Alston & Bird Consumer Finance Blog

State Law

New York Foreclosure Abuse Prevention Act Curtails Servicers’ Options

A&B ABstract:

Effective on approval by Governor Kathy Hochul on December 30, 2022, New York Assembly Bill 7737b – the Foreclosure Abuse Prevention Act (the “Act”) became law. The Act is significant because it reverses judicial precedent that permitted a lender, after default, to undo the acceleration of a mortgage and stop the running of the statute of limitations in a foreclosure action through voluntary dismissal, discontinuance of foreclosure actions, or de-acceleration letters. Notably, the Act applies both prospectively and to any foreclosure action filed prior to its effective date that had not been resolved through a final judgment and order of sale. Further, unlike other provisions of New York law, the Act applies to all properties (and not only those that are owner-occupied). Public reaction has been mixed as to whether the measure will benefit consumers – but, regardless, it changes the rules of the game for lenders and servicers in New York State.

Background

Existing New York law establishes a six-year statute of limitations for the commencement of a mortgage foreclosure action, triggered when the borrower defaults on the obligation and the lender accelerates the obligation to pay the secured debt. In 2021, the New York Court of Appeals considered whether a lender can de-accelerate a loan and reset the statute of limitations.

The court decided four cases (with the opinion rendered in Freedom Mtge. Corp. v Engel, 37 N.Y.3d 1 (2021)), “each turning on the timeliness of a mortgage foreclosure claim.” The court held that the lender’s voluntary dismissal of a foreclosure suit constituted a revocation of the lender’s election to accelerate. Such revocation returned the parties to their pre-acceleration rights, reinstated the borrower’s right to repay via installments, and established a new statute of limitations period for any future default payments. “[W]here the maturity of the debt has been validly accelerated by commencement of a foreclosure action,” the court opined, “the noteholder’s voluntary withdrawal of that action revokes the election to accelerate, absent the noteholder’s contemporaneous statement to the contrary.”

In the course of deciding Engel, the court also considered what constituted an “overt unequivocal act” sufficient to trigger a valid acceleration of debt and the six-year statute of limitations. Here, the court held that neither the issuance of a default letter nor the filing of complaints in prior discontinued foreclosure actions that failed to reference the pertinent modified loan were sufficient methods to validly accelerate debt.

The Act

Since the Engel decision, mortgagees in New York State have relied on their ability to voluntarily discontinue a foreclosure action – and effectively reset the statute of limitations – in order to engage distressed borrowers in loss mitigation efforts. However, the Act appears to eliminate a mortgagee’s ability to unilaterally reset the limitations period by voluntarily discontinuing a foreclosure action and de-accelerating the loan.

With the express intent of overturning the Engel decision, the Act amends provisions of New York’s Real Property Actions and Proceedings Law (“RPAPL,” N.Y. Real Prop. Acts. Law §§ 1301 et seq.), General Obligations Law (“GOL,” N.Y. Gen. Oblig. Law §§ 1-101 et seq.), and Civil Practice Law and Rules (“Rules,” N.Y. C.P.L.R. §§ 101 et seq.) relating to the rights of parties involved in foreclosure actions.

RPAPL:

Under previous law, Section 1301 of the RPAPL prohibited the commencement or maintenance of any action to recover any part of a mortgage debt while another action to recover part of the mortgage debt is already pending or after final judgment has been made for the plaintiff without leave of the court in which the first action was brought. Beyond clarifying that a foreclosure action falls within the scope of that prohibition, the Act provides that procurement of leave from the first court must be a condition precedent to commencing or maintaining the new action. Thus, failure to comply with the leave of court condition precedent may no longer be excused by finding that the prior action was “de facto discontin(ued)” or “effectively abandoned” (see U.S. Bank Trust, N.A. v. Humphrey, 173 AD3d 811, 812 (2d Dept 2019)); or that the defendant was not prejudiced thereby (see Wells Fargo Bank, N.A. v. Irizarry, 142 AD3d 610, 611 (2d Dept 2016)); nor by deeming the pre-action failure a mistake, omission, defect, or irregularity that could be overlooked or disregarded (see id.).

