Alston & Bird Consumer Finance Blog

Archives for July 13, 2023

NY DFS Releases Revised Proposed Second Amendment of its Cybersecurity Regulation

The New York Department of Financial Services (“NY DFS”) published an updated proposed Second Amendment to its Cybersecurity Regulation (23 NYCRR Part 500) in the New York State Register on June 28, 2023, updating its previous proposed Second Amendment, which was published November 9, 2022. While the language proposed is largely similar to the previous draft, which we previously summarized, NY DFS incorporated a number of changes as a result of the 60-day comment period.

Below we outline some of the key revisions to the proposed Second Amendment of NY DFS’s Cybersecurity Regulation compared to the previously issued version from November 9, 2022:

  • Risk Assessment (§§ 500.01 & 500.09). NY DFS previously proposed (in the November 2022 draft) to revise the definition of “Risk Assessment,” which NY DFS has repeatedly emphasized is a core and gating requirement for compliance with the Cybersecurity Regulation, permitting covered entities to “take into account the specific circumstances of the covered entity, including but not limited to its size, staffing, governance, businesses, services, products, operations, customers, counterparties, service providers, vendors, other relations and their locations, as well as the geographies and locations of its operations and business relations.” By contrast, the newly proposed definition more formally defines the components of and inputs to the risk assessment: “Risk assessment means the process of identifying, estimating and prioritizing cybersecurity risks to organizational operations (including mission, functions, image and reputation), organizational assets, individuals, customers, consumers, other organizations and critical infrastructure resulting from the operation of an information system. Risk assessments incorporate threat and vulnerability analyses, and consider mitigations provided by security controls planned or in place.” The revised definition omits the explicit reference to tailoring and customization currently found in § 500.09. The removal of this language and codification of the risk assessment’s general parameters suggests that although risk assessments can and should be customized to some extent, NY DFS may expect risk assessments to address a more standard set of components that, as a general framework, is not open to customization.
    • In addition, NY DFS removed the requirement that Class A companies (which are generally large entities with at least $20M in gross annual revenue in each of the last two fiscal years from business operations in New York, and over 2,000 employees, on average over the last two years, or over $1B in gross annual revenue in each of the last two fiscal years from all business operations) use external experts to conduct a risk assessment once every three years.
  • Multi-factor Authentication (“MFA”) (§ 500.12). NY DFS continues to stress the importance of MFA in the newly revised draft of the proposed Second Amendment by broadening the requirement (relative to the current MFA requirements and the proposed draft from November 2022) and bringing it into alignment with the FTC’s amended Safeguards Rule. In the revised language, MFA is explicitly required to “be utilized for any individual accessing any of the covered entity’s information systems” (with limited exceptions, outlined below); NY DFS removed from § 500.12(a) (1) the prerequisite that MFA be implemented based on the covered entity’s risk assessment, and (2) the option of implementing other effective controls, such as risk-based authentication. By doing so, NY DFS appears to strongly recommend MFA implementation across the board, despite retaining the limited exception where the CISO approves in writing reasonably equivalent or more secure compensating controls (and such controls must be reviewed periodically, and at least annually).
    • For covered entities that fall under the limited exemption set forth in § 500.19(a), which are generally smaller covered entities (based on number of employees and/or annual revenue), MFA must at least be utilized for (1) remote access to the covered entity’s information systems, (2) remote access to third-party applications that are cloud-based, from which nonpublic information is accessible, and (3) all privileged accounts other than service accounts that prohibit interactive logins. As with all other covered entities, the CISO may approve, in writing, reasonably equivalent or more secure compensating controls, but such controls must be reviewed periodically, and at least annually.
  • Incident Response Plan (“IRP”) and Business Continuity and Disaster Recovery Plan (“BCDR”) (§ 500.16). NY DFS added a requirement that a covered entity’s IRP address the root cause analysis of a cybersecurity event, describing how the cybersecurity event occurred, the business impact of the cybersecurity event, and the remediation steps taken to prevent recurrence. NY DFS clarified that the IRP and BCDR must be tested at least annually, and must include the ability to restore the covered entity’s “critical data” and information systems from backup (but NY DFS does not define “critical data”). As noted in our previous summary, the concept of BCDR is new as of the Second Amendment and is not part of the existing regulation currently in effect.
  • Annual Certification of Compliance (§ 500.17(b)). NY DFS maintains its current requirement of an annual certification of compliance by a covered entity, but has adjusted the standard for certification from “in compliance” to a certification that the covered entity “materially complied” with the Cybersecurity Regulation during the prior calendar year. Although NY DFS does not define material compliance, this revision should provide some flexibility for covered entities in completing the certification. Going forward, a covered entity would be presented with two options: (i) submit a written certification that it “materially complied” with the regulation (§ 500.17(b)(1)(i)(a)); or (ii) submit a written acknowledgment that it did not “fully comply” with the regulation (§ 500.17(b)(1)(ii)(a)), while also identifying “all sections…that the entity has not materially complied with” (§ 500.17(b)(1)(ii)(b)). It is unclear how NY DFS intends for covered entities to parse the distinction between material compliance and a lack of full compliance, but the requirement for the covered entity to list each section with which it was not in material compliance suggests that NY DFS may expect a section-by-section analysis of material compliance for purposes of completing the certification process.
  • Penalties (§ 500.20). Interestingly, NY DFS added that it would take into consideration the extent to which the covered entity’s relevant policies and procedures are consistent with nationally recognized cybersecurity frameworks, such as NIST, in assessing the appropriate penalty for non-compliance with the Cybersecurity Regulation. NY DFS maintains its proposed amendment that a “violation” is: (1) the failure to secure or prevent unauthorized access to an individual’s or entity’s NPI due to non-compliance, or (2) the “material failure to comply for any 24-hour period” with any section of the regulation.

