InfoBytes Blog

Financial Services Law Insights and Observations

  • NYDFS finds credit card underwriting showed no evidence of wrongdoing

    State Issues

    In March, NYDFS released a report detailing the findings of an investigation into whether a global technology company and a New York state-chartered bank allegedly discriminated against women when making underwriting decisions for a co-branded credit card. According to the report, in 2019, allegations were made that the bank offered lower credit limits to women applicants and unfairly denied women accounts. NYDFS launched a fair lending investigation into the allegations and reviewed underwriting data for nearly 400,000 New York residents, but ultimately found no evidence of unlawful disparate treatment or disparate impact. Among other things, the report noted that the bank “had a fair lending program in place for ensuring its lending policy—and underlying statistical model—did not consider prohibited characteristics of applicants and would not produce disparate impacts.” The bank also identified the factors it used when making the credit decisions, including credit scores, indebtedness, income, credit utilization, missed payments, and other credit history elements, all of which, NYDFS stated, appeared to be consistent with its credit policy.

    State Issues NYDFS Credit Cards Discrimination Disparate Impact State Regulators Bank Regulatory

  • States urge Department of Education to protect student loan borrowers

    State Issues

    On March 9, NYDFS sent a letter on behalf of a multi-state coalition of financial regulators inviting recently confirmed Department of Education Secretary Dr. Miguel Cardona to partner with the states to ensure protections for student loan borrowers. Specifically, the letter urges Secretary Cardona to reverse two policies instituted by former Secretary Betsy DeVos that the coalition claims “undermine state supervision of private companies that service federal student loans.” The first is a 2018 interpretation (covered by InfoBytes here), which takes the position that state regulation of servicers of loans made under the William D. Ford Federal Direct Loan Program and the Federal Family Education Loan Program is preempted by federal law. The coalition argues that the Department’s 2018 preemption interpretation has made “state-level oversight of student loan servicers more burdensome.” As such, the coalition urges Secretary Cardona to promulgate a regulation rejecting federal preemption of state consumer protection laws to ensure borrowers can “benefit from state oversight of student loan servicers.” The letter also discusses former Secretary DeVos’s attempt to use the Privacy Act of 1974 “as a shield from necessary state oversight”—an action the coalition claims leaves states “with no choice but litigation” to obtain documents needed for industry oversight.

    State Issues State Regulators NYDFS Student Lending Department of Education Bank Regulatory

  • NYDFS, mortgage lender reach $1.5 million cyber breach settlement

    State Issues

    On March 3, NYDFS announced a settlement with a mortgage lender to resolve allegations that the lender violated the state’s cybersecurity regulation (23 NYCRR Part 500) by failing to report it was the subject of a cyber breach in 2019. Under Part 500.17, regulated entities are required to provide timely notice to NYDFS when a cybersecurity event involves harm to customers (see FAQs here). A July 2020 examination revealed that the cyber breach involved unauthorized access to an employee’s email account, which could have provided access to personal data, including social security and bank account numbers. NYDFS also claimed that the lender allegedly failed to implement a comprehensive cybersecurity risk assessment as required by 23 NYCRR Part 500. Under the terms of the consent order, the lender will pay a $1.5 million civil monetary penalty, and will make further improvements to strengthen its existing cybersecurity program to ensure compliance with 23 NYCRR Part 500. NYDFS acknowledged that the mortgage lender had controls in place at the time of the cyber incident and implemented additional controls since the incident. NYDFS also acknowledged the mortgage lender’s “commendable” cooperation throughout the examination and investigation and stated that the lender had demonstrated its commitment to remediation.

    State Issues State Regulators NYDFS Enforcement Privacy/Cyber Risk & Data Security Settlement Mortgages Data Breach 23 NYCRR Part 500 Bank Regulatory

  • NYDFS: Global social media company must prevent app developers from transmitting users’ sensitive data

    State Issues

    On February 18, New York Governor Andrew M. Cuomo accepted a report detailing the findings of an NYDFS investigation into whether sensitive personal information, including medical and personal data, was shared with a global social media company by application and website developers without users’ consent or knowledge. In 2019, the governor directed NYDFS to perform an investigation into the company’s collection of sensitive personal data from smartphone apps after a media report emerged that claimed app developers regularly sent sensitive data to the company. According to the NYDFS press release, the report’s findings conclude, among other things, that inadequate controls at the company allowed sensitive data to be wrongfully shared, and that the company “did little to track whether app developers were violating its policies” and to date has taken “no real action against developers” that transmit the data. The report outlines various remedial measures the company has undertaken as a result of the investigation, including (i) building and implementing a screening system to identify and block sensitive information prior to entering the company’s system; (ii) enhancing app developer education to better inform developers that they are obligated to avoid transmitting sensitive data; and (iii) taking measures to provide users more control over data that is collected about them, including from off-company activity. The report also includes recommendations for the company to implement to better protect consumer privacy and ensure app developers “are fully aware of the prohibition” on transmitting sensitive data. The steps include that the company should “do more [] to prevent developers from transmitting sensitive data in the first place rather than simply relying so heavily on a back-end screening system.” The report also urges the company to “undertake significant additional steps to police its own rules” by putting in place appropriate consequences for doing so.

