Stricken language would be deleted from and underlined language would be added to present law.
Act 262 of the Regular Session
*ANS120* 02/12/2025 2:18:59 PM ANS120

State of Arkansas
95th General Assembly
A Bill
Regular Session, 2025
HOUSE BILL 1466

By: Representative Achor
By: Senator J. Boyd

For An Act To Be Entitled
AN ACT TO AMEND THE FAIR MORTGAGE LENDING ACT; AND FOR OTHER PURPOSES.

Subtitle
TO AMEND THE FAIR MORTGAGE LENDING ACT.

BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF ARKANSAS:

SECTION 1. Arkansas Code § 23-39-502 is amended to read as follows:
23-39-502. Definitions.
As used in this subchapter:
(1) "Affiliate" means a person that directly or indirectly through one (1) or more intermediaries controls, is controlled by, or is under common control with the person;
(2)(A) "Allowable assets for liquidity" means assets that may be used to satisfy liquidity requirements under this subchapter.
  (B) "Allowable assets for liquidity" includes without limitation:
    (i) Unrestricted cash and cash equivalents; and
    (ii) Unencumbered investment-grade assets held for sale or trade;
(3) "Applicant" means a person that has applied to become licensed under this subchapter as a loan officer, transitional loan officer, mortgage broker, mortgage banker, or mortgage servicer;
(4) "Authorized user" means an employee, contractor, agent, or other person that participates in a financial institution’s business operations and is authorized to access and use a financial institution’s information systems and data;
(5) "Board of directors" means a formal body that is responsible for corporate governance and compliance with this subchapter;
(2)(6) "Branch manager" means the individual who is in charge of the business operations of one (1) or more branch offices of a mortgage broker, mortgage banker, or mortgage servicer;
(3)(7) "Branch office" means a location that is separate and distinct from the licensee's principal place of business and includes any location from which business is conducted under the license or in the name of the mortgage broker, mortgage banker, or mortgage servicer:
  (A) The address of which appears on business cards, stationery, or advertising used by the licensee in connection with business conducted under this subchapter at the branch office;
  (B) At which the licensee's name, advertising, promotional materials, or signage suggests that mortgage loans are originated, solicited, accepted, negotiated, funded, or serviced or from which mortgage loan commitments or interest rate guarantee agreements are issued; or
  (C) Which, due to the actions of any employee, associate, loan officer, or transitional loan officer of the licensee, may be construed by the public as a branch office of the licensee where mortgage loans are originated, solicited, accepted, negotiated, funded, or serviced or from which mortgage loan commitments or interest rate guarantee agreements are issued;
(4)(8) "Commissioner" means the Securities Commissioner and includes the commissioner's designees;
(9) "Consumer" means an individual or that individual's legal representative who obtains or has obtained a financial product or service from a financial institution that is to be used primarily for personal, family, or household purposes;
(5)(A)(10)(A) “Control” means the power, directly or indirectly, to direct the management or policies of a company, whether through ownership of securities, by contract, or otherwise.
  (B) A person is presumed to control a company if the person:
    (i) Is a director, general partner, or executive officer of the company;
    (ii) Directly or indirectly has the right to vote twenty-five percent (25%) or more of a class of a voting security of the company or has the power to sell or direct the sale of twenty-five percent (25%) or more of a class of voting securities of the company;
    (iii) In the case of a limited liability company, is a managing member of the limited liability company; or
    (iv) In the case of a partnership, has the right to receive upon dissolution or has contributed ten percent (10%) or more of the capital of the partnership;
(6)(11) “Control affiliate” means a partnership, corporation, trust, limited liability company, or other organization that directly or indirectly controls or is controlled by the applicant;
(7)(12) “Control person” means an individual who directly or indirectly exercises control over the applicant;
(13)(A) "Corporate governance" means the structure of and how the licensee is managed.
  (B) "Corporate governance" includes the corporate rules, policies, processes, and practices used to oversee and manage a licensee;
(14)(A) "Covered institution servicer" means a nonbank mortgage servicer that:
    (i) As reported in the mortgage call report, services:
      (a) Portfolios of two thousand (2,000) or more of one (1) to four (4) unit residential mortgage loans serviced or subserviced for others, excluding whole loans owned; and
      (b) Loans being interim serviced before sale as of the most recent calendar year end; and
    (ii) Operates in two (2) or more states, districts, or territories of the United States either currently or as of the prior calendar year end.
  (B) "Covered institution servicer" does not include:
    (i) A person exempt from mortgage servicer licensing requirements under this subchapter;
    (ii) A mortgage servicer that has the status of a tax-exempt organization under 26 U.S.C. § 501(c)(3), as in effect on January 1, 2025; or
    (iii) A mortgage servicer solely owning or conducting reverse mortgage servicing, or both, or the reverse mortgage portfolio administered by a large mortgage servicer;
(15) "Customer" means a consumer who has a customer relationship with a financial institution;
(16) "Customer information" means a record containing nonpublic personal information about a customer of a financial institution, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of a financial institution or the financial institution’s affiliates;
(17) "Customer relationship" means a continuing relationship between a consumer and a financial institution under which the financial institution provides to the consumer one (1) or more financial products or services that are used primarily for personal, family, or household purposes;
(8)(18) "Employee" means an individual who is licensed with or employed by a mortgage broker, mortgage banker, or mortgage servicer, whether by employment contract, agency, or other arrangement and regardless of whether the individual is treated as an employee for purposes of compliance with the federal income tax laws;
(19) "Encryption" means the transformation of data into a form that results in a low probability of assigning meaning without the use of a protective process or key, consistent with current cryptographic standards and accompanied by appropriate safeguards for cryptographic key material;
(9)(A)(20)(A) “Exempt person” means a person not required to be licensed as a mortgage broker, mortgage banker, mortgage servicer, loan officer,
or transitional loan officer under this subchapter.
  (B) “Exempt person” includes any of the following:
    (i) An employee of a licensee whose responsibilities are limited to clerical and administrative tasks for his or her employer and who does not solicit borrowers, accept applications, or negotiate the terms of loans on behalf of the employer;
    (ii) An agency or corporate instrumentality of the federal government or any state, county, or municipal government granting mortgage loans under specific authority of the laws of any state or of the United States;
    (iii) A trust company or industrial loan company chartered under the laws of Arkansas;
    (iv) A small-business investment corporation licensed under the Small Business Investment Act of 1958, 15 U.S.C. § 661 et seq., as it existed on January 1, 2011 January 1, 2025;
    (v) A real estate investment trust as defined in 26 U.S.C. § 856, as it existed on January 1, 2011 January 1, 2025;
    (vi) A state or federally chartered bank, an operating subsidiary of a state-chartered bank regulated by the State Bank Department, a savings bank, a savings and loan association, or a credit union, the accounts of which are insured by the Federal Deposit Insurance Corporation or the National Credit Union Administration;
    (vii) An agricultural loan organization that is subject to licensing, supervision, or auditing by the United States Farm Service Agency, Commodity Credit Corporation, Rural Development Housing and Community Facilities Programs United States Department of Agriculture Rural Development, United States Farm Credit Administration, or the United States Department of Agriculture;
    (viii) A nonprofit corporation that:
      (a) Qualifies as a nonprofit entity under § 501(c)(3) of the Internal Revenue Code;
      (b) Is not primarily in the business of soliciting or brokering mortgage loans; and
      (c) Makes or services
mortgage loans to promote home ownership or home improvements for the disadvantaged;
    (ix)(a) A licensed real estate agent or broker who is performing those activities subject to the regulation of the Arkansas Real Estate Commission.
      (b) Notwithstanding subdivision (9)(B)(ix)(a) subdivision (20)(B)(ix)(a) of this section, "exempt person" does not include a real estate agent or broker who receives compensation of any kind in connection with the referral, placement, or origination of a mortgage loan;
    (x) A person who engages in seller-financed transactions or who as a seller of real property receives mortgages, deeds of trust, or other security instruments on real estate as security for a purchase money obligation if:
      (a) The person does not receive from or hold on behalf of the borrower any funds for the payment of insurance or taxes on the real property; and
      (b) The seller does not sell the liens or mortgages in the secondary market other than to affiliated or subsidiary persons;
