
InfoBytes Blog

Financial Services Law Insights and Observations


  • NYDFS reaches $4.5 million settlement over cybersecurity violations

    State Issues

    On October 18, NYDFS announced a $4.5 million settlement with a licensed health insurance company for alleged violations of the Department’s Cybersecurity Regulation (23 NYCRR Part 500), which contributed to the exposure of consumers’ sensitive non-public information (NPI). According to NYDFS, a bad actor gained access to a shared email mailbox in 2020 via a phishing attack. This mailbox, NYDFS said, allegedly contained more than six years’ worth of consumer NPI. An NYDFS investigation found that the company allegedly, among other things, failed to implement multi-factor authentication throughout its email environment, did not limit user access privileges (thus allowing nine employees to share login credentials to the compromised mailbox), and failed to implement sufficient data retention and disposal procedures. NYDFS asserted that the cybersecurity event may have been avoided or limited in scope if these security controls had been implemented. Furthermore, the company’s alleged failure to conduct an adequate risk assessment as required by 23 NYCRR Part 500 prevented it from being able to identify the user access privilege and data disposal risks associated with the mailbox that was impacted by the phishing attack. Consequently, the company’s cybersecurity certifications for calendar years 2018 - 2021 were improper, NYDFS said.

    Under the terms of the consent order, the company is required to pay a $4.5 million civil money penalty and must conduct a comprehensive cybersecurity risk assessment of its information systems. NYDFS recognized the company’s cooperation throughout the investigation and commended its ongoing and completed remediation efforts, including “devoting significant financial and other resources to enhance its cybersecurity program” and making “changes to its policies, procedures, systems, and governance structures.”

    State Issues Bank Regulatory NYDFS New York Enforcement Privacy, Cyber Risk & Data Security 23 NYCRR Part 500

  • NYDFS announces fair lending settlement with indirect auto lender

    State Issues

    On October 6, NYDFS announced a settlement with a New York State-licensed bank to resolve allegations that the bank violated New York Executive Law § 296-a while engaged in indirect automobile lending. NYDFS alleged that the bank’s practices resulted in minority borrowers paying higher interest rates than non-Hispanic white borrowers regardless of their creditworthiness. According to the announcement, the bank allegedly “failed to effectively monitor automobile dealers from which [the bank] agreed to purchase loans, thereby allowing the dealers to charge members of protected classes more in discretionary dealer markups than borrowers identified as non-Hispanic White.” Under the terms of the consent order, the bank agreed to pay a $950,000 civil money penalty to the state, as well as restitution to eligible borrowers impacted during the period of January 1, 2017 through March 31, 2022. The bank also agreed to undertake fair lending compliance remediation efforts to increase its monitoring of dealers participating in its indirect auto lending program to prevent discriminatory markups in the future.

    State Issues NYDFS State Regulators Enforcement Fair Lending Auto Finance Consumer Finance Markups New York

  • Agencies announce hurricanes Fiona and Ian disaster relief guidance

    On September 29, the FDIC, Federal Reserve Board, NCUA, OCC, and the Conference of State Bank Supervisors issued a joint interagency statement covering supervisory practices for financial institutions affected by Hurricanes Fiona and Ian. Among other things, the agencies informed institutions facing operational challenges that the regulators will expedite requests for temporary facilities, noting that in most cases, “a telephone notice to the primary federal and/or state regulator will suffice initially to start the approval process, with necessary written notification being submitted shortly thereafter.” The agencies also called on financial institutions to “work constructively” with affected borrowers, noting that “prudent efforts” to adjust or alter loan terms in affected areas “should not be subject to examiner criticism.” Institutions facing difficulties in complying with any publishing and reporting requirements should contact their primary federal and/or state regulator. Additionally, the agencies noted that institutions may receive Community Reinvestment Act consideration for community development loans, investments, or services that revitalize or stabilize federally designated disaster areas. Institutions are also encouraged to monitor municipal securities and loans impacted by Hurricanes Fiona and Ian.

