Tuesday, July 31, 2018

According to CEI, New York’s online lending report is ‘flawed’



The Competitive Enterprise Institute (CEI) contends that the New York Department of Financial Services’ recent report on online lending is “flawed.” In its July 30, 2018, release, the CEI asserts that the NYDFS report “makes dubious legal and economic arguments with little empirical evidence to back it up, omits important historical events that do not support its conclusions, and supports policies that would significantly inhibit credit markets in the state, harming consumers and small businesses alike.”

On July 11, 2018, the NYDFS released a report on online lenders based on a “New York Marketplace Lending Survey” sent by the agency to 48 institutions believed to be engaged in online lending activities in the state. Mandated by legislation, the NYDFS report includes an analysis of online lenders operating in New York, including: the lenders’ methods of operation; their lending practices, including interest rates and costs charged; the risks and benefits of the products offered by online lenders; the primary differences with products offered by traditional lending institutions; and complaints and investigations pertaining to online lenders. In addition, the report includes information regarding actions undertaken by the NYDFS to protect the state’s markets and consumers, as well as the state agency’s analyses and recommendations.

CEI’s contentions. Generally, the CEI maintains that, in a number of instances, the NYDFS study does not include “supporting evidence” or “makes broad assertions without substantiating the claims.” More specifically, the CEI:
  • disputes the NYDFS report’s statement that “payday lenders often operate in a regulation-free environment,” and asserts that many federal laws cover consumer credit generally and that all 50 states “regulate small-dollar loans extensively”—with 18 states and the District of Columbia prohibiting high-cost payday lending entirely;
  • takes issue with the report’s claim that small businesses “have reported dissatisfaction with their online loans because of both high interest rates and unfavorable terms that are not often clear to the owners,” because “no evidence is provided” to bolster that claim, and because certain market studies have found that “online lending can be cheaper and fairer than other sources;”
  • argues that small businesses frequently cannot gain access to conventional bank financing, and that the emergence of new technologies giving rise to online business models to fill this void is a “positive development;”
  • maintains that the high interest rates associated with online small-dollar lending “are also likely a genuine assessment of risk, demonstrated by the high level of competition in the marketplace;”
  • asserts that the NYDFS report’s attempt to draw parallels between the “predatory lending” of the financial crisis and online consumer lending is unsubstantiated, threadbare, and without merit, especially because the NYDFS claim omits any discussion of “the two enormous government sponsored enterprises (GSEs) that drove underwriting standards to dangerous lows during the financial crisis;”
  • observes that although commercial lending is a “completely different animal” from consumer lending, the NYDFS report fails to make this distinction in its proposed regulatory framework, and, therefore, “regulating business lending the same as consumer lending is conceptually flawed and will only further the exodus of innovative lenders from the New York market;” and
  • opposes “NYDFS’s call for the application of New York usury limits to all online lending” because, among other things, not only would that approach conflict with the National Bank Act, federal preemption principles, and long-standing Supreme Court precedent, it also would “drastically reduce credit availability” for both consumers and small businesses and would create “a greater number of unbanked customers” in the process.
For more information about regulators' reports affecting the financial services industry, subscribe to the Banking and Finance Law Daily.


Friday, July 27, 2018

Debt collection company and former CEO settle with CFPB

By Andrew A. Turner, J.D.

The Consumer Financial Protection Bureau announced that it has reached a settlement with National Credit Adjusters, LLC (NCA), a privately-held company headquartered in Kansas, and its former CEO and part-owner, Bradley Hochstein. The order imposes a judgment for civil money penalties of $3 million against NCA and $3 million against Hochstein. Full payment of those amounts is suspended subject to NCA paying a $500,000 civil money penalty and Hochstein paying a $300,000 civil money penalty.

As described in the consent order, the CFPB found that NCA and Hochstein used a network of debt collection companies to collect consumer debt on NCA’s behalf. Some of those companies engaged in unlawful debt collection acts, including representing that consumers owed more than they were legally required to pay and threatening consumers and their family members with lawsuits, visits from process servers, and arrest, when neither NCA nor the collection companies had the legal authority to take those actions.

