NY regulator issues final regulation for credit reporting agencies

New rules require registration as well as compliance with the state's cybersecurity standard

NY regulator issues final regulation for credit reporting agencies

Credit reporting agencies with significant operations in New York now face stricter regulations following the Equifax data breach that exposed the private data of millions of consumers.

The New York Department of Financial Services (DFS) has issued a final regulation that requires covered agencies to register and to comply with the state’s cybersecurity standard. The final rule incorporates comments received during a public comment period.

Beginning on or before Sept. 1, all consumer credit reporting agencies that reported on 1,000 or more New York consumers in the preceding year must register with DFS. Registration for the calendar year thereafter will also be required in each successive year. Agencies must name the officers and directors responsible for compliance with the financial services, banking, and insurance laws and regulations.

The regulation authorizes the DFS superintendent to refuse to renew an agency's registration under certain circumstances.

Additionally, the rule requires agencies to make annual reports. This provides the superintendent the authority to deny, suspend, and potentially revoke an agency's authorization to do business with the state’s financial institutions and consumers in case of findings of non-compliance with certain prohibited practices, including engaging in unfair, deceptive, or predatory practices. The DFS is also authorized to examine agencies as the superintendent determines necessary.

Beginning Nov. 1, all credit reporting agencies will be required to comply with the DFS’ cybersecurity regulation. Banks, insurance companies, and other financial services institutions regulated by DFS will be required to have a cybersecurity program designed to protect consumers' private data as well as a chief information security officer to help protect data and systems, among other requirements.

 

Related stories:
Equifax names chief technology officer amid data security drive
Mulvaney promises to end CFPB 'regulation by enforcement'