Alston & Bird Consumer Finance Blog

#New York

New York State Proposes Consumer Protection Reforms through FAIR Business Practices Act

What Happened?

On March 13, New York state legislators introduced new legislation called the Fostering Affordability and Integrity Through Reasonable (FAIR) Business Practices Act. The bill, supported by New York Attorney General Letitia James, aims to strengthen New York’s existing consumer protection law and would expand the law’s scope from only covering “deceptive” acts or practices to also include “unfair” and “abusive” practices. It would apply in the consumer context as well as the small business context.

Why Is It Important?

The FAIR Act comes at a time when consumer protection at the federal level has stalled, particularly with respect to the activities of the Consumer Financial Protection Bureau (CFPB).   State attorneys general have promised to step in to address any resulting gaps in consumer protection.

The FAIR Act defines unfair and abusive acts and practices expansively, to reach conduct that could be considered unfair or abusive, but arguably not deceptive. Additionally, it provides for enhanced civil penalties for unfair, deceptive, or abusive practices against “vulnerable persons,” including those under 18 or over 65, active duty servicemembers and veterans, physically or mentally impaired persons, and individuals with limited English proficiency. The legislation provides for civil penalties of: (a) $5,000 per violation; or (b) for knowing or willful violations, the greater of $15,000 or three times the amount of restitution for each violation.

What To Do Now?

Businesses operating in New York can prepare for potential changes by reviewing current practices to identify those that might be considered unfair or abusive under the broader scope of the FAIR Act.  Additionally, they can:

  • Monitor the progress of this legislation and be prepared to adjust business practices accordingly, especially as state-level enforcement of consumer protection laws is likely to increase in response to reduced federal action; and
  • Pay particular attention to practices that might affect “vulnerable persons” as defined in the legislation, as these could result in enhanced civil penalties.

New York Passes New Removal Procedures for Officers, Directors, Trustees, and Partners of Any Entity Regulated by Department of Financial Services

What Happened?

On December 21, 2024, New York Governor Kathy Hochul signed into law S7532, which repealed the existing section of the Banking Law addressing the removal of officers, directors, and trustees of banking organizations, bank holding companies and foreign banks (“covered individuals”), and enacted a new section providing a clearer process for removing such individuals and expanding the scope of the removal authority to apply to all entities regulated by the New York Department of Financial Services (“the Department”).

Repealed Section:

The former provisions regarding the removal of covered individuals were limited to banking organizations, bank holding companies, and foreign banks.

The Superintendent of the Department (“the Superintendent”) was authorized to bring an action to the Banking Board (“the Board”) to remove an officer, director, or trustee whenever it found that such individual:

  • violated any law or regulation of the Superintendent of financial services, or
  • “continued unauthorized or unsafe practices . . . after having been ordered or warned to discontinue such practices.”

Note that the Banking Board has not existed since the Department of Financial Services was created in 2011.

The Board would then serve notice of the action to the covered individual to appear before the Board to show why they should not be removed from office. A copy of this notice would be sent to each director or trustee of the banking organization and to each person in charge of and each officer of a branch of a foreign banking corporation.

If after a three-fifths vote by the Board members the Board found that the individual committed such violations, an order would be issued to remove the individual from office.

The removal became effective upon service of the order. The order and findings were not made public, and were only disclosed to the removed individual and the directors or trustees of the banking organization involved. Any such removed individual that participated in the management of such banking organization without permission from the Superintendent would be guilty of a misdemeanor.

Newly Enacted Section:

The new provision expands the removal authority of the Superintendent to apply to all entities regulated by the Department (“covered entities”), including: banks, trust companies, limited purpose trust companies, private banks, savings banks, safe deposit companies, savings and loan associations, credit unions, investment companies, bank holding companies, foreign banking corporations, licensed lenders, licensed cashers of checks, budget planners, mortgage bankers, mortgage loan servicers, mortgage brokers, licensed transmitters of money, and student loan servicers.

The Superintendent is authorized to bring an action to remove such individuals whenever it finds reason to believe that they:

  • caused, facilitated, permitted, or participated in any violation by a covered entity of a law or regulation, order issued by the Superintendent or any written agreement between such covered entity or covered individual and the Superintendent;
  • engaged or participated in any unsafe or unsound practice in connection with any covered entity; or
  • engaged or participated in any willful material act or omitted to take any material act that directly contributed to the failure of a covered entity.

The notice and hearing provisions were changed to allow the Superintendent to serve a statement of charges against the covered individual and a notice of an opportunity to appear before the Superintendent to show cause why they should not be removed from office. A copy of such notice must now be sent to the affected covered entity, instead of the directors or trustees of the covered entity and persons in charge of foreign bank branches.

Additionally, the threshold for removal was changed. Instead of being removed by a three-fifths vote of a board that no longer exists, the covered individual may be removed if, after notice and hearing: (1) the Superintendent finds that the covered individual has engaged in the unlawful conduct, or (2) the individual waives a hearing or fails to appear in person or by authorized representative.

