InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
NYDFS promises to fill CFPB regulatory void
On January 25, the New York Department of Financial Services (NYDFS) Superintendent, Maria T. Vullo, issued a statement critical of the recent policy changes by the CFPB’s new leadership. As previously covered by InfoBytes, acting CFPB Director Mick Mulvaney announced, among other things, that the CFPB will no longer “push the envelope” in pursuit of the agency’s mission. Vullo stated that NYDFS remains “committed to its mission to safeguard the financial services industry and protect New York consumers,” and promised to fill the “regulatory voids” left by the new administration.
In December, as previously covered by InfoBytes, seventeen state attorneys general sent a letter to President Trump expressing concern about Mulvaney serving as acting director, and emphasizing that if the CFPB does not do the job, the states will “redouble our efforts at the state level to root out such misconduct and hold those responsible to account.”
NYDFS warns financial institutions of February 15 cybersecurity compliance certification deadline
On January 22, the New York Department of Financial Services (NYDFS) issued a reminder to all NYDFS-regulated banks, insurance companies, and other financial services institutions that the deadline to file cybersecurity certifications of compliance is February 15, 2018. Mandated by NYDFS’ cybersecurity regulation that went into effect March 1, 2017 (see previous InfoBytes coverage here), the certification covers the prior calendar year and must be filed electronically through the DFS cybersecurity portal. NYDFS Superintendent Maria T. Vullo also announced that going forward, cybersecurity will be incorporated into all department examinations, and cybersecurity-related questions will be added to NYDFS’ “first day letters” issued to commence examinations of financial services companies.
New York Senate bill proposes replacing online lending task force with study
On January 8, the New York State Senate Committee on Rules voted to amend legislation to authorize the New York Department of Financial Services (NYDFS) to conduct a study about online lending. The original legislation, S6593A, signed into law by Governor Cuomo on December 29, 2017, created a seven-person task force responsible for analyzing online lending activity in the state. The proposed amendments to this legislation, S07294 and A8938, which would be effective immediately if passed by both houses of the New York legislature and signed into law, remove the requirement for a task force, and instead authorize NYDFS to direct the study and produce a public report with recommendations prior to July 1. According to the amendments, the study should analyze (i) lending practices of the online lending industry and primary differences between online lenders and traditional lenders; (ii) types of credit products available online; (iii) a review of available complaints, actions and investigations related to online lenders; and (iv) a survey of existing state and federal laws that apply to the online lending industry.
NYDFS fines global money service $60 million for AML deficiencies
On January 4, New York Department of Financial Services (NYDFS) ordered one of the largest global money transfer services to pay $60 million for willfully failing to implement an effective anti-money laundering (AML) program. According to the consent order, between 2004 and 2012, three of the company’s New York locations allowed the company’s services to be used to pay debts to human traffickers based in China. Additionally, the order emphasizes that the company was aware of weaknesses in its compliance program for years and failed to implement controls that could have detected and prevented the payments in question. The NYDFS investigation resulted from a January 2017 settlement with the Department of Justice, which found that during the same time period (2004-2012), the company processed hundreds of thousands of transactions for company agents and others involved in an international consumer fraud scheme, as previously covered by InfoBytes. In addition to the fine, the order requires that the company put in place stricter AML compliance measures, including the creation of an Independent Compliance Committee of the Board of Directors.
NYDFS orders Korean bank to pay $11 million civil money penalty for BSA/AML compliance deficiencies
On December 21, the New York Department of Financial Services (NYDFS) entered into a consent order with a Korean bank and its New York branch to resolve issues regarding alleged deficiencies in the branch’s Bank Secrecy Act and other anti-money laundering (BSA/AML) compliance and risk management. The alleged deficiencies were discovered during three examinations between 2014-2016 by NYDFS and the Federal Reserve Bank of New York. According to the consent order, among other things, the branch failed to maintain adequate transaction monitoring and suspicious activity reporting (SAR), lacked compliance staff with proper BSA/AML background experience, and lacked adequate BSA/AML and OFAC risk assessments.
The Korean bank and its branch are required to pay an $11 million civil money penalty, and in addition must submit the following documentation (i) a BSA/AML compliance program; (ii) a customer due-diligence program; (iii) a SAR program; (iv) a revised internal audit program; and (v) a plan to enhance oversight of the branch’s BSA/AML compliance requirements. The Korean bank and branch are also required to submit quarterly reports for two years with updates on the branch’s compliance progress.
NYDFS updates cybersecurity regulation FAQs
Recently, the New York Department of Financial Services (NYDFS) updated its answers to FAQs relating to 23 NYCRR Part 500. As previously covered in InfoBytes, 23 NYCRR Part 500 took effect March 1 and establishes cybersecurity requirements for banks, insurance companies, and other financial services companies. The December updates to the FAQs address risk-based requirements affecting covered entities, including the following topics; (i) penetration testing and vulnerability assessments; (ii) third-party service provider due diligence requirements; (iii) limited notices of exemption; and (iv) record requirements.
