The newly confirmed Superintendent of the New York Department of Financial Services (DFS), Linda Lacewell, told the New York Law Journal recently that she plans to use her position to further strengthen the agency's work protecting consumers. Superintendent Lacewell has indicated this effort is a response, in part, to the shift away from financial services enforcement by the federal Consumer Financial Protection Bureau. "Where CFPB steps down, DFS has to step up," she told the Wall Street Journal.

The new Superintendent has moved to reorganize the Department in some respects to facilitate this focus, and has begun or continued several investigations aimed at protecting consumers from improper conduct. These steps build on the significant consumer protection record of the Department's first two Superintendents, Benjamin Lawsky and Maria Vullo.

Given DFS' broad powers of supervision and enforcement, Superintendent Lacewell has many tools at hand to execute on this policy objective. This article will review some of the central mechanisms available to the Superintendent for this purpose.

Enforcement Authority That Serves To Protect Consumers

DFS reaches its eighth birthday in October of this year. When the state legislature created the agency in 2011 by combining two of the nation's oldest regulatory bodies (the New York State Banking and Insurance Departments), it also empowered DFS with additional enforcement authority to protect consumers under the new Financial Services Law (FSL). This included FSL §408, which is designed to police intentional fraud and other misconduct in connection with the offering or sale of virtually any "financial product or service" impacting New York consumers. Frequently referred to as DFS "gap authority," §408 reaches any entity without regard to whether it is licensed by the Department and provides for a civil enforcement action and penalties. The FSL also provided an additional mechanism to protect consumers from injurious conduct by giving the Superintendent power (in §309) to seek an injunction to restrain any violation of the Financial Services, Banking or Insurance Laws, including authority to obtain a temporary restraining order.

These provisions of the FSL augment the already robust enforcement powers DFS gained when it assumed responsibility for enforcing the Banking and Insurance Laws. For example, under the Banking Law the Superintendent may issue an order "in his or her discretion" requiring a licensed institution to discontinue any "unsafe or unsound" practice. Established law treats the term "unsafe and unsound" practice quite broadly and, unsurprisingly, banking regulators regularly view it that way.

Similarly, following notice and a hearing, the Superintendent may impose a civil monetary penalty against a licensed entity for any violation of the Banking Law, regulations issued under that law, licensing requirements, or any other written agreement entered into with the Department. The Banking Law structures such penalties to accrue on a per day basis; at the highest level of intent, each discrete violation can accrue a daily penalty of up to $250,000.

Although its penalty structure is considered to be less severe than that of the Banking Law, the Insurance Law also contains a number of provisions designed to protect consumers from insidious market conduct. Section 2405, for example, prohibits a variety of "unfair and deceptive acts," while §2601 forbids "unfair claim settlement practices." Penalties under the Insurance Law can reach as high as $2,500 per violation. The law has been construed such that violations may be based on the number of solicitations or communications with consumers; a mass marketing campaign thus may amount to tens or even hundreds of thousands of individual violations. At $2,500 each, penalties could be very steep.

Superintendent Lacewell also announced that protecting consumers' data privacy, as well as fighting cybercrime, will remain top DFS priorities. DFS created a new cybersecurity division, headed by a former federal prosecutor, which will be responsible for both the supervision of cybersecurity at licensed institutions and the enforcement of DFS' first-in-the-nation mandatory cybersecurity regulations. These regulations provide for a civil monetary penalty of up to $1,000 per violation. Penalties for deficiencies under the cybersecurity requirements also might be levied through other provisions of applicable law, such as the aforementioned "safety and soundness" obligation. Following the recent data breach activity that affected Capital One, and possibly impacted a DFS licensee as well (UniCredit Bank S.p.A.), Superintendent Lacewell described this conduct as "just the most recent breach threatening the financial security and privacy of our consumers."

The new Superintendent has also made use of other important tools available to protect consumers, such as the federal Consumer Financial Protection Act (12 U.S.C. §5552(a)(1)) (CFPA). Enacted in 2010 as part of the comprehensive Dodd-Frank legislation, this statute provides state banking regulators (and others) with authority to bring a federal civil lawsuit for injunctive relief, restitution, and other remedies for unfair, deceptive or abusive practices. DFS was the first state banking regulator ever to use this authority, commencing an action in 2014 against a payday lender for improper conduct. DFS continues to use this powerful mechanism to protect New York consumers, having recently commenced an action under the CFPA (jointly with the New York Attorney General) against a company that allegedly engaged in offering predatory subprime home loans.

Finally, in April of this year, the state legislature granted DFS additional powers to regulate loan servicers that administer student loans held by New Yorkers. A proposed regulation issued under this new law requires servicers (among other things) to provide clear information to borrowers concerning fees, terms and conditions of loans; apply payments in a manner that serves the borrower's best interest; and provide timely and substantive responses to consumer complaints. Sober enforcement of this new regulation, once implemented, is to be expected.

DFS Investigative Authority

The Superintendent's investigative authority is very broad and sourced in several places. Chief among them is the investigative power provided by FSL §§308 and 404, which authorize the Superintendent to issue subpoenas and take testimony from any person or entity without regard to whether they are licensed by DFS. While this subpoena power generally is subject to the limitations of the CPLR, in any challenge to a subpoena a state court judge is likely to give DFS significant leeway in seeking evidence that furthers its regulatory mission. Other provisions of law empowering the Superintendent to conduct investigations include Banking Law §37 and Insurance Law §308, each of which permits the Superintendent to seek reports, documents and other information from certain licensed entities.

A former prosecutor, Superintendent Lacewell has wasted no time in commencing investigations aimed at remediating alleged consumer harms. It has been reported in the media that DFS is investigating:

  • First American Financial Corporation, a title insurer, for a data breach involving 885 million records relating to mortgage deals;
  • the payroll advance industry, including Earnin, a salary-advance phone app, for possible violations of New York's payday lending restrictions;
  • Intuit, for allegations of deceptive practices in connection with the offering of services for free on-line filing of tax returns with the IRS;
  • Facebook, for allegations that its analytics software used by millions of app developers improperly shared sensitive personal health and financial information collected by these apps (such as ovulation or fitness data) with Facebook; and
  • financial firms that advertise on Facebook, to determine whether such advertising violates laws prohibiting discrimination on the basis of race, age or gender.

And, as noted above, DFS joined forces with the Attorney General to seek relief against Vision Property Management for alleged violations of the CFPA and state laws in connection with alleged predatory consumer lending. DFS also resolved a long-running investigation of Equifax arising out of its massive data breach in another enforcement action, which included findings that Equifax made inaccurate or misleading representations to consumers in violation of FSL §408.

Other Powers

The Superintendent possesses other notable powers that aid enforcement of the Banking, Insurance and Financial Services statutes. For example, the Superintendent retains significant discretion in the first instance to grant or deny a new application for a DFS license. The Superintendent also possesses authority to suspend or revoke the license of a regulated entity under appropriate circumstances, generally following notice and a hearing. Although this power has been used sparingly since the inception of DFS, given its severity it remains the thermonuclear equivalent of a sanction for a regulated entity.

What Lies Ahead?

As with any regulatory agency, it is difficult to predict the precise direction DFS will take in the future, and agencies often must respond to developments in a regulated industry or, worse, dire circumstances like the 2008 financial crisis. While other areas traditionally associated with DFS, such as anti-money laundering and countering terrorist financing, will no doubt remain a staple of the agency's work, a more sustained focus on investigations with a consumer nexus should be expected.

Matthew L. Levine formerly served as Executive Deputy Superintendent for Enforcement at DFS and as a federal prosecutor, and is now a compliance consultant at Guidepost Solutions.