On December 18, Superintendent Lawsky delivered remarks regarding New York’s revised proposal for regulating virtual currency companies. The new proposal stems from the original July 17 proposal and includes certain revisions previously alluded to on October 17. Lawsky noted that the revisions will provide flexibility to virtual currency startups, while simultaneously allowing the New York Department of Financial Services to remain committed to protecting consumers. Most notably, the revised regulation “will offer a two-year transitional BitLicense, which may be issued to those firms who are unable to satisfy all of the requirements of a full license, and will be tailored to startups and small businesses.” According to Lawsky, while the companies will still have to abide by anti-money laundering and consumer protection requirements, the revisions are intended to “strike an appropriate balance between permitting innovation to proceed, while at the same time strongly protecting consumers and helping root out illicit activity.”
On December 16, the Conference of State Bank Supervisors (CSBS) announced its draft regulatory framework and requested public comment on specific questions intended to aid state regulators on the regulation of virtual currencies. The regulation of virtual currency activities currently varies from state to state. The draft framework is intended to create uniform state regulation. Comments are due by February 16, 2015.
On December 10, NY DFS Superintendent Benjamin Lawsky issued a bulletin to all New York state-chartered or licensed banking institutions regarding an updated IT examination process. Effective immediately, cybersecurity examinations will be included within the overall IT examination process. The DFS cybersecurity examinations will incorporate a number of new topics, including: (i) corporate governance; (ii) protections against intrusion, such as multi-factor or adaptive authentication, along with server and database configuration; (iii) information security testing and monitoring; and (iv) cybersecurity insurance coverage, along with other third-party protections. Ultimately, the new examination process will assess a bank’s cybersecurity protections, in addition to how it manages potential cyber risks and handles a cybersecurity attack.
On December 8, a large bank settled with the state of Massachusetts for $825,000 over a data breach that exposed the personal information of at least 260,000 customers. In March 2012, the bank allegedly lost unencrypted backup tapes with customer information and failed to report the missing tapes until October 2012. According to the Massachusetts AG, the bank violated state law by failing to (i) sufficiently protect information; and (ii) provide timely notification of the data breach. In the settlement agreement, Massachusetts credited the bank with $200,000 to upgrade its security procedures, while $325,000 will be paid in civil penalties, $75,000 in attorney’s fees and costs, and $225,000 to a consumer aid education fund.
On December 3, New York Governor Cuomo announced that the DFS finalized regulations to help end abusive debt collection practices. The new regulations will (i) require debt collectors and debt buyers to provide enhanced disclosures regarding the debt; (ii) protect consumers who may have debts where the statute of limitations has expired; (iii) require that the debt collector substantiate that the debt is actually owed; (iv) ensure that consumers receive written confirmation of settlement agreements; and (v) allow consumers to communicate with debt collectors via personal email. The new regulations will take effect on March 3, 2015, with the exception of Sections 1.2(b) and 1.4, which will take effect August 30, 2015. Section 1.2(b) refers to disclosure requirements and 1.4 refers to substantiation of debts.
On November 18, the New York DFS announced a consent order with a foreign bank for allegedly misleading regulators regarding its transactions with sanctioned countries, most notably Iran, Sudan, and Myanmar. According to the press release and consent order, from approximately 2007 through 2008, the bank convinced a consulting firm to “water down” reports submitted to regulators on its transactions. Specifically, the bank pressured the consulting firm to alter an historic transaction review (HTR) report to exclude key information, such as: (i) the English translation of the bank’s wire transfer instructions, which included a statement that the bank conducted business with “’enemy countries’ of the U.S.;” (ii) a majority of the consultant’s description of the bank’s wire transfer activities; and (iii) information “concerning [the bank’s] potential misuse of OFAC screening software” in connection with its wire transfer activities. The DFS ordered the bank to pay $315 million in penalties, in addition to the $250 million the DFS ordered the bank to pay June 2013 in connection with its sanctioned transactions.
On November 13, Governor Cuomo announced that four additional financial institutions have agreed to use a database created by the State’s Department of Financial Services to “help identify and stop illegal, online payday lending in New York.” The database includes a list of companies that the DFS has identified and taken action against for making illegal internet payday loans to people in New York. The total number of institutions using the database now stands at five.
On November 2, New York Superintendent Lawsky delivered remarks at the Money 20/20 Conference on the state’s virtual currency and Bitcoin regulation. In October, Lawsky publicly stated that, as a result of the comments received on New York’s proposed BitLicense framework, there would be important changes made to the July 17 proposal. This week, on behalf of the NYDFS, Lawsky announced that additional changes are being considered to address “concern about the compliance costs of regulation on new or fledging virtual currency enterprises.” Specifically, Lawsky introduced the concept of a Transitional BitLicense, which would allow certain small, money transmitting startups to begin operating without huge compliance costs. Lawsky noted four main factors the NYDFS would consider when deciding whether or not to grant a Transitional BitLicense: (i) the nature and scope of the business and the associated risks for consumers; (ii) projected transactional and business volume; (iii) registration status as a Money Services Business with FinCEN; and (iv) previously established mitigating risk controls.
