Earlier this year, the South Dakota Department of Labor and Regulation’s Division of Banking (“Division”) issued notices to South Dakota licensees through the Nationwide Multistate Licensing System (“NMLS”) informing them that the Division would require each licensee to upload a current version of its Information Security Policy as part of the annual license renewal process. These notices were issued to Money Lender, Money Transmitter, Mortgage Broker, Mortgage Lender, and Non-Residential Mortgage Lender licensees and make clear that the updated version of each licensee’s Information Security Policy should cover the Federal Trade Commission’s (“FTC”) recently amended Safeguards Rule, relevant portions of which became effective on June 9, 2023. Please see our Legal Update covering the FTC Safeguards Rule for details on those updates to the Safeguards Rule.
According to the NMLS Annual Renewal Checklist Instructions (“Checklist Instructions”) for these South Dakota license types, failure to upload an updated policy will prevent renewal of the South Dakota license. Regulators have informed us that placing the license item on accounts prior to the renewal period enables South Dakota to ensure companies are amending their filing to update the record and provide an updated policy prior to renewals. All policies must be updated by November 1, 2023.
South Dakota regulators and the Checklist Instructions confirm that the Division of Banking will begin conducting cyber-security examinations using the CSBS Non-Bank Cyber Security Work Program, which we covered in a Legal Update last October, to ensure that non-bank licensees comply with the amended FTC Safeguards Rule. In the Checklist Instructions, South Dakota regulators have stated that, for consumer lender/servicer licensees, South Dakota will cite a failure to safeguard consumer information as a violation. For commercial lender/servicer licensees, if the FTC Safeguards Rule would not apply, the Checklist Instructions state that South Dakota would not cite a violation; however, the Division will recommend that the licensee implement “appropriate measures” as a best business practice. The Checklist Instructions do not include additional detail regarding what might constitute “appropriate measures” for these licensees.