Posts filed under ‘New York State’

Cybersecurity Fine Against Carnival Is A Reminder To Take Your Cybersecurity Obligations Seriously

New York’s Department of Financial Services recently announced the imposition of a $5M fine against Carnival Corporation and its subsidiaries for failing to promptly report a series of data breaches and ransomware attacks and providing inadequate cybersecurity training to its staff.  The fine is the latest example of how New York is aggressively pursuing actions against “covered entities” that don’t comply with New York’s cybersecurity regulations.

I’ve decided to use Carnival’s misfortune as a pretext for reminding you of New York’s regulations.  Even if you are not a “covered entity”, you would be well advised to be aware of New York’s mandates as they are playing a leading role in shaping industry expectations when it comes to cybersecurity programs. 

Under New York State’s regulations, a “covered entity” is defined as “any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law” [23 CRR-NY 500.1(c)].  This definition means that state chartered institutions as well as CUSOs that are licensed by New York State must comply with this regulation.  For example, Carnival Corporation was licensed to provide insurance in New York State, a license it surrendered following this fine.

A cybersecurity event means any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an information system or information stored on such information system [23 CRR-NY 500.1(d)].

Last, but not least, “covered entities” are responsible for implementing a cybersecurity framework which, at a minimum:

(1) Identifies and assesses internal and external cybersecurity risks that may threaten the security or integrity of nonpublic information stored on the covered entity’s information systems;

(2) Uses defensive infrastructure and the implementation of policies and procedures to protect the covered entity’s information systems, and the nonpublic information stored on those information systems, from unauthorized access, use or other malicious acts;

(3) Detects cybersecurity events;

(4) Responds to identified or detected cybersecurity events to mitigate any negative effects;

(5) Recovers from cybersecurity events and restores normal operations and services; and

(6) Fulfills applicable regulatory reporting obligations.

DFS’s latest action involved a series of data breaches and ransomware attacks against Carnival Corporation.  Carnival Corporation is a licensed insurance provider in New York State.  According to the Department, there were at least four separate cyber security incidents that were not reported to DFS within 72 hours as required under the regulations.  Covered entities must file notice of a cybersecurity event with the Department pursuant to the requirements of 23 NYCRR §§ 500.17(a)(1) and (a)(2). Section 500.17(a)(1) requires notice to the Superintendent, within 72 hours of determining there has been a cybersecurity event, when notices are “required to be provided to any government body, self-regulatory agency or any other supervisory body.” 

New York’s regulation also underscores why it is so important to understand the specific obligations in the states in which you operate.  New York has a particularly broad definition of what constitutes a reportable event since reporting obligations are triggered as soon as non-public information (NPI) is exposed to an unauthorized third party, regardless of whether or not there is evidence that the NPI was stolen or misused.  Furthermore, reporting obligations are triggered for any cybersecurity events “… that have a reasonable likelihood of materially harming any material part of the normal operation(s) of the covered entity”.  This is a broad net and the Department has repeatedly demonstrated that it has little patience for entities that don’t follow the 72-hour mandate.

Carnival Corporation’s other mistakes shouldn’t surprise anyone responsible for overseeing their credit union’s operations in this space.   For example, there was a period during which employees with access to NPI did not have to use multifactor authentication. 

Finally, remember that every year now, every “covered entity” has an individual personally verify that it is complying with these regulations.  New York State’s latest action is the latest example of why you must take this verification seriously. 

June 28, 2022 at 10:34 am

The Good The Bad and The Ugly of NY’s Legislative Session, Part 2

No one is ever going to accuse the NY Legislature of being hesitant to legislate.  Here is the second part of my end of session recap.    

The New York Privacy Act:  S6701-B Thomas

One of the issues I blog about frequently is data portability legislation such as has already been passed in Virginia, Colorado and California.  Once again, the legislature gave consideration to S6701 which would impose a California style data privacy framework on New York businesses.  We continue to work on getting important changes to this bill including ensuring that it does not create a duplicative regulatory framework.  Most importantly, the Legislature should follow the lead of Virginia and not impose these requirements on institutions that already have to protect member data pursuant to the Gramm-Leach-Bliley Act.

