Skip to main content
Menu Icon Menu Icon

InfoBytes Blog

Financial Services Law Insights and Observations
Section Content

Upcoming Events


Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.

  • NYDFS reminds covered entities of upcoming cybersecurity regulation compliance dates; updates FAQs

    State Issues

    On August 8, the New York Department of Financial Services (NYDFS) issued a reminder for regulated entities required to comply with the state’s cybersecurity requirements under 23 NYCRR Part 500 that the third transitional period ends September 4. Banks, insurance companies, and other financial services institutions (collectively, “covered entities”) that are required to implement a cybersecurity program to protect consumer data must be in compliance with additional provisions of the cybersecurity regulation by this date. As of September 4, a covered entity must (i) start presenting annual reports to the board by the Chief Information Security Officer on “critical aspects of the cybersecurity program”; (ii) create an “audit trail designed to reconstruct material financial transactions” in case of a breach; (iii) institute policies and procedures to ensure the use of “secure development practices for IT personnel that develop applications”; and (iv) implement encryption to protect nonpublic information it holds or transmits. Covered entities are also required to have policies and procedures in place “to ensure secure disposal of information that is no longer necessary for the business operations, and must have implemented a monitoring system that includes risk based monitoring of all persons who access or use any of the company’s information systems or who access or use the company’s nonpublic information.” Covered entities are further reminded that they have until March 1, 2019, to assess the risks presented by the use of a third-party service provider to ensure the protection of their security systems and data.

    In coordination with the reminder, NYDFS provided new updates to its FAQs related to 23 NYCRR Part 500. The original promulgation of the FAQs was covered in InfoBytes, as were the last updates in February and March. The four new updates to the FAQs add the following guidance:

    • Clarifies that in certain circumstances, an entity can be a covered entity, an authorized user, and a third party service provider, and therefore must comply fully with all applicable provisions;
    • Outlines specific compliance provisions for covered entities that have limited exemptions from the NYDFS cybersecurity requirements;
    • Identifies a covered entity’s responsibilities when addressing cybersecurity risks with respect to bank holding companies; and
    • Clarifies situations and requirements for when a covered entity can rely upon the cybersecurity program that another covered entity has implemented for a common trust fund.

    Find continuing InfoBytes coverage on NYDFS’ cybersecurity regulations here.

    State Issues NYDFS Privacy/Cyber Risk & Data Security 23 NYCRR Part 500

    Share page with AddThis
  • Buckley Sandler Special Alert: OCC announces it will accept fintech charter applications, following the release of Treasury report on nonbank financial institutions

    Federal Issues

    On July 31, the OCC announced that nondepository financial technology firms engaged in one or more core banking functions may apply for a special purpose national bank (SPNB) charter. The announcement follows a report released the same day by the Treasury Department, which discusses a number of recommendations for creating a streamlined environment for regulating financial technology, and includes an endorsement of the OCC’s SPNB charter for fintech firms (fintech charter).

    * * *

    Click here to read the full special alert.

    If you have questions about the report or other related issues, please visit our Fintech practice page, or contact a Buckley Sandler attorney with whom you have worked in the past.

    Federal Issues Fintech OCC Department of Treasury CFPB Fintech Charter Non-Depository Institution Comptroller's Licensing Manual CSBS NYDFS Bank Holding Company Act Payday Rule

    Share page with AddThis
  • NYDFS issues final rule to establish standards for insurance sellers

    State Issues

    On July 18, the New York Department of Financial Services (NYDFS) issued a final rule requiring licensed insurers that offer life insurance and annuity products to New York consumers to establish standards and procedures to ensure that the financial objectives of the consumer are addressed at the time of the transaction and financial exploitation is prevented. According to the NYDFS, the rule amends the state’s current suitability regulation and “provides for a best interest standard of care for all sales of life insurance and annuity products.” The rule provides that when making a recommendation to consumers with respect to policies, the producer must “appropriately address the insurance needs and financial objectives of the consumer at the time of the transaction.” According to NYDFS Superintendent Maria Vullo, “financial compensation or incentives may not influence the recommendation.”

