#NYDFS

New York Passes New Removal Procedures for Officers, Directors, Trustees, and Partners of Any Entity Regulated by Department of Financial Services

January 13, 2025 By Aldys London, Gloria Han

What Happened?

On December 21, 2024, New York Governor Kathy Hochul, signed into law, S7532, which repealed the existing section of the Banking Law addressing the removal of officers, directors, and trustees of banking organizations, bank holding companies and foreign banks (“covered individuals”), and enacted a new section providing a clearer process for removing such individuals and expanding the scope of the removal authority to apply to all entities regulated by the New York Department of Financial Services (“the Department”).

Repealed Section:

The former provisions regarding the removal of covered individuals were limited to banking organizations, bank holding companies, and foreign banks.

The Superintendent of the Department (“the Superintendent”) was authorized to bring an action to the Banking Board (“the Board”) to remove an officer, director, or trustee whenever it found that such individual:

violated any law or regulation of the Superintendent of financial services, or
“continued unauthorized or unsafe practices . . . after having been ordered or warned to discontinue such practices.”

Note that the Banking Board has not existed since the Department of Financial Services was created in 2011.

The Board would then serve notice of the action to the covered individual to appear before the Board to show why they should not be removed from office. A copy of this notice would be sent to each director or trustee of the banking organization and to each person in charge of and each officer of a branch of a foreign banking corporation.

If after a three-fifths vote by the Board members the Board found that the individual committed such violations, an order would be issued to remove the individual from office.

The removal became effective upon service of the order. The order and findings were not made public, and were only disclosed to the removed individual and the directors or trustees of the banking organization involved. Any such removed individual that participated in the management of such banking organization without permission from the Superintendent would be guilty of a misdemeanor.

Newly Enacted Section:

The new provision expands the removal authority of the Superintendent to apply to all entities regulated by the Department (“covered entities”), including: banks, trust companies, limited purpose trust companies, private banks, savings banks, safe deposit companies, savings and loan associations, credit unions, investment companies, bank holding companies, foreign banking corporations, licensed lenders, licensed cashers of checks, budget planners, mortgage bankers, mortgage loan servicers, mortgage brokers, licensed transmitters of money, and student loan servicers.

The Superintendent is authorized to bring an action to remove such individuals whenever it finds reason to believe that they:

caused, facilitated, permitted, or participated in any violation by a covered entity of a law or regulation, order issued by the Superintendent or any written agreement between such covered entity or covered individual and the Superintendent;
engaged or participated in any unsafe or unsound practice in connection with any covered entity; or
engaged or participated in any willful material act or omitted to take any material act that directly contributed to the failure of a covered entity.

The notice and hearing provisions were changed to allow the Superintendent to serve a statement of charges against the covered individual and a notice of an opportunity to appear before the Superintendent to show cause why they should not be removed from office. A copy of such notice must now be sent to the affected covered entity, instead of the directors or trustees of the covered entity and persons in charge of foreign bank branches.

Additionally, the threshold for removal was changed. Instead of being removed by a three-fifths vote of a board that no longer exists, the covered individual may be removed if, after notice and hearing: (1) the Superintendent finds that the covered individual has engaged in the unlawful conduct, or (2) if the individual waives a hearing or fails to appear in person or by authorized representative.

The order of removal is effective upon service to the individual. The order must also be served to any affected covered entity along with the statement of charges. The order remains in effect until amended, replaced, or rescinded by the Superintendent or a court of competent jurisdiction. Such removed individual is prohibited from participating in the “conduct of the affairs” of any covered entity unless they receive written permission from the Superintendent. If the individual violates such prohibition, they are guilty of a misdemeanor.

Furthermore, the Superintendent is now authorized to suspend the covered individual from office for a period of 180 days pending the determination of the charges if the Superintendent has reason to believe that:

a covered entity has suffered or will probably suffer financial loss that impacts its ability to operate in a safe and sound manner;
the interests of the depositors at a covered entity have been or could be prejudiced; or
the covered individual demonstrates willful disregard for the safety and soundness of a covered entity.

The suspension may be extended for additional periods of 180 days if the hearing is not completed within the previous period due to the request of the covered individual.

Why Does it Matter?

Prior to the update, the Superintendent only had the power to remove individual officers, directors, or trustees from office in various bank organizations. The new law expands this removal power to all entities regulated by the Department.

The amended statute creates an additional penalty for individuals who caused, facilitated, permitted, or participated in the violation of the Banking Law in their positions of power of a regulated entity. Such individuals may be removed from their positions and prohibited from participating in the management of any regulated entity, until they receive written permission from the Superintendent. If they violate the prohibition, they are guilty of a misdemeanor, which can be punished by imprisonment for up to 364 days or by a fine set by the Superintendent.

