
InfoBytes Blog

Financial Services Law Insights and Observations


  • Harris confirmed as NYDFS superintendent

    State Issues

    On January 25, the New York State Senate confirmed Adrienne A. Harris as Superintendent of NYDFS. “I am honored to serve as the Superintendent of the Department of Financial Services. As the first African American woman to lead DFS, I am personally committed to working with all stakeholders to build a robust, fair and sustainable financial system, creating a better economic future for all New Yorkers,” Harris said in a press release announcing her confirmation. NYDFS highlighted many of Harris' actions to advance economic opportunities and financial services for consumers in the state during her first 100 days.

    State Issues State Regulators NYDFS Bank Regulatory

  • NYDFS concerned with CFPB’s small business loan data collection proposal

    Agency Rule-Making & Guidance

    On January 6, NYDFS issued a comment letter responding to the CFPB’s Notice of Proposed Rulemaking (NPRM), “Small Business Lending Data Collection under the Equal Credit Opportunity Act (Regulation B).” The NPRM—mandated under Section 1071 of the Dodd-Frank Act—would require a broad swath of lenders to collect data on loans they make to small businesses, including information about the loans themselves, the characteristics of the borrower, and demographic information regarding the borrower’s principal owners. This information would be reported annually to the Bureau, and eventually published by the Bureau on its website, with some potential modifications. According to the Bureau, the statute’s stated intent is to “facilitate enforcement of fair lending laws and enable communities, governmental entities, and creditors to identify business and community development needs and opportunities of women-owned, minority-owned, and small businesses.” (Covered by a Buckley Special Alert.)

    In its comment letter, NYDFS discussed its responsibilities for examining state-chartered banking institutions’ compliance with the New York Community Reinvestment Act (NYCRA), New York Banking Law § 28-b, which NYDFS noted largely mirrors the current federal Community Reinvestment Act (CRA). Additionally, NYDFS stated that it examines regulated institutions for compliance with state fair lending requirements and agreed with the Bureau that “collecting critical information about minority- and women-owned businesses (MWOBs) to address fair lending concerns and allow financial institutions to identify gaps in the market” is an important goal. To that end, NYDFS is in the process of implementing its own MWOB data collection regulation under the NYCRA, which would require New York state-chartered banking institutions to start collecting MWOB-related data. (Covered by InfoBytes here.) Due to similarities between the proposed regulation and the Bureau’s NPRM, and to avoid imposing an undue burden on institutions covered by both regulations, NYDFS’s proposed regulation includes language that would “permit, but not obligate, NYDFS to treat compliance with the CFPB’s rule implementing Section 1071 as compliance with the NYCRA’s MWOB-related data collection regulation.”

    Two specific issues were raised in response to the Bureau’s NPRM. First, NYDFS expressed concerns about the NPRM’s silence as to whether the Bureau intends to share more detailed data with state regulators to help states identify fair lending violations and enforce anti-discrimination laws, even if this information is not made available to the public. NYDFS urged the Bureau to include specific language stating it “may share all data submitted by financial institutions with state regulators in accordance with information sharing agreements between the CFPB and the state regulators.” Second, NYDFS asked the Bureau to reconsider its proposal to require data collection only for MWOBs with a threshold of $5 million or less in gross annual revenue. In particular, NYDFS warned of the risk of “dissimilarity in data collected by lenders for submission to the CFPB and the NYDFS” as NYDFS’s proposed regulation “requires evaluation of MWOB lending without respect to size.” NYDFS stressed that this dissimilarity “may prevent the NYDFS from deeming compliance with the CFPB regulation sufficient to comply with the NYDFS regulation.”