    HUD also announced disaster assistance for areas in Puerto Rico affected by Hurricane Fiona. The disaster assistance follows President Biden’s major disaster declaration on September 21. According to the announcement, effective immediately, HUD is issuing 29 regulatory and administrative waivers intended to provide flexibility and relief to impacted communities. The waivers cover the following HUD programs: The Community Development Block Grant Program, HOME Investment Partnerships Program, Housing Opportunities for Persons with AIDS Program, Continuum of Care Program, and Emergency Solutions Grant Program. HUD is also providing an automatic 90-day moratorium on foreclosures of FHA-insured home mortgages for covered properties effective September 21, as well as for mortgages to Native American borrowers guaranteed under Section 184 Indian Home Loan Guarantee program and home equity conversion mortgages. HUD is also making various FHA insurance options available to victims whose homes require repairs or were destroyed or severely damaged. HUD’s Section 203(h) program allows borrowers from participating FHA-approved lenders to obtain 100 percent financing, including closing costs, for homes in which “reconstruction or replacement is necessary.” Additionally, HUD’s Section 203(k) loan program will allow individuals to finance the purchase of a house, or refinance an existing house and the costs of repair, through a single mortgage. The program also allows homeowners with damaged property to finance the repair of their existing single-family homes. HUD will also share information on housing providers and HUD programs with FEMA and the state, and will provide flexibility to public housing agencies. Similar disaster assistance measures were also announced (see here and here) for areas of Alaska affected by severe storms, flooding, and landslides from September 15-20, and areas in Florida impacted by Hurricane Ian.

    The FDIC also issued FIL-42-2022 to provide regulatory relief to financial institutions and help facilitate recovery in areas of Puerto Rico affected by Hurricane Fiona from September 17 and later. The FDIC acknowledged the unusual circumstances faced by institutions affected by the storms and suggested that institutions work with impacted borrowers to, among other things: (i) extend repayment terms; (ii) restructure existing loans; or (iii) ease terms for new loans to those affected by the severe weather, provided the measures are done “in a manner consistent with sound banking practices.” Additionally, the FDIC noted that institutions “may receive favorable Community Reinvestment Act consideration for community development loans, investments, and services in support of disaster recovery.” The FDIC will also consider regulatory relief from certain filing and publishing requirements.

    Additionally, the OCC issued a proclamation permitting OCC-regulated institutions, at their discretion, to close offices affected by Hurricane Ian in Florida “for as long as deemed necessary for bank operation or public safety.” The proclamation directed institutions to OCC Bulletin 2012-28 for further guidance on actions they should take in response to natural disasters and other emergency conditions. According to the 2012 Bulletin, only bank offices directly affected by potentially unsafe conditions should close, and institutions should make every effort to reopen as quickly as possible to address customers’ banking needs.

    NYDFS also issued an industry letter advising state-regulated financial institutions to take reasonable and prudent measures to assist consumers and businesses affected by Hurricane Fiona in Puerto Rico. The guidance recommends that financial institutions (i) waive ATM and overdraft fees; (ii) increase ATM withdrawal limits; (iii) ease restrictions on cashing out-of-state and non-customer checks; (iv) ease credit terms for new loans; (v) increase credit card limits for creditworthy customers; (vi) waive late fees on credit card and other loan balances; (vii) work with customers to defer payments or extend payment due dates on loans to help prevent delinquencies and negative credit reporting caused by disaster-related disruptions; and (viii) work with money transmitters and money services businesses to facilitate and expedite the transmission of funds. The actions are intended to help ease financial burdens for New Yorkers seeking to support individuals located in Puerto Rico, as well as consumers in Puerto Rico who hold New York bank accounts.

    Bank Regulatory Federal Issues State Issues FDIC HUD NYDFS Disaster Relief Puerto Rico Consumer Finance Mortgages Florida Alaska

  • New NYDFS proposal to implement Commercial Finance Disclosure Law

    State Issues

    On September 14, NYDFS published a notice of proposed rulemaking under New York’s Commercial Financing Disclosure Law (CFDL) related to disclosure requirements for certain providers of commercial financing transactions in the state. As previously covered by InfoBytes, the CFDL was enacted at the end of December 2020, and amended in February to expand coverage and delay the effective date. (See S5470-B, as amended by S898.) Under the CFDL, providers of commercial financing, which include persons and entities who solicit and present specific offers of commercial financing on behalf of a third party, are required to give consumer-style loan disclosures to potential recipients when a specific offering of finance is extended for certain commercial transactions of $2.5 million or less. Last December, NYDFS announced that providers’ compliance obligations under the CFDL will not take effect until the necessary implementing regulations are issued and effective (covered by InfoBytes here).