Overdraft Regulations: S7202-A Sanders / A9659  Fahy

The Legislature passed a bill requiring state-chartered institutions to provide members with overdraft payment information once every six months.  Specifically, the bill would require members to receive written notification of the dates and amounts of overdraft fees, the total amount charged, information on the customer’s ability to negotiate fees; and a telephone number and full contact information for a representative of the financial institution responsible for resolving any matter relating to such fee.

We opposed this bill since federal law already mandates that members be notified of their overdraft charges.  In addition, this is just one more mandate that would be imposed on institutions that choose to be chartered by New York state, as opposed to NCUA.

BDD Program Extended: S9152 Sanders / A9804  Jean-Pierre

The Legislature extended until 2029 the Banking Development District Program bill which allows financial institutions, including state and federal credit unions to receive public funds in return for opening branches in financially underserved areas.  I’ve talked to credit unions that are seriously examining the program and the Associations can help facilitate discussions with institutions that might want to consider this option.  The bill has not yet been sent to the Governor.

Power Of Attorney Clarification: S9209 Hoylman / A10234  Rules (Weinstein)

I haven’t done an official tally, but I would bet that the most frequent questions the Association receives on its Compliance Hotline have to do with the validity of Power of Attorney documents.  The issue was made even trickier because effective June 13, 2021 major new changes to New York’s POA took effect.  This bill stipulates that any Power of Attorney that was validly executed at the time it was made remains valid even if it is signed by the agent after June 13, 2021.  This bill has not yet been signed by the Governor.

Salary Ranges Made Publicly Available: S9427-A Ramos / A10477  Rules (Joyner)

The most important new HR legislation approved in the closing days of the session would mandate that any employer with four or more employees publish a job description and salary range any time it is posting for a job, promotion or transfer opportunity.  If the Governor signs this bill, the Department of Labor would be responsible for developing regulations.  This would apply to federally chartered credit unions. 

Grace Period For Credit Card Points Extended: S9121  Mayer / A10490  Rules (Rozic)

Last year the Legislature passed and the Governor signed into law a bill requiring consumers to be given at least 90 days to use reward points on credit card accounts that are being shut down.  The legislature passed a bill, supported by credit unions, which extends the effective date of this requirement until December 10, 2023.

June 9, 2022 at 10:53 am

The Good The Bad and The Ugly of NY’s Legislative Session, Part 1

NY’s Legislative Recap, Part 1

On Saturday morning the Assembly gaveled out putting an unofficial end to another New York State legislative session.  With the caveat that the session never really comes to an official end, except for a couple of seconds in January, here is my first look at some of the key developments that will impact your credit union and/or the industry. 

The Political Environment

This was the year of redistricting, which means that an inherently political process becomes even more political.  As a result of a Court of Appeals decision striking down the Congressional and State Senate maps for violating new provisions of the State Constitution, we still don’t know what Congresspersons and State Senators will be running in which districts this November.  Primaries for these seats are now scheduled for August 23rd.  In contrast, we were recently chatting about legislation with an Assemblywoman who was preparing to campaign later that day for her June 28th primary.  Assembly districts were not thrown out.  All this took place as Governor Hochul navigated her first session since taking over for former Governor Cuomo.  She is seeking a full term in November.  Against this backdrop, here are some of the key legislative developments.  Part 2 will be tomorrow.

More Progress on Public Deposits

Municipal Deposits – S670 Sanders

For the first time in decades, a bill which would authorize municipalities to place their deposits in credit unions passed the Senate.  While we will have to get the Senate to repass the bill next year, and get the Assembly to go along, this is more evidence that things are trending in the right direction.  Over the last few years we have passed legislation permitting credit unions to accept public funds as part of their participation in Banking Development Districts and receive subsidies for certain types of small business loans under the Excelsior Linked Deposit program.  Incidentally, all these votes mean that we have a record of who’s with us and who’s against us.

Mortgage Foreclosure and Defense

The legislature continues to aggressively examine New York’s mortgage lending process.  For my money, the most problematic bill that passed this year was S5473-D Sanders / A7737-B Weinstein.  Although the bill is being sold as a means of preventing putative abuses in New York’s foreclosure process, in reality it would create a hyper-technical foreclosure process that will retroactively allow hundreds, if not thousands, of people to gain clear title to houses they cannot afford.  New York already has the longest foreclosure process in the country and this bill would simply make things worse.

