InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
NYDFS announces cybersecurity toolkit for small businesses
On November 17, NYDFS announced a partnership with a non-profit company to provide a free cybersecurity toolkit to small businesses, including those in the financial services sector. The toolkit is intended to help small businesses strengthen their cybersecurity and to protect themselves and their customers from growing cyber threats. Operational tools and educational resources covered in the toolkit address “identifying hardware and software, updating defenses against cyber threats, strengthening passwords and multi-factor authentication, backing up and recovering data, and protecting email systems.” NYDFS’ partnership with the company also includes the development of a set of sample policies based on cybersecurity best practices to help small businesses install necessary governance and procedures. The sample policies include, among other things, a risk assessment and a sample third-party service provider policy. NYDFS advises small businesses to “review the tools and sample policies and to adapt them to their specific business risks and operations, including to comply with any applicable state and federal laws.”
NYDFS: Regulated financial institutions must manage climate change-related financial risks
On October 29, NYDFS issued a letter encouraging state-regulated financial institutions to “prudently manage” climate change-related financial risks. The letter was sent to “all New York-regulated banking organizations, branches and agencies of foreign banking organizations, mortgage bankers and servicers, and limited purpose trust companies (regulated organizations), as well as New York-regulated non-depositories (other than New York regulated mortgage bankers, mortgage servicers, and limited purpose trust companies), including New York regulated money transmitters, licensed lenders, sales finance companies, premium finance agencies, and virtual currency companies (regulated non-depositories).” The letter outlines NYDFS’s expectations for regulated organizations, beginning with changing their governance frameworks, risk management processes, and business strategies to reflect the increasing financial risks of climate change. Regulated non-depositories are expected to conduct risk assessments that consider the “disruptive consequences of climate change” on their customers and in the communities they serve, and should start developing strategic plans to mitigate risk.
NYDFS encourages institutions to take a “proportionate approach” that reflects the complexity of their business and exposure to financial risks. In addition, when developing their approach to climate-related financial risk disclosures, regulated organizations are also encouraged to consider engaging with the Task Force for Climate-related Financial Disclosures framework and other established initiatives. NYDFS’ press release further notes that it “is developing a strategy for integrating climate-related risks into its supervisory mandate and will engage with regulated organizations and regulated non-depositories, as well as work and coordinate with the Department’s U.S. and international counterparts, to develop effective supervisory practices, as well as guidance and best practices to mitigate the financial risks from climate change within the financial services industry.”
NYDFS urges regulating social media companies following hacks
On October 14, NYDFS released a report detailing the Department’s investigation into the July 2020 social media hacks of public figures and cryptocurrency firms, concluding that the social media platform lacked adequate cybersecurity protections and recommending increased regulation of large social media companies. The investigation, which was requested by New York Governor Andrew Cuomo, determined, among other things, that (i) the social media hackers obtained log-in credentials from four employees by pretending to be from the company’s IT department; (ii) the hackers stole over $118,000 worth of bitcoin from consumers by tweeting “double your bitcoin” with a link to send bitcoin payments from celebrity accounts and several bitcoin companies; (iii) certain Department-regulated cryptocurrency companies blocked attempted transfers to the hacker’s addresses; and (iv) the social media company lacked adequate cybersecurity protection, including not having “a chief information security officer, adequate access controls and identity management, and adequate security monitoring.” The report recommends that the largest social media companies be designated as “systemically important institutions” subject to an analogue council of the Financial Stability Oversight Council. The report suggests the social media companies should be subject to enhanced regulation, including “stress test[]” scenarios covering cyberattacks and election interference.