    Agency Rule-Making & Guidance CFPB Section 1071 Small Business Lending NYDFS ECOA State Issues State Regulators New York

  • NYDFS puts CFDL compliance obligations on hold

    State Issues

    On December 31, NYDFS announced that providers’ compliance obligations under the state’s Commercial Finance Disclosure Law (CFDL) will not take effect until the necessary implementing regulations are issued and effective. The CFDL was enacted at the end of December 2020, and amended in February 2021, to expand coverage and delay the effective date to January 1, 2022. (See S5470-B, as amended by S898.) Under the CFDL, providers of commercial financing, which include persons and entities who solicit and present specific offers of commercial financing on behalf of a third party, are required to give consumer-style loan disclosures to potential recipients when a specific offering of finance is extended for certain commercial transactions of $2.5 million or less. In October 2021, NYDFS published a notice announcing a proposed regulation (23 NYCRR 600) to implement the CFDL, which provided that the compliance date for the final regulation will be six months after the final adoption and publication of the regulation in the State Register (covered by InfoBytes here). Comments on the proposed regulation were due December 19. NYDFS noted in its announcement that “[i]n light of the significant feedback received, the Department is carefully considering the comments received and intends to publish a revised proposed regulation for notice-and-comment early in the new year.”

    State Issues Bank Regulatory NYDFS Commercial Finance CFDL Compliance New York Agency Rule-Making & Guidance

  • NYDFS issues proposed amendment to third-party debt collection rules

    State Issues

    On December 15, NYDFS announced a proposed amendment to 23 NYCRR 1, which regulates third-party debt collectors and debt buyers. The proposed amendment factored in findings from NYDFS investigations, which revealed instances of abusive and deceptive debt collection practices, as well as consumer debt collection complaint data. According to acting Superintendent Adrienne A. Harris, the “proposed amendment requires clear communication on consumer debt obligations and ensures the consumer has the right information to dispute the validity of the debt.” The proposed regulation will mitigate predatory debt collection by taking measures to ensure consumers only pay debts they owe and only pay them once. Harris added that the proposed amendment will offer enhanced consumer protections by increasing transparency, requiring enhanced disclosures, reducing misleading statements about consumer debt obligations, and limiting harassment by placing stricter limits on debt collection phone calls than those currently imposed under federal regulations. Among other things, the proposed amendment also:

