On February 8, New York DFS Superintendent Benjamin Lawsky announced that the DFS would begin (i) regularly examining insurance companies’ cyber security preparedness; (ii) enhancing regulations that will require insurance providers to meet higher standards of cyber security; and (iii) examining “stronger measures related to the representations and warranties insurance companies receive from third-party vendors.” Lawsky expects the targeted exams to begin in the “coming weeks and months.” The announcement was accompanied by the release of the state agency’s report on cybersecurity in the insurance industry.
On February 17, Governor Steve Bullock of Montana signed S.B. 98 into law, which amends the Montana Mortgage Act to clarify licensing requirements. Among other things, the revised Montana Mortgage Act (i) modifies education and experience requirements; (ii) revises the responsibilities of designated managers; (iii) allows reports and notices to be filed and delivered through the NMLS; and (iv) amends the licensing requirements for loan processors and loan underwriters.
On February 11, the Pennsylvania AG announced a settlement with a national payday lender that will pay $8 million in restitution to consumers who were allegedly provided illegal payday loans. According to the state AG, the lender misled consumers by charging a “monthly participation fee” on a loan product, when it was actually interest added on to consumers’ account balances. The state AG charged that the practices violated Pennsylvania’s Consumer Protection Law. In addition to providing restitution, the lender agreed to (i) forgive $12 million of unpaid principal balances; (ii) pay $1.75 million in total costs to the state AG’s office and the Department of Banking and Securities; and (iii) pay $250,000 to a third-party administrator to distribute the restitution to eligible consumers.
On February 4, NY DFS Superintendent Benjamin Lawsky sent a letter to the CFPB urging the agency to adopt strong national rules for the payday loan industry. In his letter, Lawsky highlighted four steps the agency should consider in its drafting of rules, including (i) making clear that state laws with stronger anti-payday-lending rules still apply to lenders; (ii) banning payday lenders from using “remotely created checks;” (iii) restricting the sharing of consumers’ personal information by payday lenders, lead generators and other third parties; and (iv) creating a rigorous “ability-to-repay” standard for payday loans.
On February 4, New York DFS proposed revisions to its anticipated regulation of virtual currency companies. The DFS originally released a proposal on July 17, 2014, and on December 18, Superintendent Lawsky delivered remarks stating the DFS was revising its proposal to provide more flexibility to virtual currency startups. The revised proposal (i) gives DFS the option of renewing a conditional BitLicense if the virtual currency firm continues to meet operating criteria; and (ii) removes previous language stating that a firm operating a BitLicense is required to obtain addresses and transaction data for all parties to a virtual currency transaction. Regardless of the changes, virtual currency firms still must meet strict standards for consumer protection and anti-money laundering requirements.
On February 3, the California Public Employees’ Retirement System (CalPERS) announced a $125 million settlement with a large credit rating agency and its parent company to resolve charges made in connection with the agency’s inflated ratings of three structured investment vehicle notes that collapsed during the financial crisis. The CalPERS settlement is separate from the DOJ’s settlement with the same credit rating agency. The state-operated retirement system will collect an additional $176 million from the State of California’s $210 million received from the DOJ settlement, for a total of $301 million.
On January 23, the California Department of Business Oversight (DBO) announced a $2.5 million settlement with a national mortgage servicer for failing to provide loan information to the state regulator. According to the consent order, the company must also (i) pay an independent third-party auditor selected by the DBO to ensure the servicer provides all requested information to DBO; (ii) cover administrative costs associated with the case; and (iii) cease acquiring new mortgage servicing rights that include loans secured by California properties until the DBO is satisfied that the servicer can satisfactorily respond to certain requests for information and documentation made in the course of a regulatory exam.
On January 19, the New York Attorney General (AG) announced an agreement with a New York-based community bank that the AG alleged had excluded predominantly minority neighborhoods from its mortgage lending business. As part of the agreement, the bank will (i) open two branches in neighborhoods with a minority population of at least 30 percent, with the first located within two miles of a majority-minority neighborhood and the second located within one mile of a majority-minority neighborhood; (ii) create a special financing program to provide $500,000 in discounts or subsidies on loans to residents of majority-minority neighborhoods; and (iii) create a marketing program directed at minority communities. Additionally, the bank agreed to submit to reporting and monitoring by the AG for a three-year period and pay $150,000 in costs to the State of New York.
