In light of the recent Equifax cyber attack, New York's top financial regulator, the New York State Department of Financial Services (DFS), has proposed a powerful new regulation (23 NYCRR §201) to regulate consumer credit reporting agencies. This expansion of authority comes as DFS, which does not currently regulate consumer credit reporting agencies, seeks to strengthen the protections offered by its first-in-the-nation Cybersecurity Regulation.

The Proposed Regulation is unprecedented in that it requires consumer credit reporting agencies that report on consumers located in New York state to register with DFS. Further, the Proposed Regulation contains its own reporting requirements and anti-fraud provisions. Most significantly, however, the Proposed Regulation subjects credit reporting agencies operating within New York to DFS's Cybersecurity Regulation, which is contained in 23 NYCRR §500.

The Proposed Regulation is fairly complex and will likely change through the comment and review period required under New York state law. This article provides an overview of the Proposed Regulation and the regulatory and enforcement implications for entities that fall under DFS's jurisdiction. In short, the Proposed Regulation goes well beyond cybersecurity and holds credit reporting agencies to high standards of consumer protection.

Objectives and Authority

In preparing the Proposed Regulation, DFS recognized that consumer credit reporting agencies play a central role in the provision of nearly every type of financial service offered in New York. The recent cyber intrusion involving Equifax highlights the vulnerabilities of consumer credit reporting agencies and the corresponding danger to consumers.

What is unique about the Proposed Regulation is that it goes well beyond cybersecurity in its consumer protections. Specifically, the Proposed Regulation's stated motivation includes the failure of consumer credit reporting agencies to: (1) safeguard consumer data; (2) maintain accurate consumer credit data; and (3) appropriately investigate consumer disputes of alleged inaccuracies in credit reports. 23 NYCRR §201.0. These issues directly pertain to consumer protection, for which DFS has a history of advocating.

The Proposed Regulation was issued, in part, pursuant to the Financial Services Law, which is often viewed as DFS's “gap authority”. The Proposed Regulation is intended to further the Financial Services Law's legislative objectives, which are to ensure the safe and sound operation of the financial system and adequate protection of consumers of financial services. DFS likely views credit reporting agencies, which were not previously regulated, as a regulatory gap in the marketplace in need of enhanced supervision.

The Proposed Regulation was also issued pursuant to Dodd-Frank §1036, which prohibits unfair, deceptive or abusive acts or practices (UDAAP). Dodd-Frank Wall Street Reform and Consumer Protection Act, 12 U.S.C. §5531. As a state banking regulator, DFS is expressly permitted to enforce UDAAP, which it has done in the past—albeit sparingly. 12 U.S.C. §5552(a)(1); see Final Consent Judgment, Lawsky v. Condor Capital, 154 F. Supp. 3d 9 (S.D.N.Y. 2015) (No. 14 Civ. 2863).

Finally, the Proposed Regulation was issued pursuant to DFS's supervisory authority under the Banking Law. DFS has supervisory and regulatory authority to ensure that all New York state chartered and licensed financial institutions are operating in a “safe and sound” manner. N.Y. Banking Law §10.

Regulation of Consumer Credit Reporting Agencies

Who is Covered by the Proposed Regulation? The Proposed Regulation applies to consumer credit reporting agencies that service consumers in New York or otherwise do business within New York. The Proposed Regulation defines consumer credit reporting agencies as any person who regularly engages in the practice of assembling and evaluating consumer credit information for the purpose of furnishing consumer credit reports to third parties bearing on a consumer's “credit worthiness, credit standing, or credit capacity, public record information and credit account information from persons who furnish that information regularly and in the ordinary course of business.” 23 NYCRR §201.01(d).

Registration Requirement. The Proposed Regulation requires that every consumer credit reporting agency that assembles, evaluates, or maintains consumer credit reports on one or more consumers in New York state register with DFS. 23 NYCRR §201.02. It will therefore be unlawful to not only act as a consumer credit reporting agency in New York without registering, but also to pay a fee or compensation to an unlicensed consumer credit reporting agency, or transmit information about a New York consumer to an unregistered consumer credit reporting agency. §201.03. Thus, even consumer credit reporting agencies that have a minor stake in New York will be at risk of significant penalties if they fail to register.

