North Dakota 2025 2025-2026 Regular Session

North Dakota House Bill HB1127 Prefiled / Bill

Filed 01/03/2025

                    25.8110.01000
Sixty-ninth
Legislative Assembly
of North Dakota
Introduced by
Industry, Business and Labor Committee
(At the request of the Department of Financial Institutions)
A BILL for an Act to create and enact chapter 13-01.2 of the North Dakota Century Code, 
relating to the financial institution data security program; and to amend and reenact sections 
6-01-04.1 and 6-01-04.2, subsection 7 of section 6-03-02, sections 13-04.1-01.1, 13-04.1-11.1, 
13-05-07.1, 13-08-10, 13-08-11.1, and 13-09.1-14, subsection 3 of section 13-09.1-17, sections 
13-09.1-38 and 13-10-05, subsection 1 of section 13-11-10, section 13-12-19, subsections 6, 
21, and 22 of section 13-13-01, and sections 13-13-04 and 13-13-18 of the North Dakota 
Century Code, relating to the department of financial institutions, financial institutions, response 
to department requests, renewal of licenses, orders to cease and desist, issuance of licenses, 
revocation of licenses, and exemptions from licenses.
BE IT ENACTED BY THE LEGISLATIVE ASSEMBLY OF NORTH DAKOTA:
SECTION 1. AMENDMENT. Section 6-01-04.1 of the North Dakota Century Code is 
amended and reenacted as follows:
6-01-04.1. Removal of officers, directors, and employees of financial corporations or 
institutions.
1. The department of financial institutions or the board may issue, upon any current or
former officer, director, or employee of a financial corporation, financial institution, or
credit union subject to its jurisdiction and upon a financial corporation, financial
institution, or credit union involved, an order stating:
a. That the current or former officer, director, or employee is engaging, or has
engaged, in any of the following conduct:
(1) Violating any law, regulation, board order, or written agreement with the
board.
(2) Engaging or participating in any unsafe or unsound practice.
 HOUSE BILL NO. 1127
    
(3) Performing any act of commission or omission or practice which is a breach
of trust or a breach of fiduciary duty.
b. The term of the suspension or removal from employment and participation within
the conduct of the affairs of a financial corporation, financial institution, credit
union, or any other entity licensed by the department of financial institutions.
2. The order must contain a notice of opportunity for hearing pursuant to chapter 28-32.
The date for the hearing must be set not less than thirty days after the date the 
complaint is served upon the current or former officer, director, or employee of a 
financial corporation, financial institution, credit union, or any other entity licensed by 
the department of financial institutions. The current or former officer, director, or 
employee may waive the thirty-day notice requirement.
3. If no hearing is requested within twenty days of the date the order is served upon the
current or former officer, director, or employee, the order is final. If a hearing is held 
and the board finds that the record so warrants, it may enter a final order. The final 
order suspending or removing the current or former officer, director, or employee is 
final. The current or former officer or employee may request a termination of the final 
order after a period of no less than three years.
4. A contested or default suspension or removal order is effective immediately upon
issuance on the current or former officer, director, or employee and upon a financial 
corporation, financial institution, or credit union. A consent order is effective as agreed.
5. Any current or former officer, director, or employee suspended or removed from any
position pursuant to this section is not eligible, while under suspension or removal, to 
be employed or otherwise participate in the affairs of any financial corporation, 
financial institution, or credit union or any other entity licensed by the department of 
financial institutions until the suspension or removal is terminated by the department of 
financial institutions or board.
6. When any current or former officer, director, employee, or other person participating in
the conduct of the affairs of a financial corporation, financial institution, or credit union 
is charged with a felony in state or federal court, involving dishonesty or breach of 
trust, the commissioner may immediately suspend the person from office or prohibit 
the person from any further participation in a financial corporation's, financial 
institution's, or credit union's affairs. The order is effective immediately upon issuance 
of the order on a financial corporation, financial institution, or credit union and the 
person charged, and remains in effect until the criminal charge is finally disposed of or 
until modified by the board. If a judgment of conviction, a federal pretrial diversion, 
conviction or agreement to plea to lesser charges, or similar state order or judgment is 
entered, the board or commissioner may order that the suspension or prohibition be 
made permanent. A finding of not guilty or other disposition of the charge does not 
preclude the commissioner or the board from pursuing administrative or civil remedies.
7. The commissioner or board may issue upon a current or former officer, director,
employee, or other person participating in the conduct of the affairs of a financial 
corporation, financial institution, or credit union an order permanently suspending and 
prohibiting the person from participation in a financial corporation's, financial 
institution's, or credit union's affairs if convicted of any charge involving dishonesty or 
breach of trust in state or federal court. The suspension or removal order is effective 
immediately upon issuance on the current or former officer, director, or employee and 
upon a financial corporation, financial institution, or credit union.
SECTION 2. AMENDMENT. Section 6-01-04.2 of the North Dakota Century Code is 
amended and reenacted as follows:
6-01-04.2. Cease and desist orders.
1. The department of financial institutions or the board may issue and serve upon a
financial corporation, financial institution, or credit union subject to its jurisdiction a 
complaint stating the factual basis for the department's or board's belief that the 
financial corporation, financial institution, or credit union is engaging in any of the 
following conduct:
a. An unsafe or unsound practice.
b. A violation in the past or on a continuing basis of any law, regulation, board order,
or written agreement entered into with the board or department of financial 
institutions.
