Regulating all financial services and products in New York is a crucial task that falls under the jurisdiction of the New York State Department of Financial Services (NYDFS). This department is highly committed to reforming financial services and safeguarding firms and consumers against financial crimes. Since its inception, the department has been working tirelessly to ensure that all financial institutions operating in the state of New York comply with the necessary regulations and standards.
It is interesting to note that in 2011, the New York State Banking Department and the New York State Insurance Department were abolished, and their duties were transferred to the Department of Financial Services. This move was aimed at modernizing regulation by expanding its scope to include a wider variety of financial products and services. This was a significant step towards ensuring that consumers were protected against fraudulent practices and that financial firms were held accountable for their actions.
Founded in 1851, the New York State Banking Department was the oldest bank regulatory agency in the United States until its dissolution in 2011. Similarly, the New York State Insurance Department was established in 1859 and held regulatory responsibilities. The decision to merge the two departments into one entity was a strategic move that made it easier to regulate financial services and products more effectively.
Today, the New York State Department of Financial Services is responsible for regulating a wide range of financial products and services, including banking, insurance, mortgage lending, and consumer finance. The department is highly focused on ensuring that these services are provided in a safe, sound, and fair manner. It is also responsible for investigating and prosecuting financial crimes, such as money laundering, fraud, and other illegal activities.
Missions of the NYDFS
The mission of NYSDFS includes:
- Overseeing financial institutions to maintain stability within the industry
- Preventing financial fraud and educating consumers on financial products and services
- Promoting the growth of the financial industry in New York while prioritizing the safety of consumers and their providers
- Encouraging financial institutions to uphold high standards of public responsibility, business practice, conduct, and ethics to ensure reliability and soundness
- Implementing regulations to combat financial crimes
- Conducting audits to ensure compliance with regulations
Attention to Organizations Under NYSDFS Supervision
Starting from January 1, 2017, financial institutions operating under the New York Banking Law are obligated to comply with anti-terrorism transaction monitoring and filtering program regulations developed by the New York Department of Financial Services (NYDFS). Therefore, it is necessary for financial institutions to establish a risk-based Anti-Money Laundering program in order to fulfill their responsibilities.
The obligations of businesses are:
- Examination of customer transactions with a risk-based approach.
- Compliance with applicable Bank Secrecy Act and AML laws and regulations.
- Creating an enhanced AML control program to detect organized crime, such as money laundering and terrorist financing. (Internal Controls)
- Checking customers on the Office of Foreign Assets Control (OFAC) sanction lists.
- Reporting detected money-laundering activities to authorized units.
- Monitoring customer transactions to combat money laundering and terrorist financing.
- Employing an AML compliance officer or money laundering reporting officer.
NYDFS Cybersecurity Regulation
The NYDFS Cybersecurity Regulation, implemented by the New York Department of Financial Services, is a set of rules designed to improve cybersecurity practices in financial organizations operating in New York. It mandates that organizations establish a comprehensive cybersecurity policy and designate a Chief Information Security Officer to actively manage cybersecurity risks and safeguard their clients' sensitive information. The regulations were announced on February 16th, 2017, and went into effect on March 1, 2017, after two rounds of feedback from the industry and the public.
The NYDFS Cybersecurity Regulation is divided into four phases, with each phase outlining specific cybersecurity requirements that covered organizations must meet. It requires organizations to conduct regular cybersecurity risk assessments and implement adequate cybersecurity controls to mitigate identified risks. This helps to ensure that organizations are continuously monitoring potential threats and taking necessary measures to prevent cyber attacks.
The first phase of the NYDFS Cybersecurity Regulation went into effect on February 15, 2018, and required covered organizations to develop a comprehensive cybersecurity policy that included an incident response plan with data breach notifications within 72 hours. The policy must address concerns in alignment with industry best practices and ISO 27001 standards, and it must cover information security, access controls, disaster recovery planning, systems and network security, customer data privacy, and regular risk assessments.
As of March 1, 2018, the second phase of the NYDFS Cybersecurity Regulation mandates that CISOs create a yearly report outlining their organization's cybersecurity policies and procedures, security risks, and the effectiveness of current cybersecurity measures. Covered institutions must continuously evaluate vulnerabilities and develop proactive responses to threats.
Phase three of the NYDFS Cybersecurity Regulation went into effect on September 3, 2018, and requires covered institutions to have a comprehensive cybersecurity program in place that contains several key elements: an audit trail that reflects threat detection and response activities; written documentation of procedures, standards, and guidelines for in-house applications, as well as procedures for evaluating third-party applications; detailed data retention policy documentation, including how non-public personal information is disposed of; and encryption and other robust security control measures.
The final requirement of the NYDFS Cybersecurity Regulation became effective on March 1, 2019: covered institutions are obligated to establish policies concerning third parties that may be granted access to systems and files governed by the regulation. Covered financial institutions are required to develop a written policy for third-party security that details the risk assessment of third-party service providers; the covered financial institution's security requirements that third-party service providers must meet in order to conduct business with that entity; processes for evaluating the effectiveness of a third-party service provider's security practices; and periodic assessments of third-party policies and controls.
In short, the NYDFS Cybersecurity Regulation is a critical step in creating a more secure financial industry in New York. By enforcing the implementation of comprehensive cybersecurity policies and risk management practices, this regulation helps to protect both organizations and their clients from the devastating effects of cyber attacks.