Alston & Bird Consumer Finance Blog


New York DFS to Impose Climate Change Safety and Soundness Expectations on Mortgage Lenders, Servicers, and other Regulated Organizations

What Happened?

On December 21, 2023, the New York Department of Financial Services (“NYDFS”) published an 18-page guidance document (the “Guidance”) on managing material, financial and operational risks due to climate change. The NYDFS issued the Guidance after considering feedback it received on proposed guidance it issued in December 2022 on the same topic. The Guidance applies to New York State regulated mortgage lenders and servicers, as well as New York State regulated banking organizations, licensed branches and agencies of foreign banking organizations (collectively, “Regulated Organizations”).

Why Is It Important?

The NYDFS has set forth its expectations, replete with examples, for Regulated Organizations to strategically manage climate change-related financial and operational risks and identify necessary actions proportionate to their size, business activities and risk profile.  Such expectations include:

  • Corporate Governance: An organization’s board of directors should establish a risk management framework, including its overall business strategy and risk appetite, which include climate related financial and operational risks, and holding management accountable for implementation. Such framework should be integrated within an organization’s three lines of defense – quality assurance, quality control and internal audit. Recognizing that low and moderate income (“LMI”) communities may be adversely impacted from climate change, the NYDFS expects an organization’s board of directors to direct management to “minimize and affirmatively mitigate disproportionate impacts” which could violate fair lending and other consumer finance laws. On that note, the NYDFS reminds organizations to consider opportunities to mitigate financial risk through financing or investment opportunities which enhance climate resiliency and are eligible for credit under the New York Community Reinvestment Act.
  • Internal Control and Risk Management: Regulated Organizations should also consider and incorporate climate related financial risks when identifying and mitigating all types of risks, including credit, liability, market, legal/compliance risk, and operational and strategic risk. The NYDFS defines financial risks from climate change to include physical risks from more intense weather events as well as transition risks, resulting from “economic and behavior changes driven by policy and regulation, new technology, consumer and investor preferences and changing liability risks.” The NYDFS recognizes that insurance is an important mitigant to climate change risk but cautions that the availability of such insurance in the future is not guaranteed.
  • Data Aggregation and Reporting: Regulated Organizations should establish systems to aggregate data and internally report its efforts to monitor climate related financial risk to facilitate board and senior management decision making. Such organizations also should consider developing and implementing climate scenario analyses.

What Do You Need to Do?

The NYDFS stresses that organizations should not let “uncertainty and data gaps justify inaction.” Although the NYDFS has not issued a timeline for implementation of the Guidance or begun incorporating such expectations into examinations (which will be coordinated with the prudential regulators to align with joint supervisory processes), now is the time to begin integrating climate-related financial and operational risks into your company’s organizational structure, business strategies and risk management operations.  This will help you prepare for when your organization is required to respond to the request for information which the NYDFS anticipates sending out later this year.  It is anticipated that the NYDFS will ask for information on the steps your organization has taken or will take within a specified period to manage financial and operational climate-related risks, including government structure, business strategy, risk management, operational resiliency measures, and metrics to measure risks.

NYDFS Finalizes Second Amendment to Its Cybersecurity Regulation

On November 1, 2023, the New York Department of Financial Services (NYDFS) published the finalized Second Amendment to its Cybersecurity Regulation (23 NYCRR Part 500), which includes a number of significant and, for many covered entities, onerous changes to its original regulation. The finalized Second Amendment is much like the June 2023 proposed draft (which made certain revisions to the November 2022 draft). Covered entities should take note of these now-final changes that will require covered entities to review and revamp major components of their cybersecurity programs, policies, procedures, and controls to ensure they are in compliance. This is particularly important as the NYDFS continues to take on an active enforcement role following cyber events, marking itself as a leading cyber regulator in the United States.

Covered entities must notify the NYDFS of certain cybersecurity incidents, including providing notice within: (1) 72 hours after determining a cybersecurity event resulting in the “deployment of ransomware within a material part of the covered entity’s information system” occurred; and (2) 24 hours of making an extortion payment in connection with a cybersecurity event.

