Alston & Bird Consumer Finance Blog

#New York

NY DFS Releases Revised Proposed Second Amendment of its Cybersecurity Regulation

By , , ,

The New York Department of Financial Services (“NY DFS”) published an updated proposed Second Amendment to its Cybersecurity Regulation (23 NYCRR Part 500) in the New York State Register on June 28, 2023, updating its previous proposed Second Amendment, which was published November 9, 2022. While the language proposed is largely similar to the previous draft, which we previously summarized, NY DFS incorporated a number of changes as a result of the 60-day comment period.

Below we outline some of the key revisions to the proposed Second Amendment of NY DFS’s Cybersecurity Regulation compared to the previously issued version from November 9, 2022:

  • Risk Assessment (§§ 500.01 & 500.09). NY DFS previously proposed (in the November 2022 draft) to revise the definition of “Risk Assessment,” which NY DFS has repeatedly emphasized is a core and gating requirement for compliance with the Cybersecurity Regulation, permitting covered entities to “take into account the specific circumstances of the covered entity, including but not limited to its size, staffing, governance, businesses, services, products, operations, customers, counterparties, service providers, vendors, other relations and their locations, as well as the geographies and locations of its operations and business relations.” By contrast, the newly proposed definition more formally defines the components of and inputs to the risk assessment: “Risk assessment means the process of identifying, estimating and prioritizing cybersecurity risks to organizational operations (including mission, functions, image and reputation), organizational assets, individuals, customers, consumers, other organizations and critical infrastructure resulting from the operation of an information system. Risk assessments incorporate threat and vulnerability analyses, and consider mitigations provided by security controls planned or in place.” The revised definition omits the explicit reference to tailoring and customization currently found in § 500.09.  The removal of this language and codification of the risk assessment’s general parameters suggests that although risk assessments can and should be customized to some extent, NY DFS may expect risk assessments to address a more standard set of components that as a general framework is not open to customization.
    • In addition, NY DFS removed the requirement that Class A companies (which are generally large entities with at least $20M in gross annual revenue in each of the last two fiscal years from business operations in New York, and over 2,000 employees, on average over the last two years, or over or over $1B in gross annual revenue in each of the last two fiscal years from all business operations) use external experts to conduct a risk assessment once every three years.
  • Multi-factor Authentication (“MFA”) (§ 500.12). NY DFS continues to stress the importance of MFA in the newly revised draft of the proposed Second Amendment by broadening the requirement (relative to the current MFA requirements and proposed draft from November 2022) and bringing it in alignment with the FTC’s amended Safeguards Rule. In the revised language, MFA is explicitly required to “be utilized for any individual accessing any of the covered entity’s information systems,” (with limited exceptions, outlined below); NY DFS removed from § 500.12(a), (1) the pre-requisite that MFA be implemented based on the covered entity’s risk assessment, and (2) the option of implementing other effective controls, such as risk-based authentication. By doing so, NY DFS appears to strongly recommend MFA implementation across the board, despite retaining the limited exception if the CISO approves in writing a reasonably equivalent or more secure compensating controls (and such controls must be reviewed periodically, and at least annually).
    • For covered entities that fall under the limited exemption set forth in § 500.19(a), which are generally smaller covered entities (based on number of employees and/or annual revenue), MFA must at least be utilized for (1) remote access to the covered entity’s information systems, (2) remote access to third-party applications that are cloud-based, from which nonpublic information is accessible, and (3) all privileged accounts other than service accounts that prohibit interactive logins. As with all other covered entities, the CISO may approve, in writing, reasonably equivalent or more secure compensating controls, but such controls must be reviewed periodically, and at least annually.
  • Incident Response Plan (“IRP”) and Business Continuity and Disaster Recovery Plan (“BCDR”) (§ 500.16). NY DFS added an additional requirement that a covered entity’s IRP include requirements to address the root cause analysis of a cybersecurity event, describing how the cybersecurity event occurred, the business impact from the cybersecurity event, and remediation steps to prevent reoccurrence. NY DFS clarified that the IRP and BCDR must be tested at least annually, and must include the ability to restore the covered entities “critical data” and information systems from backup (but NY DFS does not define “critical data”). As noted in our previous summary, the concept of BCDR is new as of the Second Amendment and not currently in effect in the existing regulation.
  • Annual Certification of Compliance (§ 500.17(b)). NY DFS maintains its current requirement of an annual certification of compliance by a covered entity, but has adjusted the standard for certification from “in compliance” to a certification that the covered entity “materially complied” with the Cybersecurity Regulation during the prior calendar year.  Although NY DFS does not define material compliance, this revision should provide some flexibility for covered entities to complete the certification.  Going forward, covered entities would be presented with two options: (i) submit a written certification that it “materially complied” with the regulation (§ 500.17(b)(1)(i)(a)); or (ii) a written acknowledgment that it did not “fully comply” with the regulation (§ 500.17(b)(1)(ii)(a)), while also identifying “all sections…that the entity has not materially complied with” (§ 500.17(b)(1)(ii)(b)).  It is unclear how NY DFS intends for covered entities to parse the distinction between material compliance and a lack of full compliance, but the requirement for the covered entity to list each section with which it was not in material compliance suggests that it may expect a section-by-section analysis of material compliance for purposes of completing the certification process.
  • Penalties (§ 500.20). Interestingly, NY DFS added that it would take into consideration the extent to which the covered entity’s relevant policies and procedures are consistent with nationally-recognized cybersecurity frameworks, such as NIST, in assessing the appropriate penalty for non-compliance with the Cybersecurity Regulation.  DFS maintains its proposed amendment that a “violation” is: (1) the failure to secure or prevent unauthorized access to an individual’s or entity’s NPI due to non-compliance or (2) the “material failure to comply for any 24-hour period” with any section of the regulation.

