InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Special Alert: NYDFS Stakes Claim on Cybersecurity Regulation
On September 13, the New York Department of Financial Services (DFS) issued a proposed rule establishing cybersecurity requirements for financial services companies, and has thus ventured into new territory for state regulators. In the words of Governor Cuomo, “New York, the financial capital of the world, is leading the nation in taking decisive action to protect consumers and our financial system from serious economic harm that is often perpetrated by state-sponsored organizations, global terrorist networks, and other criminal enterprises."
Given the concentrated position of financial service companies in New York and the regulation’s definition of a Covered Entity – which includes “any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the banking law, the insurance law or the financial services law” – it could create an almost de facto national standard for medium to large financial services companies, regardless of where they keep their servers or suffer a cyberattack. This type of state-level regulation is not unprecedented. In 2003, California passed a data breach notification law that requires companies doing business in California to notify California residents of the breach and more recently amended the law to require 12 months of identity protection and strengthen data security requirements. In 2009, Massachusetts enacted a regulation mandating businesses implement security controls to protect personal information relating to state residents.
The DFS designed the regulation to protect both consumers and the financial industry by establishing minimum cybersecurity standards and processes, while allowing for innovative and flexible compliance strategies by each regulated entity. Yet the proposed regulation goes further than to just ask financial entities to conduct a risk assessment and to design measures to address the identified risks.
Click here to view the full Special Alert.
* * *
Questions regarding the matters discussed in this Alert may be directed to any of our lawyers listed below, or to any other BuckleySandler attorney with whom you have consulted in the past.
- John P. Kromer, (202) 349-8040
- Elizabeth E. McGinn, (202) 349-7968
New York Senate Confirms Maria Vullo as Superintendent of NYDFS
On June 15, the New York State Senate confirmed Governor Andrew Cuomo’s nomination of Maria Vullo as Superintendent of the NYDFS. Replacing former Superintendent Benjamin Lawsky, Vullo will be responsible for the regulation of more than 1,500 insurance companies and almost 1,600 banking and other financial institutions. Prior to joining the NYDFS as Acting Superintendent in February 2016, Vullo was a litigation partner in private practice, and formerly served as Executive Deputy Attorney General for Economic Justice Division in the New York AG’s office. Commenting on her role, Vullo noted that she is “committed to strengthening New York’s status as the financial capital of the world, protecting consumers, and ensuring that everyone follows the law.”
NYDFS Issues Virtual Currency License to XRP II, LLC
On June 13, the NYDFS announced that it approved XRP II, LLC’s application for a virtual currency license. Before approving the company’s August 2015 application, NYDFS conducted a “rigorous review” of the company’s anti-money laundering, capitalization, consumer protection, and cybersecurity standards. To date, NYDFS has received 26 BitLicense applications; two companies, including this one, have been approved for BitLicenses and two have received state trust charters. NYDFS further noted that it recently denied two applications for a virtual currency license; the companies in receipt of the denial letters were ordered to stop any New York operations.
NYDFS Announces First Settlements to Provide Restitution to Consumers Affected by Alleged Unlawful Payday Lending Practices
The NYDFS recently announced that it entered into consent orders with two debt buyers, one based out of Kansas and the other out of Virginia. According to the Department, the debt buyers improperly purchased and collected on illegal payday loans from New York consumers, with the Kansas-based debt buyer allegedly attempting to collect on more than 7,000 payday loan debts of New York consumers and collecting payments on more than 4,000 of those debts between 2007 and 2014. The NYDFSs press statement further alleges that the Kansas-based debt buyer repeatedly called New York consumers at work and at home, threatened to call consumers employers, and called family members to pressure consumers into paying their alleged payday loan debts. Pursuant to the consent order with the Kansas company, the debt buyer will (i) discharge more than $2.26 million in consumers payday loan debts; (ii) contact credit reporting bureaus and request that they remove any negative information that it previously provided associated with New Yorkers payday loan accounts; (iii) move to vacate judgments it obtained on New Yorkers payday loan accounts; and (iv) release pending garnishments, levies, liens, restraining notices, or attachments associated with judgments on New York consumers payday loan accounts. The Kansas debt buyer will issue almost $725,000 in refunds to more than 3,000 New Yorkers. The Virginia-based debt buyer will provide refunds totaling more than $66,000 to 52 New Yorkers allegedly affected by its lending practices, and discharge almost $53,000 in payday loan debts to 106 New Yorkers. The two settlements are the first NYDFS settlements to provide consumer restitution to New Yorkers affected by payday loans.