The CFPB found that NCA and Hochstein continued placing debt with those companies for collection with knowledge or reckless disregard of the companies’ illegal consumer debt collection practices. They also sold millions in consumer debt to those companies with knowledge or reckless disregard of the company’s illegal consumer debt collection practices. Between 2011 and 2015, NCA sold more than $700 million in consumer debt portfolios to the companies.

The CFPB charged NCA and Hochstein with violating the Consumer Financial Protection Act and also charged NCA with violating the Fair Debt Collection Practices Act. Under the terms of the consent order, NCA and Hochstein are barred from certain collection practices and Hochstein is permanently barred from working in any business that collects, buys, or sells consumer debt. NCA must submit a comprehensive compliance plan to the CFPB, designed to ensure that its future debt collection practices are in compliance with federal law.

For more information about CFPB oversight of debt collectors, subscribe to the Banking and Finance Law Daily.

Thursday, July 26, 2018

CFPB settles loan disclosure violation charges with small-dollar lender

By Andrew A. Turner, J.D.

The Consumer Financial Protection Bureau has reached a settlement with Triton Management Group, Inc., and related entities, relating to alleged violations of the Truth in Lending Act and implementing Regulation Z, as well as the Consumer Financial Protection Act, the agency announced. Triton is a small-dollar lender operating in Alabama, Mississippi, and South Carolina, and does business under several names including “Always Money” and “Quik Pawn Shop.” The companies entered into a consent order pursuant to a stipulation, without admitting or denying any wrongdoing.
 
According to the Bureau, Triton violated the TILA and Reg. Z by failing to properly disclose finance charges associated with Mississippi auto title loans. The Bureau further determined that these actions constituted deceptive acts or practices in violation of the CFPA. In addition, Triton’s advertisements failed to disclose annual percentage rate and other information required by TILA, the Bureau alleged.
 
The order imposed a judgment against Triton and its related companies in the amount of $1,522,298, which represents the undisclosed finance charges consumers paid on their Triton loans. However, the order suspends payment of the judgment subject to Triton’s payment of $500,000 in redress to affected consumers, who are expected to number approximately 1,309, representing approximately 2,136 loans.
 
The order also prohibits Triton and its related businesses from:
  • using or disclosing payment schedules for title pledges or loans that contradict or obscure the actual finance charge or other terms of the obligation between the parties; and
  • misrepresenting, in connection with the marketing or offering of consumer credit, the fees charged for loan extensions, the finance charge and annual percentage rate for loans, and any other terms or conditions for credit.
For more information about CFPB enforcement actions, subscribe to the Banking and Finance Law Daily.

Wednesday, July 25, 2018

TCF and CFPB settle overdraft fee litigation

By J. Preston Carter, J.D., LL.M.

TCF National Bank reached a $25 million-plus settlement with the Consumer Financial Protection Bureau to resolve litigation alleging the bank violated rules regarding its marketing and sale of overdraft services. The Bureau’s press release announcing the settlement stated that it alleged in its lawsuit that when attempting to obtain proper legal consent from consumers to charge overdraft fees, TCF obscured the fees it charged and made consenting to overdraft fees seem mandatory for new customers to open an account. Banks are required by Reg. E, 12 CFR 1005.17, to obtain a customer’s consent before they can lawfully charge overdraft fees on ATM withdrawals and one-time debit purchases, the Bureau noted.

TCF agreed to abide by an injunction not to engage in such practices and to pay $25 million in restitution to customers the bank charged fees for overdrafts. The proposed order would also impose a $5 million civil money penalty, which would be adjusted to account for a $3 million penalty imposed on the bank by the Office of the Comptroller of the Currency as part of a separate action. In its proposed agreement with the Bureau, TCF did not admit to any wrongdoing.

The agreement requires TCF to send a letter to all TCF customers who opted in to accept overdraft fees before May 1, 2015, that only includes a copy of a federal notice entitled "What You Need to Know About Overdrafts and Overdraft Fees." In addition, TCF would have to contact all consumer reporting agencies to request that any information TCF provided about covered overdraft fees paid by its customers in the past seven years "be corrected to update or remove such information." TCF would also have to submit a plan within 60 days of the effective settlement detailing how customers would receive a pro-rated share of the $25 million settlement based on the number of covered overdraft charges.