What Do I Need To Do?

Entities regulated by the Department that are now covered under this section should be aware that violations of law by a licensee may also lead to the removal of certain high-level individuals within the organization. If removed, such individuals would also be prohibited from managing any regulated entity until the Superintendent provides written permission to do so. Affected entities and individuals should take care to ensure compliance with the law to avoid these new penalties.

New York DFS to Impose Climate Change Safety and Soundness Expectations on Mortgage Lenders, Servicers, and other Regulated Organizations

January 30, 2024 By Nanci Weissgold

What Happened?

On December 21, 2023, the New York Department of Financial Services (“NYDFS”) published an 18-page guidance document (the “Guidance”) on managing material, financial and operational risks due to climate change. The NYDFS issued the Guidance after considering feedback it received on proposed guidance it issued in December 2022 on the same topic. The Guidance applies to New York State regulated mortgage lenders and servicers, as well as New York State regulated banking organizations, licensed branches and agencies of foreign banking organizations (collectively, “Regulated Organizations”).

Why Is It Important?

The NYDFS has set forth its expectations, replete with examples, for Regulated Organizations to strategically manage climate change-related financial and operational risks and identify necessary actions proportionate to their size, business activities and risk profile. Such expectations include:

Corporate Governance: An organization’s board of directors should establish a risk management framework, including its overall business strategy and risk appetite, which include climate related financial and operational risks, and holding management accountable for implementation. Such framework should be integrated within an organization’s three lines of defense – quality assurance, quality control and internal audit. Recognizing that low and moderate income (“LMI”) communities may be adversely impacted from climate change, the NYDFS expects an organization’s board of directors to direct management to “minimize and affirmatively mitigate disproportionate impacts” which could violate fair lending and other consumer finance laws. On that note, the NYDFS reminds organizations to consider opportunities to mitigate financial risk through financing or investment opportunities which enhance climate resiliency and are eligible for credit under the New York Community Reinvestment Act.
Internal Control and Risk Management: Regulated Organizations should also consider and incorporate climate related financial risks when identifying and mitigating all types of risks, including credit, liability, market, legal/compliance risk, and operational and strategic risk. The NYDFS defines financial risks from climate change to include physical risks from more intense weather events as well as transition risks, resulting from “economic and behavior changes driven by policy and regulation, new technology, consumer and investor preferences and changing liability risks.” The NYDFS recognizes that insurance is an important mitigant to climate change risk but cautions that the availability of such insurance in the future is not guaranteed.
Data Aggregation and Reporting: Regulated Organizations should establish systems to aggregate data and internally report its efforts to monitor climate related financial risk to facilitate board and senior management decision making. Such organizations also should consider developing and implementing climate scenario analyses.

What Do You Need to Do?

The NYDFS stresses that organizations should not let “uncertainty and data gaps justify inaction.” Although the NYDFS has not issued a timeline for implementation of the Guidance or begun incorporating such expectations into examinations (which will be coordinated with the prudential regulators to align with joint supervisory processes), now is the time to begin integrating climate-related financial and operational risks into your company’s organizational structure, business strategies and risk management operations. This will help you prepare for when your organization is required to respond to the request for information which the NYDFS anticipates sending out later this year. It is anticipated that the NYDFS will ask for information on the steps your organization has taken or will take within a specified period to manage financial and operational climate-related risks, including government structure, business strategy, risk management, operational resiliency measures, and metrics to measure risks.

NYDFS Finalizes Second Amendment to Its Cybersecurity Regulation

November 14, 2023 By Kristy Brown, Kimberly Peretti, Kate Hanniford, Ashley Miller, Lance Taubin

On November 1, 2023, the New York Department of Financial Services (NYDFS) published the finalized Second Amendment to its Cybersecurity Regulation (23 NYCRR Part 500), which includes a number of significant and, for many covered entities, onerous changes to its original regulation. The finalized Second Amendment is much like the June 2023 proposed draft (which made certain revisions to the November 2022 draft). Covered entities should take note of these now-final changes that will require covered entities to review and revamp major components of their cybersecurity programs, policies, procedures, and controls to ensure they are in compliance. This is particularly important as the NYDFS continues to take on an active enforcement role following cyber events, marking itself as a leading cyber regulator in the United States.

Covered entities must notify the NYDFS of certain cybersecurity incidents, including providing notice within: (1) 72 hours after determining a cybersecurity event resulting in the “deployment of ransomware within a material part of the covered entity’s information system” occurred; and (2) 24 hours of making an extortion payment in connection with a cybersecurity event.