    (xi) An individual or husband and wife married couple who provide funds for investment in loans secured by a lien on real property on his or her or their own account and who do not:
      (a) Charge a fee or cause a fee to be paid for any service other than the normal and scheduled rates for escrow, title insurance, and recording services; and
      (b) Collect funds to be used for the payment of any taxes or insurance premiums on the property securing the loans;
    (xii) An attorney licensed in Arkansas rendering legal services to his or her client, when the conduct that would subject the attorney to the jurisdiction of this subchapter is ancillary to the provision of the legal services offered;
    (xiii) A person performing any act under order of any court;
    (xiv) A person acting as a mortgage broker, mortgage banker, or mortgage servicer for any person located in Arkansas, if
the mortgage broker, mortgage banker, or mortgage servicer has no office or employee in Arkansas and the real property that is the subject of the mortgage is located outside of Arkansas;
    (xv) An officer or employee of an exempt person described in subdivisions (9)(B)(ii)-(xiv) subdivisions (20)(B)(ii)-(xiv) of this section if acting in the scope of employment for the exempt person; and
    (xvi) A manufactured or modular home retailer and its employees if:
      (a) The manufactured or modular home retailer or its employees perform only administrative or clerical tasks on behalf of a person required to be licensed under this subchapter; or
      (b) The manufactured or modular home retailer and its employees:
        (1) Do not receive compensation or financial gain for engaging in loan officer activities that exceeds the amount of compensation or financial gain that could be received in a comparable cash transaction for a manufactured home;
        (2) Disclose to the consumer in writing any corporate affiliation with a mortgage banker;
        (3) Provide referral information for at least one (1) unaffiliated creditor if the manufactured or modular home retailer has a corporate affiliation with a mortgage banker and the mortgage banker offers a recommendation; and
        (4)(A) Do not directly negotiate loan terms with the consumer or lender.
          (B) As used in subdivision (9)(B)(xvi)(b)(4)(A) subdivision (20)(B)(xvi)(b)(4)(A) of this section, “loan terms” includes rates, fees, and other costs;
(21) "External audit" means a formal report prepared by an independent certified public accountant expressing an opinion on whether financial statements are:
  (A) Presented fairly, in all material aspects, according to the applicable financial reporting framework; and
  (B) Inclusive of an evaluation of the adequacy of a company’s internal control structure;
(22) "Financial institution" means a mortgage broker, mortgage banker, or mortgage servicer licensed under this subchapter;
(23)(A) "Financial product or service" means a product or service that a financial holding company could offer by engaging in a financial activity under section 4(k) of the Bank Holding Company Act of 1956, 12 U.S.C. § 1843(k), as it existed on January 1, 2025.
  (B) "Financial product or service" includes a financial institution’s evaluation or brokerage of information that a financial institution collects in connection with a request or an application from a consumer for a financial product or service;
(24) "Information security program" means the administrative, technical, or physical safeguards a financial institution uses to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle customer information;
(25) "Information system" means a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of electronic information, including any specialized system, such as industrial controls system or a process controls system, a telephone switching and private branch exchange system, and an environmental control system, that contain customer information or that is connected to a system that
contains customer information;
(26) "Interim serviced before sale" means the activity of collecting a limited number of contractual mortgage payments immediately after origination on loans held for sale but before the loans have been sold into the secondary market;
(27) "Internal audit" means the internal activity of performing independent, objective assurance, and consulting to evaluate and improve the effectiveness of company operations, risk management, internal controls, and governance processes;
(28)(A) "Key individual" means an individual who is ultimately responsible for establishing or directing policies and procedures of a licensee.
  (B) "Key individual" includes without limitation:
    (i) An executive officer;
    (ii) A manager;
    (iii) A director;
    (iv) A trustee; or
    (v) A control person;
(10)(29) “Licensee” means a loan officer, transitional loan officer, mortgage broker, mortgage banker, or mortgage servicer that is licensed under this subchapter;
(11)(A)(30)(A) "Loan officer" means an individual other than an exempt person described in subdivision (9) subdivision (20) of this section who in exchange for compensation as an employee of or who otherwise receives compensation or remuneration from a mortgage broker or a mortgage banker:
    (i) Solicits or offers to solicit an application for a mortgage loan;
    (ii) Accepts or offers to accept an application for a mortgage loan;
    (iii) Negotiates or offers to negotiate the terms or conditions of a mortgage loan;
    (iv) Issues or offers to issue a mortgage loan commitment or interest rate guarantee agreement; or
    (v) Provides or offers to provide modification of a mortgage loan.
  (B) “Loan officer” does not include:
    (i) An individual who performs clerical or administrative tasks in the processing of a mortgage loan at the direction of and subject to the supervision and instruction of a licensed loan officer;
    (ii) An underwriter if the individual performs no activities under subdivision (11)(A) subdivision (30)(A) of this section; or
    (iii) An individual who is solely involved in extensions of credit relating to timeshare plans, as that term is defined in 11 U.S.C. § 101(53D), as it existed on January 1, 2011 January 1, 2025;
(12)(31) "Make a mortgage loan" means to close a mortgage loan, to advance funds, to offer to advance funds, or to make a commitment to advance funds to a borrower under a mortgage loan;
(13)(A)(32)(A) "Managing principal" means a person who meets the requirements of § 23-39-508 and who agrees to be primarily responsible for the operations of a licensed mortgage broker, mortgage banker, or mortgage servicer.
  (B) "Managing principal" includes a qualifying individual;
(14)(33) "Mortgage banker" means a person who engages in the business of making mortgage loans for compensation or other gain;
(15)(34) "Mortgage broker" means a person who for compensation or other gain or in the expectation of compensation or other gain and, regardless of whether the acts are done directly or indirectly, through contact by telephone, by electronic means, by mail, or in person with the borrowers or potential borrowers:
  (A) Accepts or offers to accept an application for a mortgage loan;
  (B) Solicits or offers to solicit an application for a mortgage loan;
  (C) Negotiates or offers to negotiate the terms or conditions of a mortgage loan; or
  (D) Issues or offers to issue mortgage loan commitments or interest rate guarantee agreements to borrowers;
(35) "Mortgage call report" means a quarterly or annual report of residential real estate loan origination, servicing, and financial information completed by a company licensed through the Nationwide Multistate Licensing System and Registry;
(16)(36)(A) "Mortgage loan" means a loan primarily for personal, family, or household use that is secured by a mortgage, deed of trust, reverse mortgage, or other equivalent consensual security interest encumbering:
    (A)(i) A dwelling as defined in section 1602(w) of the Truth in Lending Act, 15 U.S.C. § 1601 et seq., as it existed on January 1, 2011 January 1, 2025; or
    (B)(ii) Residential real estate upon which is constructed or intended to be constructed a dwelling.
  (B) "Mortgage loan" includes a residential mortgage loan;
(17)(A)(37)(A) “Mortgage servicer” means:
    (i) An entity performing the routine administration of a residential mortgage loan on behalf of an owner of the related mortgage under the terms of a servicing contract; or
    (ii) a A person that receives or has the right to receive from or on behalf of a borrower:
      (i)(a) Funds or credits in payment for a mortgage loan; or
      (ii)(b) The taxes or insurance associated with a mortgage loan.
  (B) In the case of a home equity conversion mortgage or a reverse mortgage, "mortgage servicer" includes a person that makes a payment to the borrower;
(38) "Mortgage servicing rights" means the contractual right to service residential mortgage loans on behalf of the owner of the associated mortgage in exchange for specified compensation according to a servicing contract;
(39) "Multifactor authentication" means authentication through verification of at least two (2) of the following types of authentication factors:
  (A) Knowledge factors, including without limitation a password;
  (B) Possession factors, including without limitation a token; or
  (C) Inherence factors, including without limitation biometric characteristics;
(40)(A) "Nonpublic personal information" means:
    (i) Personally identifiable financial information; and
    (ii) A list, description, or other grouping of consumers, and publicly available information pertaining to a consumer, that is derived using personally identifiable financial information that is not publicly available.
  (B) "Nonpublic personal information" includes without limitation a list of individuals’ names and street addresses that is derived in whole or in part using personally identifiable financial information that is not publicly available.
  (C) "Nonpublic personal information" does not include:
