Arkansas 2025 Regular Session

Arkansas House Bill HB1466 Compare Versions

11 Stricken language would be deleted from and underlined language would be added to present law.
2-Act 262 of the Regular Session
32 *ANS120* 02/12/2025 2:18:59 PM ANS120
43 State of Arkansas 1
54 95th General Assembly A Bill 2
65 Regular Session, 2025 HOUSE BILL 1466 3
76 4
87 By: Representative Achor 5
98 By: Senator J. Boyd 6
109 7
1110 For An Act To Be Entitled 8
1211 AN ACT TO AMEND THE FAIR MORTGAGE LENDING ACT; AND 9
1312 FOR OTHER PURPOSES. 10
1413 11
1514 12
1615 Subtitle 13
1716 TO AMEND THE FAIR MORTGAGE LENDING ACT. 14
1817 15
1918 BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF ARKANSAS: 16
2019 17
2120 SECTION 1. Arkansas Code § 23-39-502 is amended to read as follows: 18
2221 23-39-502. Definitions. 19
2322 As used in this subchapter: 20
2423 (1) "Affiliate" means a person that directly or indirectly 21
2524 through one (1) or more intermediaries controls, is controlled by, or is 22
2625 under common control with the person; 23
2726 (2)(A) "Allowable assets for liquidity" means assets that may be 24
2827 used to satisfy liquidity requirements under this subchapter. 25
2928 (B) "Allowable assets for liquidity" includes without 26
3029 limitation: 27
3130 (i) Unrestricted cash and cash equivalents; and 28
3231 (ii) Unencumbered investment-grade assets held for 29
3332 sale or trade; 30
3433 (3) "Applicant" means a person that has applied to become 31
3534 licensed under this subchapter as a loan officer, transitional loan officer, 32
3635 mortgage broker, mortgage banker, or mortgage servicer; 33
3736 (4) "Authorized user" means an employee, contractor, agent, or 34
3837 other person that participates in a financial institution’s business 35
3938 operations and is authorized to access and use a financial institution’s 36
4241 information systems and data; 1
4342 (5) "Board of directors" means a formal body that is responsible 2
4443 for corporate governance and compliance with this subchapter; 3
4544 (2)(6) "Branch manager" means the individual who is in charge of 4
4645 the business operations of one (1) or more branch offices of a mortgage 5
4746 broker, mortgage banker, or mortgage servicer; 6
4847 (3)(7) "Branch office" means a location that is separate and 7
4948 distinct from the licensee's principal place of business and includes any 8
5049 location from which business is conducted under the license or in the name of 9
5150 the mortgage broker, mortgage banker, or mortgage servicer: 10
5251 (A) The address of which appears on business cards, 11
5352 stationery, or advertising used by the licensee in connection with business 12
5453 conducted under this subchapter at the branch office; 13
5554 (B) At which the licensee's name, advertising, promotional 14
5655 materials, or signage suggests that mortgage loans are originated, solicited, 15
5756 accepted, negotiated, funded, or serviced or from which mortgage loan 16
5857 commitments or interest rate guarantee agreements are issued; or 17
5958 (C) Which, due to the actions of any employee, associate, 18
6059 loan officer, or transitional loan officer of the licensee, may be construed 19
6160 by the public as a branch office of the licensee where mortgage loans are 20
6261 originated, solicited, accepted, negotiated, funded, or serviced or from 21
6362 which mortgage loan commitments or interest rate guarantee agreements are 22
6463 issued; 23
6564 (4)(8) "Commissioner" means the Securities Commissioner and 24
6665 includes the commissioner's designees; 25
6766 (9) "Consumer" means an individual or that individual's legal 26
6867 representative who obtains or has obtained a financial product or service 27
6968 from a financial institution that is to be used primarily for personal, 28
7069 family, or household purposes; 29
7170 (5)(A)(10)(A) “Control” means the power, directly or indirectly, 30
7271 to direct the management or policies of a company, whether through ownership 31
7372 of securities, by contract, or otherwise. 32
7473 (B) A person is presumed to control a company if the 33
7574 person: 34
7675 (i) Is a director, general partner, or executive 35
7776 officer of the company; 36
8079 (ii) Directly or indirectly has the right to vote 1
8180 twenty-five percent (25%) or more of a class of a voting security of the 2
8281 company or has the power to sell or direct the sale of twenty-five percent 3
8382 (25%) or more of a class of voting securities of the company; 4
8483 (iii) In the case of a limited liability company, is 5
8584 a managing member of the limited liability company; or 6
8685 (iv) In the case of a partnership, has the right to 7
8786 receive upon dissolution or has contributed ten percent (10%) or more of the 8
8887 capital of the partnership; 9
8988 (6)(11) “Control affiliate” means a partnership, corporation, 10
9089 trust, limited liability company, or other organization that directly or 11
9190 indirectly controls or is controlled by the applicant; 12
9291 (7)(12) “Control person” means an individual who directly or 13
9392 indirectly exercises control over the applicant; 14
9493 (13)(A) "Corporate governance" means the structure of and how 15
9594 the licensee is managed. 16
9695 (B) "Corporate governance" includes the corporate rules, 17
9796 policies, processes, and practices used to oversee and manage a licensee; 18
9897 (14)(A) "Covered institution servicer” means a nonbank mortgage 19
9998 servicer that: 20
10099 (i) As reported in the mortgage call report, 21
101100 services: 22
102101 (a) Portfolios of two thousand (2,000) or more 23
103102 of one (1) to four (4) unit residential mortgage loans serviced or 24
104103 subserviced for others, excluding whole loans owned; and 25
105104 (b) Loans being interim serviced before sale 26
106105 as of the most recent calendar year end; and 27
107106 (ii) Operates in two (2) or more states, districts, 28
108107 or territories of the United States either currently or as of the prior 29
109108 calendar year end. 30
110109 (B) "Covered institution servicer" does not include: 31
111110 (i) A person exempt from mortgage servicer licensing 32
112111 requirements under this subchapter; 33
113112 (ii) A mortgage servicer that has the status of a 34
114113 tax-exempt organization under 26 U.S.C. § 501(c)(3), as in effect on January 35
115114 1, 2025; or 36
118117 (iii) A mortgage servicer solely owning or conducting 1
119118 reverse mortgage servicing, or both, or the reverse mortgage portfolio 2
120119 administered by a large mortgage servicer; 3
121120 (15) "Customer" means a consumer who has a customer relationship 4
122121 with a financial institution; 5
123122 (16) "Customer information" means a record containing nonpublic 6
124123 personal information about a customer of a financial institution, whether in 7
125124 paper, electronic, or other form, that is handled or maintained by or on 8
126125 behalf of a financial institution or the financial institution’s affiliates; 9
127126 (17) "Customer relationship" means a continuing relationship 10
128127 between a consumer and a financial institution under which the financial 11
129128 institution provides to the consumer one (1) or more financial products or 12
130129 services that are used primarily for personal, family, or household purposes; 13
131130 (8)(18) "Employee" means an individual who is licensed with or 14
132131 employed by a mortgage broker, mortgage banker, or mortgage servicer, whether 15
133132 by employment contract, agency, or other arrangement and regardless of 16
134133 whether the individual is treated as an employee for purposes of compliance 17
135134 with the federal income tax laws; 18
136135 (19) "Encryption" means the transformation of data into a form 19
137136 that results in a low probability of assigning meaning without the use of a 20
138137 protective process or key, consistent with current cryptographic standards 21
139138 and accompanied by appropriate safeguards for cryptographic key material; 22
140139 (9)(A)(20)(A) “Exempt person” means a person not required to be 23
141140 licensed as a mortgage broker, mortgage banker, mortgage servicer, loan 24
142141 officer, or transitional loan officer under this subchapter. 25
143142 (B) “Exempt person” includes any of the following: 26
144143 (i) An employee of a licensee whose responsibilities 27
145144 are limited to clerical and administrative tasks for his or her employer and 28
146145 who does not solicit borrowers, accept applications, or negotiate the terms 29
147146 of loans on behalf of the employer; 30
148147 (ii) An agency or corporate instrumentality of the 31
149148 federal government or any state, county, or municipal government granting 32
150149 mortgage loans under specific authority of the laws of any state or of the 33
151150 United States; 34
152151 (iii) A trust company or industrial loan company 35
153152 chartered under the laws of Arkansas; 36
156155 (iv) A small-business investment corporation licensed 1
157156 under the Small Business Investment Act of 1958, 15 U.S.C. § 661 et seq., as 2
158157 it existed on January 1, 2011 January 1, 2025; 3
159158 (v) A real estate investment trust as defined in 26 4
160159 U.S.C. § 856, as it existed on January 1, 2011 January 1, 2025; 5
161160 (vi) A state or federally chartered bank, an 6
