The New York Department of Financial Services (“NYDFS”) published the latest draft of its Proposed Second Amendment to its landmark Cybersecurity Regulation (23 NYCRR 500) on November 9, 2022. The proposed second amendment comes after an initial comment period on an earlier-released draft amendment released on July 29, 2022. NYDFS is accepting comments on the proposed second amendment through January 9, 2023.
Michael Nonaka is co-chair of the Financial Services Group and advises banks, financial services providers, fintech companies, and commercial companies on a broad range of compliance, enforcement, transactional, and legislative matters.
He specializes in providing advice relating to federal and state licensing and applications matters for banks and other financial institutions, the development of partnerships and platforms to provide innovative financial products and services, and a broad range of compliance areas such as anti-money laundering, financial privacy, cybersecurity, and consumer protection. He also works closely with banks and their directors and senior leadership teams on sensitive supervisory and strategic matters.
Mike plays an active role in the firm’s Fintech Initiative and works with a number of banks, lending companies, money transmitters, payments firms, technology companies, and service providers on innovative technologies such as bitcoin and other cryptocurrencies, blockchain, big data, cloud computing, same day payments, and online lending. He has assisted numerous banks and fintech companies with the launch of innovative deposit and loan products, technology services, and cryptocurrency-related products and services.
Mike has advised a number of clients on compliance with TILA, ECOA, TISA, HMDA, FCRA, EFTA, GLBA, FDCPA, CRA, BSA, USA PATRIOT Act, FTC Act, Reg. K, Reg. O, Reg. W, Reg. Y, state money transmitter laws, state licensed lender laws, state unclaimed property laws, state prepaid access laws, and other federal and state laws and regulations.
On September 21, 2021, the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) issued an “Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments” (the “Updated Advisory”). The Updated Advisory updates and supersedes an earlier OFAC Advisory released on October 1, 2020, and is directed toward not only organizations victimized by ransomware attacks, but also financial institutions, cyber insurance firms, and forensic and incident-response firms that assist organizations victimized by ransomware attacks.
The Updated Advisory is largely consistent with the previous version released in October 2020, restating the U.S. government’s opposition to ransomware victims making payments to cyber threat actors and making clear OFAC’s commitment to bringing enforcement actions in connection with such payments when they constitute U.S. sanctions violations. However, the Updated Advisory adds important new guidance on “the proactive steps companies can take to mitigate [sanctions enforcement] risks,” including implementing strong cybersecurity practices before an attack; and promptly reporting a ransomware attack to, and engaging in timely and ongoing cooperation with, law enforcement or other relevant agencies. Taking these steps would constitute “mitigating factors” in any OFAC enforcement action resulting from sanctions violations in connection with ransomware payments.
In conjunction with the new Advisory, OFAC for the first time designated for sanctions a Russian cryptocurrency exchange, SUEX OTC, that OFAC alleges has been involved in facilitating numerous ransomware payments for malicious cyber actors. As a result of this designation, U.S. persons (that is, all individual U.S. citizens and permanent residents, U.S.-incorporated entities and their branch offices, and anyone physically within the United States) are now prohibited from engaging in or facilitating virtually all transactions with or involving SUEX OTC.…
On March 5, 2019 the Federal Trade Commission (“FTC”) published requests for comment on proposed amendments to two key rules under the Gramm-Leach-Bliley Act (“GLBA”). Most significantly, the FTC is proposing to add more detailed requirements to the Safeguards Rule, which governs the information security programs financial institutions must implement to protect customer data.
In addition, the FTC is proposing to expand the definition of “financial institution” under the Safeguards Rule and the Privacy Rule to include “finders.” Finally, the FTC is proposing to amend the Privacy Rule to make technical and conforming changes resulting from legislative amendments to GLBA in the Dodd-Frank Act and FAST Act of 2015.
Proposed Revisions to the Safeguards Rule’s Information Security Program Requirements
The Safeguards Rule establishes requirements for the information security programs of all financial institutions subject to FTC jurisdiction. The Rule, which first went into effect in 2003, requires financial institutions to develop, implement, and maintain a comprehensive information security program. As currently drafted, the Safeguards Rule has few prescriptive requirements, but instead generally directs financial institutions to take reasonable steps to protect customer information.
The FTC’s proposed revisions would add substantially more detail to these requirements. Andrew Smith, Director of the FTC’s Bureau of Consumer Protection, explained that the purpose of the proposed changes is “to better protect consumers and provide more certainty for business.” The new requirements are primarily based on the cybersecurity regulations issued by New York Department of Financial Services (“NYSDFS”), and the insurance data security model law issued by the National Association of Insurance Commissioners.
