Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
On October 10, NYDFS entered into a consent order with a United Arab Emirates-based bank and its New York branch to resolve alleged violations of the Bank Secrecy Act (BSA) and Anti-Money Laundering (AML) laws related to the branch’s U.S. dollar clearing operations for foreign customers located in high risk jurisdictions. The alleged violations were discovered during examinations conducted in 2016 by the NYDFS and 2017 by the NYDFS and Federal Reserve Bank of New York. During this time, NYDFS downgraded the bank’s score due to certain alleged deficiencies identified in the branch’s BSA/AML programs and policies designed to ensure compliance with OFAC regulations. According to the consent order, among other things, the branch (i) failed to maintain adequate transaction monitoring and had deficient recordkeeping practices; (iii) “maintained insufficient documentation concerning its dispositions of OFAC alerts and cases”; (iv) failed to substantiate its rationales for waiving specific alerts and cases; and (v) failed to sufficiently oversee the third-party auditor who conducted the branch’s 2017 BSA/AML audit and remedial work evaluation.
The United Arab Emirates-based bank and its New York branch are required to pay a $40 million civil money penalty, and must also engage an independent third party to assist the branch in addressing its BSA/AML compliance deficiencies and develop (i) a BSA/AML compliance program; (ii) a suspicious activity monitoring and reporting program; (iii) a customer due-diligence program; and (iv) a plan to enhance oversight of the branch’s BSA/AML corporate governance and management oversight.
NYDFS issues best practices guidance for state-chartered institutions issuing loans to multi-family residential owners and landlords
On September 25, NYDFS released new guidance to assist regulated, state-chartered institutions when engaging in permissible lending activities involving New York rent-stabilized or rent-regulated multifamily residential buildings. According to the press release, the department received complaints concerning certain owners/landlords of rent-stabilized multifamily residential buildings who allegedly engaged in “inappropriate practices including tenant harassment and unsafe living conditions” and may have obtained loans to purchase or renovate buildings directly or indirectly from regulated institutions. The guidance is intended to ensure that regulated institutions apply best practices, including pre-loan and post-loan due diligence, to prevent the possibility of knowingly or unknowingly facilitating these types of practices. Among other things, pre-loan due diligence best practices include (i) conducting due diligence on property owners, including when the bank’s role is to provide indirect financing to the property owner; (ii) conducting due diligence on properties and property owners, including enhanced diligence on properties with a high number of violations; (iii) ensuring “realistic and sound underwriting terms” for loans involving multifamily residential buildings; and (iv) establishing a debt service coverage ratio subject to documentation based on the specific facts of each loan as well as realistic assumptions, consistent with safe and sound underwriting standards and practices. The best practices for post-loan monitoring should include (i) establishing covenants or procedures to ensure emergency and hazard repairs are completed within six months of a loan’s closing; and (ii) considering the property owner’s level of responsiveness and willingness to address building code violation when factoring future loans to the property owner.
On October 1, NYDFS announced the commencement of the final phase of its initiative to manage the license application and regulation of all non-depository financial institutions operating in the state through the Nationwide Multistate Licensing System and Registry (NMLS). As such, NYDFS now allows financial services companies holding check casher and virtual currency business activity licenses to transition those licenses to NMLS. Additionally, companies applying for new licenses may now submit applications through NMLS. As previously covered in InfoBytes, licensed budget planners, sales finance agencies, money transmitter licensees, and mortgage providers have already made the transition to NMLS.
New York Attorney General issues Virtual Markets Integrity Report, following cryptocurrency integrity initiative
On September 18, the New York Attorney General’s office announced the results of its Virtual Markets Integrity Initiative, a fact-finding inquiry into the policies and practices of platforms used by consumers to trade virtual or “crypto” currencies. As previously covered in InfoBytes, last April questionnaires were sent to 13 virtual asset trading platforms to solicit information on their operations, policies, internal controls, and safeguards to protect consumer assets. The resulting Virtual Markets Integrity Report finds that virtual asset trading platforms vary significantly in the comprehensiveness of their response to the risks facing the virtual markets, and presents three broad areas of concern: (i) the potential for conflicts of interest due to platforms engaging in various overlapping business lines that are not restricted or monitored in the same way as traditional trading environments; (ii) a lack of protection from abusive trading platforms and practices; and (iii) limited protections for customer funds, such as the insufficient availability of insurance for virtual asset losses and platforms that do not conduct any type of independent auditing of virtual assets. According to the report, the Attorney General’s office also referred three platforms to the New York Department of Financial Services for potential violations of the state’s virtual currency regulations.