162161 operating subsidiary of a state-chartered bank regulated by the State Bank 7
163162 Department, a savings bank, a savings and loan association, or a credit 8
164163 union, the accounts of which are insured by the Federal Deposit Insurance 9
165164 Corporation or the National Credit Union Administration; 10
166165 (vii) An agricultural loan organization that is 11
167166 subject to licensing, supervision, or auditing by the United States Farm 12
168167 Service Agency, Commodity Credit Corporation, Rural Development Housing and 13
169168 Community Facilities Programs United States Department of Agriculture Rural 14
170169 Development, United States Farm Credit Administration, or the United States 15
171170 Department of Agriculture; 16
172171 (viii) A nonprofit corporation that: 17
173172 (a) Qualifies as a nonprofit entity under § 18
174173 501(c)(3) of the Internal Revenue Code; 19
175174 (b) Is not primarily in the business of 20
176175 soliciting or brokering mortgage loans; and 21
177176 (c) Makes or services mortgage loans to 22
178177 promote home ownership or home improvements for the disadvantaged; 23
179178 (ix)(a) A licensed real estate agent or broker who 24
180179 is performing those activities subject to the regulation of the Arkansas Real 25
181180 Estate Commission. 26
182181 (b) Notwithstanding subdivision (9)(B)(ix)(a) 27
183182 subdivision (20)(B)(ix)(a) of this section, "exempt person" does not include 28
184183 a real estate agent or broker who receives compensation of any kind in 29
185184 connection with the referral, placement, or origination of a mortgage loan; 30
186185 (x) A person who engages in seller-financed 31
187186 transactions or who as a seller of real property receives mortgages, deeds of 32
188187 trust, or other security instruments on real estate as security for a 33
189188 purchase money obligation if: 34
190189 (a) The person does not receive from or hold 35
191190 on behalf of the borrower any funds for the payment of insurance or taxes on 36
194193 the real property; and 1
195194 (b) The seller does not sell the liens or 2
196195 mortgages in the secondary market other than to affiliated or subsidiary 3
197196 persons; 4
198197 (xi) An individual or husband and wife married 5
199198 couple who provide funds for investment in loans secured by a lien on real 6
200199 property on his or her or their own account and who do not: 7
201200 (a) Charge a fee or cause a fee to be paid for 8
202201 any service other than the normal and scheduled rates for escrow, title 9
203202 insurance, and recording services; and 10
204203 (b) Collect funds to be used for the payment 11
205204 of any taxes or insurance premiums on the property securing the loans; 12
206205 (xii) An attorney licensed in Arkansas rendering 13
207206 legal services to his or her client, when the conduct that would subject the 14
208207 attorney to the jurisdiction of this subchapter is ancillary to the provision 15
209208 of the legal services offered; 16
210209 (xiii) A person performing any act under order of 17
211210 any court; 18
212211 (xiv) A person acting as a mortgage broker, mortgage 19
213212 banker, or mortgage servicer for any person located in Arkansas, if the 20
214213 mortgage broker, mortgage banker, or mortgage servicer has no office or 21
215214 employee in Arkansas and the real property that is the subject of the 22
216215 mortgage is located outside of Arkansas; 23
217216 (xv) An officer or employee of an exempt person 24
218217 described in subdivisions (9)(B)(ii)-(xiv) subdivisions (20)(B)(ii)-(xiv) of 25
219218 this section if acting in the scope of employment for the exempt person; and 26
220219 (xvi) A manufactured or modular home retailer and 27
221220 its employees if: 28
222221 (a) The manufactured or modular home retailer 29
223222 or its employees perform only administrative or clerical tasks on behalf of a 30
224223 person required to be licensed under this subchapter; or 31
225224 (b) The manufactured or modular home retailer 32
226225 and its employees: 33
227226 (1) Do not receive compensation or 34
228227 financial gain for engaging in loan officer activities that exceeds the 35
229228 amount of compensation or financial gain that could be received in a 36
232231 comparable cash transaction for a manufactured home; 1
233232 (2) Disclose to the consumer in writing 2
234233 any corporate affiliation with a mortgage banker; 3
235234 (3) Provide referral information for at 4
236235 least one (1) unaffiliated creditor if the manufactured or modular home 5
237236 retailer has a corporate affiliation with a mortgage banker and the mortgage 6
238237 banker offers a recommendation; and 7
239238 (4)(A) Do not directly negotiate loan 8
240239 terms with the consumer or lender. 9
241240 (B) As used in subdivision 10
242241 (9)(B)(xvi)(b)(4)(A) subdivision (20)(B)(xvi)(b)(4)(A) of this section, “loan 11
243242 terms” includes rates, fees, and other costs; 12
244243 (21) "External audit" means a formal report prepared by an 13
245244 independent certified public accountant expressing an opinion on whether 14
246245 financial statements are: 15
247246 (A) Presented fairly, in all material aspects, according 16
248247 to the applicable financial reporting framework; and 17
249248 (B) Inclusive of an evaluation of the adequacy of a 18
250249 company’s internal control structure; 19
251250 (22) "Financial institution" means a mortgage broker, mortgage 20
252251 banker, or mortgage servicer licensed under this subchapter; 21
253252 (23)(A) "Financial product or service" means a product or 22
254253 service that a financial holding company could offer by engaging in a 23
255254 financial activity under section 4(k) of the Bank Holding Company Act of 24
256255 1956, 12 U.S.C. § 1843(k), as it existed on January 1, 2025. 25
257256 (B) "Financial product or service" includes a financial 26
258257 institution’s evaluation or brokerage of information that a financial 27
259258 institution collects in connection with a request or an application from a 28
260259 consumer for a financial product or service; 29
261260 (24) "Information security program" means the administrative, 30
262261 technical, or physical safeguards a financial institution uses to access, 31
263262 collect, distribute, process, protect, store, use, transmit, dispose of, or 32
264263 otherwise handle customer information; 33
265264 (25) "Information system" means a discrete set of electronic 34
266265 information resources organized for the collection, processing, maintenance, 35
267266 use, sharing, dissemination, or disposition of electronic information, 36
270269 including any specialized system, such as industrial controls system or a 1
271270 process controls system, a telephone switching and private branch exchange 2
272271 system, and an environmental control system, that contain customer 3
273272 information or that is connected to a system that contains customer 4
274273 information; 5
275274 (26) "Interim serviced before sale" means the activity of 6
276275 collecting a limited number of contractual mortgage payments immediately 7
277276 after origination on loans held for sale but before the loans have been sold 8
278277 into the secondary market; 9
279278 (27) "Internal audit" means the internal activity of performing 10
280279 independent, objective assurance, and consulting to evaluate and improve the 11
281280 effectiveness of company operations, risk management, internal controls, and 12
282281 governance processes; 13
283282 (28)(A) "Key individual" means an individual who is ultimately 14
284283 responsible for establishing or directing policies and procedures of a 15
285284 licensee. 16
286285 (B) "Key individual" includes without limitation: 17
287286 (i) An executive officer; 18
288287 (ii) A manager; 19
289288 (iii) A director; 20
290289 (iv) A trustee; or 21
291290 (v) A control person; 22
292291 (10)(29) “Licensee” means a loan officer, transitional loan 23
293292 officer, mortgage broker, mortgage banker, or mortgage servicer that is 24
294293 licensed under this subchapter; 25
295294 (11)(A)(30)(A) "Loan officer" means an individual other than an 26
296295 exempt person described in subdivision (9) subdivision (20) of this section 27
297296 who in exchange for compensation as an employee of or who otherwise receives 28
298297 compensation or remuneration from a mortgage broker or a mortgage banker: 29
299298 (i) Solicits or offers to solicit an application for 30
300299 a mortgage loan; 31
301300 (ii) Accepts or offers to accept an application for 32
302301 a mortgage loan; 33
303302 (iii) Negotiates or offers to negotiate the terms or 34
304303 conditions of a mortgage loan; 35
305304 (iv) Issues or offers to issue a mortgage loan 36
308307 commitment or interest rate guarantee agreement; or 1
309308 (v) Provides or offers to provide modification of a 2
310309 mortgage loan. 3
311310 (B) “Loan officer” does not include: 4
312311 (i) An individual who performs clerical or 5
313312 administrative tasks in the processing of a mortgage loan at the direction of 6
314313 and subject to the supervision and instruction of a licensed loan officer; 7
315314 (ii) An underwriter if the individual performs no 8
316315 activities under subdivision (11)(A) subdivision (30)(A) of this section; or 9
