Legal Update

Sep 12, 2018

Stricter Regulations for Consumer Credit Reporting Agencies Compiling Information on New York Consumers

Click for PDF

Seyfarth Synopsis: The New York State Department of Financial Services (“DFS”) has promulgated stricter regulations for consumer credit reporting agencies (“CCRAs”) compiling information on New York consumers, including, but not limited to, registering with the Superintendent of DFS by September 15, 2018.

Registration Requirements for CCRAs

DFS has issued regulations requiring, among other things, that all “consumer credit reporting agencies” (or “CCRAs”) that reported on 1,000 or more New York consumers in any twelve month period between June 1, 2018 and September 1, 2018 to register with the DFS Superintendent on or before September 15, 2018. CCRAs are defined as “a consumer reporting agency that regularly engages in the practice of assembling or evaluating and maintaining, for the purposes of furnishing consumer credit reports to third parties bearing on a consumer’s credit worthiness, credit standing, or credit capacity, and credit account information from persons who furnish that information regularly and in the ordinary course of business.” According to DFS, the underlying reasons for the new regulations include the failure of CCRAs to safeguard and maintain accurate consumer data and accurately investigate consumer disputes of alleged inaccuracies.

What is a CCRA?: Determining Whether Registration is Required

The new regulations only apply to CCRAs, which are defined as:

a consumer reporting agency that regularly engages in the practice of assembling or evaluating and maintaining, for the purpose of furnishing consumer credit reports to third parties bearing on a consumer's credit worthiness, credit standing, or credit capacity, and credit account information from persons who furnish that information regularly and in the ordinary course of business.

The definition of CCRA incorporates the definition of "consumer reporting agency,” which is defined separately as:

any person who, for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties.

Under these definitions, and because this definition is similar to the definition of a consumer reporting agency as defined by the Fair Credit Reporting Act, background screeners are likely to be deemed “consumer reporting agencies.”

Whether a consumer reporting agency qualifies as a CCRA who is required to register under the regulations, however, will depend on a few factors:

1. Do the CRA’s reports include information “bearing on a consumer’s credit worthiness, credit standing, or credit capacity”? The registration requirement does not apply to providers of reports that only contain criminal or non-credit information.

2. If the CRA’s reports contain information “bearing on a consumer’s credit worthiness, credit standing, or credit capacity,” is that information assembled, evaluated and maintained? The regulations only apply to those consumer reporting agencies that regularly engage in the practice of assembling or evaluating, and “maintaining” credit information for the purposes of furnishing consumer reports.

3. If the CRA’s reports contain information “bearing on a consumer’s credit worthiness, credit standing, or credit capacity,” is that information “credit account information from persons who furnish that information regularly and in the ordinary course of business”? While the regulation is unclear, it suggests that it would require registration for CRAs who maintain credit account information from furnishers regularly in the ordinary course of business.

Revocation and Suspension of a Registration

DFS may refuse to renew, revoke, or may suspend for a period, a CCRA’s registration if the DFS Superintendent finds that the applicant or any member, principal, officer or director of the applicant, has, among other things:

• Violated any insurance, financial service, or banking laws or violated any regulation, subpoena or order of the DFS Superintendent or of another state’s insurance or banking commissioner or of any other state or federal agency with authority to regulate CCRAs, or has violated any law in the course of his or her dealings in such capacity;

• Provided materially incorrect, materially misleading, materially incomplete or materially untrue information in the registration application;

• Failed to comply with the requirements of the regulation, including but not limited to, the cybersecurity regulation (discussed in more detail below);

• Used fraudulent, coercive or dishonest practices;

• Improperly withheld, misappropriated or converted any monies or properties received in this course of business in New York or elsewhere;

• Admitted or been found to have committed any unfair trade practice or fraud; or

• Had a CCRA registration, or its equivalent, denied, suspended or revoked in any other state, province, district or territory.

Before refusing to renew the registration of any CCRA, the DFS Superintendent shall give notice to the CCRA and shall hold, or cause to be held, a hearing not less than 15 days after giving notice to the CCRA.

CCRAs are subject to examinations by DFS as often as the DFS Superintendent determines is necessary, and prohibits agencies from the following, unless preempted by federal law:

• Directly or indirectly employing any scheme, device or artifice to defraud or mislead a consumer;

• Engaging in any unfair, deceptive or predatory act or practice toward any consumer;

• Misrepresenting or omitting any material information in connection with the assembly, evaluation, or maintenance of a credit report for a New York consumer;

• Engaging in any unfair, deceptive, or abusive act or practice in violation of the Dodd-Frank Wall Street Reform and Consumer Protection Act;

• Failing to comply with the provisions of federal law relating to the accuracy of the information in any consumer report relating to a New York consumer;

• Refusing to communicate with an authorized representative of a New York consumer who provides a written authorization signed by the consumer, provided that the CCRA may adopt procedures reasonably related to verifying that the representative is in fact authorized to act on behalf of the consumer, and provided further that the authorized representative is not a credit repair organization, or associated with a credit repair organization;

• Making any false statement or making any omission of a material fact in connection with any information or reports filed with a governmental agency or in connection with any investigation conducted by the DFS Superintendent or another governmental agency.

Cybersecurity Regulation

Additionally, every CCRA must comply with DFS’s cybersecurity regulation, beginning on November 1, 2018 (pursuant to the time table included in the final regulation, which runs through December 31, 2019) and require:

• banks, insurance companies, and other financial services institutions regulated by DFS to have a cybersecurity program designed to protect consumers’ private data;

• a written policy or policies that are approved by the board or a senior officer; and

• a Chief Information Security Officer to help protect data and systems; and controls and plans in place to help ensure the safety and soundness of New York's financial services industry.

DFS’s cybersecurity regulation also requires the protection of data from third-party vendors and the filing with DFS of an annual certification of compliance.

CCRA Registration With DFS

DFS has developed an online registration form that is available via its secure portal, requiring CCRAs to establish a portal account and request access to the registration form via the “Ask for Apps” section of the portal. Once DFS has approved the request for access, CCRAs can return to the portal homepage to access and complete the registration form. The form will require CCRAs to provide information such as the companies’ name, address, executive officers, and certificate of incorporation or similar document, and require companies to disclose information concerning their past conduct. Additional instructions will be provided as part of the online registration process.

Thereafter, on or before July first of each year (beginning in 2019), every registered CCRA shall report to the DFS Superintendent information as may be requested by the DFS Superintendent. The DFS Superintendent also may require the filing of quarterly or other statements, which shall be in such form and contain such matters as the DFS Superintendent shall prescribe. All such information shall be deemed confidential and not subject to disclosure, unless determined otherwise by the DFS Superintendent.