DFS Flexes Enforcement and Regulatory Muscles in Equifax Hack Scandal
In this Outside Counsel column, Marlon Paz and Andrew Jacobson provide an overview of proposed DFS regulation and the regulatory and enforcement implications for entities that fall under DFS's jurisdiction.
November 03, 2017 at 02:30 PM
18 minute read
In light of the recent Equifax cyber attack, New York's top financial regulator, the New York State Department of Financial Services (DFS), has proposed a powerful new regulation (23 NYCRR §201) to regulate consumer credit reporting agencies. This expansion of authority comes as DFS, which does not currently regulate consumer credit reporting agencies, seeks to strengthen the protections offered by its first-in-the-nation Cybersecurity Regulation.
The Proposed Regulation is unprecedented in that it requires consumer credit reporting agencies that report on consumers located in New York state to register with DFS. Further, the Proposed Regulation contains its own reporting requirements and anti-fraud provisions. Most significantly, however, the Proposed Regulation subjects credit reporting agencies operating within New York to DFS's Cybersecurity Regulation, which is contained in 23 NYCRR §500.
The Proposed Regulation is fairly complex and will likely change through the comment and review period required under New York state law. This article provides an overview of the Proposed Regulation and the regulatory and enforcement implications for entities that fall under DFS's jurisdiction. In short, the Proposed Regulation goes well beyond cybersecurity and holds credit reporting agencies to high standards of consumer protection.
|Objectives and Authority
In preparing the Proposed Regulation, DFS recognized that consumer credit reporting agencies play a central role in the provision of nearly every type of financial service offered in New York. The recent cyber intrusion involving Equifax highlights the vulnerabilities of consumer credit reporting agencies and the corresponding danger to consumers.
What is unique about the Proposed Regulation is that it goes well beyond cybersecurity in its consumer protections. Specifically, the Proposed Regulation's stated motivation includes the failure of consumer credit reporting agencies to: (1) safeguard consumer data; (2) maintain accurate consumer credit data; and (3) appropriately investigate consumer disputes of alleged inaccuracies in credit reports. 23 NYCRR §201.0. These issues directly pertain to consumer protection, for which DFS has a history of advocating.
The Proposed Regulation was issued, in part, pursuant to the Financial Services Law, which is often viewed as DFS's “gap authority”. The Proposed Regulation is intended to further the Financial Service Law's legislative objections, which are to ensure the safe and sound operation of the financial system and adequate protection of consumers of financial services. DFS likely views credit reporting agencies, which were not previously regulated, as a regulatory gap in the marketplace in need of enhanced supervision.
The Proposed Regulation was also issued pursuant to Dodd-Frank §1036, which prohibits unfair, deceptive or abusive acts or practices (UDAAP). Dodd-Frank Wall Street Reform and Consumer Protection Act, 12 U.S.C. §5531. As a state banking regulator, DFS is expressly permitted to enforce UDAAP, which it has done in the past—albeit sparingly. 12 U.S.C. §5552(a)(1); see Final Consent Judgment, Lawsky v. Condor Capital, 154 F. Supp. 3d 9 (S.D.N.Y. 2015) (No. 14 Civ. 2863).
Finally, the Proposed Regulation was issued pursuant to DFS's supervisory authority under the Banking Law. DFS has supervisory and regulatory authority to ensure that all New York state chartered and licensed financial institutions are operating in a “safe and sound” manner. N.Y. Banking Law §10.
|Regulation of Consumer Credit Reporting Agencies
Who is Covered by the Proposed Regulation? The Proposed Regulation applies to consumer credit reporting agencies that service consumers in New York or otherwise do business within New York. The Proposed Regulation defines consumer credit reporting agencies as any person who regularly engages in the practice of assembling and evaluating consumer credit information for the purpose of furnishing consumer credit reports to third parties bearing on a consumer's “credit worthiness, credit standing, or credit capacity, public record information and credit account information from persons who furnish that information regularly and in the ordinary course of business.” 23 NYCRR §201.01(d).
Registration Requirement. The Proposed Regulation requires that every consumer credit reporting agency that assembles, evaluates, or maintains consumer credit reports on one or more consumers in New York state register with DFS. 23 NYCRR §201.02. It will therefore be unlawful to not only act as a consumer credit reporting agency in New York without registering, but also to pay a fee or compensation to an unlicensed consumer credit reporting agency, or transmit information about a New York consumer to an unregistered consumer credit reporting agency. §201.03. Thus, even consumer credit reporting agencies that have a minor stake in New York will be at risk of significant penalties if they fail to register.
Additionally, the Proposed Regulation confers direct responsibility on the consumer credit reporting agencies' officers or directors who are named in the registration application to be “responsible for the business entity's compliance” with the Financial Services Law, Banking Law, and Insurance Law. Here, DFS imparts responsibility, and potential liability, onto corporate executives for their company's misconduct. DFS has long been the industry leader in its attempts to hold executives individually responsible for corporate misconduct.