The revised proposed Second Amendment is subject to a 45-day comment period, ending August 14, 2023.

Georgia, Florida, Connecticut Enact Commercial Financial Disclosure Laws

A&B Abstract:

Georgia, Florida, and Connecticut are among a growing list of states, including California, New York, Utah, and Virginia, that have enacted laws requiring consumer-style disclosures for commercial financing transactions. These laws are part of a burgeoning trend by state legislatures to impose burdensome disclosures, like those required by the federal Truth in Lending Act (TILA), on providers of small-balance commercial loans and financings. These laws apply to business-purpose transactions but not to transactions having a consumer, family, or household purpose.

The Georgia Law

On May 1, 2023, Georgia amended its Fair Business Practices Act to require certain providers of commercial financings of $500,000 or less to furnish various disclosures to small-business borrowers before the consummation of the transactions. The statute, known as Senate Bill 90, applies to covered commercial financings consummated on or after January 1, 2024.

The Georgia law requires providers of commercial credit in amounts of $500,000 or less to provide TILA-like disclosures to small-business borrowers before the consummation of the transaction but does not specify the time period. The Georgia law defines “provider” as “a person who consummates more than five commercial financing transactions” in Georgia during any calendar year, including participants in commercial purpose marketplace lending arrangements. “Commercial financing transactions” include both closed-end and open-end commercial loans as well as accounts receivable purchase transactions but do not include real-estate-secured transactions.

Exemptions

The Georgia law exempts federally insured depository institutions and their subsidiaries, affiliates, and holding companies; Georgia-licensed money transmitters; captive finance companies; and institutions regulated by the federal Farm Credit Act. The law also exempts purchase money obligations.

Required Disclosures

The Georgia law requires providers of commercial financing transactions to furnish the following information prior to consummation:

  • Total funds provided to the business.
  • Total funds disbursed.
  • Total amount paid to the provider.
  • Total dollar cost of the transaction.
  • Payment schedule.
  • Costs associated with prepayment.

Penalties

Providers who violate these disclosure requirements face civil penalties ranging from $500 per violation to $20,000 with possible additional penalties for continued violations. Notably, violations do not affect the enforceability of the transactions, and there is no private right of action under the law.

The Florida Law

On June 26, 2023, Florida enacted the Florida Commercial Financing Disclosure Law, which requires covered providers to furnish consumer-oriented disclosures to businesses for certain commercial non-real-estate-secured financing transactions not exceeding $500,000 (the law itself exempts loans exceeding that amount, as noted below). The Florida law takes effect July 1, 2023 and becomes mandatory for transactions consummated on or after January 1, 2024.

The Florida law applies to providers of commercial financing transactions and defines “provider” as a “person who consummates more than five commercial financings” in Florida during any calendar year. “Commercial financing transactions” include commercial loans, open-end lines of credit, and accounts receivable purchase transactions. The Florida law exempts the following entities and transactions: federally insured depository institutions, their subsidiaries, affiliates, and holding companies; licensed money transmitters; real-estate-secured loans; loans exceeding $500,000; leases; and certain purchase money transactions.

