
InfoBytes Blog

Financial Services Law Insights and Observations

  • NYDFS releases proposed guidance for mitigating climate-related risks

    State Issues

    On December 21, NYDFS proposed guidance for regulated banking and mortgage institutions to support efforts for responding to evolving risks stemming from climate change. The proposed guidance—which was developed to align with the climate-related work of federal and international banking regulators—will aid institutions in identifying, measuring, monitoring, and controlling material climate-related financial risks, consistent with existing risk management principles. Institutions should “minimize and affirmatively mitigate adverse impacts on low- and moderate-income communities while managing climate-related financial risks,” NYDFS said, explaining that the proposed guidance focuses on areas of risk management related to corporate governance, internal control frameworks, risk management processes, data aggregation and reporting, and scenario analysis that also accounts for unknown future risks. Among other things, the proposed guidance warned institutions of the importance of ensuring fair lending is provided to all communities, including low- to moderate-income neighborhoods that may face heightened risks, when managing climate-related financial risks. The proposed guidance also outlined tools institutions should use to measure and protect against climate change risks. NYDFS warned institutions that they may have to directly absorb a greater portion of losses and should plan for insurance coverage premiums to either increase or be withdrawn entirely in areas where climate risks are prevalent.

    NYDFS commented that the proposed guidance serves as a basis for supervisory dialogue and instructed interested parties to provide input as it undertakes a data-driven approach to formulating the final guidance. Comments are due by March 21, 2023. A webinar will be held on January 11, 2023 to provide an overview of the proposed guidance.

    “Regulators must anticipate and respond to new risks to operational resiliency and safety and soundness, jeopardizing an institution’s future,” Superintendent Adrienne A. Harris said. “NYDFS is committed to working with all stakeholders to further refine expectations and finalize guidance appropriate for institutions to address material climate-related financial risks.”

    State Issues State Regulators Bank Regulatory NYDFS Climate-Related Financial Risks Redlining New York Mortgages Risk Management Supervision Fair Lending

  • NYDFS announces benchmark for mortgage lending institutions

    State Issues

    On December 16, NYDFS issued industry guidance to all mortgage lending institutions in the state regarding a New York subprime law requirement and the discontinued publication of the primary mortgage market survey rate for 5/1 adjustable rate mortgage (ARM) loans. According to NYDFS, as required by state law, lending institutions must use the weekly Primary Mortgage Market Survey (PMMS), published by Freddie Mac, for loans that are comparable to the term of the underlying loan, to assess whether a home loan qualifies as “subprime” in New York. In November, Freddie Mac discontinued publication of its weekly PMMS average commitment rate for loans in the U.S. for the 5/1 ARM. NYDFS noted that Freddie Mac’s decision “disrupted the ability of lending institutions to determine whether a residential mortgage loan with a comparable duration to the 5/1 ARM is a subprime home loan.” NYDFS continued that the “inability to ensure compliance with the requirements of Section 6-m has made it impossible for lending institutions to offer this loan product in New York, limiting the availability of certain mortgage financing for consumers in New York.” To address availability of mortgage financing in New York, NYDFS announced the designation of the Average Prime Offer Rate for 5/1 ARMs, as published by the Federal Financial Institutions Examination Council, as the replacement benchmark lending institutions should use for calculating the subprime threshold for loans with a fixed rate for at least three years.

    State Issues New York NYDFS Mortgages Bank Regulatory State Regulators Subprime

  • NYDFS reminds institutions to seek prior approval before engaging in virtual currency activities

    State Issues

    On December 15, NYDFS released virtual currency guidance for regulated banking institutions and licensed branches and agencies of foreign banking organizations. NYDFS reminded covered institutions that they must seek prior approval at least 90 days before engaging in any new or significantly different virtual currency-related activity. The agency noted that this requirement also applies in situations where any portion of the activity will be handled by a third party. The guidance outlines the process institutions should observe for seeking prior approval and summarizes the following categories of information that the agency will consider when assessing proposals: business plan, risk management, corporate governance and oversight, consumer protection, financials, and legal and regulatory analysis. The guidance includes a supplemental checklist of initial documents and required information.