2. The complaint must contain a notice of opportunity for hearing pursuant to chapter
28-32. The date for the hearing must be set not less than thirty days after the date the 
complaint is served upon the financial corporation, financial institution, or credit union. 
The financial corporation, financial institution, or credit union may waive the thirty-day 
notice requirement.
3. If the financial corporation, financial institution, or credit union fails to respond to the
complaint within twenty days of its service, or if a hearing is held and the board 
concludes that the record so warrants, the board may enter an order directing the 
financial corporation, financial institution, or credit union to cease and desist from 
engaging in the conduct which was the subject of the complaint and hearing and to 
take corrective action.
4. The commissioner or the board may enter an emergency, temporary cease and desist
order if the commissioner or the board finds the conduct described in the complaint is 
likely to cause insolvency, substantial dissipation of assets, earnings, or capital of the 
financial corporation, financial institution, or credit union, or substantial prejudice to the 
depositors, shareholders, members, or creditors of the financial corporation, financial 
institution, or credit union. An emergency, temporary cease and desist order is 
effective immediately upon service on the financial corporation, financial institution, or 
credit union and remains in effect for no longer than sixty days or until the conclusion 
of permanent cease and desist proceedings pursuant to this section, whichever is 
sooner. An emergency, temporary cease and desist order may be issued without an 
opportunity for hearing. A bank or credit union may request a hearing before the state 
banking board or state credit union board within ten days of the order to review the 
factual basis used to issue the emergency, temporary cease and desist order. The 
decision made by the board during this hearing will be final. If a hearing is not 
requested, the initial decision of the commissioner or board will be final.
SECTION 3. AMENDMENT. Subsection 7 of section 6-03-02 of the North Dakota Century 
Code is amended and reenacted as follows:
7. Exercise, as determined by the board or commissioner by order or rule, all the
incidental powers as are necessary to carry on the business of banking, including 
discounting and negotiating promissory notes, bills of exchange, drafts, and other 
evidences of debt; receiving deposits; buying and selling exchange, coin, and bullion; 
loaning money upon real or personal security, or both; soliciting and receiving deposits 
in the nature of custodial accounts for the purpose of health savings or similar health 
care cost funding accounts, retirement fund contracts, or pension programs, and such 
custodial accounts are exempt from chapter 6-05; and providing services to its 
customers involving electronic transfer of funds to the same extent that other financial 
institutions chartered and regulated by an agency of the federal government are 
permitted to provide those services within this state. A bank that provides electronic 
funds transfer equipment and service to its customers, at premises separate from its 
main banking house or duly authorized facility approved by the state banking board, 
must make the equipment and service available for use by customers of any other 
bank upon the request of the other bank to share its use and the agreement of the 
other bank to share pro rata all costs incurred in connection with its installation and 
operation, and the electronic operations are not deemed to be the establishment of a 
branch, nor of a separate facility. The electronic operations at premises separate from 
its banking house or duly authorized facility must be considered a customer electronic 
funds transfer center and may be established subject to rules that the state banking 
board adopts.
SECTION 4. Chapter 13-01.2 of the North Dakota Century Code is created and enacted as 
follows:
13-01.2-01. Definitions.
For purposes of this chapter, the following definitions shall apply:
1. "Authorized user" means any employee, contractor, agent, or other person who:
a. Participates in a financial corporation's business operations; and
b. Is authorized to access and use any of the financial corporation's information
systems and data.
2. "Commissioner" means the commissioner of the department of financial institutions.
3. "Consumer":
a. Means an individual, or that individual's legal representative, who applies for or
has obtained a financial product or service from a financial corporation which is to 
be used primarily for personal, family, or household purposes. A consumer 
includes an individual who:
(1) Applies to a financial corporation for credit for personal, family, or household
purposes, regardless of whether the credit is extended.
(2) Provides nonpublic personal information to a financial corporation to obtain
a determination about whether the applicant may qualify for a loan to be 
used primarily for personal, family, or household purposes, regardless of 
whether the loan is extended.
(3) Provides nonpublic personal information to a financial corporation in
connection with obtaining or seeking to obtain financial, investment, or 
economic advisory services, regardless of whether the financial corporation 
establishes a continuing advisory relationship.
(4) Has a loan for personal, family, or household purposes in which the financial
corporation has ownership or servicing rights, even if the financial 
corporation or one or more other corporations that hold ownership or 
servicing rights in conjunction with the financial corporation hires an agent to 
collect on the loan.
b. Does not include an individual who:
(1) Uses a different financial corporation or financial institution to act solely as
an agent for, or provide processing or other services to, the individual
financial corporation or financial institution.
(2) Designates a financial corporation solely for the purposes to act as trustee
for a trust.
(3) Is a beneficiary of a trust for which the financial corporation is a trustee.
(4) Is a participant or a beneficiary of an employee benefit plan that the financial
corporation sponsors or for which the financial corporation acts as a trustee 
or fiduciary.
