The New York Department of Financial Services (DFS) issued new regulations requiring every consumer credit reporting agency that “assembles, evaluates, or maintains a consumer credit report on any consumers located in New York State register with the Superintendent of the Department of Financial Services.”
As a result of credit reporting agencies’ new status of having to register with DFS, those agencies are subject to annual reporting and enforcement by DFS.
It also deems credit reporting agencies to be covered entities under the NY DFS Cybersecurity Regulations, with transition periods for compliance—October 1, 2018, April 1, 2019, and October 1, 2019. This means that a consumer credit reporting agency is required to have policies and procedures in place to assess and respond to cyber risks, as well as certify to DFS that it has implemented a cybersecurity program just like financial institutions.