Financial Services Law

New York DFS Set to Regulate Cybersecurity

Why it matters

Stating that the New York Department of Financial Services believes cybersecurity to be one of the most critical issues facing the financial world today, the agency sent a letter to state and federal regulators outlining potential new cybersecurity regulation requirements. The proposed regulations would require regulated entities to adopt cybersecurity policies with respect to their own operations as well as third-party service providers. The regulations would also require regulated entities to appoint a chief information security officer, conduct an annual security audit and immediately notify DFS of significant cybersecurity incidents.

In addition to outlining proposed regulations, the letter may signal DFS's expectations with respect to cybersecurity programs, even absent formal rulemaking.

Detailed discussion

Seeking regulatory convergence for potential new cybersecurity regulations, the New York Department of Financial Services (DFS), which regulates banks and insurance companies in the state, reached out to other financial services regulators, including the Office of the Comptroller of the Currency, the Federal Reserve Board of Governors, the Securities and Exchange Commission, the Consumer Financial Protection Bureau, and the National Credit Union Administration, among others.

The announcement follows multiple DFS surveys concerning regulated banks and insurers to gain insight about their cybersecurity programs, costs, and future plans.

Encouraging other regulators to provide feedback and insight, the DFS set out the key regulatory proposals currently under consideration.

Cybersecurity Policies. Covered entities would be required to implement and maintain written cybersecurity policies and procedures addressing 12 areas: information security; data governance and classification; access controls and identity management; business continuity and disaster recovery planning and resources; capacity and performance planning; systems operations and availability concerns; systems and network security; systems and application development and quality assurance; physical security and environmental controls; customer data privacy; vendor and third-party service provider management; and incident response, including by setting clearly defined roles and decision-making authority.

Third-Party Providers. With regard to third-party service provider management, the DFS said that the written policies and procedures in this area would be required to include "internal requirements for minimum preferred terms to be included in contracts with third-party service providers." Provisions would cover topics such as the use of encryption to protect sensitive data in transit and at rest, the indemnification of the entity in the event of a cybersecurity incident that results in loss, and representations and warranties by the third-party vendor concerning information security.

Multifactor Authentication. In the letter, the DFS emphasized the importance of multifactor authentication: "The Department believes that any regulation that establishes cyber security program requirements for covered entities should also address the use of multi-factor authentication as it applies to (i) customer access to web applications that captures or displays confidential information; (ii) privileged access to database servers that allow access to confidential information; and (iii) any access to internal systems or data from an external network."

Other Requirements. The proposal contemplates that each covered entity would be required to designate a qualified employee to serve as Chief Information Security Officer, conduct annual testing and audits, and would need to immediately notify the DFS of any cybersecurity incident "that has a reasonable likelihood of materially affecting the normal operation of the entity."

To read the letter from the DFS, click here.


Eleventh Circuit's Surcharge Ruling Sets up Possible Supreme Court Showdown

Why it matters

Setting the stage for a possible visit to the U.S. Supreme Court, the Eleventh Circuit Court of Appeals ruled that Florida's prohibition on imposing a surcharge on credit card purchases while simultaneously permitting a discount for cash runs afoul of the First Amendment. The divided panel reached the opposite conclusion of the Second Circuit, where the court held last month that New York's anti-surcharge statute did not violate the First Amendment. Unlike the Second Circuit panel—which determined that the law only regulated conduct and not speech—the Eleventh Circuit said Florida's law targeted "expression alone" and could fairly be called a "surcharges-are-fine-just-don't-call-them-that law." A dissenting opinion agreed with the Second Circuit's finding that the law targeted conduct when a merchant added an additional amount to a credit card purchase and not the description of the amount. The newly created circuit split is likely to expand, as similar suits are now pending before the Fifth Circuit (where a federal district court upheld Texas's law) and the Ninth Circuit (an appeal of a California court's determination the law was unconstitutional on First Amendment grounds).

Detailed discussion

In March 2013, family-run hobby shop Dana's Railroad Supply posted a sign indicating that customers would be subject to a fee for using credit cards to make purchases. Not long after, the business received a cease and desist letter from the Florida Attorney General demanding that Dana's refrain from practices that violated the state's no-surcharge law.

Together with three other recipients of such letters, Dana's filed suit in Florida federal court. Each of the businesses charged lower prices for customers paying with cash and higher prices for those using credit cards, telling the court they wished to express the price differential as an additional amount for credit card use rather than a lesser amount for cash payment.

Pursuant to Section 501.0117(1)-(2) of the Florida Statutes, a "seller or lessor in a sales or lease transaction" can be convicted of a second-degree misdemeanor for imposing "a surcharge on the buyer or lessee for electing to use a credit card," while allowing "the offering of a discount for the purpose of inducing payment by cash."