317316 (iii) An individual who is solely involved in 10
318317 extensions of credit relating to timeshare plans, as that term is defined in 11
319318 11 U.S.C. § 101(53D), as it existed on January 1, 2011 January 1, 2025; 12
320319 (12)(31) "Make a mortgage loan" means to close a mortgage loan, 13
321320 to advance funds, to offer to advance funds, or to make a commitment to 14
322321 advance funds to a borrower under a mortgage loan; 15
323322 (13)(A)(32)(A) "Managing principal" means a person who meets the 16
324323 requirements of § 23-39-508 and who agrees to be primarily responsible for 17
325324 the operations of a licensed mortgage broker, mortgage banker, or mortgage 18
326325 servicer. 19
327326 (B) "Managing principal" includes a qualifying individual; 20
328327 (14)(33) "Mortgage banker" means a person who engages in the 21
329328 business of making mortgage loans for compensation or other gain; 22
330329 (15)(34) "Mortgage broker" means a person who for compensation 23
331330 or other gain or in the expectation of compensation or other gain and, 24
332331 regardless of whether the acts are done directly or indirectly, through 25
333332 contact by telephone, by electronic means, by mail, or in person with the 26
334333 borrowers or potential borrowers: 27
335334 (A) Accepts or offers to accept an application for a 28
336335 mortgage loan; 29
337336 (B) Solicits or offers to solicit an application for a 30
338337 mortgage loan; 31
339338 (C) Negotiates or offers to negotiate the terms or 32
340339 conditions of a mortgage loan; or 33
341340 (D) Issues or offers to issue mortgage loan commitments or 34
342341 interest rate guarantee agreements to borrowers; 35
343342 (35) "Mortgage call report" means a quarterly or annual report 36
346345 of residential real estate loan origination, servicing, and financial 1
347346 information completed by a company licensed through the Nationwide Multistate 2
348347 Licensing System and Registry; 3
349348 (16)(36)(A) "Mortgage loan" means a loan primarily for personal, 4
350349 family, or household use that is secured by a mortgage, deed of trust, 5
351350 reverse mortgage, or other equivalent consensual security interest 6
352351 encumbering: 7
353352 (A)(i) A dwelling as defined in section 1602(w) of 8
354353 the Truth in Lending Act, 15 U.S.C. § 1601 et seq., as it existed on January 9
355354 1, 2011 January 1, 2025; or 10
356355 (B)(ii) Residential real estate upon which is 11
357356 constructed or intended to be constructed a dwelling . 12
358357 (B) "Mortgage loan" includes a residential mortgage loan ; 13
359358 (17)(A)(37)(A) “Mortgage servicer” means : 14
360359 (i) An entity performing the routine administration 15
361360 of a residential mortgage loan on behalf of an owner of the related mortgage 16
362361 under the terms of a servicing contract; or 17
363362 (ii) a A person that receives or has the right to 18
364363 receive from or on behalf of a borrower: 19
365364 (i)(a) Funds or credits in payment for a 20
366365 mortgage loan; or 21
367366 (ii)(b) The taxes or insurance associated with 22
368367 a mortgage loan. 23
369368 (B) In the case of a home equity conversion mortgage or a 24
370369 reverse mortgage, "mortgage servicer" includes a person that makes a payment 25
371370 to the borrower; 26
372371 (38) "Mortgage servicing rights" means the contractual right to 27
373372 service residential mortgage loans on behalf of the owner of the associated 28
374373 mortgage in exchange for specified compensation according to a servicing 29
375374 contract; 30
376375 (39) "Multifactor authentication" means authentication through 31
377376 verification of at least two (2) of the following types of authentication 32
378377 factors: 33
379378 (A) Knowledge factors, including without limitation a 34
380379 password; 35
381380 (B) Possession factors, including without limitation a 36
384383 token; or 1
385384 (C) Inherence factors, including without limitation 2
386385 biometric characteristics; 3
387386 (40)(A) "Nonpublic personal information" means: 4
388387 (i) Personally identifiable financial information; 5
389388 and 6
390389 (ii) A list, description, or other grouping of 7
391390 consumers, and publicly available information pertaining to a consumer, that 8
392391 is derived using personally identifiable financial information that is not 9
393392 publicly available. 10
394393 (B) "Nonpublic personal information" includes without 11
395394 limitation a list of individuals’ names and street addresses that is derived 12
396395 in whole or in part using personally identifiable financial information that 13
397396 is not publicly available. 14
398397 (C) "Nonpublic personal information" does not include: 15
399398 (i) Publicly available information except as 16
400399 included on a list described in subdivision (40)(A)(ii) of this section; 17
401400 (ii) A list, description, or other grouping of 18
402401 consumers, and publicly available information pertaining to the list, 19
403402 description, or other grouping of consumers, that is derived without using 20
404403 personally identifiable financial information that is not publicly available; 21
405404 or 22
406405 (iii) A list of individuals’ names and addresses 23
407406 that contains only publicly available information and is not: 24
408407 (a) Derived, in whole or in part, using 25
409408 personally identifiable financial information that is not publicly available; 26
410409 and 27
411410 (b) Disclosed in a manner that indicates that 28
412411 any of the individuals on the list is a consumer of a financial institution; 29
413412 (41)(A) "Notification event" means acquisition of unencrypted 30
414413 customer information without the authorization of the customer to which the 31
415414 information pertains. 32
416415 (B) For purposes of subdivision (41)(A) of this section: 33
417416 (i) Customer information is considered unencrypted 34
418417 if the encryption key was accessed by an unauthorized person; and 35
419418 (ii) Unauthorized acquisition is presumed to include 36
422421 unauthorized access to unencrypted customer information unless a financial 1
423422 institution has reliable evidence showing that there has not been, or could 2
424423 not reasonably have been, unauthorized acquisition of the customer 3
425424 information; 4
426425 (42) "Operating liquidity" means the funds necessary to perform 5
427426 normal business operations, including payment of rent, salaries, interest 6
428427 expense, and other typical expenses associated with operating an entity; 7
429428 (18)(43) "Operating subsidiary" means a separate corporation, 8
430429 limited liability company, or similar entity in which a national or state 9
431430 bank, savings and loan association, or credit union, the accounts of which 10
432431 are insured by the Federal Deposit Insurance Corporation or the National 11
433432 Credit Union Administration, maintains more than fifty percent (50%) voting 12
434433 rights, a controlling interest, or otherwise controls the subsidiary and no 13
435434 other party controls more than fifty percent (50%) of the voting rights or a 14
436435 controlling interest in the subsidiary; 15
437436 (44) "Penetration testing" means a test methodology in which 16
438437 assessors attempt to circumvent or defeat the security features of an 17
439438 information system by attempting penetration of databases or controls from 18
440439 outside or inside a financial institution’s information system; 19
441440 (19)(45) "Person" means an individual, partnership, limited 20
442441 liability company, limited partnership, corporation, association, or other 21
443442 group engaged in joint business activities, however organized; 22
444443 (46)(A) "Personally identifiable financial information" means 23
445444 information: 24
446445 (i) A consumer provides to a financial institution 25
447446 to obtain a financial product or service from a financial institution; 26
448447 (ii) About a consumer resulting from a transaction 27
449448 involving a financial product or service between a financial institution and 28
450449 a consumer; or 29
451450 (iii) A financial institution otherwise obtains 30
452451 about a consumer in connection with providing a financial product or service 31
453452 to that consumer. 32
454453 (B) "Personally identifiable financial information" 33
455454 includes: 34
456455 (i) Information a consumer provides to a financial 35
457456 institution on an application to obtain a loan, credit card, or other 36
460459 financial product or service; 1
461460 (ii) Account balance information, payment history, 2
462461 overdraft history, and credit or debit card purchase information; 3
463462 (iii) The fact that an individual is or has been a 4
464463 financial institution's customer or has obtained a financial product or 5
465464 service from a financial institution; 6
466465 (iv) Information about a financial institution’s 7
467466 consumer if the information is disclosed in a manner that indicates that the 8
468467 individual is or has been the financial institution’s consumer; 9
469468 (v) Information that a consumer provides to a 10
470469 financial institution or that a financial institution or a financial 11
471470 institution’s agent otherwise obtains in connection with collecting on or 12