The order of removal is effective upon service to the individual. The order must also be served to any affected covered entity along with the statement of charges. The order remains in effect until amended, replaced, or rescinded by the Superintendent or a court of competent jurisdiction. Such removed individual is prohibited from participating in the “conduct of the affairs” of any covered entity unless they receive written permission from the Superintendent. If the individual violates such prohibition, they are guilty of a misdemeanor.

Furthermore, the Superintendent is now authorized to suspend the covered individual from office for a period of 180 days pending the determination of the charges if the Superintendent has reason to believe that:

  • a covered entity has suffered or will probably suffer financial loss that impacts its ability to operate in a safe and sound manner;
  • the interests of the depositors at a covered entity have been or could be prejudiced; or
  • the covered individual demonstrates willful disregard for the safety and soundness of a covered entity.

The suspension may be extended for additional periods of 180 days if the hearing is not completed within the previous period due to the request of the covered individual.

Why Does it Matter?

Prior to the update, the Superintendent only had the power to remove individual officers, directors, or trustees from office in various bank organizations. The new law expands this removal power to all entities regulated by the Department.

The amended statute creates an additional penalty for individuals who caused, facilitated, permitted, or participated in the violation of the Banking Law in their positions of power of a regulated entity. Such individuals may be removed from their positions and prohibited from participating in the management of any regulated entity, until they receive written permission from the Superintendent. If they violate the prohibition, they are guilty of a misdemeanor, which can be punished by imprisonment for up to 364 days or by a fine set by the Superintendent.

What Do I Need To Do?

Entities regulated by the Department that are now covered under this section should be aware that violations of law by a licensee may also lead to the removal of certain high-level individuals within the organization. If removed, such individuals would also be prohibited from managing any regulated entity until the Superintendent provides written permission to do so. Affected entities and individuals should take care to ensure compliance with the law to avoid these new penalties.

Fannie Mae Issues Guidance in Response to New York Foreclosure Abuse Prevention Act

What Happened?

On March 13, 2024, Fannie Mae issued Servicing Guide Announcement (SVC-2024-02) (the “Announcement”), which announced, among other things, updates to Fannie Mae’s Loan Modification Agreement (Form 3179), with additional instructions in response to the New York Foreclosure Abuse Prevention Act (“FAPA”). Specifically, for all Loan Modification Agreements (Form 3179) sent to a borrower for signature on or after July 1, 2024, servicers are required to amend the modification agreement to insert the following as new paragraphs 5(e) and (f) for a mortgage loan secured by a property in New York:

(e) Borrower promises to pay the debt evidenced by the Note and Security Instrument.  Further, Borrower acknowledges and agrees that any election by Lender to accelerate the debt evidenced by the Note and Security Instrument and the requirement by Lender of immediate payment in full thereunder is revoked upon the first payment made under the Agreement; and, the Note and Security Instrument, as amended by the Agreement, are returned to installment status and the obligations under the Note and Security Instrument remain fully effective as if no acceleration had occurred.

(f) Borrower further agrees to execute or cause to be executed by counsel, if applicable, a stipulation (to be filed with the court in the foreclosure action), that the Lender’s election to accelerate the debt evidenced by the Note and Security Instrument and requirement of immediate payment in full thereunder is revoked upon the first payment made under the Agreement and the debt evidenced by the Note and Security Instrument is deaccelerated at that time pursuant to New York General Obligations Law § 17-105, or other applicable law.

Fannie Mae encourages servicers to implement these changes immediately but requires that servicers do so for all modification agreements sent to the borrower for signature on and after July 1, 2024. Freddie Mac does not yet appear to have issued similar guidance.

Why Is It Important?

As we previously discussed in a prior blog post, FAPA reversed judicial precedent that permitted a lender, after default, to unilaterally undo the acceleration of a mortgage and stop the running of the statute of limitations in a foreclosure action through voluntary dismissal, discontinuance of foreclosure actions, or de-acceleration letters. For more than a year following FAPA’s enactment, the mortgage industry has grappled with how to address certain of the risks created by FAPA, including whether certain language could be adopted and incorporated into servicers’ loss mitigation documents to mitigate FAPA risk.

Fannie Mae’s Announcement is significant because it represents the first piece of guidance from a federal agency or government-sponsored enterprise (i.e., Fannie Mae or Freddie Mac) that provides some clarity as to what language may be appropriate to mitigate certain of the risks engendered by the New York FAPA.

What Do I Need to Do?

Servicers of Fannie Mae-backed mortgage loans (secured by property in New York) should evaluate their loss mitigation processes and make appropriate updates to ensure compliance with the Announcement.  Servicers should also continue to monitor for additional guidance or caselaw as this issue remains in flux.

New York DFS to Impose Climate Change Safety and Soundness Expectations on Mortgage Lenders, Servicers, and other Regulated Organizations

What Happened?

On December 21, 2023, the New York Department of Financial Services (“NYDFS”) published an 18-page guidance document (the “Guidance”) on managing material, financial and operational risks due to climate change. The NYDFS issued the Guidance after considering feedback it received on proposed guidance it issued in December 2022 on the same topic. The Guidance applies to New York State regulated mortgage lenders and servicers, as well as New York State regulated banking organizations, licensed branches and agencies of foreign banking organizations (collectively, “Regulated Organizations”).

