InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Special Alert: Revised NYDFS Cybersecurity Rule
On December 28, 2016, the New York Department of Financial Services (DFS) issued a revised version (Revised Proposed Rule) of its cybersecurity rule for financial institutions issued on September 13, 2016 (Proposed Rule). The revision came after DFS received more than 150 comments in response to the Proposed Rule, as well as a hearing before New York State lawmakers. The Revised Proposed Rule retains the spirit of the original Proposed Rule, but offers covered entities somewhat more flexibility in implementing the requirements.
Background
The Proposed Rule marked the next step in a period of increased focus on cybersecurity by the agency. Between May 2014 and April 2015, DFS issued three reports relating to cybersecurity in the financial and insurance industries. In November 2015, DFS issued a letter to federal financial services regulatory agencies, which alerted the federal regulators to DFS’s proposed regulatory framework and invited comment from the regulators.
In the September release, DFS explained that the Proposed Rule is a response to the “ever-growing threat posed to information and financial systems by nation-states, terrorist organizations, and independent criminal actors.” As originally written, the Proposed Rule covered financial institutions operating under a charter or license issued by DFS, and set cybersecurity program, policy, training, and reporting requirements that are more stringent than the current federal requirements. The Proposed Rule gave a January 1, 2017 effective date, with a 180-day transitional period. Taking into consideration these concerns, on December 19, 2016, the New York State Assembly’s Standing Committee on Banks held a public hearing regarding cybersecurity and the Proposed Rule. Among the chief concerns expressed at the hearing and in the comment letters was the cost of compliance, especially for smaller banks, and that the Proposed Rule’s “one-size-fits-all” requirements do not consider the varying operational structures, business models, and risk profiles of financial institutions. There was also concern that the Proposed Rule was too different from the current federal requirements.
Click here to read full special alert
* * *
We will continue to monitor the DFS rulemaking process. If you have questions about the Revised Rule or other cybersecurity issues, visit our Privacy, Cyber Risk & Data Security practice for more information, or contact a Buckley Sandler attorney with whom you have worked in the past.
NYDFS to Revise Proposed Cybersecurity Regulation Following Public Hearing Before State Lawmakers
On December 19, the New York Assembly Standing Committee on Banks held a public hearing, receiving testimony about a recently proposed regulation intended to address cybersecurity risks to entities regulated by the New York Department of Financial Services (NYDFS). Previously covered by InfoBytes upon its initial release in September 2016, the proposed regulation has since been subject to a public comment period before final issuance.
The hearing before the NY State Assembly provided an opportunity for representatives from a variety of NYDFS-regulated entities to offer testimony and/or raise objections. Many of the witnesses cited the proposal’s “one-size-fits-all” approach as a source of concern, noting that the proposed regulation currently does not account for variations in the business models, IT system structures, or risk profiles of the institutions they affect. Other concerns raised by the witnesses included onerous reporting requirements, a lack of harmony between the proposal and federal regulations and guidance, high costs of compliance, and even reputational risk arising out of exposure through FOIA Laws. An archived video of the hearing can be accessed here.
Two days after the hearing in Albany, NYDFS indicated that it is now planning to release an updated version of the regulation on December 28—thereby pushing the effective date to March 1, 2017. InfoBytes will continue to monitor the status of the proposed regulation and will issue an update once NYDFS publishes its revised regulation.
N.Y. Attorney General's Office, SEC and FINRA Assess Penalties, Fines Against Securities Firm Over Dark Pool Access Disclosures
On December 16, N.Y. Attorney General Eric Schneiderman announced a $37 million settlement against a major securities firm following its joint investigation with the Securities and Exchange Commission (SEC) into allegedly false statements and omissions made by the firm in connection with the marketing of its electronic order routing services, known as its “Dark Pool Ranking Model.” As explained by Attorney General Schneiderman, “Electronic order routing systems that route investor orders to various markets, including dark pools, are a part of modern equities trading, and companies that promote their routing capabilities must do so truthfully.” As part of the agreement, the firm admitted that it misled investors and violated New York State and federal securities laws; its conduct was also censured by both regulators.
That same day, FINRA announced its decision to fine the same firm $3.25 million for failing to disclose accurate information to all clients about services and features of its alternative trading system (ATS). In Form ATS filings with the SEC, the firm represented that all ATS users would have “identical access” to the system’s services and features. However, FINRA found that some ATS users, including high-frequency traders, were provided with more information than others and received services not available to others. The firm settled without admitting or denying the charges.
NYDFS Fines Italian Bank $235 Million for Repeated Violations of BSA/AML Laws
On December 14 the New York State Department of Financial Services (NYDFS) announced the imposition of a $235 million fine against an Italian bank and its New York branch as part of a consent order addressing “significant violations of New York Bank Secrecy Act and anti-money laundering (BSA/AML) laws.” According to the consent order, a NYDFS investigation identified “compliance failures . . . arising from deficiencies in the implementation and oversight of the transaction monitoring system located at the New York Branch,” as well as “non-transparent practices to process payments on behalf of Iranian clients” and “shell company activity indicative of potentially suspicious transactions” and a general “breakdown in audit and management oversight.” The consent order findings stipulate that the wrongdoing dated back to 2002, but also acknowledge that the Bank made the decision to discontinue certain of its non-transparent practices in 2006. In addition to a civil monetary penalty, the consent order also requires that the bank continue to engage an independent consultant to help “remediate the identified shortcomings,” “audit the Bank’s transaction review efforts”, and submit a report of its findings, conclusions and recommendations within 60 days. Thereafter, the Bank must submit, in writing for NYDFS review, across-the-board enhancements to its internal control policies and procedures.
