Legal analysts praise New York's updated fintech regs

Proposed changes to the New York State Department of Financial Services Cybersecurity Regulation for fintechs, known as 23 NYCRR Part 500, are set to go into effect later this year, according to legal analysts and financial services experts, most of whom agree the guidelines are innovative and thorough.

Amendments to New York's cybersecurity laws, published in November 2022 and later revised in June 2023 following an open comment period, cover stakeholder responsibilities, exemptions and notifications, according to recent reports.

In a recent interview with Law360 Pulse, Paul Hastings partners Dana Syracuse, and Josh Boem, who serve in the firm's fintech and global payments practice, commended the State of New York for its regulatory leadership.

"I think we're both incredibly impressed by the New York regulator," Syracuse said, "and the way [the New York State Department of Financial Services] has maintained its leading role in the fintech and digital asset space through guidance, through vetting and approval of novel products and technologies [and] through the way that they have ramped up internally in terms of hiring and really building out a regulatory body that is able to license and supervise the industry."

Boem agreed, stating, "New York's leadership in coming up with a comprehensive regulatory framework help set the tone for other regulators seeking to find ways to help ensure that digital assets and blockchain-based products and services are provided in a safe and sound way to customers by institutions that are subject to prudential supervision, robust capital requirements and that comply with robust anti-money laundering, cybersecurity and customer protection requirements."

Amended definitions, guidance

In addition to officially repealing sections of 23 NYCRR Part 500 related to audits, responsible parties and associated definitions, the NYDFS published a 92-page report, titled, Assessment of Public Comments on the Proposed Second Amendment to 23 NYCRR 500, aggregating public commentary from "banking, insurance, and other industry groups, regulated organizations, unregulated businesses, law firms, and academics."

Noting that commentators supported numerous provisions of the amendments, NYDFS officials took all feedback into consideration, proposing the following revisions:

• Definitions: Chief information security officer was added to the list of individuals responsible for cybersecurity oversight and implementation. Additional clarifications were made to risk assessments, senior governing bodies and Class A companies, which NYDFS officials noted was "intended to capture certain larger entities and it is not by itself indicative of these entities' risk exposure." Larger entities, by nature, are complicated, and would benefit from the additional controls and tools required for Class A companies, they explained, adding that "larger entities are in a better position and have increased staffing and budgets to implement the cybersecurity best practices required by the amendment as compared to smaller covered entities."

• Notifications: Time frames for notifying NYDFS were revised, replacing a 90-day period with a more general provision for promptly reacting and notifying authorities and maintaining all records for examination and review.

• Exempt individuals: Employees, representatives and agents of enterprises are considered part of a covered organization's cybersecurity program and are not required to implement their own separate program.

• General clarifications: Additional changes to language include changes to third-party provider, senior governing body, risk assessment, root cause analysis multi-factor authentication requirements and penalty assessment.

The NYDFS invited the public to comment on proposed revisions to the Second Amendment to 23 NYCRR Part 500. A copy of the proposal is available at www.dfs.ny.gov/system/files/documents/2023/06/rev_rp_23a2_text_20230628.pdf

Summarized public commentary can be viewed at www.dfs.ny.gov/system/files/documents/2023/06/rev_rp_23a2_apc_20230628.pdf

The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.