The revised proposed Second Amendment are subject to a 45-day comment period, ending August 14, 2023.

CFPB Issues Preemption Determination that State Commercial Financing Disclosure Laws Are Not Preempted By TILA

By ,

A&B Abstract:

The Consumer Financial Protection Bureau (CFPB) recently announced that it issued a final preemption determination concluding that certain state disclosure laws applicable to commercial financing transactions in California, New York, Utah, and Virginia are not preempted by the federal Truth in Lending Act (TILA). As covered in a previous post, we note that the California, Utah, and Virginia laws have already gone into effect, and New York’s is set to become effective on August 1, 2023.

State Commercial Lending Laws

After examining the state disclosure laws in California, New York, Utah, and Virginia, the CFPB recently affirmed that there is no conflict with TILA because the state laws extend disclosure protections to businesses seeking commercial financing, which are beyond the scope of TILA’s statutory consumer credit protections.  Specifically, the CFPB determined that TILA only preempts state laws under conflict preemption, which the CFPB interprets to mean that TILA preempts state laws only if they are “inconsistent” with TILA.

In California, New York, and Utah, state laws require lenders to issue disclosures in certain commercial financing transactions, the purpose of which is generally defined to mean primarily for other than personal, family, or household purposes.  This is in contrast to TILA’s application to consumer credit, which is extended primarily for personal, family, or household purposes.  In December 2022, the CFPB made a preliminary determination that New York’s commercial financing disclosure law was not preempted by TILA because the state law regulates commercial financial transactions rather than consumer-purpose transactions.

In Virginia, disclosures are required in connection with “sales-based financing,” which is defined generally as a transaction in which the financing is repaid by the recipient based on a percentage of sales or revenue.  “Recipient” means a person whose principal place of business is in Virginia and that applies for sales-based financing and is made a specific offer of sales-based financing by a sales-based financing provider.  Based on these definitions, it appears that the Virginia law would not apply to a consumer credit transaction.  However, the CFPB generally noted that, to the extent state law could apply to a consumer credit transaction, there would still be no inconsistency with TILA.

