Matthew L. Levine – Page 17 – The Blog About NYDFS

NYDFS Issues Findings Concerning Facebook Data Privacy Deficiencies

November 25, 2022April 12, 2021 by Matthew L. Levine

NYDFS issued a report last week concerning Facebook data privacy deficiencies, following a WSJ report that Facebook received sensitive user data from some popular apps, including a fertility-tracking app named “Flo,” for use in Facebook’s analytics tool.
– Facebook’s subsidiary, Facebook Payments Inc., is licensed as a money transmitter but the report found Facebook Payments “had no involvement in the privacy issues examined.” Since Facebook, the parent, indicated its willingness to cooperate “fully” the parties sought to avoid any clash about jurisdictional issues.
– NYDFS found that, while Facebook had taken steps to remediate, such as building a screening tool that would reject sensitive health information, it failed to “engage fully” with respect to other remediation proposals, and its effort to enforce its own policies against collection of sensitive data was “seriously lacking.”
– In January 2021, the Federal Trade Commission reached a proposed settlement with “Flo,” the fertility tracking app, requiring it to keep promises about user privacy.
– NYDFS argues this is another incident demonstrating the need for greater regulation on the federal and state level.

The NYDFS report can be found here: https://www.dfs.ny.gov/system/files/documents/2021/02/facebook_report_20210218.pdf

The proposed Consent Order and Complaint for the Flo Health matter can be found here: https://www.ftc.gov/enforcement/cases-proceedings/1923133/flo-health-inc

NYDFS Issues Its Second Cybersecurity Enforcement Action

November 25, 2022April 12, 2021 by Matthew L. Levine

NYDFS Cybersecurity Enforcement Action No. 2 — this time from a routine examination. Agency examiners identified significant non-compliance with the Cybersecurity Regulation by a mortgage banker, Residential Mortgage Services Inc.
– An employee handling sensitive customer information fell victim to a phishing scam in 2019
– The company failed to report the breach to NYDFS within 72 hours as required
– Indeed, it only reported it for the first time during an examination in mid-2020
– The company also failed to conduct a “comprehensive” cybersecurity risk assessment in 2019 as required
– Yet its CISO certified in April 2020 that the firm was in full compliance with the regulation
– The company will pay a $1.5 MM penalty and remediate
– Important: the penalty is assessed under the Banking Law for unsafe/unsound conduct — not the Financial Services Law.

Link to the Consent Order can be found here: https://www.dfs.ny.gov/system/files/documents/2021/03/ea20210303_residential_mortgage_0.pdf

NYDFS Issues Cybersecurity Alert to Regulated Entities

November 25, 2022April 12, 2021 by Matthew L. Levine

On March 9, 2021 NYDFS issued another cybersecurity alert to regulated entities. It disclosed that in recent days thousands of organizations were compromised via zero-day (newly discovered) vulnerabilities in the Microsoft Exchange Server. Microsoft made patches available for these vulnerabilities on March 2 but many organizations apparently were compromised before the patches were either available or applied. NYDFS is urging all regulated entities with vulnerable Microsoft Exchange services to act immediately by patching or disconnecting vulnerable servers. CISA has also released a current activity update outlining how to search for the type of compromise identified.

The alert may be found here: https://www.dfs.ny.gov/reports_and_publications/press_releases/pr202103092

A View from the Inside: A Guide to CFPB Investigations

November 25, 2022April 12, 2021 by Matthew L. Levine

Part I of a two part article I co-authored with with Tony Alexis and Kyle Tayman of Goodwin, Procter & Hoar, LLP concerning how Federal agencies, including the CFPB, are expected to ramp up enforcement under the new administration. I am fortunate to have the opportunity to co-author this article concerning navigation of CFPB investigations and how they relate to NYDFS investigations. Stay tuned for Part II of the article — NYDFS investigations, coming soon.

Part One of the two part series can be found here: Alexis_Levine_Tayman_RBFS_Final — Part One

A View From Inside: A Guide to NYDFS Investigations

November 25, 2022April 12, 2021 by Matthew L. Levine

Here is the NYDFS part — Part II of the article I co-authored with Tony Alexis and Kyle Tayman of Goodwin that discusses the navigation of a NYDFS investigation, especially where there is a parallel CFPB investigation.

