Alert

June 25, 2018

New York Requires Credit Reporting Agencies to Register with DFS and Comply with State's Cybersecurity Regulation

Today, the New York Department of Financial Services issued a final regulation requiring "consumer credit reporting agencies" to register annually with the DFS, be subject to examination by the DFS, and comply with certain new rules. The final regulation adds certain due process requirements and makes a few other wording adjustments, but the requirements are largely unchanged from the proposed regulation.

The final regulation requires all consumer credit reporting agencies that have assembled, evaluated, or maintained a credit report on a consumer who is a resident of New York within the prior 12 months to register with the DFS, on or before September 15, 2018, and renew their registration annually. Consumer credit reporting agencies also will be made subject to certain reporting requirements and potential examination by the DFS. Under the regulation, the DFS is given the authority to deny or revoke a registration and thereby prohibit the consumer credit reporting agency from issuing reports on New York consumers, and no New York regulated financial institutions may pay any fee or compensation or transmit any information regarding New York consumers to an unregistered credit reporting agency.

In addition, the regulation subjects consumer credit reporting agencies to New York's cybersecurity regulation, which requires the establishment of a Chief Information Security Officer and certain written policies, procedures, and controls designed to protect data. Compliance with the cybersecurity regulation will be by a schedule of compliance, beginning February 28, 2019.

Our thanks to Becki Kuehn with Hudson Cook, LLP, for providing this summary. If you have questions, please feel free to contact Becki at rkuehn@hudco.com.

  Final Regulation