Covered entities must implement additional cybersecurity controls, including expanding their use of multifactor authentication and maintaining a comprehensive asset inventory. Covered entities are also required to maintain additional (or more prescriptive) cybersecurity policies and procedures, including ensuring that their incident response plans address specific delineated issues (outlined in the Second Amendment) and maintaining business continuity and disaster recovery plan requirements (both of which must be tested annually).

The most senior levels of the covered entity (senior governing body) must have sufficient knowledge to oversee the cybersecurity program. Additionally, the highest-ranking executive and the CISO are required to sign the covered entity’s annual certification of material compliance.

A material failure (which could be a single act) to comply with any portion of the Cybersecurity Regulation for a 24-hour period is considered a violation.

The Second Amendment became effective on November 1, 2023, and covered entities generally have 180 days to come into compliance with the new requirements. There are certain requirements, however, that will be phased in over the next two years. We have outlined the material changes and the effective dates below.

NYDFS Finalizes Second Amendment to Its Cybersecurity Regulation Chart

The NYDFS is providing a number of resources for covered entities, including a helpful visual overview of the implementation timeline for covered entitiesClass A companies, and small businesses (NYDFS-licensed individual producers, mortgage loan originators, and other businesses that qualify for exemptions under Sections 500.19 (a), (c), and (d)). The NYDFS is also hosting a series of webinars to provide an overview of the Second Amendment; individuals can register for the webinars on the NYDFS’s website.




NY DFS Releases Revised Proposed Second Amendment of its Cybersecurity Regulation

The New York Department of Financial Services (“NY DFS”) published an updated proposed Second Amendment to its Cybersecurity Regulation (23 NYCRR Part 500) in the New York State Register on June 28, 2023, updating its previous proposed Second Amendment, which was published November 9, 2022. While the language proposed is largely similar to the previous draft, which we previously summarized, NY DFS incorporated a number of changes as a result of the 60-day comment period.

Below we outline some of the key revisions to the proposed Second Amendment of NY DFS’s Cybersecurity Regulation compared to the previously issued version from November 9, 2022:

  • Risk Assessment (§§ 500.01 & 500.09). NY DFS previously proposed (in the November 2022 draft) to revise the definition of “Risk Assessment,” which NY DFS has repeatedly emphasized is a core and gating requirement for compliance with the Cybersecurity Regulation, permitting covered entities to “take into account the specific circumstances of the covered entity, including but not limited to its size, staffing, governance, businesses, services, products, operations, customers, counterparties, service providers, vendors, other relations and their locations, as well as the geographies and locations of its operations and business relations.” By contrast, the newly proposed definition more formally defines the components of and inputs to the risk assessment: “Risk assessment means the process of identifying, estimating and prioritizing cybersecurity risks to organizational operations (including mission, functions, image and reputation), organizational assets, individuals, customers, consumers, other organizations and critical infrastructure resulting from the operation of an information system. Risk assessments incorporate threat and vulnerability analyses, and consider mitigations provided by security controls planned or in place.” The revised definition omits the explicit reference to tailoring and customization currently found in § 500.09.  The removal of this language and codification of the risk assessment’s general parameters suggests that although risk assessments can and should be customized to some extent, NY DFS may expect risk assessments to address a more standard set of components that as a general framework is not open to customization.
    • In addition, NY DFS removed the requirement that Class A companies (which are generally large entities with at least $20M in gross annual revenue in each of the last two fiscal years from business operations in New York, and over 2,000 employees, on average over the last two years, or over or over $1B in gross annual revenue in each of the last two fiscal years from all business operations) use external experts to conduct a risk assessment once every three years.
  • Multi-factor Authentication (“MFA”) (§ 500.12). NY DFS continues to stress the importance of MFA in the newly revised draft of the proposed Second Amendment by broadening the requirement (relative to the current MFA requirements and proposed draft from November 2022) and bringing it in alignment with the FTC’s amended Safeguards Rule. In the revised language, MFA is explicitly required to “be utilized for any individual accessing any of the covered entity’s information systems,” (with limited exceptions, outlined below); NY DFS removed from § 500.12(a), (1) the pre-requisite that MFA be implemented based on the covered entity’s risk assessment, and (2) the option of implementing other effective controls, such as risk-based authentication. By doing so, NY DFS appears to strongly recommend MFA implementation across the board, despite retaining the limited exception if the CISO approves in writing a reasonably equivalent or more secure compensating controls (and such controls must be reviewed periodically, and at least annually).
    • For covered entities that fall under the limited exemption set forth in § 500.19(a), which are generally smaller covered entities (based on number of employees and/or annual revenue), MFA must at least be utilized for (1) remote access to the covered entity’s information systems, (2) remote access to third-party applications that are cloud-based, from which nonpublic information is accessible, and (3) all privileged accounts other than service accounts that prohibit interactive logins. As with all other covered entities, the CISO may approve, in writing, reasonably equivalent or more secure compensating controls, but such controls must be reviewed periodically, and at least annually.
  • Incident Response Plan (“IRP”) and Business Continuity and Disaster Recovery Plan (“BCDR”) (§ 500.16). NY DFS added an additional requirement that a covered entity’s IRP include requirements to address the root cause analysis of a cybersecurity event, describing how the cybersecurity event occurred, the business impact from the cybersecurity event, and remediation steps to prevent reoccurrence. NY DFS clarified that the IRP and BCDR must be tested at least annually, and must include the ability to restore the covered entities “critical data” and information systems from backup (but NY DFS does not define “critical data”). As noted in our previous summary, the concept of BCDR is new as of the Second Amendment and not currently in effect in the existing regulation.
  • Annual Certification of Compliance (§ 500.17(b)). NY DFS maintains its current requirement of an annual certification of compliance by a covered entity, but has adjusted the standard for certification from “in compliance” to a certification that the covered entity “materially complied” with the Cybersecurity Regulation during the prior calendar year.  Although NY DFS does not define material compliance, this revision should provide some flexibility for covered entities to complete the certification.  Going forward, covered entities would be presented with two options: (i) submit a written certification that it “materially complied” with the regulation (§ 500.17(b)(1)(i)(a)); or (ii) a written acknowledgment that it did not “fully comply” with the regulation (§ 500.17(b)(1)(ii)(a)), while also identifying “all sections…that the entity has not materially complied with” (§ 500.17(b)(1)(ii)(b)).  It is unclear how NY DFS intends for covered entities to parse the distinction between material compliance and a lack of full compliance, but the requirement for the covered entity to list each section with which it was not in material compliance suggests that it may expect a section-by-section analysis of material compliance for purposes of completing the certification process.
  • Penalties (§ 500.20). Interestingly, NY DFS added that it would take into consideration the extent to which the covered entity’s relevant policies and procedures are consistent with nationally-recognized cybersecurity frameworks, such as NIST, in assessing the appropriate penalty for non-compliance with the Cybersecurity Regulation.  DFS maintains its proposed amendment that a “violation” is: (1) the failure to secure or prevent unauthorized access to an individual’s or entity’s NPI due to non-compliance or (2) the “material failure to comply for any 24-hour period” with any section of the regulation.

The revised proposed Second Amendment are subject to a 45-day comment period, ending August 14, 2023.

New York’s Commercial Finance Disclosure Law Set to Take Effect August 1, 2023

A&B Abstract:

New York is one of the first states that enacted laws requiring consumer-style disclosures for commercial financing transactions (the “New York Law”). Previously, the New York Department of Financial Services (“NYDFS”) issued guidance stating that compliance with the requirements would be delayed until it issued final implementing regulations. Those final regulations were published on February 1, 2023, with an effective date of August 1, 2023 (the “Final Regulations”).

The Final Regulations

The Final Regulations make a few significant changes from the proposed rules, primarily in response to public comments. For example:

  • First, New York’s law will apply only where a recipient’s business is principally managed or directed from the state of New York or where the recipient (if a natural person) is a legal resident of the state of New York. This is a change from positions taken in prior proposed versions of the rule, in which New York would have required the disclosures if either the provider or recipient was located in New York.
  • Second, the Final Regulations clarify that subsidiaries of financial institutions (in addition to the financial institutions themselves) are exempt from the law.
  • Third, the Final Regulations modify notice requirements related to transfers to adhere to UCC norms.
  • Fourth, while the Final Regulations still require broker compensation disclosures, it does not impose strict requirements on the format of those disclosures as originally proposed.
  • Finally, the Final Regulations relaxed strict signature requirements, allowing for disclosures to be provided electronically and by other reasonable means.