    The newest proposed regulations (see Assessment of Public Comments for the Revised Proposed New Part 600 to 23 NYCRR) introduce several revisions and clarifications following the consideration of comments received on proposed regulations published last October (covered by InfoBytes here). Updates include:

    • A new section stating that a “transaction is subject to the CFDL if one of the parties is principally directed or managed from New York, or the provider negotiated the commercial financing from a location in New York.”
    • A new section requiring notice be sent to a recipient if a change is made to the servicing of a commercial financing agreement.
    • A revised definition of “recipient” to now “include entities subject to common control if all such recipients receive the single offer of commercial financing simultaneously.”
    • Clarifying language stating that the “requirements pertaining to the statement of a rate of finance charge or a financing amount, as that term appears in Section 810 of the CFDL, shall be in effect only upon the quotation of a specific commercial financing offer.”
    • Provisions allowing providers to perform calculations based upon either a 30-day month/360-day year or a 365-day year, with the acknowledgment that different methods of computation may lead to slightly different results.
    • An amendment stating that “a ‘provider is not required to provide the disclosures required by the CFDL when the finance charge of an existing financing is effectively increased due to the incurrence, by the recipient, of avoidable fees and charges.’”
    • An acknowledgement of comments asking that 23 NYCRR Part 600 be identical to California’s disclosure requirements (covered by InfoBytes here) “or as consistent as possible.” In response, NYDFS said that while it generally agrees, and has consulted with the California Department of Financial Protection and Innovation (DFPI), the regulations cannot be identical because the CFDL differs from the California Consumer Financial Protection Law and the Department cannot anticipate any future revisions DFPI may make to its proposed regulations.

    Comments on the proposed regulations are due October 31.

    State Issues Agency Rule-Making & Guidance Bank Regulatory State Regulators NYDFS Commercial Finance Disclosures New York CFDL California DFPI

  • New York proposes new cybersecurity reporting requirements for financial institutions

    Privacy, Cyber Risk & Data Security

    Recently, NYDFS released proposed second amendments to New York’s Cybersecurity Regulation (23 NYCRR Part 500), which would, if adopted, require a financial institution’s senior officer or board of directors to approve the entity’s cybersecurity policy. Entities would also be required to disclose whether their directors have expertise in overseeing security risks or whether they rely on third-party cyber consultants. Among other things, the proposed amendments would require cybersecurity executives to provide directors timely alerts of significant cyber issues or events and provide annual reports to the board on cyber risks and defenses as well as on plans for remediating identified inadequacies. Additional requirements include: (i) multi-factor authentication for all privileged accounts (except for service accounts), as well as for “remote access to the network and enterprise and third-party applications from which nonpublic information is accessible”; (ii) limitations on asset and data retention management; (iii) training and monitoring of email to prevent unauthorized access; and (iv) incident response, business continuity, and disaster recovery plans.

    The proposed amendments also contain provisions related to ransomware, including measures which would require entities to notify NYDFS within 72 hours of any unauthorized access to privileged accounts or deployment of ransomware within a “material” part of the entity’s information system. Entities would also be directed to alert the Department within 24 hours of making a ransom payment to a hacker—similar to a ransomware payment disclosure mandate included within the “Cyber Incident Reporting for Critical Infrastructure Act of 2022” covering critical infrastructure (covered by InfoBytes here). Within 30 days, entities would also be required to explain the reasons that necessitated the ransomware payment, what alternatives to payment were considered, all diligence performed to find payment alternatives, and all diligence performed to ensure compliance with applicable OFAC rules and regulations including federal sanctions implications.

    Comments on the proposed amendments are due August 18.

    See continuing InfoBytes coverage on 23 NYCRR Part 500 here.