If this bill becomes law, credit unions with delinquent mortgage loans may have to dramatically increase their loan loss provisions. The bill has not yet been sent to the Governor and we continue to join with other industry stakeholders in opposing this bill.

As for some good news, the legislature did not pass bill S2143A Kavanagh / A2428A Dinowitz, which would create a private right of action, replete with treble damages, against mortgage servicers who commit even technical violations of Part 419, which is New York’s mortgage servicer regulation.  This bill raises a host of technical and policy issues which we will continue to address in the months ahead. 

State Level Antitrust Legislation

As I discussed in this post, the Legislature seriously considered a measure (S933-A Gianaris / A1812-A Dinowitz) which would impose a state level European style antitrust framework.  The new framework would impact all businesses including credit unions.  Among the concerns we have about the bill is that it would make credit unions vulnerable to class action lawsuits for providing services in underserved areas and make any type of merger more expensive and time consuming by duplicating federal law.  This bill passed the Senate but fortunately never gained traction in the Assembly.

Stay tuned.  My recap will continue tomorrow.

June 8, 2022 at 10:08 am

What CFPB Guidance Means For New York

Last week the CFPB issued an interpretive ruling clarifying the power that state regulators and attorneys general have to enforce provisions of the Consumer Financial Protection Act (CFPA) against both state and federally chartered institutions.  It could have important implications for those of us living in states such as New York with an aggressive enforcement approach to consumer protections. 

12 USC § 5552 is one of the most important provisions of the CFPA.  Prior to the Act, federal bank regulators, most notably the OCC, had aggressively preempted state law which they argued interfered with the federal bank charter.  NCUA was pulled in a similar direction but has never interpreted preemption as aggressively as its banking counterparts.  This section, entitled “Preservation of enforcement powers of States” was designed to reverse this trend.  Most importantly, for our purposes, it gives states the authority to bring legal actions against both state and federally chartered institutions for violations of regulations enforced by the CFPB.

The law hasn’t been amended in more than a decade and regulators such as New York’s Superintendent Adrienne Harris, who helped promulgate the initial regulations, are certainly aware of this provision.  So why the need for this interpretation?  First, it underscores that the CFPB is encouraging states to take a more active role in enforcement.  (The problem is that those of us who live in the states most likely to be inspired by this encouragement don’t feel that additional encouragement is necessary.)

The most important aspect of this guidance is that it explains that states not only have the authority to enforce specific regulations but that they also have the authority to utilize the CFPB’s unfair, deceptive, or abusive acts or practices (UDAAP) powers as part of their enforcement efforts [see section 1036(a)(1)(B)].  This is a big deal.  New York’s DFS does not currently have UDAP powers as a matter of state law.  The CFPB just clarified that it has this more flexible enforcement tool when it comes to enforcing key federal consumer protections. 

May 26, 2022 at 7:00 am

New York State Issues Important Guidance on Virtual Currency and BSA Requirements

New York’s Department of Financial Services issued guidance yesterday emphasizing the unique BSA concerns raised by virtual currency.  While this guidance only applies to entities subject to the Department’s virtual currency license requirements as well as certain trust companies, categories which do not include credit unions, I would suggest anyone responsible for integrating virtual currency oversight into your credit union’s compliance framework would be well advised to analyze New York State’s missive.

In today’s blog, yours truly is not going to summarize the guidance but instead provide some context as to the considerations that regulators and financial institutions should take into account as they begin to dip their virtual toes into the virtual currency space.  In doing so I want to illustrate why I think the DFS guidance is important. 

What virtual currencies such as Bitcoin and Ether have in common is that they allow individuals to transfer these currencies between computers so long as the sender and receiver have set up virtual wallets.  The key to this arrangement is Distributed-Ledger-Technology (DLT).

With apologies to the technologically savvy out there, every time a request is made to send or receive “currency” from, or to, a wallet and the transaction is confirmed as valid, a notation is added to a computer program called a blockchain.  This technology is the key to the whole process since it provides a virtual ledger confirming the transfer of debits and credits.

