assets on behalf of customers (virtual currency entities or “VCEs”). NYDFS explained that under the state’s virtual currency regulation (23 NYCRR Part 200), VCEs operating under the BitLicense and Limited Purpose Trust Charter are required to, among other things, “hold virtual currency in a manner that protects customer assets; maintain comprehensive books and records; properly disclose the material terms and conditions associated with their products and services, including custody services; and refrain from making any false, misleading or deceptive representations or omissions in their marketing materials.”
The regulatory guidance on insolvency clarifies standards and practices intended to ensure that VCEs are providing high levels of customer protection with respect to licensed asset custody. Specifically, the guidance addresses customer protection concerns regarding:
- The segregation of and separate accounting for customer virtual currency. VCEs “should separately account for, and segregate a customer’s virtual currency from, the corporate assets of the VCE Custodian and its affiliated entities, both on-chain and on the VCE Custodian’s internal ledger accounts.”
- VCEs limited interest in and use of customer virtual currency. VCEs that take possession of a customer’s assets should do so “only for the limited purpose of carrying out custody and safekeeping services” and must not “establish a debtor-creditor relationship with the customer.”
- Sub-custody arrangements. VCEs may choose, after conducting appropriate due diligence, to safekeep a customer’s virtual currency through a third-party sub-custody arrangement provided the arrangement is consistent with regulatory guidance and approved by NYDFS.
- Customer disclosures. VCEs are “expected to clearly disclose to each customer the general terms and conditions associated with its products, services and activities, including how the VCE Custodian segregates and accounts for the virtual currency held in custody, as well as the customer's retained property interest in the virtual currency.” Additionally, a customer agreement should be transparent about the parties’ intentions to enter into a custodial relationship as opposed to a debtor-creditor relationship.
NYDFS issues check-cashing fee regulations
On January 18, NYDFS announced that it has adopted an updated check cashing regulation. As previously covered by InfoBytes, NYDFS issued a proposed check cashing regulation in June 2022, following an emergency regulation announced in February 2022, that halted annual increases on check-cashing fees and locked the current maximum fee set last February at 2.27 percent (covered by InfoBytes here). The regulation establishes a new fee methodology that evaluates the needs of licensees and consumers who use check cashing services. Two tiers of fees for licensed check cashers are recommended: (i) the maximum fee that a check casher may charge for a public assistance check issued by a federal or state government agency (including checks for Social Security, unemployment, retirement, veteran’s benefits, emergency relief, housing assistance, or tax refunds) is set at 1.5 percent; and (ii) the maximum fee a check casher is permitted to charge for all other checks, drafts, or money orders is $1 or 2.2 percent, whichever is greater. According to NYDFS Superintendent Adrienne Harris, “the existing fee methodology wasn’t just outdated, but inappropriate and punitive to consumers.” She further noted that “[c]heck cashers should not be entitled to automatic, annual fee increases.”
NYDFS describes plan to include medical debt in Consumer Credit Fairness Act
On January 10, NYDFS announced that the New York governor revealed several healthcare-related proposals in the State of the State address, including a plan to include medical debt in the state’s Consumer Credit Fairness Act. NYDFS noted that the governor “will create a comprehensive plan to address excessive medical debt” by amending “the Consumer Credit Fairness Act to cover medical debt, launching an industry and consumer education campaign that addresses medical debt and affordability, and reforming hospital financial assistance applications to require hospitals to use a uniform application form.” According to NYDFS, the best way to combat “medical debt is a commitment to an affordable and equitable healthcare system with transparency that empowers consumers, regardless of their socioeconomic status.”
Crypto platform reaches $100 million settlement to resolve alleged compliance failures
On January 4, NYDFS issued a consent order against a cryptocurrency trading platform for engaging in alleged violations of New York virtual currency, anti-money laundering, transaction monitoring, and cybersecurity regulations. According to the consent order, in 2020, NYDFS found significant deficiencies across the respondent’s compliance program, including its Know-Your Customer/Customer Due Diligence (KYC/CDD) procedures, Transaction Monitoring System (TMS), OFAC screening program, and AML risk assessments. As a result of these findings, the respondent agreed to improve its BSA/AML and OFAC compliance programs, including engaging an independent consultant to develop a remediation plan and improve its compliance program.
