Last Week, This Morning

October 27, 2025

Below you will find several key developments in the financial services industry, including related developments in information privacy and data security, from the past week. We add an "Amicus Brief(ly)"¹ comment to each item, where we briefly (see what we did there?) note for friends (and again?) of CounselorLibrary the important takeaways from the developments outlined in the email. Our legal reporters - CARLAW, HouseLaw, InstallmentLaw, PrivacyLaw, and BizFinLaw - provide more comprehensive, real-time updates of federal and state laws, regulations, litigation, and other industry items of interest. For a personal guided tour and free trial of any of these legal reporters, please contact Michael Willer at 614-855-0505 or mwiller@counselorlibrary.com.

New York DFS Issues Guidance on Managing Cybersecurity Risks Related to Third-Party Service Providers

On October 21, the New York Department of Financial Services issued guidance to financial services companies on managing cybersecurity risks related to third-party service providers in accordance with the state's cybersecurity regulation (Part 500). The DFS notes in the guidance that, during its examinations and investigations of covered entities' information security policies and procedures, it has identified weaknesses with regard to how covered entities monitor, assess, and manage third-party service provider cybersecurity risk. The DFS also notes that some covered entities outsource critical cybersecurity compliance obligations to third-party service providers without the appropriate oversight, stating that covered entities may not delegate responsibility for compliance with the cybersecurity regulation to an affiliate or a third-party service provider.

The guidance does not impose new requirements on covered entities. It clarifies requirements for managing third-party service providers under the cybersecurity regulation and recommends industry best practices to mitigate common cybersecurity risks associated with those providers. The best practices address the selection of third-party service providers and considerations when performing due diligence on those providers, contract provisions that covered entities should consider incorporating into their agreements with third-party service providers, ongoing monitoring and oversight of third-party service providers, and termination of the third-party service provider relationship.

Amicus Brief(ly): Third-party risk management remains an important element of a company's compliance management system, with or without the Consumer Financial Protection Bureau watching, because when companies integrate third-party technology and services into their operations, they add a layer of risk that they do not fully control. The New York guidance focuses on cybersecurity risks, given the increasing industry reliance on cloud-based software to function. We commend readers to the best practices described in the guidance for useful tips about effective oversight of vendors, not just to satisfy regulator expectations but to ensure a risk management program that is designed to avoid expensive compliance mistakes caused by the vendors' services.

New Jersey Adopts Rules Requiring Foreign Language Disclosures by Consumer Reporting Agencies

Effective October 20, the New Jersey Department of Law and Public Safety, Division of Consumer Affairs, adopted new rules to implement Senate Bill 3452, enacted in 2019, which regulates disclosure requirements for consumer reporting agencies. Section 56:11-34 of the New Jersey Statutes, as amended by S.B. 3452, requires consumer reporting agencies that compile and maintain files on consumers on a nationwide basis to disclose a consumer's credit file and other information upon a consumer's request in Spanish or at least the 10 languages other than English and Spanish that the director of the DCA determines are most frequently spoken as a first language by New Jersey consumers. The amendments also require these consumer reporting agencies to provide notice, in any language determined by the director, in a clear and conspicuous location on their websites, of the availability of this credit file and other information in languages other than English.

As the agency stated in its notice of the proposed rules, the U.S. District Court for the District of New Jersey issued an opinion on March 27, 2024, in Consumer Data Industry Association v. Platkin that severed the portion of the amended statute that required that the disclosure be made in at least 10 languages other than English and Spanish. After receiving comments from the CDIA and considering the federal district court's opinion, the translation requirements that New Jersey law imposes on state agencies, the languages in which federal agencies generally make significant documents available to the public, and data from the U.S. Census Bureau's American Community Survey, the DCA concluded that it is appropriate to require consumer reporting agencies to make the credit file and other information available to consumers in English, Spanish, and the six languages that are determined by the director of the DCA to be the first language of a significant number of consumers in the state based on the American Community Survey or a comparable data set. Consumer reporting agencies must check the list of languages, which must be posted on the DCA's website, at least once per calendar year and make consumer reports available in the languages included in the updated list by June 30 of the following year. Consumer reporting agencies must provide notice, in Spanish and the six other languages, in a clear and conspicuous location on their websites, of the availability of the information subject to disclosure in languages other than English. Consumer reporting agencies must also check the DCA's list of languages at least once per calendar year and update their websites to include any languages that have been added to that list by June 30 of the following year.

The new rules expire on January 16, 2026.

Amicus Brief(ly): The comments addressed in this rulemaking from the CDIA reflect the unmistakable conclusion that this translation requirement will be a burden for the nationwide consumer reporting agencies. (It does not apply unless the consumer reporting agency maintains consumer files on a nationwide basis.) But in its responses, the DCA makes clear its position that the burden is not "undue" because New Jersey law requires state agencies to translate documents into Spanish and six other languages, and the documents that a private consumer reporting agency would have to translate are of "comparable importance" to the documents that the state has to translate. The DCA also refers several times to the CDIA v. Platkin litigation on these issues, where the federal district court held that the New Jersey statutory requirement for consumer reporting agencies to provide FCRA credit file disclosures in 12 or more languages was not preempted by the FCRA (among other things). The result is a final rule that requires the translation of English-language disclosures into seven languages commonly spoken in New Jersey. While the rule is set to expire in January of 2026, we do not expect this new rule to actually expire. New Jersey has a review-and-readoption procedure for regulations that it undertakes on a seven-year basis for the chapters of its Administrative Code, and it appears that the chapter where this new rule landed is up for readoption this coming January.

