On January 17, Secretary of the Pennsylvania Department of Banking and Securities, Robin L. Wiessmann, submitted a comment letter calling upon the OCC to give “more thoughtful deliberation about the intended and unintended consequences that will result from such an apparent departure from the OCC’s current policy and scope of supervision.” Specifically, Wiessman requested that the federal bank regulator address three concerns regarding: (i) the broad application and ambiguity of the term “fintech”; (ii) the need by the OCC to have an adequate regulatory scheme in place before approving charters; and (iii) the possible federal preemption of existing state consumer protection laws. The Secretary’s letter echoes many of the concerns raised in a recent comment letter submitted by the Conference of State Bank Supervisors (CSBS) “reiterating its opposition to the [OCC] proposal to issue a special charter for fintech companies.”
On January 17, the New York Department of Financial Services (NYDFS) Superintendent Maria T. Vullo submitted a comment letter in stern opposition to the OCC proposal to create a new FinTech charter, stating that the proposed regulatory scheme is not authorized by federal law and would create a number of problems, including a serious risk of regulatory confusion and uncertainty. New York’s top financial regulator is of the opinion that “the OCC should not use technological advances as an excuse to attempt to usurp state laws.” More specifically, NYDFS’ contends, among other things, that: (i) state regulators are better equipped to regulate cash-intensive nonbank financial service companies; (ii) a national charter is likely to stifle rather than encourage innovation; (iii) the proposal could permit companies to engage in regulatory arbitrage and avoid state consumer protection laws; and (iv) a national charter would encourage large “too big to fail” institutions, permitting a small number of technology-savvy firms to dominate different types of financial services.
An interview of Superintendent Vullo discussing this topic may be accessed here.
Pennsylvania’s Secretary of Banking and Securities, Robin L. Wiessmann, issued guidance to businesses engaged in money transmission to inform them of significant changes that will be required for their businesses as a result of amendments to the Money Transmission Business Licensing Law. Governor Tom Wolf signed the changes into law on November 3, 2016 (Act 129 of 2016) and the new law became effective on January 2, 2017.
On December 22, the Kentucky Department of Financial Institutions (the “Department”) issued a memorandum stating that master servicers and sub servicers are required to be licensed as mortgage loan companies under the Kentucky Mortgage Licensing and Regulation Act, unless they can document to the Department in writing that an exemption applies to them. The memorandum defines “master servicer” as “any entity or individual that owns the right to perform servicing of a mortgage loan. A master servicer typically reserves the legal right to either perform the servicing itself or to do so through a sub servicer.” The memorandum specifies that “[a] sub servicer does not own the right to perform mortgage servicing, but performs servicing on behalf of a master servicer, generally premised upon duties enumerated in a contract between the sub servicer and master servicer.” The licensing requirement is effective March 1, 2017.
On December 28, 2016, the New York Department of Financial Services (DFS) issued a revised version (Revised Proposed Rule) of its cybersecurity rule for financial institutions issued on September 13, 2016 (Proposed Rule). The revision came after DFS received more than 150 comments in response to the Proposed Rule, as well as a hearing before New York State lawmakers. The Revised Proposed Rule retains the spirit of the original Proposed Rule, but offers covered entities somewhat more flexibility in implementing the requirements.
The Proposed Rule marked the next step in a period of increased focus on cybersecurity by the agency. Between May 2014 and April 2015, DFS issued three reports relating to cybersecurity in the financial and insurance industries. In November 2015, DFS issued a letter to federal financial services regulatory agencies, which alerted the federal regulators to DFS’s proposed regulatory framework and invited comment from the regulators.
In the September release, DFS explained that the Proposed Rule is a response to the “ever-growing threat posed to information and financial systems by nation-states, terrorist organizations, and independent criminal actors.” As originally written, the Proposed Rule covered financial institutions operating under a charter or license issued by DFS, and set cybersecurity program, policy, training, and reporting requirements that are more stringent than the current federal requirements. The Proposed Rule gave a January 1, 2017 effective date, with a 180-day transitional period. Taking into consideration these concerns, on December 19, 2016, the New York State Assembly’s Standing Committee on Banks held a public hearing regarding cybersecurity and the Proposed Rule. Among the chief concerns expressed at the hearing and in the comment letters was the cost of compliance, especially for smaller banks, and that the Proposed Rule’s “one-size-fits-all” requirements do not consider the varying operational structures, business models, and risk profiles of financial institutions. There was also concern that the Proposed Rule was too different from the current federal requirements.
* * *
We will continue to monitor the DFS rulemaking process. If you have questions about the Revised Rule or other cybersecurity issues, visit our Privacy, Cyber Risk & Data Security practice for more information, or contact a BuckleySandler attorney with whom you have worked in the past.