Accordingly, the CFPB found that the four states’ commercial financing disclosure laws are not inconsistent with and, therefore, not preempted by the federal TILA.

Takeaway

As states continue to propose and enact similar laws requiring disclosures in commercial financing transactions, an argument that federal law preempts such state laws is unlikely to succeed.  Thus, companies should monitor ongoing state regulatory trends in commercial financing transactions to ensure compliance with the consumer-style disclosure requirements that may apply.

New York’s Commercial Finance Disclosure Law Set to Take Effect August 1, 2023

By ,

A&B Abstract:

New York is one of the first states that enacted laws requiring consumer-style disclosures for commercial financing transactions (the “New York Law”). Previously, the New York Department of Financial Services (“NYDFS”) issued guidance stating that compliance with the requirements would be delayed until it issued final implementing regulations. Those final regulations were published on February 1, 2023, with an effective date of August 1, 2023 (the “Final Regulations”).

The Final Regulations

The Final Regulations make a few significant changes from the proposed rules, primarily in response to public comments. For example:

  • First, New York’s law will apply only where a recipient’s business is principally managed or directed from the state of New York or where the recipient (if a natural person) is a legal resident of the state of New York. This is a change from positions taken in prior proposed versions of the rule, in which New York would have required the disclosures if either the provider or recipient was located in New York.
  • Second, the Final Regulations clarify that subsidiaries of financial institutions (in addition to the financial institutions themselves) are exempt from the law.
  • Third, the Final Regulations modify notice requirements related to transfers to adhere to UCC norms.
  • Fourth, while the Final Regulations still require broker compensation disclosures, it does not impose strict requirements on the format of those disclosures as originally proposed.
  • Finally, the Final Regulations relaxed strict signature requirements, allowing for disclosures to be provided electronically and by other reasonable means.

Takeaways

New York is among a growing list of states, which include California, Utah, and Virginia, that have enacted laws requiring consumer-style disclosures for commercial financing transactions. As we covered in a previous post, the New York Law has many similarities to the California law that became effective on December 9, 2022. However, New York’s Final Regulations apply to commercial financing transactions of $2.5 million or less, whereas the California regulations apply only to transactions of $500,000 or less. And, as covered in another prior post, Utah also requires registration and disclosures for certain commercial financing transactions of $1 million or less as of January 1, 2023. Notable as well, Virginia has enacted somewhat similar laws applicable to sales-based financing which apply to transactions on or after July 1, 2022. In general, these disclosure laws require specifically formatted lender statements, including the order of the content and respective font sizes. New York has not provided model forms.

While the California, Utah, and Virginia laws have already gone into effect, we expect additional states will also promulgate similar requirements in the future.

Merrily the State CRAs Roll Along

By

A&B ABstract:

While we wait on the final interagency rule from the Federal Reserve, OCC, and FDIC, Illinois and New York are continuing along with their state Community Reinvestment Acts (CRA).

Illinois CRA Developments

Illinois announced that it would hold public hearings, two on March 2, 2023 and a third on March 8, 2023, to discuss revisions to its proposed rulemaking.  The comment period was extended to March 16 to accommodate these hearings and invite further public engagement on their final rule.  The Illinois final rule, unlike the federal final rule, will not only apply to state-chartered banks, but also to state-licensed nonbank lenders and state-chartered credit unions.  To that end, the three hearings are split among the three groups: the Bank Community Reinvestment hearing at 10 a.m. C.T. on March 2, the Mortgage Community Reinvestment hearing at 2 p.m. C.T. on March 2, and the Credit Union Community Reinvestment hearing will be at 1 p.m. C.T. on March 8.  The hearings are to be conducted in person, with dial-in and WebEx accessibility.  The IDFPR published the details for interested attendees in the Illinois Register here.