The AG moved for summary judgment, and after a rational-basis review of the law, a federal district court granted the motion. The plaintiffs appealed to the Eleventh Circuit Court of Appeals, where a divided panel reversed.

"Tautologically speaking, surcharges and discounts are nothing more than two sides of the same coin; a surcharge is simply a 'negative' discount, and a discount is a 'negative' surcharge," the majority wrote. "As a result, a merchant who offers the same product at two prices—a lower price for customers paying cash and a higher price for those using credit cards—is allowed to offer a discount for cash while a simple slip of the tongue calling the same price difference a surcharge runs the risk of being fined and imprisoned."

The First Amendment "prevents staking citizens' liberty on such distinctions in search of a difference," the court said. "Florida's no-surcharge law directly targets speech to indirectly affect commercial behavior. It does so by discriminating on the basis of the speech's content, the identity of the speaker, and the message being expressed. Because the at-best plausible justifications on which the no-surcharge law rest provide no firm anchor, the law crumbles under any level of heightened First Amendment scrutiny. We, therefore, must strike down Section 501.0117 as an unconstitutional abridgement of free speech."

Finding that the cease and desist letters from the Florida Attorney General were sufficient to establish standing for the plaintiffs to challenge the law, the court considered the facial validity of the statute under the First Amendment.

Unlike the Second Circuit Court of Appeals, which found that an anti-surcharge law in New York survived constitutional scrutiny because it regulated conduct and not speech, the Eleventh Circuit said the statute only regulated speech.

"[M]erchants can engage in dual-pricing so long as they offer only cash discounts, while credit-card surcharges are verboten," the majority wrote. "In order to violate the statute, a defendant must communicate the price difference to a customer and that communication must denote the relevant price difference as a credit-card surcharge. Calling Section 501.0117 a 'no-surcharge law,' then, is something of a misnomer. That statute targets expression alone. More accurately it should be called a 'surcharges-are-fine-just-don't-call-them-that law.'"

Florida's statute governs how to express relative values and imposes criminal liability for making the "wrong choice" between "equally plausible alternative descriptions of an objective reality," the court added. "Given our abhorrence of putting citizens of a free society to such 'choices,' laws that restrict speech in this fashion must overcome the robust protections of the First Amendment."

The court acknowledged that economic consequences might flow from how a cash or credit price difference is characterized, but as "a legal matter, potential incident effect, whether intended by the legislature or not, does not alter the fact that the no-surcharge law directly restricts speech."

Applying heightened scrutiny to the statute, the court found it failed to pass muster, depriving "the marketplace of ideas of the full range of public sentiment," and imposing "a direct and substantial burden on disfavored speech" by silencing it. "The no-surcharge law is content based: it applies only to how a merchant may frame the price difference between cash and credit-card payments," the court said.

Such a viewpoint-based restriction on speech warrants the greatest level of First Amendment protection, the majority said, and simply because some modicum of economic conduct was implicated did not permit the law to unconstitutionally restrict speech.

The Attorney General's asserted governmental interests failed to change the majority's mind. A generalized interest in consumer protection was "formulated too abstractly," the court said, while preventing bait-and-switch tactics, providing advance notice to consumers, and leveling the playing field among merchants could all be better served by direct regulation of actual pricing behavior.

"The available less strict-restrictive alternatives are legion," the court said. "What Florida cannot do, as a Constitution matter, is what its no-surcharge law does: abridge protected speech."

In a footnote, the majority distinguished the Second Circuit decision as "a combination of Pullman abstention and a narrow reading of the relevant statutory text and legislative history, both of which differ from Section 501.0117's."

A dissenting opinion argued that the majority neglected to consider the statute's definition of surcharge, which includes the limiting words "imposed at the time of a sale." That language demonstrates the law was intended to regulate conduct, such as when a customer goes to pay for an item with a credit card and is charged more than expected.

"The merchant can speak in any way he chooses so long as he does not ambush the credit-card-using customer with a higher price at the register," the dissent said. "What matters is when, from the customer's perspective, the merchant adds the additional amount to the price because a credit card is used, not how the merchant describes it."

To read the opinion in Dana's Railroad Supply v. Attorney General, State of Florida, click here.


Tweaking FAQs on Brokered Deposits, FDIC Seeks Public Input

Why it matters

The Federal Deposit Insurance Corporation (FDIC) is proposing to update its Frequently Asked Questions (FAQs) on identifying, accepting, and reporting brokered deposits, and is requesting public comment on the proposed changes. In January 2015, the FDIC issued FIL-2-2015 with a series of FAQs intended to help bankers identify brokered deposits. Since the FAQs were issued, the FDIC has received numerous inquiries, prompting its participation in a number of calls and meetings with bankers, banking trade groups and other interested parties. In an effort to provide further clarification, the FDIC proposes several adjustments to its earlier FAQs and is asking for public comment. With its proposed revisions, the regulator emphasizes that brokered deposit determinations are very fact-specific and influenced by a number of factors. "Thus, the FDIC always views these determinations on a case-by-case basis." "As such, the FDIC intends these FAQs as a starting point for institutions to begin their analysis of whether a particular product or program is determined to involve brokered deposits." Comments on the revised FAQs will be accepted until December 28.

