Special Alert: Revised NYDFS Cybersecurity Rule

On December 28, 2016, the New York Department of Financial Services (DFS) issued a revised version (Revised Proposed Rule) of its cybersecurity rule for financial institutions issued on September 13, 2016 (Proposed Rule). The revision came after DFS received more than 150 comments in response to the Proposed Rule, as well as a hearing before New York State lawmakers. The Revised Proposed Rule retains the spirit of the original Proposed Rule, but offers covered entities somewhat more flexibility in implementing the requirements.

Background
The Proposed Rule marked the next step in a period of increased focus on cybersecurity by the agency. Between May 2014 and April 2015, DFS issued three reports relating to cybersecurity in the financial and insurance industries. In November 2015, DFS issued a letter to federal financial services regulatory agencies, which alerted the federal regulators to DFS’s proposed regulatory framework and invited comment from the regulators.

In the September release, DFS explained that the Proposed Rule is a response to the “ever-growing threat posed to information and financial systems by nation-states, terrorist organizations, and independent criminal actors.” As originally written, the Proposed Rule covered financial institutions operating under a charter or license issued by DFS, and set cybersecurity program, policy, training, and reporting requirements that are more stringent than the current federal requirements. The Proposed Rule gave a January 1, 2017 effective date, with a 180-day transitional period. Taking into consideration these concerns, on December 19, 2016, the New York State Assembly’s Standing Committee on Banks held a public hearing regarding cybersecurity and the Proposed Rule. Among the chief concerns expressed at the hearing and in the comment letters was the cost of compliance, especially for smaller banks, and that the Proposed Rule’s “one-size-fits-all” requirements do not consider the varying operational structures, business models, and risk profiles of financial institutions. There was also concern that the Proposed Rule was too different from the current federal requirements.

Click here to read full special alert

* * *

We will continue to monitor the DFS rulemaking process. If you have questions about the Revised Rule or other cybersecurity issues, visit our Privacy, Cyber Risk & Data Security practice for more information, or contact a BuckleySandler attorney with whom you have worked in the past.

LinkedInFacebookTwitterGoogle+Share

Special Alert: OCC Takes the Next Step Toward a Fintech National Bank Charter

On December 2, 2016, the Office of the Comptroller of the Currency (“OCC”) announced its plans to move forward with developing a special purpose national bank charter for financial technology (“fintech”) companies. Accompanying the Comptroller of the Currency, Thomas J. Curry’s announcement, the OCC published a white paper that describes the OCC’s authority to grant national bank charters to fintech companies and outlines minimum supervisory standards for successful fintech bank applicants.[1] These standards would include capital and liquidity standards, risk management requirements, enhanced disclosure requirements, and resolution plans. Over the past several months, the OCC has taken a series of carefully calculated steps to position itself as the preeminent regulator of fintech companies in a hotly-contested race among other federal and state regulators who have similarly expressed interest in formalizing a regulatory framework for fintech companies. This proposal from the OCC reflects the culmination of those efforts.

Click here to read the full special alert

* * *

BuckleySandler welcomes questions regarding this new approach to fintech and banking, and would be happy to assist companies in determining whether a national bank charter would be beneficial for executing on their corporate strategies. Questions regarding the matters discussed in this Alert may be directed to any of our lawyers listed below, or to any other BuckleySandler attorney with whom you have consulted in the past.

LinkedInFacebookTwitterGoogle+Share

Election Results: Preliminary Thoughts and Reactions

As a result of last Tuesday’s election, Republicans will control the White House and both houses of Congress in 2017. It is likely there ultimately will be some significant changes affecting financial services regulation and enforcement, but they will take time to implement. The President-elect has articulated sympathy for less regulation and opposition to the Dodd-Frank Act but also an unconventional economic populism. The Congressional Republicans have already prepared, and in some cases passed, more specific changes to limit and cabin the CFPB. We anticipate efforts focused on changing the CFPB Director and CFPB structure, reduced regulation that may encourage product innovation (particularly in the FinTech space), and potentially less emphasis on certain Department of Justice (“DOJ”) enforcement initiatives such as fair lending and the Residential Mortgage-Backed Securities (“RMBS”) task force. Nonetheless, we expect continued enforcement and supervisory activity, including by states and by prudential regulators that are less directly tied to shifting political winds.