    Privacy, Cyber Risk & Data Security State Issues Bank Regulatory NYDFS 23 NYCRR Part 500

  • Special Alert: NYDFS fines trading platform for BSA/AML, transaction monitoring, and cybersecurity lapses

    State Issues

    The New York Department of Financial Services and a trading platform on Aug. 1 entered into a consent order to resolve deficiencies identified during a 2019 examination and a subsequent investigation by the department’s enforcement section. The consent order focused on deficiencies related to Bank Secrecy Act and anti-money-laundering compliance, transaction monitoring, cybersecurity, and related New York certifications of compliance. The company will pay a $30 million civil monetary penalty and retain an independent consultant that will assist with remediating the issues highlighted in the order and report to NYDFS on remediation progress.

    The consent order has far-reaching implications for all financial services companies that come under the jurisdiction of the NYDFS.

    The trading platform is a wholly owned subsidiary of a financial services company that offers U.S.-based retail investors the ability to trade stocks, options, and cryptocurrency on a commission-free basis through its broker-dealer subsidiary. The trading platform is licensed by the NYDFS to engage in virtual currency and money transmitter businesses in New York. Of primary concern for the NYDFS was the platform’s alleged reliance on its parent company’s compliance and cybersecurity programs through enterprisewide systems that the NYDFS found to be inadequate. Additionally, according to NYDFS, the platform allegedly had few to no qualified personnel or management involved in overseeing those programs, which NYDFS has implicitly indicated cannot be outsourced.

    State Issues Financial Crimes Special Alerts NYDFS Enforcement Examination Digital Assets Virtual Currency Money Service / Money Transmitters Bank Secrecy Act Anti-Money Laundering Privacy, Cyber Risk & Data Security Of Interest to Non-US Persons

  • NYDFS imposes $30 million fine against trading platform for cybersecurity, BSA/AML violations

    State Issues

    On August 2, NYDFS announced a consent order imposing a $30 million fine against a trading platform for alleged violations of the Department’s Virtual Currency Regulation (23 NYCRR Part 200), Money Transmitter Regulation (3 NYCRR Part 417), Transaction Monitoring Regulation (3 NYCRR Part 504), Cybersecurity Regulation (23 NYCRR Part 500), and for failing to maintain adequate Bank Secrecy Act/anti-money laundering (BSA/AML) obligations. According to a Department investigation, the platform’s BSA/AML compliance program contained significant deficiencies, including an inadequate transaction monitoring system. Among other things, the platform failed to timely transition its manual system to an automated transaction monitoring system, which was unacceptable for a program of its size, customer profiles, and transaction volumes, and did not devote sufficient resources to adequately address risks. The Department also found “critical failures” in the platform’s cybersecurity program, which failed to address operational risks, and that specific policies within the program did not fully comply with several provisions of the Department’s cybersecurity and virtual currency regulations. According to the press release, pursuant to NYDFS’s Transaction Monitoring Regulation and Cybersecurity Regulation, companies should only file a Certificate of Compliance with the Department if their programs are fully compliant with the applicable regulation.

    In light of the program’s deficiencies, NYDFS stated that the platform’s 2019 certifications to the Department attesting to compliance with these regulations should not have been made and thus violated the law. The platform also “failed to comply with the Supervisory Agreement by failing to promptly notify the Department of (a) actual or material potential actions, proceedings, or similar process that were or may have been instituted against [the platform] or any affiliated entity by any regulatory body or governmental agency; and (b) of the receipt by [the platform], or any affiliated entity, of any subpoena from any regulatory body or governmental agency in which [the platform], or any affiliated entity, was the target of the investigation.” NYDFS determined that in addition to the penalty, the platform will be required to retain an independent consultant that will perform a comprehensive evaluation of its compliance with the Department’s regulations and the platform’s remediation efforts with respect to the identified deficiencies and violations.

    A Buckley Special Alert is forthcoming.

    State Issues NYDFS Enforcement State Regulators Bank Secrecy Act Anti-Money Laundering Money Service / Money Transmitters Virtual Currency Privacy, Cyber Risk & Data Security New York Digital Assets Cryptocurrency

  • NYDFS to study overdraft fees

    State Issues

    On July 15, New York’s governor signed S9348, directing the superintendent of NYDFS to conduct a study of overdraft fees in the state. (See also NYDFS press release here.) The study will examine, among other things: (i) the total amount of overdraft fees paid in the state; (ii) the geographical distribution of these fees; (iii) whether certain communities have higher rates of overdraft fees than others and the possible reason for such high rates; (iv) “the percentage of overdraft fees reduced through direct or indirect negotiation”; and (v) the enumeration of consumer rights related to overdraft fee negotiations. The results of the study are to be delivered within one year to the governor, the temporary president of the senate, and the speaker of the assembly. The act is effective immediately.