Required Disclosures

The provider is required to disclose in writing the following at or before the consummation of a commercial financing transaction:

  • The total amount of funds provided to the business.
  • The total amount of funds disbursed to the business if less than the total amount of funds provided because of any fees deducted or withheld at disbursement and any amount paid to a third party on behalf of the business.
  • The total amount to be paid to the provider.
  • The total dollar cost of the commercial financing transaction, calculated by subtracting the total amount of funds provided from the total amount of the payments.
  • The manner, frequency, and amount of each payment or, if there are variable payments, an estimated initial payment and the methodology used for calculating it.
  • Certain information about prepayments.

Prohibited Acts

The Florida law prohibits a broker arranging a commercial financing transaction from engaging in any of the following acts:

  • Assessing, collecting, or soliciting an advance fee from a business to provide services to a broker. However, this prohibition would not preclude a broker from soliciting a business to pay for, or preclude a business from paying for, actual services necessary to apply for commercial financial products, such as a credit check or an appraisal of security, if certain conditions are met.
  • Making or using any false or misleading representations or omitting any material facts in the offer or sale of the services of a broker or engaging in any act that would “operate as fraud or deception upon any person in connection with the offer or sale of the services of the broker, notwithstanding the absence of reliance by the business.”
  • Making or using any false or deceptive representations in its business dealings.
  • Offering the services of a broker by any advertisement without disclosing the actual address and telephone number of the business of the broker.

Penalties

Like the Georgia law, the Florida law punishes violations with civil fines ranging from $500 per incident to $20,000 with possible additional penalties for “aggregated violations.” Notably, violations do not impair the enforceability of the transactions or create a private right of action.

The Connecticut Law

On June 28, 2023, Connecticut enacted “An Act Requiring Certain Financing Disclosures,” which (1) requires lenders offering certain types of commercial-purpose “sales-based financing” in amounts of $250,000 or less to provide specified consumer-like disclosures to applicants; and (2) mandates that lenders offering such credit register annually with the Connecticut Department of Banking, starting by October 1, 2024. The Connecticut law authorizes the state banking commissioner to adopt implementing regulations, and the law takes effect on July 1, 2024.

The Connecticut law applies to providers of commercial financings and defines “provider” as “a person who extends a specific offer of commercial financing to a recipient and includes, unless otherwise exempt … a commercial financing broker.”

“Commercial financing” means any extension of sales-based financing by a provider not exceeding $250,000. Under the statute, “sales-based financing” is a “transaction that is repaid by the recipient to the provider over time” (1) as a percentage of sales or revenue, in which the payment amount may increase or decrease according to the recipient’s sales or revenue, or (2) according to a fixed payment mechanism that provides for a reconciliation process that adjusts the payment to an amount that is a percentage of sales or revenue.

Notably, the Connecticut law exempts the following entities and transactions:

  • Banks, bank holding companies, credit unions, and their subsidiaries and affiliates.
  • Entities providing no more than five commercial financing transactions in a 12-month period.
  • Real-estate-secured loans.
  • Leases.
  • Purchase money obligations.
  • Technology service providers acting for an exempt entity as long as they do not have an interest in the entity’s program.
  • Transactions of $50,000 or more to motor vehicle dealers or rental companies.
  • Transactions offered in connection with the sale of a product that the person manufactures, licenses, or distributes.

Required Disclosures

The Connecticut law requires that, before making a “specific offer” (i.e., a binding offer of credit), providers must furnish certain disclosures to borrowers, in a form prescribed by the state banking commissioner, including:

  • The total amount of the commercial financing.
  • The disbursement amount, which is the amount paid to the recipient or on the recipient’s behalf, excluding any finance charges that are deducted or withheld at disbursement.
  • The finance charge.
  • The total repayment amount, which is the disbursement amount plus the finance charge.
  • The estimated repayment period.
  • A payment schedule.
  • A description of fees not included in the finance charge, such as draw fees and late charges.
  • A description of any collateral requirements.
  • Information about brokerage compensation.

The Connecticut banking commissioner is expected to promulgate implementing regulations and model disclosures before the effective date of July 1, 2024.

Registration Requirement

The Connecticut law requires providers and brokers to register with the state banking commissioner by October 1, 2024 and to qualify to “do business” in the state. The registration must be renewed annually.

Penalties

The statute authorizes the banking commissioner to impose civil penalties of up to $100,000 for violations of the law, as well as to enjoin those violating the statute.

Takeaway

The three state laws recently enacted in Georgia, Florida, and Connecticut are part of a growing trend among states to regulate small-balance commercial non-real-estate-secured loans. The burdens imposed by the laws will be the lenders’ cross to bear unless they can avoid triggering the coverage of the statutes.