4. "Continuing relationship":
a. Means a situation in which a consumer:
(1) Has a credit or investment account with a financial corporation;
(2) Obtains a loan from a financial corporation;
(3) Purchases an insurance product from a financial corporation;
(4) Holds an investment product through a financial corporation, including when
a financial corporation acts as a custodian for securities or for assets in an 
individual retirement arrangement;
(5) Enters into an agreement or understanding with a financial corporation in
which the financial corporation undertakes to arrange or broker a home
mortgage loan, or credit to purchase a vehicle, for the consumer;
(6) Enters into a lease of personal property on a nonoperating basis with a
financial corporation;
(7) Obtains financial, investment, or economic advisory services from a
financial corporation for a fee;
(8) Becomes a financial corporation's client for the purpose of obtaining tax
preparation or credit counseling services from the financial corporation;
(9) Obtains career counseling while:
(a) Seeking employment with a financial corporation or the finance,
accounting, or audit department of any company; or
(b) Employed by a financial corporation or department of any company;
(10) Is obligated on an account that a financial corporation purchases from
another financial corporation, regardless of whether the account is in default 
when purchased, unless the financial corporation does not locate the 
consumer or attempt to collect any amount from the consumer on the 
account;
(11) Obtains real estate settlement services from a financial corporation; or
(12) Has a loan for which a financial corporation owns the servicing rights.
b. Does not include a situation in which:
(1) The consumer obtains a financial product or service from a financial
corporation only in isolated transactions, including:
(a) A financial corporation's automated teller machine to withdraw cash
from an account at another financial institution;
(b) Purchasing a money order from a financial corporation;
(c) Cashing a check with a financial corporation; or
(d) Making a wire transfer through a financial corporation;
(2) A financial corporation sells the consumer's loan and does not retain the
rights to service that loan;
(3) A financial corporation sells the consumer an airline ticket, travel insurance,
or a traveler's check in isolated transactions;
(4) The consumer obtains one-time personal or real property appraisal services
from a financial corporation; or
(5) The consumer purchases checks for a personal checking account from a
financial corporation.
5. "Customer" means a consumer who has a customer relationship with a financial
corporation.
6. "Customer information" means any record containing nonpublic personal information
about a customer of a financial corporation, whether in paper, electronic, or other form, 
which is handled or maintained by or on behalf of the financial corporation or the 
financial corporation's affiliates.
7. "Customer relationship" means a continuing relationship between a consumer and a
financial corporation under which the financial corporation provides one or more 
financial products or services to the consumer that are used primarily for personal, 
family, or household purposes.
8. "Encryption" means the transformation of data into a form that results in a low
probability of assigning meaning without the use of a protective process or key, 
consistent with current cryptographic standards and accompanied by appropriate 
safeguards for cryptographic key material.
9. "Financial corporation" means all entities regulated by the department of financial
institutions, excluding financial institutions and credit unions.
10. "Financial institution" means any bank, industrial loan company, or savings and loan
association organized under the laws of this state or of the United States.
11. "Financial product or service" means any product or service that a financial holding
company could offer by engaging in a financial activity under the federal Bank Holding
Company Act of 1956 [12 U.S.C. 1843 section 4(k)]. The term includes a financial
corporation's evaluation or brokerage of information that a financial corporation 
collects in connection with a request or an application from a consumer for a financial 
product or service.
12. "Information security program" means the administrative, technical, or physical
safeguards a financial corporation uses to access, collect, distribute, process, protect, 
store, use, transmit, dispose of, or otherwise handle customer information.
13. "Information system" means a discrete set of electronic information resources
organized for the collection, processing, maintenance, use, sharing, dissemination, or 
disposition of electronic information, as well as any specialized system, including 
industrial process controls systems, telephone switching and private branch exchange 
systems, and environmental controls systems that contain customer information or 
that is connected to a system that contains customer information.
14. "Multifactor authentication" means authentication through verification of at least two of
the following types of authentication factors:
a. Knowledge factors, including a password;
b. Possession factors, including a token; or
c. Inherence factors, including biometric characteristics.
15. "Nonpublic personal information":
a. Means:
(1) Personally identifiable financial information; and
(2) Any list, description, or other grouping of consumers, including publicly
available information pertaining to the consumers that is derived using
personally identifiable financial information that is not publicly available,
including account numbers.
b. Does not include:
(1) Publicly available information, except as included on a list described in
paragraph 2 of subdivision a;
(2) Any list, description, or other grouping of consumers, including publicly
available information pertaining to the consumers that is derived without 
using any personally identifiable financial information that is not publicly 
available; or
(3) Any list of individuals' names and addresses that contains only publicly
available information, is not derived, in whole or in part, using personally 
identifiable financial information that is not publicly available, and is not 
disclosed in a manner that indicates that any individual on the list is the 
financial corporation's consumer.
16. "Notification event" means the acquisition of unencrypted customer information without
the authorization of the individual to which the information pertains. Customer 
information is considered unencrypted for purposes of this subsection if the encryption 
key was accessed by an unauthorized person. Unauthorized acquisition is presumed 
to include unauthorized access to unencrypted customer information unless the 
financial corporation has reliable evidence showing there has not been, or could not 
reasonably have been, unauthorized acquisition of customer information.
17. "Penetration testing" means a test methodology in which assessors attempt to
circumvent or defeat the security features of an information system by attempting to 
penetrate databases or controls from outside or inside a financial corporation's 
information systems.