Continue Reading FTC Proposes to Add Detailed Cybersecurity Requirements to the GLBA Safeguards Rule
Blockchain technology has the potential to revolutionise many industries; it has been said that “blockchain will do to the financial system what the internet did to media”. Its most famous use is its role as the architecture of the cryptocurrency Bitcoin, however it has many other potential uses in the financial sector, for instance in trading, clearing and settlement, as well as various middle- and back-office functions. Its transformative capability also extends far beyond the financial sector, including in smart contracts and the storage of health records to name just a few.
A blockchain is a shared immutable digital ledger that records transactions / documents / information in a block which is then added to a chain of other blocks on a de-centralised network. Blockchain technology operates through a peer network, where transactions must be verified by participants before they can be added to the chain.
Notwithstanding its tremendous capabilities, in order for the technology to unfold its full potential there needs to be careful consideration as to how the technology can comply with new European privacy legislation, namely the General Data Protection Regulation (the “GDPR”) which came into force on 25 May 2018. This article explores some of the possible or “perceived” challenges blockchain technology faces when it comes to compliance with the GDPR.
Continue Reading The GDPR and Blockchain
As our readers know, New York’s Department of Financial Services (“NY DFS”) released a draft of its new Cybersecurity Regulations on September 13, 2016, and the final version of the regulations went into effect on March 1, 2017 (23 NYCRR 500). Among other things, the regulations require regulated entities to conduct cyber risk assessments and to develop and implement cybersecurity programs to manage their cyber risk.
Notwithstanding the fanfare surrounding the announcement of these “first-in-the-nation” regulations, there has been significant uncertainty about precisely how the regulations will be interpreted and enforced. That uncertainty has been increasing with the approach of the August 28 deadline for compliance with the first round of requirements (Section 500.22(a)).
On June 29, 2017, NY DFS took steps to reduce that uncertainty by posting a “Frequently Asked Questions” section about the regulations on its website. The FAQs seek to clarify some key provisions of these regulations, including provisions regarding reporting requirements and consumer notification triggers. Some highlights below:…
Continue Reading New York DFS Publishes FAQs on New Cybersecurity Regulations
The Securities and Exchange Commission’s (“SEC”) Office of Compliance Inspections and Examinations (“OCIE”) and the Financial Industry Regulatory Authority, Inc. (“FINRA”) (a private self-regulatory organization overseen by OCIE), recently released their 2017 examination priorities. It is no surprise to find cybersecurity listed as an examination priority again this year.
OCIE and FINRA have repeatedly recognized…
For those considering submitting comments on the federal advance notice of proposed rulemaking (ANPR) on enhanced cyber risk management standards, you’ve been granted an extension. The agencies involved—the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency, and the Federal Deposit Insurance Corporation—announced that they will extend the…
On January 6, 2016, the Federal Trade Commission issued its staff report on big data, Big Data: A Tool for Inclusion or Exclusion? Understanding the Issues, following up on the FTC’s workshop on big data in September 2014 and seminar on alternative scoring products in March 2014. The report provides an overview of the characteristics and lifecycle of big data, summarizes the benefits and risks of big data, and outlines considerations for companies using big data, including potentially relevant laws such as the Fair Credit Reporting Act, equal opportunity laws, and laws prohibiting unfair and deceptive acts or practices.
The report serves as a helpful resource for a company in evaluating the potential uses, benefits, risks, and compliance requirements for big data. While many companies that already use big data will be familiar with the laws analyzed in the report and how to comply with them, new or emerging companies or companies that do not regularly work with consumer protection or financial services laws should read the report with care to develop an understanding of the legal framework applicable to the use of big data.
Continue Reading The FTC Staff Report on Big Data
Recently, a jury in the U.S. District Court for Oregon awarded a plaintiff $18.58 million in compensatory and punitive damages for Equifax’s violations of the Fair Credit Reporting Act (FCRA). The plaintiff was a co-signor to a loan that was denied by a bank due to the plaintiff’s credit report, which was a “mixed file” that…
Last week, the Government Accountability Office (GAO) agreed to review the Consumer Financial Protection Bureau’s (CFPB) collection and analysis of consumer credit records in response to a request from Senator Mike Crapo (R-ID). In a letter to the GAO Comptroller General, Sen. Crapo requested that the GAO investigate “CFPB’s data collection to determine its purpose…