Recent developments about the New York State Department of Financial Services
(Not affiliated with NYDFS; just a blog.)
NYDFS announced a $3 million settlement with Pacific Life Insurance Company for engaging in the pension risk transfer business in New York without being licensed. NYDFS maintains its long-term focus on penalizing financial companies that conduct business in New York without the necessary license; this is construed as an unfair competitive advantage by the regulator. The resolution may be found here:
https://www.dfs.ny.gov/system/files/documents/2021/12/ea20211221_co_pacific_life.pdf
Multi-Factor Authentication (MFA) is a core tenet of cybersecurity and recent NYDFS enforcement actions have highlighted such deficiencies. NYDFS issued guidance on compliance with Part 500 regarding MFA, an important read, which may be found here: https://www.dfs.ny.gov/industry_guidance/industry_letters/il20211207_mfa_guidance
NYDFS Issued a $100 million to Mashreqbank. Enforcement takeaways:
– Conduct is failing to implement an effective OFAC compliance program, submitting incomplete reports to NYDFS, and failing to report misconduct to NYDFS;
– Conduct relates to violations of federal economic sanctions against Sudan
– NYDFS previously penalized Mashreq Bank $40 million in 2018 for a deficient BSA/AML program;
– No monitor imposed;
– Parallel actions by OFAC and the Federal Reserve Board.
The enforcement action may be found here: https://www.dfs.ny.gov/reports_and_publications/press_releases/pr20211109
NYDFS created a new Climate Risk Division, with a new Executive Deputy Superintendent overseeing the Division, which will:
– integrate climate risks into its supervision of regulated entities
– support industry growth in managing climate risks
– coordinate with international, national, and state regulators
– develop internal capacity on climate-related financial risks
– support capacity-building of peer regulators on climate-related supervision
– ensure fair access to financial services for all communities, especially those most impacted by climate change.
Press release is here: https://www.dfs.ny.gov/reports_and_publications/press_releases/pr202111032
BIG News Out of DOJ Re: Monitorships: “To the extent that prior Justice Department guidance suggested that monitorships are disfavored or are the exception, I am rescinding that guidance. Instead, I am making clear that the department is free to require the imposition of independent monitors whenever it is appropriate to do so in order to satisfy our prosecutors that a company is living up to its compliance and disclosure obligations under the DPA or NPA.” — Deputy AG Lisa Monaco.
Announcement is here: https://www.justice.gov/opa/speech/deputy-attorney-general-lisa-o-monaco-gives-keynote-address-abas-36th-national-institute
NYDFS announced a new proposed regulation designed to improve transparency for small businesses seeking commercial loans. The regulation applies to companies offering commercial financing in amounts under $2.5 million, requiring them to make standardized disclosures about credit terms. The regulation implements legislation enacted by the State legislature earlier this year. It is the first proposed regulation issued by recently appointed Acting Superintendent Harris.
The proposed regulation may be found here:
https://www.dfs.ny.gov/reports_and_publications/press_releases/pr202109211
Cyber-enforcement by NYDFS and others is only going to get more intense. I had the good fortune to sit down virtually with journalist Elizabeth Blosfield of the Insurance Journal to discuss ramped up enforcement by NYDFS in cybersecurity on the Insuring Cyber Podcast.
The link to the podcast episode can be found here: https://www.insurancejournal.tv/videos/19537/
NYDFS WATCH: Governor Hochul has nominated Adrienne Harris, a former economic advisor in the Obama White House and Treasury Department, to be the next NYDFS Superintendent. While the press release does not specify, each of the past two Superintendents became Acting Superintendent while their Senate nomination was pending.
The link to the nomination announcement is here: https://www.governor.ny.gov/news/governor-hochul-announces-nomination-adrienne-harris-superintendent-department-financial
UPDATE ON NYDFS ENFORCEMENT ACTION VS. ROBINHOOD: There is a deal in principle, according to an amended S-1 filing. Expected penalty is $30MM, and there apparently will be appointment of an independent monitor. Robinhood says NYDFS informed it of alleged violations involving cybersecurity and virtual currency (Part 500 and Part 200) requirements, including deficiencies in policies and procedures regarding risk assessment, lack of an adequate incident response and business continuity plan, and deficiencies in application development security.
A Markets Insider article on the matter can be found here: https://markets.businessinsider.com/news/stocks/robinhood-ipo-30-million-fine-crypto-anti-money-laundering-probe-2021-7
On May 12, 2021, NYDFS issued another Cybersecurity enforcement action vs. Unum Life and Paul Revere Life. What you need to know from the findings in the Consent Orde (yes, another settlement):
• The companies must pay a $1.8 million penalty, & conduct remediation and an independent third-party audit
• The relevant Cybersecurity Events occurred in September 2018 and October 2019 – both phishing intrusions; dozens of employee email accounts compromised and NPI of New Yorkers and others made accessible
• The companies did not have effective multi-factor authentication (MFA) in place for the e-mail environment until August 2019, long after the Mar 2018 deadline
• The Consent Order specifically finds the companies “falsely certified compliance with the Cybersecurity Regulation for the calendar year 2018.” Still, there is no suggestion concerning the actual level of intent underlying false certification, or whether any other consequences flow.
• There is no specific finding regarding the number of violations underlying the penalty; NYDFS finds two subsections of the regulation as violations of law.
• ENFORCEMENT TAKEAWAY: A big focus on MFA is emerging. If an entity did not implement effective MFA by March 2018, a subsequent Cybersecurity Event involving access to non public information (NPI) is a likely enforcement target. Additionally, the insurance industry remains in focus.
The Consent Order may be found here: https://www.dfs.ny.gov/system/files/documents/2021/05/ea20210512_first_unum.pdf