    • Defines “communication” as “the conveying of information regarding a debt directly or indirectly to any person through any medium.”
    • Defines “creditor” as “any person or such person’s successor in interest by way of merger, acquisition, or otherwise, to whom a debt is owed or allegedly owed.”
    • Amends the definition of “debt collector” to include “any creditor that, in collecting its own debts, uses any name other than its own that would suggest or indicate that someone other than such creditor is collecting or attempting to collect such debts.” The definition also includes certain exemptions, such as persons “performing the activity of serving or attempting to serve legal process” in the judicial enforcement of a debt “or serving, filing, or conveying” other specified documents pursuant to rules of civil procedure, but that are “not a party to, or providing legal representation to a party to, the action[.]”
    • Requires collectors to clearly and conspicuously send written notification within 5 days after an initial communication with a consumer letting the consumer know specific information about the debt, including (i) validation information; (ii) the type of reference date used to determine the itemization date; (iii) account information associated with the debt; (iv) merchant/affinity/facility brand association; (v) the date the last payment (including any partial payment) was made; and (vi) the statute of limitations, if applicable.
    • Requires collectors to inform consumers they have “the right to dispute the validity of the debt, in part or in whole,” and provides instructions on how consumers may dispute the validity of the debt.
    • States that certain disclosures may not be sent exclusively through an electronic communication, and prohibits treating a formal pleading in a civil action as an initial communication.
    • Provides that, if a collector “has reason to know or has determined” that the statute of limitations on a debt it seeks to collect has expired, the collector is required to provide clear and conspicuous notice in all communications that, among other items, it believes the statute of limitations has expired. For debts not subject to a statute of limitations, collectors must notify consumers that they are “not required to provide the debt collector with an admission, affirmation, or acknowledgment of the debt, a promise to pay the debt, or a waiver of the statute of limitations.”
    • Prohibits collectors from communicating by telephone or other means of oral communication when attempting to collect on debts for which the statute of limitations has expired, without certain consent or permission.
    • Requires collectors to provide consumers written substantiation of a debt (no longer specified as a “charged-off” debt) in hard copy by mail within 30 days of receiving a request for substantiation of a debt (unless a consumer has consented to receiving electronic communications). The written substantiation must include, among other information, (i) a statement describing the complete chain of title from the creditor “to which the debt was originally owed or alleged to be owed” to the present creditor “or owner of the debt”; and (ii) notice that a consumer may request additional documentation and instructions on how to make such a request. Collectors are also required to provide within 30 days after the consumer makes such a request for substantiation, documents sufficient to establish the complete chain of title, including documents sufficient to establish the specific dates on which the debt was assigned, sold or transferred and names of each previous owner of the account to the current owner.
    • Requires collectors to retain certain information on a debt “until the debt is discharged, sold, or transferred, or for 7 years, whichever is longer.”
    • Requires collectors to provide written confirmation of the satisfaction of a debt to a consumer within 20 business days of receiving receipt of the satisfaction of a debt. The confirmation must include the name of the creditor to which the debt was originally owed and the account number unless stipulated otherwise.
    • Limits collectors to 1 telephone call and 3 attempted telephone calls in a 7-day period per alleged debt, without certain consents or permission, “except that telephone calls in excess of one time per seven day period are permitted when” a consumer requests to be contacted or when the communication is required under the proposed amendment or other federal or state law.
    • Permits collectors to communicate with persons through electronic channels to collect a debt only if (i) the person has voluntarily provided certain contact information to the debt collector; and (ii) the person has given certain revocable consent in writing directly to the debt collector. The proposed amendment also provides (i) certain disclosure requirements for electronic communications “initiated by” a collector; (ii) privacy requirements that incorporate 15 U.S. Code § 1692c(b); and (iii) outlines compliance requirements for collectors should a consumer revoke consent.

    State Issues NYDFS Debt Collection Third-Party Agency Rule-Making & Guidance Bank Regulatory Consumer Finance State Regulators

  • NYDFS addresses use of cyber assessment framework in risk assessment process

    Privacy, Cyber Risk & Data Security

    On December 9, NYDFS updated its FAQs regarding 23 NYCRR Part 500, which established cybersecurity requirements for banks, insurance companies, and other financial services institutions. (See InfoBytes coverage on 23 NYCRR Part 500 here.) New FAQ 41 addressed whether covered entities should use a cyber assessment framework as part of their risk assessment process as required by Sections 500.9 and 500.2(b). NYDFS clarified that while it “does not require a specific standard or framework for use in the risk assessment process,” it expects covered entities “to implement a framework and methodology that best suits their risk and operations.” Commonly employed frameworks cited by NYDFS include the FFIEC Cyber Assessment Tool, the CRI Profile, and the NIST Cybersecurity Framework.

    Privacy/Cyber Risk & Data Security State Issues NYDFS State Regulators 23 NYCRR Part 500 Bank Regulatory

  • NYDFS addresses multi-factor authentication weaknesses

    Privacy, Cyber Risk & Data Security

    On December 7, NYDFS issued guidance on multi-factor authentication (MFA) to all regulated entities. According to NYDFS, “MFA weaknesses are the most common cybersecurity gap exploited at financial services companies,” affecting both large companies and small businesses. The regulator noted that, since the Cybersecurity Regulation (23 NYCRR Part 500) went into effect (covered by InfoBytes here), MFA failures have continued to impact both financial services entities and consumers. From January 2020 to July 2021, more than 18.3 million consumers were affected by reported cyber incidents involving covered entities’ MFA failures, according to NYDFS. NYDFS has also taken two enforcement actions in the past year against companies whose failure to implement MFA fully resulted in unauthorized access to nonpublic information. The New York banking regulator is increasing its review of MFA during examinations and will focus on searching for common MFA failures discussed in the guidance. Covered entities are advised to consider carefully the importance of MFA as they implement their risk-based cybersecurity programs. Under the Cybersecurity Regulation, MFA is required for remote access, and must “be implemented beyond that as necessary to ensure effective access controls based on a comprehensive risk assessment.” The guidance provides examples of common problems related to MFA as well as recommendations for preventing problems.

