On June 25, 2018, the New York Department of Financial Services (NYDFS) announced a final regulation requiring credit reporting agencies with significant operations in New York to register with the NYDFS and comply with the New York Cybersecurity Standards.
In order to protect consumers of financial services, address substandard cybersecurity practices and investigations, and safeguard the financial services market, the final regulation provides that “[e]very consumer credit reporting agency that, within the previous 12-month period, has assembled, evaluated, or maintained a consumer credit report on one thousand or more New York consumers shall register” with the DFS Superintendent subject to the registration requirements of the regulation.
Deadlines for registration vary. Generally, covered agencies must register on or before September 15, 2018, or within 15 days of the date they become subject to the regulation’s requirements. One or more officers or directors must be designated to be responsible for compliance under the rules of New York. Beginning in 2019, each consumer credit reporting agency registered in New York must report information requested by the DFS Superintendent on or before July 1 of each year. The DFS Superintendent has the authority to refuse a consumer credit reporting agency’s registration if he or she determines any “member, principal, officer or director of the applicant, is not trustworthy and competent or . . . a consumer credit reporting agency . . . has failed to comply with any minimum standard.”
The DFS Superintendent also has the authority to revoke, suspend, or deny a consumer credit reporting agency’s authorization to do business with New York financial institutions and consumers if the Superintendent finds a “registrant or any member, principal, officer, director, or controlling person of the registration” has engaged in a violation under the regulation. Violations include, but are not limited to, “violat[ing] any insurance, financial service, or banking law or violat[ing] any regulation, subpoena or order of the superintendent or of another state’s insurance or banking commissioner or of any other state or federal agency with authority to regulate . . . , or has violated any law in the course of his or her dealings.” Providing “materially incorrect, materially misleading, materially incomplete or materially untrue information in the registration application” may also result in liability for the entity. Importantly, agencies “found to have committed any unfair trade practice or fraud,” or “used fraudulent, coercive or dishonest practices” are subject to disciplinary action.
Covered agencies are also prohibited from a number of practices. These prohibited practices include engaging in any “unfair, deceptive, or abusive act or practice under section 1036 of the Dodd-Frank” Act, directly or indirectly defrauding or misleading a consumer, engaging “in any unfair, deceptive or predatory act or practice toward any consumer,” or failing to accurately report information relating to New York consumers.
Lastly, compliance with New York Cybersecurity Standards is required. Consumer credit reporting agencies subject to the regulation must be in compliance with New York Cybersecurity Standards beginning November 1, 2018. Additional compliance deadlines occur in February, August, and December of 2019.
The final regulation is available here.