    State Issues NYDFS Insurance

    Share page with AddThis
  • Supreme Court of New York strikes down NYDFS’ Insurance Regulation 208

    State Issues

    On July 5, the Supreme Court of the State of New York ordered the annulment of Insurance Regulation 208, which was promulgated by the New York State Department of Financial Services (NYDFS) in October 2017. The decision results from an Article 78 petition by several title insurance companies challenging the state regulation, which prohibits title insurance entities from providing benefits such as meals, tickets to events, gifts, cash, access to parties, trips and other incentives to referral sources. The regulation clarifies that certain “reasonable and customary” advertising and marketing expenses are permitted under New York’s insurance law, provided they are “without regard to insured status or conditioned directly or indirectly on the referral of title business.” The title insurance companies argue that Regulation 208’s restrictions are inconsistent with New York’s insurance law because the law only prohibits “quid pro quo inducements given in exchange for title insurance business” and the law permits marketing and entertainment payments so long as they are not being exchanged for “a specific identified piece of business.”

    The court agreed and found that the insurance law—which prohibits a “commission,” “rebate,” “fee,” or “other consideration or valuable thing”—could not be construed to include marketing and entertainment expenses because “it is common sense that marketing is an inducement for business” and it would be “an absurd proposition” that the New York Legislature intended to prohibit companies from marketing themselves. Additionally, construing the insurance law to include marketing and entertainment expenses as prohibited expenditures but also including a provision which delineates certain types of marketing and entertainment expenses as permissible is “irreconcilable and irrational.” The court ultimately concluded that Regulation 208 must fail because it contravenes the will of the Legislature under the insurance law.

    In response to the decision, NYDFS Superintendent, Maria T. Vullo, issued a statement that the state intends to appeal as they “remain certain of [their] legal opinion and are confident [they] will prevail on appeal.” On July 6, NYDFS filed a notice of appeal with the court.

    State Issues Courts NYDFS Title Insurance

    Share page with AddThis
  • NYDFS recommends online lenders be subject to state licensure and usury limits in new report


    On July 11, the New York Department of Financial Services (NYDFS or the Department) released a study of online lending in New York, as required by AB 8938. (Previously covered by InfoBytes here.)  In addition to reporting the results of its survey of institutions believed to be engaging in online lending activities in New York, NYDFS makes a series of recommendations that would expand the application of New York usury and other statutes and regulations to online loans made to New York residents, including loans made through partnerships between online lender and banks where, in the Department’s view, the online lender is the “true lender.”

    In particular, NYDFS recommends, “[a]ll New York lenders should operate under the same set of rules and be subject to consistent enforcement of those rules to achieve a level playing field for all market participants….”  Elsewhere in the report, the Department states that it “disagrees with [the] position” that online lenders are exempt from New York law if they partner with a federally-chartered or FDIC-insured bank that extends credit to New York residents.  NYDFS criticizes these arrangements, stating its view that “the online lender is, in many cases, the true lender” because the online lender is “typically … the entity that is engaged in marketing, solicitation, and processing of applications, and dealing with the applicants” and may also purchase, resell, and/or service the loan.  

    NYDFS also noted that it opposed pending federal legislation that would reverse the Second Circuit’s decision in Madden v. Midland Funding, LLC, which held that federal preemption of New York’s usury laws ceased to apply when a loan was transferred from a national bank to a non-bank.  The Department expressed concern that, if passed, the bill “could result in ‘rent-a-bank charter’ arrangements between banks and online lender that are designed to circumvent state licensing and usury laws.”

    Noting that many online lenders remain unlicensed in New York, the Department states that “[d]irect supervision and oversight is the only way to ensure that New York’s consumers and small business owners receive the same protections irrespective of the channel of delivery….”  To this end, NYDFS recommended lowering the interest rate threshold for licensure from 16 percent to 7 percent.