    (i) Publicly available information except as included on a list described in subdivision (40)(A)(ii) of this section;
    (ii) A list, description, or other grouping of consumers, and publicly available information pertaining to the list, description, or other grouping of consumers, that is derived without using personally identifiable financial information that is not publicly available; or
    (iii) A list of individuals’ names and addresses that contains only publicly available information and is not:
      (a) Derived, in whole or in part, using personally identifiable financial information that is not publicly available; and
      (b) Disclosed in a manner that indicates that any of the individuals on the list is a consumer of a financial institution;
(41)(A) "Notification event" means acquisition of unencrypted customer information without the authorization of the customer to which the information pertains.
  (B) For purposes of subdivision (41)(A) of this section:
    (i) Customer information is considered unencrypted if the encryption key was accessed by an unauthorized person; and
    (ii) Unauthorized acquisition is presumed to include unauthorized access to unencrypted customer information unless a financial institution has reliable evidence showing that there has not been, or could not reasonably have been, unauthorized acquisition of the customer information;
(42) "Operating liquidity" means the funds necessary to perform normal business operations, including payment of rent, salaries, interest expense, and other typical expenses associated with operating an entity;
(18)(43) "Operating subsidiary" means a separate corporation, limited liability company, or similar entity in which a national or state bank, savings and loan association, or credit union, the accounts of which are insured by the Federal Deposit Insurance Corporation or the National Credit Union Administration, maintains more than fifty percent (50%) voting rights, a controlling interest, or otherwise controls the subsidiary and no other party controls more than fifty percent (50%) of the voting rights or a controlling interest in the subsidiary;
(44) "Penetration testing" means a test methodology in which assessors attempt to circumvent or defeat the security features of an information system by attempting penetration of databases or controls from outside or inside a financial institution’s information system;
(19)(45) "Person" means an individual, partnership, limited liability company, limited partnership, corporation, association, or other group engaged in joint business activities, however organized;
(46)(A) "Personally identifiable financial information" means information:
    (i) A consumer provides to a financial institution to obtain a financial product or service from a financial
institution;
    (ii) About a consumer resulting from a transaction involving a financial product or service between a financial institution and a consumer; or
    (iii) A financial institution otherwise obtains about a consumer in connection with providing a financial product or service to that consumer.
  (B) "Personally identifiable financial information" includes:
    (i) Information a consumer provides to a financial institution on an application to obtain a loan, credit card, or other financial product or service;
    (ii) Account balance information, payment history, overdraft history, and credit or debit card purchase information;
    (iii) The fact that an individual is or has been a financial institution's customer or has obtained a financial product or service from a financial institution;
    (iv) Information about a financial institution’s consumer if the information is disclosed in a manner that indicates that the individual is or has been the financial institution’s consumer;
    (v) Information that a consumer provides to a financial institution or that a financial institution or a financial institution’s agent otherwise obtains in connection with collecting on or servicing a credit account;
    (vi) Information a financial institution collects through an internet cookie or an information collecting device from a computer server; and
    (vii) Information from a consumer report.
  (C) "Personally identifiable financial information" does not include:
    (i) A list of names and addresses of customers of an entity that is not a financial institution; and
    (ii) Information that does not identify a consumer, including aggregate information or blind data that does not contain personal identifiers such as account numbers, names, or addresses;
(20)(47) "Principal place of business" means a stationary construction consisting of at least one (1) enclosed room or building in which negotiations of mortgage loan transactions of others may be conducted in private or in which the primary business functions of the licensee are conducted;
(48)(A) "Publicly available information" means information that a financial institution has a reasonable basis to believe is lawfully made available to the public from:
    (i) Federal, state, or local government records;
    (ii) Widely distributed media; or
    (iii) Disclosures to the public that are required to be made by federal, state, or local law.
  (B) "Publicly available information" includes without limitation:
    (i) Information in government records, including information in government real estate records and security interest filings; and
    (ii)(a) Information from widely distributed media, including information from a telephone book, television or radio program, newspaper, or website that is available to the public on an unrestricted basis.
      (b) A website is not restricted under subdivision (48)(B)(ii)(a) of this section merely because an internet service provider or a site operator requires a fee or a password, so long as access is available to the public.
  (C) For purposes of this subdivision (48), a financial institution has a reasonable basis to believe that:
    (i) Information is lawfully made available to the public if the financial institution has taken steps to determine:
      (a) That the information is of the type that is available to the public; and
      (b) Whether an individual can direct that the information not be made available to the public and, if so, that the financial institution’s consumer has not directed that the information not be made available to the public;
    (ii) Mortgage information is lawfully made available to the public if the financial institution determines that the information is of the type included on the public record in the jurisdiction where the mortgage would be recorded; and
    (iii) An individual’s telephone number is lawfully made available to the public if the financial institution has located the telephone number in a telephone directory or the consumer has informed the financial institution that the telephone number is not unlisted;
(49) "Qualified individual" means an individual designated by a financial institution to oversee, implement, and enforce the financial institution’s information security program;
(50) "Residential mortgage loans serviced" means a specific portfolio or portfolios of residential mortgage loans for which a licensee is contractually responsible to the owner or owners of the mortgage loans for the defined servicing activities;
(21)(51) "Reverse mortgage" means a nonrecourse loan that pays a homeowner loan proceeds drawn from accumulated home equity;
(52) "Risk management assessment" means the functional evaluations performed under the risk management program and reports provided to a board of directors under a relevant governance protocol;
(53) "Risk management program" means the policies and procedures designed to identify, measure, monitor,
and mitigate risk sufficient for the level of sophistication of a covered institution servicer;
(54) "Security event" means an event resulting in unauthorized access to, or disruption or misuse of:
  (A) An information system or information stored on the information system; or
  (B) Customer information held in physical form;
(55) "Service provider" means a person or entity that receives, maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to a financial institution that is subject to this subchapter;
(56) "Servicing liquidity" means the financial resources necessary to manage liquidity risk arising from servicing functions required in acquiring and financing mortgage servicing rights, hedging costs, and margin calls associated with the mortgage servicing rights asset and financing facilities and advances or costs of advance financing for principal, interest, taxes, insurance, and any other servicing related advances;
(22)(57) "Sponsor" means a mortgage broker or mortgage banker licensed under this subchapter that has assumed the responsibility for and agrees to supervise the actions of a loan officer or transitional loan officer;
(58) "Tangible net worth" means the total equity less:
  (A) The receivables due from related entities;
  (B) Goodwill and other intangibles; and
  (C) Pledged assets;
(23)(59) "Transitional loan officer" means an individual who, in exchange for compensation as an employee of, or who otherwise receives compensation or remuneration from, a mortgage broker or a mortgage banker, is authorized to act as a loan officer subject to a transitional loan officer license;
(24)(60) "Transitional loan officer license" means a license that:
  (A) Is issued to an individual who is employed and sponsored by a mortgage banker or mortgage broker licensed under this
subchapter;
  (B) Is limited to a term of no more than one hundred twenty (120) days; and
  (C) Is not subject to reapplication, renewal, or extension by the commissioner; and
(25)(61) "Unique identifier" means a number or other identifier assigned by protocols established by the automated licensing system approved by the commissioner; and
(62) "Whole loans" mean those loans in which a mortgage and the underlying credit risk is owned and held on the balance sheet of an entity with all ownership rights.

