Governor’s Proposed NY State Executive Budget Includes More Online Lending Supervision; State Assembly Budget “Rejects” Proposed Change
Article 7 of the New York State Constitution requires the Governor to submit an executive budget each year, which contains, among other things, recommendations as to proposed legislation. On February 16, New York Governor Andrew Cuomo released a proposed 2017-18 Executive Budget that includes a proposed amendment to the New York Banking Law that would provide the New York Department of Financial Services (“NYDFS” or “DFS”) expanded licensing authority over online and marketplace lenders. (See Part EE (at pages 243-44) of the Transportation, Economic Development and Environmental Conservation Bill portion of the Executive Budget).
According to a Memorandum in Support of the Governor’s Budget, the proposed amendment would (i) address “[g]aps in the State’s current regulatory authority [that] create opportunities for predatory online lending,” and (ii) “ensure that all types of online lenders are appropriately regulated,” by (a) “increas[ing] DFS’ enforcement capabilities,” and (b) “expand[ing] the definition of ‘making loans’ in New York to not only apply to online lenders who solicit loans, but also online lenders who arrange or otherwise facilitate funding of loans, and making, acquisition or facilitation of the loan to individuals in New York.” If enacted, the NYDFS’s new authority would, under the Governor’s current proposal, become effective January 1, 2018.
This proposal in the Governor’s Executive Budget has, however, been challenged by the New York State Legislature. On March 13, after several hearings on the Governor’s proposed budget, the New York State Assembly released its own 2017-18 Assembly Budget Proposal (“Assembly Budget”), which, among other things, expressly rejected the aforementioned proposed amendment to the banking law found in “Part EE.” The Senate is now expected to release its own budget proposal shortly. And, once it is released, the two houses of the State Legislature will reconcile the two bills in committees and pass legislation that stakes out the House’s position on the Governor’s proposals. From there, negotiations will begin in earnest between the Legislature and the Executive, with the goal of reaching a budget agreement on or before March 31, 2017.
 See also N.Y. Banking Law § 340; N.Y. Gen. Oblig. Law § 5-501(1); N.Y. Banking Law § 14-a(1); N.Y. Gen. Oblig. Law § 5-521(3); N.Y. Ltd. Liab. Co. Law § 1104(a).
In a Decision released on February 16, 2017, the New York Industrial Board of Appeals struck down the portions of a New York Department of Labor regulation (12 NYCRR § 192), set to go into effect on March 7, that would have restricted a New York employer’s ability to pay its employees via payroll debit card. Specifically, the board ruled that the Department had exceeded its authority under New York labor law and encroached upon the jurisdiction of banking regulators when imposing fee limits and other restrictions on the cards.
The new rule – which was adopted by the Department of Labor in September 2016, and codified at section 192 of the New York Labor Law – set forth numerous regulations clarifying and/or specifying the acceptable methods by which employers in New York State may pay wages to certain employees. Among other things, the regulation required that an employer provide written notice to the employee and obtain written consent from the employee at least seven business days prior to taking action to issue the payment of wages by payroll debit card. The new rule would also have prohibited many fees, including charges for monthly maintenance, account inactivity and overdrafts, and for checking a card’s balance and contacting customer service.
At issue before the Industrial Board of Appeals was a petition submitted by a single payroll debit card vendor challenging the Department of Labor’s authority to regulate payroll debit cards. Ultimately, the Board agreed with the vendor, finding that the Department sought to improperly regulate banking services provided by financial institutions – an area subject to the exclusive jurisdiction of the New York Department of Financial Services. In reaching this holding, the Board noted that the Department of Financial Services already regulates and has issued guidance concerning the fees that financial institutions may charge for banking services, including those related to checking accounts and licensed check cashers. The Board also noted that, should the Department of Labor wish to challenge the Decision, it may bring an Article 78 proceeding in New York Supreme Court, or, alternatively, it may choose to revise the Prepaid Card-related provisions identified in the Decision.
On February 16, New York Governor Andrew Cuomo announced that with the New York Department of Financial Services’ (NYDFS) publication of a Final Regulation, New York’s “First-in-the-Nation Cybersecurity Regulation” is set to take effect on March 1. As discussed previously in InfoBytes, the regulation—which requires banks, insurance companies, and other financial services institutions regulated by NYDFS to establish and maintain a cybersecurity program designed to protect consumers’ private data—imposes broad and, in some cases, proscriptive data security and cybersecurity requirements on Covered Entities that venture into new territory for both state and federal financial regulators. Indeed, as described by Governor Cuomo, the regulation reflects New York’s efforts to “lead the nation” through “decisive action to protect consumers and our financial system from serious economic harm that is often perpetrated by state-sponsored organizations, global terrorist networks, and other criminal enterprises.”
