Skip to main content
Menu Icon Menu Icon
Close

InfoBytes Blog

Financial Services Law Insights and Observations
Section Content

Upcoming Events

Filter

Subscribe to our InfoBytes Blog weekly newsletter for news affecting the financial services industry.

  • Data Breach Fallout Continues: Lawsuit Filed by Massachusetts AG, NYDFS Cybersecurity Regulation to Possibly Include Credit Reporting Agencies, and Joint Letter Sent From 34 States Requesting Fee-Based Credit Monitoring Service Be Disabled

    Privacy, Cyber Risk & Data Security

    The impact from the September 7 announcement that a major credit reporting agency suffered a data breach continues to be far reaching. On September 15, the agency issued a press release announcing additional information concerning its internal investigation, as well as responses to consumer concerns about arbitration and class-action waiver provisions in the Terms of Use applicable to its support package and regarding security freezes.

    Massachusetts AG Lawsuit. On September 19, Massachusetts Attorney General Maura Healey announced it had filed the first enforcement action in the nation against the credit reporting agency. The complaint, filed in Massachusetts Superior Court, alleges that the agency ignored cybersecurity vulnerabilities for months before the breach occurred and claims that the agency could have prevented the data breach had it “implemented and maintained reasonable safeguards, consistent with representations made to the public in its privacy policies, industry standards, and the requirements of [the Massachusetts Data Security Regulations],” which went into effect March 1, 2010. The failure to secure the consumer information in its possession, the complaint asserts, constitutes an “egregious violation of Massachusetts consumer protection and data privacy laws.” Causes of action under the complaint arise from (i) the agency’s failure to provide prompt notice to the commonwealth or the public; (ii) the agency’s failure to safeguard consumers’ personal information; and (iii) the agency engaging in unfair and deceptive acts and practices under Massachusetts law. The commonwealth seeks, among other things, civil penalties, disgorgement of profits, and restitution.

    NYDFS Cybersecurity Regulation. On September 18, New York Governor Andrew M. Cuomo released a notice directing the New York Department of Financial Services (NYDFS) to issue a proposed regulation that would expand the state’s “first-in-the-nation” cybersecurity standard to include credit reporting agencies and to require the agencies to register with NYDFS. The annual reporting obligation would, according to a press release issued by NYDFS, grant it the authority to deny or revoke a credit reporting agency’s authorization to do business with New York’s regulated financial institutions should the agency be found in violation of certain prohibited activities, including engaging in unfair, deceptive or predatory practices. Under the proposed regulation, credit reporting agencies would be subject to compliance examinations by NYDFS, would be required to initially register with NYDFS by February 1, 2018 and annually thereafter, and would be required to comply with cybersecurity regulations starting on April 4, 2018, in accordance with a phased-in compliance schedule. On the same day, NYDFS issued a separate press release urging New York state chartered and licensed financial institutions to take immediate action to protect consumers in light of the recent credit reporting agency data breach. The guidance presented in the release by the NYDFS is provided in conjunction with the state’s cybersecurity regulations.

    State Attorneys General Request. On September 15, a letter co-authored by 34 state attorneys general was sent to the credit reporting agency’s legal counsel. The letter expresses concern over the agency’s conduct since the disclosure of the breach, including the offer of both fee-based and a free credit monitoring services, the waiver of certain consumer rights under the agency’s terms of service, and the charges incurred by consumers for a security freeze with other credit monitoring companies. Specifically, the attorneys general objected to the agency “using its own data breach as an opportunity to sell services to breach victims,” and argued that “[s]elling a fee-based product that competes with [the agency’s] own free offer of credit monitoring services to [data breach victims] is unfair, particularly if consumers are not sure if their information was compromised.” Accordingly, the letter requests that the agency temporarily disable links to fee-based services and extend the offer of free services until at least January 31, 2018. Further, the letter also expresses concern that consumers must pay for a security freeze with other credit monitoring companies and states that the agency should reimburse consumers who incur fees to completely freeze their credit.

