23 NYCRR 201 regulation requires New York credit reporting agencies to comply with registration, cybersecurity and anti-fraud requirements.

On June 25, 2018, the New York State Department of Financial Services (NYDFS) issued 23 NYCRR 201, requiring credit reporting agencies with operations in New York to comply with requirements that include registration, cybersecurity standards, and prohibited activities related to fraud and misconduct.1 This regulation is intended to protect personal private data of New York consumers and is a response to the major data breach of a large credit reporting agency. Similarly, NYDFS recently released regulation around cybersecurity, 23 NYCRR 500, which improves the information security posture.2  


What this Means

23 NYCRR 201 requires credit reporting agencies who reported on 1,000 or more New York consumers in the past 12 months to register annually with the NYDFS, improve cybersecurity standards, and comply with rules related to fraud and misconduct.3 These agencies must register with the superintendent by September 1, 2018 and renew by February 1 of each year.4

Without registration, no individual or organization is authorized to assemble, evaluate, or maintain a consumer credit report on any New York (NY) consumer.5

Credit reporting agencies must report annually on or before July, starting in July 2019, to the superintendent with information that the superintendent requests.6 Moreover, the regulation gives the superintendent greater power over credit reporting agencies. The superintendent is authorized (1) to prescribe frequency and format of attestation reporting, (2) to inquire about credit reporting (to which credit reporting agencies must provide a written response), (3) to disclose the confidential information shared by credit reporting agencies if it is deemed necessary to carry out the superintendent’s powers and duties, and (4) to revoke or suspend registration for a period of time due to violations.7 23 NYCRR 201 also prohibits credit reporting agencies from engaging in deceptive or fraudulent behavior, reporting inaccuracies related to New Yorkers, not communicating with authorized representatives of NY consumers, and providing inaccurate or omitting information to government agencies.8

The regulation further adds that the Superintendent’s authority in 23 NYCRR 201 will be preserved. This prevents financial services regulation or other regulators from limiting the superintendent’s authority. Additionally, the regulation states if any instance of the regulation is adjudged invalid by a court, it will not invalidate the rest of the regulation.9

Finally, 23 NYCRR 201 requires credit reporting agencies to meet regulation outlined in 23 NYCRR 500 Cybersecurity Requirements but with an adjusted timeline.10 To improve the cybersecurity posture of credit reporting agencies, these institutions will be required to comply with 23 NYCRR 500.  

Upcoming 23 NYCRR 500 requirements for applicable credit reporting agencies include the following by the specified deadlines: 

By November 1, 2018: 11

  • Establish a cybersecurity program 
  • Implement and maintain written cybersecurity policy with annual approval 
  • Designate a Chief Information Security Officer (CISO) to oversee and implement the cybersecurity program 
  • Limit user access privileges to non-public information with periodic reviews 
  • Engage qualified cybersecurity personnel and provide them sufficient training 
  • Establish a written incident response plan 
  • Build capability to notify the superintendent of material cybersecurity event within 72 hours 

 By February 28, 2019: 12

  • Appoint CISO 
  • Deliver a written report on their cybersecurity program and material cybersecurity risks to the Board of Directors, or equivalent if none exists, at least annually
  • Perform annual penetration testing and bi-annual vulnerability assessments of information systems 
  • Conduct periodic risk assessments of their information systems 
  • Implement multi-factor authentication or equivalent control to prevent unauthorized access 
  • Conduct cybersecurity awareness training for all personnel 

By August 31, 2019: 13

  • Build capability to reconstruct material financial transactions and maintain those records from at least five years ago 
  • Maintain records of audit trails from at least three years 
  • Create and implement policies, procedures, and controls for secure application development 
  • Create and implement policies and procedures for secure disposal of nonpublic information on a periodic basis 
  • Create and implement policies, procedures, and controls to monitor access and activity of non-public information
  • Implement encryption and compensating controls to protect non-public information 

By December 31, 2019: 14

  • Create and implement written policies and procedures, to secure non-public information and information systems accessed by Third Party Service Providers, to address risk assessments of Third Party Service Providers, minimum cybersecurity standards for these third parties and due diligence of compliance to the standards, and periodic risk assessment of the third parties 

Key Observations and Take-aways 

The 23 NYCRR 201 is a targeted regulation aimed at credit reporting agencies for the purpose of mitigating the risk of a data breach from a cybersecurity incident and of the improper use of New York consumer information. The regulation requires the rating agencies to register and comply with increased information security requirements.  