    NYDFS reiterated that prior approval “to engage in virtual currency-related activity does not constitute general consent for that institution to engage in other types of virtual currency-related activity, nor does it authorize other Covered Institutions to undertake that same activity.” Institutions already engaging in virtual currency-related activities should immediately notify NYDFS, if they have not already done so. The guidance, which is not intended to limit the scope or applicability of any law or regulation, is effective as of its release date and applies to all regulated institutions for all virtual currency-related activities.

    State Issues Bank Regulatory Digital Assets NYDFS Virtual Currency Agency Rule-Making & Guidance

  • NYDFS's Harris to serve as the state banking representative on the FSOC

    State Issues

    On December 13, the Conference of State Bank Supervisors (CSBS) announced that NYDFS Superintendent Adrienne A. Harris will serve as the state banking representative on the Financial Stability Oversight Council (FSOC). According to the announcement, in 2013, Superintendent Harris joined the Obama Administration as a Senior Advisor in the U.S. Department of Treasury prior to being appointed as the Special Assistant to the President for Economic Policy. In this role, she managed the financial services portfolio, focusing on the implementation of Dodd-Frank, and developed strategies for financial reform, consumer protections, cybersecurity and housing finance reform. According to James M. Cooper, president and CEO of CSBS, Harris’s “background and experience at both the federal and state level will be an asset for the council as it manages emerging risk during a time of economic uncertainty.”

    State Issues CSBS NYDFS New York FSOC

  • NYDFS finds racial disparities in mortgage lending

    State Issues

    On December 8, NYDFS announced a second report in an ongoing statewide inquiry into redlining and other forms of housing discrimination by mortgage lenders, particularly non-depository lenders. This report focuses on racial disparities in mortgage lending in Long Island, Rochester, and Syracuse, and follows one on Buffalo (covered by InfoBytes here). The report maps lending activity and details individual institutions' lending in majority-minority neighborhoods and to borrowers identifying as members of a minority group. 

    Analyzing HMDA data, NYDFS’s recent report concluded that: “In Nassau county, where the population is 41.8 percent non-white, on average, lenders make 35.32 percent of their loans to borrowers identifying as people of color. Among lenders operating in the county, lending to borrowers identifying as people of color ranges from 14.9 percent to 50.22 percent. In Suffolk county, where the population is 33.7 percent non-white, on average, lenders make 22.44 percent of their loans to borrowers identifying as people of color. Among lenders operating in the county, lending to borrowers identifying as people of color ranges from 13.07 percent to 36.85 percent. In the Rochester metro area, where 23.9 percent of the population is non-white, on average lenders make 11.32 percent of their loans to borrowers identifying as people of color, less than half of what would be expected based solely on population make-up. Similarly in the Syracuse metro area, 18.7 percent of the population is non-white, but on average lenders make 8.67 percent of their loans to borrowers identifying as people of color.”

    In the announcement, NYDFS noted that it is currently developing regulations to implement the updated New York Community Reinvestment Act, which expands oversight to non-depository mortgage lenders operating in the state. The insights uncovered through these reports’ investigations will be reflected in these proposed regulations which will be published for public comment in 2023.

    State Issues Bank Regulatory NYDFS New York Mortgages New York CRA Fair Lending Redlining

  • NYDFS proposes virtual currency firms to pay supervision fees

    Recently, NYDFS announced it is seeking public comment on a proposed rule establishing how certain licensed virtual currency businesses would be assessed for the costs of their supervision and examination. According to NYDFS, the proposed regulation establishes a provision in the state budget granting NYDFS new authority to collect supervisory costs from virtual currency businesses that are licensed pursuant to the Financial Services Law, and will permit NYDFS “to continue adding top talent to its virtual currency regulatory team.” The proposed regulation states that it will apply only to licensed persons engaged in virtual currency business activity and that the fees will only cover the costs and expenses associated with NYDFS's oversight of each licensee. Specifically, the draft regulation states that a licensee's total annual assessment fee will be the “sum of its supervisory component and its regulatory component” and that each licensee will be billed five times per fiscal year. According to the regulation, there will be four quarterly fees, each approximately 25 percent of the anticipated annual amount, and a final fee based on the actual total operating cost for the fiscal year. Comments on the proposed regulation are due March 20.