Information Reporting Requirements. The Proposed Regulation contains seemingly stringent, but at times uncertain, information reporting requirements. For example, on or before July 1 of each year, beginning in the year 2019, consumer credit reporting agencies are required to report to DFS on certain information requested by the Superintendent. DFS can require quarterly or other statements; however, the Proposed Regulation is fairly vague in terms of what type of reporting is actually required. §201.04(a). The Proposed Regulation also permits DFS to issue information requests, which must be answered under penalty of perjury. §201.04(b). Aside from DFS's standard investigative subpoena power, which is broad, this will undoubtedly be a strong enforcement mechanism, since refusing to comply with a DFS information request could subject a consumer credit reporting agency to revocation of its license to do business in New York.
Revocation and Suspension of Registration. Consumer credit reporting agencies are required to renew their registration with DFS each year. §201.02(d). DFS can refuse to renew registration if the applicant or any member, principal, officer, or direct is not deemed “trustworthy and competent to act.” §201.02(e).
In addition, DFS can outright revoke or suspend registrations. §201.05. As DFS has done on the banking side, the threat of a revocation or suspension of a license will likely be a strong tool in deterring misconduct. While revocation or suspension might seem extreme, DFS has threatened to pursue this path in the past. See, e.g., Order Pursuant to Banking Law §39, In the Matter of Standard Chartered Bank, NY Branch, New York State Department of Financial Services (Aug. 6, 2012). Consumer credit reporting agencies should not take this sanction lightly.
|Anti-Fraud Provisions—Enforcement Potential
The enforcement potential of the Proposed Regulation resides in its anti-fraud provisions, which are housed in §201.06. A consumer credit reporting agency is prohibited from (1) directly or indirectly employing a scheme, device or artifice to defraud or mislead a consumer; (2) engaging in any unfair, deceptive or predatory acts or practices towards consumers, or misrepresenting or omitting any material information in connection with the assembly, evaluation, or maintenance of a credit report; (3) engaging in UDAAP under Dodd-Frank; and (4) including inaccurate information in any consumer report relating to a consumer located in New York. 23 NYCRR §201.06.
There are two provisions within the Proposed Regulation that have strong enforcement potential. First, §201.06(6) prohibits a consumer credit reporting agency from making “any false statement” or “omission of a material fact” in connection with any information or reports filed with a governmental agency or in connection with any investigation conducted by DFS or another governmental agency. What this provision means is that if a consumer credit reporting agency refuses to cooperate with a DFS enforcement investigation, or otherwise provides false information, then that company could be subject to further enforcement liability beyond the original basis for the investigation.
Second, the Proposed Regulation gives DFS the authority to bring enforcement actions against consumer credit reporting agencies for misconduct that is totally unrelated to cybersecurity. This is especially pertinent given that the Equifax hacking scandal provided one of the impetuses for this regulation. The message that DFS is conveying is clear: consumer credit reporting agencies operating within New York must protect themselves (and their customers) from cyber-threats and they better not defraud consumers in their other business areas.
|Applicability of DFS's Cybersecurity Regulation
The final, and perhaps most significant, aspect of the Proposed Regulation is that consumer credit reporting agencies are now subject to DFS's powerful Cybersecurity Regulation, 23 NYCRR 500. Specifically, consumer credit reporting agencies operating in New York are deemed “Covered Entities” under the Cybersecurity Regulation and must therefore abide by its robust reporting and cybersecurity prevention requirements. 23 NYCRR §201.07(a).
|Conclusion and Overall Impact of Regulation
DFS has staked out a large imprint in both the cybersecurity and consumer protection arenas. We fully expect that DFS will continue to push the boundaries when it comes to protecting New York's consumers in the future.
Marlon Paz is a partner at Seward & Kissel and former senior staff member at the SEC. Andrew Jacobson is an associate at the firm and former enforcement attorney with the New York State Department of Financial Services.
In light of the recent Equifax cyber attack,
The Proposed Regulation is unprecedented in that it requires consumer credit reporting agencies that report on consumers located in
The Proposed Regulation is fairly complex and will likely change through the comment and review period required under
Objectives and Authority
In preparing the Proposed Regulation, DFS recognized that consumer credit reporting agencies play a central role in the provision of nearly every type of financial service offered in
What is unique about the Proposed Regulation is that it goes well beyond cybersecurity in its consumer protections. Specifically, the Proposed Regulation's stated motivation includes the failure of consumer credit reporting agencies to: (1) safeguard consumer data; (2) maintain accurate consumer credit data; and (3) appropriately investigate consumer disputes of alleged inaccuracies in credit reports.
The Proposed Regulation was issued, in part, pursuant to the Financial Services Law, which is often viewed as DFS's “gap authority”. The Proposed Regulation is intended to further the Financial Service Law's legislative objections, which are to ensure the safe and sound operation of the financial system and adequate protection of consumers of financial services. DFS likely views credit reporting agencies, which were not previously regulated, as a regulatory gap in the marketplace in need of enhanced supervision.