OCC Recent Enforcement Actions Target BSA/AML Compliance Programs and National Flood Insurance Act Violations
On December 14, the OCC released a list of recent enforcement actions taken against national banks, federal savings associations, and individuals currently and formerly affiliated with such parties. The new enforcement actions include cease and desist orders, civil money penalty orders, removal/prohibition orders, and restitution orders. The list also includes recently terminated enforcement actions.
Cease and Desist Order. On November 9, the OCC issued a consent order (2017 Order) two days after converting a Japanese bank’s two New York branches under the supervision of the New York Department of Financial Services (NYDFS) to federally licensed branches under the supervision of the OCC. As part of the OCC’s approval process, the bank’s federal branches and New York branches agreed to the issuance of the 2017 Order, which requires adherence to “remedial provisions . . . substantively the same as those” in consent orders entered into in 2013 and 2014 with NYDFS. The previously issued consent orders addressed deficiencies related to the bank’s Bank Secrecy Act/Anti-Money Laundering (BSA/AML) sanctions compliance programs, specifically concerning the removal of key warnings to regulators on transactions with sanctioned countries.
The 2017 Order, among other things, requires the bank to: (i) submit an action plan on enhancing internal controls and updating policies and procedures to correct BSA/AML deficiencies, address provisions applicable under the Office of Foreign Assets Control’s requirements, and implement requirements outlined in the 2013 and 2014 consent orders; (ii) ensure adherence to the action plan and 2017 Order under the direction of the bank’s general manager; (iii) submit a management oversight plan designed to improve and enhance the bank’s sanctions compliance programs; and (iv) prevent the retention or future engagement of any individual identified and “barred by the 2014 Consent Order from engaging, directly or indirectly, in any duties, responsibilities, or activities at or on behalf of the [b]ank or the [b]ank’s affiliates that involve their banking business in the [U.S.].” The 2017 Order does not require the bank to pay a civil monetary penalty.
Civil Monetary Penalty. On October 10, the OCC assessed a $452,000 civil monetary penalty against a national bank lender for alleged violations of the National Flood Insurance Act and/or the Flood Disaster Protection Act. The bank agreed to pay the penalty without admitting or denying any wrongdoing.
Judge Dismisses OCC Fintech Charter Challenge
A U.S. District Court Judge dismissed the New York Department of Financial Services’ (NYDFS) challenge to the OCC’s proposed federal charter for fintech firms. (See previous InfoBytes coverage here.) In the December 12 order, the judge agreed with the OCC that the court lacked subject matter jurisdiction over NYDFS’ claims because the OCC has yet to finalized its plans to actually issue fintech charters. The case was dismissed without prejudice.
As previously covered by InfoBytes, the Conference of State Bank Supervisors (CSBS) has also filed a lawsuit, which challenges the same statutory authority allowing the OCC to create charters for fintech companies. The CSBS lawsuit is still active.
Credit Reporting Agencies Must Comply With Emergency Regulations
On Tuesday, New York State adopted emergency regulations intended to “provide consumers with the means to protect themselves against identity theft” and assist those consumers who have fallen victim to such theft. The New York Department of State’s Division of Consumer Protection (the Division), which has the authority to promulgate rules and regulations related to consumer protection activities of all state agencies, announced the adoption of regulations as part of its Identify Theft Prevention and Mitigation Program (the Program). In a press release issued December 12 by the office of New York Governor Andrew M. Cuomo, the regulations will require consumer credit reporting agencies to comply with the following, among other things:
- provide responses within 10 days to information requests made by the Division when investigating, mediating, or mitigating a consumer’s identity theft complaint;
- identify dedicated points of contact to assist the Division’s effective administering of the program;
- make available to the Division a list and description of all business affiliations and contractual relationships that provide identity theft and credit monitoring-related products or services; and
- clearly disclose all fees associated with offered products and services marketed to prevent identity theft, and inform consumers of trial and cancellation provisions.
Consumer credit reporting agencies will be required to comply with these regulations, effective immediately. A to-be-announced public comment period will occur prior to the regulations’ final adoption.
As previously covered by InfoBytes, New York Department of Financial Services (NYDFS) has taken several steps to address cybersecurity concerns, including a September 18 announcement that the state would expand cybersecurity standards to cover credit reporting agencies. Under the proposed regulation, credit reporting agencies would be subject to compliance examinations, would be required to initially register with NYDFS, and would be required to comply with cybersecurity regulations starting on April 4, 2018, in accordance with a phased-in compliance schedule.
New York Enters Second Stage in Use of Nationwide Licensing System
On November 1, the New York Department of Financial Services (NYDFS) announced that it will transition licensed lenders and sales finance companies to the Nationwide Multistate Licensing System (NMLS). NMLS allows companies to apply for, update, and renew licenses in one or more states online. According to the announcement, transitioning to NMLS will allow NYDFS to link with other states and thus provide enhanced supervision of nondepository institutions. As previously covered by InfoBytes, in July, NYDFS began its initiative to manage the licensing and regulation of all nondepository financial institutions operating in the state by transitioning money transmitters to the web-based system.