TCF said in a statement it is "pleased to have reached a resolution" to the litigation. "We believe that we have thoroughly addressed these issues and that our disclosures comply with all laws and regulations," TCF said. "We believe it is in the best interests of our customers, shareholders and other stakeholders to avoid continuing a protracted and expensive lawsuit, and instead focus solely on executing our strategy to grow our business and drive value for our shareholders."

The company added it believes it has gone "above and beyond compliance standards outlined in Regulation E....In fact, the OCC notes in its consent order that during the period in question we provided customers with written disclosures concerning our overdraft service that complied with the technical requirements of Regulation E."

For more information about the Consumer Finacial Protection Bureau, subscribe to the Banking and Finance Law Daily.

Thursday, July 19, 2018

FHFA organization violates separation of powers, unlike CFPB organization

By Katalina M. Bianco, J.D.
 
Congress went too far in its effort to create a Federal Housing Finance Agency that would not be subject to political influence, a deeply divided three judge panel of the U.S. Court of Appeals for the Fifth Circuit has decided. An independent agency can be insulated, but it cannot be isolated, the opinion of the court said. As a result, the provisions of the Housing and Economic Recovery Act that allow the president to remove the FHFA director only for cause must be severed from the remainder of the Act, rendering the director removable at the president’s discretion (Collins v. Mnuchin, July 16, 2018, per curiam).
 
The separation of powers discussion bears a striking similarity to the analysis of the Consumer Financial Protection Bureau’s organization in PHH Corp. v. CFPB. However, the Fifth Circuit distinguished the two agencies by noting that the CFPB is restrained by the ability of the Financial Stability Oversight Council to block the Bureau’s regulations from taking effect. There is no similar restraint on the FHFA, and that leads to a different result.
 
GSE shareholders’ challenge. The genesis of the opinion was a suit by Fannie Mae and Freddie Mac shareholders who were challenging the "net worth sweep"—an agreement under which the Treasury Department provides financial support to the GSEs in exchange for quarterly dividends that equal each of the GSEs’ net worth. The shareholders raised two claims: the FHFA exceeded its statutory authority in reaching the agreement, and the FHFA was structured unconstitutionally.
 
The opinion of the court examined the effect of five organizational factors on the constitutionality of the FHFA:
  1. the for-cause protection from removal; 
  2. the single-director structure; 
  3. the absence of bipartisan balance; 
  4. the exemption from the appropriations process; and 
  5. the lack of formal executive branch control over the FHFA’s operations.
 
While none of the five factors decided the outcome of the case individually, the combination of them all interfered with the president’s ability to carry out his Constitutional duty of ensuring that federal laws were enforced, according to the opinion of the court.
 
FHFA v. CFPB. It was the fifth factor that separated the FHFA’s structure from that of the CFPB, the opinion of the court said. The FHFA is supervised by the Federal Housing Finance Oversight Board, the court noted; however, that entity is purely advisory and has no authority to impose any requirements on the FHFA.
 
On the other hand, the FSOC has the power to nullify CFPB regulations that threaten the safety and soundness of the banking system or the stability of the financial system. A supermajority of the FSOC’s 10 members are selected by the president, the opinion pointed out. That creates an "emergency brake" that is adequate to make the Bureau accountable to the president.
 
Severance as remedy. Like the three-judge panel in the D.C. Circuit’s first PHH Corp. v. CFPB opinion, the court refrained from striking down the entire FHFA. Rather, it deemed the severance of the offending for-cause protection clause from the rest of the Act to be an adequate remedy. As a result, the FHFA will be converted to "a properly supervised executive agency."
 
Dissenting opinions. Two of the three judges dissented from parts of the opinion of the court, which apparently was written by Judge Catharina Haynes.
 
Chief Judge Carl E. Stewart disagreed with the opinion of the court on the constitutionality issue. He echoed the en banc majority opinion in PHH, but added that he believed the FHFA also is subject to adequate presidential oversight. Judge Stewart was unconvinced that the FHFOB is not a sufficient check on the FHFA, even if it is merely an advisory board.
 
