Reacting to the Equifax data breach, the New York State Department of Financial Services (DFS or the Department) is expanding its already far-reaching cybersecurity regulations. As we previously explained, the cybersecurity regulations impose requirements on all entities operating in New York under a DFS license, registration, or similar authorization (Covered Entities). The regulations took effect on March 1, 2017, with a two-year phased-in implementation of certain provisions, including the third-party service provider security rule that requires certain non-affiliates of Covered Entities to have cybersecurity protections in place. Arguably, this existing requirement already reaches consumer credit reporting agencies (CCRAs) in their capacity as third-party service providers to Covered Entities licensed in New York.
Notwithstanding the cybersecurity regulation’s two-year implementation period, the Department did not wait to take action. On Sept. 18, 2017, Governor Cuomo directed the Department to promulgate proposed regulations: (i) requiring CCRAs to register with DFS; (ii) establishing certain prohibited practices for CCRAs; and (iii) clarifying that CCRAs must comply with the cybersecurity regulations. Prior to this proposal, CCRAs were not licensed by the Department and therefore fell outside DFS’s regulatory reach. Arguably, CCRAs are currently subject only to the consumer protection provisions of the federal Fair Credit Reporting Act and New York’s General Business Law, including the General Business Law obligation to report certain data breaches to the NYS Attorney General, the NYS Division of State Police, and the Department of State’s Division of Consumer Protection. This regulatory shift could represent a major expansion of DFS’s role in enforcing financial consumer protection laws.
Proposed Regulations: Registration Requirements & Prohibited Practices
The proposed regulations would require every CCRA that assembles, evaluates, or maintains a consumer credit report on New York consumers to register annually, and file annual reports, with the Superintendent of the DFS. CCRAs already assembling, evaluating, or maintaining credit reports on New York consumers would have to register by Feb. 1, 2018. CCRAs not yet operating in New York would have to register before handling consumer credit reports for New York consumers. CCRA registrants would also be subject to examination by the Department as frequently as the Superintendent deems necessary. The proposed regulation gives the Superintendent authority to non-renew, revoke, or suspend a registration if, in her or his judgment, the registrant (or any member, principal, officer, director or controlling person of the registrant) is not trustworthy or competent, has violated any law, or has provided materially incorrect, misleading or incomplete information to the Department or to consumers.
The prohibited practices included in the proposed rule largely restate existing federal law regulating CCRAs and include bars against:
- Directly or indirectly employing any schemes to defraud or mislead consumers;
- Engaging in any unfair, deceptive or predatory act or practices toward consumers;
- Engaging in any unfair, deceptive, or abusive act or practice in violation of section 1036 of the Dodd-Frank Wall Street Reform and Consumer Protection Act;
- Including inaccurate information in any consumer report relating to a consumer located in New York;
- Refusing to communicate with an authorized representative of a consumer located in New York who provides valid authorization; and
- Making any false statement or omission of a material fact in connection with any information or reports filed with a governmental agency or in connection with any investigation by a governmental agency.
Finally, the proposed regulation deems every CCRA registrant a Covered Entity subject to certain provisions of DFS’s cybersecurity regulations. As currently drafted, the cybersecurity regulations would apply to all CCRAs, regardless of the size of the corporation, because the proposed regulation does not cross-reference the limited exemptions in the cybersecurity regulation. Compliance with the cybersecurity requirements would be phased in on an incremental schedule beginning on April 4, 2018, tracking the timeframe set out for other Covered Entities.
Discussion & Next Steps
There is a legal question as to whether promulgation of these sweeping regulations would exceed the Department’s statutory authority. It is well accepted that the DFS Superintendent has authority to regulate historically unregulated financial products, services, and entities, so long as such regulations are not inconsistent with the Financial Services Law. It is unclear, however, whether CCRAs fall within this space of hybrid products that DFS is empowered to regulate and subject to licensure. Even assuming the proposed regulations were wholly valid, many additional questions remain because of their breadth and the omission of details that are left to future regulation or Department discretion. For example, the proposal does not give the Superintendent clear authority to deny a registration. This ambiguity presents logistical questions as to whether a registration would be deemed effective upon filing, after a certain number of days, or only upon affirmative approval from the Department. The proposed regulation also requires annual reports to include an affirmation, under penalty of perjury, that the information is true, but is silent as to what information must be reported. Instead, the regulation would give the Superintendent authority to prescribe what matters must be reported to the Department. Likewise, the registration, reporting, and affirmation forms have not yet been released by the Department. Lastly, the term “located” with respect to consumers is undefined; if interpreted broadly, it could reach out-of-state residents merely because a transaction within New York State affected the consumer’s credit report.
The proposed regulation was released via a press release issued by Governor Cuomo’s office on a Monday morning. The proposal will need to be formally published in the State Register in order to begin the 30-day public comment period mandated by the State Administrative Procedure Act before adoption. Such publication could occur as early as Wednesday, Sept. 27, 2017.