Moreover, as detailed in a follow-up InfoBytes Special Alert, NYDFS issued an updated proposed regulation on December 28 in response to over 150 comments and testimony presented at a hearing before New York State lawmakers. Though the updated proposed regulation did not differ drastically from the original, the revised proposed regulation provided for somewhat greater flexibility in how covered entities could go about implementing the requirements. Among other things, the December 28 revisions provided for: (i) longer timeframes for compliance with its requirements; (ii) more flexibility for compliance with certain requirements and acknowledgement that some requirements may not be applicable to all financial institutions; and (iii) clarifications to certain key definitions.
The newly released Final Regulation retains the revisions incorporated in the December 28 revision, but also contains the following notable revisions:
- Record retention requirements for audit trail materials relating to Cybersecurity Events were reduced from five years to three years.
- Clarification that Covered Entities’ policies and procedures for reporting by Third Party Service Providers of Cybersecurity Events only apply to the Covered Entity’s Nonpublic Information.
- The limited exemption for small businesses to certain requirements of the rule has been narrowed by including a Covered Entity’s New York affiliates when calculating its number of employees and annual revenue.
- Further clarification on the exemptions for companies regulated under New York’s Insurance Law.
With the expiration of the 30-day comment period and the publication of the Final Rule, New York’s Cybersecurity regulation is officially cleared to become effective upon publication in the New York State Register on March 1.
InfoBytes will continue to monitor the rollout of this pioneering regulation as it progresses.
On January 30, the New York Department of Financial Services (NYDFS) announced that it had assessed a $425 million fine against a German bank as part of a consent order addressing allegations that the bank allowed $10 billion in “mirror trades” involving Russian investors by failing to properly enforce protections against money laundering. According to the press release, the bank and several of its senior managers allegedly “missed key opportunities to detect, intercept and investigate a long-running mirror-trading scheme facilitated by its Moscow branch and involving New York and London branches.” Specifically, the consent order claims the bank (i) conducted its business in an unsafe and unsound manner; (ii) implemented weak “Know Your Customer” processes; (iii) failed to accurately rate its country and client risks for money laundering throughout the relevant time period and lacked a global policy benchmarking its risk appetite; (iv) maintained ineffective, understaffed anti-financial crime, AML, and compliance units; and (v) had a flawed corporate structure and organization.
In addition to the $425 million monetary penalty, the bank must, within 60 days of the consent order, engage an independent monitor to “conduct a comprehensive review of the [b]ank’s existing BSA/AML compliance programs, policies and procedures.” Furthermore, the bank must submit in writing for NYDFS review an action plan outlining enhancements to its current BSA/AML compliance programs.
On January 18, the New York State Department of Financial Services (NYDFS) announced that it had approved the application of Coinbase, Inc., for a virtual currency and a money transmitter license. According to NYDFS, the license was issued to Coinbase—a digital currency wallet that facilitates transactions with Bitcoin and other virtual currencies—only after “a comprehensive review of Coinbase’s applications, including the company’s anti-money laundering, capitalization, consumer protection, and cyber security policies.” Having met the New York regulator’s standards for operations in the state, Coinbase may now operate, under supervision by NYDFS, as a service for buying, selling, sending, receiving and storing Bitcoin.
As previously covered in InfoBytes, NYDFS’s BitLicense framework—which was finalized back in June 2015—requires virtual currency companies to submit a 31-page application providing information covering, among other things: (i) written policies and procedures including, but not limited to BSA/AML, cybersecurity, privacy and information security, (ii) company information, (iii) biographical information on company directors and stockholders, and (iv) an explanation of the methodology used to calculate the value of virtual currency in fiat currency. In addition, the NYDFS released a set of FAQs to help clarify the BitLicense requirements. To date, NYDFS has approved five firms for virtual currency charters or licenses, while denying those applications that did not meet its standards.
On January 17, the New York Department of Financial Services (NYDFS) Superintendent Maria T. Vullo submitted a comment letter in stern opposition to the OCC proposal to create a new FinTech charter, stating that the proposed regulatory scheme is not authorized by federal law and would create a number of problems, including a serious risk of regulatory confusion and uncertainty. New York’s top financial regulator is of the opinion that “the OCC should not use technological advances as an excuse to attempt to usurp state laws.” More specifically, NYDFS contends, among other things, that: (i) state regulators are better equipped to regulate cash-intensive nonbank financial service companies; (ii) a national charter is likely to stifle rather than encourage innovation; (iii) the proposal could permit companies to engage in regulatory arbitrage and avoid state consumer protection laws; and (iv) a national charter would encourage large “too big to fail” institutions, permitting a small number of technology-savvy firms to dominate different types of financial services.