    Privacy/Cyber Risk & Data Security State Issues NYDFS Bank Regulatory Risk Management Multi-Factor Authentication

  • NYDFS issues final guidance for insurers on climate change financial risks

    State Issues

    On November 15, NYDFS issued final guidance to New York regulated-domestic insurers on managing climate change-related financial risks. The final guidance reflects the agency’s consideration of stakeholder comments from proposed guidance issued in March, and was informed by NYDFS’s collaboration with the insurance industry and international regulators. Building on a 2020 insurance circular letter addressing climate change and financial risks, the final guidance outlines expectations that insurers begin “integrating the consideration of the financial risks from climate change into their governance frameworks, business strategies, risk management processes and scenario analysis, and developing their approach to climate-related financial disclosure.” Specifically, an insurer should (i) incorporate into its governance structure, at either “the group or insurer entity level,” climate-risk considerations; (ii) consider current and forward-looking climate-related implications on its operations through “time horizons” appropriately tailored to the insurer’s activities and decisions; (iii) incorporate in its current financial risk management framework analyses of the effect of climate risks on existing risk factors; (iv) employ scenario analysis to inform business strategy decisions, risk assessments, and identification; and (v) disclose its climate risks and engage with NYDFS’s Task Force on Climate-related Financial Disclosures when developing climate disclosure approaches. NYDFS will monitor insurers’ progress in implementing these expectations with respect to organizational structures, which insurers must have in place by August 15, 2022. The NYDFS noted it will provide further guidance on timing for implementing “the more complex expectations outlined in the guidance.”

    State Issues State Regulators NYDFS Insurance Climate-Related Financial Risks Risk Management Bank Regulatory

  • UAE bank fined $100 million for Sudanese sanctions violations

    Financial Crimes

    On November 9, NYDFS announced that a United Arab Emirates bank will pay a $100 million penalty to resolve an investigation into payments it allegedly processed through financial institutions in the state, including one of the bank’s New York branches. These transactions, NYDFS stated, were in violation of Sudan-related U.S. sanctions. According to NYDFS’ investigation, the bank instructed employees to avoid including certain details in messages sent between banks that would have linked the transactions to Sudan. By concealing these details, the transactions bypassed other banks’ sanctions filters, which otherwise might have triggered alerts or transaction freezes, NYDFS said. As a result, between 2005 and 2009, the bank illegally processed more than $4 billion of payments tied to Sudan. Following an announcement in 2009 that a Swiss bank used by the bank to process these transactions was being investigated by the New York County District Attorney’s Office for violating economic sanctions rules, the bank closed all U.S. dollar accounts held by Sudanese banks, but failed to disclose the prohibited transactions to NYDFS as required until 2015. NYDFS asserted that “despite having ample notice of the prohibited nature of the Sudan-related [transactions] by 2009,” the bank’s New York branch processed an additional $2.5 million in Sudan-related payments. Under the terms of the consent order, the bank—which was previously cited by NYDFS for anti-money laundering and sanctions compliance deficiencies in a 2018 consent order that included a $40 million fine—is also required to provide a status report on its U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) compliance program, in addition to paying the $100 million penalty. NYDFS acknowledged the bank’s substantial cooperation and ongoing remedial efforts.

    NYDFS coordinated its investigation with the Federal Reserve Board and OFAC, both of which announced separate settlements with the UAE bank the same day. The Fed’s announcement of its order to cease and desist cites the bank for having insufficient policies and procedures in place to ensure that activities involving branches outside the U.S. were in compliance with U.S. sanctions laws. Under the terms of the order, the bank is required, among other things, to implement an enhanced compliance program to ensure global compliance with U.S. sanctions, and must also conduct annual reviews, including a “risk-focused sampling” of its U.S. dollar payments, led by an independent external party. The order did not include any additional monetary penalties for the bank.

