InfoBytes Blog

Financial Services Law Insights and Observations

  • NYDFS launches online registration form for credit reporting agencies to comply with new regulation

    State Issues

    On August 22, the New York Department of Financial Services (NYDFS) announced an online registration form for credit reporting agencies (CRAs) to comply with the state’s final regulation that requires CRAs with significant operations in New York to register with NYDFS and to comply with New York’s cybersecurity regulation. (As previously covered by InfoBytes, the newly promulgated regulation, entitled “Registration Requirements & Prohibited Practices for Credit Reporting Agencies,” 23 NYCRR 201, requires CRAs that reported on 1,000 or more New York consumers in the preceding year to register annually with NYDFS.) Registration must be completed by September 15 of this year and by February 1 of each successive year for the calendar year thereafter. Under the new regulation, CRAs are also required to comply by November 1 with New York’s cybersecurity requirements, which require, among other things, that covered entities have a cybersecurity program designed to protect consumers’ data and controls and plans to help ensure the safety and soundness of New York’s financial services industry. (Continuing InfoBytes coverage on NYDFS’ cybersecurity regulation available here.)

    State Issues NYDFS Credit Reporting Agency Privacy/Cyber Risk & Data Security

  • NYDFS reminds covered entities of upcoming cybersecurity regulation compliance dates; updates FAQs

    State Issues

    On August 8, the New York Department of Financial Services (NYDFS) issued a reminder for regulated entities required to comply with the state’s cybersecurity requirements under 23 NYCRR Part 500 that the third transitional period ends September 4. Banks, insurance companies, and other financial services institutions (collectively, “covered entities”) that are required to implement a cybersecurity program to protect consumer data must be in compliance with additional provisions of the cybersecurity regulation by this date. As of September 4, a covered entity must (i) start presenting annual reports to the board by the Chief Information Security Officer on “critical aspects of the cybersecurity program”; (ii) create an “audit trail designed to reconstruct material financial transactions” in case of a breach; (iii) institute policies and procedures to ensure the use of “secure development practices for IT personnel that develop applications”; and (iv) implement encryption to protect nonpublic information it holds or transmits. Covered entities are also required to have policies and procedures in place “to ensure secure disposal of information that is no longer necessary for the business operations, and must have implemented a monitoring system that includes risk based monitoring of all persons who access or use any of the company’s information systems or who access or use the company’s nonpublic information.” Covered entities are further reminded that they have until March 1, 2019, to assess the risks presented by the use of a third-party service provider to ensure the protection of their security systems and data.

    In coordination with the reminder, NYDFS provided new updates to its FAQs related to 23 NYCRR Part 500. The original promulgation of the FAQs was covered in InfoBytes, as were the last updates in February and March. The four new updates to the FAQs add the following guidance:

    • Clarifies that in certain circumstances, an entity can be a covered entity, an authorized user, and a third party service provider, and therefore must comply fully with all applicable provisions;
    • Outlines specific compliance provisions for covered entities that have limited exemptions from the NYDFS cybersecurity requirements;
    • Identifies a covered entity’s responsibilities when addressing cybersecurity risks with respect to bank holding companies; and
    • Clarifies situations and requirements for when a covered entity can rely upon the cybersecurity program that another covered entity has implemented for a common trust fund.

    Find continuing InfoBytes coverage on NYDFS’ cybersecurity regulations here.

    State Issues NYDFS Privacy/Cyber Risk & Data Security 23 NYCRR Part 500

  • Buckley Sandler Special Alert: OCC announces it will accept fintech charter applications, following the release of Treasury report on nonbank financial institutions

    Federal Issues

    On July 31, the OCC announced that nondepository financial technology firms engaged in one or more core banking functions may apply for a special purpose national bank (SPNB) charter. The announcement follows a report released the same day by the Treasury Department, which discusses a number of recommendations for creating a streamlined environment for regulating financial technology, and includes an endorsement of the OCC’s SPNB charter for fintech firms (fintech charter).

    * * *

    Click here to read the full special alert.

    If you have questions about the report or other related issues, please visit our Fintech practice page, or contact a Buckley Sandler attorney with whom you have worked in the past.

    Federal Issues Fintech OCC Department of Treasury CFPB Fintech Charter Non-Depository Institution Comptroller's Licensing Manual CSBS NYDFS Bank Holding Company Act Payday Rule

  • NYDFS issues final rule to establish standards for insurance sellers

    State Issues

    On July 18, the New York Department of Financial Services (NYDFS) issued a final rule requiring licensed insurers that offer life insurance and annuity products to New York consumers to establish standards and procedures to ensure that the financial objectives of the consumer are addressed at the time of the transaction and financial exploitation is prevented. According to the NYDFS, the rule amends the state’s current suitability regulation and “provides for a best interest standard of care for all sales of life insurance and annuity products.” The rule provides that when making a recommendation to consumers with respect to policies, the producer must “appropriately address the insurance needs and financial objectives of the consumer at the time of the transaction.” According to NYDFS Superintendent Maria Vullo, “financial compensation or incentives may not influence the recommendation.”

