The New York State Department of Financial Services Introduced New Cybersecurity Regulation Amendments
By Joseph Mayo, LL.M. Candidate at New York University School of Law
The New York State Department of Financial Services (NYDFS) is finalizing its proposed cybersecurity regulation amendments to its 23 NYCRR 500 Cyber Security Requirements for Financial Services Companies. The first version of the amendments was introduced in July 2022, followed by the current version on November 9, 2022, with a sixty-day public comment period.
The NYDFS regulates and monitors almost 3,000 financial institutions, such as insurance companies, banks, credit unions, and national and international financial services companies (covered entities), that hold more than $8.8 trillion as of Dec. 31, 2021.
The regulations’ primary objective is to protect the covered entities and New York customers from attempts by nation-states, terrorist organizations, and independent criminals to exploit technological vulnerabilities and gain access to sensitive electronic data. Among other significant changes to the original regulations, the most notable is the requirement, as part of the covered entity’s cybersecurity governance, that the Chief Information Security Officer (CISO) must have adequate authority to ensure cybersecurity risks are appropriately managed.
The proposed regulations emphasize the need for an experienced board, either directly or through specialized committees, to direct and oversee cybersecurity risk, including implementation of the entity’s cybersecurity program.
Under the proposed regulations, covered entities must give the NYDFS notice of a cybersecurity event at a third-party service provider that affects the entity itself, within seventy-two hours from the time the covered entity becomes aware of the event.
Another requirement is that each covered entity must, in accordance with its risk assessment, develop and implement written policies and procedures for vulnerability management that are designed to assess the effectiveness of the entity’s cybersecurity program. The proposed regulation mandates automated and manual vulnerability scans, conducted in a timely manner, as part of the entity’s risk assessment program and after any major system changes.
The NYDFS is expected to adopt the newly amended regulations near the close of the comment period, around January 9, 2023, and most changes would take effect 180 days afterward.
Consumer Finance Law
CFPB Director Chopra Testifies Before House, Senate Committees on Semi-Annual Report
On December 14 and 15, 2022, Consumer Financial Protection Bureau (CFPB) Director Rohit Chopra testified before the U.S. House Financial Services Committee and the Senate Banking Committee regarding the Bureau’s Semi-Annual Report to Congress. The Semi-Annual Report, which covers the Bureau’s activities from October 1, 2021, through March 31, 2022, discusses its significant rules and orders, complaints about consumer financial products or services, public supervisory and enforcement actions by the Bureau, significant actions by state regulators relating to federal consumer financial law, the Bureau’s efforts to fulfill its fair lending mission, diversity in the Bureau’s workforce, and the agency’s budget.
In written testimony (see House statement and Senate statement), Director Chopra described the state of the U.S. economy and household finances, pointing with concern to the increased utilization of Buy Now, Pay Later products, rising mortgage interest rates, and issues with medical debt and related credit reporting. He also described the presence of “Big Tech” firms in the payment space, noting the Bureau’s data collection efforts directed at such firms and its interest in how these payment platforms implement existing consumer protections, as well as how they make “decisions on account approvals, freezes, and terminations.” Chopra called on Congress to pass legislation that would “ensure that payments systems are neutral and nondiscriminatory, by eliminating the incentive for firms to use their control over payments to favor their other interests,” and legislation to strengthen financial privacy protections.
In response to questions from legislators during the hearings, Director Chopra covered a wide variety of topics, including the Fifth Circuit’s decision that the Bureau is unconstitutionally funded in Consumer Financial Services Association of America v. CFPB, the role of Bureau guidance, regulation of credit reporting agencies, changes in overdraft fee practices, student debt relief, medical debt, financial data privacy, and the use of the Bureau’s Civil Penalty Fund.
CFPB Proposal Would Create Public Registry and Attestation Requirement for Nonbanks Subject to Enforcement Orders
On December 12, 2022, the CFPB promulgated a proposed rule aimed at nonbank entities subject to federal, state, and local consumer financial protection law enforcement orders. The proposal would require nonbanks to report to the Bureau any final agency or court orders or judgments brought under federal consumer financial protection laws or state laws regarding unfair, deceptive, or abusive acts or practices. In a press release accompanying the proposal, the Bureau stated that the resulting registry would help the Bureau “detect[,] . . . track and mitigate the risks posed by repeat offenders” and “monitor all lawbreakers subject to agency and court orders.”
The proposal would also impose an attestation requirement for certain larger nonbanks subject to the Bureau’s supervisory authority. Any such entity would be required to annually designate an executive responsible for and knowledgeable of the entity’s efforts to comply with any order in the registry, and annually submit a written statement signed by the executive regarding the entity’s compliance with each order.
The proposed rule would exempt insured banks and credit unions from its requirements. In its press release, the Bureau stated that “[w]hile the CFPB might later consider collecting or publishing the information described in the proposal from insured banks and credit unions, there is currently greater need to collect this information from nonbanks under its jurisdiction” in light of the active supervision of banks by the prudential financial regulatory agencies.