18. "Personally identifiable financial information":
a. Means any information:
(1) A consumer provides to a financial corporation to obtain a financial product
or service;
(2) About a consumer resulting from any transaction involving a financial
product or service between a financial corporation and a consumer; or
(3) A financial corporation otherwise obtains about a consumer in connection
with providing a financial product or service to that consumer.
b. Includes:
(1) Information a consumer provides to a financial corporation on an application
to obtain a loan, credit card, or other financial product or service;
(2) Account balance information, payment history, overdraft history, and credit
or debit card purchase information;
(3) An individual that is or has been a financial corporation's customer or has
obtained a financial product or service from the financial corporation;
(4) Any information about a financial corporation's consumer if it is disclosed in
a manner that indicates the individual is or has been a financial 
corporation's consumer;
(5) Any information a consumer provides to a financial corporation or which a
financial corporation or a financial corporation's agent otherwise obtains in
connection with collecting on, or servicing, a credit account;
(6) Any information a financial corporation collects through an information
collecting device from a web server; and
(7) Information from a consumer report.
c. Does not include:
(1) A list of names and addresses of customers of an entity that is not a
financial corporation; and
(2) Information that does not identify a consumer, such as aggregate
information or blind data that does not contain personal identifiers such as
account numbers, names, or addresses.
19. a. "Publicly available information":
(1) Means any information that a financial corporation has a reasonable basis
to believe is lawfully made available to the general public from:
(a) Federal, state, or local government records;
(b) Widely distributed media; or
(c) Disclosures to the general public which are required under federal,
state, or local law.
(2) Includes information:
(a) In government real estate records and security interest filings; or
(b) From widely distributed media, a telephone book, a television or radio
program, a newspaper, or a website that is available to the general 
public on an unrestricted basis. A website is not restricted because an 
internet service provider or a site operator requires a fee or a 
password, provided access is available to the general public.
b. For purposes of this subsection, a financial corporation has a reasonable basis to
believe information is lawfully made available to the general public if the financial 
corporation has taken steps to determine:
(1) The information is of the type available to the general public; and
(2) Whether an individual can direct that the information not be made available
to the general public and, if so, that the financial corporation's consumer has 
not done so. A financial corporation has a reasonable basis to believe 
mortgage information is lawfully made available to the general public if the 
financial corporation determines the information is of the type included on 
the public record in the jurisdiction where the mortgage is recorded. A 
financial corporation has a reasonable basis to believe an individual's 
telephone number is lawfully made available to the general public if the 
financial corporation has located the telephone number in the telephone 
book or the consumer has informed the financial corporation the telephone 
number is not unlisted.
20. "Qualified individual" means the individual designated by a financial institution to
oversee, implement, and enforce the financial institution's information security 
program.
21. "Security event" means an event resulting in unauthorized access to, or disruption or
misuse of:
a. An information system or information stored on an information system; or
b. Customer information held in physical form.
22. "Service provider" means any person or entity that receives, maintains, processes, or
otherwise is permitted access to customer information through its provision of services 
directly to a financial corporation that is subject to this chapter.
13-01.2-02. Standards for safeguarding customer information.
1. A financial corporation shall develop, implement, and maintain a comprehensive
information security program.
2. The information security program must:
a. Be written in one or more readily accessible parts; and
b. Maintain administrative, technical, and physical safeguards that are appropriate
to the financial corporation's size and complexity, the nature and scope of the 
financial corporation's activities, and the sensitivity of any customer information at 
issue.
3. The financial corporation shall develop a security program that:
a. Ensures the security and confidentiality of customer information;
b. Protects against any anticipated threats or hazards to the security or integrity of
such information; and
c. Protects against unauthorized access to or use of such information that could
result in substantial harm or inconvenience to any customer.
13-01.2-03. Elements of a security program.
1. A financial corporation's information security program must denote a designation of a
qualified individual responsible for overseeing and implementing the financial 
corporation's information security program and enforcing the financial corporation's 
information security program. The qualified individual may be employed by the 
financial corporation, an affiliate, or a service provider.
2. If a financial corporation designates an individual employed by an affiliate or service
provider as the qualified individual, the financial corporation shall:
a. Retain responsibility for compliance with this chapter;
b. Designate a senior member of the financial corporation's personnel to be
responsible for directing and overseeing the qualified individual; and
c. Require the service provider or affiliate to maintain an information security
program that protects the financial corporation in accordance with the
requirements of this chapter.
3. A financial corporation shall base the financial corporation's information security
program on a risk assessment that:
a. Identifies reasonably foreseeable internal and external risks to the security,
confidentiality, and integrity of customer information that could result in the 
unauthorized disclosure, misuse, alteration, destruction or other compromise of 
customer information;
b. Assesses the sufficiency of any safeguards in place to control the risks in
subdivision a; and
c. Includes additional periodic risk assessments that:
(1) Re-examine the reasonably foreseeable internal and external risks to the
security, confidentiality, and integrity of customer information that could 
result in the unauthorized disclosure, misuse, alteration, destruction or other 
compromise of such information; and
(2) Reassess the sufficiency of any safeguards in place to control these risks.