    Privacy/Cyber Risk & Data Security Credit Reporting Agency State AG NYDFS Enforcement

    Share page with AddThis
  • NYDFS Issues Reminder on Cybersecurity Regulation Compliance Effective August 28

    State Issues

    On August 28, the New York Department of Financial Services (NYDFS) issued an announcement reminding all NYDFS-regulated banks, insurance companies, and other financial services institutions that they must now begin complying with the state’s “first-in-nation cybersecurity regulation.” As previously covered in Infobytes, the regulation took effect March 1, 2017, but August 28 was the first compliance date. Covered entities are now required to implement the following: (i) a cybersecurity program designed to protect consumers’ private data; (ii) board/senior officer-approved written policy or policies; (iii) a designated Chief Information Security Officer to help protect an entity’s data and systems; and (iv) “controls and plans in place to help ensure the safety and soundness of New York’s financial services industry.” Furthermore, covered entities must begin reporting cybersecurity events through NYDFS’ online cybersecurity portal. (See previous InfoBytes coverage here.) Notices of exemption may be filed within “30 days of the determination that the covered entity is exempt,” and covered entities must file a certificate of compliance confirming compliance for the previous calendar year no later than February 15, 2018. NYDFS also released a series of frequently asked questions to provide assistance to institutions when complying with the regulation’s requirements.

    State Issues Privacy/Cyber Risk & Data Security NYDFS Compliance Bank Regulatory

    Share page with AddThis
  • OCC Files Motion Seeking Dismissal of NYDFS Fintech Challenge

    FinTech

    On August 18, the OCC filed a motion in the U.S. District Court for the Southern District of New York to dismiss a lawsuit brought by the New York Department of Financial Services (NYDFS) challenging the OCC’s fintech charter, which would allow the OCC to consider applications from fintech firms for Special Purpose National Bank Charters (SPNB). See Vullo v. Office of the Comptroller of the Currency, Case 17-cv-03574 (S.D.N.Y., Aug. 18, 2017). In a memorandum supporting its motion to dismiss, the OCC argued that the case is not ready for judicial review because NYDFS’ claims that the charter is unlawful and would grant preemptive powers over state law are “contingent on future actions that [the] OCC might or might not take.” Therefore, because NYDFS “cannot point to any injury-in-fact that it has suffered as a result of [the] OCC’s purported actions . . . all of the potential injuries . . . are future-oriented and speculative, and therefore insufficient to confer standing.” Citing Lujan v. Defenders of Wildlife, the OCC asserted that injury must be “likely”—not just “speculative” in nature.

    The OCC additionally contended that NYDFS’ challenge lacks standing because:

    • The matter fails to meet the fitness and hardship prongs for ripeness and lacks evidence of concrete hardship: (i) the fitness prong is not met because the OCC’s inquiry regarding whether to offer SPNB Charters is ongoing and it has not decided whether it will accept applications for the charters; and (ii) the hardship prong is not met because the OCC averred NYDFS “will not suffer any immediate or significant hardship” if the court were to delay review of this matter.
    • Any challenge to the OCC’s 2003 amendment to Section 5.20(e)(1) is “time-barred by the statute of limitations applicable to civil actions against federal agencies.” Furthermore, “[i]nsofar as the adoption of the amendment . . . constitutes a final agency action that [NYDFS] seeks to challenge here, any cause of action would have accrued on January 16, 2004, when the Final Rule became effective. 68 Fed. Reg. 70122 (Dec. 17, 2003). Accordingly, the time for filing a facial challenge to the regulation expired on January 16, 2010.”
    • NYDFS’ complaint fails to state a claim on which relief may be granted because the OCC would have had to have issued Section 5.20(e)(1) charters—non-finalized policy statements and requests for public input alone are insufficient to satisfy the “final agency action” requirement needed to give rise to a claim under the Administrative Procedure Act. The OCC asserted it has not completed its decision-making process and that its actions have not affected rights or obligations or resulted in legal consequences.
    • Under the National Bank Act, the OCC’s interpretation of “the business of banking”—in which a special purpose bank “must conduct at least one of the following three core banking functions: receiving deposits; paying checks; or lending money”—deserves Chevron deference.
    • The OCC has statutory and constitutional authority to issue a Section 5.20(e)(1) charter because: (i) the limited judicial authority cited by the DFS is not entitled to weight; (ii) the historical understanding of “bank” is consistent with the OCC’s interpretation; and (iii) any SPNB charters issued to fintechs pursuant to Section 5.20(e)(1) would not violate the Tenth Amendment.

