The New York Department of Financial Services has implemented new regulation, which requires registration of consumer credit reporting agencies and compliance with cybersecurity.
The new legislation requires “consumer credit reporting agencies” (CCRAs) to register with the NYDFS, prohibits CCRAs from engaging in certain practices, and requires CCRAs to comply with certain provisions of the NYDFS cybersecurity regulation.
The new regulation became effective upon the publication of a Notice of Adoption by the NYDFS in the State Register on July 3, 2018.
NYDFS said it has been monitoring the practices of consumer credit reporting agencies, looking into the failure of consumer credit reporting agencies to safeguard consumer data; the failure of consumer credit reporting agencies to maintain accurate consumer credit data; and the failure of consumer credit reporting agencies to appropriately investigate consumer disputes of alleged inaccuracies in credit reports.
A CCRA must now register with the NYDFS if ‘within the previous 12-month period, [it] has assembled, evaluated, or maintained a consumer credit report on one thousand or more New York consumers.’
Every CCRA “that is required to register, at any time between June 1, 2018 and September 1, 2018, must register by September 15, 2018.
The regulation prohibits a CCRA that is required to be registered and has not done so from engaging in the business of a CCRA in New York by furnishing a consumer credit report on a New York consumer to any individual or entity.
It also prohibits any ‘regulated person’ from paying ‘any fee or other compensation’ or transmitting any information about a New York resident to a CCRA that is required to be registered and has not done so.
A CCRA that is required to be registered is also prohibited from engaging in various practices including engaging in any “unfair, deceptive, or predatory act or practice toward any consumer that is prohibited by any federal law, or by any New York State law that is not preempted by federal law,” or engaging in “any unfair, deceptive, or abusive act or practice in violation of section 1036 of the Dodd-Frank Act.”
In addition, a CCRA that is required to be registered must comply with specified provisions of the NYDFS cybersecurity regulation. Except for the provisions that have a February 28, 2019 compliance date, a CCRA must comply with the specified provisions of the cybersecurity regulation by November 1, 2018.
Copyright © 2018 RegTech Analyst
Copyright © 2018 RegTech Analyst