4. The risk assessment must be in writing and include:
a. Criteria to evaluate and categorize identified security risks or threats the financial
corporation faces;
b. Criteria for the assessment of the confidentiality, integrity, and availability of the
financial corporation's information systems and customer information, including
the adequacy of the existing controls in the context of the identified risks or
threats the financial corporation faces; and
c. Requirements describing how:
(1) Identified risks will be mitigated or accepted based on the risk assessment;
and
(2) The information security program will address the risks.
5. A financial corporation shall design and implement safeguards to control the risks the
financial corporation identifies through the risk assessment in subsection 4, which
include:
a. Implementing and periodically reviewing access controls, including technical and
as appropriate, physical controls to:
(1) Authenticate and permit access only to authorized users to protect against
the unauthorized acquisition of customer information; and
(2) Limit an authorized user's access to only customer information the
authorized user needs to perform the authorized user's duties and functions,
or in the case of a customer, to access the customer's own information.
b. Identifying and managing data, personnel, devices, systems, and facilities that
enable the financial corporation to achieve business purposes in accordance with
the business purpose's relative importance to business objectives and the
financial corporation's risk strategy.
c. Protecting by encryption all customer information held or transmitted by the
financial corporation both in transit over external networks and at rest. To the 
extent a financial corporation determines that encryption of customer information, 
either in transit over external networks or at rest, is infeasible, the financial 
corporation may secure customer information using effective alternative 
compensating controls reviewed and approved by the financial corporation's 
qualified individual.
d. Adopting secure development practices for in-house developed applications
utilized by the financial corporation for transmitting, accessing, or storing 
customer information and procedures for evaluating, assessing, or testing the 
security of externally developed applications the financial corporation utilizes to 
transmit, access, or store customer information.
e. Implementing multifactor authentication for any individual accessing any
information system, unless the financial corporation's qualified individual has 
approved in writing the use of a reasonably equivalent or more secure access 
control.
f.Developing, implementing, and maintaining procedures to securely dispose of 
customer information, in any format, no later than two years after the last date the 
information is used in connection with providing a product or service to the 
customer which it relates, unless:
(1)The information is necessary for business operations or for other legitimate 
business purposes;
(2)Is otherwise required to be retained by law or regulation; or
(3)Where targeted disposal is not reasonably feasible due to the manner in 
which the information is maintained.
g.Periodically reviewing the financial corporation's data retention policy to minimize 
unnecessary retention of data.
h.Adopting procedures for change management.
i.Implementing policies, procedures and controls designed to:
(1)Monitor and log the activity of authorized users; and
(2)Detect unauthorized access to, use of, or tampering with customer 
information by authorized users.
6.a.A financial corporation shall regularly test or otherwise monitor the effectiveness 
of the safeguards' key controls, systems, and procedures, including the controls, 
systems, and procedures to detect actual and attempted attacks on, or intrusions 
into, information systems.
b.Information systems monitoring and testing must include continuous monitoring 
or periodic penetration testing, and vulnerability assessments. Without effective 
continuous monitoring or other systems to detect, on an ongoing basis, changes 
in information systems that may create vulnerabilities, a financial corporation 
shall conduct:
(1)Annual penetration testing of the financial corporation's information systems 
based on relevant identified risks in accordance with the risk assessment; 
and
(2)Vulnerability assessments, including systemic scans or information systems 
reviews that are reasonably designed to identify publicly known security 
vulnerabilities in the financial corporation's information systems based on 
the risk assessment, at least every six months; whenever there are material 
changes to the financial corporation's operations or business arrangements; 
and whenever there are circumstances the financial corporation knows or 
has reason to know may have a material impact on the financial 
corporation's information security program.
7.A financial corporation shall implement policies and procedures to ensure the financial 
corporation's personnel are able to enact the financial corporation's information 
security program by:
a.Providing the financial corporation's personnel with security awareness training 
that is updated as necessary to reflect risks identified by the risk assessment;
b.Utilizing qualified information security personnel employed by the financial 
corporation or an affiliate or service provider sufficient to manage the financial 
corporation's information security risks and to perform or oversee the information 
security program;
c.Providing information security personnel with security updates and training 
sufficient to address relevant security risks; and
d.Verifying that key information security personnel take steps to maintain current 
knowledge of changing information security threats and countermeasures.
8.A financial corporation shall oversee service providers by:
a.Taking reasonable steps to select and retain service providers capable of 
maintaining appropriate safeguards for customer information;
b.Requiring, by contract, the financial corporation's service providers implement 
and maintain appropriate safeguards; and
c.Periodically assessing the financial corporation's service providers based on the 
risk they present, and the continued adequacy of the service providers' 
safeguards.
9.A financial corporation shall evaluate and adjust the financial corporation's information 
security program by incorporating:
a.The results of the testing and monitoring required under subsection 5;
b.Any material changes to the financial corporation's operations or business 
arrangements;
c.The results of risk assessments performed under subsection 3; or
d.Any other circumstances that the financial corporation knows or has reason to 
know may have a material impact on the financial corporation's information 
security program.