    State Issues State Legislation New York Overdraft NYDFS Consumer Finance State Regulators

  • NYDFS releases best practices for promoting PSLF program and time-limited waiver

    State Issues

    On July 13, NYDFS called on all federal student loan servicers to increase awareness of and enroll borrowers in public service loan forgiveness programs before a temporary waiver expires on October 31. NYDFS’s letter reminded servicers that under the Public Service Loan Forgiveness (PSLF) program, full-time government and certain non-profit employees may be eligible to have federal direct loans forgiven after making 120 qualifying monthly payments. Last October, the Department of Education announced temporary PSLF changes due to the Covid-19 pandemic. These changes provided qualifying borrowers a time-limited PSLF waiver, which allows all payments to count towards PSLF regardless of loan program or payment plan (covered by InfoBytes here). Expressing concerns that many borrowers may not learn of this opportunity before it expires in October, NYDFS encouraged servicers to adopt eight best practices to promote awareness of the PSLF Program and the waiver. These include “enhanced trainings for customer service staff, proactive communications with borrowers, and increased promotion of the PSLF program on servicer websites and on borrower account pages,” NYDFS said in its announcement.

    The letter follows a December 2021 NYDFS request sent to federal student loan servicers asking for updates on steps taken to address the waived rules. NYDFS also reminded servicers that it “will diligently enforce all servicer legal requirements concerning the PSLF program and will consider the extent to which servicers engaged in proactive measures to promote the PSLF Waiver in future supervisory examinations.”

    State Issues New York State Regulators NYDFS Student Lending PSLF Covid-19 Consumer Finance Department of Education Student Loan Servicer

  • NYDFS issues overdraft and NSF fee guidance

    State Issues

    On July 12, NYDFS issued guidance in an industry letter to regulated banking institutions, calling into question bank practices that can cause consumers to receive multiple overdraft and non-sufficient funds (NSF) fees from a single transaction. The industry letter identifies three specific types of fee practices as unfair or deceptive:

    • Charging overdraft fees for “authorize positive, settle negative” transactions, where consumers are charged an overdraft fee even if they have sufficient money in their account when a bank approves a transaction, but the balance is negative when the payment is settled. Per NYDFS, imposing an overdraft fee in this situation is unfair because, among other things, consumers “have no control over or involvement in” when or how their debit transactions get settled.
    • Charging “double fees” to consumers for a failed overdraft protection plan transfer, which occurs when a bank goes to transfer money from one deposit account to another deposit account to cover an overdraft transaction, but the first account lacks sufficient funds to cover the overdraft. Per NYDFS, double fees injure consumers “by imposing fees for a transfer that provides no value to the consumer and is not reasonably avoidable by consumers, who have no reason to expect that they will be charged a fee for an overdraft protection transfer that does not in fact protect them against an overdraft.”
    • Charging NSF representment fees when a merchant tries several times to process a transaction that is deemed an overdraft and the bank charges a fee for each blocked representment without adequate disclosure. Banks that currently charge multiple NSF fees should “make clear, conspicuous, and regular disclosure to consumers that they may be charged more than one NSF fee for the same attempted debit transaction,” NYDFS stated. Additionally, banks are advised to consider other steps to mitigate the risk that consumers are charged multiple NSF fees, including limiting time periods for when multiple NSF fees may be charged, performing periodic manual reviews to identify instances of multiple NSF Fees, and offering refunds to affected consumers. NYDFS “ultimately expects [i]nstitutions will not charge more than one NSF fee per transaction, regardless of how many times that transaction is presented for payment,” the industry letter said.

    NYDFS informed regulated entities that it will evaluate whether they “are engaged in deceptive or unfair practices with respect to overdraft and NSF fees in future Consumer Compliance and Fair Lending examinations.”

    State Issues State Regulators NYDFS Consumer Finance New York Overdraft NSF Fees Unfair Deceptive