    State Issues NYDFS Privacy/Cyber Risk & Data Security State Regulators Consumer Protection Bank Regulatory

  • NYDFS announces cybersecurity fraud alert

    State Issues

    On February 16, NYDFS issued a cybersecurity fraud alert to regulated entities describing a “widespread cybercrime campaign” designed to steal nonpublic private consumer information (NPI) from public-facing websites and use the stolen NPI to fraudulently apply for pandemic and unemployment benefits. NYDFS states that it has received reports from several regulated entities of “successful or attempted data theft” from websites providing instant rate quotes such as auto insurance rates, noting that even if NPI is redacted, “hackers have shown that they are adept at stealing the full unredacted NPI.” NYDFS advises regulated entities to review security controls for public-facing websites that display or transmit NPI (even redacted NPI), and reminds entities of their obligations under the state’s cybersecurity regulation to promptly report the theft of consumers’ NPI. (See InfoBytes coverage on NYDFS’ cybersecurity regulation here.) The cybersecurity fraud alert furthers NYDFS’ commitment to improving cybersecurity protections for both consumers and the industry, and follows an enforcement action taken last year alleging cybersecurity regulation violations (see InfoBytes coverage of NYDFS’ complaint against a title insurer for allegedly failing to safeguard mortgage documents here), as well as the regulator’s recently issued cybersecurity insurance framework (covered by InfoBytes here).

    State Issues NYDFS Privacy/Cyber Risk & Data Security State Regulators Data Breach 23 NYCRR Part 500 Bank Regulatory

  • NYDFS says climate-based activities may qualify for state CRA credit

    State Issues

    On February 9, NYDFS issued new guidance stating that financing activities that support the climate resiliency of low- and moderate-income (LMI) and underserved communities may receive credit under the New York Community Reinvestment Act (the “New York CRA”). The industry letter notes that LMI and underserved communities are “disproportionally affect[ed]” by climate change because they “tend to be more susceptible to flooding and heat waves” and have “fewer resources to recover from natural disasters.” NYDFS reminds institutions that one way banking institutions subject to the New York CRA are evaluated is the extent to which their activity revitalizes or stabilizes both LMI geographies and underserved geographies, and that financing climate resiliency actions “may help mitigate climate change risks and at the same time revitalize or stabilize those geographic areas.” Accordingly, NYDFS outlines a non-exhaustive list of specific examples that may qualify for credit under the New York CRA, including (i) “renewable energy, energy-efficiency and water conservation equipment or projects for affordable housing…”; (ii) “microgrid or battery storage projects in LMI areas with high flood and/or wind risk…”; and (iii) “installation of air conditioning in multifamily buildings offering affordable housing….” Moreover, NYDFS states that banking institutions may also receive credit for climate resiliency promoting investments or loans to Community Development Financial institutions, among others.

    State Issues NYDFS CRA State Regulators Bank Regulatory

  • NYDFS details redlining issues from nonbank lenders

    State Issues

    On February 4, NYDFS released a report on redlining in the Buffalo metropolitan area, concluding that there is a “distinct lack of lending by mortgage lenders, particularly non-depository lenders” to majority-minority populations and to minority homebuyers in general. Among other things, the report concluded that (i) while minorities in the Buffalo region comprise about 20 percent of the population, they receive less than 10 percent of total loans made in the region; (ii) nonbank lenders lent at a lower rate in majority-minority neighborhoods than depository institutions did; and (iii) several of the nonbank mortgage lenders did not have adequate fair lending compliance programs and do not make an effort to serve majority-minority neighborhoods. The report made numerous recommendations, including a recommendation to amend the New York Community Reinvestment Act (CRA) to cover nonbank mortgage lenders and a request that the OCC and the CFPB investigate federally regulated institutions serving the Buffalo area for violations of fair lending laws.