10.A financial corporation shall establish a written incident response plan designed to 
promptly respond to, and recover from, any security event materially affecting the 
confidentiality, integrity, or availability of customer information the financial corporation 
controls. The plan must address:
a.The goals of the incident response plan;
b.The internal processes for responding to a security event;
c.Clear roles, responsibilities, and levels of decisionmaking authority;
d.External and internal communications and information sharing;
e.Requirements for the remediation of any identified weaknesses in information 
systems and associated controls;
f.Documentation and reporting regarding security events and related incident 
response activities; and
g.The evaluation and revision of the incident response plan, as necessary, after a 
security event.
11.A financial corporation shall require the financial corporation's qualified individual to 
report in writing, at least annually, to the financial corporation's board of directors or 
equivalent governing body. If no board of directors or equivalent governing body 
exists, the report shall be timely presented to a senior officer responsible for the 
financial corporation's information security program. The report must include:
a.The overall status of the information security program, and the financial 
corporation's compliance with this chapter and associated rules; and
b.Material matters related to the information security program, addressing issues 
including risk assessment, risk management and control decisions, service 
provider arrangements, results of testing, security events or violations and 
management's responses thereto, and recommendations for changes in the 
information security program.
12.a.A financial corporation shall notify the commissioner about notification events.
b.After discovery of a notification event described in subdivision c, if the notification
event involves the information of at least five hundred consumers, the financial 
corporation shall notify the commissioner as soon as possible, and no later than 
forty-five days after the event is discovered. The notice must be made in a format 
specified by the commissioner and include:
(1)The name and contact information of the reporting financial corporation;
(2)A description of the types of information involved in the notification event;
(3)The date or date range of the notification event, if the information is possible 
to determine;
(4)The number of consumers affected or potentially affected by the notification 
event;
(5)A general description of the notification event; and
(6)A statement whether any law enforcement official has provided the financial 
corporation with a written determination that notifying the public of the 
breach would impede a criminal investigation or cause damage to national 
security, and a means for the commissioner to contact the law enforcement 
official. A law enforcement official may request an initial delay of up to 
forty-five days following the date when notice was provided to the
commissioner. The delay may be extended for an additional period of up to 
sixty days if the law enforcement official seeks an extension in writing.
c.A notification event must be treated as discovered on the first day when the event 
is known to the financial corporation. A financial corporation is deemed to have 
knowledge of a notification event if the event is known to any employee, officer, 
or other agent of the financial corporation, other than the person committing the 
breach.
13.A financial corporation shall establish a written plan addressing business continuity 
and disaster recovery.
13-01.2-04. Exemptions.
Subsection 4, subdivision b of subsection 6, and subsections 10 and 11 of section
13-01.2-03 do not apply to financial institutions that maintain customer information concerning
fewer than five thousand consumers.
SECTION 5. AMENDMENT. Section 13-04.1-01.1 of the North Dakota Century Code is 
amended and reenacted as follows:
13-04.1-01.1. Definitions.
As used in this chapter, unless the context or subject matter otherwise requires:
1."Borrower" means a person or entity that seeks out, or is solicited by a money broker 
for the purpose of money brokering.
2."Commissioner" means the commissioner of financial institutions.
3."Loan" means a contract by which one delivers a sum of money to another and the 
latter agrees to return at a future time a sum equivalent to that which the person 
borrowed. This includes alternative financing products as identified by the 
commissioner through the issuance of an order.
4."Money broker" means a person or entity who, in the ordinary course of business, 
engages in money brokering.
4.5."Money brokering" means the act of arranging or providing loans or leases as a form 
of financing, or advertising or soliciting either in print, by letter, in person, or otherwise, 
the right to find lenders or provide loans or leases for persons or businesses desirous 
of obtaining funds for any purposes.
5.6."Net branch" means an office at which a licensed money broker allows a separate 
person that does not hold a valid North Dakota money brokers license to originate 
loans under the license of the money broker.
6.7."Net branch arrangement" means an arrangement under which a licensed money 
broker enters an agreement whereby its designated branch manager has the 
appearance of ownership of the licensee by, among other things, sharing in the profits 
or losses, establishing, leasing, or renting the branch premises, entering other 
contractual relationships with vendors such as for telephones, utilities, and advertising, 
having control of a corporate checkbook, or exercising control of personnel through 
the power to hire or fire such individuals. A person may be considered to be utilizing a 
net branch if the net branch agreement requires the branch manager to indemnify the 
licensee for damages from any apparent, express, or implied agency representation 
by or through the branch's actions or if the agreement requires the branch manager to 
issue a personal check to cover operating expenses whether or not funds are 
available from an operating account of the licensee.
7.8."Precomputed loan" means a loan that is expressed as a sum comprising the principal 
and the amount of the loan finance charge computed in advance.
SECTION 6. AMENDMENT. Section 13-04.1-11.1 of the North Dakota Century Code is 
amended and reenacted as follows:
13-04.1-11.1. Response to department requests.
An applicant, licensee, or other person subject to the provisions of this chapter shall comply 
with requests for information, documents, or other requests from the department of financial 
institutions within the time specified in the request, which must be a minimum of ten days, or, if 
no time is specified, within thirty days of the mailing of the request by the department of 
financial institutions. If the request for information is in regard to a new application or renewal of 
an existing application and is not received within the time specified in the request, or within 
thirty days of the mailing of the request, the department may deny the application.
SECTION 7. AMENDMENT. Section 13-05-07.1 of the North Dakota Century Code is 
amended and reenacted as follows:
13-05-07.1. Response to department requests.