Judge Don Willett agreed that the FHFA is unconstitutional. However, he disagreed with a different, unrelated part of the opinion of the court—that HERA’s anti-injunction provisions bar the shareholders from suing the agency. According to Judge Willett, the anti-injunction provision prevents suits against the FHFA as conservator; however, the new worth sweep was a step the agency could take only as the GSEs’ receiver. The distinction makes the anti-injunction provisions inapplicable.
 
The case is No. 17-20364.

For more information about FHFA and CFPB cases, subscribe to the Banking and Finance Law Daily.

Tuesday, July 17, 2018

Foreclosures, home forfeitures decreased during past year, OCC reports


By Thomas G. Wolfe, J.D.

According to a recent report released by the Office of the Comptroller of the Currency, while mortgage loan servicers initiated 37,300 new foreclosures during the first quarter of 2018, an increase of 8.1 percent from the prior quarter, there still was a 21.5 percent decrease in mortgage foreclosures overall when compared to a year earlier. Similarly, home forfeiture actions—completed foreclosure sales, short sales, and deed-in-lieu-of-foreclosure actions—decreased to 19,360 during the first quarter of 2018, a reduction of 32.5 percent compared with a year earlier. At the same time, the “OCC Mortgage Metrics Report: First Quarter 2018” indicates that the performance of first-lien residential mortgages remained unchanged during the first quarter of 2018 compared with a year earlier.

The OCC’s latest mortgage-metrics report, which tracked national bank mortgage-loan data through March 31, 2018, indicates that reporting banks serviced approximately 17.8 million first-lien mortgage loans with $3.30 trillion in unpaid principal balances. As observed by the OCC, this $3.30 trillion figure represents “33 percent of all residential mortgage debt outstanding in the United States.”

According to the report, the percentage of mortgages that were current and performing at the end of the first quarter of 2018 remained at 95.6 percent relative to the previous year. In addition, loan servicers implemented 23,427 mortgage modifications in the first quarter of 2018—a 7.1 percent increase from the prior quarter’s modifications. Of those 23,427 completed mortgage modifications, 78.5 percent of them reduced borrowers’ monthly payments.

For more information about reports prepared by federal or state regulators that pertain to the financial services industry, subscribe to the Banking and Finance Law Daily.

Thursday, July 12, 2018

Banking regulators detail response to regulatory relief law

By Andrew A. Turner, J.D.

Federal banking agencies have responded to the enactment of the Economic Growth, Regulatory Relief, and Consumer Protection Act (EGRRCPA) by providing insight into their plans for implementation.
 
An interagency statement describes interim positions affecting company-run stress testing, resolution plans, the Volcker rule, high volatility commercial real estate exposures, examination cycles, municipal obligations as high-quality liquid assets, and other provisions.
 
The Federal Reserve Board announced that it will no longer subject primarily smaller, less complex banking organizations to certain regulations, including those relating to stress testing and liquidity. The Fed also provided guidance and Consumer Compliance Examination Procedures on the restoration of the Protecting Tenants at Foreclosure Act.
 
In addition, the Consumer Financial Protection Bureau, Federal Deposit Insurance Corporation, Fed, and Office of the Comptroller of the Currency issued statements regarding the implementation of amendments to the Home Mortgage Disclosure Act.
 
