North Dakota 2025-2026 Regular Session

North Dakota House Bill HB1127 Compare Versions

OldNewDifferences
1-Sixty-ninth Legislative Assembly of North Dakota
2-In Regular Session Commencing Tuesday, January 7, 2025
3-HOUSE BILL NO. 1127
4-(Industry, Business and Labor Committee)
1+25.8110.02001
2+Title.03000
3+Adopted by the Senate Industry and
4+Business Committee
5+Sixty-ninth
6+March 10, 2025
7+Legislative Assembly
8+of North Dakota
9+Introduced by
10+Industry, Business and Labor Committee
511 (At the request of the Department of Financial Institutions)
6-AN ACT to create and enact chapter 13-01.2 of the North Dakota Century Code, relating to the financial
7-institution data security program; and to amend and reenact sections 6-01-04.1 and 6-01-04.2,
8-subsection 7 of section 6-03-02, sections 13-04.1-01.1, 13-04.1-11.1, 13-05-07.1, 13-08-10,
9-13-08-11.1, and 13-09.1-14, subsection 3 of section 13-09.1-17, sections 13-09.1-38 and
10-13-10-05, subsection 1 of section 13-11-10, section 13-12-19, subsections 6, 21, and 22 of
11-section 13-13-01, and sections 13-13-04 and 13-13-18 of the North Dakota Century Code,
12-relating to the department of financial institutions, financial institutions, response to department
13-requests, renewal of licenses, orders to cease and desist, issuance of licenses, revocation of
14-licenses, and exemptions from licenses.
12+A BILL for an Act to create and enact chapter 13-01.2 of the North Dakota Century Code,
13+relating to the financial institution data security program; and to amend and reenact sections
14+6-01-04.1 and 6-01-04.2, subsection 7 of section 6-03-02, sections 13-04.1-01.1, 13-04.1-11.1,
15+13-05-07.1, 13-08-10, 13-08-11.1, and 13-09.1-14, subsection 3 of section 13-09.1-17, sections
16+13-09.1-38 and 13-10-05, subsection 1 of section 13-11-10, section 13-12-19, subsections 6,
17+21, and 22 of section 13-13-01, and sections 13-13-04 and 13-13-18 of the North Dakota
18+Century Code, relating to the department of financial institutions, financial institutions, response
19+to department requests, renewal of licenses, orders to cease and desist, issuance of licenses,
20+revocation of licenses, and exemptions from licenses.
1521 BE IT ENACTED BY THE LEGISLATIVE ASSEMBLY OF NORTH DAKOTA:
16-SECTION 1. AMENDMENT. Section 6-01-04.1 of the North Dakota Century Code is amended and
17-reenacted as follows:
22+SECTION 1. AMENDMENT. Section 6-01-04.1 of the North Dakota Century Code is
23+amended and reenacted as follows:
1824 6-01-04.1. Removal of officers, directors, and employees of financial corporations or
1925 institutions.
20-1.The department of financial institutions or the board may issue, upon any current or former
21-officer, director, or employee of a financial corporation, financial institution, or credit union
22-subject to its jurisdiction and upon a financial corporation, financial institution, or credit union
23-involved, an order stating:
24-a.That the current or former officer, director, or employee is engaging, or has engaged, in
25-any of the following conduct:
26-(1)Violating any law, regulation, board order, or written agreement with the board.
26+1.The department of financial institutions or the board may issue, upon any current or
27+former officer, director, or employee of a financial corporation, financial institution, or
28+credit union subject to its jurisdiction and upon a financial corporation, financial
29+institution, or credit union involved, an order stating:
30+a.That the current or former officer, director, or employee is engaging, or has
31+engaged, in any of the following conduct:
32+Page No. 1 25.8110.02001
33+ENGROSSED HOUSE BILL NO. 1127
34+FIRST ENGROSSMENT
35+PROPOSED AMENDMENTS TO
57+(1)Violating any law, regulation, board order, or written agreement with the
58+board.
2759 (2)Engaging or participating in any unsafe or unsound practice.
28-(3)Performing any act of commission or omission or practice which is a breach of trust
29-or a breach of fiduciary duty.
30-b.The term of the suspension or removal from employment and participation within the
31-conduct of the affairs of a financial corporation, financial institution, credit union, or any
32-other entity licensed by the department of financial institutions.
33-2.The order must contain a notice of opportunity for hearing pursuant to chapter 28-32. The date
34-for the hearing must be set not less than thirty days after the date the complaint is served
35-upon the current or former officer, director, or employee of a financial corporation, financial
36-institution, credit union, or any other entity licensed by the department of financial institutions.
37-The current or former officer, director, or employee may waive the thirty-day notice
38-requirement.
