Credit unions on high alert after DFS amendment proposal impacts mortgage servicers

By William J. Mellin,
President & CEO,
and Mitchell Pollack, Esq.

On June 28, the Department of Financial Services proposed a second amendment to 23 NYCRR Part 500. This new amendment affects cybersecurity requirements for financial services companies and updates the regulatory minimum standards for cybersecurity programs in an effort to reduce relevant risks and keep pace with technological advances.

As an Association that embodies state and federally chartered credit unions, we must be cognizant of the impact that state-issued regulations may have on our federally chartered partners. Although entities organized under federal law are exempt from registration requirements with DFS, this proposed amendment raises the question of whether federal credit unions must also report cybersecurity incidents to DFS.

In short, the answer is likely “yes.” Credit unions operating in New York must notify the superintendent electronically in the form set forth on the department’s website as promptly as possible, but in no event later than 72 hours from a determination that a cybersecurity event has occurred at the covered entity, its affiliates, or a third-party service provider.

A federal credit union operating in New York does not have to register with DFS, but New York Banking Law requires that any credit union that operates in New York and acts as a mortgage loan servicer in the state must notify the superintendent and comply with any regulations applicable to mortgage loan servicers. Since mortgage loan servicers will have to comply with the cybersecurity requirements, those federal credit unions that are also acting as mortgage loan servicers in New York must also comply. While the exempt entities may not have been an intended target, as written, this new regulation may ensnare them as well.

When a credit union reports a cybersecurity incident, it is required to notify the superintendent electronically by using the form posted on the DFS website. It is also required to submit a written certification by April 15 of each year confirming that the credit union has complied with all material state cybersecurity requirements. If this is not possible, credit unions must acknowledge the failure to do so, identify the extent of the noncompliance, and provide a remediation timeline. Visit the DFS Cybersecurity Resource Center for more information.

Stay tuned.

Questions related to our advocacy initiatives can be directed to the Association’s director of governmental affairs, Michael Colello, at or (800) 342-9835 ext. 8207.