On January 15, New York AG Eric Schneiderman announced that he intends to propose legislation that would “overhaul New York State’s data security law and require new and unprecedented safeguards for the personal data of consumers.” Specifically, the bill would (i) make companies responsible for protecting a broader range of information by expanding the definition of “private information;” (ii) require better data security measures for entities that collect and/or store private information; and (iii) create a safe harbor for companies that would shield them from liability if they adopt heightened security practices. In addition, the proposal would incentivize companies to share forensic data with authorities in the event of a data breach by ensuring that disclosure does not affect the company’s privileges. The proposed legislation follows the New York AG’s release of a July 2014 report, which examined the growing number of data breaches occurring within the state. Schneiderman expects the new law to be “the strongest, most comprehensive in the nation… [making] [New York] a national model for data privacy and security.”
CSBS Issues Policy, Draft Model Regulatory Framework, and Request for Comment Regarding State Regulation of Virtual Currency
As previously reported in our January 8 Digital Commerce & Payments alert and in InfoBytes, the Conference of State Bank Supervisors (“CSBS”) issued a Policy on State Regulation of Virtual Currency (the “Policy”), Draft Model Regulatory Framework, and a request for public comment regarding the regulation of virtual currency on December 16, 2014. The Policy and Draft Model Regulatory Framework were issued through the work of the CSBS Emerging Payments Task Force (the “Task Force”). The Task Force was established to explore the nexus between state supervision and the development of payment systems and is seeking to identify where there are consistent regulatory approaches among states.
On January 6, the Connecticut Department of Banking issued a cease and desist order against the head of an American Indian tribe and two payday loan companies owned by the tribe for allegedly violating a state cap on interest rates. The order requires (i) that the two companies pay a combined civil penalty of $800,000 and (ii) that the head of the tribe pay a civil penalty in the amount of $700,000. This action is considered to be the first enforcement action ever against the leader of a Native American tribe.
On December 19, the New York Department of Financial Services announced a recent settlement with a Long Island-based auto lender to resolve allegations of violations of several consumer protection laws including the DFA, TILA, NY Banking Law, and NY Financial Services Law. According to the consent judgment, the Defendants allegedly (i) failed to notify consumers who made overpayments on their accounts; (ii) miscalculated the interest charged to customers; and (iii) endangered the security of their customer information by leaving loan files in the open around common areas. As part of the settlement, the auto dealer must (i) pay $3 million in penalties; (ii) pay full restitution plus nine percent interest to all affected customers; (iii) liquidate all remaining loans; and (iv) surrender its licenses in all states.
On December 16, the Conference of State Bank Supervisors (CSBS) announced its draft regulatory framework and requested public comment on specific questions intended to aid state regulators on the regulation of virtual currencies. The regulation of virtual currency activities currently varies from state to state. The draft framework is intended to create uniform state regulation. Comments are due by February 16, 2015.
On December 18, Superintendent Lawsky delivered remarks regarding New York’s revised proposal for regulating virtual currency companies. The new proposal stems from the original July 17 proposal and includes certain revisions previously alluded to on October 17. Lawsky noted that the revisions will provide flexibility to virtual currency startups, while simultaneously allowing the New York Department of Financial Services to remain committed to protecting consumers. Most notably, the revised regulation “will offer a two-year transitional BitLicense, which may be issued to those firms who are unable to satisfy all of the requirements of a full license, and will be tailored to startups and small businesses.” According to Lawsky, while the companies will still have to abide by anti-money laundering and consumer protection requirements, the revisions are intended to “strike an appropriate balance between permitting innovation to proceed, while at the same time strongly protecting consumers and helping root out illicit activity.”
On December 10, NY DFS Superintendent Benjamin Lawsky issued a bulletin to all New York state-chartered or licensed banking institutions regarding an updated IT examination process. Effective immediately, cybersecurity examinations will be included within the overall IT examination process. The DFS cybersecurity examinations will incorporate a number of new topics, including: (i) corporate governance; (ii) protections against intrusion, such as multi-factor or adaptive authentication, along with server and database configuration; (iii) information security testing and monitoring; and (iv) cybersecurity insurance coverage, along with other third-party protections. Ultimately, the new examination process will assess a bank’s cybersecurity protections, in addition to how it manages potential cyber risks and handles a cybersecurity attack.