Moreover, failure to obtain leave is a defense to the new action. If a party brings a new action without leave of the court, the section declares that the previous action is deemed discontinued unless prior to the entry of final judgment in the original action the defendant: (a) raises the failure to comply with the condition precedent, or (b) seeks dismissal of the action based upon one of the grounds set forth in Section 3211(a)(4) of the Rules.

Section 1301 of the RPAPL is further amended to provide that if the mortgage securing the bond or note representing the debt so secured by the mortgage is adjudicated as time barred by a court of competent jurisdiction, any other action to recover any part of the same mortgage debt is equally time barred. As a result, if the statute of limitations acts to bar a foreclosure action or any other action to recover on mortgage debt, an investor or servicer cannot bring any other action to recover the same part of the mortgage debt, including another foreclosure action or an action to recover a personal judgment against the borrower on the note.

GOL:

Under Section 17-105 of the GOL, an agreement to waive the statute of limitations to foreclose on a mortgage is effective if expressly set forth in writing and signed by the party to be charged.

The Act amends Section 17-105 by: (1) clarifying that the GOL is the exclusive means by which parties are enabled to postpone, cancel, reset, toll, revive or otherwise effectuate an extension of the limitations period for the commencement of an action or proceeding upon a mortgage instrument; (2) clarifying that unless effectuated in strict accordance with Section 17-105, the discontinuance of an action upon a mortgage instrument, by any means, shall not, in form or effect, function as a waiver, postponement, cancellation, resetting, tolling, or extension of the statute of limitations; and (3) codifying certain judicial rulings holding as much.

While not included or otherwise referenced in the Act, it is also worth noting that Part 419 of the New York Department of Financial Services’ mortgage loan servicer business conduct rules prohibit a mortgage servicer from requiring a homeowner to waive legal claims and defenses as a condition of a loan modification, reinstatement, forbearance or repayment plan. It is unclear whether Part 419 would be interpreted to prohibit servicers from seeking a waiver of the limitations period pursuant to Section 17-105, especially with respect to loans where the limitations period has already run. To further complicate matters, the New York legislature is currently considering a bill that would (1) create an express private right of action for violations of Part 419; (2) make compliance with Part 419’s requirements a condition precedent to commencing a foreclosure action; and (3) render failure to materially comply with Part 419 to be a defense to a foreclosure action or an action on the note, even if servicing of the loan has been transferred to a different servicer when a foreclosure action or action on the note is commenced.

Rules:

The Act amends and adds several provisions of the Rules relating to the application of the statute of limitations in actions relating to mortgage debt.

First, the Act adds Section 203(h) to the Rules, which terminates the ability of a lender or servicer to extend the statute of limitations on a foreclosure action by any form of unilateral action. No voluntary discontinuation of an action to enforce a mortgage may “in form or effect, waive, postpone, cancel, toll, extend, revive or reset the limitations period to commence an action and to interpose a claim, unless expressly prescribed by statute.” In other words, the amended section appears to prohibit a mortgagee from “de-accruing” a cause of action or otherwise effectuating a unilateral extension of the limitations period by suspending a foreclosure action – and providing loss mitigation opportunities to the borrower – once the six-year statute of limitations has begun to run after the loan is accelerated. The methods by which the statute of limitations in a mortgage foreclosure action can be waived or extended are exclusively set forth in Article 17 of the GOL (see GOL 17-105 (express written agreement to extend, waive or not plead as a defense the statute of limitations); 17-107 (unqualified payment on account of mortgage indebtedness effective to revive statute of limitations)). Accordingly, a bare stipulation of discontinuance or a lender’s unilateral decision to revoke its demand for full payment is no longer a permissible method for waiving, extending, or modifying the statute of limitations.

Second, the Act adds Section 205-a to the Rules, limiting reliance on the savings statute for time-barred claims. After termination of an action, the new section permits the original named plaintiff to commence a new action upon the same transaction or occurrence or series of transactions only if: (a) the plaintiff brings the new action within six months of the termination; and (b) the termination of the prior action occurred in any manner other than a voluntary discontinuance, a failure to obtain personal jurisdiction over the defendant, dismissal for any form of neglect, for violation of any court rules or individual part rules, failure to comply with any court scheduling orders, failure to appear for a conference or at a calendar call, failure to timely submit any order or judgment, or a final judgment upon the merits. Further, only one six-month extension will be available to the plaintiff.