New York is among a growing list of states, which include California, Utah, and Virginia, that have enacted laws requiring consumer-style disclosures for commercial financing transactions. As we covered in a previous post, the New York Law has many similarities to the California law that became effective on December 9, 2022. However, New York’s Final Regulations apply to commercial financing transactions of $2.5 million or less, whereas the California regulations apply only to transactions of $500,000 or less. And, as covered in another prior post, Utah also requires registration and disclosures for certain commercial financing transactions of $1 million or less as of January 1, 2023. Notable as well, Virginia has enacted somewhat similar laws applicable to sales-based financing which apply to transactions on or after July 1, 2022. In general, these disclosure laws require specifically formatted lender statements, including the order of the content and respective font sizes. New York has not provided model forms.

While the California, Utah, and Virginia laws have already gone into effect, we expect additional states will also promulgate similar requirements in the future.

New York Foreclosure Abuse Prevention Act Curtails Servicers’ Options

A&B ABstract:

Effective on approval by Governor Kathy Hochul on December 30, 2022, New York Assembly Bill 7737b – the Foreclosure Abuse Prevention Act (the “Act”) became law.  The Act is signifcant because it reverses judicial precedent that permitted a lender, after default, to undo the acceleration of a mortgage and stop the running of the statute of limitations in a foreclosure action through voluntary dismissal, discontinuance of foreclosure actions, or de-acceleration letters. Notably, the Act applies both prospectively and to any foreclosure action filed prior to its effective date that had not been resolved through a final judgment and order of sale. Further, unlike other provisions of New York law, the Act applies to all properties (and not only those that are owner-occupied). Public reaction has been mixed as to whether the measure will benefit consumers – but, regardless, it changes the rules of the game for lenders and servicers in New York State.


Existing New York law establishes a six-year statute of limitations for the commencement of a mortgage foreclosure action, triggered when the borrower defaults on the obligation and the lender accelerates the obligation to pay the secured debt. In 2021, the New York Court of Appeals considered whether a lender can de-accelerate a loan and reset the statute of limitations.

The court decided four cases (with the opinion rendered in Freedom Mtge. Corp. v Engel, 37 N.Y.3d 1 (2021)), “each turning on the timeliness of a mortgage foreclosure claim.” The court held that the lender’s voluntary dismissal of a foreclosure suit constituted a revocation of the lender’s election to accelerate. Such revocation returned the parties to their pre-acceleration rights, reinstated the borrower’s right to repay via installments, and established a new statute of limitations period for any future default payments. According to the court, “[w]here the maturity of the debt has been validly accelerated by commencement of a foreclosure action,” the court opined, “the noteholder’s voluntary withdrawal of that action revokes the election to accelerate, absent the noteholder’s contemporaneous statement to the contrary.”

In the course of deciding Engel, the court also considered what constituted an “overt unequivocal act” sufficient to trigger a valid acceleration of debt and the six-year statute of limitations. Here, the court held that neither the issuance of a default letter nor the filing of complaints in prior discontinued foreclosure actions that failed to reference the pertinent modified loan were sufficient methods to validly accelerate debt.

The Act

Since the Engel decision, mortgagees in New York State have relied on their ability to voluntarily discontinue a foreclosure action – and effectively reset the statute of limitations– in order to engage distressed borrowers in loss mitigation efforts. However, the Act appears to eliminate a mortgagee’s ability to unilaterally reset the limitations period by voluntarily discontinuing a foreclosure action and deaccelerating the loan.

With the express intent of overturning the Engel decision, the Act amends provisions of New York’s Real Property Actions and Proceedings Law (“RPAPL,” N.Y. Real Prop. Acts. Law §§ 1301 et seq.), General Obligations Law (“GOL,” N.Y. Gen. Oblig. Law §§ 1-101 et seq.), and Civil Practice Law and Rules (“Rules,” N.Y. C.P.L.R. §§ 101 et seq.) relating to the rights of parties involved in foreclosure actions.


