InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
NYDFS addresses “potential confusion” over new consumer credit transaction SOL
On April 7, NYDFS issued guidance to debt collectors addressing potential confusion about how to comply with the notice requirements of 23 N.Y.C.R.R. § 1.3(b) that went into effect April 7. The new amendments are set forth in Section 4 of the Consumer Credit Fairness Act (which was enacted last November and was covered by InfoBytes here), and address the statute of limitations (SOL) applicable to actions arising out of consumer credit transactions. Specifically, Section 214-i provides that “when the applicable limitations period expires, any subsequent payment toward, written or oral affirmation of or other activity on the debt does not revive or extend the limitation period.” The amendments also decreased the SOL period to three years and requires additional notices to be made. While the guidance provides sample disclosure statements that address each of the requirements under § 1.3(b), NYDFS states that “23 N.Y.C.R.R. § 1.3 does not prohibit debt collectors from adding explanatory language to the model disclosure language set forth in § 1.3(c) or using their own language to comply with § 1.3(b).”
NYDFS’ guidance follows letters sent last month by the New York attorney general to several large credit card companies and major debt collectors operating in the state, which reminded entities about the new obligations and disclosures that will be required when filing collection lawsuits against consumers starting May 7. (Covered by InfoBytes here.)
NY AG warns debt collectors of new state regulations
On March 29, the New York attorney general announced that letters were sent to large credit card companies and major debt collectors operating in New York, providing a warning regarding new state debt collection regulations. As previously covered by InfoBytes, the New York governor signed S.153 in November 2021, which enacted The Consumer Credit Fairness Act and expanded consumer protections against abusive debt collection by, as explained by NYDFS acting Superintendent Adrienne A. Harris, “address[ing] known predatory debt collection practices, [and] barring an abusive common tactic engaged by predatory debt collectors which is to sue on time-barred consumer debts for which they lack even the most basic of documentation.” The letter noted that its recipients are “aware of these obligations and that [they] are taking appropriate steps to comply with the new requirements.” The letter stated that beginning April 7, the statute of limitations on consumer debt collection actions in the state will be decreased to three years, a period of time that cannot be extended by partial payments made after the statute of limitations has expired, and that “debt collectors must ensure that validation notices for debts that will become time-barred on April 7, 2022 include this disclosure if the notice is likely to be received after that date.” The letter also reminded debt collectors of new disclosures that will be required when filing collection lawsuits against consumers starting May 7. Complaints are required to include an itemization of the debt and include more information about the chain of ownership, including providing a copy of the original contract on which the debt is based. Collectors must also begin utilizing a “more comprehensive” notice that is provided to the clerk of the court and subsequently passed on to consumers and must use a new form when filing for summary judgments. Lastly, the letter requested information on how the companies are complying with Regulation F and the new disclosure requirements.
NYDFS fines money transmitter $8.25 million for AML compliance failures
On March 16, NYDFS announced the imposition of an $8.25 million fine on a money transmitter alleged to have violated anti-money laundering (“AML”) requirements and New York law by failing to adequately supervise local agents in New York City that processed an unusual volume of suspicious transactions to China. NYDFS conducted an examination and enforcement investigation, which found that the company “did not adequately oversee the activity of six agents that saw a large spike in transaction volume of business with China.” According to the investigation, there were roughly 7,500 transactions aggregating approximately $30 million in 2014. These figures rose to more than 25,000 transactions aggregating more than $100 million during the period between January 2016 and May 2017. Most of these transactions were processed by small, store-front independent agents—“a clear indicator of increased money laundering risk, particularly given that the destination was known to carry a high AML risk,” NYDFS stated, adding that the company should have also addressed risks resulting from a suspicious pattern of different senders transmitting money to the same recipient. NYDFS acknowledged that the company, when alerted to the increased transaction activity, severed its relationship with the problematic agents and implemented remedial measures to improve supervision of its agents. Under the terms of the consent order, the company will pay an $8.25 civil money penalty and is required to submit a report to NYDFS outlining enhancements made with respect to new and existing agents, suspicious activity reporting program, and special transaction limitations. Additionally, NYDFS announced that the company will also update the Department on improvements to the policies and procedures of its Bank Secrecy Act/AML compliance program and will provide data to NYDFS for ongoing monitoring purposes.