SECTION 2. Arkansas Code § 23-39-504 is amended to read as follows:
23-39-504. Rulemaking authority Authority.
(a) The Securities Commissioner may adopt any rules that he or she deems necessary to:
  (1) Carry out the provisions of this subchapter;
  (2) Provide for the protection of the borrowing public; and
  (3) Provide any requirements necessary for the State of Arkansas to participate in a multistate automated licensing system; and
  (4) Instruct mortgage brokers, mortgage bankers, mortgage servicers, loan officers, and transitional loan officers in interpreting this subchapter.
(b) The commissioner may:
(1) If risk is determined by a formal review of a specific covered institution servicer to be extremely high, order or direct the covered institution servicer to satisfy additional conditions necessary to ensure that the covered institution servicer will continue to operate in a safe and sound manner and be able to continue to service loans in compliance with state law or rule and federal law or regulations;
(2) If risk is determined by a formal review of a specific covered institution servicer to be extremely low, provide notice that all or part of this subchapter is not applicable to the covered institution servicer; and
(3) If economic, environmental, or societal events are determined to be of severity to warrant a temporary suspension of all or certain sections of this subchapter, provide public notice of the temporary suspension.

SECTION 3. Arkansas Code § 23-39-505(f), concerning the surety bond under the Fair Mortgage Lending Act, is amended to read as follows:
(f)(1) Each mortgage broker, mortgage banker, and mortgage servicer shall post a surety bond in an amount:
(A) Based upon loan activity during the previous year;
(B) Not less than one hundred thousand dollars ($100,000); and
(C) As prescribed by rule or order of the commissioner.
(2) The surety bond shall:
(A) be Be in a form satisfactory to the commissioner; and
(B) Run to the State of Arkansas for benefit of a claimant against the licensee to secure the faithful performance of the obligations of the licensee under this subchapter.
(3)(A) A party having a claim against a licensee may bring suit directly on the surety bond of the licensee under this subsection or the commissioner may bring suit on behalf of a claimant in one (1) action or in successive actions.
(B) A consumer claim shall be given priority in recovering from the surety bond.
(C) Every bond shall provide for suit on the bond by any person who has a cause of action under this subchapter.
(4) The aggregate liability of the surety shall not exceed the principal sum of the bond.
(5) A surety bond shall cover claims for at least five (5) years after the licensee ceases to provide mortgage services in this state or longer if required by the commissioner.
(6)(A) A surety bond shall remain in effect until cancellation.
(B) The cancellation of a surety bond shall occur only after sixty (60) days' written notice to the commissioner.
(C) The cancellation of a surety bond shall not affect liability incurred or accrued during the sixty-day period under subdivision (f)(6)(B) of this section.
(7)(A) If an action is commenced on a licensee's surety bond, the commissioner may require the filing of a new surety bond.
(B) If a new surety bond is required under subdivision (f)(7)(A) of this section, the licensee shall file a replacement surety bond in the required amount specified under subdivision (f)(1)(B) of this section within thirty (30) days.
(C) Immediately upon recovery of an action on the surety bond, the licensee shall file a new surety bond.