This means that without the use of a financial institution, any two individuals, using fictitious names, can transfer money.  Needless to say, since the emergence of the Bitcoin, there have been concerns raised about the utility of this technology to facilitate money laundering and other illicit activities (since we’re on the subject of money laundering, my wife and I have started binge watching Ozarks, which is the best show I’ve seen since I binged Breaking Bad, but I digress). 

These concerns have been partially vindicated since ransomware attacks typically include a demand for payment in Bitcoin.  But that may be changing.  Law enforcement is beginning to understand DLT.  For example, the ransomware attack on the Colonial Pipeline understandably got a lot of attention last year, but as significant as the attack itself, is the fact that the FBI was able to track down at least some of the culprits and retrieve much of the ransomed funds. 

Now, I’m not suggesting that credit unions or vendors need to be as savvy as the FBI in order to ensure compliance with BSA and AML requirements, but in the old days it was thought that the only way of deterring illicit activity was to make it as difficult as possible to convert Bitcoin and its progeny into cold hard cash.  The DFS guidance emphasizes that even now there are basic steps that financial institutions can take as they begin to consider how to integrate virtual currency offerings into their lines of products or working with third-party vendors as already permitted by the NCUA.  Besides, as virtual currencies become more widely accepted, there will be less and less need to convert them into fiat currency, but that’s a blog for another day.

April 29, 2022 at 10:20 am

New York Court Invalidates Congressional and Legislative Districts

In a decision which could have a direct and substantial impact on the political environment in which credit unions operate, not only in New York State but around the country, New York’s highest court invalidated a Congressional map which would have favored Democrats to pick up at least three seats, and a state Senate map which was the first drawn by Senate Democrats since the modern redistricting process started in the 1960s and would have helped them maintain their super-majority.

In the decision, the Court of Appeals not only invalidated the new maps but put a special master in charge of developing an alternative.  The Court concluded that there was insufficient time to allow the Legislature to redress the situation.  To put it nicely, the decision scrambles the political timeline.  Currently, primaries are scheduled to take place on June 28th, but with members not knowing precisely what districts they will be running in, it looks like New York is headed for a frenzy of political activity over the summer. 

This was the first redistricting cycle following amendments to the state constitution in which a bi-partisan Independent Redistricting Commission (IRC) was charged with drawing a map to be submitted to the legislature for its approval.  Under the process outlined in the Constitution, the IRC was supposed to make at least two attempts at coming up with a single plan for submission to the legislature.  The IRC deadlocked however, and its only submission to the Legislature was a set of competing maps.  State law now also mandates that maps not be politically gerrymandered. 

The Court of Appeals ruled that the maps approved by the Legislature failed both tests.  “Through the 2014 amendments, the People of this state adopted substantial redistricting reforms aimed at ensuring that the starting point for redistricting legislation would be district lines proffered by a bipartisan commission following significant public participation, thereby ensuring each political party and all interested persons a voice in the composition of those lines. We decline to render the constitutional IRC process inconsequential…”.

While this is a big deal, remember that we won’t know its precise impact until Election Day and New York is still a state with an overwhelming Democratic enrollment edge. 

April 28, 2022 at 9:35 am

Getting Ready For The Legislature’s Stretch Run

Yours truly is back from his Carolina vacation and has caught up with enough e-mail to finally post again.  While there is a lot I want to get off my chest – there is only so much my wife wants to hear about the banking industry during an eight-hour car ride – I think I will start with a description of some of the key legislative and regulatory issues that will be impacting New York state credit unions in the coming weeks. 

Not only is this an election year, but it is an election year following the redrawing of the election map, meaning that the legislature will want to get out of town as quickly as possible, especially with primaries scheduled for June. 

One of the most important issues we are dealing with is a bill that would retroactively impose strict new requirements on lenders foreclosing on property (S5473D Sanders).  As many of our members have already explained to their representatives during our state GAC, as currently drafted, the retroactive application of this bill and the ambiguity regarding the right of lenders and borrowers to negotiate modifications without running out of time to foreclose on property will actually make it more difficult to work with delinquent borrowers.