NYDFS to Oppose Any Effort to Federalize Regulation of FinTech Companies
On December 2, NYDFS Superintendent Maria T. Vullo issued a public statement stating the NYDFS’ opposition to “any effort to federalize” regulation of Fintech companies, such as that proposed recently by the OCC in its announcement on Fintech charters. According to Superintendent Vullo, state regulators have “long-standing expertise in this arena” and are therefore best positioned to balance innovation with a tailored regulatory regime.”
NYDFS Unveils Consumer Bill of Rights for Mortgage Foreclosures; Announces New Regulations for "Zombie Properties"
On December 7, Governor Andrew M. Cuomo announced the publication of the NYDFS Residential Foreclosure Actions Consumer Bill of Rights – intended to offer guidance to homeowners facing foreclosure in New York. Concurrently, the New York Governor also announced new NYDFS regulations intended to curb the threat to communities posed by vacant and abandoned properties (“zombie properties”) by “expediting foreclosure proceedings, improving the efficiency and integrity of the mandatory settlement conferences, and obligating banks and mortgage servicers to secure, protect and maintain vacant and abandoned properties before and during foreclosure proceedings.”
The Consumer Bill of Rights acts as guidance for homeowners facing foreclosure, and specifies that homeowners have certain rights and obligations, including, among others: (i) the right to stay in the home unless and until a court orders the homeowner to vacate the property; (ii) the right to be represented by an attorney; (iii) the right to be free from harassment and foreclosure scams; (iv) the right to avoid foreclosure by making a full or negotiated payment prior to foreclosure sale; (v) the right to be notified at least 90 days prior to a foreclosure suit being filed; (vi) the right to explore loss mitigation options; and (vii) the right to receive a copy of legal papers in a lawsuit. The Consumer Bill of Rights also outlines various obligations of a homeowner, including to respond to complaints, appearing at court, and negotiating in good faith. Under the law, the court must provide homeowners a copy of the Consumer Bill of Rights at the initial mandatory settlement conference.
With respect to vacant and abandoned properties, the new regulations target blight caused by such zombie properties by, among other things, requiring that bank and mortgage servicers: (i) complete an inspection of a property subject to delinquency within 90 days; (ii) secure and maintain the property where the bank or servicer has a reasonable basis to believe that the property is vacant and abandoned; (iii) report all such vacant and abandoned properties to NYDFS; and (iv) submit quarterly reports detailing both their efforts to secure and maintain the properties and the status of any foreclosure proceedings. The NYDFS Superintendent is authorized under the new regulations to issue civil penalties of $500 per day per property for violations of the new regulations.
Illinois Regulator Seeks Comment on Proposed "Digital Currency Regulatory Guidance"
The Illinois Department of Financial and Professional Regulation (IDFPR) is requesting comment on its proposed “Digital Currency Regulatory Guidance” on decentralized digital currencies—including Bitcoin, Dogecoin, Litecoin, Ethereum, and Zcash. The proposed guidance seeks to establish the regulatory treatment of decentralized digital currencies under existing definitions of money transmission in Illinois, as defined in the Illinois Transmitters of Money Act (205 ILCS 657) (TOMA). Currently, digital currencies do not fit the statutory definitions of “money” and, therefore, do not independently trigger the licensing requirements of TOMA. However, some business activities involving decentralized digital currency that involve the receipt of “money” can trigger the licensing requirements of TOMA. Comments must be received by January 18, 2017 at 6:00pm EST and may be submitted by clicking here.
Dept. of Energy Releases Updated PACE Loan Guidelines
On November 18, the Department of Energy released new best practices guidelines for residential Property-Assessed Clean Energy (PACE) mortgages, which provide homeowners a way to finance energy-efficient home improvements through property tax assessments. The new guidelines are intended to help state and local governments as they expand their PACE programs, and address the various problems that have emerged in the market since the PACE framework was first established in 2009. Among other things, the guidelines suggest that PACE programs confirm property owners’ ability to repay their assessments, and that state and local governments work with program administrators to establish underwriting guidelines and criteria for PACE programs.
Mortgage Services Provider Agrees to Settlement with NYDFS
In a press release issued November 9, Governor Andrew M. Cuomo announced that a leading mortgage services provider and its affiliate, agreed to pay a $28 million fine and engage a third-party auditor as part of a settlement agreement and consent order with the NY Department of Financial Services. The matter arose after a series of audits conducted by the NYDFS had revealed inconsistencies in how mortgage foreclosures were documented and processed. As part of the settlement agreement, the company has agreed to allow an independent third-party auditor to help identify borrowers entitled to refunds.
New NYDFS Regulation Requires All Institutions of Higher Education to Immediately Provide Uniform Financial Aid Award Information Sheet
On November 3, Governor Andrew M. Cuomo announced that the state Department of Financial Services has adopted a new regulation requiring all institutions of higher education and vocational schools in New York to immediately begin providing a uniform Financial Aid Award Information Sheet to undergraduate students when responding to financial aid applications. The U.S. Department of Education utilizes a similar form, however it is less extensive and is not mandatory – except for schools that accept assistance to make loans to military students. Additional information concerning the regulations and model forms can be found here.