The article may be found here: Levine_RBFS_Final — Part Two

NYDFS Issues Fair Lending Report on Goldman Sachs Apple Card

November 25, 2022April 12, 2021 by Matthew L. Levine

A lengthy declination letter: What happens when a regulator conducts an investigation and finds no wrongdoing? For its fair lending inquiry of Goldman Sachs co-branded credit card, the Apple Card, NYDFS issued a report on March 23, 2021 that resembles a lengthy declination letter. The report makes clear after “exhaustive review of documentation and data” NYDFS failed to uncover “evidence of deliberate or disparate impact discrimination.” Other notes:
– The investigation commenced following a viral Tweet from a tech entrepreneur alleging his wife received less favorable terms under the Apple Card.
– Tweets and other social media are increasingly visible sources for investigations (worthy or not)
– NYDFS undertook a massive statistical analysis as part of its investigation, finding no wrongdoing
– Goldman Sachs offered strong cooperation and a consumer-oriented program to assist people with inadequate credit ratings to improve their credit, a program it called “Path to Apple Card”
– 70,000 consumers enrolled in “Path to Apple Card” and about 5,000 of them have been approved for an Apple Card
– The report contains valuable guidance on the agency’s current thinking on fair lending

The report is here: https://www.dfs.ny.gov/reports_and_publications/press_releases/pr202103231

NYDFS Issues Cyber Fraud Alert

November 25, 2022April 11, 2021 by Matthew L. Levine

On March 30 2021 NYDFS issued a followup cybercrime alert: “This cybercrime campaign is a serious threat to the personal information of New Yorkers, and we urge all personal lines insurers and other financial services companies to take aggressive action to prevent the further loss of consumer information. All financial services companies should immediately check for any evidence of this cybercrime and ensure that they have implemented [] the robust access controls required by DFS’s cybersecurity regulation, 23 NYCRR 500.”

https://www.dfs.ny.gov/industry_guidance/industry_letters/il20210330_cyber_alert_followup

MATTHEW LEVINE JOINS “BANK TALK” PODCAST ON THE ANTI-MONEY LAUNDERING ACT OF 2020

November 26, 2022April 4, 2021 by Matthew L. Levine

Matthew Levine joined Trish Sullivan of Deutschebank and Chris Boehing of Paul Weiss Rifkind Wharton & Garrison to discuss the new anti-money laundering amendments to the Bank Secrecy Act for theis episode of the International Institute of Banker’s podcast “Bank Talk.” The podcast can be found here:

WHAT IS A REGULATOR’S FAVORITE SNACK? LOW HANGING FRUIT — RISK ALERT FROM SEC DIVISION OF EXAMINATIONS

November 26, 2022March 29, 2021 by Matthew L. Levine

What is a regulator’s favorite snack? Low hanging fruit: the recent Risk Alert from the SEC’s Division of Examinations concerning Suspicious Activity Reporting (SAR) for Broker-Dealers indicates a cornucopia. Some examples found by the Division:
– Firms failing to report as suspicious large deposits of low-priced securities that were immediately followed by liquidation of those positions and wiring out of the proceeds
– Firms failing to report noticeable customer sales of shares occurring simultaneously with explicit promotional activity
– Firms failing to tailor red flags to address risks associated with trading activity commonly engaged in by customers
– For cyber-intrusions, firms failing to include in a SAR known details concerning the nature of the scheme, including theft of assets or funds

Periodic check ups on policies, procedures, governance and systems surrounding SAR reporting are a key means of avoiding the consequences of a deficiency letter or enforcement action. The alert is here:

https://www.sec.gov/files/aml-risk-alert.pdf

NYDFS Issues Enforcement Action Against Industrial Bank of Korea

November 26, 2022April 20, 2020 by Matthew L. Levine

On April 20, 2020, NYDFS issued an enforcement action against the Industrial Bank of Korea (“IBK”) for violations of New York’s anti-money laundering and recordkeeping obligations. It is the first of either of these types of BSA/AML enforcement actions issued by the Department in some time; this is not surprising, given that NYDFS, like other regulators, has been consumed with responding to the COVID-19 pandemic. Significant elements of the Consent Order include:

a $35 million penalty to be paid to NYDFS;
findings by NYDFS that IBK repeatedly failed to improve its BSA/AML program over many examination cycles;
the requirement of remediation plans concerning the Bank’s BSA/AML program, suspicious activity reporting, customer due diligence and corporate governance; and
two years of quarterly reporting obligations.

More detailed analysis and the Consent Order can be found on my blog post for the NYU Program on Corporate Compliance and Enforcement Blog here:

NYDFS Issues Enforcement Action Against Industrial Bank of Korea