Press Release

August 22, 2018

Contact: Richard Loconte, 212-709-1691


Online Registration Allows Credit Reporting Agencies to Comply with Final DFS Regulation Protecting Consumers from the Threat of Data Breaches

Credit Reporting Agencies Must Register with DFS by September 15, 2018

Financial Services Superintendent Maria T. Vullo today announced that the Department of Financial Services has launched an online registration form for credit reporting agencies to comply with the final DFS regulation requiring credit reporting agencies with significant New York operations to register with DFS by September 15, 2018.  DFS issued the final regulation in June 2018 to protect New Yorkers’ private information from the threat of data breaches such as the Equifax breach that exposed the personal private data of millions of Americans.

“In the face of lax federal government oversight, New York has led the nation in protecting consumers and safeguarding the financial services industry from the threat of data breaches and other cyber-attacks,” said Superintendent Vullo. “This online registration process is an important step as DFS continues to take steps to promote strong, modern state regulation and to ensure that the sensitive data of consumers remains safe.”

Under the new regulation, all consumer credit reporting agencies that reported on 1,000 or more New York consumers in the preceding year must register annually with DFS beginning on or before September 15, 2018, and by February 1 of each successive year for the calendar year thereafter. The registration form requires credit reporting agencies to provide information about their business practices and must identify an agency's officers and directors who will be responsible for compliance with the financial services, banking, and insurance laws and regulations.  The regulation also prohibits credit reporting agencies from engaging in harmful conduct, subjects agencies to examination by DFS, and requires agencies to make annual reports to DFS.

In addition, under the DFS final regulation, every credit reporting agency must comply with DFS’s cybersecurity regulation, beginning on November 1, 2018, according to the time table included in the final regulation. DFS's cybersecurity regulation requires financial services companies regulated by DFS to have a cybersecurity program designed to protect consumers' private data; a written policy or policies that are approved by the board or a senior officer; a Chief Information Security Officer to help protect data and systems; and controls and plans in place to help ensure the safety and soundness of New York's financial services industry. DFS's cybersecurity regulation also requires the protection of data from third-party vendors and the filing with DFS of an annual certification of compliance.

Additional information about the registration process and the registration form can be found here.