On November 9, the New York DFS sent a letter to federal regulators and other interested parties, including the CFPB, Federal Reserve Board, and the OCC, regarding potential new regulations aimed at increasing cybersecurity efforts within the financial sector. The letter references recent DFS reports that covered key findings from surveys given to regulated banking organizations on their cybersecurity programs, costs, and future plans. The reports raised the following concerns: (i) the speed of technological change and the increasingly sophisticated nature of threats; (ii) third-party service providers tend to have access to sensitive information and companies’ IT systems, providing potential hackers with a point of entry; and (iii) the “scale and breadth of the most recent breaches and incidents.” In light of these concerns, the DFS asserts that it would be beneficial to coordinate with state and federal regulators to “develop a comprehensive [cybersecurity] framework that addresses the most critical issues, while still preserving the flexibility to address New York-specific concerns.” According to the letter, the DFS expects to propose regulations requiring entities to set specific requirements in areas such as: (i) cybersecurity policies and procedures; (ii) third-party service provider management; (iii) cybersecurity personnel and intelligence, including implementing mandatory cybersecurity training programs; and (iv) notice of cybersecurity breaches.
State AGs Urge Card Companies to Advance Consumer Protection by Implementing Chip and PIN Technology
On November 16, nine state attorneys general sent a letter urging leading card brands to expedite the implementation of chip and PIN technology in the United States. The letter summarizes research connected to recent data breaches, stating “individuals whose credit or debit cards were breached in the past year were nearly three times more likely to be an identity fraud victim.” Addressing concern that PIN technology would be burdensome or confusing to consumers, the AGs maintain that many consumers are accustomed to financial transactions that rely on PIN technology, such as transactions involving debit cards, and point to a November 2014 poll that indicated cardholders were supportive of chip and PIN technology. The AGs emphasize that PIN technology is “nothing new” and is considered the “gold standard” for payment card security, noting that countries around the world have seen a dramatic decrease in fraud since implementing the technology. Finally, while the letter stresses that chip and PIN technology would better protect both consumers and businesses from data breaches, it does not suggest that the technology be legally mandated at the federal or state level: “[T]his letter calls upon you as good corporate citizens to voluntarily expedite the implementation of existing technology that offers the most substantial security benefits, and to continue to adapt and improve security as quickly as possible as technology advances.”
On November 5, Massachusetts AG Maura Healey announced a settlement with a national auto lender to resolve allegations that the lender charged excessive interest rates on subprime auto loans. The company agreed to provide over $5 million – approximately $11,000 per consumer – in relief to those affected by its alleged practice of charging consumers excessive interest rates as a result of including fees from an add-on GAP insurance product. Under the terms of the assurance and discontinuance, the company will (i) eliminate the alleged excessive interest on certain loans as a result of the GAP fee; and (ii) forgive outstanding interest on loans. In addition, the company must pay $150,000 to Massachusetts and perform supervised audits of its existing loan portfolio to ensure that no additional consumers were overcharged because of GAP fees.
Texas Department of Banking Issues Supervisory Memorandum to Money Services Business License Holders
On October 29, the Texas Department of Banking (the Department) issued a supervisory memorandum to Money Services Business (MSB) license holders. The purpose of the memorandum “is to provide license holders with industry best practices regarding the documentation of [authorized delegate] and agent compliance monitoring efforts.” According to the Department, agents and Authorized Delegates (AD) pose substantial compliance risks to MSBs, with agent and AD file review comprising “a significant component of the examination process for assessing compliance with AML Program requirements and Texas law.” The memorandum provides MSBs with industry guidance on how to meet regulators’ expectations for maintaining documentation in compliance with agent and AD oversight. The Department identifies various documents that support effective agent and AD on-boarding due diligence, including: (i) agent and AD BSA policies and procedures; (ii) approval by foreign regulators to conduct money transmission; (iii) evidence of initial AML/BSA training; and (iv) credit review and approval documents, such as financials and credit reports. Moreover, the memorandum indicates that on-going due diligence requires MSBs to maintain, among other things, evidence to support (i) periodic BSA training; (ii) agent compliance with independent AML review requirements; and (iii) the license holder’s review of updated BSA/AML Program policies and procedures.