Under new Section 205-a, a successor-in-interest or an assignee of the original plaintiff can only commence a new action if such party pleads and proves that the assignee is acting on behalf of the original plaintiff. Further, if the defendant has served an answer and the action has been terminated, in a new action based on the same transaction or occurrence or series of transactions (whether brought by the original plaintiff or a successor-in-interest or assignee thereof) any cause of action or defense that the defendant asserts will be considered timely “if such cause of action or defense was timely asserted in the prior action.” Section 205-a also provides that, where applicable, the original plaintiff (or a successor-in-interest acting on behalf of the original plaintiff) may only receive one six-month extension and no court shall allow the original plaintiff to receive more than one six-month extension.

Third, the Act amends Section 213(4) of the Rules to clarify that in any action where the statute of limitations is raised as a defense – and if that defense is based on a claim that the indebtedness was accelerated prior to or through commencement of a prior action – a plaintiff will be estopped from asserting that a mortgage instrument was not validly accelerated prior to or by way of commencement of a prior action. An exception exists if the prior action “was dismissed based on an expressed judicial determination, made upon a timely interposed defense, that the instrument was not validly accelerated.”

Further, in any quiet title action seeking cancellation and discharge of record of a mortgage instrument, a defendant will be estopped from asserting that the applicable statute of limitations period for commencement of an action has not expired because the instrument was not validly accelerated prior to or by way of commencement of a prior action, “unless the prior action was dismissed based on an expressed judicial determination, made upon a timely interposed defense, that the instrument was not validly accelerated.”

Finally, the Act amends Section 3217 of the Rules, by adding a new Subsection (e), which clarifies that if the statute of limitations is raised as a defense in an action, and if the defense rests on a claim that the instrument was accelerated prior to or by virtue of the commencement of a prior action, the plaintiff cannot stop the tolling of the statute of limitations by asserting that the instrument was not validly accelerated unless the prior action was dismissed based on an express judicial determination regarding invalid acceleration.

Takeaway

In light of the Act’s curtailment of a servicer’s or investor’s ability to unilaterally suspend a foreclosure action, we recommend that mortgagees carefully review their pending mortgage foreclosure actions in New York state. At a minimum, the Act removes the ability of a holder or servicer in New York state to voluntarily discontinue a foreclosure action after acceleration of the indebtedness triggers the running of the statute of limitations.

Whether this will interfere with servicers’ contractual rights and ability – and obligations under the CFPB rules and New York Part 419 – to offer meaningful loss mitigation opportunities to borrowers remains to be seen. At least one judge thinks so. In a recent Order to Show Cause, a New York Supreme Court judge concluded that the Act violates the Contracts Clause of the U.S. Constitution and included an invitation for the New York Attorney General to weigh in.

Illinois Proposes Rules Implementing Its Community Reinvestment Act for Banks, Mortgage Lenders, and Credit Unions

A&B ABstract:

The Illinois Department of Financial and Professional Regulation (“IDFPR”) has issued a notice of proposed rules to implement the newly passed Illinois Community Reinvestment Act (“ILCRA”), aimed at serving the credit needs of low- and moderate-income communities and individuals. The proposal includes a separate set of rules applicable to state-chartered banks, non-depository mortgage lenders, and credit unions. Each set of proposed rules addresses topics that include, among other things, performance tests and ratings by institution size or business model, assessment area delineation, data collection and reporting, and examination procedures. The IDFPR is soliciting comments from interested stakeholders through March 16, 2023 and will be holding three public hearings related to the rules.

What’s New?

The proposal outlines CRA responsibilities and performance evaluation measures for banks and would subject them to a CRA examination by the IDFPR, in addition to their federal CRA examinations.  The rules themselves, however, are essentially the same as under the federal CRA.

Under the ILCRA, non-depository mortgage lenders and credit unions are subject to CRA requirements.  As described in the proposal, credit unions and non-depository mortgage lenders would be subject to a CRA evaluation based on a testing framework that looks similar to the current federal CRA framework, meaning that the IDFPR will examine these institutions under tests that look similar to the current federal CRA tests depending on their operations and asset sizes.

