Thursday, December 14, 2017

Risk Management Principles


Chairman and Managing Director

A number of years ago I coined the term “Mortgage Risk Management,” in order to differentiate managing mortgage risk from the many other types of risk management. At that time, risk management was associated mostly with such areas as pharmaceutical companies, stock brokers, and information technology firms. My view was that mortgage loan originations and mortgage servicing present a unique set of risks to consumers, loan originators, mortgage servicers, and those industries and individuals that depend on the foregoing for their financial well-being. The term became popular and is now in commonplace use.

But I also realized that managing mortgage risk would require a strong commitment on the part of companies, because regulatory oversight would fluctuate, often prey to the prevailing politics, and that meant companies had to build out an environment where managing risk could be joined to complying with the regulations themselves. I felt that a company could be successful in managing its mortgage risk if it developed a “Culture of Compliance.”[i] I wrote articles on the Culture of Compliance and gave numerous talks on this subject. In due course, the term was picked up by regulators and made a feature of everyday parlance.

I think consumers, mortgage loan originators, and regulators read my articles and attend my lectures because I strive to give everyone a fair shake. I call it like I see it, without fear of whether some view or another is stepping on somebody’s sacred political toes. Sometimes there really is a right and a wrong, irrespective of the controversy surrounding a regulatory mandate.

My standard is simple: doing all we can to protect the consumer is the only way to protect the viability of the mortgage loan originator and mortgage servicer in the long run.

And the only effective way to ensure that the originator or servicer is protected is to manage its risk. That is the basis for the formation of our firm so many years ago. Lenders Compliance Group®, which has grown to a national mortgage risk management firm over the years, has never lost its original mission to not only provide comprehensive risk management to mortgage industry participants but also offer ways and means to help build a Culture of Compliance for our clients.

Every loan originator and mortgage servicer should be a consumer advocate. Consumers will flock to the companies that present the very best standards of ethics and reliability. If any originating or servicing entity waits for a regulatory agency to tell it what to do on behalf of consumer financial protection, it has already lost the right to expect the consumer’s loyalty.

Friday, October 6, 2017

Construction to Permanent Disclosures

Managing Director

Recently, we have seen an uptick in inquiries from some of our clients and colleagues, as well as requests from the media, regarding disclosures for construction to permanent loans. In the inquiries, the specific facts dictated our responses. However, we can point out that Regulation Z permits a creditor to disclose the construction phase and permanent phase of a residential construction loan either as one transaction or as separate transactions. This aspect of the disclosure process seems to cause some confusion, so I would like to dispel some of the more salient concerns expressed by lenders involved in originating these loan products.

What is the basic structure of construction to permanent mortgage loan transactions?

For the most part, they have two distinct phases that make them similar to two separate transactions. First, the construction period usually involves several disbursements of funds, at times and in amounts often unknown at the beginning of the period. The consumer generally pays only accrued interest until construction is completed. Second, unless the obligation is paid at the time the construction is completed, the loan converts to permanent financing in which the loan amount is amortized just as in a standard mortgage transaction.

So far, so good!

But on July 7, 2017, the CFPB amended Regulation Z to clarify that, for construction-permanent financing transactions, the creditor is required to disclose a Loan Estimate only for the transaction for which it received an application. So, for instance, if the creditor receives an application for construction financing only, the creditor is only required to provide a Loan Estimate for the construction transaction. If the creditor receives applications for separate construction and permanent financing transactions at the same time, then the creditor must provide the Loan Estimate disclosures as either a combined disclosure or separately for each phase of the transaction.

Therefore, the special disclosure rule permits the creditor to give either (A) one combined disclosure for both the construction financing and the permanent financing or (B) a separate set of disclosures for the two phases. The rule is applicable whether the consumer was initially obligated to accept construction only or for both construction and permanent financing. But, if the consumer is obligated on both phases and the creditor chooses to give two sets of disclosures, both sets must be given to the consumer initially, because both transactions would be consummated at that time.

Another issue that seems to perplex construction-permanent loan originators is the allocation of fees.

The following outline may help to clarify the fee allocation structure involved in this loan product. When using this special disclosure rule to disclose as multiple transactions, the creditor must allocate fees and charges between the construction and permanent phases of the transaction.

Here is a set of basic fee allocation structures:
  • If a creditor discloses a construction-permanent loan as multiple transactions, the creditor must allocate to the construction transaction finance charges and points and fees that would not be imposed but for the construction financing. An example would be where a creditor must include inspection and handling fees for the staged disbursement of construction loan proceeds in the disclosures for the construction phase (viz., not in the disclosures for the permanent phase).
  • If a creditor charges separate amounts for finance charges and points and fees for the construction phase and the permanent phase, the creditor must allocate the amounts to the phase for which they are charged.
  • If a creditor charges an origination fee for construction financing only but charges a higher origination fee for construction-permanent financing, the creditor must allocate the difference between the two to the permanent phase.
  • The creditor must allocate to the permanent financing all other finance charges and points and fees.
  • The creditor may allocate in any manner it chooses any fees and charges not used to compute the finance charge or points and fees. Thus, a creditor may allocate in any manner it chooses a reasonable appraisal fee paid to an independent, third-party appraiser. 

There is also this important nuance: if the construction phase consists of a series of advances under an agreement to extend credit up to a certain amount, Regulation Z provides some disclosure flexibility. In this particular case, the creditor may disclose the construction phase as one or more than one transaction – so, it may disclose each advance as a separate transaction or all of the advances as one transaction – and also disclose the permanent financing as a separate transaction.

Preparing these disclosures is a complicated task, suitable only for compliance professionals. If you need assistance regarding construction to permanent finance transactions, with respect to reviewing your policies, procedures, disclosures, and loan flow process, please contact or email us. There is no initial consultation fee. We're glad to help!

Wednesday, August 16, 2017

Mortgage Regulators Conference – A Synopsis

Director/Agency Relations
Lenders Compliance Group

Recently, I attended the annual meeting of the American Association of Residential Mortgage Regulators (AARMR), held in San Antonio, Texas, on August 1, 2017.

The meeting is an important event in the calendar of state and federal banking regulators, as it is largely devoted to regulatory compliance involving banks and nonbanks.

As the former Deputy Commissioner of the Connecticut Banking Department, I have attended these conferences for many years. Of course, as our Director of Agency Relations, I take a particular interest in this event because it enhances my understanding of key issues that may be facing the mortgage banking community in general and our clients in particular.

I would like to share some of the “take-aways” that I have surmised from this valuable AARMR regulatory conference. 

To be sure, I think that it will be helpful to understand the mission statement of AARMR, which is:

“To promote the exchange of information and education of licensing, supervision and regulation of the residential mortgage industry, ensure the ability to provide effective supervision for a safe and sound industry meeting the needs of the local financial markets and protect the rights of consumers.”

This conference provides an opportunity for regulators and industry to discuss current issues and to come away with a better understanding of regulatory concerns as well as those of the industry. It is worth noting that the meeting attendees include not only regulators from most of the states but also legal and regulatory compliance folks as well as a variety of mortgage lenders and mortgage brokers of all sizes.

One of the most compelling and interesting presentations had to do with the industry’s need for clarity and consistency in mortgage supervision and enforcement.

I am offering the following synopsis with the hope that you may obtain a better understanding of some of these mortgage industry concerns, as presented by certain panel discussions relating to challenges in the areas of licensing, advertising, reporting, disclosures, “desk drawer” policies, and the need for collaboration in producing a standard cybersecurity policy.

Please let us know your thoughts, questions or concerns. 

We welcome your feedback!


Some of the challenges and opportunities presented by the industry are summarized below.

Monday, June 26, 2017

Third-Party Relationships: Compliance Risk

Managing Director
Lenders Compliance Group

I am often asked if there are significant compliance risks involving third parties in mortgage banking. The answer is: without a doubt! In providing some insight, I will just mention three of the many types of third parties that pose such risks: mortgage brokers, mortgage lenders, and mortgage servicers.

Let’s be clear at the outset: managing third-party risk is critical for providers of consumer financial products and services. This is because financial institutions (“FI”) can be and often are themselves held liable for the practices of third parties acting on their behalf. Where third parties have contact with the public, directly or indirectly, on behalf of the FI, the risk is substantially greater. From the point of view of technological factors, service providers may be integrated into an FI’s business operations. As such, this can lead to enforcement actions in which certain violations of consumer protection laws are alleged against the service provider and the FI itself!

It is the case that regulators have affirmed their intention to hold companies strictly liable for the conduct of their agents. The legal principle invoked is usually the theory of “vicarious liability.” Just a few years ago, in October 2015, the Department of Housing and Urban Development (“HUD”) proposed rules to formally codify third-party liability standards under the Fair Housing Act, including strict vicarious liability for acts of an institution’s agents, as well as direct liability for negligently failing to correct and end discriminatory practices by those agents.[i]

Consider the risk posed by mortgage brokers. For many years, an area that has seen a lot of fair lending enforcement and class action litigation has been the wholesale mortgage lending industry. Since mortgage lenders close loans originated by independent mortgage brokers, regulators and private litigants have brought enforcement actions and lawsuits alleging that lenders have failed to monitor and control discretionary mortgage broker pricing and product selection practices. In these cases, it has been alleged, under the disparate impact theory, that the mortgage lenders have violated the Equal Credit Opportunity Act (ECOA) due to pricing disparities disfavoring racial and ethnic minorities.

In fact, since 2010 there have been several Department of Justice (DOJ) and Consumer Financial Protection Bureau (CFPB) enforcement actions, as well as lawsuits filed by cities, against wholesale mortgage lenders under this theory.[ii]

Most of the mortgage pricing fair lending enforcement actions to date have focused on conduct that predates April 2011, when regulations by the Federal Reserve on loan originator compensation first took effect. I have written extensively on the features of the loan originator compensation requirements that went into effect on April 6, 2011, if you are interested in reading more about these rules.[iii] The loan originator compensation regulations prohibit compensation to mortgage loan originators based on, among other things, discretionary loan pricing or product steering by a broker based on a financial incentive to a product not in the consumer’s interest.[iv]

Although these changes in the law have reduced pricing’s influence on fair lending risk, they have certainly not eliminated the risk entirely. For instance, in December 2015, the DOJ brought an enforcement action against Sage Bank in Massachusetts relating to disparities in revenue earned on retail mortgage loans to minority borrowers compared to that on mortgage loans to non-minority borrowers. What is notable about this action is that it was the first pricing discrimination enforcement action that focused on loans made after the loan originator compensation rules took effect in 2011. Obviously, it demonstrated that regulators are continuing to focus on mortgage pricing discrimination issues.

But fair lending is not the only compliance risk associated with wholesale lending. Other risks include Unfair, Deceptive, or Abusive Acts or Practices (referred to collectively as “UDAAP”) and related areas. In fact, the CFPB issued guidance on UDAAP in its Supervision and Examination Manual of October 2012.[v] With the benefit of time, litigation, guidance, and examinations, among other things, we can say that these risks arise because mortgage brokers play a key role in marketing, discussing product benefits and terms with applicants and guiding their product choices, providing disclosures, completing applications, and gathering documentation in support of the loan applications. It stands to reason that, in addition to fair lending, oversight of an FI’s mortgage broker network is critical for mitigating UDAAP risk and managing other compliance requirements.

When we move from a consideration of risks associated with mortgage brokers to those posed by mortgage lenders, the risk profile is neither better nor worse, but, as the saying goes, it is different. Much risk tends to congregate around fair lending in secondary market transactions. For instance, in the case Adkins v. Morgan Stanley, plaintiffs alleged that the policies and procedures of Morgan Stanley, which had purchased loans from subprime loan originator New Century Mortgage Company, had created a disparate impact on African-American borrowers. If true as alleged, this would be a violation of the Fair Housing Act (FHA), ECOA, and state law.[vi] Although the court dismissed the ECOA claims as time-barred, it allowed the FHA claims to proceed, holding that plaintiffs’ allegations were sufficient to state a claim of disparate impact discrimination. In the ruling, the court stated that the FHA expressly applies to secondary market purchasing of mortgage loans. It further emphasized allegations relating to Morgan Stanley’s warehouse lending commitments, on-site due diligence of New Century loans, demand for loans with alleged “high-risk” features, and instructions to originate no-documentation loans when it appeared that the applicant could not afford the loan. In its conclusion, the court noted that the evidence was sufficient to support claims that Morgan Stanley’s policies “set the terms and conditions on which it would purchase loans from New Century” and that these terms and conditions had resulted in a disparate impact when they caused New Century to issue toxic loans to the plaintiffs.

In the case In re Johnson, a Chapter 13 debtor alleged that a loan originator had targeted minority borrowers for predatory loans, and that the purchasers and assignees “were involved in this enterprise of selling toxic loans and targeting vulnerable minorities” because the loans were originated with securitization as the ultimate goal.[vii] Although the court dismissed the complaints on the ground that the plaintiff had not alleged sufficient facts to support the claims, it did not summarily reject the proposition that a secondary market purchaser could be held liable under ECOA or the FHA.[viii]

My point is that fair lending scrutiny of not only mortgage lenders, but also their investors, will likely increase in the coming years as new Home Mortgage Disclosure Act (HMDA) reporting requirements, finalized in October 2015, will provide greater insight into the role of investors in the loan origination process.

Thursday, June 15, 2017

Third Party Relationships: Risk Management Guidance - Frequently Asked Questions

Managing Director
Lenders Compliance Group of Companies

On June 7, 2017, the Office of the Comptroller of the Currency (OCC) published a Frequently Asked Questions (“FAQ”), meant to supplement its Bulletin 2013-29 (“Third-Party Relationships: Risk Management Guidance,” October 30, 2013).

The FAQ, OCC Bulletin 2017-21, is entitled “Frequently Asked Questions to Supplement OCC Bulletin 2013-29” (“Supplement”).

This issuance is to be reviewed by Chief Executive Officers and Chief Risk Officers of All National Banks and Federal Savings Associations, Technology Service Providers, Department and Division Heads, all Examining Personnel, and other interested parties. Community Banks should note that the Supplement addresses questions from national banks and federal savings associations (collectively, “banks”) regarding guidance in OCC Bulletin 2013-29. The Supplement and OCC Bulletin 2013-29 are applicable to all banks.[i]

The Supplement provides the following information:
  • defines third party relationships and provides guidance on conducting due diligence and ongoing monitoring of service providers;
  • provides insight on how to adjust risk management practices specific to each relationship;
  • discusses ways to structure third party risk management processes;
  • discusses advantages and disadvantages to collaboration between multiple banks when managing third party relationships;
  • outlines bank-specific requirements when using collaborative arrangements;
  • provides information-sharing forums that offer resources to help banks monitor cyber threats;
  • discusses how to determine whether a fintech relationship is a “critical activity” and covers risks associated with engaging a start-up fintech company;
  • addresses ways in which banks and fintech companies can partner together to serve underbanked populations;
  • covers criteria to consider when entering into a marketplace lending arrangement with a nonbank entity;
  • clarifies whether OCC Bulletin 2013-29 applies when a bank engages a third party to provide mobile payments options to consumers;
  • outlines the OCC’s compliance management requirements;
  • discusses banks’ rights to access interagency technology service provider reports; and
  • answers whether a bank can rely on the accuracy of a third party’s risk management report.

It is my considered view that nonbanks should carefully review the Supplement and, where possible, adopt its guidance, in addition to any other guidance provided by the Consumer Financial Protection Bureau (CFPB) or state banking departments.[ii]

We have placed this Synopsis along with the Supplement on the Vendors Compliance Group website.[iii]

This review of the Supplement will set forth the questions asked and summarize the answers provided. A detailed reading of the Supplement is suggested. This Synopsis is meant to provide an overview of the Supplement; however, I highly advise a thorough reading of the actual Supplement. For further guidance, I recommend that you contact a compliance professional who is familiar with the processes involved in review of service provider and third party vendor due diligence.

If you have questions, please contact us at:


1) What is a third party relationship?

OCC Bulletin 2013-29 defines a third-party relationship as any business arrangement between the bank and another entity, by contract or otherwise.

Wednesday, April 12, 2017

Legal Entity Identifiers and HMDA 2018: Questions and Answers

Jonathan Foxx
Managing Director

The Legal Entity Identifier (“LEI”) is a unique 20-character code that identifies distinct legal entities which engage in financial transactions. The LEI is a global standard, designed to be non-proprietary data that is freely accessible to all. Many financial institutions have not obtained a Legal Entity Identifier (LEI).

A financial institution must provide the following information in its HMDA submission on or after January 1, 2018:

i.   Its name;
ii.  The calendar year the data submission covers pursuant to paragraph (a)(1)(i) of this section or calendar quarter and year the data submission covers pursuant to paragraph (a)(1)(ii) of this section;
iii. The name and contact information of a person who may be contacted with questions about the institution's submission;
iv.  Its appropriate Federal agency;
v.   The total number of entries contained in the submission;
vi.  Its Federal Taxpayer Identification number; and
vii. Its Legal Entity Identifier (LEI) as described in § 1003.4(a)(1)(i)(A).

[Emphasis added. See 5(a)(3)(vii)—Legal Entity Identifier (LEI)]

For purposes of the submission requirement, “appropriate Federal agency” means the appropriate agency for the financial institution as determined pursuant to § 304(h)(2) of the Home Mortgage Disclosure Act [12 U.S.C. 2803(h)(2)] or, for a financial institution subject to the Consumer Financial Protection Bureau's (“Bureau”) supervisory authority under § 1025(a) of the Consumer Financial Protection Act of 2010 [12 U.S.C. 5515(a)], the Bureau.

If your financial institution needs an LEI, the GMEI Utility is endorsed by the Global LEI Foundation and also has a search function. There are some frequently asked questions on their website and we provide below a few highlights derived from that resource.
- Who can register the financial institution? You must currently be an employee of the financial institution you are registering and also authorized by the financial institution to register for an LEI. Alternatively, financial institutions may use a third party through an assisted registration process. The person registering the financial institution will need a user account, which may be created here.
- What information is needed to register? The basic information listed in the ISO 17422, such as the financial institution’s legal name, registered address, headquarters address, legal form, and so forth.
- What is the cost? The GMEI Utility charges $200 for each registration request plus a $19 surcharge. To maintain and keep the LEI registration active, the fee for each registration is $100 plus a $19 surcharge. For more information, visit the FAQs specific to payment.

Once payment is processed, the GMEI will validate the financial institution using public sources. Once this process is complete, it takes about three business days for an LEI to be issued in the GMEI database. Overall, the GMEI Utility’s FAQs state that most requests are “cleared” within three to five business days.

It is advisable to review the CFPB’s HMDA implementation webpage for more information.

Frequently Asked Questions

Q: Why do we need an LEI?

A: The Bureau has taken the position that an LEI could improve the ability to identify a financial institution reporting data and correlate it to its corporate configuration. In addition, the Bureau has stated that “facilitating identification of a financial institution's corporate family could help data users identify possible discriminatory lending patterns and assist in identifying market activity and risks by related companies.” By facilitating identification, this requirement apparently is also meant to help data users identify whether financial institutions are serving the housing needs of their communities. [§ 1003.5(a)(3)]

Q: Should we be getting our LEI as soon as possible? Can we get an LEI before we have to start using it, or do we have to use it as soon as we obtain it?

A: We recommend that you obtain your LEI by the first or second quarter of 2017. There is no reason to delay. We don’t anticipate the price to change. However, you must have an LEI for all loans submitted for HMDA on or after January 1, 2018.

Q: Do you anticipate the Uniform Loan Identifier ("ULI") to be calculated by Loan Origination Systems?

A: We do anticipate that many LOSs will offer to provide this number. However, it is very possible that they may leave this to the vendor collecting your HMDA data. Some concern has been raised about commercial or consumer systems needing such a programming solution. It is our understanding that the Bureau is evaluating this requirement with respect to a compliance effective date for calculating and verifying the ULI and ensuring it has not been previously used.
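Both the 20-character LEI and the ULI that an LOS or HMDA vendor must calculate end in two check digits computed with the ISO/IEC 7064 MOD 97-10 scheme, and a filer can verify either one offline before it reaches a submission. The block below is an added example, not code from the original post or from the GMEI Utility; the LEI body `549300ABCDEFGHIJKL` and the loan id `LOAN0001` are constructed sample values, and the `UliRegistry` class is a stand-in for the "not previously used" check the post mentions.

```python
"""MOD 97-10 check digits for the LEI and the HMDA ULI (added example).

Letters are mapped to two-digit numbers (A=10 ... Z=35), "00" is appended,
and the remainder modulo 97 is subtracted from 98 to get the check digits.
A valid identifier, converted the same way, leaves a remainder of exactly 1.
"""
import re
from typing import Optional

LEI_LENGTH = 20
LOAN_ID_MAX = 23          # ULI = 20-char LEI + 1..23-char loan id + 2 check digits
ALNUM = re.compile(r"^[A-Z0-9]+$")


def _to_numeric(value: str) -> str:
    """Map 'A'..'Z' to '10'..'35'; digits pass through unchanged."""
    out = []
    for ch in value:
        if ch.isdigit():
            out.append(ch)
        elif "A" <= ch <= "Z":
            out.append(str(ord(ch) - ord("A") + 10))
        else:
            raise ValueError(f"character {ch!r} is not allowed in an identifier")
    return "".join(out)


def _mod97(numeric: str) -> int:
    """Remainder modulo 97, folded one digit at a time (no big integer needed)."""
    r = 0
    for d in numeric:
        r = (r * 10 + int(d)) % 97
    return r


def check_digits(body: str) -> str:
    """Two MOD 97-10 check digits for an identifier body (without check digits)."""
    remainder = _mod97(_to_numeric(body.upper()) + "00")
    return f"{98 - remainder:02d}"


def is_valid_lei(lei: str) -> bool:
    """Structural check only: 20 alphanumerics whose MOD 97-10 remainder is 1.

    This does not prove the LEI is issued, active or yours; confirm that
    against the GMEI/GLEIF search before using it in a filing.
    """
    lei = lei.strip().upper()
    return (len(lei) == LEI_LENGTH
            and ALNUM.match(lei) is not None
            and _mod97(_to_numeric(lei)) == 1)


def make_uli(lei: str, loan_id: str) -> str:
    """Build a ULI: LEI + institution-assigned loan id + its two check digits.

    Use an opaque internal id; Regulation C bars loan ids built from data
    that could directly identify the borrower (name, SSN and the like).
    """
    lei = lei.strip().upper()
    loan_id = loan_id.strip().upper()
    if not is_valid_lei(lei):
        raise ValueError("LEI fails the length/character/check-digit test")
    if not (1 <= len(loan_id) <= LOAN_ID_MAX) or ALNUM.match(loan_id) is None:
        raise ValueError("loan id must be 1-23 letters or digits")
    body = lei + loan_id
    return body + check_digits(body)


def is_valid_uli(uli: str) -> bool:
    """Verify a full ULI: length, character set, embedded LEI, remainder 1."""
    uli = uli.strip().upper()
    if not (LEI_LENGTH + 3 <= len(uli) <= LEI_LENGTH + LOAN_ID_MAX + 2):
        return False
    if ALNUM.match(uli) is None or not is_valid_lei(uli[:LEI_LENGTH]):
        return False
    return _mod97(_to_numeric(uli)) == 1


class UliRegistry:
    """Hypothetical stand-in for the LOS/HMDA store that prevents ULI reuse."""

    def __init__(self) -> None:
        self._issued = set()

    def reserve(self, lei: str, loan_id: str) -> Optional[str]:
        """Return a fresh ULI, or None if this LEI/loan-id pair was already used."""
        uli = make_uli(lei, loan_id)
        if uli in self._issued:
            return None
        self._issued.add(uli)
        return uli


if __name__ == "__main__":
    # Constructed sample values: neither the LEI body nor the loan id is real.
    sample_lei = "549300ABCDEFGHIJKL" + check_digits("549300ABCDEFGHIJKL")
    registry = UliRegistry()
    print(sample_lei, is_valid_lei(sample_lei))
    print(registry.reserve(sample_lei, "LOAN0001"))   # fresh ULI
    print(registry.reserve(sample_lei, "LOAN0001"))   # None: already issued
```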

Monday, January 30, 2017

Production Incentives: Protecting the Consumer, plus Compliance Checklist for Production Incentives

Jonathan Foxx
Managing Director

Production incentives have been around since the dawn of modern capitalism. They are not going anywhere. Incentives have been called sales incentives, sales bonuses, and compensation bonuses, and take into account any additional remuneration that tends to be transactionally based. All such incentives can be grouped into business objectives where a transaction may be tied to certain benchmarks, met by employees or service providers, the achievement of which leads to an increase in wage or reward for the party achieving the stated goal. For the sake of discussion, let’s call all forms of such economic inducement, collectively, “incentives.”

Typical incentives include cross-selling, where sales or referrals of new products or services are pitched to existing consumers; sales of products or services to new customers; sales at higher prices where pricing discretion exists; quotas for customer calls completed; and collections benchmarks.

Some of these incentives are very complex in the way they are achieved and applied, whether optional or required. The incentive challenge is one of the usual conundrums arising when money and capital formation meet: the opportunity for harm to the consumer. Obviously, incentives offer a way to further enhance revenue for the seller of services and products. Indeed, in our market economy, an incentive can reveal the economic interest of market participants in a particular service or product, which is extrapolated from consumers’ responses to the offerings. Like so much in finance, incentives are not inherently good or bad, but how they are applied makes them so!

The Consumer Financial Protection Bureau (“Bureau”) has decided to weigh in with guidance on production incentives. I am going to provide my reading of the Bureau’s most recent bulletin on this topic, entitled “Detecting and Preventing Consumer Harm from Production Incentives” (Bulletin 2016-03, November 28, 2016, hereinafter “Bulletin”). It is an interesting read, because it endeavors not only to compile guidance that the Bureau had provided in other contexts but also draws on the Bureau’s supervisory and enforcement experience in which incentives contributed to substantial consumer harm. Importantly, the Bulletin offers some actions that supervised entities should take to mitigate risks posed by incentives.

This White Paper article is an adjunct to an earlier published web article (December 2016), with further elaboration herein, plus now including a "Compliance Checklist for Production Incentives," which provides some helpful guidelines to creating production incentive plans. The full White Paper, Article, and Compliance Checklist may be downloaded from our firm's website at


The most obvious risk of incentives to the consumer is a sales program that includes an enhanced economic motivation for employees or service providers to pursue overly aggressive marketing, sales, servicing, or collections tactics. These kinds of incentives are and always have been features of sales tactics that do not meet regulatory scrutiny. Consequently, it is the case that the Bureau has taken enforcement action against financial institutions that have expected or required employees to open accounts or enroll consumers in services without consent or where employees or service providers have misled consumers into purchasing products the consumers did not want, were unaware would harm them financially, or came with an unexpected ongoing periodic fee.

One or more regulatory violations may be triggered as a result of such incentives. To name but a few of the more salient regulatory frameworks that can be violated, impermissible incentives can cause violations of the prohibition on unfair, deceptive, and/or abusive acts or practices (UDAAP) (Dodd-Frank Act, §§ 1031 & 1036(a), codified at 12 USC §§ 5531 & 5536(a)); the Electronic Fund Transfer Act (EFTA), as implemented by Regulation E (15 USC § 1693 et seq.; 12 CFR Part 1005); the Fair Credit Reporting Act, as implemented by Regulation V (15 USC § 1681-1681x; 12 CFR Part 1022); the Truth in Lending Act (TILA), as implemented by Regulation Z (15 USC § 1601 et seq.; 12 CFR Part 1026); and the Fair Debt Collection Practices Act (15 USC § 1692-1692p). To this the Bureau itself adds that violations can stir up public enforcement, supervisory actions, private litigation, reputational harm, and potential alienation of existing and future customers.

Although not meant to be comprehensive, here are some impermissible incentives that surely trigger regulatory violations:
  • Opening Accounts: sales goals that encourage employees, either directly or indirectly, to open accounts or enroll consumers in services without their knowledge or consent, which may result in improperly incurred fees, improper collections activities, and/or negative effects on consumer credit scores;
  • Benchmarks: sales benchmarks that encourage employees or service providers to market a product deceptively to consumers who may not benefit from or even qualify for it;
  • Terms or Conditions: paying compensation based on the terms or conditions of transactions (such as interest rate) that encourages employees or service providers to overcharge consumers, to place them in less favorable products than they qualify for, or to sell them more credit or services than they had requested or needed;
  • Tiered Compensation: paying more compensation for some types of transactions than for others that were or could have been offered to meet consumer needs, which could lead employees or service providers to steer consumers to transactions not in their interests; and 
  • Quotas: unrealistic quotas to sign consumers up for financial services may incentivize employees to achieve this result without actual consent or by means of deception.

Thursday, January 12, 2017

Cybersecurity Guidelines – “First-in-the-Nation” Regulation

President & Managing Director


On December 28, 2016, the New York Department of Financial Services (DFS) announced that it had revised its proposed cybersecurity regulations in response to public comments that they would be too burdensome, particularly on smaller institutions. The proposed rules, which were initially announced on September 13, 2016, and set to take effect on January 1, 2017, were billed as a “first-in-the-nation regulation” to protect New York residents from cyberattacks.

The “Cybersecurity Requirements for Financial Services Companies” (“Regulation”) is promulgated through Part 500 of Title 23 of the Official Compilation of Codes, Rules and Regulations of the State of New York, and takes effect upon publication in the State Register.[i]

These guidelines would require banks, insurers and other financial services companies regulated by the DFS to set up a cybersecurity program aimed at protecting consumer information from cyberattacks. The revised regulation eases certain reporting and encryption requirements, and exempts small institutions from complying with certain sections of the rule.

The Regulation, as revised, is set to take effect on March 1, 2017. There is a 180-day transitional period running from the March 1st effective date, with longer implementation timeframes (12 months, 18 months, or 24 months) granted as exceptions for certain requirements. Covered entities will be required to annually prepare and submit to the DFS a Certification of Compliance[ii] with the New York State Department of Financial Services Cybersecurity Regulations, commencing February 15, 2018.

In this article, I will provide a high-level overview of these guidelines. This outline is not meant to be comprehensive, but I will touch on several salient areas of interest. Expect these requirements to become a model for examination and enforcement in most other states. Lenders Compliance Group has provided risk assessments for cybersecurity, information security, and information technology based on the Federal Financial Institutions Examination Council's (FFIEC) procedures, so my firm has experience in cybersecurity risk assessments. Given that familiarity, we are now providing an overlay for the DFS cybersecurity requirements promulgated in the Regulation.

Cybersecurity Program

Each covered entity – that is, any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the New York State Banking Law, the Insurance Law or the Financial Services Law – must maintain a cybersecurity program designed to protect the confidentiality, integrity and availability of the covered entity’s Information Systems.

The Regulation defines a “cybersecurity event” as any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an information system or information stored on such information system. For purposes of this regulation, an information system is a “discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of electronic information,” as well as any specialized system such as industrial and process controls systems, telephone switching and private branch exchange systems, and environmental control systems.

A risk assessment must be conducted by the covered entity and the cybersecurity program must be based on that risk assessment and also be designed to perform the following core cybersecurity functions:
  1. identify and assess internal and external cybersecurity risks that may threaten the security or integrity of all electronic information that is not publicly available information, known as Nonpublic Information (“NPI”), stored on the covered entity’s information systems;
  2. use defensive infrastructure and the implementation of policies and procedures to protect the covered entity’s information systems, and the NPI stored on those information systems, from unauthorized access, use or other malicious acts;
  3. detect cybersecurity events;
  4. respond to identified or detected cybersecurity events to mitigate any negative effects;
  5. recover from cybersecurity events and restore normal operations and services; and
  6. fulfill applicable regulatory reporting obligations. 
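As an added example, which is not part of the article and not drawn from the DFS Regulation itself, the following Python sketch applies the Regulation's definition of a cybersecurity event (any act or attempt, successful or unsuccessful, to gain unauthorized access) to a few constructed authentication log lines, the kind of logic the "detect" and "report" core functions above call for. The log format, the host and user names, the source addresses and the failure threshold are all assumptions made for the illustration; the point it shows is that a run of failed logins is itself an event to be detected and counted, not only the success that may follow it.

```python
"""
Added example (hypothetical log format and thresholds): classify authentication
log lines as "cybersecurity events" in the sense used by the DFS Regulation,
where an unsuccessful attempt to gain unauthorized access counts just as a
successful one does, and summarise them for reporting.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample log lines (not from any real system). A burst of failures
# against "admin" from one outside address is followed by a success.
SAMPLE_LOG = """\
2017-03-01T08:00:01Z host=loanapp01 user=jsmith src=10.0.0.12 result=success method=password
2017-03-01T08:00:05Z host=loanapp01 user=admin src=203.0.113.7 result=failure method=password
2017-03-01T08:00:06Z host=loanapp01 user=admin src=203.0.113.7 result=failure method=password
2017-03-01T08:00:07Z host=loanapp01 user=admin src=203.0.113.7 result=failure method=password
2017-03-01T08:00:08Z host=loanapp01 user=admin src=203.0.113.7 result=failure method=password
2017-03-01T08:00:09Z host=loanapp01 user=admin src=203.0.113.7 result=success method=password
2017-03-01T08:10:00Z host=pbx01 user=svc_voice src=10.0.0.40 result=success method=key
2017-03-01T09:00:00Z host=loanapp02 user=mlee src=198.51.100.9 result=failure method=password
"""

# Assumed key=value line layout; a real collector would use its own parser.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>success|failure) method=(?P<method>\S+)$"
)

# Assumed tuning: three consecutive failures from one source against one
# account is treated as an attempt to gain unauthorized access.
FAILURE_THRESHOLD = 3


@dataclass(frozen=True)
class Event:
    timestamp: str
    host: str
    user: str
    src: str
    outcome: str  # "unsuccessful" or "successful", mirroring the Regulation's wording


def parse(log_text):
    """Yield one dict per well-formed log line; reject anything unparseable."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable line: {line!r}")
        yield m.groupdict()


def detect_events(log_text):
    """Return the cybersecurity events found in the log, in log order.

    A failure run reaching FAILURE_THRESHOLD is recorded once as an
    "unsuccessful" event; a later success for the same (source, account) pair
    is recorded as a "successful" event. Isolated failures and ordinary
    successful logins are not events.
    """
    failures = Counter()  # (src, user) -> consecutive failures seen so far
    flagged = set()       # (src, user) pairs already reported as attempting access
    events = []
    for rec in parse(log_text):
        key = (rec["src"], rec["user"])
        if rec["result"] == "failure":
            failures[key] += 1
            if failures[key] == FAILURE_THRESHOLD:
                flagged.add(key)
                events.append(Event(rec["ts"], rec["host"], rec["user"], rec["src"], "unsuccessful"))
        else:
            if key in flagged:
                events.append(Event(rec["ts"], rec["host"], rec["user"], rec["src"], "successful"))
            failures[key] = 0      # a success ends the failure run
            flagged.discard(key)   # report the follow-on success only once
    return events


def summarize(events):
    """Count events by outcome, the figure a periodic report would carry."""
    return dict(Counter(e.outcome for e in events))


if __name__ == "__main__":
    found = detect_events(SAMPLE_LOG)
    for e in found:
        print(f"{e.timestamp} {e.host} user={e.user} src={e.src} {e.outcome}")
    print(summarize(found))
```

Run stand-alone, the script reports two events from the sample: the unsuccessful attempt at the third failure against "admin" and the success that follows it; the single failure by "mlee" and the routine logins, including the one on the PBX host (itself an information system under the Regulation's definition), are not flagged.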

With respect to covered entities that have affiliates, the requirements of the Regulation permit adoption of a cybersecurity program maintained by an affiliate, provided that the affiliate’s cybersecurity program covers the covered entity’s information systems and NPI and meets the requirements of the Regulation. An affiliate is any Person that controls, is controlled by or is under common control with another Person. For purposes of the Regulation, control means the possession, direct or indirect, of the power to direct or cause the direction of the management and policies of a Person, whether through the ownership of stock of such Person or otherwise.