472471 servicing a credit account; 13
473472 (vi) Information a financial institution collects 14
474473 through an internet cookie or an information collecting device from a 15
475474 computer server; and 16
476475 (vii) Information from a consumer report. 17
477476 (C) "Personally identifiable financial information" does 18
478477 not include: 19
479478 (i) A list of names and addresses of customers of an 20
480479 entity that is not a financial institution; and 21
481480 (ii) Information that does not identify a consumer, 22
482481 including aggregate information or blind data that does not contain personal 23
483482 identifiers such as account numbers, names, or addresses; 24
484483 (20)(47) "Principal place of business" means a stationary 25
485484 construction consisting of at least one (1) enclosed room or building in 26
486485 which negotiations of mortgage loan transactions of others may be conducted 27
487486 in private or in which the primary business functions of the licensee are 28
488487 conducted; 29
489488 (48)(A) "Publicly available information" means information that 30
490489 a financial institution has a reasonable basis to believe is lawfully made 31
491490 available to the public from: 32
492491 (i) Federal, state, or local government records; 33
493492 (ii) Widely distributed media; or 34
494493 (iii) Disclosures to the public that are required to 35
495494 be made by federal, state, or local law. 36
498497 (B) "Publicly available information" includes without 1
499498 limitation: 2
500499 (i) Information in government records, including 3
501500 information in government real estate records and security interest filings; 4
502501 and 5
503502 (ii)(a) Information from widely distributed media, 6
504503 including information from a telephone book, television or radio program, 7
505504 newspaper, or website that is available to the public on an unrestricted 8
506505 basis. 9
507506 (b) A website is not restricted under 10
508507 subdivision (48)(B)(ii)(a) of this section merely because an internet service 11
509508 provider or a site operator requires a fee or a password, so long as access 12
510509 is available to the public. 13
511510 (C) For purposes of this subdivision (48), a financial 14
512511 institution has a reasonable basis to believe that: 15
513512 (i) Information is lawfully made available to the 16
514513 public if the financial institution has taken steps to determine: 17
515514 (a) That the information is of the type that 18
516515 is available to the public; and 19
517516 (b) Whether an individual can direct that the 20
518517 information not be made available to the public and, if so, that the 21
519518 financial institution’s consumer has not directed that the information not be 22
520519 made available to the public; 23
521520 (ii) Mortgage information is lawfully made available 24
522521 to the public if the financial institution determines that the information is 25
523522 of the type included on the public record in the jurisdiction where the 26
524523 mortgage would be recorded; and 27
525524 (iii) An individual’s telephone number is lawfully 28
526525 made available to the public if the financial institution has located the 29
527526 telephone number in a telephone directory or the consumer has informed the 30
528527 financial institution that the telephone number is not unlisted; 31
529528 (49) "Qualified individual" means an individual designated by a 32
530529 financial institution to oversee, implement, and enforce the financial 33
531530 institution’s information security program; 34
532531 (50) "Residential mortgage loans serviced" means a specific 35
533532 portfolio or portfolios of residential mortgage loans for which a licensee is 36
536535 contractually responsible to the owner or owners of the mortgage loans for 1
537536 the defined servicing activities; 2
538537 (21)(51) "Reverse mortgage" means a nonrecourse loan that pays a 3
539538 homeowner loan proceeds drawn from accumulated home equity; 4
540539 (52) "Risk management assessment" means the functional 5
541540 evaluations performed under the risk management program and reports provided 6
542541 to a board of directors under a relevant governance protocol; 7
543542 (53) "Risk management program" means the policies and procedures 8
544543 designed to identify, measure, monitor, and mitigate risk sufficient for the 9
545544 level of sophistication of a covered institution servicer; 10
546545 (54) "Security event" means an event resulting in unauthorized 11
547546 access to, or disruption or misuse of: 12
548547 (A) An information system or information stored on the 13
549548 information system; or 14
550549 (B) Customer information held in physical form; 15
551550 (55) "Service provider" means a person or entity that receives, 16
552551 maintains, processes, or otherwise is permitted access to customer 17
553552 information through its provision of services directly to a financial 18
554553 institution that is subject to this subchapter; 19
555554 (56) "Servicing liquidity" means the financial resources 20
556555 necessary to manage liquidity risk arising from servicing functions required 21
557556 in acquiring and financing mortgage servicing rights, hedging costs, and 22
558557 margin calls associated with the mortgage servicing rights asset and 23
559558 financing facilities and advances or costs of advance financing for 24
560559 principal, interest, taxes, insurance, and any other servicing related 25
561560 advances; 26
562561 (22)(57) "Sponsor" means a mortgage broker or mortgage banker 27
563562 licensed under this subchapter that has assumed the responsibility for and 28
564563 agrees to supervise the actions of a loan officer or transitional loan 29
565564 officer; 30
566565 (58) "Tangible net worth" means the total equity less: 31
567566 (A) The receivables due from related entities; 32
568567 (B) Goodwill and other intangibles; and 33
569568 (C) Pledged assets; 34
570569 (23)(59) "Transitional loan officer" means an individual who, in 35
571570 exchange for compensation as an employee of, or who otherwise receives 36
574573 compensation or remuneration from, a mortgage broker or a mortgage banker, is 1
575574 authorized to act as a loan officer subject to a transitional loan officer 2
576575 license; 3
577576 (24)(60) "Transitional loan officer license" means a license 4
578577 that: 5
579578 (A) Is issued to an individual who is employed and 6
580579 sponsored by a mortgage banker or mortgage broker licensed under this 7
581580 subchapter; 8
582581 (B) Is limited to a term of no more than one hundred 9
583582 twenty (120) days; and 10
584583 (C) Is not subject to reapplication, renewal, or extension 11
585584 by the commissioner; and 12
586585 (25)(61) "Unique identifier" means a number or other identifier 13
587586 assigned by protocols established by the automated licensing system approved 14
588587 by the commissioner; and 15
589588 (62) "Whole loans" mean those loans in which a mortgage and the 16
590589 underlying credit risk is owned and held on the balance sheet of an entity 17
591590 with all ownership rights . 18
592591 19
593592 SECTION 2. Arkansas Code § 23-39-504 is amended to read as follows: 20
594593 23-39-504. Rulemaking authority Authority. 21
595594 (a) The Securities Commissioner may adopt any rules that he or she 22
596595 deems necessary to: 23
597596 (1) Carry out the provisions of this subchapter; 24
598597 (2) Provide for the protection of the borrowing public; and 25
599598 (3) Provide any requirements necessary for the State of Arkansas 26
600599 to participate in a multistate automated licensing system; and 27
601600 (4) Instruct mortgage brokers, mortgage bankers, mortgage 28
602601 servicers, loan officers, and transitional loan officers in interpreting this 29
603602 subchapter. 30
604603 (b) The commissioner may: 31
605604 (1) If risk is determined by a formal review of a specific 32
606605 covered institution servicer to be extremely high, order or direct the 33
607606 covered institution servicer to satisfy additional conditions necessary to 34
608607 ensure that the covered institution servicer will continue to operate in a 35
609608 safe and sound manner and be able to continue to service loans in compliance 36
612611 with state law or rule and federal law or regulations; 1
613612 (2) If risk is determined by a formal review of a specific 2
614613 covered institution servicer to be extremely low, provide notice that all or 3
615614 part of this subchapter is not applicable to the covered institution 4
616615 servicer; and 5
617616 (3) If economic, environmental, or societal events are 6
618617 determined to be of severity to warrant a temporary suspension of all or 7
619618 certain sections of this subchapter, provide public notice of the temporary 8
620619 suspension. 9
621620 10
622621 SECTION 3. Arkansas Code § 23-39-505(f), concerning the surety bond 11
623622 under the Fair Mortgage Lending Act, is amended to read as follows: 12
624623 (f)(1) Each mortgage broker, mortgage banker, and mortgage servicer 13
625624 shall post a surety bond in an amount: 14
626625 (A) Based upon loan activity during the previous year; 15
627626 (B) Not less than one hundred thousand dollars ($100,000); 16