NYDFS to host first-ever virtual currency techsprint
On October 15, NYDFS, in collaboration with the Conference of State Bank Supervisors and the Alliance for Innovative Regulation, announced that a first-of-its-kind techsprint focusing on virtual currency will take place early 2021. The techsprint will bring together regulators, fintech and virtual currency industry stakeholders, and experts to collaborate on regulatory compliance solutions. Possible solutions may include “process improvements to a functional prototype of a reporting mechanism,” such as Digital Regulatory Reporting (DRR), which will “give regulators instant access to data provided by firms under their supervision.” Based on the takeaways from the techsprint, NYDFS intends to “develop a set of common standards and an open source technical framework for DRR” that may be adopted by NYDFS and other regulatory agencies. As part of the collaboration, future techsprints will also be developed that focus on other types of nonbank entities subject to financial regulation.
NYDFS issues first “conditional Bitlicense”
On October 21, NYDFS announced authorization for a digital payments company to launch a service for U.S. customers to buy, sell, and hold certain NYDFS-approved cryptocurrencies. Under the terms of the “conditional Bitlicense,” the payments company will partner with a New York-chartered trust company responsible for providing cryptocurrency trading and custodial services. According to NYDFS Superintendent Linda Lacewell, this first conditional Bitlicense represents the state regulator’s efforts “to encourage, promote, and assist interested institutions to have a well-regulated way to access the New York virtual currency marketplace in a way that is both timely and protective of New York consumers.” NYDFS first announced the proposed conditional licensing framework in June (covered by InfoBytes here).
Global financial institution pays $2.9 billion to settle Malaysian FCPA conspiracy and bribery charges
On October 22, the DOJ announced that it entered into a deferred prosecution agreement with a global financial institution headquartered in New York (the company), in which the company agreed to pay a criminal fine of over $2.9 billion related to violations of the FCPA’s anti-bribery provisions. The company’s Malaysian subsidiary also pleaded guilty to one count of conspiracy to violate the anti-bribery provisions of the FCPA.
According to the DOJ, between 2009 and 2014, the company participated in a scheme to pay over $1.6 billion in bribes, directly and indirectly, to Malaysian and Abu Dhabi officials to obtain business, including a role in underwriting approximately $6.5 billion in three bond deals for a Malaysian sovereign wealth fund regarding energy development (previous InfoBytes coverage on the charges available here). The DOJ stated that the company admitted to engaging in the scheme through certain employees and agents, including (i) the company’s former Southeast Asia Chairman and managing director, who pleaded guilty in 2018 to conspiring to launder money and to violate the FCPA (covered by InfoBytes here); (ii) a former managing director and head of investment banking for the company’s Malaysian subsidiary, who was charged and subsequently extradited to the U.S. in 2019 and is scheduled to stand trial in March 2021 for conspiring to launder money and to violate the FCPA (covered by InfoBytes here); and (iii) a former executive who held leadership positions in Asia. The company admitted that their former employees and agents conspired with a Malaysian financier (who was indicted in 2018, covered by InfoBytes here) to bribe officials involved in the strategic development initiative by using funds diverted and misappropriated from bond offerings underwritten by the company. The employees and financer also retained a portion of the diverted funds for themselves. The company admitted that it did not take significant steps to ensure the Malaysian financier was not involved in the bond transactions even though they were aware his involvement posed “significant risk,” and the company ignored or nominally addressed the “significant red flags” raised during the due diligence process. The company received approximately $606 million in fees and revenue as a result of the scheme.
The company’s $2.9 billion criminal penalty and disgorgement includes $1.6 billion in payments with respect to separate resolutions with foreign authorities in the United Kingdom, Singapore, Malaysia, and other domestic authorities in the U.S., including $154 million to the Federal Reserve, over $400 million to the SEC, and $150 million to the New York Department of Financial Services.
New York regulator permits video hearings
October 9, the New York State Department of Financial Services amended its rules governing adjudication proceedings to permit hearings to be held by videoconference. Whether a hearing is conducted by videoconference is at the discretion of the official who issued the notice for the hearing, although the respondent or applicant may object. When a hearing is conducted by videoconference, none of the parties nor the hearing officer need by physically present at the same location. The amendments, which were adopted on an emergency basis, will remain effective for 90 days from the date of filing. The regulator intends to submit a similar notice of proposed rulemaking in the future.