This is the second cybersecurity regulation published by NYDFS in the past 2 years, a trend among state regulators to respond to the growing cybersecurity threat. Governor of New York Andrew Cuomo states “As the federal government weakens consumer protections, New York is strengthening them with these new standards.”15  In addition to New York, other states, Alabama, California, Georgia, Maine, Massachusetts, North Carolina and Texas, imposed rules specifically for a large credit reporting agency in response to a significant data breach.16  The sentiment of greater state regulation was echoed by Maria T. Vullo, Superintendent of Financial Services, New York Department of Financial Services; “In an era of weakened federal government oversight, strong state regulation is essential in order to safeguard our markets, ensure strong consumer protections and hold regulated entities accountable.”17


  1. “Governor Cuomo Announces Action to Protect New Yorkers’ Private Information Held by Credit Reporting Companies,” New York State Department of Financial Services, Press Release, June 25, 2018. Access at:  https://www.dfs.ny.gov/about/press/pr1806251.htm.  
  2. New York Proposes Cybersecurity Regulations for Banks, The Wall Street Journal, September 13, 2016. Access at: https://www.wsj.com/articles/new-york-proposes-cybersecurity-regulations-for-banks-1473792867. 
  3. “Registration Requirements & Prohibited Practices for Credit Reporting Agencies,” New York State Department of Financial Services – 23 NYCRR 201. Access at:  https://www.dfs.ny.gov/legal/regulations/adoptions/dfsrf201txt.pdf. 
  4. “New York Issues Cybersecurity Regulation for Credit Reporting Agencies,” ACA International, June 28, 2018. Access at: https://www.acainternational.org/news/new-york-issues-cybersecurity-regulation-for-credit-reporting-agencies. 
  5. “Registration Requirements & Prohibited Practices for Credit Reporting Agencies,” New York State Department of Financial Services 23 – NYCRR 201. Access at:  https://www.dfs.ny.gov/legal/regulations/adoptions/dfsrf201txt.pdf. 
  6. Ibid
  7. Ibid 
  8. Ibid 
  9. Ibid  
  10. “Cybersecurity Requirements for Financial Services Companies,” New York State Department of Financial Services – 23 NYCRR 500. Access at:  https://www.dfs.ny.gov/legal/regulations/adoptions/dfsrf500txt.pdf.
  11. “Registration Requirements & Prohibited Practices for Credit Reporting Agencies,” New York State Department of Financial Services 23 NYCRR 201. Access at:  https://www.dfs.ny.gov/legal/regulations/adoptions/dfsrf201txt.pdf.   
  12. Ibid 
  13. Ibid 
  14. Ibid 
  15. “Governor Cuomo Announces Action to Protect New Yorkers’ Private Information Held by Credit Reporting Companies,” New York State Department of Financial Services, Press Release, June 25, 2018. Access at:  https://www.dfs.ny.gov/about/press/pr1806251.htm.
  16. “8 States Impose New Rules on Equifax After Data Breach,” The New York Times, June 27, 2018. Access at: https://www.nytimes.com/2018/06/27/business/equifax-data-security.html 
  17. Ibid 

Newsletter Author: Venetia WooTrish MarshAnwar Ali 

Newsletter Contact Person: Venetia Woo 

Visit www.accenture.com/RegulatoryCompliance for latest insights on regulatory remediation and compliance transformation.


This blog is intended for general informational purposes only, does not take into account the reader’s specific circumstances, may not reflect the most current developments, and is not intended to provide advice on specific circumstances. Accenture disclaims, to the fullest extent permitted by applicable law, all liability for the accuracy and completeness of the information in this blog and for any acts or omissions made based on such information. Accenture does not provide legal, regulatory, audit or tax advice. Readers are responsible for obtaining such advice from their own legal counsel or other licensed professional. 

About Accenture 

Accenture is a leading global professional services company, providing a broad range of services and solutions in strategy, consulting, digital, technology and operations. Combining unmatched experience and specialized skills across more than 40 industries and all business functions—underpinned by the world’s largest delivery network—Accenture works at the intersection of business and technology to help clients improve their performance and create sustainable value for their stakeholders. With more than 442,000 people serving clients in more than 120 countries, Accenture drives innovation to improve the way the world works and lives. Its home page is www.accenture.com 

Copyright © 2018 Accenture. All rights reserved. 

Accenture, its logo, and High Performance Delivered are trademarks of Accenture. This document is produced by Accenture as general information on the subject. It is not intended to provide advice on your specific circumstances.

If you require advice or further details on any matters referred to, please contact your Accenture representative. 

Submit a Comment

Your email address will not be published. Required fields are marked *