    Additionally, NYDFS announced a settlement with a nonbank lender in connection with its lending to minorities and in majority-minority neighborhoods in Buffalo and Syracuse, New York. The settlement agreement found no evidence of intentional discrimination or fair lending law violations but rather weaknesses in the lender’s compliance program. The agreement outlines efforts the lender will take to “provide more meaningful access to residential loans and financing for minorities and individuals living in majority-minority neighborhoods” in Western and Central New York. Among other things, the lender will (i) develop a compliance management plan; (ii) increase marketing to majority-minority census tracts; (iii) create a $150,000 special financing program to increase loan originations for residents of majority-minority neighborhoods; and (iv) increase annual training.

    State Issues NYDFS Mortgages Settlement Enforcement CRA Fair Lending Bank Regulatory

  • NYDFS issues Cybersecurity Insurance Risk Framework

    State Issues

    On February 4, NYDFS issued a framework outlining industry best practices for state-regulated property/casualty insurers writing cyber insurance. The new Cyber Insurance Risk Framework provides guidance for effectively managing cyber insurance risk and is the first guidance released by a U.S. regulator on this topic. In recognizing the growing risk and the challenges insurers face when trying to manage that risk, NYDFS advised insurers to “establish a formal strategy for measuring cyber insurance risk that is directed and approved by its board or other governing entity[.]” According to the guidance, the insurer’s strategy should be proportionate to the insurer’s risk and take into account “the insurer’s size, resources, geographic distribution, and other factors.” NYDFS also advised insurers to:

    • Eliminate exposure to “silent” cyber insurance risk resulting from a cyber incident that an insurer is obligated to cover even though its policy “does not explicitly mention cyber incidents.”
    • Evaluate systemic risk, including how catastrophic cyber events impact third-party vendors.
    • Measure and assess potential cybersecurity gaps and vulnerabilities through a data-driven approach.
    • Educate insureds and insurance producers on the value of cybersecurity measures, as well as the uses and limitations of cyber insurance.
    • Recruit and hire employees with cybersecurity experience.
    • Include a requirement in cyber insurance policies that victim-insureds notify law enforcement when a cyber attack occurs.

    State Issues NYDFS Privacy/Cyber Risk & Data Security State Regulators Bank Regulatory

  • NYDFS virtual currency techsprint set for March

    State Issues

    On January 21, NYDFS announced the details of its first-of-its-kind techsprint focusing on virtual currency that will open on March 1 and culminate on March 12. As previously covered by InfoBytes, the techsprint is a collaboration with the Conference of State Bank Supervisors and the Alliance for Innovative Regulation, and the objective is “to achieve creative and collaborative prototyping as a step toward smarter regulatory reporting in virtual currency.” NYDFS notes that the virtual format will allow flexibility for the techsprint to include a combination of full-day facilitated exercises and self-paced, team-managed efforts. The teams will work to address one of several problem statements, including (i) “[h]ow can DFS achieve real-time or more frequent access to company financial data from virtual currency licensees and receive early warning signs of financial risks to the companies or their customers?” (ii) “[h]ow can DFS obtain real-time transaction data from its licensees and automatically analyze the data to safeguard against illicit financing risks?” and (iii) “[h]ow can DFS use tools such as natural language processing, machine learning, and artificial intelligence to identify risks by processing and analyzing supervisory reports that are submitted by licensees in a wide range of formats?”

    State Issues NYDFS Fintech Virtual Currency Techsprint Bank Regulatory Digital Assets

  • CSBS challenges OCC’s pending fintech charter

    State Issues

    On December 22, the Conference of State Bank Supervisors (CSBS) filed a complaint in the U.S. District Court for the District of Columbia opposing the OCC’s impending approval of a national bank charter for a financial services provider (company), arguing that the OCC is exceeding its chartering authority. According to the complaint, the company’s charter is close to being formally approved by the OCC after being “solicited, vetted and in November 2020 accepted as complete” by the agency. The complaint asserts the company will continue its lending and payment activities (which are currently state-regulated) without obtaining deposit insurance from the FDIC. The complaint alleges that the company is applying for the OCC’s nonbank charter, which was invalidated by the U.S. District Court for the Southern District of New York in October 2019 (which concluded that the OCC’s Special Purpose National Bank Charter (SPNB) should be “set aside with respect to all fintech applicants seeking a national bank charter that do not accept deposits,” covered by InfoBytes here). CSBS argues that “by accepting and imminently approving” the company’s application, the “OCC has gone far beyond the limited chartering authority granted to it by Congress under the National Bank Act (the “NBA”) and other federal banking laws,” as the company is not engaged in the “business of banking.” CSBS seeks to, among other things, have the court declare the agency’s nonbank charter program unlawful and prohibit the approval of the company’s charter under the NBA without obtaining FDIC insurance.

    State Issues CSBS OCC Fintech National Bank Act Courts Preemption NYDFS Fintech Charter Bank Regulatory FDIC