On September 14, New York Department of Financial Services (NYDFS) Superintendent, Maria T. Vullo, filed a lawsuit against the OCC arguing that the agency’s decision to allow fintech companies to apply for a Special Purpose National Bank Charter (SPNB) is a “lawless” and “ill-conceived” move that will destabilize financial markets more effectively regulated by the state. As previously covered in InfoBytes, last December the U.S. District Court for the Southern District of New York dismissed NYDFS’ previous challenge because the court lacked subject matter jurisdiction over NYDFS’ claims since the OCC had yet to finalize its plans to actually issue SPNBs. However, in light of the OCC’s July announcement welcoming nondepository fintech companies engaged in one or more core banking functions to apply for a SPNB (previously covered by Buckley Sandler Special Alert here), Superintendent Vullo once again issued a challenge to the OCC’s decision, arguing that it is unlawful and grants federal preemptive powers over state law. Among other things, NYDFS requests the court to (i) declare that the OCC’s decision to grant SPNBs exceeds its statutory authority under the National Bank Act, and specifically that the decision improperly defines the “‘business of banking’ to include non-depository institutions,” and (ii) enjoin the OCC “from taking further actions to implement its provisions.”
On August 24, 13 state banking supervisors sent a letter asking congressional leaders “to consider legislation that creates a safe harbor for financial institutions to serve state-compliant [marijuana] business, or entrusts sovereign states with the full oversight and jurisdiction of marijuana-related activity.” According to the letter, while 31 states, the District of Columbia, and two territories have legalized medical and/or recreational marijuana use as of August 1, many financial institutions choose not serve marijuana businesses due to a perceived threat of asset forfeitures or criminal penalties. The letter notes that this results in inadequate regulation, cash transactions that are difficult to track, “a diminished ability to identify operators acting to circumvent federal and state licensing and regulatory frameworks,” and concerns for public safety. In addition, according to the state regulators, the rescission of the 2013 “Cole Memo”—which outlined the DOJ’s marijuana enforcement priorities and was relied upon by a limited number of financial institutions—has led to greater uncertainty for banks that serve marijuana businesses. The letter also discusses the Financial Crimes Enforcement Network’s 2014 guidance—which clarifies expectations under the Bank Secrecy Act for financial institutions providing services to marijuana businesses—and further stresses that “the Rohrabacher amendment prohibiting federal funds being used to inhibit state medicinal marijuana programs [is] an impermanent approach that requires a permanent resolution.”
In July, and as previously covered in InfoBytes, the New York Department of Financial Services (NYDFS) issued guidance which encouraged New York state chartered banks and credit unions to consider establishing relationships with regulated and compliant medical marijuana and industrial hemp-related businesses operating in New York. NYDFS stated it will not impose any regulatory action on a New York financial institution that establishes a relationship with a regulated marijuana business as long as the institution also complies with other applicable guidance and regulations.
On August 23, the New York Department of Finance Services (NYDFS) released updated guidance reminding institutions engaged in indirect auto lending through third parties that they must comply with the state’s Fair Lending Law, despite the May repeal of the CFPB’s Bulletin 2013-02 on indirect auto lending and compliance with the Equal Credit Opportunity Act (ECOA). (The repeal was previously covered by InfoBytes here.) The updated guidance “consolidates, streamlines and reinforces previous guidance issued by [NYDFS]’s predecessor, the New York State Banking Department,” which applies to supervised financial institutions and their subsidiaries and affiliates (lenders). The guidance provides a list of actions lenders should take to develop a fair lending compliance program for indirect auto lending, including (i) submitting all applications for loans that are rejected or withdrawn to an automatic review by a higher-level supervisor; (ii) implementing a fair lending training program for both new hires and current employees; (iii) obtaining written agreements from all dealers that certify that the dealer acknowledges its responsibility to comply with fair lending laws and the policies and procedures contained in the fair lending plan; and (iv) extending fair lending plan principles to refinancing and collection practices.
On August 22, the New York Department of Financial Services (NYDFS) announced an online registration form for credit reporting agencies (CRAs) to comply with the state’s final regulation that requires CRAs with significant operations in New York to register with NYDFS and to comply with New York’s cybersecurity regulation. (As previously covered by InfoBytes, the newly promulgated regulation, entitled “Registration Requirements & Prohibited Practices for Credit Reporting Agencies,” 23 NYCRR 201, requires CRAs that reported on 1,000 or more New York consumers in the preceding year to register annually with NYDFS.) Registration must be complete by September 15 of this year and by February 1 of each successive year for the calendar year thereafter. Under the new regulation, CRAs are also required to comply with New York’s cybersecurity requirements by November 1, which requires, among other things, covered entities have a cybersecurity program designed to protect consumers’ data and controls and plans to help ensure the safety and soundness of New York’s financial services industry. (Continuing InfoBytes coverage on NYDFS’ cybersecurity regulation available here.)
