September 18, 2019

September 18, 2019

Subscribe to Latest Legal News and Analysis

September 17, 2019

Subscribe to Latest Legal News and Analysis

September 16, 2019

Subscribe to Latest Legal News and Analysis

NYDFS Adopts Regulation Requiring Registration Of Consumer Credit Reporting Agencies, Compliance With Cybersecurity Regulation

The New York Department of Financial Services (“NYDFS”) has adopted a regulation that requires “consumer credit reporting agencies” (“CCRAs”) to register with the NYDFS, prohibits CCRAs from engaging in certain practices, and requires CCRAs to comply with certain provisions of the NYDFS cybersecurity regulation.

The new regulation became effective upon the publication of a Notice of Adoption by the NYDFS in the State Register on July 3, 2018.  Its definitions of “consumer credit report”  and “consumer credit reporting agency” closely track the definitions of, respectively, the terms “consumer report” and “consumer reporting agency” in the FCRA.  However, the term “consumer credit report” is limited to “a consumer report…bearing on a consumer’s credit worthiness, credit standing, or credit capacity.”  Similarly, the term “consumer credit reporting agency” is limited to “a consumer reporting agency that regularly engages in the practice of assembling or evaluating and maintaining [information from furnishers] for the purpose of furnishing consumer credit reports to third parties.”  The term “New York consumer” is defined as “an individual who is a resident of New York State as reflected in the most recent information in the possession of a [CCRA].”

Registration.  A CCRA must register with the NYDFS if “within the previous 12-month period, [it] has assembled, evaluated, or maintained a consumer credit report on one thousand or more New York consumers.”  Every CCRA “that is required to register…at any time between June 1, 2018 and September 1, 2018” must register by September 15, 2018.  Registration must be renewed by February 1, 2019 for the 2019 calendar year and by February 1 of each year thereafter.

The regulation prohibits a CCRA that is required to be registered and has not done so from engaging in the business of a CCRA in New York by furnishing a consumer credit report on a New York consumer to any individual or entity.  It also prohibits any “regulated person” from paying “any fee or other compensation” or transmitting any information about a New York resident to a CCRA that is required to be registered and has not done so.  A “regulated person” is defined as “any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.”

Prohibited Practices.  A CCRA that is required to be registered is prohibited from engaging in various practices including engaging in any “unfair, deceptive, or predatory act or practice toward any consumer that is prohibited by any federal law, or by any New York State law that is not preempted by federal law,” or engaging in “any unfair, deceptive, or abusive act or practice in violation of section 1036 of the [Dodd-Frank Act].”

Cybersecurity.  A CCRA that is required to be registered must comply with specified provisions of the NYDFS cybersecurity regulation.  Except for the provisions that have a February 28, 2019 compliance date, a CCRA must comply with the specified provisions of the cybersecurity regulation by November 1, 2018.

Copyright © by Ballard Spahr LLP

TRENDING LEGAL ANALYSIS


About this Author

James Kim, Ballard Spahr Law Firm, Los Angeles, Financial Law Litigation Attorney
Of Counsel

Mr. Kim advises companies and individuals in matters involving financial regulation and litigation, and the myriad of federal consumer financial laws, such as Title X of Dodd-Frank (UDAAP), TILA, RESPA, EFTA, and the FDCPA. He has represented clients in examinations and investigations with the Consumer Financial Protection Bureau (CFPB), Federal Deposit Insurance Corporation (FDIC), Office of the Comptroller of the Currency (OCC), U.S. Department of Justice (DOJ), U.S. Securities and Exchange Commission (SEC), and various state and local agencies. His practice focuses on...

646-346-8089
Culhane, Ballard, Partner
Partner

John L. Culhane, Jr., is known for his work advising on interstate direct and indirect consumer and residential mortgage loan and leasing programs, through both traditional brick-and-mortar facilities and e-commerce. Before joining Ballard Spahr, Mr. Culhane was associate counsel with Mellon Bank, N.A.; associate counsel with Bank of America NT&SA; and senior attorney (section chief) with the National Credit Union Administration, the federal agency regulating federal credit unions.

Mr. Culhane addresses issues involving licensing, advertising and marketing, application processing, privacy, disclosure, pricing, substantive terms, servicing, collection, portfolio sales, and securitization. His regulatory practice includes preparing clients for banking agency and CFPB compliance examinations and assisting in the defense of attorney general investigations and banking agency and CFPB enforcement actions. His clients have ranged from a multibillion-dollar bank holding company, to one of the nation's largest residential mortgage lenders, to a leading provider of financial institution forms and documentation. Mr. Culhane is a member of the firm's Fair Lending Task Force.

215-864-8535