    State Issues NYDFS Insurance

  • Supreme Court of New York strikes down NYDFS’ Insurance Regulation 208

    State Issues

    On July 5, the Supreme Court of the State of New York ordered the annulment of Insurance Regulation 208, which was promulgated by the New York State Department of Financial Services (NYDFS) in October 2017. The decision results from an Article 78 petition by several title insurance companies challenging the state regulation, which prohibits title insurance entities from providing benefits such as meals, tickets to events, gifts, cash, access to parties, trips and other incentives to referral sources. The regulation clarifies that certain “reasonable and customary” advertising and marketing expenses are permitted under New York’s insurance law, provided they are “without regard to insured status or conditioned directly or indirectly on the referral of title business.” The title insurance companies argue that Regulation 208’s restrictions are inconsistent with New York’s insurance law because the law only prohibits “quid pro quo inducements given in exchange for title insurance business” and the law permits marketing and entertainment payments so long as they are not being exchanged for “a specific identified piece of business.”

    The court agreed and found that the insurance law—which prohibits a “commission,” “rebate,” “fee,” or “other consideration or valuable thing”—could not be construed to include marketing and entertainment expenses because “it is common sense that marketing is an inducement for business” and it would be “an absurd proposition” that the New York Legislature intended to prohibit companies from marketing themselves. Additionally, construing the insurance law to include marketing and entertainment expenses as prohibited expenditures but also including a provision which delineates certain types of marketing and entertainment expenses as permissible is “irreconcilable and irrational.” The court ultimately concluded that Regulation 208 must fail because it contravenes the will of the Legislature under the insurance law.

    In response to the decision, NYDFS Superintendent, Maria T. Vullo, issued a statement that the state intends to appeal as they “remain certain of [their] legal opinion and are confident [they] will prevail on appeal.” On July 6, NYDFS filed a notice of appeal with the court.

    State Issues Courts NYDFS Title Insurance

  • NYDFS recommends online lenders be subject to state licensure and usury limits in new report

    Lending

    On July 11, the New York Department of Financial Services (NYDFS or the Department) released a study of online lending in New York, as required by AB 8938. (Previously covered by InfoBytes here.) In addition to reporting the results of its survey of institutions believed to be engaging in online lending activities in New York, NYDFS makes a series of recommendations that would expand the application of New York usury and other statutes and regulations to online loans made to New York residents, including loans made through partnerships between online lenders and banks where, in the Department’s view, the online lender is the “true lender.”

    In particular, NYDFS recommends, “[a]ll New York lenders should operate under the same set of rules and be subject to consistent enforcement of those rules to achieve a level playing field for all market participants….”  Elsewhere in the report, the Department states that it “disagrees with [the] position” that online lenders are exempt from New York law if they partner with a federally-chartered or FDIC-insured bank that extends credit to New York residents.  NYDFS criticizes these arrangements, stating its view that “the online lender is, in many cases, the true lender” because the online lender is “typically … the entity that is engaged in marketing, solicitation, and processing of applications, and dealing with the applicants” and may also purchase, resell, and/or service the loan.  

    NYDFS also noted that it opposed pending federal legislation that would reverse the Second Circuit’s decision in Madden v. Midland Funding, LLC, which held that federal preemption of New York’s usury laws ceased to apply when a loan was transferred from a national bank to a non-bank. The Department expressed concern that, if passed, the bill “could result in ‘rent-a-bank charter’ arrangements between banks and online lenders that are designed to circumvent state licensing and usury laws.”

    Noting that many online lenders remain unlicensed in New York, the Department states that “[d]irect supervision and oversight is the only way to ensure that New York’s consumers and small business owners receive the same protections irrespective of the channel of delivery….”  To this end, NYDFS recommended lowering the interest rate threshold for licensure from 16 percent to 7 percent.

    Although NYDFS stressed that its survey results may be unreliable due to uneven response rates, it reported that, for respondents, the average median APR for online loans to businesses was 25.9%, the average median APR for online loans to individuals for personal use was 14.8%, and the average median APR for the underbanked customers was 19.6% (New York currently caps interest for civil liability at 16% and at 25% for criminal liability).

    Overall, the report appears to forecast a more difficult regulatory and enforcement environment in New York for online lenders, as has been the case in West Virginia and Colorado.