We are also continuing to advocate for changes to a proposed data portability and privacy bill which does not currently exempt financial institutions (S6701A Thomas / A680B Rosenthal) as well as continuing to express a strong opposition to state level anti-trust legislation (S933A Gianaris) which could negatively impact the ability of credit unions to help provide communities banking services, particularly in underserved areas. 

All this is taking place as New York’s highest court hears an appeal of a case challenging the legality of New York’s redrawn Congressional map which could allow Democrats to pick up four additional seats as they struggle to keep their majority.  Expect a decision to come down shortly.

As for the federal level, there is an interesting article in today’s WSJ reporting that privacy legislation may finally be getting traction in Congress.  This is potentially good news, provided the legislation does not impose additional requirements on credit unions and the legislation preempts state law.  But I still remain skeptical that Congress will be able to get legislation done this year.  Hopefully, I am wrong.

On the regulatory front, we are still waiting to see what will come out of the CFPB’s initiative against so-called “junk fees”.  The president of the American Bankers Association has already taken to publicly accusing the Bureau of going rogue.  My bet is that we are going to be hearing a lot about overdraft fees in the coming months.

Last, but not least, let’s hope that the NCUA is going to be following up on its reach-out to credit unions by providing additional guidance as credit unions begin to explore the banking issues raised by distributed-ledger technologies and cyber currencies.  On May 11th yours truly will be discussing the state of regulation in this area and how it is going to impact your credit union as part of the Southern Tier’s Spring Chapter Event in Binghamton.  I noticed it’s at an Irish pub, so let’s share a half-and-half as we ruminate on how technology is once again upending the way banking is done.

Full disclosure, my wife and kids won’t be attending.  They already heard enough about how the NCUA needs to move more quickly and provide additional guidance in this area.  It was one of my favorite topics as we drove around North Carolina.

April 27, 2022 at 9:57 am

CDFIs, DFS Among the Winners In State Budget

With one eye on the final round of the Masters, yours truly did an initial review of the legislation included in New York’s budget plan for this fiscal year and my initial take is that CDFIs and the Department of Financial Services are among the biggest winners.  This is of course good news for those New York State chartered credit unions which have CDFI designations. 

Last year the Association was successful in getting legislation passed allowing credit unions to participate in the Excelsior Linked Deposit program.  This program allows participating lenders to receive state deposits in return for making subsidized low interest loans to eligible small businesses.  Language included in the budget makes any loan involving a CDFI eligible for the program.  The budget also makes CDFIs eligible to receive loans.  This is a huge incentive for CDFI credit unions to get qualified to participate in the program.  Give me a call if you want to further discuss potential opportunities. 

As Washington dithers over how best to regulate crypto currencies, New York moved decisively to give DFS regulatory power over those portions of the industry based in New York.  The budget amends the Financial Services Law to authorize the DFS to examine “persons engaged in the virtual currency business” and to make the industry pay for the cost of such examinations, just like other state regulated institutions currently do. 

What is also striking about this new power is that DFS is also given the authority to promulgate regulations defining what entities are going to be subject to this new framework.  While this type of regulatory handoff is normal in Washington, it is unusual in New York where a new authority such as this would typically be accompanied with a detailed statute. 

Finally, the legislature approved the creation of a $250M public/private fund for the purpose of providing money for social equity licensees who are seeking to open retail cannabis businesses.  This is a smartly drafted piece of legislation since it permits the state to enter into subleases with cannabis retail businesses.  One of the key challenges for businesses where cannabis has been legalized is acquiring retail space. 

Of course, this just underscores yet again why the federal government must act on the SAFE Act, but you folks already know how I feel about that.   

Perhaps Masters winner Scottie Scheffler would be interested in contributing to the state cannabis fund.  His Masters win is his fourth tournament victory in six weeks, a feat that has been worth approximately $8.6M.  Not bad for a 25-year-old.

April 11, 2022 at 9:23 am

Do All Financial Institutions Have A Role To Play In Combating Climate Change?

Of course they do, but that’s not the appropriate question that regulators should be asking themselves. The real question is whether or not financial regulators should mandate if, how and when credit unions choose to address these challenges. My answer to this question is that credit unions should be left to address climate change in a way which best reflects a given institution’s resources, risk profile, and membership base.