    Licensing State Issues Agency Rule-Making & Guidance Digital Assets New York NYDFS Virtual Currency Supervision

  • Senators demand answers on collapsed cryptocurrency exchange; NYDFS seeks tougher crypto approach

    Federal Issues

    On November 16, Senator Elizabeth Warren (D-MA) and Senator Richard Durbin (D-IL) sent a letter to the former CEO of a cryptocurrency exchange that filed for bankruptcy and to his successor. In the letter, the senators requested a series of files from the cryptocurrency exchange, including copies of internal policies and procedures regarding the relationship between the firm and its affiliated crypto hedge fund. The senators stated that the cryptocurrency exchange’s customers and Americans “fear that they will never get back the assets they trusted to [the cryptocurrency exchange] and its subsidiaries.” Additionally, the senators argued that “the apparent lack of due diligence by venture capital and other big investment funds eager to get rich off crypto, and the risk of broader contagion across the crypto market that could multiply retail investors’ losses, ‘call into question the promise of the industry.’” The senators emphasized that “the public is owed a complete and transparent accounting of the business practices and financial activities leading up to and following the cryptocurrency lending firm's collapse and the loss of billions of dollars of customer funds.” Among other things, the senators asked the cryptocurrency exchange to provide requested information by November 28, including: (i) complete copies of all the firm’s and its subsidiaries’ balance sheets, from 2019 to the present; (ii) an explanation of how “a poor internal labeling of bank-related accounts” resulted in the firm’s liquidity crisis; (iii) a list of all the firm’s transfers to its affiliated crypto hedge fund; (iv) copies of all written policies and procedures regarding the relationship between the firm and its affiliated crypto hedge fund; and (v) an explanation of the $1.7 billion in the firm’s customer funds that were allegedly reported missing.

    The same day, NYDFS Superintendent Adrienne Harris participated in a “fireside chat” at the Brookings Institution’s event, Digital asset regulation: The state perspective - Effective regulatory design and implementation for virtual currency. During the chat, Harris expressed her support for a national framework similar to what New York has because she believes that “it is proving itself to be a very robust and sustainable regime.” Harris also discussed NYDFS priorities regarding digital assets for the future, stating that crypto companies can expect more guidance on a number of key regulatory issues. Specifically, Harris disclosed that NYDFS will “have more to say on capitalization,” and “on consumer protection, disclosures, advertising … [and] complaints, making sure these companies have an easy way for consumers to complain.” She also warned that NYDFS will “bolster and broaden” its authority, adding that there is “lots of work for us to do to make clear the expectations that we have already, and to make sure that the things we have on the books equip us well to keep up with this marketplace.”

    Senators Warren and Sheldon Whitehouse (D-RI) also sent a letter to the DOJ asking that the former CEO and any complicit company executives be held personally accountable for wrongdoing following the cryptocurrency exchange’s collapse.

    On December 13, the House Financial Services Committee will hold a hearing to discuss the cryptocurrency exchange’s collapse and the possible implications for other digital asset companies.

    Federal Issues Digital Assets State Issues Fintech Cryptocurrency NYDFS Bank Regulatory U.S. Senate DOJ House Financial Services Committee

  • NYDFS amends cybersecurity regs

    Privacy, Cyber Risk & Data Security

    On November 9, NYDFS proposed expanded amendments to the state’s cybersecurity regulation (23 NYCRR 500) to strengthen the Department’s risk-based approach for ensuring cybersecurity risk is integrated into regulated entities’ business planning, decision making, and ongoing risk management. NYDFS’ cybersecurity regulation took effect in March 2017 (covered by InfoBytes here) and imposes a series of cybersecurity requirements for banks, insurance companies, and other financial services institutions. NYDFS is proposing the new amendments via a data-driven approach to ensure regulated entities implement effective controls and best practices to protect consumers and businesses. “With cyber-attacks on the rise, it is critical that our regulation keeps pace with new threats and technology purpose-built to steal data or inflict harm,” Superintendent Adrienne A. Harris said in the announcement. “Cyber criminals go after all types of companies, big and small, across industries, which is why all of our regulated entities must comply with these standards – whether a bank, virtual currency company, or a health insurance company.”