Maryland OFR Issues Advisory on 2026 License and Registration Renewal Process

On October 20, the Maryland Office of Financial Regulation issued an advisory that provides information about the 2026 license and registration renewal process, which begins on November 1, 2025. Of note in the advisory, licensees must submit renewal requests by December 31, 2025, but the OFR strongly recommends that licensees submit their license renewal requests by December 17, 2025, to avoid interruption in their ability to do business in Maryland after December 31, 2025. If licensees submit their renewal requests by December 17, they can take advantage of a statutory safe harbor and can continue to do business after December 31 while they await responses to their renewal applications. Licensees that submit renewal requests between December 18 and December 31 are not covered by the safe harbor and must stop doing business in Maryland after December 31 if their renewal requests have not been approved by that date.

The advisory also reminds licensees that Maryland no longer issues paper licenses, Maryland no longer requires separate licenses for each branch office, a licensee must be in good standing with the Maryland Department of Assessments and Taxation to renew its license, and auto-renewals are available for certain Maryland license types.

Finally, the advisory provides answers to some frequently asked questions for mortgage loan originators and mortgage lenders regarding continuing education requirements.

Amicus Brief(ly): The most useful information in this guidance document from the OFR is the admonition to get those renewal applications in early to avoid having the authority to do business lapse. The next, which is at least as useful at original application as it is in a renewal, is to make sure the renewal application is complete - the state will not start to process the application if it is not complete. This is not complicated guidance, but it underscores that the OFR expects licensees to submit their applications in good order and in a timely manner if licensees want to avoid a costly disruption in their licensing status. We have time, but to avoid the automatic expiration of a license, it will be good to gather the required information and submit applications before December 17.

Nevada Adopts Rules Establishing Requirements for Mortgage Company Employees to Conduct Business at Remote Location

The Nevada Department of Business and Industry, Division of Mortgage Lending, amended its rules, effective October 16, related to requirements governing certain employees of a mortgage company who may be authorized to conduct business at a remote location. Existing Nevada law authorizes an employee of a mortgage company, including a mortgage loan originator employed by or associated with the mortgage company, to conduct the business of the mortgage company at a remote location if authorized by the mortgage company. Existing law prohibits: (1) an employee from interacting with a customer in person at the residence of the employee unless a license has been issued for that residence; and (2) the maintenance of physical records at a remote location.

Section 2 of the new rules establishes: (1) the circumstances under which a mortgage company may authorize certain employees to conduct the business of the mortgage company at a remote location; and (2) certain requirements with which the mortgage company and such employees must comply. Section 2 prohibits a mortgage company from authorizing a qualified employee designated to act on behalf of the mortgage company to conduct the business of the mortgage company at a remote location. Section 2 also prohibits a mortgage company from authorizing any other employee to conduct the business of the mortgage company at a remote location unless: (1) information systems and customer information of the mortgage company are accessed only in accordance with a comprehensive written security plan; (2) any interaction or conversation with a customer complies with all federal and state privacy and security requirements; (3) the employee is associated with a branch office of the mortgage company and designates the address of the principal office of the mortgage company or the branch office with which the employee is associated; and (4) the mortgage company supervises the employee at all times and establishes policies and procedures relating to the supervision and training of such employees.

Section 3 of the new rules requires a mortgage company that authorizes an employee to conduct the business of the mortgage company at a remote location to develop, implement, and maintain a data security program that satisfies certain requirements. Section 3 also requires a mortgage company to take certain actions in the event of a security breach.

Section 4 of the new rules requires the Commissioner of Mortgage Lending to provide written notice to a mortgage company if the commissioner determines that supervision of the remote employee by the mortgage company does not comply with certain requirements and requires the mortgage company to take certain actions in response to the commissioner's notice. Section 4 also subjects a mortgage company to certain discipline or other action by the commissioner if the company fails to take corrective action.

Amicus Brief(ly): Since the pandemic, increasing numbers of workers who can do their work remotely have chosen to do so. And those workers, in many cases, have answered return-to-office directives from their employers by looking for other opportunities. As a result, some state regulators have taken to writing regulations that allow certain work functions to happen outside of a licensed office without tripping branch office license requirements. These Nevada rules look like most of the others, requiring supervision of remote employees from the licensed office, training, policies, and procedures that specifically address remote work, protection of sensitive customer information, and more. It is a sensible reflection of the times and a welcome reprieve from a commute for employees.


¹ For the unfamiliar, an “Amicus Brief” is a legal brief submitted by an amicus curiae (friend of the court) in a case where the person or organization (the “friend”) submitting the brief is not a party to the case, but is allowed by the court to file the brief to share information or expertise that bears on the issues in the case.