DFPI reminds financial institutions of their sanctions compliance obligations
On March 4, the California Department of Financial Protection and Innovation (DFPI) issued guidance, in light of the evolving situation in Ukraine, to remind financial institutions of their sanctions compliance obligations under state and federal law. Licensees are reminded that they are prohibited from participating in financial transactions with individuals and entities listed on the SDN List, and encouraged to review specific, more limited sanctions that have been placed on several Russian entities. This information can be found on OFAC's website.
Additionally, licensees are strongly encouraged to immediately ensure their systems, programs, and processes comply with OFAC regulations, and review and monitor all transactions (particularly trade finance transactions and funds transfers) to identify and block transactions subject to sanctions. Licensees should also follow OFAC directions related to blocked funds.
DFPI further warned that Russia’s invasion of Ukraine increases the risk that listed individuals and entities will attempt to evade sanctions by using virtual currency transfers, and encouraged licensees to review OFAC Guidance to protect against these risks. Licensees engaged in transactions involving virtual currencies are instructed to implement policies, procedures, and processes to protect against the unique risks posed by virtual currencies and should “consider virtual currency-specific control measures including sanctions lists, geographic screening, and any other measures appropriate to the licensee’s specific risk profile.”
Additionally, DFPI cautioned that the “Russian invasion significantly elevates the cyber risk for the U.S. financial sector,” and licensees are instructed to take measures to mitigate cybersecurity threats, including adopting core cybersecurity hygiene measures, eliminating any non-essential networking protocols, ensuring procedures are able to address a ransomware attack, and reevaluating “plans to maintain essential services, protect critical data, and preserve customer confidence considering the realistic threat of extended outages.” Licensees are encouraged to track alerts from the Cybersecurity and Infrastructure Security Agency.
Licensees conducting business in Ukraine and/or Russia should also “take increased measures to monitor, inspect, and isolate traffic from Ukrainian or Russian offices and service providers,” and “segregate networks for Ukrainian or Russian offices from the global network.”
NYDFS also recently issued similar guidance for New York state regulated entities on its cybersecurity and virtual currency regulations in response to the Russian invasion and recently imposed sanctions. (Covered by a Buckley Special Alert.)
Special Alert: Latest developments in OFAC sanctions against Russia
Beginning February 21, the U.S. Department of the Treasury’s Office of Foreign Assets Control has issued significant sanctions in response to the Russian Federation’s military invasion of Ukraine and its recognition of Ukraine’s separatist regions.
Since Buckley’s last update on February 25, there have been a number of developments in the sanctions against Russia, which include:
- A prohibition on the importation into the United States of Russian crude oil and certain petroleum products, liquified natural gas, and coal
- A ban on new investment by U.S. persons in the Russian energy sector
- The imposition of asset blocking sanctions on Vladimir Putin, Sergei Lavrov, numerous oligarchs and families with ties to Putin, and Russian-backed disinformation services
- Sanctions targeting Russia’s U.S. foreign reserves by prohibiting all dealings with Russia’s Central Bank, National Wealth Fund, and Ministry of Finance
- The issuance of the Russian Harmful Foreign Activities Sanctions Regulations, which codify the prohibitions imposed under Executive Order 14024, discussed below, and include several interpretations and general licenses
- The issuance of a general license that exempts “transactions related to energy” from certain prohibitions imposed under Executive Order 14024
NYDFS will take expedited measures to enforce Russian sanctions
On March 2, New York Governor Kathy Hochul announced that NYDFS will increase its sanctions enforcement actions against Russia, including taking measures to expedite the procurement of blockchain analytics tools to detect exposure among regulated licensed virtual currency businesses to Russian individuals, banks, and other entities sanctioned by the Biden administration. “Accelerating the procurement process is a critical step to strengthen the Department's ability to enforce anti-money laundering and Bank Secrecy Act laws in this immediate crisis and beyond,” the announcement stated, explaining that “[l]everaging purpose-built technologies and service providers for virtual currency protects the financial system from illicit activity including money laundering, terrorist financing and ransomware activity.” NYDFS Superintendent Adrienne A. Harris added that monitoring transactions and exposure in real-time is imperative for preventing actors from attempting to evade sanctions through the transmission of virtual currency. The announcement follows NYDFS guidance on cybersecurity and virtual currency issued last week, which raised the specter of elevated cyber risk due to ongoing cyberattacks against Ukraine that could spill over to other networks, as well as potential direct attacks against U.S. critical infrastructure. (Covered by a Buckley Special Alert.) Governor Hochul also issued an Executive Order at the end of February, which directed all New York State agencies and authorities to review and divest public funds from Russia.
