Banking and Finance Law Daily
Tuesday, September 19, 2017

New York proposes registration, reporting, and cybersecurity requirements for credit reporting agencies

By Lisa M. Goolik, J.D.

In response to the Equifax data security breach, New York Governor Andrew M. Cuomo has directed the state’s Department of Financial Services to issue a proposed rule that would require credit reporting agencies to register with New York, report annually to the state’s Superintendent of Financial Services, refrain from certain prohibited practices, and comply with the state’s cybersecurity requirements.

"A person's credit history affects virtually every part of their lives and we will not sit idle by while New Yorkers remain unprotected from cyberattacks due to lax security," Cuomo said. "Oversight of credit reporting agencies will help ensure that personal information is less vulnerable to cyberattacks and other nefarious acts in this rapidly changing digital world. The Equifax breach was a wakeup call and with this action New York is raising the bar for consumer protections that we hope will be replicated across the nation."

Registration requirements. The proposed rule would require consumer credit reporting agencies (CRAs) that maintain credit reports on any consumer located in New York to register annually with the New York Superintendent of Financial Services, beginning Sept. 1, 2018. Registrants would be subject to examination, and the superintendent may refuse to issue or renew a registration if, in the superintendent’s judgment, the CRA or any member, principal, officer, or director of the applicant is not "trustworthy and competent" to act as a CRA, or if it has failed to comply with "any minimum standard."

Prohibited practices. The proposed rule prohibits CRAs from:

  1. directly or indirectly employing any scheme, device, or artifice to defraud or mislead a consumer;
  2. engaging in any unfair, deceptive, or predatory act or practice toward any consumer or misrepresenting or omitting any material information in connection with the assembly, evaluation, or maintenance of a credit report for a consumer located in New York;
  3. engaging in any unfair, deceptive, or abusive act or practice in violation of the Dodd-Frank Act;
  4. including inaccurate information in any consumer report relating to a consumer located in New York;
  5. refusing to communicate with an authorized representative of a consumer located in New York who provides a written authorization signed by the consumer, provided that the consumer credit reporting agency may adopt procedures reasonably related to verifying that the representative is in fact authorized to act on behalf of the consumer; and
  6. making any false statement or omitting any material fact in connection with any information or reports filed with a governmental agency or in connection with any investigation conducted by the superintendent or another governmental agency.

Cybersecurity requirements. The proposal would also require CRAs to comply with New York’s cybersecurity requirements on a phased-in schedule, starting April 4, 2018. "The data breach at Equifax demonstrates the necessity of strong state regulation like New York's first-in-the-nation cybersecurity actions," said Financial Services Superintendent Maria T. Vullo. "This is one necessary action of several that DFS will take to protect New York’s markets, consumers and sensitive information from criminals."

Annual reporting. CRAs would be required to report annually, beginning July 1, 2019, any information requested by the superintendent. The proposed rule also authorizes the superintendent to require quarterly or other statements.

Companies: Equifax