Banking regulators list interim positions. The federal banking agencies released a statement detailing rules and reporting requirements that are immediately affected by the enactment of EGRRCPA. The interagency statement describes interim positions the regulatory agencies will take on the following changes before incorporating them into their regulations:
  • Stress testing. The agencies are extending the deadlines for all regulatory requirements related to company-run stress testing for depository institutions with average total consolidated assets of less than $100 billion until Nov. 25, 2019.
  • Resolution plans. Consistent with EGRRCPA, the Fed and FDIC will not enforce the final rules establishing resolution planning requirements in a manner inconsistent with the amendments made by the law to section 165 of the Dodd-Frank Act.
  • Volcker Rule. The agencies will not enforce the regulation implementing section 13 of the Bank Holding Company Act, relating to covered funds under the Volcker Rule, in a manner that is inconsistent with the amendments made by EGRRCPA.
  • High volatility commercial real estate exposures. EGRRCPA provides that the federal banking agencies may only require a depository institution to assign a heightened risk weight to an HVCRE exposure if such exposure is an "HVCRE ADC Loan." The agencies will not take action to require a bank holding company, savings and loan holding company, or intermediate holding company of a foreign bank to estimate and report HVCRE on Schedule HC-R, Part II of the FR Y-9C consistent with the existing regulatory requirements and reporting form instructions, provided that the holding company reports HVCRE in a manner consistent with its subsidiary depository institution(s) and EGRRCPA.
  • Examination cycles. The agencies intend to engage in rulemaking to implement EGRRCPA’s increases in the total asset threshold for well-capitalized insured depository institutions to be eligible for an 18-month examination cycle.
Fed announces regulatory response. The Fed’s statement provides guidance on the implementation of other changes made by the legislation, including those relating to assessments and high volatility commercial real estate exposures.
 
EGRRCPA raised the threshold for Dodd-Frank Act enhanced prudential standards from $50 billion to $100 billion dollars in total consolidated assets for bank holding companies. The change created inconsistencies between Fed regulations and the new law and until EGRRCPA's changes are incorporated into the regulations, the Fed will not take actions to enforce the regulations against firms with less than $100 billion in total consolidated assets.
 
The Fed set forth the positions it would take until the regulations are modified:
  • Assessments. The Fed collects assessments from bank holding companies and savings and loan holding companies with $50 billion or more in total consolidated assets to cover the cost of their supervision. Beginning with the year 2018, assessments will not be collected from bank holding companies and savings and loan holding companies with total consolidated assets of less than $100 billion.
  • High volatility commercial real estate (HVCRE). EGRRCPA provides that the federal banking agencies may only require a depository institution to assign a heightened risk weight to an HVCRE exposure if such exposure is an "HVCRE ADC Loan." The Fed will not take action to require a bank holding company, savings and loan holding company, or intermediate holding company of a foreign bank to estimate and report HVCRE on Schedule HC-R, Part II of the FR Y-9C consistent with the existing regulatory requirements and reporting form instructions, provided that the holding company reports HVCRE in a manner consistent with its subsidiary depository institution(s) and EGRRCPA.
  • Enhanced prudential standards. Dodd-Frank required the Fed to establish stricter prudential standards for bank holding companies with total consolidated assets of $50 billion or more. EGRRCPA increased the $50 billion asset threshold in two stages, initially to $100 million and in 18 months, to $250 million. Consistent with EGRRCPA, the Fed will not take action to require bank holding companies with less than $100 billion in total consolidated assets to comply with certain existing regulatory requirements, including the enhanced prudential standards in Regulation YY, the liquidity coverage ratio requirements in Regulation WW, and the capital planning requirements in the Regulation Y. The Fed is also extending the date for financial companies with total consolidated assets between $10 billion and $100 billion to comply with the company-run stress testing requirements until Nov. 25, 2019 (at which time the statutory exemption will be in effect).
The Fed will not take action to require bank holding companies, state member banks, and savings and loan holding companies with less than $100 billion in total consolidated assets to comply with certain reporting, disclosure, and recordkeeping requirements associated with regulations affected by EGRRCPA. However, the Fed will continue to review the capital planning and risk management practices of these institutions through the regular supervisory process.
 
Agencies issue statements on HMDA amendments. HMDA, which is implemented by Regulation C, requires certain financial institutions to collect, report, and disclose information about their mortgage lending activity. The Economic Growth, Regulatory Relief, and Consumer Protection Act provides partial exemptions for some insured depository institutions and insured credit unions from certain HMDA requirements.
 
The agencies’ statements explain which institutions are entitled to these exemptions, provide information on the formatting and submission of Loan/Application Registers, and describe HMDA compliance expectations for data collected in 2018 and reported in 2019. The CFPB expects later this summer to provide further guidance on the applicability of the Act to HMDA data collected in 2018.
 