On August 8, the New York Department of Financial Services (NYDFS) issued a reminder for regulated entities required to comply with the state’s cybersecurity requirements under 23 NYCRR Part 500 that the third transitional period ends September 4. Banks, insurance companies, and other financial services institutions (collectively, “covered entities”) that are required to implement a cybersecurity program to protect consumer data must be in compliance with additional provisions of the cybersecurity regulation by this date. As of September 4, a covered entity must (i) start presenting annual reports to the board by the Chief Information Security Officer on “critical aspects of the cybersecurity program”; (ii) create an “audit trail designed to reconstruct material financial transactions” in case of a breach; (iii) institute policies and procedures to ensure the use of “secure development practices for IT personnel that develop applications”; and (iv) implement encryption to protect nonpublic information it holds or transmits. Covered entities are also required to have policies and procedures in place “to ensure secure disposal of information that is no longer necessary for the business operations, and must have implemented a monitoring system that includes risk based monitoring of all persons who access or use any of the company’s information systems or who access or use the company’s nonpublic information.” Covered entities are further reminded that they have until March 1, 2019, to assess the risks presented by the use of a third-party service provider to ensure the protection of their security systems and data.
In coordination with the reminder, NYDFS provided new updates to its FAQs related to 23 NYCRR Part 500. The original promulgation of the FAQs was covered in InfoBytes, as were the last updates in February and March. The four new updates to the FAQs add the following guidance:
- Clarifies that in certain circumstances, an entity can be a covered entity, an authorized user, and a third party service provider, and therefore must comply fully with all applicable provisions;
- Outlines specific compliance provisions for covered entities that have limited exemptions from the NYDFS cybersecurity requirements;
- Identifies a covered entity’s responsibilities when addressing cybersecurity risks with respect to bank holding companies; and
- Clarifies situations and requirements for when a covered entity can rely upon the cybersecurity program that another covered entity has implemented for a common trust fund.
Find continuing InfoBytes coverage on NYDFS’ cybersecurity regulations here.
Buckley Sandler Special Alert: OCC announces it will accept fintech charter applications, following the release of Treasury report on nonbank financial institutions
On July 31, the OCC announced that nondepository financial technology firms engaged in one or more core banking functions may apply for a special purpose national bank (SPNB) charter. The announcement follows a report released the same day by the Treasury Department, which discusses a number of recommendations for creating a streamlined environment for regulating financial technology, and includes an endorsement of the OCC’s SPNB charter for fintech firms (fintech charter).
If you have questions about the report or other related issues, please visit our Fintech practice page, or contact a Buckley Sandler attorney with whom you have worked in the past.
- Valerie L. Hletko to discuss "Forecasting litigation and settlement trends in the mortgage servicing and fair lending context" at the American Conference Institute National Forum on Residential Mortgage Regulatory Enforcement & Litigation
- Michelle L. Rogers and Jonice Gray Tucker to discuss “Building a govt affairs program; Government investigations” at the TechGC National Summit
- Tina Tchen to deliver keynote address at the American Bar Foundation Montgomery Summer Research Diversity Fellowship 30th Anniversary Celebration
- Douglas F. Gansler to discuss "Privacy, security and protection of your assets in contracts; Security exercises and tactical measures" at the TechGC National Summit
- H Joshua Kotin will discuss federal regulatory developments in mortgage lending and servicing at the Mortgage Bankers Association of Arkansas Fall Conference
- Kate Shrout to discuss "Conducting workplace investigations" at the TechGC National Summit
- Kathryn R. Goodman to discuss "HECM servicing policies and updates" at the National Reverse Mortgage Lenders Association Annual Meeting & Expo
- Fredrick S. Levin to discuss "Reverse mortgage litigation trends" at the National Reverse Mortgage Lenders Association Annual Meeting & Expo
- Melissa Klimkiewicz to speak at the "Digital marketing compliance roundtable" at the National Reverse Mortgage Lenders Association Annual Meeting & Expo
- Hank Asbill to discuss "The role of the media in white collar criminal investigations and the Mueller probe" at the American Bar Association White Collar Crime Town Hall
- John C. Redding to discuss "Regulatory compliance update" at PowerSports Finance
- Matthew P. Previn to discuss "Enforcement trends: Who is doing what and how?" at the Cambridge Forums Inc. Forum on Consumer Finance Litigation & Enforcement
- Jonice Gray Tucker to discuss "Protect yourself from a CFPB investigation" at the National Association of Settlement Purchasers Conference
- Tina Tchen to deliver keynote address at the American Bar Association Professional Success Summit
- Andrea K. Mitchell to discuss "Developments in fair lending law" at the Mortgage Bankers Association Summit on Diversity and Inclusion
- Jonice Gray Tucker to discuss "Consumer financial services" at the Practising Law Institute Banking Law Institute
- Daniel P. Stipano to discuss "New CDD Rule: Pitfalls in compliance" at the American Bankers Association/American Bar Association Financial Crimes Enforcement Conference