SECTION 4. Arkansas Code § 23-39-505(g), concerning audited financial statements under the Fair Mortgage Lending Act, is amended to read as follows:
(g)(1) An applicant filing for licensure as a mortgage banker or mortgage servicer shall file with the commissioner as part of his or her application audited financial statements that reflect that the applicant has a net worth of at least twenty-five thousand dollars ($25,000) and are:.
(1) Prepared by an independent certified public accountant:
(2) Prepared according to:
(A) Generally accepted accounting principles as promulgated by the Financial Accounting Standards Board; or
(B) International financial reporting standards promulgated by the International Financial Reporting Standards Foundation and the International Accounting Standards Board;
(3) Accompanied by an opinion acceptable to the commissioner; and
(4) For purposes of complying with subdivision (g)(1) of this section, the financial statement shall be:
(A) Determined according to:
(i) Generally accepted accounting principles as promulgated by the Financial Accounting Standards Board; or
(ii) The international financial reporting standards promulgated by the International Financial Reporting Standards Foundation and the International Accounting Standards Board; and
(B) Accompanied by an opinion acceptable to the commissioner;
(C) Dated within fifteen (15) months preceding the date on which the application is filed.

SECTION 5. Arkansas Code § 23-39-505, concerning qualifications for a license under the Fair Mortgage Lending Act, is amended to add additional subsections to read as follows:
(p)(1) An applicant filing for licensure as a mortgage servicer but that does not operate as a covered institution servicer shall file with the commissioner as part of his or her application audited financial statements that reflect that the applicant has a net worth of at least one hundred thousand dollars ($100,000).
(2) For the purposes of complying with subdivision (p)(1) of this section, the financial statement shall be:
(A) Determined according to:
(i) Generally accepted accounting principles as promulgated by the Financial Accounting Standards Board; or
(ii) The international financial reporting standards promulgated by the International Financial Reporting Standards Foundation and the International Accounting Standards Board;
(B) Accompanied by an opinion acceptable to the commissioner; and
(C) Dated within fifteen (15) months preceding the date on which the application is filed.
(3)(A) An applicant applying to service Arkansas residential mortgage loans may apply to the commissioner to waive or adjust one (1) or more of the net worth requirements under subdivision (p)(1) or subdivision (p)(2) of this section.
(B)(i) In reviewing a request to waive or adjust one (1) or more of the net worth requirements under subdivision (p)(1) or subdivision (p)(2) of this section, the commissioner may consider the number and types of loans being serviced and whether the licensee has a positive net worth and adequate operating reserves.
(ii) As used in this subdivision (p)(3)(B), “operating reserves” means the funds set aside in anticipation of future payments or obligations and are included in servicing liquidity.
(q)(1) An applicant filing for licensure as a mortgage servicer that operates as a covered institution servicer shall file with the commissioner as part of his or her application proof that the applicant is in compliance with:
(A) The Federal Housing Finance Agency's Eligibility Requirements for Enterprise Single-Family Seller/Servicers for minimum capital ratio; and
(B) The net worth and servicing liquidity requirements, whether or not the mortgage servicer is approved for government-sponsored enterprise servicing.
(2) For the purposes of complying with subdivision (q)(1) of this section, the financial data shall be:
(A) Determined according to:
(i) Generally accepted accounting principles as promulgated by the Financial Accounting Standards Board; or
(ii) The international financial reporting standards promulgated by the International Financial Reporting Standards Foundation and the International Accounting Standards Board;
(B) Accompanied by an opinion acceptable to the commissioner; and
(C) Dated within fifteen (15) months preceding the date on which the application is filed.

