Since being created in 2011, NYDFS has issued several groundbreaking regulations, including the first comprehensive U.S. regulations for cybersecurity and cryptocurrency, and imposed billions of dollars of fines. In 2023, we expect NYDFS to issue several new regulations and industry guidance that will significantly impact the financial services market. NYDFS will also likely continue its aggressive use of its investigatory and enforcement authority. In particular, we expect NYDFS’s priorities in 2023 to include cybersecurity, consumer protection issues such as fair lending and consumer fees, the cryptocurrency market, anti-money laundering (AML) and sanctions, and enhanced oversight of commercial financing.
Cybersecurity: amendments to NYDFS regulation and continued enforcement
NYDFS was the first U.S. financial services regulator—federal or state—to develop and issue a comprehensive cybersecurity regulation. Since NYDFS finalized its regulation in 2017, other regulators have adopted many of the regulation’s principles, and NYDFS initiated several enforcement actions, resulting in significant penalties and other costs to regulated institutions.
In November 2022, NYDFS published its first proposed amendments to its cybersecurity regulation. The proposed amendments are based in significant part on issues identified in NYDFS’s cybersecurity examinations, investigations, and enforcement actions and are designed to, among other things:
- Increase cybersecurity accountability at the Board and C-Suite levels;
- Enact additional controls meant to prevent or mitigate the spread of cyberattacks, including stricter multifactor authentication and encryption standards;
- Require more robust risk assessments and incident response capability; and
- Impose new monitoring and training requirements.
The proposed amendments would also create new, heightened cybersecurity standards for “Class A companies,” which are NYDFS-regulated entities that, together with all of their affiliates, have either (a) 2,000 or more employees or (b) $1 billion or more in gross annual revenue averaged over the last three fiscal years. The proposed amendments would also expand NYDFS’s ability to assess penalties for cybersecurity incidents and violations of the regulation. NYDFS has already assessed multimillion-dollar fines against companies for violations of its existing cybersecurity regulations, and these amendments would increase the risk of large fines for noncompliance.
NYDFS will likely aim to finalize these amendments in 2023. It has already conducted pre-proposal industry outreach and incorporated some of that feedback into the November proposal, which indicates that the agency is positioned to issue new final amendments relatively quickly. NYDFS will also continue to evaluate regulated institutions’ cybersecurity compliance through regular supervisory examinations and targeted investigations. Institutions should consider conducting a comprehensive review of their cybersecurity programs to assess their effectiveness and compliance with the existing NYDFS regulation, and, because it is very likely that NYDFS will ultimately adopt most of the requirements included in the proposed amendments, evaluate steps needed to come into compliance with the upcoming amendments.
Fair Lending Investigations and New Rules for Non-Bank Mortgage Lenders
NYDFS’s recent public actions demonstrate that it is increasingly relying on data analysis to drive its fair lending supervision and enforcement. In October 2022, NYDFS announced the third in a series of enforcement actions involving indirect auto lending, alleging a bank violated fair lending laws by charging higher interest rate “markups” to protected class borrowers. We expect that the Department’s fair lending examiners will continue to scrutinize auto lenders’ “markups,” which may lead to additional enforcement actions in 2023.
NYDFS is also closely scrutinizing fair lending issues in the New York mortgage market. In December 2022, NYDFS published a report detailing its statistical findings from its analysis of potential redlining in Rochester and Syracuse and on Long Island. The report followed a similar report NYDFS previously published on potential redlining in Buffalo. Collectively, those reports indicate that NYDFS is focused on identifying potential disparities in mortgage lending.
NYDFS’s initial report on mortgage lending in Buffalo was the impetus for legislation that will impose new obligations on non-bank mortgage lenders operating in New York. The legislation extends the scope of New York’s Community Reinvestment Act (CRA) to these non-banks. Historically, New York’s CRA has required banks to meet the credit needs of the communities in which they do business, including in particular low- and moderate-income neighborhoods and consumers. The new legislation extends this obligation to non-bank mortgage lenders. NYDFS is currently drafting a proposed regulation to implement this new requirement, and we expect it will publish this proposed regulation in 2023. This will impose complicated new obligations on non-bank mortgage lenders, and subject those lenders to new examinations to evaluate CRA compliance. Non-bank mortgage lenders operating in New York should consider preparing for these new examinations, including by reviewing and updating compliance management programs and in appropriate cases conducting statistical analyses of their portfolios.
