Does NY’s Cybersecurity Regulation Apply To Your Credit Union?

May 22, 2017 at 9:52 am

With the recent ransomware attack demonstrating how vulnerable the world is to cyberattacks, I spent part of my weekend looking back over NY’s regulations and to whom they apply. These regulations took effect in March, but there is a six-month transition period, with some requirements being phased in over the next year.

What follows is one man’s opinion and not a substitute for consultation with your own counsel and compliance team.

NY’s regulations apply to “any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.” This definition clearly applies to state-chartered credit unions and to CUSOs incorporated or licensed in New York State, such as a mortgage banking or title insurance business.

What if you have a federally chartered credit union that makes mortgage loans? Here is where people part ways with my analysis. Even though originators working for banks and credit unions are exempt from state licensing requirements under Section 12C of the banking law, they still must be registered with NYS as loan originators (N.Y. Banking Law § 599-c(3)(a) (McKinney)). On its face, the regulation is broad enough to be triggered by this requirement.

Persons within the industry, with whom I have discussed the regulations’ reach, argue that even if my interpretation is correct, it is hard to see how NYS could actually enforce the regulations against a federally chartered institution. To me, this argument overlooks the fact that this regulation’s requirements will impact more than your compliance system. If it works the way I think it will, it will become an integral part of your most basic business relationships.

For example, the regulation will impact your third-party relationships. Entities covered by the regulations must identify and perform a risk assessment on all third-party vendor relationships. They also must explain the minimum cybersecurity protocols with which they expect third-party vendors to comply. This requirement is broadly consistent with third-party vendor guidelines. If I were drafting a contract for your credit union, reference to NY’s cybersecurity requirements could provide a useful and precise baseline for the standards that you expect vendors to meet. This is particularly true given the increasing importance that adequate encryption plays in your cybersecurity program.

Even if NYS’s regulation doesn’t apply to you today, you don’t have to be Nostradamus to figure out that similar regulations will soon be imposed on your credit union. The ransomware attack demonstrated just how vulnerable our country is. Like it or not, NY’s regulation provides a template upon which regulators can quickly build, and my guess is they will do so.

Entry filed under: General, Legal Watch, New York State, Regulatory.


Authored By:

Henry Meier, Esq., General Counsel, New York Credit Union Association.

The views Henry expresses are Henry’s alone and do not necessarily reflect the views of the Association.