Fed updates institutions on reinstated tenant foreclosure protection law. The Fed has updated its supervised institutions on the reinstatement of the Protecting Tenants at Foreclosure Act (PTFA) of 2009, which became effective June 23, 2018. Section 304 of the Economic Growth, Regulatory Relief, and Consumer Protection Act reinstated the PTFA. The Fed’s Consumer Affairs letter (CA 18-4), which was sent to all Federal Reserve Banks, is to be distributed to all supervised institutions, consumer compliance examiners, and supervisory staff.
 
Prior to the passage of the PTFA, renters living in property that went into foreclosure were often required to move with as little as a few days’ notice. The law ensured that most tenants can stay in their home for the remainder of their lease or for at least 90 days post-foreclosure. However, Congress did not extend the PTFA, and it expired on Dec. 31, 2014.
 
The PTFA establishes a minimum time period that a tenant can remain in a foreclosed property before eviction. Under the law, bona fide tenants must be provided with 90 days’ notice prior to eviction. Additionally, bona fide tenants with leases must be allowed to occupy property until the end of the lease term, except the lease can be terminated on 90 days’ notice if the unit is sold to a purchaser who will occupy the property. The law does not affect any state or local law that provides longer time periods or other additional protections for tenants.
 
The Fed letter states that the law is self-executing, meaning that no federal agency has authority to issue regulations implementing the law or to interpret the law. According to the Fed's compliance procedures for the newly restored Act, examiners must assess an institution’s awareness of its responsibilities, as well as its compliance management policies and procedures under the Protecting Tenants at Foreclosure Act.
 
Consumer compliance examiners will "employ risk-focused consumer compliance supervision principles to determine if they should include a review of compliance with the Protecting Tenants at Foreclosure Act in an examination." If compliance with PTFA is included in the examination scope, examiners will use the examination procedures to evaluate an institution’s awareness of the law, its compliance efforts, and its responsiveness to addressing implementation deficiencies.
 
For more information about regulatory reform, subscribe to the Banking and Finance Law Daily.

Thursday, July 5, 2018

2018 ABA regulatory compliance conference adds ‘conduct’ to core topics

By Katalina M. Bianco, J.D.

The American Bankers Association held its 2018 regulatory compliance conference June 24 - 27 in Nashville, Tenn., and it was, as usual, informative and interesting.

Overview. Attendees were introduced to a new area of banking operations this year: managing conduct risk. Conduct risk is actually misconduct risk as it applies here. The managing of conduct has become a major concern in light of the Wells Fargo sales practices fiasco. Institutions have responded by developing and implementing best practices to rein in misconduct issues.

Also featured in this year’s conference: Bank Secrecy Act/anti-money laundering; modernization of the Community Reinvestment Act; banking in the digital age; and the new statute with the name that nobody could remember—the Economic Growth, Regulatory Relief, and Consumer Protection Act, simply referred to as S. 2155 or the Crapo bill.

Conduct and culture. A team led by a senior representative of Wells Fargo (a bit of irony there but who better to know the aftermath of reputational risk?) discussed lessons learned in the aftermath of the sales practices debacle and how financial institutions have begun to formalize those lessons. The session covered the elements of conduct risk, how conduct risk management frameworks are constructed, the various roles and responsibilities of bank personnel, and leading practices on controlling conduct risk.

BSA/AML and the need to digitalize. While BSA and anti-money laundering discussions have been staples at the ABA conferences for many years, this year the focus was on the need to drag this area of practice into the 21st century. Speakers referred to the BSA as "woefully behind" in its progress given the importance in this day and age for protections against money laundering activities. Using technology is key, but there are challenges. Speakers described testing done by the Financial Conduct Authority in London to determine if issuing a regulation via code rather than text is feasible. The test was a success. The FCA has gathered hundreds of bankers, regulators, and techies, observed by six U.S. regulatory agencies, to apply the technology to the BSA.