An interview of Superintendent Vullo discussing this topic may be accessed here.
On December 28, 2016, the New York Department of Financial Services (DFS) issued a revised version (Revised Proposed Rule) of its cybersecurity rule for financial institutions issued on September 13, 2016 (Proposed Rule). The revision came after DFS received more than 150 comments in response to the Proposed Rule, as well as a hearing before New York State lawmakers. The Revised Proposed Rule retains the spirit of the original Proposed Rule, but offers covered entities somewhat more flexibility in implementing the requirements.
The Proposed Rule marked the next step in a period of increased focus on cybersecurity by the agency. Between May 2014 and April 2015, DFS issued three reports relating to cybersecurity in the financial and insurance industries. In November 2015, DFS issued a letter to federal financial services regulatory agencies, which alerted the federal regulators to DFS’s proposed regulatory framework and invited comment from the regulators.
In the September release, DFS explained that the Proposed Rule is a response to the “ever-growing threat posed to information and financial systems by nation-states, terrorist organizations, and independent criminal actors.” As originally written, the Proposed Rule covered financial institutions operating under a charter or license issued by DFS, and set cybersecurity program, policy, training, and reporting requirements that are more stringent than the current federal requirements. The Proposed Rule gave a January 1, 2017 effective date, with a 180-day transitional period. Taking into consideration these concerns, on December 19, 2016, the New York State Assembly’s Standing Committee on Banks held a public hearing regarding cybersecurity and the Proposed Rule. Among the chief concerns expressed at the hearing and in the comment letters was the cost of compliance, especially for smaller banks, and that the Proposed Rule’s “one-size-fits-all” requirements do not consider the varying operational structures, business models, and risk profiles of financial institutions. There was also concern that the Proposed Rule was too different from the current federal requirements.
* * *
We will continue to monitor the DFS rulemaking process. If you have questions about the Revised Rule or other cybersecurity issues, visit our Privacy, Cyber Risk & Data Security practice for more information, or contact a BuckleySandler attorney with whom you have worked in the past.
On December 19, the New York Assembly Standing Committee on Banks held a public hearing, receiving testimony about a recently proposed regulation intended to address cybersecurity risks to entities regulated by the New York Department of Financial Services (NYDFS). Previously covered by InfoBytes upon its initial release in September 2016, the proposed regulation has since been subject to a public comment period before final issuance.
The hearing before the NY State Assembly provided an opportunity for representatives from a variety of NYDFS-regulated entities to offer testimony and/or raise objections. Many of the witnesses cited the proposal’s “one-size-fits-all” approach as a source of concern, noting that the proposed regulation currently does not account for variations in the business models, IT system structures, or risk profiles of the institutions they affect. Other concerns raised by the witnesses included onerous reporting requirements, a lack of harmony between the proposal and federal regulations and guidance, high costs of compliance, and even reputational risk arising out of exposure through FOIA Laws. An archived video of the hearing can be accessed here.
Two days after the hearing in Albany, NYDFS indicated that it is now planning to release an updated version of the regulation on December 28—thereby pushing the effective date to March 1, 2017. InfoBytes will continue to monitor the status of the proposed regulation and will issue an update once NYDFS publishes its revised regulation.
On December 14, the New York State Department of Financial Services (NYDFS) announced the imposition of a $235 million fine against an Italian bank and its New York branch as part of a consent order addressing “significant violations of New York anti-money laundering and Bank Secrecy Act (AML/BSA) laws.” According to the consent order, a NYDFS investigation identified “compliance failures . . . arising from deficiencies in the implementation and oversight of the transaction monitoring system located at the New York Branch,” as well as “non-transparent practices to process payments on behalf of Iranian clients” and “shell company activity indicative of potentially suspicious transactions” and a general “breakdown in audit and management oversight.” The consent order findings stipulate that the wrongdoing dated back to 2002, but also acknowledge that the Bank made the decision to discontinue certain of its non-transparent practices in 2006. In addition to a civil monetary penalty, the consent order also requires that the bank continue to engage an independent consultant to help “remediate the identified shortcomings,” “audit the Bank’s transaction review efforts,” and submit a report of its findings, conclusions and recommendations within 60 days. Thereafter, the Bank must submit, in writing for NYDFS review, across-the-board enhancements to its internal control policies and procedures.
On December 2, NYDFS Superintendent Maria T. Vullo issued a public statement stating the NYDFS’ opposition to “any effort to federalize” regulation of Fintech companies, such as that proposed recently by the OCC in its announcement on Fintech charters. According to Superintendent Vullo, state regulators have “long-standing expertise in this arena” and are therefore best positioned to balance innovation with a tailored regulatory regime.