New York CRA Developments

New York, meanwhile, has updated the New York CRA regulations with additional data collection and reporting obligations in connection with minority- and women-owned businesses (“MWBEs”).  New York revised its CRA statute effective January 2020 to underscore its commitment to serving MWBEs as well as low- and moderate-income communities.  In furtherance to that revision, New York’s Department of Financial Services will now collect data concerning whether a loan or investment benefits MWBEs, in a manner consistent with fair lending laws.  This record collection will enable institutions serving these communities to receive CRA consideration for their activities in their state CRA examinations.  The NY CRA was amended in 2021 to apply to both state-chartered banks and state-licensed non-depository lenders.

Takeaway

It remains to be seen whether Illinois or New York will issue anything further before the prudential regulators come out with the much-anticipated final CRA rule.  Conventional wisdom would anticipate their waiting, but with potential legal challenges to the final CRA rule under consideration by certain banking trade groups, the states may be ready to continue moving forward independently for now and synching back up again once the final federal CRA rules are in effect.

New York Foreclosure Abuse Prevention Act Curtails Servicers’ Options

By , , ,

A&B ABstract:

Effective on approval by Governor Kathy Hochul on December 30, 2022, New York Assembly Bill 7737b – the Foreclosure Abuse Prevention Act (the “Act”) became law.  The Act is signifcant because it reverses judicial precedent that permitted a lender, after default, to undo the acceleration of a mortgage and stop the running of the statute of limitations in a foreclosure action through voluntary dismissal, discontinuance of foreclosure actions, or de-acceleration letters. Notably, the Act applies both prospectively and to any foreclosure action filed prior to its effective date that had not been resolved through a final judgment and order of sale. Further, unlike other provisions of New York law, the Act applies to all properties (and not only those that are owner-occupied). Public reaction has been mixed as to whether the measure will benefit consumers – but, regardless, it changes the rules of the game for lenders and servicers in New York State.

Background

Existing New York law establishes a six-year statute of limitations for the commencement of a mortgage foreclosure action, triggered when the borrower defaults on the obligation and the lender accelerates the obligation to pay the secured debt. In 2021, the New York Court of Appeals considered whether a lender can de-accelerate a loan and reset the statute of limitations.

The court decided four cases (with the opinion rendered in Freedom Mtge. Corp. v Engel, 37 N.Y.3d 1 (2021)), “each turning on the timeliness of a mortgage foreclosure claim.” The court held that the lender’s voluntary dismissal of a foreclosure suit constituted a revocation of the lender’s election to accelerate. Such revocation returned the parties to their pre-acceleration rights, reinstated the borrower’s right to repay via installments, and established a new statute of limitations period for any future default payments. According to the court, “[w]here the maturity of the debt has been validly accelerated by commencement of a foreclosure action,” the court opined, “the noteholder’s voluntary withdrawal of that action revokes the election to accelerate, absent the noteholder’s contemporaneous statement to the contrary.”

In the course of deciding Engel, the court also considered what constituted an “overt unequivocal act” sufficient to trigger a valid acceleration of debt and the six-year statute of limitations. Here, the court held that neither the issuance of a default letter nor the filing of complaints in prior discontinued foreclosure actions that failed to reference the pertinent modified loan were sufficient methods to validly accelerate debt.

The Act

Since the Engel decision, mortgagees in New York State have relied on their ability to voluntarily discontinue a foreclosure action – and effectively reset the statute of limitations– in order to engage distressed borrowers in loss mitigation efforts. However, the Act appears to eliminate a mortgagee’s ability to unilaterally reset the limitations period by voluntarily discontinuing a foreclosure action and deaccelerating the loan.

With the express intent of overturning the Engel decision, the Act amends provisions of New York’s Real Property Actions and Proceedings Law (“RPAPL,” N.Y. Real Prop. Acts. Law §§ 1301 et seq.), General Obligations Law (“GOL,” N.Y. Gen. Oblig. Law §§ 1-101 et seq.), and Civil Practice Law and Rules (“Rules,” N.Y. C.P.L.R. §§ 101 et seq.) relating to the rights of parties involved in foreclosure actions.

