
InfoBytes Blog

Financial Services Law Insights and Observations

  • NYDFS issues cybersecurity compliance certificate reminder

    Privacy, Cyber Risk & Data Security

    On March 5, the New York Department of Financial Services (NYDFS) published FAQs for regulated entities that have not yet filed cybersecurity certifications of compliance (Certification of Compliance) required under 23 NYCRR 500. The deadline to file was February 15 and notices recently were sent to regulated entities. Among other things, the FAQs state that a separate Certification of Compliance must be filed for each license an entity holds, and that entities who have failed to submit a Certification of Compliance must do so “as soon as possible.” Entities that received a reminder to certify their compliance but filed for an exemption under Section 500.19 are still required to file the Certificate of Compliance to “confirm that they are in compliance with those provisions of the regulation that apply.”

    Find continuing InfoBytes coverage on NYDFS’s cybersecurity regulation here.

    Privacy/Cyber Risk & Data Security State Issues NYDFS Compliance

  • NYDFS releases new updates to cybersecurity regulation FAQs

    Privacy, Cyber Risk & Data Security

    On February 21, the New York Department of Financial Services (NYDFS) updated its answers to FAQs relating to 23 NYCRR Part 500, which was last updated in December 2017. As previously covered in InfoBytes, 23 NYCRR Part 500 took effect March 1, 2017, and establishes cybersecurity requirements for banks, insurance companies, and other financial services institutions. This week’s updates to the FAQs add the following guidance:

    • Due to increasing cybersecurity risks facing financial institutions, NYDFS “strongly encourages all financial institutions, including exempt Mortgage Servicers, to adopt cybersecurity protections consistent with the safeguards and protections of 23 NYCRR Part 500”;
    • Not-for-profit mortgage brokers are Covered Entities under the cybersecurity regulation;
    • Covered Entities, when acquiring or merging with a new company, must conduct a factual analysis of how the cybersecurity regulation applies to the acquisition or merger. In addition, NYDFS emphasized that Covered Entities must have in place serious due diligence processes and ensure cybersecurity is a priority; and
    • Health Maintenance Organizations and continuing-care retirement communities are Covered Entities and must comply with the cybersecurity regulation requirements.

    As previously covered in InfoBytes, on January 22, NYDFS issued a reminder to all NYDFS-regulated banks, insurance companies, and other financial services institutions that the deadline to file cybersecurity certifications of compliance was February 15.

    Privacy/Cyber Risk & Data Security NYDFS State Issues

  • Coalition of state attorneys general urges Department of Education to reject accreditor’s application

    State Issues

    On February 20, Massachusetts Attorney General Maura Healey, along with 20 other state attorneys general and the Executive Director of the Hawaii Office of Consumer Protection, issued a letter to U.S. Department of Education (DOE) Secretary Betsy DeVos in opposition to an application submitted by the Accrediting Council for Independent Colleges and Schools (ACICS) to regain its status as a nationally recognized accreditor. According to Healey’s letter, which was submitted in response to the DOE’s January request for comments concerning ACICS’ application, “ACICS’ systemic accreditation failures and refusal to fulfill its obligations to students and taxpayers have enabled predatory schools to ruin the lives of hundreds of thousands of students. . . . Given the gravity of these failures, the Department should not grant any application for recognition made by ACICS without verifying that ACICS has corrected every deficiency and complied with all Departmental requirements effectively and consistently.” As previously covered in InfoBytes, this is not the first time that state attorneys general have reached out to the DOE concerning ACICS’ actions. The DOE upheld the decision to terminate ACICS’ recognition in December 2016.

    State Issues Student Lending NYDFS State Attorney General Department of Education

  • NYDFS issues policies and procedures reminder to virtual currency companies

    State Issues

    On February 7, the New York Department of Financial Services (NYDFS) issued a guidance document reminding virtual currency entities (VC entities) licensed by the state or chartered as limited purpose trust companies that they are required to have policies and procedures in place to guard against fraud, and that they should be particularly vigilant concerning efforts at market manipulation. The guidance requires VC entities to implement written policies that will (i) identify and assess fraud-related areas of risk, including market manipulation; (ii) provide procedures and controls to protect against identified risks; (iii) allocate risk monitoring responsibilities; (iv) periodically evaluate and revise risk monitoring processes to “ensure continuing effectiveness” and “compliance with all applicable laws and regulations”; and (v) “provide for the effective investigation of fraud and other wrongdoing.” NYDFS also requires VC entities to submit incident reports detailing any identified wrongdoing, follow-up reports outlining any material developments, measures taken or to be taken concerning the developments, and a statement outlining any changes to the VC entity’s operations to prevent repeat occurrences.

    State Issues NYDFS Fraud Cryptocurrency Virtual Currency Fintech

  • NYDFS adjusts minimum interest requirements of escrow accounts

    State Issues

    On January 29, the New York Department of Financial Services (NYDFS) announced an order adjusting the minimum rate of interest that New York State-chartered banks and other New York State-chartered financial institutions (collectively, “covered institutions”) must pay on certain mortgage escrow accounts. Prior to the order, covered institutions were required to pay a minimum rate of two percent per annum on certain residential escrow accounts. To more closely align with requirements for federal banking institutions, the order adjusts the minimum rate of interest that covered institutions must pay to the lesser of two percent or the six-month yield on United States Treasury securities.