Under previous law, Section 1301 of the RPAPL prohibited the commencement or maintenance of any action to recover any part of a mortgage debt while another action to recover part of the mortgage debt is already pending or after final judgment has been made for the plaintiff without leave of the court in which the first action was brought. Beyond clarifying that a foreclosure action falls within the scope of that prohibition, the Act provides that procurement of leave from the first court must be a condition precedent to commencing or maintaining the new action. Thus, failure to comply with the leave of court condition precedent may no longer be excused by finding that the prior action was “de facto discontin(ued)” or “effectively abandoned” (see U.S. Bank Trust, N.A. v. Humphrey, 173 AD3d 811, 812 (2d Dept 2019)); or that the defendant was not prejudiced thereby (see Wells Fargo Bank, N.A. v. Irizarry, 142 AD3d 610, 611 (2d Dept 2016)); nor by deeming the pre-action failure a mistake, omission, defect, or irregularity that could be overlooked or disregarded (see id.).

Moreover, failure to obtain leave is a defense to the new action. If a party brings a new action without leave of the court, the section declares that the previous action is deemed discontinued unless prior to the entry of final judgment in the original action the defendant: (a) raises the failure to comply with the condition precedent, or (b) seeks dismissal of the action based upon one of the grounds set forth in Section 3211(a)(4) of the Rules.

Section 1301 of the RPAPL is further amended to provide that if the mortgage securing the bond or note representing the debt so secured by the mortgage is adjudicated as time barred by a court of competent jurisdiction, any other action to recover any part of the same mortgage debt is equally time barred. As a result, if the statute of limitations acts to bar a foreclosure action or any other action to recover on mortgage debt, an investor or servicer cannot bring any other action to recover the same part of the mortgage debt, including another foreclosure action or an action to recover a personal judgment against the borrower on the note.


Under Section 17-105 of the GOL, an agreement to waive the statute of limitations to foreclose on a mortgage is effective if expressly set forth in writing and signed by the party to be charged.

The Act amends Section 17-105 by: (1) clarifying that the GOL is the exclusive means by which parties are enabled to postpone, cancel, reset, toll, revive or otherwise effectuate an extension of the limitations period for the commencement of an action or proceeding upon a mortgage instrument; (2) clarifying that unless effectuated in strict accordance with Section 17-105, the discontinuance of an action upon a mortgage instrument, by any means, shall not, in form or effect, function as a waiver, postponement, cancellation, resetting, tolling, or extension of the statute of limitations; and (3) codifying certain judicial rulings holding as much.

While not included or otherwise referenced in the Act, it is also worth noting that Part 419 of the New York Department of Financial Services’ mortgage loan servicer business conduct rules prohibit a mortgage servicer from requiring a homeowner to waive legal claims and defenses as a condition of a loan modification, reinstatement, forbearance or repayment plan. It is unclear whether Part 419 would be interpreted to prohibit servicers from seeking a waiver of the limitations period pursuant to Section 17-105, especially with respect to loans where the limitations period has already run. To further complicate matters, the New York legislature is currently considering a bill that would (1) create an express private right of action for violations of Part 419; (2) make compliance with Part 419’s requirements a condition precedent to commencing a foreclosure action; and (3) render failure to materially comply with Part 419 to be a defense to a foreclosure action or an action on the note, even if servicing of the loan has been transferred to a different servicer when a foreclosure action or action on the note is commenced.


The Act amends and adds several provisions of the Rules relating to the application of the statute of limitations in actions relating to mortgage debt.