Covered entities must implement additional cybersecurity controls, including expanding their use of multifactor authentication and maintaining a comprehensive asset inventory. Covered entities are also required to maintain additional (or more prescriptive) cybersecurity policies and procedures, including ensuring that their incident response plans address specific delineated issues (outlined in the Second Amendment) and maintaining business continuity and disaster recovery plan requirements (both of which must be tested annually).

The most senior levels of the covered entity (senior governing body) must have sufficient knowledge to oversee the cybersecurity program. Additionally, the highest-ranking executive and the CISO are required to sign the covered entity’s annual certification of material compliance.

A material failure (which could be a single act) to comply with any portion of the Cybersecurity Regulation for a 24-hour period is considered a violation.

The Second Amendment became effective on November 1, 2023, and covered entities generally have 180 days to come into compliance with the new requirements. There are certain requirements, however, that will be phased in over the next two years. We have outlined the material changes and the effective dates below.

The NYDFS is providing a number of resources for covered entities, including a helpful visual overview of the implementation timeline for covered entities, Class A companies, and small businesses (NYDFS-licensed individual producers, mortgage loan originators, and other businesses that qualify for exemptions under Sections 500.19 (a), (c), and (d)). The NYDFS is also hosting a series of webinars to provide an overview of the Second Amendment; individuals can register for the webinars on the NYDFS’s website.

NY DFS Releases Revised Proposed Second Amendment of its Cybersecurity Regulation

July 13, 2023 By Kimberly Peretti, Kate Hanniford, Ashley Miller, Lance Taubin

The New York Department of Financial Services (“NY DFS”) published an updated proposed Second Amendment to its Cybersecurity Regulation (23 NYCRR Part 500) in the New York State Register on June 28, 2023, updating its previous proposed Second Amendment, which was published November 9, 2022. While the language proposed is largely similar to the previous draft, which we previously summarized, NY DFS incorporated a number of changes as a result of the 60-day comment period.

Below we outline some of the key revisions to the proposed Second Amendment of NY DFS’s Cybersecurity Regulation compared to the previously issued version from November 9, 2022:

Risk Assessment (§§ 500.01 & 500.09). NY DFS previously proposed (in the November 2022 draft) to revise the definition of “Risk Assessment,” which NY DFS has repeatedly emphasized is a core and gating requirement for compliance with the Cybersecurity Regulation, permitting covered entities to “take into account the specific circumstances of the covered entity, including but not limited to its size, staffing, governance, businesses, services, products, operations, customers, counterparties, service providers, vendors, other relations and their locations, as well as the geographies and locations of its operations and business relations.” By contrast, the newly proposed definition more formally defines the components of and inputs to the risk assessment: “Risk assessment means the process of identifying, estimating and prioritizing cybersecurity risks to organizational operations (including mission, functions, image and reputation), organizational assets, individuals, customers, consumers, other organizations and critical infrastructure resulting from the operation of an information system. Risk assessments incorporate threat and vulnerability analyses, and consider mitigations provided by security controls planned or in place.” The revised definition omits the explicit reference to tailoring and customization currently found in § 500.09. The removal of this language and codification of the risk assessment’s general parameters suggests that although risk assessments can and should be customized to some extent, NY DFS may expect risk assessments to address a more standard set of components that as a general framework is not open to customization.
- In addition, NY DFS removed the requirement that Class A companies (which are generally large entities with at least $20M in gross annual revenue in each of the last two fiscal years from business operations in New York, and over 2,000 employees, on average over the last two years, or over or over $1B in gross annual revenue in each of the last two fiscal years from all business operations) use external experts to conduct a risk assessment once every three years.
Multi-factor Authentication (“MFA”) (§ 500.12). NY DFS continues to stress the importance of MFA in the newly revised draft of the proposed Second Amendment by broadening the requirement (relative to the current MFA requirements and proposed draft from November 2022) and bringing it in alignment with the FTC’s amended Safeguards Rule. In the revised language, MFA is explicitly required to “be utilized for any individual accessing any of the covered entity’s information systems,” (with limited exceptions, outlined below); NY DFS removed from § 500.12(a), (1) the pre-requisite that MFA be implemented based on the covered entity’s risk assessment, and (2) the option of implementing other effective controls, such as risk-based authentication. By doing so, NY DFS appears to strongly recommend MFA implementation across the board, despite retaining the limited exception if the CISO approves in writing a reasonably equivalent or more secure compensating controls (and such controls must be reviewed periodically, and at least annually).
- For covered entities that fall under the limited exemption set forth in § 500.19(a), which are generally smaller covered entities (based on number of employees and/or annual revenue), MFA must at least be utilized for (1) remote access to the covered entity’s information systems, (2) remote access to third-party applications that are cloud-based, from which nonpublic information is accessible, and (3) all privileged accounts other than service accounts that prohibit interactive logins. As with all other covered entities, the CISO may approve, in writing, reasonably equivalent or more secure compensating controls, but such controls must be reviewed periodically, and at least annually.
Incident Response Plan (“IRP”) and Business Continuity and Disaster Recovery Plan (“BCDR”) (§ 500.16). NY DFS added an additional requirement that a covered entity’s IRP include requirements to address the root cause analysis of a cybersecurity event, describing how the cybersecurity event occurred, the business impact from the cybersecurity event, and remediation steps to prevent reoccurrence. NY DFS clarified that the IRP and BCDR must be tested at least annually, and must include the ability to restore the covered entities “critical data” and information systems from backup (but NY DFS does not define “critical data”). As noted in our previous summary, the concept of BCDR is new as of the Second Amendment and not currently in effect in the existing regulation.
Annual Certification of Compliance (§ 500.17(b)). NY DFS maintains its current requirement of an annual certification of compliance by a covered entity, but has adjusted the standard for certification from “in compliance” to a certification that the covered entity “materially complied” with the Cybersecurity Regulation during the prior calendar year. Although NY DFS does not define material compliance, this revision should provide some flexibility for covered entities to complete the certification. Going forward, covered entities would be presented with two options: (i) submit a written certification that it “materially complied” with the regulation (§ 500.17(b)(1)(i)(a)); or (ii) a written acknowledgment that it did not “fully comply” with the regulation (§ 500.17(b)(1)(ii)(a)), while also identifying “all sections…that the entity has not materially complied with” (§ 500.17(b)(1)(ii)(b)). It is unclear how NY DFS intends for covered entities to parse the distinction between material compliance and a lack of full compliance, but the requirement for the covered entity to list each section with which it was not in material compliance suggests that it may expect a section-by-section analysis of material compliance for purposes of completing the certification process.
Penalties (§ 500.20). Interestingly, NY DFS added that it would take into consideration the extent to which the covered entity’s relevant policies and procedures are consistent with nationally-recognized cybersecurity frameworks, such as NIST, in assessing the appropriate penalty for non-compliance with the Cybersecurity Regulation. DFS maintains its proposed amendment that a “violation” is: (1) the failure to secure or prevent unauthorized access to an individual’s or entity’s NPI due to non-compliance or (2) the “material failure to comply for any 24-hour period” with any section of the regulation.