    See additional InfoBytes coverage on NYDFS’s challenge to the OCC’s special purpose fintech charter here and here.

    Fintech Courts OCC NYDFS Litigation

    Share page with AddThis
  • NYDFS Launches New Cybersecurity Portal, Sets Compliance Deadlines

    Privacy, Cyber Risk & Data Security

    On July 31, the New York Department of Financial Services (NYDFS) announced the launch of an online cybersecurity portal for businesses to securely report cybersecurity events as required by the state’s cybersecurity regulation that took effect March 1. (See previous InfoBytes summary here.) The regulation, Cybersecurity Requirements for Financial Services Companies, requires all banks, insurance companies, and other financial services institutions regulated by NYDFS to establish and maintain cybersecurity programs to safeguard consumers’ private data. The cyber portal is designed to facilitate easy reporting of cybersecurity events and will allow regulated entities to file compliance certifications. Starting August 28, 2017, all entities required to comply with NYDFS cybersecurity regulations “must file certain notifications to the [Financial Services] Superintendent including notices of certain cybersecurity events within 72 hours from a determination that a reportable event has occurred.” A cybersecurity event is reportable if it: (i) “impacts the covered entity and notice of it is required to be provided to any government body, self-regulatory agency or any other supervisory body”; or (ii) “has a reasonable likelihood of materially harming any material part of the normal operation(s) of the covered entity.” Additionally, covered entities are required to file a certificate of compliance confirming compliance for the previous calendar year no later than February 15, 2018.

    Privacy/Cyber Risk & Data Security NYDFS State Issues Bank Regulatory Compliance

    Share page with AddThis
  • OCC Requests Pre-Motion Conference to Discuss NYDFS Fintech Challenge

    FinTech

    On July 25, acting U.S. Attorney for the Southern District of New York, Joon H. Kim, filed a letter with the federal court in that district on behalf of the OCC, requesting a pre-motion conference to discuss its anticipated motion to dismiss the New York Department of Financial Service’s (NYDFS) suit against the OCC’s special purpose fintech charter. See Vullo v. Office of the Comptroller of the Currency, Case 17-cv-03574 (S.D.N.Y., Jul. 25, 2017). As previously covered in InfoBytes, NYDFS filed the lawsuit May 12 on the grounds that the charter is unlawful and would grant preemptive powers over state law. Kim cites the following three reasons for dismissal of NYDFS’s complaint:

    • NYDFS lacks standing to bring the suit because, although the OCC has “publically contemplated the possibility of issuing fintech charters…those public statements do not amount to a ‘final agency action’ subject to challenge under the [Administrative Procedure Act].” Indeed, since any harm NYDFS can identify is “conjectural or hypothetical,” and it has not suffered any “actual or imminent” injury, the Court lacks subject matter jurisdiction.
    • OCC’s interpretation of its statutory authority under the National Bank Act (NBA) refers to Section 5.20(e)(1), which “reasonably limits the issuance of charters to institutions that carry on at least one of three ‘core banking activities’ [such as] the receipt of deposits, the payment of checks, or the lending of money.” Thus, regulations that allow chartering approvals—even if the chartered companies don't take deposits—is reasonable because they carry on at least one core banking function.
    • The Supremacy Clause of the U.S. Constitution would protect fintech banks chartered under the relevant OCC rules and entitle them to NBA protections against state interference.   Kim noted that it “is well established that the Supremacy Clause operates in concert with the NBA to displace state laws or state causes of action that conflict with federal law or that prevent or significantly interfere with national bank powers.”