RPAPL:

Under previous law, Section 1301 of the RPAPL prohibited the commencement or maintenance of any action to recover any part of a mortgage debt while another action to recover part of the mortgage debt is already pending or after final judgment has been made for the plaintiff without leave of the court in which the first action was brought. Beyond clarifying that a foreclosure action falls within the scope of that prohibition, the Act provides that procurement of leave from the first court must be a condition precedent to commencing or maintaining the new action. Thus, failure to comply with the leave of court condition precedent may no longer be excused by finding that the prior action was “de facto discontin(ued)” or “effectively abandoned” (see U.S. Bank Trust, N.A. v. Humphrey, 173 AD3d 811, 812 (2d Dept 2019)); or that the defendant was not prejudiced thereby (see Wells Fargo Bank, N.A. v. Irizarry, 142 AD3d 610, 611 (2d Dept 2016)); nor by deeming the pre-action failure a mistake, omission, defect, or irregularity that could be overlooked or disregarded (see id.).

Moreover, failure to obtain leave is a defense to the new action. If a party brings a new action without leave of the court, the section declares that the previous action is deemed discontinued unless prior to the entry of final judgment in the original action the defendant: (a) raises the failure to comply with the condition precedent, or (b) seeks dismissal of the action based upon one of the grounds set forth in Section 3211(a)(4) of the Rules.

Section 1301 of the RPAPL is further amended to provide that if the mortgage securing the bond or note representing the debt so secured by the mortgage is adjudicated as time barred by a court of competent jurisdiction, any other action to recover any part of the same mortgage debt is equally time barred. As a result, if the statute of limitations acts to bar a foreclosure action or any other action to recover on mortgage debt, an investor or servicer cannot bring any other action to recover the same part of the mortgage debt, including another foreclosure action or an action to recover a personal judgment against the borrower on the note.

GOL:

Under Section 17-105 of the GOL, an agreement to waive the statute of limitations to foreclose on a mortgage is effective if expressly set forth in writing and signed by the party to be charged.

The Act amends Section 17-105 by: (1) clarifying that the GOL is the exclusive means by which parties are enabled to postpone, cancel, reset, toll, revive or otherwise effectuate an extension of the limitations period for the commencement of an action or proceeding upon a mortgage instrument; (2) clarifying that unless effectuated in strict accordance with Section 17-105, the discontinuance of an action upon a mortgage instrument, by any means, shall not, in form or effect, function as a waiver, postponement, cancellation, resetting, tolling, or extension of the statute of limitations; and (3) codifying certain judicial rulings holding as much.

While not included or otherwise referenced in the Act, it is also worth noting that Part 419 of the New York Department of Financial Services’ mortgage loan servicer business conduct rules prohibit a mortgage servicer from requiring a homeowner to waive legal claims and defenses as a condition of a loan modification, reinstatement, forbearance or repayment plan. It is unclear whether Part 419 would be interpreted to prohibit servicers from seeking a waiver of the limitations period pursuant to Section 17-105, especially with respect to loans where the limitations period has already run. To further complicate matters, the New York legislature is currently considering a bill that would (1) create an express private right of action for violations of Part 419; (2) make compliance with Part 419’s requirements a condition precedent to commencing a foreclosure action; and (3) render failure to materially comply with Part 419 to be a defense to a foreclosure action or an action on the note, even if servicing of the loan has been transferred to a different servicer when a foreclosure action or action on the note is commenced.

Rules:

The Act amends and adds several provisions of the Rules relating to the application of the statute of limitations in actions relating to mortgage debt.

First, the Act adds Section 203(h) to the Rules, which terminates the ability of a lender or servicer to extend the statute of limitations on a foreclosure action by any form of unilateral action. No voluntary discontinuation of an action to enforce a mortgage may “in form or effect, waive, postpone, cancel, toll, extend, revive or reset the limitations period to commence an action and to interpose a claim, unless expressly prescribed by statute.” In other words, the amended section appears to prohibit a mortgagee from “de-accruing” a cause of action or otherwise effectuating a unilateral extension of the limitations period by suspending a foreclosure action – and providing loss mitigation opportunities to the borrower – once the six-year statute of limitations has begun to run after the loan is accelerated. The methods by which the statute of limitations in a mortgage foreclosure action can be waived or extended are exclusively set forth in Article 17 of the GOL (see GOL 17-105 (express written agreement to extend, waive or not plead as a defense the statute of limitations); 17-107 (unqualified payment on account of mortgage indebtedness effective to revive statute of limitations)). Accordingly, a bare stipulation of discontinuance or a lender’s unilateral decision to revoke its demand for full payment is no longer a permissible method for waiving, extending, or modifying the statute of limitations.