The Proposed Regulation was also issued pursuant to Dodd-Frank §1036, which prohibits unfair, deceptive or abusive acts or practices (UDAAP). Dodd-Frank Wall Street Reform and Consumer Protection Act,
Finally, the Proposed Regulation was issued pursuant to DFS's supervisory authority under the Banking Law. DFS has supervisory and regulatory authority to ensure that all
Regulation of Consumer Credit Reporting Agencies
Who is Covered by the Proposed Regulation? The Proposed Regulation applies to consumer credit reporting agencies that service consumers in
Registration Requirement. The Proposed Regulation requires that every consumer credit reporting agency that assembles, evaluates, or maintains consumer credit reports on one or more consumers in
Additionally, the Proposed Regulation confers direct responsibility on the consumer credit reporting agencies' officers or directors who are named in the registration application to be “responsible for the business entity's compliance” with the Financial Services Law, Banking Law, and Insurance Law. Here, DFS imparts responsibility, and potential liability, onto corporate executives for their company's misconduct. DFS has long been the industry leader in its attempts to hold executives individually responsible for corporate misconduct.
Information Reporting Requirements. The Proposed Regulation contains seemingly stringent, but at times uncertain, information reporting requirements. For example, on or before July 1 of each year, beginning in the year 2019, consumer credit reporting agencies are required to report to DFS on certain information requested by the Superintendent. DFS can require quarterly or other statements; however, the Proposed Regulation is fairly vague in terms of what type of reporting is actually required. §201.04(a). The Proposed Regulation also permits DFS to issue information requests, which must be answered under penalty of perjury. §201.04(b). Aside from DFS's standard investigative subpoena power, which is broad, this will undoubtedly be a strong enforcement mechanism, since refusing to comply with a DFS information request could subject a consumer credit reporting agency to revocation of its license to do business in
Revocation and Suspension of Registration. Consumer credit reporting agencies are required to renew their registration with DFS each year. §201.02(d). DFS can refuse to renew registration if the applicant or any member, principal, officer, or direct is not deemed “trustworthy and competent to act.” §201.02(e).
In addition, DFS can outright revoke or suspend registrations. §201.05. As DFS has done on the banking side, the threat of a revocation or suspension of a license will likely be a strong tool in deterring misconduct. While revocation or suspension might seem extreme, DFS has threatened to pursue this path in the past. See, e.g., Order Pursuant to Banking Law §39, In the Matter of
Anti-Fraud Provisions—Enforcement Potential
The enforcement potential of the Proposed Regulation resides in its anti-fraud provisions, which are housed in §201.06. A consumer credit reporting agency is prohibited from (1) directly or indirectly employing a scheme, device or artifice to defraud or mislead a consumer; (2) engaging in any unfair, deceptive or predatory acts or practices towards consumers, or misrepresenting or omitting any material information in connection with the assembly, evaluation, or maintenance of a credit report; (3) engaging in UDAAP under Dodd-Frank; and (4) including inaccurate information in any consumer report relating to a consumer located in
There are two provisions within the Proposed Regulation that have strong enforcement potential. First, §201.06(6) prohibits a consumer credit reporting agency from making “any false statement” or “omission of a material fact” in connection with any information or reports filed with a governmental agency or in connection with any investigation conducted by DFS or another governmental agency. What this provision means is that if a consumer credit reporting agency refuses to cooperate with a DFS enforcement investigation, or otherwise provides false information, then that company could be subject to further enforcement liability beyond the original basis for the investigation.
Second, the Proposed Regulation gives DFS the authority to bring enforcement actions against consumer credit reporting agencies for misconduct that is totally unrelated to cybersecurity. This is especially pertinent given that the Equifax hacking scandal provided one of the impetuses for this regulation. The message that DFS is conveying is clear: consumer credit reporting agencies operating within
Applicability of DFS's Cybersecurity Regulation
The final, and perhaps most significant, aspect of the Proposed Regulation is that consumer credit reporting agencies are now subject to DFS's powerful Cybersecurity Regulation,
Conclusion and Overall Impact of Regulation
DFS has staked out a large imprint in both the cybersecurity and consumer protection arenas. We fully expect that DFS will continue to push the boundaries when it comes to protecting
Marlon Paz is a partner at
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllBusiness Unusual: Recent Applications of New York's Business Judgment Rule
6 minute readThe Changing Landscape of NY Courts' Jurisdiction Over Out-of-State Corporations
14 minute readTrending Stories
- 1Infant Formula Judge Sanctions Kirkland's Jim Hurst: 'Overtly Crossed the Lines'
- 2Abbott, Mead Johnson Win Defense Verdict Over Preemie Infant Formula
- 3Preparing Your Law Firm for 2025: Smart Ways to Embrace AI & Other Technologies
- 4Greenberg Traurig Initiates String of Suits Following JPMorgan Chase's 'Infinite Money Glitch'
- 5Data-Driven Legal Strategies
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250