NYDFS Announces Senior Staff Additions
Last week, the NYDFS appointed Scott Fischer Executive Deputy Superintendent for Insurance and Laura E. Evangelista Deputy Superintendent for Insurance. Fischer joins the NYDFS from the New York Liquidation Bureau where he served as Special Deputy Superintendent. Previously, Fischer worked at the European Bank for Reconstruction and Development in London, served as Senior Counsel in the Office of General Counsel at the New York Insurance Department, and as Assistant AG at the New York State Attorney General’s Office. Evangelista most recently served as Vice President and Assistant General Counsel at an international insurance brokerage firm; previously, she was a commercial litigator in private practice.
NYDFS Names Celeste Koeleveld General Counsel
On April 11, the NYDFS appointed Celeste Koeleveld as General Counsel. Koeleveld will be responsible for all legal matters in the Department. Prior to joining the NYDFS, Koeleveld held various public service positions, including Executive Assistant Corporation Counsel at the New York City Law Department, and positions as Chief of the Criminal Division and Chief Appellate Attorney at the U.S. Attorney’s Office for the Southern District of New York.
Pakistani Bank Reaches Agreement with NYDFS to Enhance AML Compliance Controls
Recently, the Federal Reserve and NYDFS announced that a New York branch of a Pakistani bank agreed to strengthen its compliance with BSA/AML requirements and OFAC regulations. The NYDFS’s and the NY Federal Reserve Bank’s recent examination into the bank’s branch found deficiencies related to its risk management and compliance with BSA/AML and OFAC regulations. Pursuant the agreement, the bank must submit written plans to the NYDFS and the NY Federal Reserve Bank on its strategy to improve its BSA/AML/OFAC compliance and its suspicious activity reporting. In addition, the bank must submit quarterly progress reports to the aforementioned regulators.
The recently issued agreement comes after a similar agreement earlier this month in which a New York branch of a Korean bank agreed to enhance its BSA/AML/OFAC compliance.
New York DFS Takes Action Against Online Payday Loan Lead Generator
Recently, the New York DFS announced that an online payday loan lead generator and its CEO will pay a $1 million penalty and cease payday loan lead generation activities in New York to resolve allegations that its payday loans charge fees had interest rates greater than the usury limits allowed under New York law, and that it failed to protect consumers' personal information. According to the DFS, the company (i) "advertised payday loans and connected New York consumers to payday lenders without disclosing that the payday loans contained terms that violate New York usury laws"; and (ii) failed to take any protective measures when selling leads to its network of lead buyers, despite advertising that it "prides itself in putting [its] customer's security and personal information protection at the top of [its] priority list." In the event that the company solicits non-payday lending services in New York in the future, the order requires it to establish and adhere to data security protocols for the secure use, transfer, and storage of consumers' personal information. This action represents the DFS's first action to require a company to implement consumer data security measures to its future collection of consumers' personal information.
New York Governor Andrew Cuomo Nominates Maria Vullo as NYDFS's Superintendent
On January 21, New York Governor Andrew Cuomo nominated Maria Vullo to serve as the NYDFS’s superintendent. If approved by the New York State Senate, Vullo would replace former superintendent Benjamin Lawsky, who left the Department in June 2015. Governor Cuomo noted that Vullo is a “tough and fair litigator” who “has shown an immovable commitment to upholding the law and protecting consumers.” Vullo has worked in the private and public sectors, and has over 25 years of practice in business litigation and investigations. In 2010, Vullo also served under then AG Cuomo as Executive Deputy Attorney General for Economic Justice, handling various consumer protection, investor protection, and antitrust matters.
New York DFS Announces Enforcement Action Against Pakistan-Based Bank's New York Branch
On December 17, the New York DFS announced an enforcement action against a New York branch of a Pakistan-based bank. The Federal Reserve Bank of New York (FRBNY) and the DFS recently conducted an examination of the branch and found significant risk management and compliance failures with regard to state and federal laws, rules, and regulations relating to anti-money laundering (AML) compliance. Under the terms of the DFS’s order, the branch agreed to reform its policies and procedures to ensure compliance with AML laws. Per the order, the bank must submit to the DFS, within 60 days of the order, a number of written programs regarding its (i) corporate governance and management oversight; (ii) BSA/AML compliance review; (iii) customer due diligence; and (iv) suspicious activity monitoring and reporting. The branch must also hire an independent third-party approved by the DFS and the FRBNY to review the effectiveness of the bank’s compliance program, and to prepare a written report of its findings, conclusions, and recommendations for the program. Because the branch’s compliance with OFAC regulations was insufficient, the order also mandates that the bank retain an independent third-party to examine its U.S. dollar-clearing transactions between October 2014 and March 2015. Significantly, the order does not require the branch to pay a civil money penalty.