

Data disposition under cybersecurity regulations

Hot topics in auto finance: Data privacy under 23 NYCRR 500

Data privacy is an increasingly important topic among consumers and regulatory bodies alike. Many jurisdictions have passed data privacy regulations—including the New York State Department of Financial Services (NYDFS) Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500)—that affect the auto finance industry.

New York leads the way with cybersecurity mandated requirements

As data privacy breaches continue to make headlines, many regulatory bodies are implementing cybersecurity regulations. Auto finance companies are wise to consider their cybersecurity-mandated requirements and programs.

The NYDFS became one of the first regulatory bodies to introduce minimum standards to protect financial institutions' data systems, including consumers' sensitive personal information. The first compliance deadline under the NYDFS Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500) went into effect in August 2017. Meanwhile, other cybersecurity regulations must be met throughout 2018, including developing policies and procedures for the secure disposal of non-public information as part of a financial services company’s business practices.


"New York stepped into the void and took decisive action to ensure appropriate minimum standards protecting financial institutions' data systems, including consumers' sensitive personal information. These new protections, which include encryption, access controls, and audit trails, add crucial tools to the regulation's prior requirements in protecting the institutions and consumers," said [NYDFS] Superintendent Vullo. [1]

Rethink retention programs

One of the more complex parts of the regulation is Section 500.13 of 23 NYCRR 500, which requires the periodic disposal of certain non-public information (NPI) that is no longer required to be retained. Besides its impact on existing business processes, technologies, and systems, this requirement must be reconciled with other existing regulatory data retention requirements.

Many covered entities and their third-party service providers intentionally or unintentionally retain records and data well beyond required regulatory retention periods, if not indefinitely.

To date, few regulators have established mandates requiring financial institutions to limit how long they retain NPI data and records. Covered entities often align their policies with other retention practices to limit the complexity of retaining and disposing of records and data, while mitigating the risk of non-compliance with existing regulatory requirements or existing legal holds.


Making the case for disposition

For years, many firms have contemplated adopting a program of defensible disposition of records. Yet, without a regulatory mandate, the costs and challenges associated with implementing such a program were considered too high and the risk of premature deletion overrode the perceived benefits of regularly scheduled disposition. With the new 23 NYCRR 500 regulation in place, firms will need to undertake the costs and challenges—and in doing so, they are likely to realize additional benefits.

Adding to the complexity of building a defensible data collection, retention, and destruction program, many other jurisdictions are implementing similar regulations. Compliance officers must weigh the requirements of each jurisdiction separately, as data associated with different consumers or data subjects may be subject to different regulations. In particular, auto finance companies should consider the effect of the EU's General Data Protection Regulation and the California Consumer Privacy Act.


Next steps for auto finance captives

Auto finance captives may be subject to many different regulations in many different jurisdictions, including simultaneous obligations under international, US federal, and state regulatory regimes.

How do you establish a program of defensible records disposition? Focus your efforts on a plan that includes the following steps:

  • Identify and confirm disposition policy
  • Convert policy to technical specifications
  • Design a defensible disposition solution
  • Execute analytics solution
  • Implement disposition

Given the level of NPI collected—and potentially unwittingly retained—from dealers, the original equipment manufacturer parent, marketing and remarketing campaigns, as well as third parties, regulatory requirements are neither trivial nor a one-time task to complete. To address longer-term needs, auto finance companies should consider budgeting for a large-scale effort around record retention and disposition now.



[1] Rachel Witkowski, "Should NY's strict cybersecurity rule be a model for the country?", American Banker, August 17, 2018.
