New York State’s Department of Financial Services (DFS) recently unveiled two new divisions with broad enforcement authority focused on consumer protection, financial enforcement, and cybersecurity. Financial service providers should take note as New York and other states continue to shore up their enforcement capabilities.
Consumer Protection and Financial Enforcement
The highly touted Consumer Protection and Financial Enforcement (CPFE) division of the DFS was launched on April 29, 2019. The CPFE’s debut marks the latest DFS action to solidify the department’s position as “a leader in financial services regulation.”
Heralded by Superintendent Linda Lacewell as a “powerhouse,” the CPFE is tasked with broad responsibility, specifically: (1) protecting and educating consumers; (2) combating consumer fraud; (3) ensuring that DFS-regulated entities serve the public in compliance with state and federal law; (4) developing investigative leads and intelligence in the banking, insurance, and financial services arenas, with a particular focus on cybersecurity events; and (5) developing and directing supervisory, regulatory, and enforcement policy regarding financial crimes.
The department created its new mega group by merging its enforcement operation with the division that conducts DFS’s civil and criminal investigations (formerly known as the Financial Frauds and Consumer Protection, or FFCP). The CPFE’s creation follows DFS’s pronouncement last year that it was prepared to step in to “fill voids” in areas where consumer and market protections are rolled back at the federal level. The announcement also follows the news that the Consumer Finance Protection Bureau (CFPB) will adjust its focus from enforcement to “preventing harm.” The CFPB’s shift in approach was announced by Kathleen L. Kraninger during her first policy address as the CFPB’s new director on April 17, 2019. Director Kraninger expressed the “hope that our emphasis on prevention will mean that we need our enforcement tool less often.”
The CPFE division will be headed by Katherine A. Lemire, who is expected to draw on her decade of prosecutorial experience at the federal (Assistant U.S. Attorney in the Southern District of New York) and state (Assistant District Attorney in the New York County District Attorney’s Office) levels. During her time in the Manhattan U.S. Attorney’s office, Ms. Lemire’s work included the prosecution of disgraced political donor Norman Hsu—sentenced to over 24 years in prison—and the corruption conviction of City Council Member Miguel Martinez. Referred to by the NY Daily News as a “legal Howitzer,” Ms. Lemire also served as special counsel to Raymond Kelly, former commissioner of the New York Police Department.
Upon entering the private sector, Ms. Lemire founded an international compliance and investigative services firm. As part of a 2017 roundtable discussion on “How to Conduct Internal Investigations Efficiently and Effectively,” the new CPFE head shared the following insights on effectively working with government investigators to “narrow the scope” of subpoena requests in order to minimize client costs and business disruption:
Remember that prosecutors are people too . . . they can be reasonable. If confronted with a very broad subpoena seeking, for example, a large swath of documents over the course of years, it may make sense to call the prosecutor and find out whether you may narrow the scope of responsive documents. Often, prosecutors will provide specifics regarding the target of the investigation, and work with you to produce documents in a time-efficient manner. Prosecutors typically have investigative priorities, and if you can provide a proposed schedule for document/materials production, they will often work with you so that they can get what they need the most in a rapid fashion. Relatedly, you may be able to spare yourself producing materials that are not within the actual scope of materials needed. While they are the “expert” in the investigation, you are the “expert” in your business—prosecutors may be asking for materials they do not actually need, and with some education from you, you may be able to narrow the scope of the investigation.
The unveiling of its new “mini CFPB” marks yet another recent DFS milestone, highlights of which include over $3billion in fines imposed as a result of investigations into foreign exchange trade rigging and the issuance of “whistleblower” guidance to all DFS-regulated entities. The whistleblower guidance is especially significant in light of the department’s position that “a robust whistleblowing program is an essential element of a comprehensive compliance program for regulated financial service companies.” In addition, although not intended to provide a “one size fits all” model, the guidance sets forth 10 “important principles and practices” of an “effective whistleblowing program”:
- Whistleblower reporting channels that are independent, well-publicized, easy to access, and consistent;
- Strong protections to guard whistleblower anonymity;
- Procedures to identify and manage potential conflicts of interest;
- Adequate staff training on how to receive and act upon whistleblower complaints, as well as manage investigations, referrals, and escalations;
- Procedures to investigate allegations of wrongdoing;
- Procedures to ensure valid complaints are followed-up appropriately;
- Protections against whistleblower retaliation;
- Confidential process;
- Appropriate internal and external oversight of the whistleblowing function;
- Culture of top-down support for the whistleblowing function.
On May 22, 2019, the department launched a new Cybersecurity division, advertised as the “first of its kind at a banking or insurance regulator,” which will focus on “protecting consumers and industries from cyber threats.” The emergence of DFS’s new Cybersecurity division follows the department’s signature enactment, its 2018 cybersecurity law (23 NYCRR 500) upon which the Federal Trade Commission has “primarily based” its latest proposed information security program requirements. See 16 C.F.R. pt. 314: Standards for Safeguarding Customer Information; Request for Public Comment. The new division’s emergence “builds upon DFS’ nation-leading efforts to protect consumers and financial markers from cyberattacks” and also follows the March 1, 2019 deadline by which all DFS-regulated institutions were required to submit comprehensive risk-based cybersecurity programs for protecting consumers’ private data.
Justin Herring will head the new Cybersecurity division, joining DFS from the New Jersey U.S. Attorney’s Office, where he served as chief of the Cyber Crimes Unit and also worked as a member of the U.S. Attorney’s Economic Crimes Unit. The DFS signaled its intention to continue its efforts to combat cyber crime by “hiring additional experts as necessary,” in addition to utilizing and developing its personnel’s existing subject-matter expertise.
According to the DFS announcement, the role of the new cybersecurity division will be to “enforce the Department’s cybersecurity regulations, advise on cybersecurity examinations, issue guidance on DFS’ cybersecurity regulations, and conduct cyber-related investigations in coordination with the Consumer Protection and Enforcement Division.”