628627 and 17
629628 (C) As prescribed by rule or order of the commissioner. 18
630629 (2) The surety bond shall : 19
631630 (A) be Be in a form satisfactory to the commissioner ; and 20
632631 (B) Run to the State of Arkansas for benefit of a claimant 21
633632 against the licensee to secure the faithful performance of the obligations of 22
634633 the licensee under this subchapter . 23
635634 (3)(A) A party having a claim against a licensee may bring suit 24
636635 directly on the surety bond of the licensee under this subsection or the 25
637636 commissioner may bring suit on behalf of a claimant in one (1) action or in 26
638637 successive actions. 27
639638 (B) A consumer claim shall be given priority in recovering 28
640639 from the surety bond. 29
641640 (C) Every bond shall provide for suit on the bond by any 30
642641 person who has a cause of action under this subchapter. 31
643642 (4) The aggregate liability of the surety shall not exceed the 32
644643 principal sum of the bond. 33
645644 (5) A surety bond shall cover claims for at least five (5) years 34
646645 after the licensee ceases to provide mortgage services in this state or 35
647646 longer if required by the commissioner. 36
650649 (6)(A) A surety bond shall remain in effect until cancellation. 1
651650 (B) The cancellation of a surety bond shall occur only 2
652651 after sixty (60) days' written notice to the commissioner. 3
653652 (C) The cancellation of a surety bond shall not affect 4
654653 liability incurred or accrued during the sixty-day period under subdivision 5
655654 (f)(6)(B) of this section. 6
656655 (7)(A) If an action is commenced on a licensee's surety bond, 7
657656 the commissioner may require the filing of a new surety bond. 8
658657 (B) If a new surety bond is required under subdivision 9
659658 (f)(7)(A) of this section, the licensee shall file a replacement surety bond 10
660659 in the required amount specified under subdivision (f)(1)(B) of this section 11
661660 within thirty (30) days. 12
662661 (C) Immediately upon recovery of an action on the surety 13
663662 bond, the licensee shall file a new surety bond. 14
664663 15
665664 SECTION 4. Arkansas Code § 23-39-505(g), concerning audited financial 16
666665 statements under the Fair Mortgage Lending Act, is amended to read as 17
667666 follows: 18
668667 (g)(1) An applicant filing for licensure as a mortgage banker or 19
669668 mortgage servicer shall file with the commissioner as part of his or her 20
670669 application audited financial statements that reflect that the applicant has 21
671670 a net worth of at least twenty-five thousand dollars ($25,000) and are:. 22
672671 (1) Prepared by an independent certified public accountant: 23
673672 (2) Prepared according to: 24
674673 (A) Generally accepted accounting principles as 25
675674 promulgated by the Financial Accounting Standards Board; or 26
676675 (B) International financial reporting standards 27
677676 promulgated by the International Financial Reporting Standards Foundation and 28
678677 the International Accounting Standards Board; 29
679678 (3) Accompanied by an opinion acceptable to the commissioner; 30
680679 and 31
681680 (4) For purposes of complying with subdivision (g)(1) of this 32
682681 section, the financial statement shall be: 33
683682 (A) Determined according to: 34
684683 (i) Generally accepted accounting principles as 35
685684 promulgated by the Financial Accounting Standards Board; or 36
688687 (ii) The international financial reporting standards 1
689688 promulgated by the International Financial Reporting Standards Foundation and 2
690689 the International Accounting Standards Board; and 3
691690 (B) Accompanied by an opinion acceptable to the 4
692691 commissioner; 5
693692 (C) Dated within fifteen (15) months preceding the date on 6
694693 which the application is filed. 7
695694 8
696695 SECTION 5. Arkansas Code § 23-39-505, concerning qualifications for a 9
697696 license under the Fair Mortgage Lending Act, is amended to add additional 10
698697 subsections to read as follows: 11
699698 (p)(1) An applicant filing for licensure as a mortgage servicer but 12
700699 that does not operate as a covered institution servicer shall file with the 13
701700 commissioner as part of his or her application audited financial statements 14
702701 that reflect that the applicant has a net worth of at least one hundred 15
703702 thousand dollars ($100,000). 16
704703 (2) For the purposes of complying with subdivision (p)(1) of 17
705704 this section, the financial statement shall be: 18
706705 (A) Determined according to: 19
707706 (i) Generally accepted accounting principles as 20
708707 promulgated by the Financial Accounting Standards Board; or 21
709708 (ii) The international financial reporting standards 22
710709 promulgated by the International Financial Reporting Standards Foundation and 23
711710 the International Accounting Standards Board; 24
712711 (B) Accompanied by an opinion acceptable to the 25
713712 commissioner; and 26
714713 (C) Dated within fifteen (15) months preceding the date on 27
715714 which the application is filed. 28
716715 (3)(A) An applicant applying to service Arkansas residential 29
717716 mortgage loans may apply to the commissioner to waive or adjust one (1) or 30
718717 more of the net worth requirements under subdivision (p)(1) or subdivision 31
719718 (p)(2) of this section. 32
720719 (B)(i) In reviewing a request to waive or adjust one (1) 33
721720 or more of the net worth requirements under subdivision (p)(1) or subdivision 34
722721 (p)(2) of this section, the commissioner may consider the number and types of 35
723722 loans being serviced and whether the licensee has a positive net worth and 36
726725 adequate operating reserves. 1
727726 (ii) As used in this subdivision (p)(3)(B), 2
728727 “operating reserves” means the funds set aside in anticipation of future 3
729728 payments or obligations and are included in servicing liquidity. 4
730729 (q)(1) An applicant filing for licensure as a mortgage servicer that 5
731730 operates as a covered institution servicer shall file with the commissioner 6
732731 as part of his or her application proof that the applicant is in compliance 7
733732 with: 8
734733 (A) The Federal Housing Finance Agency's Eligibility 9
735734 Requirements for Enterprise Single-Family Seller/Servicers for minimum 10
736735 capital ratio; and 11
737736 (B) The net worth and servicing liquidity requirements, 12
738737 whether or not the mortgage servicer is approved for government-sponsored 13
739738 enterprise servicing. 14
740739 (2) For the purposes of complying with subdivision (q)(1) of 15
741740 this section, the financial data shall be: 16
742741 (A) Determined according to: 17
743742 (i) Generally accepted accounting principles as 18
744743 promulgated by the Financial Accounting Standards Board; or 19
745744 (ii) The international financial reporting standards 20
746745 promulgated by the International Financial Reporting Standards Foundation and 21
747746 the International Accounting Standards Board; 22
748747 (B) Accompanied by an opinion acceptable to the 23
749748 commissioner; and 24
750749 (C) Dated within fifteen (15) months preceding the date on 25
751750 which the application is filed. 26
752751 27
753752 SECTION 6. Arkansas Code § 23-39-506(f), concerning audited financial 28
754753 statements under the Fair Mortgage Lending Act, is amended to read as 29
755754 follows: 30
756755 (f)(1) A mortgage banker or a mortgage servicer shall submit audited 31
757756 financial statements to the commissioner within ninety (90) days after the 32
758757 end of the mortgage banker's or mortgage servicer's fiscal year. 33
759758 (2) The audited financial statements submitted to the 34
760759 commissioner under subdivision (f)(1) of this section shall: 35
761760 (A) Reflect that the mortgage banker or mortgage servicer 36
764763 has a net worth of at least twenty-five thousand dollars ($25,000); and 1
765764 (B) Comply with the requirements of § 23-39-505(g)(1)-(3). 2
766765 (3)(A) Failure to timely submit audited financial statements to 3
767766 the commissioner shall result in a late fee of two hundred fifty dollars 4
768767 ($250). 5
769768 (B) All or part of the late fee may be waived by the 6
770769 commissioner for good cause. 7
771770 8
772771 SECTION 7. Arkansas Code § 23-39-506, concerning license renewal under 9
773772 the Fair Mortgage Lending Act, is amended to add additional subsections to 10
774773 read as follows: 11
775774 (g)(1) A mortgage servicer subject to § 23-39-505(p) or § 23-39-505(q) 12
776775 shall submit audited financial statements to the commissioner within ninety 13
777776 (90) days after the end of the mortgage servicer's fiscal year. 14
778777 (2) The audited financial statements submitted to the 15
779778 commissioner under subdivision (g)(1) of this section shall reflect that the 16
780779 mortgage servicer has a net worth that remains in compliance with § 23-39- 17
781780 505(p) or § 23-39-505(q), as applicable. 18
782781 (3)(A) A licensee servicing Arkansas residential mortgage loans, 19
783782 other than a covered institution servicer, may apply to the commissioner to 20
784783 waive or adjust one (1) or more of the net worth requirements. 21