In 2021, NYDFS launched an investigation to determine whether the respondent’s compliance deficiencies had resulted in any legal violations. The investigation found “substantial lapses in [the respondent’s] KYC/CDD program, its TMS, and in its AML and OFAC sanctions controls systems, as well as issues concerning [the respondent’s] retention of books and records, and with respect to meeting certain of its reporting obligations to the Department.” NYDFS noted that in late 2020 and 2021, the respondent took steps to remediate the issues identified by the Department and the independent consultant; however, substantial weaknesses remained, and its compliance system was inadequate to handle the growing volume of the respondent’s business.
Under the terms of the consent order, the respondent must pay a $50 million civil penalty to NYDFS and invest $50 million in its compliance program. Additionally, an independent third party will continue to work with the respondent for another year, which may be extended at the Department’s sole discretion. NYDFS noted that the respondent has already taken steps to build a more effective and robust compliance program under the supervision of NYDFS and the NYDFS-appointed independent monitor. According to the respondent’s press release, the company “has taken substantial measures to address these historical shortcomings” and “remains committed to being a leader and role model in the crypto space, including partnering with regulators when it comes to compliance and other areas.”
NYDFS revises proposed amendments to third-party debt collection rules
In December, NYDFS released revised proposed amendments to 23 NYCRR 1, which regulates third-party debt collectors and debt buyers. NYDFS first issued a proposed amendment to 23 NYCRR 1 in December 2021 (covered by InfoBytes here), which factored in findings from NYDFS investigations that revealed instances of abusive and deceptive debt collection practices, as well as consumer debt collection complaint data. The first proposed amendment, among other things, is intended to enhance consumer protections by increasing transparency, requiring heightened disclosures, reducing misleading statements about consumer debt obligations, and placing stricter limits on debt collection phone calls than those currently imposed under federal regulations. The revised proposal, among other things, also include the following requirements:
- A debt collector must send written notification within five days after the initial communication with a consumer that clearly and conspicuously contains validation information as required under Regulation F. Debt collectors are prohibited from using the charge-off date as the itemization date for the alleged debt unless it is a revolving or open-end credit account. Instead, debt collectors should use the last payment date as the itemization date if available.
- Written notifications must be clear and conspicuous and also include the following, in addition to validation information: (i) the reference date relied upon to determine the itemization date; (ii) for revolving or open-end credit accounts, an account number (or a truncated version of the account number) associated with the debt on the last payment date or the last statement date if no payment has been made; (iii) the merchant brand, affinity brand, or facility name, if any, associated with the debt; (iv) the date and amount of the last payment or a statement noting that no payment was made, if available; (v) the applicable statute of limitations expressed in years for debt that has not been reduced to judgment; (vi) information on a debt that has been reduced to a judgment, if applicable; and (vii) notice that a consumer has the right to dispute the validity of a debt and instructions on how to submit a dispute.
- Debt collectors must inform consumers of available language access services and are required to record the consumer’s language preference, if other than English, in the written notification.
- Unless affirmatively requested by the consumer, required disclosures may not be made exclusively by electronic communication. Additionally, a debt collector may communicate with a consumer exclusively through electronic communication only if: (i) the consumer has voluntarily provided contact information for electronic communication; (ii) the consumer has given revocable consent in writing to receive electronic communication from the debt collector in reference to a specific debt (electronic signatures constitute written consent); (iii) the debt collector retains the written consent for six years or until the debt is discharged, sold, or transferred (whichever is longer); and (iv) all electronic communications include clear and conspicuous disclosures regarding revoking consent.
- Communications sent in the form of a pleading in a civil action will not be considered an initial communication for the purposes of these amendments.
- Debt collectors must provide substantiation of debt within 45 days.
- Debt collectors may not communicate or attempt to communicate excessively with a consumer. Specifically, debt collectors are limited to one completed phone call and three attempted phone calls per seven-day period per alleged debt. Telephone calls more than these limits may be permitted when required by federal or state law, or when made in response to the consumer’s request to be contacted and in the manner indicated by the consumer, if any.
Comments are due February 13. The amendments are scheduled to take effect 180 days after the notice of adoption is published in the State Register.