North Carolina Passes Legislation to Clarify Applicability of Motor Vehicle Service Agreement Protections
On October 22, North Carolina Governor Pat McCrory signed into law North Carolina SB 195 to clarify the types of service agreements that come under the existing framework governing how motor vehicle service agreements are sold. The bill revises the existing statute to specifically describe a set of products considered to be motor vehicle service agreements and delegates to the Commissioner of Insurance power to define additional products consistent with the law. The bill also amends the statute to expressly carve out from the regulatory framework maintenance agreements offered by certain entities. Finally, the new law amends the statute to clarify that ancillary anti-theft protection program and ancillary anti-theft protection program warranty products are not considered contracts of insurance. The amendments are effective as of October 1, 2015.
On October 28, the New York DFS resolved an enforcement action with a New York State-chartered bank for alleged violations of state banking law. The DFS alleged that the bank hired a former New York Federal Reserve Bank examiner and permitted him to work on matters for an entity that the employee had examined while at the New York Fed, in violation of a notice of post-employment restrictions from the New York Fed. The DFS also alleged that the employee obtained confidential regulatory or supervisory information from a now-former New York Fed employee and distributed the information to a Managing Director at the bank for the purpose of advising the entity. In addition to the bank’s alleged failure to screen the employee from working on matters related to the entity he had examined, the DFS’s order alleges that the bank failed to “provide training to personnel regarding what constituted confidential supervisory information and how it should be safeguarded.” Under the settlement terms, the bank will (i) pay a civil money penalty of $50 million to the DFS; (ii) reform its policies and procedures to ensure the proper handling of confidential supervisory information and the monitoring of assignments of former government employees; and (iii) not re-hire the bank employee and Managing Director, who had been terminated as a result of the matter.
On October 27, New York Attorney General Eric Schneiderman issued a letter to nearly 100 banks operating in New York requesting that they examine and revise their screening policies for deposit accounts to expand access to mainstream banking to the unbanked and underbanked communities. The letter is part of a 2013 initiative that led to agreements with five banks regarding their screening of applicants seeking to open checking or savings accounts. According to the New York AG’s office, its prior examination revealed that “many financial institutions reject applicants for minor financial missteps, even when those missteps occurred years ago, involved de minimis amounts, or otherwise did not reflect a consumer’s ability to pay responsibly.” In the prior agreements, the five banks committed to taking a number of steps to reform deposit account screening criteria to expand access. The recent letter urges approximately 100 banks to examine their practices and adopt similar measures.
On October 21, the Georgia Department of Banking and Finance (the Department) announced a consent order with a South Carolina-based mortgage lender and its individual owner to resolve a Notice of Intent to Revoke Annual License and an Order to Cease and Desist. The Department alleged that the individual and the company violated the Georgia Residential Mortgage Act by (i) making false statements or misrepresentations to the Department; (ii) making false statements and misrepresenting material facts in mortgage loan documents; (iii) operating an unapproved branch with an unapproved branch manager; (iv) failing to perform the appropriate background checks on covered employees; and (v) transacting business with an unlicensed person who was not exempt from licensing requirements. Under the terms of the Order, the individual is prohibited from (i) applying for a Georgia mortgage loan originator, mortgage broker, or mortgage lender license; (ii) serving as a director, officer, or any other equivalent role for a Georgia mortgage broker or lender; and (iii) acting as a branch manager for a Georgia branch of a Georgia licensed mortgage broker or lender. In addition, the lender must pay $29,000 to the Department and $1,000 to the State Regulatory Registry, LLC to support the NMLS. The lender also must surrender its license from the Department.
On October 14, the Illinois Division of Banking announced that it would host two Cyber Risk and Security Conferences on November 9 and November 16. With the growing number of threats to financial data systems, cyber and data security has become a top concern for regulators in the financial industry. Topics to be addressed at the conferences include: (i) current cyber threats; (ii) bank and credit unions’ cyber preparedness and response to threats; and (iii) existing trends and the globalization of cyber crimes. The CSBS will co-host the conferences.