Detailed discussion

The Federal Deposit Insurance Corporation (FDIC) started 2015 by releasing new Frequently Asked Questions (FAQs) for brokered deposits, addressing issues such as the definition of a "deposit broker" and when the "primary purpose" exception applies. While the FDIC acknowledged that brokered deposits "can be a suitable funding source when properly managed as part of an overall, prudent funding strategy," the agency expressed concern about the overuse and improper management of brokered deposits, particularly when banks use them to fund "unsound or rapid expansion of loan and investment portfolios."

But by August, industry groups were already expressing concern about perceived changes made by the FDIC via its FAQs. In a letter from the American Bankers Association, the Clearing House Association, and the Institute of International Bankers, the groups explained that the FDIC's definition of brokered deposits in the FAQs appeared to capture "a much broader universe of deposits as brokered than Congress intended."

As a result of the continued questions and in an effort to provide further clarification, the FDIC is proposing several adjustments to its earlier FAQs and is asking for public comment. In its proposed revisions, the FDIC has added citations to its earlier studies, reports, regulations and advisory opinions. The agency also emphasizes that the FAQs do not alter the definition of "brokered deposits" or what constitutes a "deposit broker."

A significant change in the proposed revisions relates to the question of whether insurance agents, lawyers, or accountants that refer clients to a bank are considered to be deposit brokers. The response has been completely rewritten, changing from an unequivocal "yes" to now state "it depends." The response further states that the agency "recognizes that within a community, there are many business professionals that conduct banking business with a particular insured financial institution, and due to that banking allegiance, often refer their customers to a particular financial institution on an informal basis for deposit products. The deposits produced by those types of informal deposit referrals would generally not be considered brokered."

It also clarifies that a more formal, programmatic arrangement—such as where the professional entered into a written contract with the bank for referrals or the professional receives a fee from the bank—would be considered brokered deposits.

In a new follow-up question, the FDIC provided an example of when the deposits in a programmatic arrangement to refer depositors would not be considered a brokered deposit, where bank customers or employees of subsidiaries earn bonuses (cash, merchandise, or a higher interest rate on a deposit) for referring depositors. The "FDIC might determine that the program is sufficiently limited in scope that it is not deemed to be a brokered deposit arrangement," the agency explained, after considering factors such as whether the program is designed to drive deposit growth or just a "small recognition" of loyalty to the bank.

Addressing another area of industry concern, the agency stated: "The FDIC does not believe that dual employees or contractors should be classified as deposit brokers in all situations." The FAQs then provide examples of situations when contractors and dual employees would not be considered deposit brokers. For instance, where employees of a broker-dealer affiliate of an insured depository institution are also employees of that institution, a dual employee who refers a client to the bank and is paid a fee, part of which is paid as a sales commission, would be considered to have facilitated the placement of deposits. But a dual employee who merely performed back-office administrative work—and was not involved in facilitating the placement of deposits—would not qualify as a deposit broker.

The agency also changed some of the commentary to answer whether the primary purpose exception applies to companies that sell or distribute general purpose prepaid cards. While the answer remained "no," the FDIC explained that after the funds are collected from cardholders, they may be placed into a custodial account at an insured depository institution and accessed by cardholders through the use of their cards. The general purpose prepaid card and the deposit accounts are inseparable, according to the amended FAQs, and because of this relationship, prepaid card companies are not covered by the primary purpose exception and prepaid card companies qualify as deposit brokers.

The FDIC also clarified that federal or state agency funds disbursed to beneficiaries of government programs through debit or prepaid cards would not be classified as brokered deposits. "[T]he primary purpose of the federal or state agency is simply to discharge the government's legal obligations to the beneficiaries," the agency explained, and "not to provide the beneficiaries with a deposit-placement service or to assist the insured depository institution in expanding its deposit base."

In another significant change, the FDIC discussed how institutions should respond if they cease to be well capitalized. Reversing course from the prior answer—to close brokered deposit accounts that are not time deposits—the FAQs advise banks to contact their primary financial regulator to establish an appropriate supervisory plan. "The goal of any supervisory plan regarding brokered deposits would be to not disrupt an institution's operations as it attempts to improve its capital category," the FDIC wrote.

The FDIC will accept comments on the amended FAQs until December 28.

To read the "track changes" version of the FAQs, click here.

To read the "clean" version of the FAQs, click here.
