Group of professionals discuss finance

Breaking news and expert analysis on legal and compliance issues

[Back To Home][Back To Archives]

From Banking and Finance Law Daily, September 19, 2017

New York proposes registration, reporting, and cybersecurity requirements for credit reporting agencies

By Lisa M. Goolik, J.D.

In response to the Equifax data security breach, New York Governor Andrew M. Cuomo has directed the state’s Department of Financial Services to issue a proposed rule that would require credit reporting agencies to register with New York, report annually to the state’s Superintendent of Financial Services, refrain from certain prohibited practices, and comply with the state’s cybersecurity requirements.

"A person's credit history affects virtually every part of their lives and we will not sit idle by while New Yorkers remain unprotected from cyberattacks due to lax security," Cuomo said. "Oversight of credit reporting agencies will help ensure that personal information is less vulnerable to cyberattacks and other nefarious acts in this rapidly changing digital world. The Equifax breach was a wakeup call and with this action New York is raising the bar for consumer protections that we hope will be replicated across the nation."

Registration requirements. The proposed rule would require consumer credit reporting agencies (CRAs) that maintain credit reports on any consumer located New York to register annually with the New York Superintendent of Financial Services, beginning Sept. 1, 2018. Registrants would be subject to examination, and the superintendent may refuse to issue or renew a registration if, in the superintendent’s judgment, the CRA or any member, principal, officer, or director of the applicant, is not "trustworthy and competent" to act as a CRA, or if it has failed to comply with "any minimum standard."

Prohibited practices. The proposed rule prohibits CRAs from:

  1. directly or indirectly employing any scheme, device, or artifice to defraud or mislead a consumer;
  2. engaging in any unfair, deceptive, or predatory act or practice toward any consumer or misrepresent or omit any material information in connection with the assembly, evaluation, or maintenance of a credit report for a consumer located in New York
  3. engaging in any unfair, deceptive, or abusive act or practice in violation of the Dodd-Frank Act;
  4. including inaccurate information in any consumer report relating to a consumer located in New York;
  5. refusing to communicate with an authorized representative of a consumer located in New York who provides a written authorization signed by the consumer, provided that the consumer credit reporting agency may adopt procedures reasonably related to verifying that the representative is in fact authorized to act on behalf of the consumer; and
  6. making any false statement or omitting any material fact in connection with any information or reports filed with a governmental agency or in connection with any investigation conducted by the superintendent or another governmental agency.

Cybersecurity requirements. The proposal would also require CRAs to comply with New York’s cybersecurity requirements on a phased-in schedule, starting April 4, 2018. "The data breach at Equifax demonstrates the necessity of strong state regulation like New York's first-in-the-nation cybersecurity actions," said Financial Services Superintendent Maria T. Vullo. "This is one necessary action of several that DFS will take to protect New York’s markets, consumers and sensitive information from criminals."

Annual reporting. CRAs would be required to report annually, beginning July 1, 2019, any information requested by the superintendent. The proposed rule also authorizes the superintendent to require quarterly or other statements.

Companies: Equifax

MainStory: TopStory ConsumerCredit CyberPrivacyFeed DoddFrankAct IdentityTheft NewYorkNews Privacy UDAAP

Back to Top

Banking and Finance Law Daily

Introducing Wolters Kluwer Banking and Finance Law Daily — a daily reporting service created by attorneys, for attorneys — providing same-day coverage of breaking news, court decisions, legislation, and regulatory activity.


A complete daily report of the news that affects your world

  • View full summaries of federal and state court decisions.
  • Access full text of legislative and regulatory developments.
  • Customize your daily email by topic and/or jurisdiction.
  • Search archives for stories of interest.

Not just news — the right news

  • Get expert analysis written by subject matter specialists—created by attorneys for attorneys.
  • Track law firms and organizations in the headlines with our new “Who’s in the News” feature.
  • Promote your firm with our new reprint policy.

24/7 access for a 24/7 world

  • Forward information with special copyright permissions, encouraging collaboration between counsel and colleagues.
  • Save time with mobile apps for your BlackBerry, iPhone, iPad, Android, or Kindle.
  • Access all links from any mobile device without being prompted for user name and password.