Credit Unions

The proposal’s requirements for Illinois-chartered credit unions look comparable to those for banks under the current federal CRA and the proposal.  Akin to banks, credit unions would have CRA responsibilities in delineated assessment areas, which are communities based on where credit unions have their main offices, branches, and deposit-taking ATMs.  These responsibilities take the form of lending, investment, and service tests based on asset size thresholds and then add resultant evaluation elections depending on asset size.  Additionally, the proposal provides an alternative evaluation framework for wholesale and limited purpose credit unions, involving a community development test, and strategic plan evaluation option.  The lending test includes home mortgage, small business, and small farm loans, though it also adds potential consumer loans, such as motor vehicle, credit card, home equity, other secured, and other unsecured loans, depending on the credit union’s loan portfolio.  Credit unions would also have data collection, reporting, and disclosure requirements, though those requirements are reduced for small credit unions.

Non-depository Mortgage Lenders

Under the proposal, non-depository mortgage lenders licensed pursuant to the Residential Mortgage License Act of 1987 which made 50 or more HMDA-reportable home mortgage loans in the previous calendar year will have CRA responsibilities.  There are a number of key aspects of the proposal specific to mortgage lenders that differ from the rules for credit unions and banks:

  • In contrast to banks or credit unions, CRA activities would be assessed state-wide, not based on delineated assessment areas.
  • The proposal outlines that mortgage lenders would be subject to lending and service tests, but not an investment test. Instead, the proposal states that a mortgage lender that warrants a satisfactory rating can be considered for an outstanding rating based on its level of qualified investments and community development loans, which is essentially the traditional CRA investment test.
  • Importantly, and in contrast to the lending test evaluations of banks or credit unions, mortgage lender performance criteria for the lending test explicitly include not only the portfolio of loans’ geographic distribution, borrower characteristics, and innovative or flexible lending practices, but also (i) loss mitigation efforts, (ii) fair lending performance, and (iii) contribution to the loss of affordable housing units. These are new areas not contained in the federal CRA, either.
  • Finally, mortgage lenders will also have data collection and reporting requirements, which would include “additional data fields beyond what is required under HMDA.” These data fields are not specified in the proposal.

What’s Surprising?

The proposed regulations implementing ILCRA, as applicable to Illinois-chartered banks, largely mirror the federal CRA regulations applicable to state-chartered institutions. But those federal CRA regulations are on the precipice of a major overhaul. As proposed by the interagency Notice of Proposed Rulemaking to the federal CRA, where a bank will have CRA responsibilities, the substance of those responsibilities, the measurement of those responsibilities, and the record keeping and reporting of those responsibilities are slated for significant change under a completely new framework. Whether those changes will be finalized as currently proposed by the three prudential banking regulators remains to be seen, but the fact that the IDFPR’s suggested framework for bank compliance with the ILCRA is based on a likely soon-to-be outdated set of regulations is surprising. The proposal does note that the ILCRA regulations are intended to follow the federal standards. Accordingly, there could be a revision in the works sooner rather than later should the federal CRA regulations change contemporaneously with or soon after the ILCRA regulations are finalized.

Takeaway

Compliance with the ILCRA as proposed would be relatively easy to plan for and implement because it generally applies the current and 28-year-old federal CRA regulations to Illinois banks, non-depository mortgage lenders, and credit unions, as relevant to the type of financial institution.  However, these Illinois financial institutions would be wise to monitor the federal CRA modernization efforts with an eye to the future.  As the ILCRA proposal comment window is open, affected stakeholders should consider voicing any concerns with their future CRA responsibilities.

New York Amends Disclosure Requirements for Telemarketers

A&B ABstract:

New York Governor Kathy Hochul signed legislation in December designed to limit unwanted telemarketing calls by providing consumers the option to be added to a company’s do-not-call list at the outset of a call. The new law takes effect March 6, 2023.

Updated Requirements for New York Telemarketers:

The new legislation (S.8450-B/A.8319-C) amends New York General Business Law § 399-z as it relates to telemarketers.  New York currently regulates telemarketers, defined generally as entities that engage in solicitation by telephone call or electronic messaging text to a customer located in New York or that control or supervise such entities.  The law requires certain disclosures to be made at the time of the call.