    Lending State Issues NYDFS Online Lending Usury Consumer Finance Madden

  • NYDFS encourages New York state chartered financial institutions to establish relationships with medical marijuana businesses

    State Issues

    On July 3, the New York Department of Financial Services (NYDFS), at the direction of Governor Andrew Cuomo, released guidance encouraging New York state chartered banks and credit unions to consider establishing relationships with regulated and compliant medical marijuana and industrial hemp-related businesses operating in New York. According to the guidance, these businesses often rely solely on cash to conduct transactions because they lack access to traditional financial services. The press release announcing the guidance cites the New York Compassionate Care Act, enacted in 2014, which gives medical patients suffering from “debilitating symptoms and diseases” access to medical marijuana under strict requirements. NYDFS is encouraging New York financial institutions to form appropriate banking relationships with these businesses, because “[p]roviding access to regulated banking services is an essential part of taking the legal cannabis industry out of the shadows and establishing it as a transparent, regulated, tax-paying part of our economy, and a necessary part of fulfilling the goal of relieving the suffering of seriously ill patients.”

    NYDFS will not impose any regulatory action on a New York financial institution that establishes a business relationship with legal medical marijuana and industrial hemp-related businesses, as long as the institution also complies with other applicable guidance and regulations, such as the Financial Crimes Enforcement Network’s 2014 guidance—which clarifies expectations under the Bank Secrecy Act (BSA) for financial institutions providing services to these businesses. 

    State Issues NYDFS Compliance Bank Secrecy Act FinCEN Medical Marijuana

  • Credit reporting agency agrees to cybersecurity corrective action with eight state regulators

    Privacy, Cyber Risk & Data Security

    On June 27, the New York Department of Financial Services (NYDFS) announced that a major credit reporting agency has agreed to cybersecurity and internal control corrective action following its 2017 data breach, which reportedly affected 143 million American consumers. The consent order, which was entered into with NYDFS and seven other state regulators, requires a wide range of corrective actions. The company must: (i) review and approve a written risk assessment which identifies data breach risks and the likelihood of threats; (ii) establish and oversee a formal internal audit program; (iii) improve oversight of its information security program; and (iv) improve oversight and ensure sufficient controls are developed for critical vendors. The consent order does not include any monetary penalties.

    The consent order follows the June 25 announcement by NYDFS that credit reporting agencies will be required to register annually with the state and comply with the state’s cybersecurity regulation (covered by InfoBytes here).

    Privacy/Cyber Risk & Data Security State Issues Data Breach NYDFS

  • New York regulation requires all credit reporting agencies to register with NYDFS

    State Issues

    On June 25, the New York governor announced the issuance by the New York Department of Financial Services (NYDFS) of a final regulation that requires consumer credit reporting agencies (CRAs) with significant operations in New York to register with NYDFS and to comply with New York’s cybersecurity standard. Specifically, the newly promulgated regulation, entitled “Registration Requirements & Prohibited Practices for Credit Reporting Agencies,” 23 NYCRR 201, requires CRAs that reported on 1,000 or more New York consumers in the preceding year to register annually with NYDFS, beginning on or before September 1, 2018 for 2017 reporting, and by February 1 for every year thereafter. Among other things, the regulation also (i) authorizes the NYDFS superintendent to refuse to renew a CRA’s registration for various reasons, including if the applicant or affiliate of the applicant fails to comply with the cybersecurity regulations; (ii) subjects the CRAs to examination by NYDFS at the superintendent’s discretion; and (iii) prohibits CRAs from engaging in any “unfair, deceptive, or predatory act or practice toward any consumer,” to the extent not preempted by federal law. Additionally, beginning on November 1, the regulation requires every CRA to comply with NYDFS’ cybersecurity regulation, which requires, among other things, that covered entities have a cybersecurity program designed to protect consumers’ data and controls and plans to help ensure the safety and soundness of New York’s financial services industry. (Recent InfoBytes coverage on NYDFS’ cybersecurity regulation available here and here.)

    According to Governor Cuomo, the oversight of CRAs will help to ensure New York consumers’ information is less vulnerable to the threat of cyber-attacks, stating, “[a]s the federal government weakens consumer protections, New York is strengthening them with these new standards.”

    State Issues NYDFS Credit Reporting Agency Privacy/Cyber Risk & Data Security

  • NYDFS fines global banking firm $205 million for alleged FX violations

    Securities

    On June 20, the New York Department of Financial Services (NYDFS) announced a $205 million settlement with a global banking firm to resolve allegations that the bank engaged in unsafe and unsound practices in its foreign exchange (FX) trading business. According to the consent order, the bank did not implement and maintain sufficient controls to identify and prevent unsafe and unsound activities conducted by certain FX traders. Among other things, the order states that FX traders (i) used electronic chatrooms to coordinate trading activity with competitors to improperly affect FX prices; (ii) engaged in a practice known as “jamming the fix,” which entails accumulating a large trading position and subsequently making aggressive trades with the intention of moving the fix price in a desired direction; (iii) disclosed confidential customer information to competitors through electronic chatrooms; and (iv) misled customers by hiding markups on trades. In addition to the fine, the bank is required to improve its internal controls and programs to comply with applicable New York State and federal laws and regulations, submit a written plan to improve its compliance risk management program, and provide an enhanced written internal audit program.

    Securities NYDFS Enforcement Bank Compliance Foreign Exchange Trading