    Although NYDFS stressed that its survey results may be unreliable due to uneven response rates, it reported that, for respondents, the average median APR for online loans to businesses was 25.9%, the average median APR for online loans to individuals for personal use was 14.8%, and the average median APR for the underbanked customers was 19.6% (New York currently caps interest for civil liability at 16% and at 25% for criminal liability).

    Overall, the report appears to forecast a more difficult regulatory and enforcement environment in New York for online lenders, as has been the case in West Virginia and Colorado.

    Lending State Issues NYDFS Online Lending Usury Consumer Finance Madden

    Share page with AddThis
  • NYDFS encourages New York state chartered financial institutions to establish relationships with medical marijuana businesses

    State Issues

    On July 3, the New York Department of Financial Services (NYDFS), at the direction of Governor Andrew Cuomo, released guidance encouraging New York state chartered banks and credit unions to consider establishing relationships with regulated and compliant medical marijuana and industrial hemp-related businesses operating in New York. According to the guidance, these businesses often rely solely on cash to conduct transactions, because of a lack of access to traditional financial services. The press release announcing the guidance cites to the New York Compassionate Care Act, enacted in 2014, which provides medical patients suffering from “debilitating symptoms and diseases” access to, under strict requirements, medical marijuana. NYDFS is encouraging New York financial institutions to form appropriate banking relationships with these business, because “[p]roviding access to regulated banking services is an essential part of taking the legal cannabis industry out of the shadows and establishing it as a transparent, regulated, tax-paying part of our economy, and a necessary part of fulfilling the goal of relieving the suffering of seriously ill patients.”

    NYDFS will not impose any regulatory action on a New York financial institution that establishes a business relationship with legal medical marijuana and industrial hemp-related businesses, as long as the institution also complies with other applicable guidance and regulations, such as the Financial Crimes Enforcement Network’s 2014 guidance—which clarifies expectations under the Bank Secrecy Act (BSA) for financial institutions providing services to these businesses. 

    State Issues NYDFS Compliance Bank Secrecy Act FinCEN Medical Marijuana

    Share page with AddThis
  • Credit reporting agency agrees to cybersecurity corrective action with eight state regulators

    Privacy, Cyber Risk & Data Security

    On June 27, the New York Department of Financial Services (NYDFS) announced that a major credit reporting agency has agreed to cybersecurity and internal control corrective action following its 2017 data breach, which reportedly affected 143 million American consumers. The consent order, which was entered into with NYDFS and seven other state regulators, requires a wide range of corrective actions. The company must: (i) review and approve a written risk assessment which identifies data breach risks and the likelihood of threats; (ii) establish and oversee a formal internal audit program; (iii) improve oversight of its information security program; and (iv) improve oversight and ensure sufficient controls are developed for critical vendors. The consent order does not include any monetary penalties.

    The consent order follows the June 25 announcement by NYDFS that credit reporting agencies will be required to register annually with the state and comply with the state’s cybersecurity regulation (covered by InfoBytes here).

    Privacy/Cyber Risk & Data Security State Issues Data Breach NYDFS

    Share page with AddThis
  • New York regulation requires all credit reporting agencies to register with NYDFS