The law is amended by the legislation to require telemarketers to give customers the option to be added to the company’s do-not-call list at the beginning of telemarketing sales calls, right after providing the telemarketer’s name and solicitor’s name. Currently, the law requires telemarketers to inform customers that they may request to be added to the company’s do-not-call list, but it does not specify when this disclosure must be made.

Takeaway:

Telemarketers doing business in New York should update their procedures and scripts to comply with this new requirement by March 6, 2023, as each violation of this rule can incur a fine of up to $11,000.

HELOCs On the Rise: Is Your Servicing CMS Ready?

A&B ABstract:

The Consumer Financial Protection Bureau (“CFPB” or “Bureau”) has moved to clarify its regulatory authority at a time when the economic climate is ripe for a resurgence in HELOC lending. In an amicus brief filed by the CFPB on November 30, 2022 (the “Amicus Brief”), the Bureau acknowledged that its Mortgage Servicing Rules, which, in 2013, amended Regulation X, RESPA’s implementing regulation, and Regulation Z, TILA’s implementing regulation, do not apply to home equity lines of credit (“HELOCs”).  This is consistent with the Bureau’s guidance in the preamble to the CFPB Mortgage Servicing Rules under RESPA, wherein the Bureau recognized that HELOCs have a different risk profile, and are serviced differently, than first-lien mortgage loans, and that many of the rules under Regulation X would be “irrelevant to HELOCs” and “would substantially overlap” with the longstanding protections under TILA and Regulation Z that apply to HELOCs.

During this past refinance boom, consumers refinanced mortgage loans at record rates. Moreover, according to a recent report by the Federal Reserve, consumers are sitting on nearly 30 trillion dollars in home equity.  HELOCs allow consumers the opportunity to extract equity from their homes without losing the low interest rate on their first-lien loan. Generally, a HELOC is a revolving line of credit that is secured by a subordinate mortgage on the borrower’s residence that typically has a draw period of 5 or 10 years.  At the end of the draw period, the outstanding loan payment converts to a repayment period of 5 to 25 years with interest and principal payments required that fully amortize the balance.

Issues to Consider in Servicing HELOCs

Servicing HELOCs raises unique issues given the open-end nature of the loan, the typical second lien position, and the different regulatory requirements. HELOC servicers will need to ensure their compliance management systems (“CMS”) are robust enough to account for a potential uptick in HELOC lending. Among many other issues, servicers will want to ensure their operations comply with several regulatory requirements, including:

Offsets: In the Amicus Brief, the CFPB argues that HELOCs accessible by a credit card are subject to the provisions of TILA and Regulation Z that prohibit card issuers from using deposit account funds to offset indebtedness arising out of a credit card transaction.

Disclosures: Long before the CFPB Mortgage Servicing Rules, TILA and Regulation Z contained disclosures applicable to HELOCs. As a result, the provisions of the CFPB Mortgage Servicing Rules under Regulation Z governing periodic billing statements, adjustable-rate mortgage (ARM) interest rate adjustment notices, and payment crediting provisions do not apply to HELOCs as these provisions are specifically limited to closed-end consumer credit transactions. However, the payoff statement requirements under Regulation Z are applicable both to HELOCs and closed-end consumer credit transactions secured by a dwelling. In addition to certain account-opening disclosures, a HELOC creditor (or its servicer) must make certain subsequent disclosures to the borrower, either annually (e.g., an annual statement) or upon the occurrence of a specific trigger event, such as the addition of a credit access device, a change in terms or change in billing cycle, or a notice to restrict credit. It is also worth noting that Regulation Z’s mortgage transfer notice (commonly referred to as the Section 404 notice) applicable when a loan is transferred, sold or assigned to a third party, applies to HELOCs. In contrast, RESPA’s servicing transfer notice does not apply to HELOCs.

