The Dangers of Regulatory Creep – Do New York DFS Cybersecurity Regulations Apply to Federally Chartered Financial Institutions?

In February 2017, the New York State Department of Financial Services (“DFS”) finalized a new set of cybersecurity regulations that governs New York’s banking, insurance, and financial services industries. Entities in those industries are required to develop and implement cybersecurity programs tailored to their individual risk levels. See Cybersecurity Requirements for Financial Services Companies, 23 N.Y.C.R.R. § 500.02.

On their face, the requirements apply only to “Covered Entities,” which the regulations define as those “operating or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization” under New York’s Banking Law, Insurance Law, or Financial Services Law. See § 500.01(c). Because the regulations limit Covered Entities to those required to register (or be licensed) with the State, many federally chartered financial institutions may have concluded that the regulations do not apply to them. This is because, as entities “organized under federal law or the laws of a state other than New York,” they are exempt from the Banking Law’s registration requirement. See N.Y. Banking Law § 590(1)(e).

But that may not be the case. Critically, Banking Law § 590 exempts entities organized under federal law or the laws of another state only from the Banking Law’s registration requirement, not from other regulations issued by the State of New York. Any such “exempt organization” that does not register with the state must still “notif[y] the superintendent that it is acting as [for example] a mortgage servicer in this state and compl[y] with any regulation applicable to mortgage loan servicers.” N.Y. Banking Law § 590(2)(b-1). In this regard, such “exempt mortgage servicers” are listed as “exempt” on the DFS “Who We Supervise” webpage. Many such organizations have thus seen the word “exempt” next to their names and ended their inquiry there. That, however, is only the beginning of the analysis.

Because DFS’s new cybersecurity regulations expressly apply to non-exempt mortgage loan servicers licensed pursuant to the Banking Law, those regulations should also apply more broadly to all mortgage loan servicers operating in New York (under § 590(2)(b-1)), even if they are exempt entities not required to register. Exempt entities may not have been the intended target of the regulations, but the possibility that federal and out-of-state banks, credit unions, and trust companies could nonetheless be subject to New York’s cybersecurity regulations via Banking Law § 590 has sown significant confusion in the industry.

This is a prime example of regulatory creep in relation to cybersecurity: a set of administrative rules giving rise to unintended consequences, because of their broad industry reach. DFS may (or may not) have intended to include exempt entities under the umbrella of the new regulations, but any definitive answer on the subject will have to come out of guidance from DFS, amendment of the regulations, enforcement, or legal challenges to the regulations. It is unclear whether federal preemption forbids DFS from regulating federally chartered financial institutions in this regard, but it is certain that few such institutions would like to be the test case on the subject.

Attorney Advertising. Prior results do not guarantee a similar outcome. This publication is provided as a service to clients and friends of Harter Secrest & Emery LLP. It is intended for general information purposes only and should not be considered as legal advice. The contents are neither an exhaustive discussion nor do they purport to cover all developments in the area. The reader should consult with legal counsel to determine how applicable laws relate to specific situations. ©2017 Harter Secrest & Emery LLP