First, the Act adds Section 203(h) to the Rules, which terminates the ability of a lender or servicer to extend the statute of limitations on a foreclosure action by any form of unilateral action. No voluntary discontinuation of an action to enforce a mortgage may “in form or effect, waive, postpone, cancel, toll, extend, revive or reset the limitations period to commence an action and to interpose a claim, unless expressly prescribed by statute.” In other words, the amended section appears to prohibit a mortgagee from “de-accruing” a cause of action or otherwise effectuating a unilateral extension of the limitations period by suspending a foreclosure action – and providing loss mitigation opportunities to the borrower – once the six-year statute of limitations has begun to run after the loan is accelerated. The methods by which the statute of limitations in a mortgage foreclosure action can be waived or extended are exclusively set forth in Article 17 of the GOL (see GOL 17-105 (express written agreement to extend, waive or not plead as a defense the statute of limitations); 17-107 (unqualified payment on account of mortgage indebtedness effective to revive statute of limitations)). Accordingly, a bare stipulation of discontinuance or a lender’s unilateral decision to revoke its demand for full payment is no longer a permissible method for waiving, extending, or modifying the statute of limitations.

Second, the Act adds Section 205-a to the Rules, limiting reliance on the savings statute for time-barred claims. After termination of an action, the new section permits the original named plaintiff to commence a new action upon the same transaction or occurrence or series of transactions only if: (a) the plaintiff brings the new action within six months of the termination; and (b) the termination of the prior action occurred in any manner other than a voluntary discontinuance, a failure to obtain personal jurisdiction over the defendant, dismissal for any form of neglect, for violation of any court rules or individual part rules, failure to comply with any court scheduling orders, failure to appear for a conference or at a calendar call, failure to timely submit any order or judgment, or a final judgment upon the merits. Further, only one six-month extension will be available to the plaintiff.

Under new Section 205-a, a successor-in-interest or an assignee of the original plaintiff can only commence a new action if such party pleads and proves that the assignee is acting on behalf of the original plaintiff. Further, if the defendant has served an answer and the action has been terminated, in a new action based on the same transaction or occurrence or series of transactions (whether brought by the original plaintiff or a successor-in-interest or assignee thereof) any cause of action or defense that the defendant asserts will be considered timely “if such cause of action or defense was timely asserted in the prior action.” Section 205-a also provides that, where applicable, the original plaintiff (or a successor-in-interest acting on behalf of the original plaintiff) may only receive one six-month extension and no court shall allow the original plaintiff to receive more than one six-month extension.

Third, the Act amends Section 213(4) of the Rules to clarify that in any action where the statute of limitations is raised as a defense – and if that defense is based on a claim that the indebtedness was accelerated prior to or through commencement of a prior action – a plaintiff will be estopped from asserting that a mortgage instrument was not validly accelerated prior to or by way of commencement of a prior action. An exception exists if the prior action “was dismissed based on an expressed judicial determination, made upon a timely interposed defense, that the instrument was not validly accelerated.”

Further, in any quiet title action seeking cancellation and discharge of record of a mortgage instrument, a defendant will be estopped from asserting that the applicable statute of limitations period for commencement of an action has not expired because instrument was not validly accelerated prior to or by way of commencement of a prior action, “unless the prior action was dismissed based on an expressed judicial determination, made upon a timely interposed defense, that the instrument was not validly accelerated.”

Finally, the Act amends Section 3217 of the Rules, by adding a new Subsection (e), which clarifies that if the statute of limitations is raised as a defense in an action, and if the defense rests on a claim that the instrument was accelerated prior to or by virtue of the commencement of a prior action, the plaintiff cannot stop the tolling of the statute of limitations by asserting that the instrument was not validly accelerated unless the prior action was dismissed based on an express judicial determination regarding invalid acceleration.


In light of the Act’s curtailment of a servicer’s or investor’s ability to unilaterally suspend a foreclosure action, we recommend that mortgagees carefully review their pending mortgage foreclosure actions in New York state. At a minimum, the Act removes the ability of a holder or servicer in New York state to voluntarily discontinue a foreclosure action after acceleration of the indebtedness triggers the running of the statute of limitations.

Whether this will interfere with servicers’ contractual rights and ability – and obligations under the CFPB rules and New York Part 419 – to offer meaningful loss mitigation opportunities to borrowers remains to be seen. At least one judge thinks so. In a recent Order to Show Cause, a New York Supreme Court judge concluded that the Act violates the Contracts Clause of the U.S. Constitution and included an invitation for the New York Attorney General to weigh in.