Periodic Statements: TILA and Regulation Z contain a different set of periodic statement requirements, predating the CFPB Mortgage Servicing Rules, which are applicable to HELOCs. Under TILA, a servicer must comply with the open-end periodic statement requirements. That is true even if the HELOC has an open-end draw period followed by a closed-end repayment period, during which no further draws are permitted. Such statements can be complex given that principal repayment and interest accrual vary based on draws; there will be a conversion to scheduled amortization after the draw period ends; and balloon payments may be required at maturity, resulting in the need for servicing system adjustments.

Billing Error Resolution: Instead of having to comply with the Regulation X requirements for notices of error, HELOCs are subject to Regulation Z’s billing error resolution requirements.

Crediting of Payments: A creditor may credit a payment to the consumer’s account, including a HELOC, as of the date of receipt, except when a delay in crediting does not result in a finance or other charge, or except as otherwise provided in 12 C.F.R. § 1026.10(a).

Restrictions on Servicing Fees: Regulation Z restricts certain new servicing fees that may be imposed, where such fees are not provided for in the contract, because the creditor may not, by contract or otherwise, change any term except as provided in 12 C.F.R. § 1026.40. With the CFPB’s increased focus on fees, this provision may be an area of focus for the Bureau and state regulators.

Restriction on Changing the APR: The creditor may not, by contract or otherwise, change the APR of a HELOC unless such change is based on an index that is not under the creditor’s control and such index is available to the general public.  However, this requirement does not prohibit rate changes which are specifically set forth in the agreement, such as stepped-rate plans or preferred-rate provisions.

Terminating, Suspending or Reducing a Line of Credit: TILA and Regulation Z restrict the ability of the creditor to prohibit additional extensions of credit or reduce the credit limit applicable to an agreement under those circumstances set forth in 12 C.F.R. § 1026.40. Similarly, TILA and Regulation Z impose restrictions on when the creditor may terminate and accelerate the loan balance.

Rescission: Similar to closed-end loans, the consumer will have a right of rescission on a HELOC; however, the right extends beyond just the initial account opening. During the servicing of a HELOC, the consumer has a right of rescission whenever (i) credit is extended under the plan, or (ii) the credit limit is increased. But there is no right of rescission when credit extensions are made in accordance with the existing credit limit under the plan. If rescission applies, the notice and procedural requirements set forth in TILA and Regulation Z must be followed.

Default: Loss mitigation and default recovery actions may be limited by the first-lien loan. That’s because default or acceleration of the first-lien loan immediately triggers loss mitigation and default recovery to protect the second-lien loan. The protection of the second-lien loan may involve advancing monthly payments on the first-lien loan. Foreclosure pursued against the first-lien loan will trigger the second-lien holder to participate and monitor for protection and recovery. Even though not applicable to HELOCs, some servicers may consider complying with loss mitigation provisions as guidelines or best practices.

ECOA and FCRA: Terminating, suspending, or reducing the credit limit on a HELOC based on declining property values could raise redlining risk, which is a form of illegal disparate treatment in which a lender provides unequal access to credit or unequal terms of credit because of a prohibited characteristic of the residents of the area in which the credit seeker resides or will reside or in which the residential property to be mortgaged is located. Thus, lenders and servicers should have policies and procedures in place to ensure that actions to reduce, terminate or suspend HELOCs are carried out in a non-discriminatory manner.  Relatedly, the CFPB’s authority under the Dodd-Frank Act to prohibit unfair, deceptive or abusive acts or practices will similarly prohibit certain conduct in connection with the servicing of HELOCs that the CFPB may consider to be harmful to consumers.  It is also important to remember that ECOA requires that a creditor notify an applicant of action taken within 30 days after taking adverse action on an existing account, where the adverse action includes a termination of an account, an unfavorable change in the terms of an account, or a refusal to increase the amount of credit available to an applicant who has made an application for an increase.  Similar to ECOA, FCRA also requires the servicer to provide the consumer with an adverse action notice in certain circumstances.

State Law Considerations: And let’s not forget state law issues. While most of the CFPB’s Mortgage Servicing Rules do not apply to HELOCs, many state provisions may cover HELOCs.  As most HELOCs are subordinate-lien loans, second lien licensing law obligations arise. Also, sourcing, processing and funding draw requests could implicate loan originator and/or money transmitter licensing obligations. Also, at least one state prohibits a licensee from servicing a usurious loan.  For HELOCs, the issue is not only the initial rate but also the adjusted rate (assuming it is an ARM).  There may also be state-specific disclosure obligations, as well as restrictions on product terms (such as balloon payments or lien releases), fees, or credit line access devices, to name a few.