785784 (B) In considering a request to waive or adjust one (1) or 22
786785 more of the net worth requirements, the commissioner shall consider the 23
787786 number and types of loans being serviced and whether the licensee has a 24
788787 positive net worth and adequate operating reserves. 25
789788 (C) For purposes of this section, “operating reserves” 26
790789 means the funds set aside in anticipation of future payments or obligations 27
791790 and are included in liquidity. 28
792791 (4)(A) Failure to timely submit audited financial statements to 29
793792 the commissioner shall result in a late fee of two hundred fifty dollars 30
794793 ($250). 31
795794 (B) All or part of the late fee may be waived by the 32
796795 commissioner for good cause. 33
797796 (h) A covered institution servicer shall remain in compliance with the 34
798797 requirements of § 23-39-505(q) and § 23-39-519. 35
799798 36
802801 SECTION 8. Arkansas Code Title 23, Chapter 39, Subchapter 5, is 1
803802 amended to add additional sections to read as follows: 2
804803 23-39-519. Prudential standards for covered institution servicers — 3
805804 Financial condition. 4
806805 (a) A covered institution servicer shall meet or exceed the minimum 5
807806 financial requirements of the Federal Housing Finance Agency's Eligibility 6
808807 Requirements for Enterprise Single-Family Seller/Servicers in order to 7
809808 maintain the capital and servicing liquidity as required by this section and 8
810809 § 23-39-505(q). 9
811810 (b) All financial data shall be determined according to generally 10
812811 accepted accounting principles or the international financial reporting 11
813812 standards promulgated by the International Financial Reporting Standards 12
814813 Foundation and the International Accounting Standards Board. 13
815814 (c) A covered institution servicer that meets the Federal Housing 14
816815 Finance Agency's Eligibility Requirements for Enterprise Single-Family 15
817816 Seller/Servicers for capital, net worth ratio, and servicing liquidity, 16
818817 whether or not the servicer is approved for government-sponsored enterprises 17
819818 servicing, or Federal National Mortgage Association servicing, or Federal 18
820819 Home Loan Mortgage Corporation servicing, satisfies the requirements of 19
821820 subsection (a) and subsection (b) of this section. 20
822821 (d)(1) A covered institution servicer shall maintain written policies 21
823822 and procedures implementing the capital and servicing liquidity requirements. 22
824823 (2) The policies and procedures under subdivision (d)(1) of this 23
825824 section shall include a sustainable written methodology for satisfying the 24
826825 requirements of subsection (a) of this section and be available to the 25
827826 Securities Commissioner upon request. 26
828827 (e)(1) A covered institution servicer under this subchapter shall: 27
829828 (A) Maintain sufficient allowable assets for liquidity in 28
830829 addition to the amounts required for servicing liquidity to cover normal 29
831830 business operations; and 30
832831 (B) Have in place sound cash management and business 31
833832 operating plans that match the size and sophistication of the covered 32
834833 institution servicer to ensure normal business operations. 33
835834 (2)(A) The management or key individual of a covered institution 34
836835 servicer shall develop, establish, and implement plans, policies, and 35
837836 procedures for maintaining operating liquidity sufficient for the ongoing 36
840839 needs of the covered institution servicer. 1
841840 (B) The plans, policies, and procedures under subdivision 2
842841 (e)(2)(A) of this section shall: 3
843842 (i) Contain sustainable, written methodologies for 4
844843 maintaining sufficient operating liquidity; and 5
845844 (ii) Be available to the commissioner upon request. 6
846845 7
847846 23-39-520. Corporate governance for covered institution servicers. 8
848847 (a) A covered institution servicer shall establish and maintain a 9
849848 board of directors who are responsible for the oversight of the covered 10
850849 institution servicer. 11
851850 (b) For a covered institution servicer that is not approved to service 12
852851 loans by a government-sponsored enterprise, the Federal National Mortgage 13
853852 Association and the Federal Home Loan Mortgage Corporation, or the Government 14
854853 National Mortgage Association, or when these federal agencies have granted 15
855854 approval for a board alternative, a covered institution servicer may 16
856855 establish a similar body constituted to exercise oversight and fulfill the 17
857856 board of directors’ responsibilities under subsection (c) of this section. 18
858857 (c) The board of directors shall be responsible for: 19
859858 (1) Establishing a written corporate governance framework, 20
860859 including appropriate internal controls designed to monitor corporate 21
861860 governance and assess compliance with the corporate governance framework, 22
862861 available to the Securities Commissioner upon request; 23
863862 (2) Monitoring and ensuring the covered institution servicer's 24
864863 compliance with the corporate governance framework and this subchapter; and 25
865864 (3) Accurate and timely regulatory reporting, including without 26
866865 limitation the requirements for filing the mortgage call report. 27
867866 (d)(1) The board of directors shall establish internal audit 28
868867 requirements that are appropriate for the size, complexity, and risk profile 29
869868 of the covered institution servicer, with appropriate independence to provide 30
870869 a reliable evaluation of the covered institution servicer’s internal control 31
871870 structure, risk management, and governance. 32
872871 (2) Internal audit requirements established by the board of 33
873872 directors and the results of internal audits shall be made available to the 34
874873 commissioner upon request. 35
875874 (e)(1) A covered institution servicer shall receive an external audit, 36
878877 including audited financial statements and audit reports, conducted by an 1
879878 independent certified public accountant annually. 2
880879 (2) The external audit required under subdivision (e)(1) of this 3
881880 section shall: 4
882881 (A) Be available to the commissioner upon request; and 5
883882 (B) Include at a minimum: 6
884883 (i) Annual financial statements including a balance 7
885884 sheet, statement of operations income statement and cash flows, notes, and 8
886885 supplemental schedules, prepared according to generally accepted accounting 9
887886 principles; 10
888887 (ii) An assessment of the internal control 11
889888 structure; 12
890889 (iii) A computation of tangible net worth; 13
891890 (iv) Validation of mortgage servicing rights 14
892891 valuation and reserve methodology, if applicable; 15
893892 (v) Verification of adequate fidelity and errors and 16
894893 omissions insurance; and 17
895894 (vi) Testing of controls related to risk management 18
896895 activities, including compliance and stress testing, if applicable. 19
897896 (f)(1) A covered institution servicer shall establish a risk 20
898897 management program under the oversight of the board of directors that is 21
899898 available to the commissioner upon request that identifies, measures, 22
900899 monitors, and controls risk sufficient for the level of sophistication of the 23
901900 covered institution servicer. 24
902901 (2) The risk management program required under subdivision 25
903902 (f)(1) of this section shall: 26
904903 (A) Have appropriate processes and models in place to 27
905904 measure, monitor, and mitigate financial risks and changes to the risk 28
906905 profile of the covered institution servicer and assets being serviced; and 29
907906 (B) Be scaled to the complexity of the covered institution 30
908907 servicer, but be sufficiently robust to manage risks in several areas, 31
909908 including without limitation: 32
910909 (i) Credit risk, including the potential that a 33
911910 borrower or counterparty will fail to perform on an obligation; 34
912911 (ii) Servicing liquidity risk, including the 35
913912 potential that the covered institution servicer will be unable to meet the 36
916915 covered institution servicer's obligations as the obligations come due 1
917916 because of an inability to liquidate assets or obtain adequate funding or 2
918917 that it cannot easily unwind or offset specific exposures; 3
919918 (iii) Operational risk, including the risk resulting 4
920919 from inadequate or failed internal processes, people, and systems or from 5
921920 external events; 6
922921 (iv) Market risk, including the risk to the covered 7
923922 institution servicer’s condition resulting from adverse movements in market 8
924923 rates or prices; 9
925924 (v) Compliance risk, including the risk of 10
926925 regulatory sanctions, fines, penalties, or losses resulting from failure to 11
927926 comply with laws, rules, regulations, or other supervisory requirements 12
928927 applicable to a covered institution servicer; 13
929928 (vi) Legal risk, including the potential that 14
930929 actions against the covered institution servicer that result in unenforceable 15
931930 contracts, lawsuits, legal sanctions, or adverse judgments can disrupt or 16