SECTION 6. Arkansas Code § 23-39-506(f), concerning audited financial statements under the Fair Mortgage Lending Act, is amended to read as follows:
(f)(1) A mortgage banker or a mortgage servicer shall submit audited financial statements to the commissioner within ninety (90) days after the end of the mortgage banker's or mortgage servicer's fiscal year.
(2) The audited financial statements submitted to the commissioner under subdivision (f)(1) of this section shall:
(A) Reflect that the mortgage banker or mortgage servicer has a net worth of at least twenty-five thousand dollars ($25,000); and
(B) Comply with the requirements of § 23-39-505(g)(1)-(3).
(3)(A) Failure to timely submit audited financial statements to the commissioner shall result in a late fee of two hundred fifty dollars ($250).
(B) All or part of the late fee may be waived by the commissioner for good cause.

SECTION 7. Arkansas Code § 23-39-506, concerning license renewal under the Fair Mortgage Lending Act, is amended to add additional subsections to read as follows:
(g)(1) A mortgage servicer subject to § 23-39-505(p) or § 23-39-505(q) shall submit audited financial statements to the commissioner within ninety (90) days after the end of the mortgage servicer's fiscal year.
(2) The audited financial statements submitted to the commissioner under subdivision (g)(1) of this section shall reflect that the mortgage servicer has a net worth that remains in compliance with § 23-39-505(p) or § 23-39-505(q), as applicable.
(3)(A) A licensee servicing Arkansas residential mortgage loans, other than a covered institution servicer, may apply to the commissioner to waive or adjust one (1) or more of the net worth requirements.
(B) In considering a request to waive or adjust one (1) or more of the net worth requirements, the commissioner shall consider the number and types of loans being serviced and whether the licensee has a positive net worth and adequate operating reserves.
(C) For purposes of this section, “operating reserves” means the funds set aside in anticipation of future payments or obligations and are included in liquidity.
(4)(A) Failure to timely submit audited financial statements to the commissioner shall result in a late fee of two hundred fifty dollars ($250).
(B) All or part of the late fee may be waived by the commissioner for good cause.
(h) A covered institution servicer shall remain in compliance with the requirements of § 23-39-505(q) and § 23-39-519.

SECTION 8. Arkansas Code Title 23, Chapter 39, Subchapter 5, is amended to add additional sections to read as follows:
23-39-519. Prudential standards for covered institution servicers — Financial condition.
(a) A covered institution servicer shall meet or exceed the minimum financial requirements of the Federal Housing Finance Agency's Eligibility Requirements for Enterprise Single-Family Seller/Servicers in order to maintain the capital and servicing liquidity as required by this section and § 23-39-505(q).
(b) All financial data shall be determined according to generally accepted accounting principles or the international financial reporting standards promulgated by the International Financial Reporting Standards Foundation and the International Accounting Standards Board.
(c) A covered institution servicer that meets the Federal Housing Finance Agency's Eligibility Requirements for Enterprise Single-Family Seller/Servicers for capital, net worth ratio, and servicing liquidity, whether or not the servicer is approved for government-sponsored enterprises servicing, or Federal National Mortgage Association servicing, or Federal Home Loan Mortgage Corporation servicing, satisfies the requirements of subsection (a) and subsection (b) of this section.
(d)(1) A covered institution servicer shall maintain written policies and procedures implementing the capital and servicing liquidity requirements.
(2) The policies and procedures under subdivision (d)(1) of this section shall include a sustainable written methodology for satisfying the requirements of subsection (a) of this section and be available to the Securities Commissioner upon request.
(e)(1) A covered institution servicer under this subchapter shall:
(A) Maintain sufficient allowable assets for liquidity in addition to the amounts required for servicing liquidity to cover normal business operations; and
(B) Have in place sound cash management and business operating plans that match the size and sophistication of the covered institution servicer to ensure normal business operations.
(2)(A) The management or key individual of a covered institution servicer shall develop, establish, and implement plans, policies, and procedures for maintaining operating liquidity sufficient for the ongoing needs of the covered institution servicer.
(B) The plans, policies, and procedures under subdivision (e)(2)(A) of this section shall:
(i) Contain sustainable, written methodologies for maintaining sufficient operating liquidity; and
(ii) Be available to the commissioner upon request.