NYDFS enforces its debt collection regulation for the first time
On September 16, NYDFS filed a statement of charges against a debt collector for allegedly failing to honor consumers’ requests for substantiation of debt. This is the first enforcement action alleging violations of New York’s Debt Collection Regulation, 23 NYCRR Part 1, which was promulgated in 2015. New York law dictates that substantiation must be provided within 60 days after receiving a request, and specifies what documentation must be provided to substantiate the debt. Charges filed against the company allege that requests made by consumers for information proving the validity of the debt and the company’s right to collect the debt were not honored in several ways, such as failing to provide (i) any substantiation to dozens of consumers; (ii) sufficient substantiation to hundreds of consumers, for example, by omitting a complete chain of title or underlying transaction documents; and (iii) substantiation within the required timeframes. NYDFS maintains that the company’s actions violate 23 NYCRR Part 1, Section 1.4, and that such violation carries civil penalties of up to $1,000 per offense under state law. Additionally, NYDFS claims that “each failure to provide any substantiation, timely substantiation, or sufficient substantiation of debt constitutes an independent offense.” A hearing is scheduled for January 12, 2021 before a hearing officer to be appointed by the Superintendent of Financial Services.
New York AG settles with student loan debt collector for $600k
On September 11, the New York attorney general announced one of the nation’s largest debt collectors will pay $600,000 in restitution to student loan borrowers and will make significant changes to its debt collection practices in order to resolve allegations that it made false, misleading, and deceptive statements in lawsuits and in communications with borrowers. According to the AG, the debt collector, among other things, (i) filed complaints that falsely identified trusts, which hold the defaulted loans, as the borrower’s “original creditor,” when in fact, the trusts are the assignees of the original financial institutions that originated the loans; (ii) filed various misleading sworn affidavits; (iii) filed complaints that represented borrowers applied for loans from a “servicing agent” when, in fact, borrowers never dealt with the entity; (iv) filed lawsuits beyond the applicable three-year statute of limitations; and (v) threatened legal action against borrowers even though the trusts “could not or would not sue because the statute of limitations for suing on the debt had expired.”
The assurance of discontinuance requires the debt collector to stop identifying the trusts as the original creditor and to cease using misleading language in communications with borrowers. In addition, the debt collector must (i) provide enhanced staff training; (ii) stop filing lawsuits beyond the statute of limitations, and voluntarily dismiss all wrongfully-filed lawsuits; (iii) voluntarily release “all pending garnishments, levies, liens, restraining notices, attachments, or any other judgment enforcement mechanism” obtained as a result of judgments obtained in wrongfully-filed lawsuits where the statute of limitations has expired; (v) take steps to vacate any judgment obtained in any of these wrongfully-filed lawsuits; and (vi) pay restitution to certain borrowers or to the state to be disbursed as appropriate.
NYDFS issues guidance on mortgage registration fees
On September 1, NYDFS issued guidance to regulated mortgage lenders and servicers clarifying that mortgagees cannot charge registration fees imposed by municipalities when a mortgage defaults to mortgagors’ accounts. The guidance reminds mortgagees that the state’s mortgage servicing regulation, 3 NYCRR Part 419, allows mortgagees to collect only certain types of fees from a mortgagor, consisting of “attorney’s fees, late and delinquency fees, property valuation fees, and fees for services actually rendered to a mortgagor when such fees are reasonably related to the cost of rendering the service to the borrower.” NYDFS asserts that municipality-required default registration fees do not fall under the specified list and therefore cannot be charged to a mortgagor. The guidance instructs mortgagees to refund any such fees that have been collected, or to reverse any such fees that have been charged to accounts. Moreover, the guidance directs mortgagees to create a log of any registration fee charges and their subsequent corrections for inspection during their next NYDFS examination.