Comments on the proposal will be due sixty days following its publication in the Federal Register. The proposal states that the Bureau anticipates the registry to launch “no earlier than January 2024.”
State AGs Weigh in on Supreme Court Review of Bureau’s Funding Structure
On December 14, 2022, twenty-two Democratic and sixteen Republican state attorneys general filed separate amicus briefs requesting that the U.S. Supreme Court grant cross-petitions for certiorari in CFPB v. Community Financial Services Association of America, Ltd. In October, a panel of the U.S. Court of Appeals for the Fifth Circuit ruled that the Bureau’s funding structure violates the Constitution’s Appropriations Clause. The panel also invalidated a 2017 Bureau payday lending rule at issue in the litigation (the “Payday Rule”).
In the Democratic attorneys general amicus brief, amici argue that the Supreme Court should grant certiorari and reverse the Fifth Circuit as to remedial action. They explain that even if “the Court were to find a constitutional defect” in the Bureau’s funding structure, “the remedy imposed by the court below was neither justified nor compelled by law,” and “[l]eft undisturbed, the court of appeals’ reasoning could jeopardize many of the CFPB’s actions from across its decade-long existence, to the detriment of both consumers protected by those actions and financial-services providers that rely on them to guide their conduct.” They describe the Bureau’s role as a source of crucial financial regulatory authority, and they argue that the Supreme Court should reverse the ruling below and reinstate the Payday Rule.
In the Republican attorneys general brief, amici argue that the Supreme Court should grant certiorari and affirm the Fifth Circuit’s ruling, “apply[ing] its reasoning nationwide.” They point to the “undeniable and unenviable uncertainty” for financial markets caused by the circuit split between the Fifth Circuit and contrary precedent from the D.C. Circuit, and argue that the Supreme Court must “restore the CFPB’s accountability to the states.”
CFPB Prevails at Ninth Circuit in Dispute with Student Aid Company
On December 13, 2022, the U.S. Court of Appeals for the Ninth Circuit handed down a decision in CFPB v. Aria, et al., siding with the CFPB in a dispute with a student aid company and its CEO. The appeal resulted from a 2015 Bureau enforcement lawsuit against Global Financial Support, Inc. and Armond Aria. In that suit, the CFPB alleged that the defendants engaged in deceptive acts or practices in advertising a program to assist students applying for scholarships. The trial court in 2021 entered a judgment in favor of the Bureau, imposing approximately $15 million in civil money penalties and restitution.
On appeal, Aria contested the judgment by arguing that he was not a “covered person” under the Consumer Financial Protection Act because he was not “providing financial advisory services . . . to consumers on individual financial matters or relating to proprietary financial products or services . . . ,” citing 12 U.S.C. § 5481(15)(A)(viii). The Court rejected this view on the grounds that the scholarships discussed in his solicitations were financial in nature, the advice he provided covered general topics on financial aid, and he held himself out as an expert in finance. The Court also rejected arguments from Aria surrounding the deceptiveness of his solicitations and the calculation of restitution and penalties.
California Issues Cosigner Notice Translations
The California Department of Financial Protection and Innovation (DFPI) has released the Translated Notice to Cosigner on its website, in anticipation of a January 1, 2023, effective date for its cosigner notice amendment resulting from SB 633.
Lenders may use these translated notices from the DFPI website to satisfy the cosigner notice requirement. Therefore, any entity offering a consumer credit contract in California (including loans, retail installment contracts, consumer leases, and other extensions of credit) should review and implement the translated cosigner notice prior to January 1, 2023. Note that the DFPI did not provide any guidance to supplement the translations, so creditors will need to rely on the text of the bill to determine how to implement the translations. If the amended notice is not implemented prior to the effective date, any entity offering consumer credit contracts in California will potentially be subject to the risk that a cosigner can claim that they are not bound to pay on the contract if the borrower stops making payments.
Health & Life Sciences
FTC Issues New Health Products Compliance Guidance
By Lynette I. Hotchkiss, McGlinchey Stafford, PLLC
The Federal Trade Commission (FTC) has issued a new Health Products Compliance Guidance document to provide guidance to businesses on how to ensure that claims about the benefits and safety of health-related products are truthful, not misleading, and supported by science. The Guidance replaces the FTC’s Dietary Supplements: An Advertising Guide for Industry document that was issued in 1998. The Guidance notes that, since 1998, the FTC has settled or adjudicated more than 200 cases involving false or misleading advertising claims about the benefits or safety of dietary supplements or other health-related products, including foods, over-the-counter drugs, homeopathic products, health equipment, diagnostic tests, and health-related apps.
The new Guidance is provided to illustrate how the FTC identifies the express and implied claims conveyed in advertising and how the FTC evaluates the scientific support for those claims. The Guidance states that the principles and examples are intended to help advertisers comply with the basic tenets of FTC law, but the Guidance does not have the force or effect of law and does not provide a safe harbor from potential liability.