Tuesday, July 3, 2018

New York requires credit bureaus to register, report, and comply with cybersecurity standards
The New York State Department of Financial Services (NYDFS) has adopted a regulation requiring consumer credit reporting agencies with significant operations in New York to register with the NYDFS and to comply with its new cybersecurity standards. Further, the regulation requires these credit bureaus to report annually to the NYDFS superintendent, and empowers the superintendent to deny, suspend, and potentially revoke a credit reporting agency’s authorization to do business with the state’s regulated financial institutions and consumers “if the agency is found to be out of compliance with certain prohibited practices, including engaging in unfair, deceptive or predatory practices.” The regulation takes effect upon publication of the “Notice of Adoption” in the State Register.

In a June 25, 2018, release, NYDFS Superintendent Maria Vullo stated that the data breach at Equifax “demonstrated the absolute necessity of strong state regulation, such as New York’s first-in-the-nation cybersecurity regulation, to safeguard New York's markets, consumers, and sensitive information from cyberattacks.” Similarly referencing the Equifax data breach as exposing the personal and private information of millions of the state’s residents, New York Governor Andrew Cuomo remarked, “As the federal government weakens consumer protections, New York is strengthening them with these new standards.”

Regulation highlights. After receiving, reviewing, and incorporating public comments on the proposal, the NYDFS promulgated “Registration Requirements & Prohibited Practices for Credit Reporting Agencies” (23 NYCRR 201). Among other things, the final state regulation:
  • requires all consumer credit reporting agencies that reported on 1,000 or more New York consumers in the preceding year to register annually with the NYDFS, beginning “on or before September 1, 2018, and by February 1 of each successive year for the calendar year thereafter;”
  • requires that the registration form list a credit reporting agency's officers and directors who will be responsible for compliance with New York’s financial services, banking, and insurance laws, and regulations;
  • authorizes the NYDFS superintendent to refuse to renew a credit reporting agency’s registration if the agency is found: to be in violation of federal or state laws or regulations; to be in noncompliance with the regulation’s requirements; to have engaged in fraudulent, coercive, or dishonest practices; or to have provided materially incorrect, untrue, or misleading information;
  • subjects credit reporting agencies to examinations by the NYDFS as often as the superintendent determines is necessary;
  • prohibits credit reporting agencies, to the extent not preempted by federal law, from engaging in certain specified conduct, including any “unfair, deceptive, or predatory act or practice toward any consumer;” and
  • requires credit reporting agencies to comply with the NYDFS’s cybersecurity regulation (23 NYCRR 500), beginning on Nov. 1, 2018, and, in keeping with the timetable set forth, to have in place: a cybersecurity program; a policy (or policies) approved by the board or a senior officer; a Chief Information Security Officer; controls and plans to help ensure the safety and soundness of New York’s financial services industry; the protection of data from third-party vendors; and the filing of an annual certification of compliance.
For more information about new state regulations affecting the financial services industry, subscribe to the Banking and Finance Law Daily.