    State Issues State Legislation NYDFS Escrow Mortgages

  • NYDFS promises to fill CFPB regulatory void

    State Issues

    On January 25, the New York Department of Financial Services (NYDFS) Superintendent, Maria T. Vullo, issued a statement critical of the recent policy changes by the CFPB’s new leadership. As previously covered by InfoBytes, acting CFPB Director Mick Mulvaney announced, among other things, that the CFPB will no longer “push the envelope” in pursuit of the agency’s mission. Vullo stated that NYDFS remains “committed to its mission to safeguard the financial services industry and protect New York consumers,” and promised to fill the “regulatory voids” left by the new administration.

    In December, as previously covered by InfoBytes, seventeen state attorneys general sent a letter to President Trump expressing concern about Mulvaney serving as acting director, and emphasizing that if the CFPB does not do the job, the states will “redouble our efforts at the state level to root out such misconduct and hold those responsible to account.”

    State Issues NYDFS Enforcement Consumer Finance CFPB Succession CFPB

  • NYDFS warns financial institutions of February 15 cybersecurity compliance certification deadline

    Privacy, Cyber Risk & Data Security

    On January 22, the New York Department of Financial Services (NYDFS) issued a reminder to all NYDFS-regulated banks, insurance companies, and other financial services institutions that the deadline to file cybersecurity certifications of compliance is February 15, 2018. Mandated by NYDFS’ cybersecurity regulation that went into effect March 1, 2017 (see previous InfoBytes coverage here), the certification covers the prior calendar year and must be filed electronically through the DFS cybersecurity portal. NYDFS Superintendent Maria T. Vullo also announced that going forward, cybersecurity will be incorporated into all department examinations, and cybersecurity-related questions will be added to NYDFS’ “first day letters” issued to commence examinations of financial services companies.

    Privacy/Cyber Risk & Data Security State Issues NYDFS Bank Compliance

  • New York Senate bill proposes replacing online lending task force with study

    State Issues

    On January 8, the New York State Senate Committee on Rules voted to amend legislation to authorize the New York Department of Financial Services (NYDFS) to conduct a study about online lending. The original legislation, S6593A, signed into law by Governor Cuomo on December 29, 2017, created a seven-person task force responsible for analyzing online lending activity in the state. The proposed amendments to this legislation, S07294 and A8938, which would be effective immediately if passed by both houses of the New York legislature and signed into law, remove the requirement for a task force, and instead authorize NYDFS to direct the study and produce a public report with recommendations prior to July 1. According to the amendments, the study should analyze (i) lending practices of the online lending industry and primary differences between online lenders and traditional lenders; (ii) types of credit products available online; (iii) a review of available complaints, actions and investigations related to online lenders; and (iv) a survey of existing state and federal laws that apply to the online lending industry. 

    State Issues NYDFS Consumer Finance Lending State Legislation

  • NYDFS fines global money service $60 million for AML deficiencies

    Financial Crimes

    On January 4, the New York Department of Financial Services (NYDFS) ordered one of the largest global money transfer services to pay $60 million for willfully failing to implement an effective anti-money laundering (AML) program. According to the consent order, between 2004 and 2012, three of the company’s New York locations allowed the company’s services to be used to pay debts to human traffickers based in China. Additionally, the order emphasizes that the company was aware of weaknesses in its compliance program for years and failed to implement controls that could have detected and prevented the payments in question. The NYDFS investigation resulted from a January 2017 settlement with the Department of Justice, which found that during the same time period (2004-2012), the company processed hundreds of thousands of transactions for company agents and others involved in an international consumer fraud scheme, as previously covered by InfoBytes. In addition to the fine, the order requires that the company put in place stricter AML compliance measures, including the creation of an Independent Compliance Committee of the Board of Directors.

    Financial Crimes NYDFS Bank Secrecy Act Anti-Money Laundering Bank Compliance International

  • NYDFS orders Korean bank to pay $11 million civil money penalty for BSA/AML compliance deficiencies

    Financial Crimes

    On December 21, the New York Department of Financial Services (NYDFS) entered into a consent order with a Korean bank and its New York branch to resolve issues regarding alleged deficiencies in the branch’s Bank Secrecy Act and other anti-money laundering (BSA/AML) compliance and risk management. The alleged deficiencies were discovered during three examinations between 2014 and 2016 by NYDFS and the Federal Reserve Bank of New York. According to the consent order, among other things, the branch failed to maintain adequate transaction monitoring and suspicious activity reporting (SAR), lacked compliance staff with proper BSA/AML background experience, and lacked adequate BSA/AML and OFAC risk assessments.

    The Korean bank and its branch are required to pay an $11 million civil money penalty, and in addition must submit the following documentation: (i) a BSA/AML compliance program; (ii) a customer due-diligence program; (iii) a SAR program; (iv) a revised internal audit program; and (v) a plan to enhance oversight of the branch’s BSA/AML compliance requirements. The Korean bank and branch are also required to submit quarterly reports for two years with updates on the branch’s compliance progress.

    Financial Crimes NYDFS Bank Secrecy Act Anti-Money Laundering SARs Settlement