On October 22, the Ninth District Court of Appeals reversed a summary judgment decision allowing a trust unit of a bank to foreclose on a home. In this case, the loan servicers were unable to prove who held the promissory note when the trust unit requested a foreclosure order from the trial court. Employees at both servicers failed to attach records relied upon in their respective affidavits, but rather provided copies of the promissory note, mortgage, and the assignment of the mortgage. The Court held that the copies “do not establish when or if the Bank came into possession of the Note or that the Bank was in possession of the Note at the time of the filing of the complaint.” Deutsche Bank Natl. Trust Co. v. Dvorak, 2014-Ohio-4652 29, Ohio. Ct. App., 27120 (Oct.22, 2014)
On October 16, a California district court issued a declaratory judgment ordering a company to comply with Rule 34 as cited in the Federal Rules of Civil Procedure. Rule 34 has two specific and separate requirements: (i) “[a] party must produce documents as they are kept in the ordinary course of business or must organize and label them to correspond to the categories in the request;” and (ii) [if] a request does not specify a form for producing electronically stored information (ESI), a party must produce it in a form in which it is ordinarily maintained or in a reasonably usable forms.” In this case, the defendant served initial document requests to the company. The parties agreed to meet and discussed about how the company would produce the requested documents. Thereafter, the company produced 41,000 pages of ESI consisting of flash drive and email. The drive and email contained no custodial index, table, or categories – just all folders of files. The Court ruled that, although the company satisfied with the first requirement of Rule 34, the company failed to adhere to the second requirement because the company must (i) either organize and label each document it has produced or it shall provide custodial and other organizational information along the lines outlined above and (2) produce load files for its production containing searchable text and metadata. Venture Corp. v. Barrett, 5:13-cv-03384-PSG, WL 5305575 (N.D. Cal. Oct.16, 2014)
Recently, the New York Appellate Division held an affidavit supporting an Oklahoma bank’s motion to foreclose a New York mortgage conformed to New York statutory requirements. An affidavit acknowledged out of state must be accompanied by a certificate of conformity under N.Y. Civil Practice Law and Rules §2309(c), providing that an oath taken outside New York is treated as if taken in New York if accompanied by a certificate required to entitle a deed to be recorded in New York. Oaths acknowledged outside New York by non-New York notaries require a certificate of conformity in substantially the form set out in Real Property Law §309-b. Here, an affidavit of the holder’s senior foreclosure litigation specialist established the mortgage, the default and assignment of the mortgage. It was accompanied by a “Uniform, All Purpose Certificate of Acknowledgment” which substantially conformed to Real Property Law §309-b. The borrowers did not oppose the motion to foreclose; the holder was therefore entitled to judgment. Midfirst Bank v. Agho, 991 N.Y.S.2d 623 (Aug. 13, 2014).
On October 21, New York DFS’s Superintendent Lawsky issued a letter to a large loan servicer institution regarding its systems and processes, most significantly the practice of backdating letters to borrowers. As a result of the alleged backdating issue, Lawsky’s letter highlights the servicer’s failure to meet state and federal agreements concerning its communication timing with borrowers on requests for mortgage modifications or the initiation of foreclosure proceedings. According to the letter, potentially hundreds of thousands of borrower letters were incorrectly dated. The DFS alleged that one letter in particular contained a time lapse of nearly a year: “[The servicer’s] system shows that [it] sent a borrower a pre-foreclosure dated May 23, 2013, stating that the borrower was in default and at risk of foreclosure. Yet, a conflicting notice record in [the servicer’s] system indicates that the notice was created on April 9, 2014.” The NYDFS stresses the urgency the servicer must take to remedy these issues by fixing its systems, and notes that it “intends to take whatever action is necessary to ensure that borrowers are protected.”
On October 14, Superintendent Lawsky delivered remarks on virtual currency and Bitcoin regulation in New York City. Specifically, Lawsky addressed the comments received in connection with the DFS’s July 17 proposal to establish a licensing regime for virtual currency businesses. Lawsky clarified the following five areas of concern: (i) who will be required to obtain a BitLicense; (ii) which type of license, money transmitter and/or virtual currency, a business will be required to obtain, confirming that, if both are required, the application process will be streamlined; (iii) the requirements that banks providing virtual currency services will need to comply with; (iv) the regulation of mining when a miner engages in virtual currency services; and (v) the “compliance costs of regulation on new or fledging virtual currency enterprises.” Noting that the DFS hopes that companies will work with the DFS as opposed to “run[ning] from regulation,” Lawsky emphasized the significance of appropriate regulation as it pertains to safeguarding customers’ money at financial companies.
On October 15, the New York Attorney General’s office announced a settlement with a large financial institution in connection with a 2012 data breach. Of the $850,000 settlement agreement, New York State will receive over $114,000. The terms of the settlement require that the bank reform its former security practices, which caused over one million customer files to be compromised. Specifically, in 2012, the bank lost over one million unencrypted files that contained personal information for over 200,000 customers nationwide. Going forward, the bank must (i) notify state residents of security breaches in a timely manner; and (ii) maintain security policies that will protect personal information.
On September 26, Virginia Attorney General Mark Herring issued a letter declaring that the Virginia State Board of Elections is not legally precluded from directing general registrars to accept voter registration applications with electronic signatures. “It is my opinion that, although no law requires the acceptance of mailed voter registration applications with electronic signatures, the State Board of Elections is not precluded from directing that general registrars accept such applications, and the State Board, in its discretion, may do so[.]” The letter also stated that the Board of Elections also has authority to establish standards to ensure the security of voter information and to verify the authenticity and validity of the electronic signatures. The letter validates the Board of Election’s decision to accept electronic signatures during the 2013 gubernatorial election.