932931 otherwise negatively affect the operations or condition of the covered 17
933932 institution servicer; and 18
934933 (vii) Reputation risk, including the risk to 19
935934 earnings and capital arising from negative publicity regarding the covered 20
936935 institution servicer’s business practices. 21
937936 (g)(1) A covered institution servicer shall conduct a risk management 22
938937 assessment on an annual basis concluding with a formal report to the board of 23
939938 directors and be available to the commissioner upon request. 24
940939 (2) Evidence of risk management activities throughout the year 25
941940 shall be maintained and made part of the report, including findings of issues 26
942941 and the response to address the findings made in the report. 27
943942 28
944943 23-39-521. Standards for safeguarding customer information. 29
945944 (a) A financial institution shall develop, implement, and maintain a 30
946945 comprehensive information security program. 31
947946 (b) The information security program under subsection (a) of this 32
948947 section shall: 33
949948 (1) Be written in one (1) or more readily accessible parts; and 34
950949 (2) Contain administrative, technical, and physical safeguards 35
951950 that are appropriate to the financial institution’s size and complexity, the 36
954953 nature and scope of the financial institution’s activities, and the 1
955954 sensitivity of any customer information at issue. 2
956955 (c) The information security program shall include the information 3
957956 required under § 23-39-522. 4
958957 5
959958 23-39-522. Information security program required elements. 6
960959 (a) In order for a financial institution to develop, implement, and 7
961960 maintain an information security program, the financial institution shall 8
962961 comply with this section. 9
963962 (b)(1) A financial institution shall designate a qualified individual 10
964963 responsible for overseeing and implementing the financial institution’s 11
965964 information security program and enforcing an information security program. 12
966965 (2)(A) The qualified individual may be employed by the financial 13
967966 institution, an affiliate, or a service provider. 14
968967 (B) If a financial institution designates an individual 15
969968 employed by an affiliate or a service provider, the financial institution 16
970969 shall: 17
971970 (i) Retain responsibility for compliance with this 18
972971 section; 19
973972 (ii) Designate a senior member of the financial 20
974973 institution’s personnel to be responsible for direction and oversight of the 21
975974 qualified individual; and 22
976975 (iii) Require the service provider or affiliate to 23
977976 maintain an information security program that protects the financial 24
978977 institution in accordance with the requirements of this section. 25
979978 (c)(1) A financial institution shall base the financial institution’s 26
980979 information security program on a risk assessment that: 27
981980 (A) Identifies reasonably foreseeable internal and 28
982981 external risks to the security, confidentiality, and integrity of customer 29
983982 information that could result in the unauthorized disclosure, misuse, 30
984983 alteration, destruction, or other compromise of the information; and 31
985984 (B) Assesses the sufficiency of any safeguards in place to 32
986985 control these risks. 33
987986 (2) The risk assessment shall be written and include: 34
988987 (A) Criteria for the evaluation and categorization of 35
989988 identified security risks or threats the financial institution faces; 36
992991 (B) Criteria for the assessment of the confidentiality, 1
993992 integrity, and availability of the financial institution’s information 2
994993 systems and customer information, including the adequacy of the existing 3
995994 controls in the context of the identified risks or threats the financial 4
996995 institution faces; and 5
997996 (C) Requirements describing how identified risks will be 6
998997 mitigated or accepted based on the risk assessment and how the information 7
999998 security program will address the risks. 8
1000999 (3) A financial institution shall periodically perform 9
10011000 additional risk assessments that: 10
10021001 (A) Reexamine the reasonably foreseeable internal and 11
10031002 external risks to the security, confidentiality, and integrity of customer 12
10041003 information that could result in the unauthorized disclosure, misuse, 13
10051004 alteration, destruction, or other compromise of the customer information; and 14
10061005 (B) Reassess the sufficiency of any safeguards in place to 15
10071006 control these risks. 16
10081007 (d) A financial institution shall design and implement safeguards to 17
10091008 control the risks the financial institution identifies through the risk 18
10101009 assessment as required under subsection (c) of this section, including 19
10111010 without limitation: 20
10121011 (1) Implementing and periodically reviewing access controls, 21
10131012 including technical and, as appropriate, physical controls, to: 22
10141013 (A) Authenticate and permit access only to authorized 23
10151014 users to protect against the unauthorized acquisition of customer 24
10161015 information; and 25
10171016 (B) Limit authorized users’ access only to customer 26
10181017 information that the authorized user needs to perform the authorized user’s 27
10191018 duties and functions, or in the case of customers, to access the customer’s 28
10201019 own customer information; 29
10211020 (2) Identifying and managing the data, personnel, devices, 30
10221021 systems, and facilities that enable the financial institution to achieve 31
10231022 business purposes according to the financial institution's relative 32
10241023 importance to business objectives and the financial institution’s risk 33
10251024 strategy; 34
10261025 (3)(A) Protecting by encryption all customer information held or 35
10271026 transmitted by the financial institution both in transit over external 36
10301029 networks and at rest. 1
10311030 (B) To the extent the financial institution determines 2
10321031 that encryption of customer information, either in transit over external 3
10331032 networks or at rest, is infeasible, the financial institution may instead 4
10341033 secure the customer information using effective alternative compensating 5
10351034 controls reviewed and approved by the financial institution’s qualified 6
10361035 individual; 7
10371036 (4) Adopting secure development practices for in-house developed 8
10381037 applications utilized by the financial institution for transmitting, 9
10391038 accessing, or storing customer information and procedures for evaluating, 10
10401039 assessing, or testing the security of externally developed applications the 11
10411040 financial institution utilizes to transmit, access, or store customer 12
10421041 information; 13
10431042 (5) Implementing multifactor authentication for an individual 14
10441043 accessing an information system, unless the financial institution’s qualified 15
10451044 individual has approved in writing the use of reasonably equivalent or more 16
10461045 secure access controls; 17
10471046 (6) Developing, implementing, and maintaining procedures for the 18
10481047 secure disposal of customer information in any format no later than two (2) 19
10491048 years after the last date the customer information is used in connection with 20
10501049 the provision of a financial product or service to the customer, unless the 21
10511050 customer information is: 22
10521051 (A) Necessary for business operations or for other 23
10531052 legitimate business purposes; 24
10541053 (B) Otherwise required to be retained by state law or 25
10551054 rule, or federal law or regulation; or 26
10561055 (C) Where targeted disposal is not reasonably feasible due 27
10571056 to the manner in which the information is maintained; 28
10581057 (7) Periodically reviewing the financial institution’s data 29
10591058 retention policy to minimize the unnecessary retention of data; 30
10601059 (8) Adopting procedures for change management; and 31
10611060 (9) Implementing policies, procedures, and controls designed to 32
10621061 monitor and log the activity of authorized users and detect unauthorized 33
10631062 access or use of, or tampering with, customer information by these users. 34
10641063 (e)(1) A financial institution shall regularly test or otherwise 35
10651064 monitor the effectiveness of the safeguards' key controls, systems, and 36
10681067 procedures of the safeguards' required under this section, including those to 1
10691068 detect actual and attempted attacks on, or intrusions into, information 2
10701069 systems. 3
10711070 (2)(A) For information systems, monitoring and testing shall 4
10721071 include continuous monitoring or periodic penetration testing and 5
10731072 vulnerability assessments. 6
10741073 (B) Absent effective continuous monitoring or other 7
10751074 systems to detect, on an ongoing basis, changes in information systems that 8
10761075 may create vulnerabilities, the financial institution shall conduct: 9
10771076 (i) Annual penetration testing of a financial 10
10781077 institution’s information systems determined each given year based on 11