23-39-520. Corporate governance for covered institution servicers.
(a) A covered institution servicer shall establish and maintain a board of directors who are responsible for the oversight of the covered institution servicer.
(b) For a covered institution servicer that is not approved to service loans by a government-sponsored enterprise, the Federal National Mortgage Association and the Federal Home Loan Mortgage Corporation, or the Government National Mortgage Association, or when these federal agencies have granted approval for a board alternative, a covered institution servicer may establish a similar body constituted to exercise oversight and fulfill the board of directors’ responsibilities under subsection (c) of this section.
(c) The board of directors shall be responsible for:
(1) Establishing a written corporate governance framework, including appropriate internal controls designed to monitor corporate governance and assess compliance with the corporate governance framework, available to the Securities Commissioner upon request;
(2) Monitoring and ensuring the covered institution servicer's compliance with the corporate governance framework and this subchapter; and
(3) Accurate and timely regulatory reporting, including without limitation the requirements for filing the mortgage call report.
(d)(1) The board of directors shall establish internal audit requirements that are appropriate for the size, complexity, and risk profile of the covered institution servicer, with appropriate independence to provide a reliable evaluation of the covered institution servicer’s internal control structure, risk management, and governance.
(2) Internal audit requirements established by the board of directors and the results of internal audits shall be made available to the commissioner upon request.
(e)(1) A covered institution servicer shall receive an external audit, including audited financial statements and audit reports, conducted by an independent certified public accountant annually.
(2) The external audit required under subdivision (e)(1) of this section shall:
(A) Be available to the commissioner upon request; and
(B) Include at a minimum:
(i) Annual financial statements including a balance sheet, statement of operations income statement and cash flows, notes, and supplemental schedules, prepared according to generally accepted accounting principles;
(ii) An assessment of the internal control structure;
(iii) A computation of tangible net worth;
(iv) Validation of mortgage servicing rights valuation and reserve methodology, if applicable;
(v) Verification of adequate fidelity and errors and omissions insurance; and
(vi) Testing of controls related to risk management activities, including compliance and stress testing, if applicable.
(f)(1) A covered institution servicer shall establish a risk management program under the oversight of the board of directors that is available to the commissioner upon request that identifies, measures, monitors, and controls risk sufficient for the level of sophistication of the covered institution servicer.
(2) The risk management program required under subdivision (f)(1) of this section shall:
(A) Have appropriate processes and models in place to measure, monitor, and mitigate financial risks and changes to the risk profile of the covered institution servicer and assets being serviced; and
(B) Be scaled to the complexity of the covered institution servicer, but be sufficiently robust to manage risks in several areas, including without limitation:
(i) Credit risk, including the potential that a borrower or counterparty will fail to perform on an obligation;
(ii) Servicing liquidity risk, including the potential that the covered institution servicer will be unable to meet the covered institution servicer's obligations as the obligations come due because of an inability to liquidate assets or obtain adequate funding or that it cannot easily unwind or offset specific exposures;
(iii) Operational risk, including the risk resulting from inadequate or failed internal processes, people, and systems or from external events;
(iv) Market risk, including the risk to the covered institution servicer’s condition resulting from adverse movements in market rates or prices;
(v) Compliance risk, including the risk of regulatory sanctions, fines, penalties, or losses resulting from failure to comply with laws, rules, regulations, or other supervisory requirements applicable to a covered institution servicer;
(vi) Legal risk, including the potential that actions against the covered institution servicer that result in unenforceable contracts, lawsuits, legal sanctions, or adverse judgments can disrupt or otherwise negatively affect the operations or condition of the covered institution servicer; and
(vii) Reputation risk, including the risk to earnings and capital arising from negative publicity regarding the covered institution servicer’s business practices.
(g)(1) A covered institution servicer shall conduct a risk management assessment on an annual basis concluding with a formal report to the board of directors and be available to the commissioner upon request.
(2) Evidence of risk management activities throughout the year shall be maintained and made part of the report, including findings of issues and the response to address the findings made in the report.

23-39-521. Standards for safeguarding customer information.
(a) A financial institution shall develop, implement, and maintain a comprehensive information security program.
(b) The information security program under subsection (a) of this section shall:
(1) Be written in one (1) or more readily accessible parts; and
(2) Contain administrative, technical, and physical safeguards that are appropriate to the financial institution’s size and complexity, the nature and scope of the financial institution’s activities, and the sensitivity of any customer information at issue.
(c) The information security program shall include the information required under § 23-39-522.