An applicant, licensee, or other person subject to the provisions of this chapter shall comply 
with requests for information, documents, or other requests from the department of financial 
institutions within the time specified in the request, which must be a minimum of ten days, or, if 
no time is specified, within thirty days of the mailing of the request by the department of 
financial institutions. If the request for information is in regard to a new application or renewal of 
an existing application and is not received within the time specified in the request, or within 
thirty days of the mailing of the request, the department may deny the application.
SECTION 8. AMENDMENT. Section 13-08-10 of the North Dakota Century Code is 
amended and reenacted as follows:
13-08-10. Regulations - Examinations.
The commissioner may adopt rules for the implementation and enforcement of this chapter. 
A copy of a rule adopted by the commissioner must be mailed to each licensee at least thirty 
days before the date the rule takes effect. To assure compliance with this chapter, the 
commissioner may examine the relevant business, books, and records of any licensee. The 
licensee shall pay an examination or visitation fee, and the commissioner shall charge the 
licensee for the actual cost of the examination or visitation at an hourly rate set by the 
commissioner which is sufficient to cover all reasonable expenses associated with the 
examination or visitation.
SECTION 9. AMENDMENT. Section 13-08-11.1 of the North Dakota Century Code is 
amended and reenacted as follows:
13-08-11.1. Response to department requests.
An applicant, licensee, or other person subject to the provisions of this chapter shall comply 
with requests for information, documents, or other requests from the department of financial 
institutions within the time specified in the request, which must be a minimum of ten days, or, if 
no time is specified, within thirty days of the mailing of the request by the department of 
financial institutions. If the request for information is in regard to a new application or renewal of 
an existing application and is not received within the time specified in the request, or within 
thirty days of the mailing of the request, the department may deny the application.
SECTION 10. AMENDMENT. Section 13-09.1-14 of the North Dakota Century Code is 
amended and reenacted as follows:
13-09.1-14. Renewal of license.
1.A license under this chapter must be renewed annually.
a.An annual nonrefundable renewal fee must be paid by December thirty-first. The 
fee must equal five hundred dollars or one-fourth of one percent of the money 
transmission dollar volume in North Dakota for the twelve months ending June 
thirtieth, whichever is greater. For the transmission of virtual currency as defined 
in section 13-09.1-44, the fee must equal five hundred dollars or one-fourth of 
one percent of the average United States dollar equivalent market value of the 
virtual currency transmitted in North Dakota for the twelve months ending June 
thirtieth, whichever is greater. The fee may not exceed two thousand five hundred 
dollars.
b.The renewal term must be for a period of one year and begins on January first of 
each year after the initial license term and expires on December thirty-first of the 
year the renewal term begins.
2.A licensee shall submit a renewal report with the renewal fee, in a form and in a 
medium prescribed by the commissioner. The renewal report must state or contain a 
description of each material change in information submitted by the licensee in its 
original license application which has not been reported to the commissioner.
3.The commissioner for good cause may grant an extension of the renewal date.
4.The commissioner may utilize the nationwide system to process license renewals 
provided that such functionality is consistent with this section.
5.A licensee may renew an expired license no later than January thirty-first subject to a 
late fee of fifty dollars.
6.The commissioner may deny an application to renew a license if the licensee no 
longer meets the criteria for licensure or otherwise fails to comply with this chapter.
SECTION 11. AMENDMENT. Subsection 3 of section 13-09.1-17 of the North Dakota 
Century Code is amended and reenacted as follows:
3.A notice of disapproval must contain a statement of the basis for disapproval and must 
be sent to the licensee and the disapproved individual. A licensee may appeal a notice 
of disapproval by requesting a hearing before the commissioner within thirtytwenty 
days after receipt of notice of disapproval in accordance with chapter 28-32.
SECTION 12. AMENDMENT. Section 13-09.1-38 of the North Dakota Century Code is 
amended and reenacted as follows:
13-09.1-38. Orders to cease and desist.
1.If the commissioner determines that a violation of this chapter or of a rule adopted or 
an order issued under this chapter by a licensee or authorized delegate is likely to 
cause immediate and irreparable harm to the licensee, its customers, or the public as 
a result of the violation, or cause insolvency or significant dissipation of assets of the 
licensee, the commissioner may issue an order requiring the licensee or authorized 
delegate to cease and desist from the violation. The order becomes effective upon 
issuance.
2.The commissioner may issue an order against a licensee to cease and desist from 
providing money transmission through an authorized delegate that is the subject of a 
separate order by the commissioner.
3.An order to cease and desist remains effective and enforceable pending the 
completion of an administrative proceedingmust contain a notice of opportunity for a 
hearing pursuant to chapter 28-32.
4.An order to cease and desist expires unless the commissioner commences an 
administrative proceeding pursuant to chapter 28-32 within ten days after it is issuedIf 
the company or individual subject to an order to cease and desist fails to request a 
hearing in writing to the commissioner within twenty days of issuance, or if a hearing is 
held and the commissioner concludes the record so warrants, the order to cease and 
desist becomes final.
SECTION 13. AMENDMENT. Section 13-10-05 of the North Dakota Century Code is 
amended and reenacted as follows:
13-10-05. Issuance of license.