Fed, NYDFS fine Pakistan bank over $50 million for AML deficiencies
On February 24, the Federal Reserve Board and NYDFS announced an enforcement action against a Pakistan-based bank for alleged anti-money laundering (AML) violations. According to the Fed’s consent order and NYDFS’s consent order, following examinations conducted by the Fed and NYDFS in 2014 and 2015, the bank’s New York branch was identified as having deficiencies in its AML compliance and risk management programs, including compliance with related federal laws, rules, and regulations. According to the NYDFS press release, the bank did not comply with a Written Agreement with the Fed and NYDFS entered into in 2016 in which the bank acknowledged oversight and compliance deficiencies and agreed to remediate them. According to NYDFS, “[t]hese continued failures revealed that the Branch’s senior management were unwilling or unable to promote a culture of compliance, adequate resources were not provided for compliance programs, and the Bank failed to adequately supervise the Branch by allowing problems to worsen year after year. The conditions at the Branch demonstrated severe weaknesses, and unsafe, unsound conditions requiring urgent restructuring.”
Under the terms of the consent orders, the bank is required to pay civil money penalties of approximately $20.4 million to the Fed and $35 million to NYDFS. In addition to the monetary penalties, the bank is required to, among other things: (i) create a written plan detailing enhancements to the policies and procedures of the bank’s BSA/AML compliance program, its Suspicious Activity Monitoring and Reporting program, and its customer due diligence requirements; (ii) engage an independent consultant to conduct a comprehensive evaluation of the bank’s remediation efforts; and (iii) submit a status report within 60 days regarding a system of internal controls “reasonably designed to ensure compliance with BSA/AML requirements.” NYDFS acknowledged the bank’s “cooperation with the investigation and its ongoing remedial efforts.”
NYDFS proposes partnership with CDFIs
On February 25, NYDFS announced a proposal to partner with Community Development Financial Institutions (CDFIs) to deliver $150 million to small businesses. According to the announcement, the partnership was announced after Governor Kathy Hochul held a roundtable related to “how New York State can spur economic recovery in Black and brown communities,” as well as “new efforts to fight structural racism embedded in the financial system and support innovative community lending programs and economic development services focused on reaching communities of color.” The announcement pointed out that the partnership is part of the governor’s FY2023 budget, which proposed an unprecedented assistance package for small businesses, including more than $500 million to the state. Governor Hochul also announced an advisory council of New York State-chartered CDFIs and minority depository institutions, which will be led by NYDFS Superintendent Adrienne Harris, and “will elevate the specific concerns of New York CDFIs and MDIs to support communities of color and ensure their needs are met.”
Special Alert: NYDFS guidance on cybersecurity and virtual currency responds to events in Ukraine
The New York Department of Financial Services last week issued guidance on its cybersecurity and virtual currency regulations in response to the Russian military actions in Ukraine and recently imposed sanctions. NYDFS specifically raised the specter of elevated cyber risk due to ongoing cyberattacks against Ukraine, which could spill over to other networks, as well as potential direct attacks against U.S. critical infrastructure.