On October 13, the NYDFS announced that it reached its fifth agreement with a bank regarding record keeping requirements and other protections to ensure that the bank is responsibly using Symphony Communication Services, LLC’s chat and messaging platform (Symphony). In September, the NYDFS reached similar agreements with four banks after expressing concern that some Symphony features, most notably its promised service of “Guaranteed Data Deletion,” had the capability to hinder regulators’ and prosecutors’ investigations of misconduct at banks. Per the agreements reached with the NYDFS, the banks must (i) require Symphony to maintain copies of all communications sent through the chat and messaging platform for at least seven years; (ii) provide an independent custodian with a copy of decryption keys for encrypted messages sent through Symphony; and (iii) inform the NYDFS of the location of the decryption keys. Acting Superintendent Anthony Albanese outlined these requirements in the October 13 guidance issued to all NYDFS-regulated institutions, stressing that “any [NY]DFS-regulated institution that is considering using the Symphony platform should ensure that the entity’s anticipated use conforms to the standards included in the Agreements.”
On October 6, the CSBS released a summary of research presented and discussions had at the third annual Community Banking Research and Policy Conference, held September 30 through October 1. At the conference, community bankers, academics, and federal and state policymakers discussed trends in community banking, with a particular focus on small business and farm lending, community bank performance, and community banks pre- and post-financial crisis. 27 state regulators attended the conference and held a roundtable to address first-hand the challenges – such as increased regulatory burden and evolving technology – and opportunities community bankers face.
On October 12, North Carolina Governor Pat McCrory (R-NC) signed into law North Carolina SB 370. Effective August 2016, an application for a certificate of title, a registration plate, a registration card, and any other document required by the DMV to be submitted with the application and requiring a signature may be submitted with an electronic signature. The required notification may also be performed electronically. In addition, effective December 1, 2015, upon the satisfaction or other discharge of a security interest in a vehicle for which the certificate of title data is notated by a lien through electronic means, the secured party shall, within seven business days from the date of satisfaction, send electronic notice of the release of the security interest to the DMV through the electronic lien release system. The electronic notice of the release of the security interest sent to the DMV by the secured party shall direct that a physical certificate of title be mailed or delivered to the address noted by the secured party providing notice of the satisfaction or other discharge of the security interest. Upon receipt by the Division of an electronic notice of the release of the security interest, the Division shall mail or deliver a certificate of title to the address noted by the secured party within three business days.
On October 6, Governor Jerry Brown (D-CA) signed into law AB 964/Chapter 522, which, among other things, defines “encrypted” as it pertains to data breach notification requirements for business and public agencies. Current California law provides that when a business’s security system or data is breached, the business must disclose the breach to “any California resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.” Effective January 1, 2016, the bill – for the purpose of data breach notification requirements – defines “encrypted” as “unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information technology.”
CSBS’ Multi-State Mortgage Committee: Mortgage Companies Must Comply with Technology-Based Examination Process
On September 29, the Conference of State Bank Supervisors (CSBS) and the Multi-state Mortgage Committee (MMC) released a bulletin titled, “Supervisory Expectations Regarding the Use of Electronic Examination Tools.” The bulletin explains the MMC’s use of electronic examination tools and the supervisory expectations for mortgage companies undergoing the state examination process. As a result of a 2008 initiative by the MMC, state regulators have been using technology to review loan transaction data for years, originally setting the expectation that companies fully participate with the process by 2011. According to the bulletin, however, “the mortgage industry has regularly failed to provide clean data in a format acceptable to the regulators’ technology platform.” As a result of this non-compliance, the MMC recommended that, going forward, state regulators take enforcement action against companies that are unable to provide accurate data in a timely fashion, so as to ensure a “more efficient and timely regulatory process.”
On September 22, NYDFS Acting Superintendent Anthony Albanese announced that the New York Department of Financial Services (NYDFS) granted its first BitLicense from its current applicant pool. In June 2015, the NYDFS finalized the BitLicense framework, requiring existing virtual currency companies to apply by August 10. Via blog post, the first licensee acknowledged receiving the license. To date, the NYDFS has received 25 BitLicense applications and, according to Albanese, “will continue to move forward on evaluating and approving additional BitLicenses.”