    The OCC faces a separate fintech lawsuit in the District Court for the District of Columbia brought by the Conference of State Bank Supervisors. (See previous Special Alert.)

    Fintech Agency Rule-Making & Guidance OCC NYDFS National Bank Act Litigation Licensing

    Share page with AddThis
  • NYDFS Fines Global Bank $350 Million for Alleged Foreign Exchange Trading Violations

    Securities

    On May 24, the New York Department of Financial Services (NYDFS) announced that it had assessed a $350 million fine against a global bank and its New York branch (Bank) as part of a consent order addressing allegations that the Bank’s foreign-exchange business had engaged in long-term violations of New York banking law. According to the announcement, NYDFS investigated alleged misconduct occurring between 2007 to 2013 and found the improper conduct “included collusive activity by foreign exchange traders to manipulate foreign exchange currency prices and foreign exchange benchmark rates; executing fake trades to influence the exchange rates of emerging market currencies; and improperly sharing confidential customer information with traders at other large banks.” Specifically, the violations include the following:

    • collusion through on-line chat rooms to manipulate securities prices and artificially increase profits;
    • improperly exchanging information about past and impending customer trades, including sharing confidential customer information via personal email, in order to maximize profits at customers’ expense;
    • manipulating “the price at which daily benchmark rates were set—both from collusive market activity and improper submissions to benchmark-fixing bodies”; and
    • “misleading customers by hiding markups on executed trades, including by using secretive hand signals when customers were on the phone; or by deliberately ‘underfilling’ a customer trades, in order to keep part of a profitable trade for the Bank’s own book.”

    In addition to the $350 million monetary penalty, the Bank must, within 90 days of the consent order, submit written plans to (i) improve senior management’s oversight of the Bank’s compliance with New York laws and regulations governing its foreign exchange trading business; (iii) enhance internal controls and compliance to adhere to state and federal laws and regulations; and (iii) improve its compliance risk management and internal audit programs. Additionally, the Bank terminated certain employees involved in the misconduct and has agreed it will not—directly or indirectly—re-hire these individuals in the future. As part of this process, the Bank conducted an “employee accountability review” and disciplined other employees “for misconduct or supervisory failures.”

    Securities Enforcement NYDFS

    Share page with AddThis
  • NYDFS Issues Interpretative Guidance Regarding Banking Law Approval Requirements

    Agency Rule-Making & Guidance

    On May 22, the New York State Department of Financial Services (NYDFS) announced it was issuing interpretative guidance regarding the New York Banking Law requirement that mandates prior NYDFS approval for an acquisition or change of control of a banking institution. The guidance was released in response to a request by the New York Bankers Association amid concerns that some investors have been developing non-transparent methods of acquiring and controlling banking institutions without obtaining NYDFS’ review and approval. According to the guidance, “control” is achieved by having direct or indirect power to direct or cause the direction of a banking institution’s management and policies through the ownership of voting stocks or otherwise, and that control is achieved when individuals or entities work together or act in concert to acquire control of a banking institution but with each individual or entity staying below the threshold required for seeking NYDFS’ prior review and approval. The Superintendent of Financial Services, Maria T. Vullo issued a reminder to state-chartered banks that “all proposed changes of control in any banking institution must be submitted to the Department for prior approval under our mandate to safeguard the institutions we supervise and regulate, and to protect the public they serve.”

    The guidance was released the same day Vullo testified at a New York State Assembly hearing on the “Practices of the Online Lending History,” which sought to “explore . . . predatory online lending practices which need to be mitigated, and potential regulatory or legislative action which may be needed to address [this issue].” Vullo urged legislators to clarify the statutory definition of “making loans” to include a wider range of companies and “to include situations where an entity, in addition to soliciting a loan, is arranging or facilitating the funding of a loan, or ultimately purchasing or acquiring the loan.”

