
The New York Department of Financial Services (NYDFS) brings enforcement actions against the banks, insurers, money transmitters and virtual currency businesses it licenses when they fail to comply with its regulations, including the Cybersecurity Regulation (23 NYCRR Part 500).
An enforcement action typically ends in a consent order that imposes a civil monetary penalty and remedial obligations. NYDFS can also suspend or revoke a firm's license to operate in New York.
NYDFS brought its first enforcement action under the Cybersecurity Regulation in 2020, and penalties in later cybersecurity cases have reached $30 million. For a covered entity, compliance with the regulation is not optional.
Covered entities should track NYDFS enforcement actions and address the recurring findings before an examination does: periodic risk assessments, internal audits, and a cybersecurity program tailored to the entity's own risks rather than copied from an affiliate.
NYDFS Enforcement Actions
NYDFS has also pursued cryptocurrency companies that fail to meet its cybersecurity standards. In its August 2022 consent order with Robinhood Crypto, LLC (RHC), it found that RHC had adopted the cybersecurity program of its parent, Robinhood Markets, Inc. (RHM), without ensuring that the program addressed RHC's own risks.
NYDFS was particularly concerned that RHC lacked policies and procedures for data governance, IT asset control, and incident response. It also alleged that RHC had no Chief Information Security Officer reporting to the RHC Board annually, as both the Cybersecurity Regulation and the Virtual Currency Regulation require.
RHC ultimately paid a $1.2 million fine for these alleged violations, highlighting the importance of having a robust cybersecurity program in place.
BSA/AML Governance and Monitoring Flaws
NYDFS found RHC's Bank Secrecy Act (BSA) and anti-money laundering (AML) policies and procedures deficient. The consent order imposed a $30 million civil penalty and ongoing oversight by an Independent Consultant.
The settlement requires RHC to review and improve its BSA/AML policies and procedures, as well as its compliance with the other regulations listed below.
RHC's organizational structure, management oversight, and staffing of the compliance function were also found inadequate.
The Independent Consultant reports to NYDFS and reviews RHC's proposed measures to improve BSA/AML compliance and transaction monitoring.
The consent order identifies these areas where RHC must improve:
- BSA and AML policies and procedures
- Compliance with the Virtual Currency Regulation, the Money Transmitter Regulation, the Cybersecurity Regulation, and the Transaction Monitoring Regulation
- Organizational structure, management oversight, and staffing of the compliance function
- Proposed measures to improve BSA/AML compliance and transaction monitoring
Cybersecurity Regulation Violations
NYDFS found governance deficiencies in RHC's cybersecurity program similar to those in its BSA/AML program. RHC had adopted the cybersecurity program of its parent, Robinhood Markets, Inc. (RHM), wholesale.
Relying on an affiliate's program is not in itself improper, but NYDFS alleged that RHM's policies and procedures did not address RHC's specific risks and operations, and that they did not require an RHC Chief Information Security Officer to report annually to the RHC Board.

NYDFS alleged several further deficiencies: inadequate policies and procedures for data governance, IT asset control, business continuity planning, and incident response, and no risk assessment of the kind the Cybersecurity Regulation requires.
Because of those deficiencies, NYDFS also alleged that RHC's 2019 Certification of Compliance was improperly filed. Even RHC's replacement Business Continuity and Disaster Recovery Plan, NYDFS claimed, still lacked adequate detail on critical systems and security.
The areas in which NYDFS found RHC's cybersecurity program deficient:
- Data governance
- IT asset control
- Business continuity planning
- Systems and network monitoring
- Physical security
- Incident response
Cybersecurity Regulation
Relying solely on an affiliate's cybersecurity program becomes a problem when that program does not address the specific risks of your own business. In RHC's case, NYDFS found that the parent company's policies and procedures did not adequately address the operations and risks specific to RHC's cryptocurrency business.
RHM's procedures allegedly did not require an RHC Chief Information Security Officer to report to the RHC Board annually. That report is required by Virtual Currency Regulation Section 200.16(d) and Cybersecurity Regulation Section 500.04(b).

RHC's cybersecurity program was deficient in data governance, IT asset control, business continuity planning, and incident response; NYDFS claimed RHC lacked adequate policies and procedures in each of these areas.
RHC also failed to conduct the required risk assessment in 2019. Under the Cybersecurity Regulation the risk assessment is the step on which the rest of the program depends, because the required controls are calibrated to it.
RHC's new Business Continuity and Disaster Recovery Plan, adopted in November 2020, still fell short: it lacked detail on critical systems and security, internal and external communications, data backup, and training and testing.
NYDFS Settlements
NYDFS resolves most enforcement actions through consent orders, which combine a civil monetary penalty with remedial obligations and, in some cases, independent oversight.
Its cybersecurity enforcement record is still young. The first action under the Cybersecurity Regulation was brought in 2020 against First American Title Insurance Company (see the Winston & Strawn note under Sources), the Robinhood Crypto order in 2022 carried a $30 million penalty, and in 2023 NYDFS fined OneMain Financial $4.25 million for cybersecurity failures (see the Akin Gump note under Sources).

Recurring findings across these cases are a risk assessment that was never performed or not kept current, policies adopted from an affiliate without tailoring, and weak user access controls, all of which the regulation spells out as baseline requirements.
Part 500 requires each covered entity to perform periodic risk assessments and to use penetration testing and vulnerability assessments to find weaknesses in its own systems; examiners expect to see both the results and the follow-up remediation.
NYDFS has also penalized institutions under its BSA/AML and transaction monitoring rules for failing to maintain accurate records and for failing to detect and report suspicious transactions.
Sources
- https://www.dfs.ny.gov/industry_guidance/enforcement_actions_Insurance
- https://www.goodwinlaw.com/en/insights/blogs/2022/11/nydfs-escalates-and-expands-cybersecurity-enforcement
- https://www.winston.com/en/blogs-and-podcasts/privacy-law-corner/ny-department-of-financial-services-brings-first-cybersecurity-enforcement-action
- https://www.whitecase.com/insight-alert/new-york-state-department-financial-services-imposes-30-million-fine-first
- https://www.akingump.com/en/insights/blogs/ag-data-dive/nydfs-fines-onemain-dollar425m-for-cybersecurity-failures
- https://www.orrick.com/en/Insights/2023/06/Top-5-Takeaways-from-NYDFS-Fine-in-Cybersecurity-Case