NYDFS Superintendent Adrienne A. Harris participated in a fireside chat with the Institute of International Bankers and gave the following updates (summarized):
• Impact of Change in Federal Administration: Superintendent Harris said that the change in administration at the CFPB and elsewhere would not alter DFS’ course; that there were gaps in consumer protection even before the change of administrations; and that DFS would continue to “run its drill” in this respect.
• Crypto Policy: Superintendent Harris likewise indicated there would be no change in course of DFS in light of the very clear movement towards more pro-crypto policies at the federal level. The Superintendent stated that, because DFS has been a prudential regulator in the crypto space for almost a decade, the agency had become very good at regulating crypto and had issued nine pieces of regulatory guidance during her tenure.
• Banking Crypto: The Superintendent referred to DFS guidance requiring banks to first advise DFS of any new activity or material change with respect to banking or otherwise participating in “virtual currency activity” before commencing the activity.
• Approach to Exams: When asked whether – in light of the fact that federal supervisors are taking a “fresh look” at their own approaches to examination and supervision — DFS is considering any revision to its own approach, Superintendent Harris indicated that this would not be the case; that changes had already been adopted by DFS since the failure of Signature Bank in 2023; and that it was possible to be “risk-based” and focus both on policies and procedures (i.e., process), as well as persistent problems within a particular regulated entity.
• Ransomeware: Superintendent Harris said that the decision whether or not to pay ransomeware ultimately resided with the impacted institution. She said that the preferred approach of DFS for its entities is to follow FBI protocol, and not to pay the ransomeware (questioning its effectiveness on average); but made clear, ultimately, it was up to the entity subject to the attack.
• Artificial Intelligence: Superintendent Harris indicated that the exam process includes review of the incorporation of AI into the systems of a regulated entity; that third-party vendor management included paying particular attention to this facet; and that banking institutions could take away lessons from the AI guidance already issued by DFS for insurance companies. The Superintendent also said that DFS itself was incorporating AI into its supervisory process, as part of a larger technology upgrade at the agency.