    Agency Rule-Making & Guidance Online Lending NYDFS

    Share page with AddThis
  • NYDFS Files Independent Lawsuit Against OCC Fintech Charter

    FinTech

    Following the April 26 lawsuit filed by the Conference of State Bank Supervisors (CSBS) opposing the OCC’s fintech charter (see previous InfoBytes post), the New York Department of Financial Services (NYDFS) filed its own lawsuit on May 12, asking the court to block the OCC from creating a new special purpose fintech charter. “The OCC’s charter decision is lawless, ill-conceived, and destabilizing of financial markets that are properly and most effectively regulated by New York and other state regulators,” NYDFS Superintendent Maria T. Vullo said in a statement announcing the lawsuit. “This charter puts New York financial consumers . . . at great risk of exploitation by newly federally chartered entities seeking to be insulated from New York’s strong consumer protections.” NYDFS’s complaint, filed in the U.S. District Court for the Southern District of New York, alleges that the OCC’s charter would include “vast preemptive powers over state law.” Specific concerns include the risk of (i) weakened regulatory controls on usury, payday loans, and other predatory lending practices; (ii) consolidation of multiple non-depository business lines under a single federal charter, thus creating more “too big to fail” institutions; and (iii) creating competitive advantages for large, well-capitalized fintech firms that could overwhelm smaller market players and thus restrict innovation in financial products and services. The complaint also asserts that the “OCC’s action is legally indefensible because it grossly exceeds the agency’s statutory authority.” Finally, the complaint claims that the proposed fintech charter would injure NYDFS monetarily because the regulator’s operating expenses are funded by assessments levied by the OCC on New York licensed financial institutions. According to NYDFS, every non-depository financial firm that receives a special purpose fintech charter from the OCC in place of a New York license deprives NYDFS of crucial resources that are necessary to fund its regulatory function.

    Citing violations of the National Bank Act and conflicts with state law in violation of the Tenth Amendment of the U.S. Constitution, NYDFS seeks declaratory and injunctive relief that would declare the fintech charter proposal to be unlawful and prohibit the OCC from taking further steps toward creating or issuing the charter without express Congressional authority.

    In a press release issued the same day, the CSBS said it “strongly supports the [NYDFS] lawsuit” and reiterated that the OCC “does not have the authority to issue federal charters to non-banks, and its unlawful attempt to do so will harm markets, innovation and consumers.”

    Fintech OCC NYDFS CSBS Licensing Agency Rule-Making & Guidance

    Share page with AddThis
  • Conference of State Bank Supervisors Announce Initiatives to Obviate Need for Fintech Charter, New York Joins Nationwide Mortgage Licensing System for Fintechs

    FinTech

    On May 10, the Conference of State Bank Supervisors (CSBS) announced a “series of initiatives to modernize state regulation of non-banks, including financial technology [fintech] firms.” The raft of initiatives, branded “Vision 2020,” appear to be generally geared towards streamlining the state regulatory system so that it is capable of supporting business innovation, while still protecting  the rights of consumers. As explained by CSBS Chairman and Texas Commissioner of Banking Charles G. Cooper, the CSBS is “committed to a multi-state experience that is as seamless as possible,” and, to this end, “state regulators will transform the licensing process, harmonize supervision [and] engage fintech companies.”

    The initial set of actions that CSBS and state regulators are taking includes the following: 