10791078 relevant identified risks according to the risk assessment; and 12
10801079 (ii) Vulnerability assessments, including a systemic 13
10811080 scan or review of an information system reasonably designed to identify 14
10821081 publicly known security vulnerabilities in the financial institution’s 15
10831082 information systems based on the risk assessment, at least every six (6) 16
10841083 months, and whenever there are: 17
10851084 (a) Material changes to the financial 18
10861085 institution’s operations or business arrangements; and 19
10871086 (b) Circumstances the financial institution 20
10881087 knows or has reason to know may have a material impact on the financial 21
10891088 institution’s information security program. 22
10901089 (f) A financial institution shall implement policies and procedures to 23
10911090 ensure that personnel are able to enact the financial institution’s 24
10921091 information security program by: 25
10931092 (1) Providing the financial institution’s personnel with 26
10941093 security awareness training that is updated as necessary to reflect risks 27
10951094 identified by the risk assessment; 28
10961095 (2) Utilizing qualified information security personnel employed 29
10971096 by the financial institution or an affiliate or a service provider sufficient 30
10981097 to manage the financial institution’s information security risks and to 31
10991098 perform or oversee the information security program; 32
11001099 (3) Providing information security personnel with security 33
11011100 updates and training sufficient to address relevant security risks; and 34
11021101 (4) Verifying that key information security personnel take steps 35
11031102 to maintain current knowledge of changing information security threats and 36
11061105 countermeasures. 1
11071106 (g) A financial institution shall oversee service providers by: 2
11081107 (1) Taking reasonable steps to select and retain service 3
11091108 providers that are capable of maintaining appropriate safeguards for the 4
11101109 customer information at issue; 5
11111110 (2) Requiring the financial institution’s service providers by 6
11121111 contract to implement and maintain the safeguards referenced under 7
11131112 subdivision (g)(1) of this section; and 8
11141113 (3) Periodically assessing the financial institution’s service 9
11151114 providers based on the risk they present and the continued adequacy of their 10
11161115 safeguards. 11
11171116 (h) A financial institution shall evaluate and adjust the financial 12
11181117 institution’s information security program to reflect: 13
11191118 (1) The results of the testing and monitoring required by 14
11201119 subsection (e) of this section; 15
11211120 (2) Any material change to the financial institution’s 16
11221121 operations or business arrangements or other circumstances; 17
11231122 (3) The results of risk assessments performed under subdivision 18
11241123 (c)(3) of this section; and 19
11251124 (4) Any other circumstances that the financial institution knows 20
11261125 or has reason to know may have a material impact on the financial 21
11271126 institution's information security program. 22
11281127 (i)(1) A financial institution shall establish a written incident 23
11291128 response plan designed to promptly respond to, and recover from, any security 24
11301129 event materially affecting the confidentiality, integrity, or availability of 25
11311130 customer information in the financial institution’s control. 26
11321131 (2) The incident response plan under subdivision (i)(1) of this 27
11331132 section shall address: 28
11341133 (A) The goals of the incident response plan; 29
11351134 (B) The internal processes for responding to a security 30
11361135 event; 31
11371136 (C) The definition of clear roles, responsibilities, and 32
11381137 levels of decision-making authority; 33
11391138 (D) External and internal communications and information 34
11401139 sharing; 35
11411140 (E) Identification of requirements for the remediation of 36
11441143 any identified weaknesses in information systems and associated controls; 1
11451144 (F) Documentation and reporting regarding security events 2
11461145 and related incident response activities; and 3
11471146 (G) The evaluation and revision as necessary of the 4
11481147 incident response plan following a security event. 5
11491148 (j)(1) The financial institution’s qualified individual shall report 6
11501149 in writing at least annually, to the financial institution’s board of 7
11511150 directors or equivalent governing body. 8
11521151 (2) If a board of directors or equivalent governing body does 9
11531152 not exist, the report required under subdivision (j)(1) of this section shall 10
11541153 be timely presented to a senior officer responsible for the financial 11
11551154 institution’s information security program. 12
11561155 (3) The report required under subdivision (j)(1) of this section 13
11571156 shall include: 14
11581157 (A) The overall status of the information security program 15
11591158 and the financial institution’s compliance with this section and associated 16
11601159 rules; and 17
11611160 (B) Material matters related to the information security 18
11621161 program, addressing issues such as risk assessment, risk management and 19
11631162 control decisions, service provider arrangements, results of testing, 20
11641163 security events or violations and management’s responses to security events 21
11651164 or violations, and recommendations for changes in the information security 22
11661165 program. 23
11671166 (k) A financial institution shall provide notice to the Securities 24
11681167 Commissioner about notification events according to subdivisions (l)(1) and 25
11691168 (2) of this section. 26
11701169 (l)(1) Upon discovery of a notification event as described in 27
11711170 subdivision (l)(3) of this section, if the notification event involves the 28
11721171 information of any consumers in this state, the financial institution shall 29
11731172 notify the commissioner as soon as possible and no later forty-five (45) days 30
11741173 after discovery of the notification event. 31
11751174 (2) The notice required under subdivision (l)(1) of this section 32
11761175 shall: 33
11771176 (A) Be made in a format specified by the commissioner; and 34
11781177 (B) Include the following information: 35
11791178 (i) The name and contact information of the 36
11821181 reporting financial institution; 1
11831182 (ii)(a) A description of the types of information 2
11841183 that were involved in the notification event. 3
11851184 (b) If the information is possible to 4
11861185 determine under subdivision (l)(2)(B)(ii)(a) of this section, the notice 5
11871186 required under subdivision (l)(1) of this section shall contain the date or 6
11881187 date range of the notification event; 7
11891188 (iii) The number of consumers affected or 8
11901189 potentially affected by the notification event; 9
11911190 (iv) A general description of the notification 10
11921191 event; and 11
11931192 (v)(a) Whether a law enforcement official has 12
11941193 provided the financial institution with a written determination that 13
11951194 notifying the public of the notification event would impede a criminal 14
11961195 investigation or cause damage to national security, and a means for the 15
11971196 commissioner to contact the law enforcement official. 16
11981197 (b) A law enforcement official under 17
11991198 subdivision (l)(2)(B)(v)(a) of this section may request an initial delay of 18
12001199 up to thirty (30) days following the date when notice was provided to the 19
12011200 commissioner. 20
12021201 (c) The delay under subdivision 21
12031202 (l)(2)(B)(v)(b) of this section may be extended for an additional period of 22
12041203 up to sixty (60) days if the law enforcement official seeks an extension in 23
12051204 writing. 24
12061205 (d) An additional delay beyond the delay under 25
12071206 subdivision (l)(2)(B)(v)(b) of this section may be permitted only if the 26
12081207 State Securities Department determines that public disclosure of a 27
12091208 notification event continues to impede a criminal investigation or cause 28
12101209 damage to national security. 29
12111210 (3)(A) A notification event under this section shall be treated 30
12121211 as discovered as of the first day on which the notification event is known to 31
12131212 the financial institution. 32
12141213 (B) The financial institution under subdivision (l)(3)(A) 33
12151214 of this section shall be deemed to have knowledge of a notification event if 34
12161215 the notification event is known to a person, other than the person committing 35
12171216 the notification event, who is the financial institution’s employee, officer, 36
12201219 or other agent. 1
12211220 (m) A financial institution shall establish a written plan addressing 2
12221221 business continuity and disaster recovery. 3
12231222 4
12241223 23-39-523. Exceptions. 5
12251224 This subchapter does not apply to a financial institution that 6
12261225 maintains customer information concerning fewer than five thousand (5,000) 7
12271226 consumers. 8
12281227 9
12291228 10
1230-APPROVED: 3/12/25 11
1229+ 11