Why Is It Important?

The NYDFS has set forth its expectations, replete with examples, for Regulated Organizations to strategically manage climate change-related financial and operational risks and identify necessary actions proportionate to their size, business activities and risk profile.  Such expectations include:

  • Corporate Governance: An organization’s board of directors should establish a risk management framework, including its overall business strategy and risk appetite, which includes climate-related financial and operational risks, and should hold management accountable for implementation. Such framework should be integrated within an organization’s three lines of defense – quality assurance, quality control and internal audit. Recognizing that low and moderate income (“LMI”) communities may be adversely impacted by climate change, the NYDFS expects an organization’s board of directors to direct management to “minimize and affirmatively mitigate disproportionate impacts” which could violate fair lending and other consumer finance laws. On that note, the NYDFS reminds organizations to consider opportunities to mitigate financial risk through financing or investment opportunities which enhance climate resiliency and are eligible for credit under the New York Community Reinvestment Act.
  • Internal Control and Risk Management: Regulated Organizations should also consider and incorporate climate related financial risks when identifying and mitigating all types of risks, including credit, liability, market, legal/compliance risk, and operational and strategic risk. The NYDFS defines financial risks from climate change to include physical risks from more intense weather events as well as transition risks, resulting from “economic and behavior changes driven by policy and regulation, new technology, consumer and investor preferences and changing liability risks.” The NYDFS recognizes that insurance is an important mitigant to climate change risk but cautions that the availability of such insurance in the future is not guaranteed.
  • Data Aggregation and Reporting: Regulated Organizations should establish systems to aggregate data and internally report their efforts to monitor climate-related financial risk to facilitate board and senior management decision making. Such organizations also should consider developing and implementing climate scenario analyses.

What Do You Need to Do?

The NYDFS stresses that organizations should not let “uncertainty and data gaps justify inaction.” Although the NYDFS has not issued a timeline for implementation of the Guidance or begun incorporating such expectations into examinations (which will be coordinated with the prudential regulators to align with joint supervisory processes), now is the time to begin integrating climate-related financial and operational risks into your company’s organizational structure, business strategies and risk management operations.  This will help you prepare for when your organization is required to respond to the request for information which the NYDFS anticipates sending out later this year.  It is anticipated that the NYDFS will ask for information on the steps your organization has taken or will take within a specified period to manage financial and operational climate-related risks, including government structure, business strategy, risk management, operational resiliency measures, and metrics to measure risks.

NYDFS Finalizes Second Amendment to Its Cybersecurity Regulation

On November 1, 2023, the New York Department of Financial Services (NYDFS) published the finalized Second Amendment to its Cybersecurity Regulation (23 NYCRR Part 500), which includes a number of significant and, for many covered entities, onerous changes to its original regulation. The finalized Second Amendment is much like the June 2023 proposed draft (which made certain revisions to the November 2022 draft). Covered entities should take note of these now-final changes that will require covered entities to review and revamp major components of their cybersecurity programs, policies, procedures, and controls to ensure they are in compliance. This is particularly important as the NYDFS continues to take on an active enforcement role following cyber events, marking itself as a leading cyber regulator in the United States.

Covered entities must notify the NYDFS of certain cybersecurity incidents, including providing notice within: (1) 72 hours after determining a cybersecurity event resulting in the “deployment of ransomware within a material part of the covered entity’s information system” occurred; and (2) 24 hours of making an extortion payment in connection with a cybersecurity event.

Covered entities must implement additional cybersecurity controls, including expanding their use of multifactor authentication and maintaining a comprehensive asset inventory. Covered entities are also required to maintain additional (or more prescriptive) cybersecurity policies and procedures, including ensuring that their incident response plans address specific delineated issues (outlined in the Second Amendment) and maintaining business continuity and disaster recovery plan requirements (both of which must be tested annually).

The most senior levels of the covered entity (senior governing body) must have sufficient knowledge to oversee the cybersecurity program. Additionally, the highest-ranking executive and the CISO are required to sign the covered entity’s annual certification of material compliance.

A material failure (which could be a single act) to comply with any portion of the Cybersecurity Regulation for a 24-hour period is considered a violation.

The Second Amendment became effective on November 1, 2023, and covered entities generally have 180 days to come into compliance with the new requirements. There are certain requirements, however, that will be phased in over the next two years. We have outlined the material changes and the effective dates below.

[Chart: NYDFS Finalizes Second Amendment to Its Cybersecurity Regulation]

The NYDFS is providing a number of resources for covered entities, including a helpful visual overview of the implementation timeline for covered entities, Class A companies, and small businesses (NYDFS-licensed individual producers, mortgage loan originators, and other businesses that qualify for exemptions under Sections 500.19 (a), (c), and (d)). The NYDFS is also hosting a series of webinars to provide an overview of the Second Amendment; individuals can register for the webinars on the NYDFS’s website.