Second, the Act adds Section 205-a to the Rules, limiting reliance on the savings statute for time-barred claims. After termination of an action, the new section permits the original named plaintiff to commence a new action upon the same transaction or occurrence or series of transactions only if: (a) the plaintiff brings the new action within six months of the termination; and (b) the termination of the prior action occurred in any manner other than a voluntary discontinuance, a failure to obtain personal jurisdiction over the defendant, dismissal for any form of neglect, for violation of any court rules or individual part rules, failure to comply with any court scheduling orders, failure to appear for a conference or at a calendar call, failure to timely submit any order or judgment, or a final judgment upon the merits. Further, only one six-month extension will be available to the plaintiff.

Under new Section 205-a, a successor-in-interest or an assignee of the original plaintiff can only commence a new action if such party pleads and proves that the assignee is acting on behalf of the original plaintiff. Further, if the defendant has served an answer and the action has been terminated, in a new action based on the same transaction or occurrence or series of transactions (whether brought by the original plaintiff or a successor-in-interest or assignee thereof) any cause of action or defense that the defendant asserts will be considered timely “if such cause of action or defense was timely asserted in the prior action.” Section 205-a also provides that, where applicable, the original plaintiff (or a successor-in-interest acting on behalf of the original plaintiff) may only receive one six-month extension and no court shall allow the original plaintiff to receive more than one six-month extension.

Third, the Act amends Section 213(4) of the Rules to clarify that in any action where the statute of limitations is raised as a defense – and if that defense is based on a claim that the indebtedness was accelerated prior to or through commencement of a prior action – a plaintiff will be estopped from asserting that a mortgage instrument was not validly accelerated prior to or by way of commencement of a prior action. An exception exists if the prior action “was dismissed based on an expressed judicial determination, made upon a timely interposed defense, that the instrument was not validly accelerated.”

Further, in any quiet title action seeking cancellation and discharge of record of a mortgage instrument, a defendant will be estopped from asserting that the applicable statute of limitations period for commencement of an action has not expired because instrument was not validly accelerated prior to or by way of commencement of a prior action, “unless the prior action was dismissed based on an expressed judicial determination, made upon a timely interposed defense, that the instrument was not validly accelerated.”

Finally, the Act amends Section 3217 of the Rules, by adding a new Subsection (e), which clarifies that if the statute of limitations is raised as a defense in an action, and if the defense rests on a claim that the instrument was accelerated prior to or by virtue of the commencement of a prior action, the plaintiff cannot stop the tolling of the statute of limitations by asserting that the instrument was not validly accelerated unless the prior action was dismissed based on an express judicial determination regarding invalid acceleration.

Takeaway

In light of the Act’s curtailment of a servicer’s or investor’s ability to unilaterally suspend a foreclosure action, we recommend that mortgagees carefully review their pending mortgage foreclosure actions in New York state. At a minimum, the Act removes the ability of a holder or servicer in New York state to voluntarily discontinue a foreclosure action after acceleration of the indebtedness triggers the running of the statute of limitations.

Whether this will interfere with servicers’ contractual rights and ability – and obligations under the CFPB rules and New York Part 419 – to offer meaningful loss mitigation opportunities to borrowers remains to be seen. At least one judge thinks so. In a recent Order to Show Cause, a New York Supreme Court judge concluded that the Act violates the Contracts Clause of the U.S. Constitution and included an invitation for the New York Attorney General to weigh in.