23-39-522. Information security program required elements.
(a) In order for a financial institution to develop, implement, and maintain an information security program, the financial institution shall comply with this section.
(b)(1) A financial institution shall designate a qualified individual responsible for overseeing and implementing the financial institution’s information security program and enforcing an information security program.
(2)(A) The qualified individual may be employed by the financial institution, an affiliate, or a service provider.
(B) If a financial institution designates an individual employed by an affiliate or a service provider, the financial institution shall:
(i) Retain responsibility for compliance with this section;
(ii) Designate a senior member of the financial institution’s personnel to be responsible for direction and oversight of the qualified individual; and
(iii) Require the service provider or affiliate to maintain an information security program that protects the financial institution in accordance with the requirements of this section.
(c)(1) A financial institution shall base the financial institution’s information security program on a risk assessment that:
(A) Identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of the information; and
(B) Assesses the sufficiency of any safeguards in place to control these risks.
(2) The risk assessment shall be written and include:
(A) Criteria for the evaluation and categorization of identified security risks or threats the financial institution faces;
(B) Criteria for the assessment of the confidentiality, integrity, and availability of the financial institution’s information systems and customer information, including the adequacy of the existing controls in the context of the identified risks or threats the financial institution faces; and
(C) Requirements describing how identified risks will be mitigated or accepted based on the risk assessment and how the information security program will address the risks.
(3) A financial institution shall periodically perform additional risk assessments that:
(A) Reexamine the reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of the customer information; and
(B) Reassess the sufficiency of any safeguards in place to control these risks.
(d) A financial institution shall design and implement safeguards to control the risks the financial institution identifies through the risk assessment as required under subsection (c) of this section, including without limitation:
(1) Implementing and periodically reviewing access controls, including technical and, as appropriate, physical controls, to:
(A) Authenticate and permit access only to authorized users to protect against the unauthorized acquisition of customer information; and
(B) Limit authorized users’ access only to customer information that the authorized user needs to perform the authorized user’s duties and functions, or in the case of customers, to access the customer’s own customer information;
(2) Identifying and managing the data, personnel, devices, systems, and facilities that enable the financial institution to achieve business purposes according to the financial institution's relative importance to business objectives and the financial institution’s risk strategy;
(3)(A) Protecting by encryption all customer information held or transmitted by the financial institution both in transit over external networks and at rest.
(B) To the extent the financial institution determines that encryption of customer information, either in transit over external networks or at rest, is infeasible, the financial institution may instead secure the customer information using effective alternative compensating controls reviewed and approved by the financial institution’s qualified individual;
(4) Adopting secure development practices for in-house developed applications utilized by the financial institution for transmitting, accessing, or storing customer information and procedures for evaluating, assessing, or testing the security of externally developed applications the financial institution utilizes to transmit, access, or store customer information;
(5) Implementing multifactor authentication for an individual accessing an information system, unless the financial institution’s qualified individual has approved in writing the use of reasonably equivalent or more secure access controls;
(6) Developing, implementing, and maintaining procedures for the secure disposal of customer information in any format no later than two (2) years after the last date the customer information is used in connection with the provision of a financial product or service to the customer, unless the customer information is:
(A) Necessary for business operations or for other legitimate business purposes;
(B) Otherwise required to be retained by state law or rule, or federal law or regulation; or
(C) Where targeted disposal is not reasonably feasible due to the manner in which the information is maintained;
(7) Periodically reviewing the financial institution’s data retention policy to minimize the unnecessary retention of data;
(8) Adopting procedures for change management; and
(9) Implementing policies, procedures, and controls designed to monitor and log the activity of authorized users and detect unauthorized access or use of, or
tampering with, customer information by these users.
(e)(1) A financial institution shall regularly test or otherwise monitor the effectiveness of the safeguards' key controls, systems, and procedures of the safeguards' required under this section, including those to detect actual and attempted attacks on, or intrusions into, information systems.
(2)(A) For information systems, monitoring and testing shall include continuous monitoring or periodic penetration testing and vulnerability assessments.
(B) Absent effective continuous monitoring or other systems to detect, on an ongoing basis, changes in information systems that may create vulnerabilities, the financial institution shall conduct:
(i) Annual penetration testing of a financial institution’s information systems determined each given year based on relevant identified risks according to the risk assessment; and
(ii) Vulnerability assessments, including a systemic scan or review of an information system reasonably designed to identify publicly known security vulnerabilities in the financial institution’s information systems based on the risk assessment, at least every six (6) months, and whenever there are:
(a) Material changes to the financial institution’s operations or business arrangements; and
(b) Circumstances the financial institution knows or has reason to know may have a material impact on the financial institution’s information security program.
(f) A financial institution shall implement policies and procedures to ensure that personnel are able to enact the financial institution’s information security program by:
(1) Providing the financial institution’s personnel with security awareness training that is updated as necessary to reflect risks identified by the risk assessment;
(2) Utilizing qualified information security personnel employed by the financial institution or an affiliate or a service provider sufficient to manage the financial institution’s information security risks and to perform or oversee the information security program;
(3) Providing information security personnel with security updates and training sufficient to address relevant security risks; and
(4) Verifying that key information security personnel take steps to maintain current knowledge of changing information security threats and countermeasures.
(g) A financial institution shall oversee service providers by:
(1) Taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue;
(2) Requiring the financial institution’s service providers by contract to implement and maintain the safeguards referenced under subdivision (g)(1) of this section; and
(3) Periodically assessing the financial institution’s service providers based on the risk they present and the continued adequacy of their safeguards.
(h) A financial institution shall evaluate and adjust the financial institution’s information security program to reflect:
(1) The results of the testing and monitoring required by subsection (e) of this section;
(2) Any material change to the financial institution’s operations or business arrangements or other circumstances;
(3) The results of risk assessments performed under subdivision (c)(3) of this section; and
(4) Any other circumstances that the financial institution knows or has reason to know may have a material impact on the financial institution's information security program.
(i)(1) A financial institution shall establish a written incident response plan designed to promptly respond to, and recover from, any security event materially affecting the confidentiality, integrity, or availability of customer information in the financial institution’s control.
(2) The incident response plan under subdivision (i)(1) of this section shall address:
(A) The goals of the incident response plan;
(B) The internal processes for responding to a security event;
(C) The definition of clear roles, responsibilities, and levels of decision-making authority;
(D) External and internal communications and information sharing;
(E) Identification of requirements for the remediation of any identified weaknesses in information systems and associated controls;
(F) Documentation and reporting regarding security events and related incident response activities; and
(G) The evaluation and revision as necessary of the incident response plan following a security event.
(j)(1) The financial institution’s qualified individual shall report in writing at least annually, to the financial institution’s board of directors or equivalent governing body.
(2) If a board of directors or equivalent governing body does not exist, the report required under subdivision (j)(1) of this section shall be timely presented to a senior officer responsible for the financial institution’s information security program.
(3) The report required under subdivision (j)(1) of this section shall include:
(A) The overall status of the information security program and the financial institution’s compliance with this section and associated rules; and
(B) Material matters related to the information security program, addressing issues such as risk assessment, risk management and control decisions, service provider arrangements, results of testing, security events or violations and management’s responses to security events or violations, and recommendations for changes in the information security program.
(k) A financial institution shall provide notice to the Securities Commissioner about notification events according to subdivisions (l)(1) and (2) of this section.
(l)(1) Upon discovery of a notification event as described in subdivision (l)(3) of this section, if the notification event involves the information of any consumers in this state, the financial institution shall notify the commissioner as soon as possible and no later forty-five (45) days after discovery of the notification event.
(2) The notice required under subdivision (l)(1) of this section shall:
(A) Be made in a format specified by the commissioner; and
(B) Include the following information:
(i) The name and contact information of the reporting financial institution;
(ii)(a) A description of the types of information that were involved in the notification event.
(b) If the information is possible to determine under subdivision (l)(2)(B)(ii)(a) of this section, the notice required under subdivision (l)(1) of this section shall contain the date or date range of the notification event;
(iii) The number of consumers affected or potentially affected by the notification event;
(iv) A general description of the notification event; and
(v)(a) Whether a law enforcement official has provided the financial institution with a written determination that notifying the public of the notification event would impede a criminal investigation or cause damage to national security, and a means for the commissioner to contact the law enforcement official.
(b) A law enforcement official under subdivision (l)(2)(B)(v)(a) of this section may request an initial delay of up to thirty (30) days following the date when notice was provided to the commissioner.
(c) The delay under subdivision (l)(2)(B)(v)(b) of this section may be extended for an additional period of up to sixty (60) days if the law enforcement official seeks an extension in writing.
(d) An additional delay beyond the delay under subdivision (l)(2)(B)(v)(b) of this section may be permitted only if the State Securities Department determines that public disclosure of a notification event continues to impede a criminal investigation or cause damage to national security.
(3)(A) A notification event under this section shall be treated as discovered as of the first day on which the notification event is known to the financial institution.
(B) The financial institution under subdivision (l)(3)(A) of this section shall be deemed to have knowledge of a notification event if the notification event is known to a person, other than the person committing the notification event, who is the financial institution’s employee, officer, or other agent.
(m) A financial institution shall establish a written plan addressing business continuity and disaster recovery.

23-39-523. Exceptions.
This subchapter does not apply to a financial institution that maintains customer information concerning fewer than five thousand (5,000) consumers.

APPROVED: 3/12/25