    State Issues

    On June 25, the New York governor announced the issuance by the New York Department of Financial Services (NYDFS) of a final regulation that requires consumer credit reporting agencies (CRAs) with significant operations in New York to register with NYDFS and to comply with New York’s cybersecurity standard. Specifically, the newly promulgated regulation, entitled “Registration Requirements & Prohibited Practices for Credit Reporting Agencies,” 23 NYCRR 201, requires CRAs that reported on 1,000 or more New York consumers in the preceding year to register annually with NYDFS, beginning on or before September 1, 2018 for 2017 reporting, and by February 1 for every year thereafter. Among other things, the regulation also (i) authorizes the NYDFS superintendent to refuse to renew a CRA’s registration for various reasons, including if the applicant or affiliate of the applicant fails to comply with the cybersecurity regulations; (ii) subjects the CRAs to examination by NYDFS at the superintendent’s discretion; and (iii) prohibits CRAs from engaging in any “unfair, deceptive, or predatory act or practice toward any consumer,” to the extent not preempted by federal law. Additionally, beginning on November 1, the regulation requires every CRA to comply with NYDFS’ cybersecurity regulation, which requires, among other things, covered entities have a cybersecurity program designed to protect consumers’ data and controls and plans to help ensure the safety and soundness of New York’s financial services industry. (Recent InfoBytes coverage on NYDFS’ cybersecurity regulation available here and here.)

    According to Governor Cuomo, the oversight of CRAs will help to ensure New York consumers’ information is less vulnerable to the threat of cyber-attacks, stating, “[a]s the federal government weakens consumer protections, New York is strengthening them with these new standards.”

    State Issues NYDFS Credit Reporting Agency Privacy/Cyber Risk & Data Security

    Share page with AddThis
  • NYDFS fines global banking firm $205 million for alleged FX violations


    On June 20, the New York Department of Financial Services (NYDFS) announced a $205 million settlement with a global banking firm to resolve allegations that the bank engaged in unsafe and unsound practices in its foreign exchange (FX) trading business. According to the consent order, the bank did not implement and maintain sufficient controls to identify and prevent unsafe and unsound activities conducted by certain FX traders. Among other things, the order states that FX traders (i) used electronic chatrooms to coordinate trading activity with competitors to improperly affect FX prices; (ii) engaged in a practice known as “jamming the fix,” which entails accumulating a large trading position and subsequently making aggressive trades with the intention of moving the fix price in a desired direction; (iii) disclosed confidential customer information to competitors through electronic chatrooms; and (iv) mislead customers by hiding markups on trades. In addition to the fine, the bank is required to improve its internal controls and programs to comply with applicable New York State and federal laws and regulations, submit a written plan to improve its compliance risk management program, and provide an enhanced written internal audit program.

    Securities NYDFS Enforcement Bank Compliance Foreign Exchange Trading

    Share page with AddThis
  • NYDFS will continue to pursue litigation if OCC moves forward with fintech charter

    State Issues

    On June 6, New York Department of Financial Services (NYDFS) Superintendent, Maria T. Vullo, spoke to the Exchequer Club in Washington, DC, emphasizing, among other things, her opposition to the OCC’s proposal for a fintech charter. Vullo noted that the OCC has not actually finalized plans for the new charter and Comptroller, Joseph Otting, is expected to announce his views on the pending proposal soon. As previously covered by InfoBytes, two legal challenges, one by NYDFS and one by the Conference of State Bank Supervisors, were recently dismissed in separate district courts for lack of subject matter jurisdiction and ripeness due to the fact that the OCC has not issued a fintech charter nor has it finalized its plans to issue one. In her speech, Vullo, acknowledged these lawsuits and her desire to continue the litigation “rather than accept the OCC’s lack of authority in the non-depository space and respect the states’ regulation of and consumer protections in this area.” Vullo noted that fintech, when done right, is a “very good thing” that can assist in bringing banking services to underserved customers. But she also stated that companies that use financial technology should not be granted “an exemption from the rules that banks and other financial institutions follow to manage risk and protect consumers.”

    Vullo also touched on (i) her support for the CFPB’s final rule on payday loans, vehicle title loans, and certain other high-cost installment loans; (ii) her concerns over the dismantling of the Bureau’s Office for Students; (iii) her opposition to the Department of Education’s position that only the federal government may oversee student loan servicers (see InfoBytes coverage here); and (iv) the potential risks with the unregulated virtual currency market.

    State Issues NYDFS OCC Fintech Fintech Charter

    Share page with AddThis