    Some changes within the proposed amended regulation include:

    • New Obligations for Larger Companies. The proposed amended regulation adds a new subcategory of larger covered entities called “Class A companies,” which would be subject to additional security and external auditing requirements in addition to the general requirements that apply to all covered entities. This includes, among other things, a requirement to have an external audit of a Class A company’s cybersecurity program annually. Class A companies are defined as covered entities with at least $20 million in gross annual revenue in each of the last two fiscal years (generated from the business operations of a covered entity and its affiliates in New York) that have either (i) more than 2,000 employees averaged over the last two fiscal years (includes both the covered entity and all affiliates despite the location); or (ii) over $1 billion in gross annual revenue in each of the last two fiscal years (generated from all business operations of a covered entity and all of its affiliates).
    • Cybersecurity Governance. The proposed amended regulation provides several enhancements to the Part 500 governance requirements including:
      • The chief information security officer (CISO) must have adequate authority to ensure that cybersecurity risks are appropriately managed, including the ability to direct sufficient resources to implement and maintain a cybersecurity program.
      • The CISO must present an annual written report to the covered entity’s senior governing body that addresses the covered entity’s cybersecurity program as well as five topics described in the regulation and the company’s plans for remediating material inadequacies.
      • The CISO must timely report to the senior governing body material cybersecurity issues, such as updates to the covered entity’s risk assessment or major cyber events.
      • If the covered entity has a board of directors or equivalent, the board or an appropriate committee shall have sufficient expertise and knowledge (or be advised by persons with sufficient knowledge and expertise) to exercise effective oversight of cyber risk management.
    • Notice of Compliance. The annual certification of compliance must be signed by the covered entity’s highest-ranking executive and its CISO. The proposed amended regulation would allow a covered entity to choose to alternatively provide written acknowledgement that a covered entity did not fully comply with the regulation by describing the areas of noncompliance, including areas, systems, and processes that require material improvement, updating, or redesign, and a remedial plan and timeline for their implementation.
    • Requirements for Resiliency, Business Continuity, and Disaster Recovery Plans. The proposed amended regulation adds significant documentation and technical requirements for business continuity and disaster recovery plans, including: (i) designation of essential data and personnel; (ii) communication preparations; (iii) back-up facilities; and (iv) identification of necessary third parties.
    • Risk Assessments. The proposed amended regulation expands the definition of risk assessment. A covered entity’s risk assessment shall be reviewed and updated at least annually and whenever a change in the business or technology causes a material change to the covered entity’s cyber risk. Class A companies are required to use external experts to conduct a risk assessment at least once every three years.
    • Technology. The proposed amended regulation adds several significant mandatory security control requirements, including:
      • Asset Inventory: Each covered entity will be required to implement written policies and procedures to ensure a complete, accurate, and documented asset inventory.  At a minimum, the policies and procedures should include a method to track key information for each asset, including, as applicable, the owner, location, classification or sensitivity, support expiration date, and recovery time requirements.
      • Privilege Management: The proposed amended regulation introduces additional standards for privilege management, including, among other things, that covered entities must (i) limit privileged accounts to only those that are necessary and to conduct only specific functions; (ii) conduct access reviews on at least an annual basis; (iii) disable or securely configure remote access protocols; and (iv) promptly terminate access privileges for departing users.
      • Multi-Factor Authentication:  The proposed amendment expands the type of accounts and access types that require multi-factor authentication, to include all privileged accounts.
      • Vulnerability Management: Cybersecurity programs must now, through policies and procedures, explicitly address internal and external vulnerabilities, remediate issues in a timely manner, and report material issues to senior management.
    • Reporting Requirements. The proposed amended regulation contains provisions related to ransomware, including measures which would require entities to notify NYDFS within 72 hours of any unauthorized access to privileged accounts or “deployment of ransomware within a material part of the covered entity’s information system.” This timeframe also applies to cybersecurity events that occur at a third-party service provider. Entities would also be directed to provide the superintendent within 90 days of the notice of the cybersecurity event “any information requested regarding the investigation of the cybersecurity event.” Additionally, entities would also be directed to alert the Department within 24 hours of making a ransom payment. Within 30 days, entities must also explain the reasons that necessitated the ransomware payment, what alternatives to payment were considered, all diligence performed to find payment alternatives, and all diligence performed to ensure compliance with applicable OFAC rules and regulations, including federal sanctions implications.
    • Small Business Exemption. NYDFS noted in its announcement that based on industry feedback as well as the operating realities facing small businesses, it is proposing to raise the exemption threshold for small companies. If adopted, limited exemptions will be provided to covered entities with (i) fewer than 20 employees, including any of the entity’s independent contractors or its affiliates located in the state or that are responsible for the business of a covered entity; (ii) less than $5 million in gross annual revenue in each of the last three fiscal years from business operations of a covered entity and its affiliates in the state; and (iii) less than $15 million in year-end total assets, including the assets of all affiliates.