Overdraft and non-sufficient funds fees
NYDFS is now conducting specific analyses of banks’ overdraft and non-sufficient funds (NSF) fee practices in its routine consumer compliance examinations. In July 2022, NYDFS issued guidance to banks that characterized three practices relating to overdraft and NSF fees as potentially unfair or deceptive:
- So called “authorize positive, settle negative” transactions, where consumers are charged an overdraft fee in circumstances in which they had a sufficient positive balance at the time that the transaction was authorized, but a subsequent transaction lowers the consumer’s available balance to below the amount of the original charge when the original transaction is presented for settlement;
- Charging “double fees” for overdraft protection transfers that are insufficient to prevent the actual overdraft, resulting in one fee being charged for the overdraft protection transfer and a second fee for the overdraft; and
- Charging multiple NSF fees on a single transaction when an institution re-presents a debit entry for payment that has been previously declined.
NYDFS conducts regular consumer compliance examinations of New York banks and is using those examinations to review whether banks charge fees in the circumstances described in its July guidance. If NYDFS identifies that a bank charges such fees, it will likely require remediation and may downgrade the bank’s consumer compliance examination rating. In circumstances where NYDFS believes there are significant violations, it may also refer the bank to its enforcement unit. This could lead to public enforcement actions and civil penalties.
Banks should be evaluating whether they charge fees in the circumstances described in the July guidance, and considering steps—such as revising policies and procedures and proactively assessing whether NYDFS may believe remediation is required—to prepare for examiners to evaluate these practices in regularly scheduled consumer compliance examinations.
Continued scrutiny of developments in the cryptocurrency market
NYDFS was also the first U.S. financial regulator to establish a regulatory framework for virtual currency. To engage in virtual currency business activity in New York, entities must obtain a “BitLicense” or be chartered as a bank or trust company.
In the last six months, NYDFS has taken a series of public actions relating to cryptocurrency. These include:
- June 2022 guidance requiring stablecoins issued by entities regulated by NYDFS to be fully backed by reserves that are held in custody with U.S. depository institutions or approved asset custodians. The guidance also requires monthly audits of these stablecoin reserves.
- December 2022 guidance requiring banks regulated by NYDFS to obtain prior approval before commencing cryptocurrency-related activity.
- January 2023 enforcement action against a major cryptocurrency exchange that included a $50 million fine and also required the company to invest $50 million in strengthening its compliance program.
- January 2023 guidance relating to custody of cryptocurrency and disclosures concerning the custodial relationship with customers.
We expect NYDFS to continue to issue new rules and guidance to the cryptocurrency industry in 2023. NYDFS will likely focus on regulated entities’ capitalization requirements and broader consumer protection issues, such as enhanced disclosures and consumer complaint resolution requirements. NYDFS has also increased its capacity to conduct supervisory examinations of BitLicensees in the past year, and we expect more comprehensive examinations to lead, in at least certain circumstances, to additional public enforcement actions.
AML and sanctions enforcement
In 2022, NYDFS continued its practice of assessing large fines on financial institutions for violations of anti-money laundering laws and sanctions regulations. Historically, NYDFS has primarily focused its AML and sanctions enforcement efforts on the banks, including in many cases foreign banks with U.S. branches. Although this continued in 2022, with NYDFS entering into a public consent order with a foreign bank that included a significant fine, NYDFS also expanded its AML and sanctions efforts to companies holding BitLicenses, with two major consent orders in the last six months that included a total of over $100 million in fines and remediation. With ever increasing focus on AML and sanctions compliance from both regulators and prosecutors, all institutions regulated by NYDFS should be assessing AML and sanctions compliance.
Detailed new requirements for commercial financing
NYDFS will likely finalize two significant regulations in 2023 that will collectively impose detailed new disclosure and data collection requirements on many commercial lenders operating in New York.
In 2021, as we discussed previously, New York enacted legislation to require detailed, consumer-style disclosures for commercial financing transactions of $2.5 million or less. The effective date of those disclosure requirements was delayed as NYDFS wrote a rule to implement the requirements. NYDFS issued that final rule on February 1, 2023, and we will be publishing an in-depth analysis of the rule in the coming days.
NYDFS is also likely to finalize a new rule in 2023 that will require New York banks to collect detailed demographic and financial data, including whether the applicant is a minority- or women-owned business, when accepting business credit applications. As described in our previous client alert, on October 26, 2022, the New York Department of Financial Services issued a revised proposed rule that, when finalized, will require New York banks to collect detailed demographic and financial data, including whether the applicant is a minority- or women-owned business, when accepting business credit applications. The Consumer Financial Protection Bureau (CFPB) is expected to finalize a similar rule in March to require commercial lenders to collect and report data about applicants and borrowers. The New York rule will, however, be broader and impose more complex obligations on banks. We expect NYDFS to finalize its rule soon after the CFPB rule is final.
Preparing for 2023
Institutions should expect NYDFS’s aggressive regulatory and enforcement agenda to continue in 2023. Accordingly, institutions should review their policies, procedures and controls to ensure compliance with existing New York requirements and in preparation for the several new regulations that will become effective in 2023. Institutions should conduct their own individualized assessments that take into account NYDFS’s recent enforcement actions and publicly stated priorities.