The New York Department of Financial Services (“NYDFS”) has adopted a regulation that requires “consumer credit reporting agencies” (“CCRAs”) to register with the NYDFS, prohibits CCRAs from engaging in certain practices, and requires CCRAs to comply with certain provisions of the NYDFS cybersecurity regulation.

The new regulation became effective upon the publication of a Notice of Adoption by the NYDFS in the State Register on July 3, 2018.  Its definitions of “consumer credit report”  and “consumer credit reporting agency” closely track the definitions of, respectively, the terms “consumer report” and “consumer reporting agency” in the FCRA.  However, the term “consumer credit report” is limited to “a consumer report…bearing on a consumer’s credit worthiness, credit standing, or credit capacity.”  Similarly, the term “consumer credit reporting agency” is limited to “a consumer reporting agency that regularly engages in the practice of assembling or evaluating and maintaining [information from furnishers] for the purpose of furnishing consumer credit reports to third parties.”  The term “New York consumer” is defined as “an individual who is a resident of New York State as reflected in the most recent information in the possession of a [CCRA].”

Registration.  A CCRA must register with the NYDFS if “within the previous 12-month period, [it] has assembled, evaluated, or maintained a consumer credit report on one thousand or more New York consumers.”  Every CCRA “that is required to register…at any time between June 1, 2018 and September 1, 2018” must register by September 15, 2018.  Registration must be renewed by February 1, 2019 for the 2019 calendar year and by February 1 of each year thereafter.

The regulation prohibits a CCRA that is required to be registered and has not done so from engaging in the business of a CCRA in New York by furnishing a consumer credit report on a New York consumer to any individual or entity.  It also prohibits any “regulated person” from paying “any fee or other compensation” or transmitting any information about a New York resident to a CCRA that is required to be registered and has not done so.  A “regulated person” is defined as “any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.”

Prohibited Practices.  A CCRA that is required to be registered is prohibited from engaging in various practices including engaging in any “unfair, deceptive, or predatory act or practice toward any consumer that is prohibited by any federal law, or by any New York State law that is not preempted by federal law,” or engaging in “any unfair, deceptive, or abusive act or practice in violation of section 1036 of the [Dodd-Frank Act].”

Cybersecurity.  A CCRA that is required to be registered must comply with specified provisions of the NYDFS cybersecurity regulation.  Except for the provisions that have a February 28, 2019 compliance date, a CCRA must comply with the specified provisions of the cybersecurity regulation by November 1, 2018.