    The proposed amended regulation is subject to a 60-day comment period beginning on November 8th upon publication in the State Register. NYDFS stated it looks forward to receiving feedback on the proposed amended regulation during this comment period. Once the comment period ends, NYDFS will review the comments received and either repropose a revised version or adopt the final regulation. Covered entities will have 180 days from the effective date to comply except as otherwise specified.

    See continuing InfoBytes coverage on 23 NYCRR Part 500 here.

    Privacy, Cyber Risk & Data Security Bank Regulatory Agency Rule-Making & Guidance State Issues New York NYDFS 23 NYCRR Part 500

  • NYDFS issues RFI on private student loan refinancing

    State Issues

    On November 8, NYDFS issued a request for information (RFI) to student loan advocates, lenders, regulators, servicers, and other stakeholders, seeking information regarding private student loan refinancing in New York. The Private Student Loan Refinancing Task Force, tasked with “study[ing] and analyz[ing] ways lending institutions that offer non-federal student loans to students of New York institutions of higher education can be incentivized and encouraged to create student loan refinance programs,” issued questions to solicit information from stakeholders to inform a forthcoming report. According to the announcement, the Task Force is seeking responses to questions concerning private sector refinancing of student loans. The questions include, among other things: (i) “What options are available for student loan borrowers to refinance private student loans both in New York State and outside the state?”; (ii) “What options are available for student loan borrowers to refinance federal student loans both in New York State and outside the state?”; (iii) “What is the volume of private student loans refinanced, the terms of the borrowers’ prior loans, the terms of the borrowers’ refinancing loans, the unmet need for student loan refinancing, and the impact of these refinancing loans in New York and nationwide?”; (iv) “What is the volume of federal student loans refinanced, the terms of the borrowers’ prior loans, the terms of the borrowers’ refinancing loans, the unmet need for student loan refinancing, and the impact of these refinancing loans in New York and nationwide?”; and (v) “What publicly available data should the Task Force review? Is there privately owned data that could be made available to the Task Force?” Responses are due by December 8.

    State Issues NYDFS New York Student Lending State Regulators Consumer Finance

  • NYDFS revises state CRA regulations

    State Issues

    On October 26, NYDFS released revisions to its proposed state Community Reinvestment Act regulation, which would allow the Department to obtain the necessary data to evaluate the extent to which New York-regulated banking institutions are serving minority- and women-owned businesses in their communities. The revised proposed regulation addresses comments received during a prior 60-day comment period that began last November (covered by InfoBytes here), and is intended to minimize compliance burdens by making sure the regulation’s proposed language complements requirements in the CFPB’s proposed rulemaking for collecting data on credit access for small and minority- and women-owned businesses. Among other things, the revised proposed regulation would require regulated entities to inquire as to whether a business applying for a loan or credit is minority- or women-owned or both, and submit a report to the Department providing application details, such as the date, type of credit applied for and the amount, whether the application was approved or denied, and the size and location of the business. Additionally, the revised proposed regulation (i) establishes processes for regulated entities when soliciting, collecting, storing, and reporting information related to their provision of credit to minority- and women-owned businesses, including when requests for information should be made, and notifications informing applicants of their right to refuse to offer information in response to a request and that the provided information may not be used for any discriminatory purpose; (ii) provides that, to the extent feasible, underwriters should not be able to access information provided by an applicant; (iii) stipulates how long a regulated entity is required to preserve gathered information; and (iv) provides a sample data collection form that regulated entities may choose to use. 
    According to NYDFS, the revisions are designed to make sure regulated entities abide by fair lending laws when collecting and submitting the necessary data. Comments will be accepted for 45 days following publication in the State Register.

    State Issues Bank Regulatory Agency Rule-Making & Guidance NYDFS New York New York CRA Fair Lending