As luck would have it, I’m not the only one who feels this way. Earlier this week the FDIC released a draft of the principles it expects bankers to consider when addressing climate change issues. Crucially the proposed guidance only applies to institutions that have $100 billion or more in assets (yes, that’s billion with a B, Dr. Evil).

In a statement accompanying the proposal, FDIC chairman Martin J. Gruenberg explains that “all financial institutions, regardless of size, complexity, or business model, are subject to climate-related financial risks.  However, smaller financial institutions, especially community banks, may lack the financial resources and expertise necessary to effectively identify and measure climate-related financial risks.” 

What is true for community banks is certainly true for credit unions. After all, the small handful of institutions that will be subject to the FDIC’s framework hold more assets than the entire credit union industry. This approach is similar to one taken by NCUA board members Hood and Hampton, who have stressed that at this point, individual credit unions are best positioned to respond to climate change without prodding by regulators.

What I like so much about the FDIC’s statement is that it underscores that you don’t have to be a climate change denier to recognize that imposing specific requirements on many financial institutions at this time would impose clear burdens without resulting in any clear benefits. Simply put, we are still years away from cost effectively identifying the costs associated with climate change on a micro level and integrating these costs into specific financial products. For example, without access to the most sophisticated computer modeling, can anyone really predict how many thirty-year mortgages are not appropriately priced given the risks posed by climate change in specific geographical areas? Imagine how much Fiserv would charge for adding this on to your core processor?

And even if we had cost effective technology in place, there are some complicated legal and policy tradeoffs that have to be considered. Most importantly there is no shortage of research indicating that the effects of climate change disproportionately impact low-income communities. What is the best way to address climate change while at the same time ensuring that low-income communities have access to cost effective housing and basic financial services and products?

April Fool’s Day Is No Joke for the Legislature

The legislature was scheduled to have next week off, but those plans were thrown into disarray yesterday.  First, the Governor and the Legislature were unable to agree on a budget before the start of the fiscal year.  Then, in a development with national implications, a state court has invalidated New York’s new congressional maps and state legislative districts on the grounds that they violate the state constitutional amendments passed in 2014 which were designed to prevent gerrymandering.  This case is going to be appealed but it means that efforts to collect petitions and start campaigning in all those newly configured districts are on hold. 

April 1, 2022 at 9:16 am

Does New York’s Commercial Lending Law Apply To Your Credit Union?

Greetings folks, today I am the bearer of good news. 

Lately, it seems to me that a New York State law passed in 2020 has gotten a lot of attention; at least I’ve gotten a concerned phone call and have seen some recent analysis (Law360 subscription required) of this important new requirement.  I’m here to reassure you that it does not apply to either state or federal credit unions in New York. 

Take a look at State Financial Services Law starting at section 801. The article creates a comprehensive framework for the disclosure of commercial loans of $2.5M or less made by non-bank entities.  The law is called the New York Financial Services Law (the “Commercial Finance Disclosure Law” or “CFDL”).  Under this new framework, these commercial lenders will have to provide disclosures similar to those mandated by the Truth in Lending Act.  The law technically took effect in January but DFS issued this guidance explaining that the statute will be enforced once the accompanying regulations take effect later this year.  It’s enough to make anyone in charge of commercial lending break into hives for fear that they’ve missed the boat on getting ready for these new requirements.

But breathe easy.  Section 802 of the law makes it clear that this article does not apply to financial institutions, a term that includes both state and federally chartered credit unions and banks.  Still, yours truly will be keeping a close eye on developments in this area of the law.  In recent years, consumer groups have expressed concern that existing federal law does not do enough to protect small businesses, particularly those that are women and minority owned.  New York’s law is based on a similar measure already in effect in the great state of California.    In short, I would look at this framework and ask yourself how difficult it would be for your credit union to meet similar requirements. 

On that concise note, I wish you all a happy and warm Tuesday… peace out!

March 29, 2022 at 9:09 am

Authored By:

Henry Meier, Esq., Senior Vice President, General Counsel, New York Credit Union Association.

The views Henry expresses are Henry’s alone and do not necessarily reflect the views of the Association. In addition, although Henry strives to give his readers useful and accurate information on a broad range of subjects, many of which involve legal disputes, his views are not a substitute for legal advice from retained counsel.