Takeaway

The servicing of HELOCs involves many of the same aspects as servicing first-lien residential mortgage loans. However, because of the open-end credit line features and the typical second-lien position, there are several unique aspects to servicing HELOCs. And, because there are no industry standard HELOC agreements, the terms of the HELOC (e.g., the length of draw and amortization periods, interest-only payment features, balloon, credit access, etc.) can vary greatly. The economic climate is poised for a resurgence in home equity lending. Now is the time to ensure your CMS is up to the task.

CSBS Releases Cybersecurity Programs to Help Nonbank Financial Services Institutions Improve Cybersecurity Posture

A&B ABstract:

On August 9, 2022, the Conference of State Bank Supervisors (CSBS) released two cybersecurity tools for nonbank financial services institutions to help them prepare for state cybersecurity examinations and, ultimately, improve cybersecurity maturity and protect financial institution infrastructure. These tools are designed to address key aspects of the Uniform Rating System for Information Technology; namely, Audit, Management, Development and Acquisition, and Support and Delivery. The CSBS also outlined the key documents that state examiners are likely to request during examinations to help ensure nonbank financial services institutions are prepared to respond to examination questions.

CSBS Cybersecurity Tools

Developed by a multi-state team of cybersecurity examination experts, the Baseline Nonbank Cybersecurity Exam Program and the Enhanced Nonbank Cybersecurity Exam Program (the “Programs”) are a set of cybersecurity questions used by state examiners to assess the ability of nonbank financial services companies to comply with applicable cybersecurity and data protection requirements. While these Programs are optional resources, the CSBS encourages nonbank financial services institutions to leverage these Programs as prescriptive guidance in implementing and maintaining a compliant cybersecurity program.

The Baseline Nonbank Cybersecurity Exam Program is intended for small nonbank financial services institutions, whereas the Enhanced version is used by state examiners evaluating larger, more complex nonbank financial services institutions (the distinction between which institutions fall under the Baseline vs. the Enhanced Program is not specified). Both Programs cover four overarching areas of the Uniform Rating System for Information Technology (URSIT) – (1) Audit, (2) Management, (3) Development and Acquisition, and (4) Support and Delivery. Specifically, the examination covers a wide range of topics, such as executive oversight of the cybersecurity program, details on the institution’s network security, vendor management, cyber insurance, malware protection controls, patch management procedures, asset inventory, business continuity management and incident response plan.  The examination questions, where relevant, cite to the FTC Safeguards Rule, as amended (16 CFR § 314), which became effective January 10, 2022 (with the exception of a limited number of sections that are not enforceable until December 9, 2022).

The CSBS also provides a Document Request List, outlining key artifacts that state examiners may request (and have requested during past examinations) to help support the institutions’ response to the examination questions. Key artifacts include core policies and procedures, written information security programs, risk assessment(s), materials presented to the board/senior management discussing cybersecurity, vulnerability assessments, and patch deployment confirmation.

These Programs, according to CSBS’s Senior Vice President of Nonbank Supervision, Chuck Cross, are intended to streamline supervisory clarity and create a more resilient financial system. These Programs are a part of CSBS’s larger initiative to equip the industry with the necessary tools to protect the critical infrastructure of financial institutions; for example, it previously provided nonbanks with a Ransomware Self-Assessment Tool and a Cybersecurity 101 Guide for executives.

Takeaway

Through the Programs, CSBS has provided nonbank financial services institutions the ability to more adequately prepare for regulatory examinations by outlining core questions and artifacts. However, the cybersecurity regulations applicable to financial institutions continue to evolve, at both the federal and state levels, requiring additional resources and expertise. It is also unclear how widely adopted these Programs will be by state regulators, particularly state regulators that have developed their own comprehensive cybersecurity examination questions (such as the New York Department of Financial Services), and there will likely continue to be differences across state regulatory examinations.

We will continue monitoring the guidance issued by CSBS and other financial industry participants and regulators with respect to the evolving cybersecurity compliance landscape.