Modernization of the CRA. As stressed by a number of moderators and speakers, including the banking regulators, it’s also time to modernize the CRA. Banking has changed over the years, but the CRA has remained stagnant. The regulators named CRA modernization as their number one priority and indicated that inter-agency discussions have been ongoing. The industry is expected to see an advance notice of proposed rulemaking in the near future. The regulators are hoping to receive feedback on the ANPR that they can use to move forward on a proposal. Speakers predicted that CRA reform not only is imminent, it will be as significant, if not more so, than the last reform conducted in 1995.

Banking in the digital age. A number of sessions at the conference addressed the challenges and benefits of banking in the digital age. Topics covered e-lending, social media, website "rehab," compliance risks in the new payments world, accounts opening concerns, data mining, and big data.

S. 2155 is here. The implications of S. 2155 were discussed and analyzed and certain provisions highlighted for their applicability to the compliance space.

The standards and the CFPB. Finally, the ABA presented an avalanche of materials targeting the compliance standards, such as: implementation of Home Mortgage Disclosure Act rules; mortgage servicing rules; fair lending; and UDAAP. Discussion about the role of the CFPB (or BCFP?) moving forward was interspersed throughout the conference.

Take away. All in all, a conference well worth attending. Next year: New Orleans!

For more information about compliance issues, subscribe to the Banking and Finance Law Daily.

Tuesday, July 3, 2018

New York requires credit bureaus to register, report, and comply with cybersecurity standards


The New York State Department of Financial Services (NYDFS) has adopted a regulation requiring consumer credit reporting agencies with significant operations in New York to register with the NYDFS and to comply with its new cybersecurity standards. Further, the regulation requires these credit bureaus to report annually to the NYDFS superintendent, and empowers the superintendent to deny, suspend, and potentially revoke a credit reporting agency’s authorization to do business with the state’s regulated financial institutions and consumers “if the agency is found to be out of compliance with certain prohibited practices, including engaging in unfair, deceptive or predatory practices.” The regulation takes effect upon publication of the “Notice of Adoption” in the State Register.

In a June 25, 2018, release, NYDFS Superintendent Maria Vullo stated that the data breach at Equifax “demonstrated the absolute necessity of strong state regulation, such as New York’s first-in-the-nation cybersecurity regulation, to safeguard New York's markets, consumers, and sensitive information from cyberattacks.” Similarly referencing the Equifax data breach as exposing the personal and private information of millions of the state’s residents, New York Governor Andrew Cuomo remarked, “As the federal government weakens consumer protections, New York is strengthening them with these new standards.”

Regulation highlights. After receiving, reviewing, and incorporating public comments on the proposal, the NYDFS promulgated “Registration Requirements & Prohibited Practices for Credit Reporting Agencies” (23 NYCRR 201). Among other things, the final state regulation:
  • requires all consumer credit reporting agencies that reported on 1,000 or more New York consumers in the preceding year to register annually with the NYDFS, beginning “on or before September 1, 2018, and by February 1 of each successive year for the calendar year thereafter;”
  • requires that the registration form list a credit reporting agency's officers and directors who will be responsible for compliance with New York’s financial services, banking, and insurance laws, and regulations;
  • authorizes the NYDFS superintendent to refuse to renew a credit reporting agency’s registration if the agency is found: to be in violation of federal or state laws or regulations; to be in noncompliance with the regulation’s requirements; to have engaged in fraudulent, coercive, or dishonest practices; or to have provided materially incorrect, untrue, or misleading information;
  • subjects credit reporting agencies to examinations by the NYDFS as often as the superintendent determines is necessary;
  • prohibits credit reporting agencies, to the extent not preempted by federal law, from engaging in certain specified conduct, including any “unfair, deceptive, or predatory act or practice toward any consumer;” and
  • requires credit reporting agencies to comply with the NYDFS’s cybersecurity regulation (23 NYCRR 500), beginning on Nov. 1, 2018, and, in keeping the time table set forth, to have in place: a cybersecurity program; a policy (or policies) approved by the board or senior officer; a Chief Information Security Officer; controls and plans to help ensure the safety and soundness of New York’s financial services industry; the protection of data from third-party vendors; and the filing of an annual certification of compliance.
For more information about new state regulations affecting the financial services industry, subscribe to the Banking and Finance Law Daily.