Additionally, the Proposed Regulation confers direct responsibility on the consumer credit reporting agencies' officers or directors who are named in the registration application to be “responsible for the business entity's compliance” with the Financial Services Law, Banking Law, and Insurance Law. Here, DFS imparts responsibility, and potential liability, onto corporate executives for their company's misconduct. DFS has long been the industry leader in its attempts to hold executives individually responsible for corporate misconduct.

Information Reporting Requirements. The Proposed Regulation contains seemingly stringent, but at times uncertain, information reporting requirements. For example, on or before July 1 of each year, beginning in the year 2019, consumer credit reporting agencies are required to report to DFS on certain information requested by the Superintendent. DFS can require quarterly or other statements; however, the Proposed Regulation is fairly vague in terms of what type of reporting is actually required. §201.04(a). The Proposed Regulation also permits DFS to issue information requests, which must be answered under penalty of perjury. §201.04(b). Aside from DFS's standard investigative subpoena power, which is broad, this will undoubtedly be a strong enforcement mechanism, since refusing to comply with a DFS information request could subject a consumer credit reporting agency to revocation of its license to do business in New York.

Revocation and Suspension of Registration. Consumer credit reporting agencies are required to renew their registration with DFS each year. §201.02(d). DFS can refuse to renew registration if the applicant or any member, principal, officer, or director is not deemed “trustworthy and competent to act.” §201.02(e).

In addition, DFS can outright revoke or suspend registrations. §201.05. As DFS has done on the banking side, the threat of a revocation or suspension of a license will likely be a strong tool in deterring misconduct. While revocation or suspension might seem extreme, DFS has threatened to pursue this path in the past. See, e.g., Order Pursuant to Banking Law §39, In the Matter of Standard Chartered Bank, NY Branch, New York State Department of Financial Services (Aug. 6, 2012). Consumer credit reporting agencies should not take this sanction lightly.

Anti-Fraud Provisions—Enforcement Potential

The enforcement potential of the Proposed Regulation resides in its anti-fraud provisions, which are housed in §201.06. A consumer credit reporting agency is prohibited from (1) directly or indirectly employing a scheme, device or artifice to defraud or mislead a consumer; (2) engaging in any unfair, deceptive or predatory acts or practices towards consumers, or misrepresenting or omitting any material information in connection with the assembly, evaluation, or maintenance of a credit report; (3) engaging in UDAAP under Dodd-Frank; and (4) including inaccurate information in any consumer report relating to a consumer located in New York. 23 NYCRR §201.06.

There are two provisions within the Proposed Regulation that have strong enforcement potential. First, §201.06(6) prohibits a consumer credit reporting agency from making “any false statement” or “omission of a material fact” in connection with any information or reports filed with a governmental agency or in connection with any investigation conducted by DFS or another governmental agency. What this provision means is that if a consumer credit reporting agency refuses to cooperate with a DFS enforcement investigation, or otherwise provides false information, then that company could be subject to further enforcement liability beyond the original basis for the investigation.

Second, the Proposed Regulation gives DFS the authority to bring enforcement actions against consumer credit reporting agencies for misconduct that is totally unrelated to cybersecurity. This is especially pertinent given that the Equifax hacking scandal provided one of the impetuses for this regulation. The message that DFS is conveying is clear: consumer credit reporting agencies operating within New York must protect themselves (and their customers) from cyber-threats and they better not defraud consumers in their other business areas.

Applicability of DFS's Cybersecurity Regulation

The final, and perhaps most significant, aspect of the Proposed Regulation is that consumer credit reporting agencies are now subject to DFS's powerful Cybersecurity Regulation, 23 NYCRR 500. Specifically, consumer credit reporting agencies operating in New York are deemed “Covered Entities” under the Cybersecurity Regulation and must therefore abide by its robust reporting and cybersecurity prevention requirements. 23 NYCRR §201.07(a).

Conclusion and Overall Impact of Regulation

DFS has staked out a large imprint in both the cybersecurity and consumer protection arenas. We fully expect that DFS will continue to push the boundaries when it comes to protecting New York's consumers in the future.

Marlon Paz is a partner at Seward & Kissel and former senior staff member at the SEC. Andrew Jacobson is an associate at the firm and former enforcement attorney with the New York State Department of Financial Services.

