On June 25, 2018, New York State announced adoption of final Department of Financial Services (DFS) regulations that require consumer credit reporting agencies to register with the DFS. Our blog post on the regulations as proposed last fall can be found here.

There were some clarifying changes to the requirements but the basic objectives of registration, reporting, abiding by certain parameters of behavior and complying with the DFS cybersecurity regulations remain the same.

The final registration regulations are applicable to every consumer credit reporting agency that within the previous 12 month period has assembled, evaluated or maintained a consumer report on 1,000 or more “New York consumers.” The 1,000 consumer report/12 month threshold is new. The class of New York consumers to whom it is applicable is defined as individuals who are listed as New York residents as reflected in the most recent information in the consumer credit reporting agency’s possession.

Other requirements in the final regulation include the following:

  • Those consumer credit reporting agencies meeting the thresholds noted above between June 1, 2018, and September 1, 2018, must register on or before September 15, 2018; a consumer credit reporting agency meeting the thresholds after that have 15 days to register once it meets the thresholds
  • Registrations will need to be renewed annually by February 1
  • The DFS Superintendent may refuse to renew a registration if in the Superintendent’s judgment, the agency or any of its members, principals, officers or directors are “not trustworthy and competent to act as or in connection with a consumer credit reporting agency” but only after notice and opportunity for a hearing
  • Registered consumer credit reporting agencies will be required to submit to examination by the DFS
  • By July 1 of each year, each registered consumer credit reporting agency must file an information report with the DFS; reports also might be requested quarterly
  • Entities regulated by the DFS are prohibited from providing information on a New York consumer, or paying a fee or compensation, to a registered consumer credit reporting agency that is otherwise required to be registered
  • After notice and hearing, the DFS may suspend or revoke a registration on several grounds, including violating laws or regulations, engaging in fraudulent, coercive or dishonest practices or misappropriating or converting monies received in the course of business
  • Generally prohibited acts and practices for New York consumers include directly or indirectly employing any scheme, device or artifice to defraud or mislead a consumer, or engaging in unfair, deceptive or predatory acts or practices, all as are otherwise prohibited by federal law or any other New York State law not otherwise preempted by federal law

As in the proposal, the final rule also requires that registered consumer credit reporting agencies comply with the DFS cybersecurity regulations, which include development of a cybersecurity program designed to protect consumers’ private data, establishment of written cybersecurity policies approved by the board or a senior officer and appointment of a Chief Information Security Officer to help protect data and systems. The final regulation allows a phase-in of these obligations.