NY DFS

New York Department of Financial Services Issues Updated Proposed Cybersecurity Regulation


On December 28, 2016, the New York State Department of Financial Services (“DFS”) announced that it has updated its proposed first‑in‑the‑nation cybersecurity regulation. The proposed regulation, which will be effective March 1, 2017, will require banks, insurance companies and other financial services institutions regulated by DFS to adopt a cybersecurity program, assessing their specific risk profile and designing the program to address those risks accordingly.

According to the DFS, “This updated proposal allows an appropriate period of time for regulated entities to review the rule before it becomes final and make certain that their systems can effectively and efficiently meet the risks associated with cyber threats.”

Among the changes made, the definition of “Exemptions” has been expanded to provide:

  • that “Covered Entities” that have less than the specified number of employees, gross annual revenue or year‑end total assets shall be exempt from the requirements of enumerated sections;
  • an exemption for an employee, agent, representative or designee of a Covered Entity, who is itself a Covered Entity;
  • an exemption from enumerated sections for a Covered Entity that does not directly or indirectly operate, maintain, utilize or control any “Information Systems” and that does not, and is not required to, directly or indirectly control, own, access, generate, receive or possess “Nonpublic Information”;
  • a requirement that Covered Entities that qualify for an exemption file a “Notice of Exemption”; and that a Covered Entity that ceases to qualify for an exemption must comply with all applicable requirements of the proposed rule.

The updated proposed regulation will be finalized following a 30-day notice and public comment period. Sources: Press Release; DFS Assessment of Public Comments; DFS Summary; Proposed Regulation (As Revised).

NY DFS Adopts Final Anti-Terrorism and Anti-Money Laundering Regulation

On June 30, 2016, the New York Department of Financial Services (“NY DFS”) adopted a final anti-terrorism and anti-money laundering regulation (the “Final Regulation”) that requires institutions subject to regulation by the NY DFS to maintain programs to monitor and filter transactions for potential Bank Secrecy Act (“BSA”) and anti-money laundering (“AML”) violations and prevent transactions with sanctioned entities.

Of particular significance is that under the Final Regulation, which will be effective January 1, 2017, relevant regulated NY DFS institutions are required to review their transaction-monitoring and filtering programs and ensure that they are reasonably designed to comply with risk-based safeguards. These institutions also must adopt (at the institution’s option) an annual board resolution or senior officer compliance finding to certify compliance with the Final Regulation beginning April 15, 2018. The resolution or finding must state that documents, reports, certifications and opinions of officers and other relevant parties have been reviewed by the board of directors or senior official to certify compliance with the Final Regulation.

The proposed version of the Final Regulation, which was issued on December 1, 2015, included a much more draconian requirement that a senior financial executive annually deliver an unqualified certificate to the NY DFS that his or her institution “has sufficient systems in place to detect, weed out, and prevent illicit transactions” and that he or she has reviewed the compliance programs of the regulated institution, or caused them to be reviewed, and that such programs comply with all of the requirements of the proposed regulation. The provisions of the proposed regulation are discussed in the December 22, 2015 Orrick Alert.

The NY DFS noted in its announcement of the Final Regulation that: “The risk-based rule adopted by DFS today takes into consideration comments that were submitted by the financial services industry and others during the extended comment period for the previously-proposed regulation, which ended March 31, 2016.”

Institutions must maintain supporting data for the certification, for review by NY DFS, for five years.

The key requirements of the Final Regulation include the following:

Annual Board Resolution or Senior Officer Compliance Finding

To ensure compliance with the requirements, each regulated institution shall adopt and submit to the Superintendent a board resolution or senior officer compliance finding by April 15 of each year. Each regulated institution shall maintain for examination by DFS all records, schedules and data supporting adoption of the board resolution or senior officer compliance finding for a period of five years.

Maintain a Transaction Monitoring Program

Each relevant regulated institution shall maintain a reasonably designed program for the purpose of monitoring transactions after their execution for potential BSA/AML violations and Suspicious Activity Reporting. The system may be manual or automated.

Maintain a Watch List Filtering Program

Each relevant regulated institution shall maintain a reasonably designed filtering program for the purpose of interdicting transactions that are prohibited by federal economic and trade sanctions.