The revised proposed Second Amendment are subject to a 45-day comment period, ending August 14, 2023.

New York’s Commercial Finance Disclosure Law Set to Take Effect August 1, 2023

April 4, 2023 By Stephen Ornstein, Josh Dhyani

A&B Abstract:

New York is one of the first states that enacted laws requiring consumer-style disclosures for commercial financing transactions (the “New York Law”). Previously, the New York Department of Financial Services (“NYDFS”) issued guidance stating that compliance with the requirements would be delayed until it issued final implementing regulations. Those final regulations were published on February 1, 2023, with an effective date of August 1, 2023 (the “Final Regulations”).

The Final Regulations

The Final Regulations make a few significant changes from the proposed rules, primarily in response to public comments. For example:

First, New York’s law will apply only where a recipient’s business is principally managed or directed from the state of New York or where the recipient (if a natural person) is a legal resident of the state of New York. This is a change from positions taken in prior proposed versions of the rule, in which New York would have required the disclosures if either the provider or recipient was located in New York.
Second, the Final Regulations clarify that subsidiaries of financial institutions (in addition to the financial institutions themselves) are exempt from the law.
Third, the Final Regulations modify notice requirements related to transfers to adhere to UCC norms.
Fourth, while the Final Regulations still require broker compensation disclosures, it does not impose strict requirements on the format of those disclosures as originally proposed.
Finally, the Final Regulations relaxed strict signature requirements, allowing for disclosures to be provided electronically and by other reasonable means.

Takeaways

New York is among a growing list of states, which include California, Utah, and Virginia, that have enacted laws requiring consumer-style disclosures for commercial financing transactions. As we covered in a previous post, the New York Law has many similarities to the California law that became effective on December 9, 2022. However, New York’s Final Regulations apply to commercial financing transactions of $2.5 million or less, whereas the California regulations apply only to transactions of $500,000 or less. And, as covered in another prior post, Utah also requires registration and disclosures for certain commercial financing transactions of $1 million or less as of January 1, 2023. Notable as well, Virginia has enacted somewhat similar laws applicable to sales-based financing which apply to transactions on or after July 1, 2022. In general, these disclosure laws require specifically formatted lender statements, including the order of the content and respective font sizes. New York has not provided model forms.

While the California, Utah, and Virginia laws have already gone into effect, we expect additional states will also promulgate similar requirements in the future.