The commissioner shall not issue a mortgage loan originator license unless the 
commissioner makes at a minimum the following findings:
1.The applicant has never had a mortgage loan originator license revoked in any 
governmental jurisdiction, except that a subsequent formal vacation of such revocation 
shall not be deemed a revocation.
2.The applicant has not been charged pending trial, convicted of, or pled guilty, pled to 
lesser charges, or pled nolo contendere to, a felony in a domestic, foreign, or military 
court:
a.During the seven-year period preceding the date of the application for licensing 
and registration; or
b.At any time preceding such date of application, if such felony involved an act of 
fraud, dishonesty, or a breach of trust, or money laundering;
c.Provided that any pardon of a conviction shall not be a conviction for purposes of 
this subsection.
3.a.The applicant has demonstrated financial responsibility, character, and general 
fitness such as to command the confidence of the community and to warrant a 
determination that the mortgage loan originator will operate honestly, fairly, and 
efficiently within the purposes of this chapter.
b.For purposes of this subsection, a person has shown that that person is not 
financially responsible when that person has shown a disregard in the 
management of that person's own financial condition. A determination that an 
individual has not shown financial responsibility may include:
(1)Current outstanding judgments, except judgments solely as a result of 
medical expenses;
(2)Current outstanding tax liens or other government liens and filings;
(3)Foreclosures within the past three years; and
(4)A pattern of seriously delinquent accounts within the past three years.
4.The applicant has completed the prelicensing education requirement described in 
section 13-10-06.
5.The applicant has passed a written test that meets the test requirement described in 
section 13-10-07.
6.The applicant has met the net worth and surety bond requirements under section 
13-10-13.
SECTION 14. AMENDMENT. Subsection 1 of section 13-11-10 of the North Dakota Century 
Code is amended and reenacted as follows:
1.If the commissioner has reason to believe that grounds for revocation of a license 
exist, the commissioner may send by certified mail tonotify the licensee with a notice 
of hearing stating the contemplated action and in general the grounds thereof and 
setting the time and place for a hearing thereon. Grounds for revocation of a license 
include:
a.Any debt-settlement provider has failed to pay the annual license fee or to 
maintain in effect the bond required under this chapter;
b.The debt-settlement provider has violated this chapter or any rule lawfully made 
by the commissioner implementing this chapter;
c.Any fact or condition exists that, if it had existed at the time of the original 
application for a license, would have warranted the commissioner in refusing its 
issuance; or
d.Any applicant has made any false statement or representation to the 
commissioner in applying for a license under this chapter.
SECTION 15. AMENDMENT. Section 13-12-19 of the North Dakota Century Code is 
amended and reenacted as follows:
13-12-19. Response to department requests.
An applicant, licensee, or other person subject to the provisions of this chapter shall comply 
with requests for information, documents, or other requests from the department of financial 
institutions within the time specified in the request, which must be a minimum of ten days, or, if 
no time is specified, within thirty days of the mailing of the request by the department of 
financial institutions. If the request for information is in regard to a new application or renewal of 
an existing application and is not received within the time specified in the request, or within 
thirty days of the mailing of the request, the department may deny the application.
SECTION 16. AMENDMENT. Subsections 6, 21, and 22 of section 13-13-01 of the North 
Dakota Century Code are amended and reenacted as follows:
6."Interim serviced prior to salemortgage servicing" means the activity of collecting a 
limited number of contractual mortgage payments immediately after origination on 
loans held for sale but prior to the loans being sold into the secondary market.
21."Service or servicing a loan" means on behalf of the lender or investor of a residential 
mortgage loan:
a.Collecting or receiving payments on existing obligations due and owing to the 
lender or investor, including payments of principal, interest, escrow amounts, and 
other amounts due;
b.Collecting fees due to the servicer;
c.Working with the borrower and the licensed lender or servicer to collect data and 
make decisions necessary to modify certain terms of those obligations either 
temporarily or permanently;
d.Otherwise finalizing collection through the foreclosure process; or
e.Servicing a reverse mortgage loan.
22."Servicer" means the entity performing the routine administration of residential 
mortgage loans on behalf of the owner or owners of the related mortgages under the 
terms of a servicing contract.
SECTION 17. AMENDMENT. Section 13-13-04 of the North Dakota Century Code is 
amended and reenacted as follows:
13-13-04. Entities exempted from licensing requirements.
This chapter does not apply to:
1.Banks;
2.Credit unions;
3.Savings and loan associations;
4.State or federal housing finance agencies;
5.Institutions chartered by the farm credit administration; or
6.Not-for-profit mortgage servicers; or
7.Entities solely performing interim mortgage servicing.
SECTION 18. AMENDMENT. Section 13-13-18 of the North Dakota Century Code is 
amended and reenacted as follows:
13-13-18. Response to department requests.
An applicant, licensee, or other person subject to the provisions of this chapter shall comply 
with requests for information, documents, or other requests from the department of financial 
institutions within the time specified in the request, which must be a minimum of ten days, or, if 
no time is specified, within thirty days of the mailing of the request by the department of 
financial institutions. If the request for information is in regard to a new application or renewal of 
an existing application and is not received within the time specified in the request, or within 
thirty days of the mailing of the request, the department may deny the application.