Updated cybersecurity regulation guidance
NYDFS suggested that regulated entities with programs pursuant to its cybersecurity regulation (23 NYCRR 500) have the potential to mitigate increased cyber threats and should take the following steps:
- Review cybersecurity programs for compliance, with particular attention to certain safeguards and core cybersecurity hygiene measures, including access control, vulnerability management, and privileged access review
- Review, update, and test incident-response and business-continuity plans and ensure they address ransomware events
- Review and implement practices pursuant to the June 2021 Ransomware Guidance
- Re-evaluate plans to maintain essential services and protect critical data in the event of an extended outage or service disruption
- Conduct a full test of backup and recovery abilities
- Provide additional cybersecurity awareness training and reminders for all employees
NYDFS also advised that regulated entities should keep track of known threat actors and take extra precautions when doing business in Russia and Ukraine, including segregating Russian and Ukrainian networks. Regulated entities must report cybersecurity events that meet the criteria of 23 NYCRR 500.17(a) as promptly as possible and within 72 hours, and should also report cybersecurity events immediately to law enforcement, including the FBI and the Cybersecurity and Infrastructure Security Agency.
Guidance in response to recent sanctions
In the last week, the Biden administration imposed significant new sanctions targeting Russian assets, the Russian financial market, and Russian business dealings in response to Russia’s invasion of Ukraine. (See InfoBytes coverage here.) NYDFS reiterated that regulated entities should fully comply with U.S. sanctions on Russia, as well as Part 504 of its regulations regarding transaction monitoring and filtering. In order to comply with the new sanctions, NYDFS recommended that regulated entities take the following steps immediately:
- Monitor all communications from NYDFS, the U.S. Department of the Treasury, the Office of Foreign Assets Control (OFAC), and other federal agencies on a real-time basis to keep tabs on the latest developments
- Modify transaction monitoring and filtering programs as necessary to capture new sanctions as they are proposed
- Monitor all transactions, particularly trade finance transactions and funds transfers, and identify and interdict transactions prohibited by U.S. sanctions.
- Update OFAC compliance policies and procedures on a continuous basis to incorporate the recent sanctions and any new sanctions that may be imposed.
Updated virtual currency regulation guidance
NYDFS also cautioned that sanctioned entities may attempt to use virtual currency to evade sanctions. It said regulated entities must ensure they have “tailored policies, procedures, and processes to protect against the unique risks that virtual currency present” and are complying with the relevant state and federal laws, including the OFAC Sanctions Compliance Guidance for the Virtual Currency Industry and New York virtual currency regulation (23 NYCRR 200). Additionally, regulated entities should monitor the effectiveness of virtual currency-specific control measures, including sanctions lists, geographic screening, geolocation tools/IP address identification and blocking capabilities, and transaction monitoring and investigative tools, including blockchain analytics tools.
Buckley will continue to monitor the ongoing situation in Ukraine and provide updates in conjunction with significant developments.
If you have any questions regarding the NYDFS guidance or the recent Ukraine-related sanctions against Russia, please visit our Privacy, Cyber Risk & Data Security or Bank Secrecy Act/Anti-Money Laundering & Sanctions practice pages, or contact a Buckley attorney with whom you have worked in the past.
NYDFS locks maximum check-cashing fee at 2.27 percent
On February 14, NYDFS issued an emergency regulation halting annual increases on check-cashing fees and locking the current maximum fee set last February at 2.27 percent. “As our world evolves, so must our approach to regulation, which is why for the first time in Department history, we are reexamining the methodology used to determine the maximum check cashing fee,” Superintendent Adrienne A. Harris stated. “[NYDFS] has a responsibility to take a hard look at the impacts of financial products and services on New Yorkers, especially members of underserved communities.” NYDFS noted that the emergency regulation underscores its concerns over the fixed methodology used to determine annual check-cashing fees, which is based on the Consumer Price Index and is not, according to the Department, “necessarily a reliable or accurate indicator of the costs of operating within a specific sector of business, such as financial services.” NYDFS stated that it intends to promulgate a proposed regulation for a new fee methodology and will seek public comments before a final regulation is issued. The emergency regulation will remain in effect until a final regulation is adopted.