    • Redesign the Nationwide Multistate Licensing System (NMLS). CSBS plans to redesign the NMLS, which is a web-based system that allows non-depository companies, branches, and individuals in the mortgage, consumer lending, money services businesses, and debt collection industries to apply for, amend, update, or renew a license online. In particular, the CSBS’s redesign will “provide a more automated licensing process for new applicants, streamline multi-state regulation, and shift state resources to higher-risk cases.”
    • Harmonize multi-state supervision. CSBS has created “working groups to establish model approaches to key aspects of non-bank supervision,” to “enhance uniformity in examinations, facilitate best practices,” and “capture and report non-bank violations at the national level.” CSBS also intends to “create a common technology platform for state examinations.”
    • Form an industry advisory panelCSBS will “establish a fintech industry advisory panel to identify points of friction in licensing and multi-state regulation, and provide feedback to state efforts to modernize regulatory regimes.”
    • Assist state banking departments. CSBS intends to start “education programs” that “will make state departments more effective in supervising banks and non-banks.”
    • Make it easier for banks to provide services to non-banksCSBS is also “stepping up efforts to address de-risking—where banks are cautious about doing business with non-banks, due to regulatory uncertainty – by increasing industry awareness that strong regulatory regimes exist for compliance with laws for money laundering, the Bank Secrecy Act, and cybersecurity.”
    • Make supervision more efficient for third parties. CSBS also intends to “support[] federal legislation that would allow state and federal regulators to better coordinate supervision of bank third-party service providers.”

    By harmonizing the supervision and licensing system and working more closely together, state regulators appear to want to eliminate a key reason to seek the OCC charter, namely the ability to deal with one federal agency and follow a single set of rules. As previously covered in InfoBytes, the CSBS and a number of individual stakeholders have fiercely opposed the OCC’s other main fintech initiative—the development of a special purpose national bank charter for payments processors, online lenders and other new entrants in the financial industry. CSBS sued the OCC last month, arguing it lacked the legal power to move forward. The overall initiative appears to be a response to the OCC’s own “responsible innovation” efforts, which—as previously covered in InfoBytes—culminated in the creation of a new office last year to correspond with fintechs and the banks interested in partnering with them.

    Concurrent with CSBS’s Vision 2020 initiatives, on May 11, the New York State Department of Financial Services (NYDFS) announced that beginning July 1, 2017, it will transition to the NMLS to manage the license application and ongoing regulation of all nondepository financial institutions conducting business in the state, commencing with money transmitters. Specifically, on July 1, 2017, financial services companies holding New York money transmitter licenses will have the opportunity to transition those licenses to NMLS, and companies applying for new licenses will be able to apply through NMLS. As previously covered in InfoBytes, NMLS—a secure, web-based licensing system—will allow for easier on-line licensing renewal and enable NYDFS to “provide better supervision of the money transmitter industry by linking with other states to protect consumers.” Financial Services Superintendent Maria T. Vullo stressed that “[b]y working with the CSBS, which is leading the modernization of state regulation through Vision 2020, DFS is supporting the strong nationwide regulatory framework created by states to provide improved licensing and supervision by State regulators.”

    Additional information about NMLS can be accessed through the NMLS Resource Center.

    Fintech Licensing NYDFS NMLS Agency Rule-Making & Guidance CSBS OCC

    Share page with AddThis
  • Gov. Cuomo Announces New Title Insurance Regulations Target Business Gifts, Ancillary Fees and Transactions with Affiliates

    State Issues

    On May 1, New York Governor Andrew M. Cuomo announced two new proposed regulations to “crack down on unscrupulous practices in the title insurance industry.” According to the Governor, the proposed measures were drafted in response to an investigation by the state Department of Financial Services (“NYDFS”), which found that “meals, entertainment, gifts” and other “inducements” provided in exchange for referring business to a title insurance company or agents, were charged to customers under the guise of “marketing expenses.”  The first proposed regulation would, among other things, clarify the rules about “meals and entertainment” expenses, and other ancillary fees that title agents or title insurers may charge a customer. The second proposed regulation would require title insurance companies or agents that generate a portion of their business from affiliates to function separately and independently from any affiliate and obtain business from other sources. Importantly, a press release issued by NYDFS explains that “emergency” versions of both of these regulations have already been adopted by NYDFS (in response to the aforementioned investigation). As explained by NYDFS, the emergency rules, which are currently in effect, will remain in effect until final regulations are adopted.

    State Issues Agency Rule-Making & Guidance Insurance NYDFS

    Share page with AddThis

Pages