Click here to read the full special alert

* * *

Questions regarding the matters discussed in this alert may be directed to any of our lawyers listed below, or to any other BuckleySandler attorney with whom you have consulted in the past.

LinkedInFacebookTwitterGoogle+Share

Special Alert: Summary of CFPB’s final prepaid rule

I. Overview of the CFPB’s Final Prepaid Rule
On October 5, 2016, the Consumer Financial Protection Bureau (Bureau) issued a final rule (Prepaid Rule) amending Regulations E and Z to extend consumer protections to prepaid card accounts. The new protections include pre-acquisition disclosures, error resolution rights, and periodic statements. In addition, prepaid card accounts that include a separate credit feature are subject to some of Regulation Z’s credit card provisions, including an ability-to-repay requirement. Prepaid card issuers are also required to submit to the Bureau and to post to their websites any new and revised prepaid card account agreements. In this alert we summarize key provisions of the Prepaid Rule except those provisions that apply only to payroll and government benefits prepaid cards, which will be covered in a separate alert.

II. Effective Date
The Prepaid Rule’s effective date is October 1, 2017, however, the effective date for posting prepaid card account agreements is October 1, 2018. Heeding concerns about burden, the Bureau stated that the Prepaid Rule does not require financial institutions to pull and replace prepaid account access devices or packaging materials that were manufactured, printed, or otherwise produced in the normal course of business prior to October 1, 2017. Instead, financial institutions must provide consumers with notice of certain changes in terms and updated initial disclosures, in certain circumstances.

Click here to read full Special Alert

* * *

Questions regarding the matters discussed in this Alert may be directed to any of our lawyers listed below, or to any other BuckleySandler attorney with whom you have consulted in the past.

 

 

 

LinkedInFacebookTwitterGoogle+Share

Special Alert: D.C. Circuit Panel Rejects CFPB’s RESPA Interpretation and Alters its Structure in PHH Corp. v. CFPB

On October 11, a three-judge panel of the U.S. Court of Appeals for the District of Columbia Circuit issued an opinion vacating a $109 million penalty imposed on PHH Corporation under the anti-kickback provisions of the Real Estate Settlement Procedures Act (RESPA), concluding that the CFPB misinterpreted the statute and violated due process by reversing the interpretation of the prior regulator and applying its own interpretation retroactively. Furthermore, the panel rejected the CFPB’s contention that no statute of limitations applied to its administrative actions and concluded that RESPA’s three-year statute of limitations applied to any actions brought under RESPA.

In addition, a majority of the panel held that the CFPB’s status as an independent agency headed by a single Director violates the separation of powers under Article II of the U.S. Constitution. However, rather than shutting down the CFPB and voiding all of its regulations and prior actions, the majority chose to remedy the defect by making the CFPB’s Director subject to removal at will by the President. In effect, this makes the CFPB an executive agency (like the Department of the Treasury) rather than, as envisioned by the Dodd-Frank Act, an independent agency (like the Federal Trade Commission). (One member of the panel, Judge Henderson, dissented from this portion of the opinion on the grounds that it was not necessary to reach the constitutional issue because the panel was already reversing the CFPB’s interpretation of RESPA.)

The panel remanded the case to the CFPB to determine whether, within the three-year statute of limitations, the payments to PHH’s affiliate exceeded the fair market value of the services provided in violation of RESPA. The CFPB is expected to petition for en banc reconsideration by the full D.C. Circuit or to seek direct review by the United States Supreme Court. Therefore, final resolution of this matter may be delayed by a year or more.

Click here to read the full Special Alert.

* * *

Questions regarding the matters discussed in this Alert may be directed to any of our lawyers listed below, or to any other BuckleySandler attorney with whom you have consulted in the past.

LinkedInFacebookTwitterGoogle+Share