    OFAC also issued a finding of violation (FOV) for violations of the now-repealed Sudanese Sanctions Regulations related to the bank’s actions. These violations included 1,760 transactions that involved USD transfers from Sudanese banks that were processed by the bank’s London branch and routed through U.S. banks. In determining that the appropriate administrative action was an FOV rather than a civil monetary penalty, OFAC stated the bank “voluntarily entered into a retroactive statute of limitations waiver agreement, without which OFAC would have been time-barred from charging the violations.” Because the payment messages did not include the originating Sudanese bank, U.S. correspondent banking partners “could not interdict the payments, and the payments were successfully processed through the U.S. financial system,” OFAC stated. However, OFAC credited the bank with providing substantial cooperation during the investigation, and noted that the bank had taken “extensive remediation” efforts before the investigation began in 2015, and has spent more than $122 million on compliance enhancements.

    Financial Crimes Of Interest to Non-US Persons OFAC Department of Treasury NYDFS OFAC Sanctions Sudan Enforcement Bank Regulatory Federal Reserve State Issues

  • New York expands consumer protections

    State Issues

    On November 8, the New York governor signed several pieces of legislation relating to consumer protection. Among those, S.153 enacts The Consumer Credit Fairness Act, which expands consumer protections against abusive debt collection by, as explained by NYDFS acting Superintendent Adrienne A. Harris, “address[ing] known predatory debt collection practices, barring an abusive common tactic engaged by predatory debt collectors which is to sue on time-barred consumer debts for which they lack even the most basic of documentation.” Certain parts of the Consumer Credit Fairness Act are effective immediately. S.4823, effective 30 days after being signed into law, prohibits utility companies from engaging in harassment, oppression, or abuse when coordinating with a residential customer. According to the press release, this legislation responds “to various unscrupulous practices that utility corporations engage in, such as creating a ‘payment agreement’ with customers that encourage customers to take large down payments in exchange for utilities such as energy not being shut down.” S.1199 requires the Public Service Commission to have at least one member who is an expert in consumer advocacy. It will also go into effect 30 days after being signed into law.

    State Issues NYDFS Consumer Finance Debt Collection New York Consumer Protection State Legislation

  • NYDFS proposes expanding CRA to support minority- and women-owned businesses

    State Issues

    On November 3, NYDFS issued proposed changes to the state’s Community Reinvestment Act (New York CRA) to guarantee the department “has the necessary data to ensure banks are evolving to best serve their communities and protect against redlining and fair lending violations.” The proposed regulation further specifies the type of communities the New York CRA plans to support and will enable NYDFS to evaluate the extent to which minority- and women-owned businesses are offered and provided credit. In June 2020, NYDFS issued an industry letter (covered by InfoBytes here) to alert regulated entities that it planned to make changes to its CRA examination process in response to an amendment to the New York CRA, which required NYDFS to consider “several aspects of banking institutions’ activities with respect to minority- and women-owned businesses.” Among other things, the proposed regulation outlines data collection and submission requirements, including (i) asking whether a business applying for a loan or credit is minority- or women-owned or both; (ii) reporting application details such as the date, type of credit applied for and amount, and whether the application was approved or denied; and (iii) reporting a business’s size and location. Comments will be accepted for 60 days following publication in the State Register.

    The New York CRA has undergone several expansions recently. As previously covered by InfoBytes, the New York governor signed legislation on November 1 expanding the New York CRA to cover non-depository lenders. Under the amendments, nonbank mortgage providers’ lending and investment in low- and moderate-income communities will be subject to NYDFS review. 

    State Issues State Regulators NYDFS Bank Regulatory CRA New York