39-3.If no hearing is requested within twenty days of the date the order is served upon the current
40-or former officer, director, or employee, the order is final. If a hearing is held and the board
41-finds that the record so warrants, it may enter a final order. The final order suspending or
42-removing the current or former officer, director, or employee is final. The current or former
43-officer or employee may request a termination of the final order after a period of no less than
44-three years.
45-4.A contested or default suspension or removal order is effective immediately upon issuance on
46-the current or former officer, director, or employee and upon a financial corporation, financial
47-institution, or credit union. A consent order is effective as agreed.
48-5.Any current or former officer, director, or employee suspended or removed from any position
49-pursuant to this section is not eligible, while under suspension or removal, to be employed or
50-otherwise participate in the affairs of any financial corporation, financial institution, or credit
51-union or any other entity licensed by the department of financial institutions until the
52-suspension or removal is terminated by the department of financial institutions or board.
53-6.When any current or former officer, director, employee, or other person participating in the
54-conduct of the affairs of a financial corporation, financial institution, or credit union is charged
55-with a felony in state or federal court, involving dishonesty or breach of trust, the
56-commissioner may immediately suspend the person from office or prohibit the person from
57-any further participation in a financial corporation's, financial institution's, or credit union's
58-affairs. The order is effective immediately upon issuance of the order on a financial
59-corporation, financial institution, or credit union and the person charged, and remains in effect
60-until the criminal charge is finally disposed of or until modified by the board. If a judgment of
61-conviction, a federal pretrial diversion, conviction or agreement to plea to lesser charges, or
62-similar state order or judgment is entered, the board or commissioner may order that the
63-suspension or prohibition be made permanent. A finding of not guilty or other disposition of the
64-charge does not preclude the commissioner or the board from pursuing administrative or civil
65-remedies.
66-7.The commissioner or board may issue upon a current or former officer, director, employee, or
67-other person participating in the conduct of the affairs of a financial corporation, financial
68-institution, or credit union an order permanently suspending and prohibiting the person from
69-participation in a financial corporation's, financial institution's, or credit union's affairs if
70-convicted of any charge involving dishonesty or breach of trust in state or federal court. The
71-suspension or removal order is effective immediately upon issuance on the current or former
72-officer, director, or employee and upon a financial corporation, financial institution, or credit
73-union.
74-SECTION 2. AMENDMENT. Section 6-01-04.2 of the North Dakota Century Code is amended and
75-reenacted as follows:
60+(3)Performing any act of commission or omission or practice which is a breach
61+of trust or a breach of fiduciary duty.
62+b.The term of the suspension or removal from employment and participation within
63+the conduct of the affairs of a financial corporation, financial institution, credit
64+union, or any other entity licensed by the department of financial institutions.
65+2.The order must contain a notice of opportunity for hearing pursuant to chapter 28-32.
66+The date for the hearing must be set not less than thirty days after the date the
67+complaint is served upon the current or former officer, director, or employee of a
68+financial corporation, financial institution, credit union, or any other entity licensed by
69+the department of financial institutions. The current or former officer, director, or
70+employee may waive the thirty-day notice requirement.
71+3.If no hearing is requested within twenty days of the date the order is served upon the
72+current or former officer, director, or employee, the order is final. If a hearing is held
73+and the board finds that the record so warrants, it may enter a final order. The final
74+order suspending or removing the current or former officer, director, or employee is
75+final. The current or former officer or employee may request a termination of the final
76+order after a period of no less than three years.
77+4.A contested or default suspension or removal order is effective immediately upon
78+issuance on the current or former officer, director, or employee and upon a financial
79+corporation, financial institution, or credit union. A consent order is effective as agreed.
80+5.Any current or former officer, director, or employee suspended or removed from any
81+position pursuant to this section is not eligible, while under suspension or removal, to
82+be employed or otherwise participate in the affairs of any financial corporation,
83+financial institution, or credit union or any other entity licensed by the department of
84+financial institutions until the suspension or removal is terminated by the department of
85+financial institutions or board.
86+6.When any current or former officer, director, employee, or other person participating in
87+the conduct of the affairs of a financial corporation, financial institution, or credit union
121+is charged with a felony in state or federal court, involving dishonesty or breach of
122+trust, the commissioner may immediately suspend the person from office or prohibit
123+the person from any further participation in a financial corporation's, financial
124+institution's, or credit union's affairs. The order is effective immediately upon issuance
125+of the order on a financial corporation, financial institution, or credit union and the
126+person charged, and remains in effect until the criminal charge is finally disposed of or
127+until modified by the board. If a judgment of conviction, a federal pretrial diversion,
128+conviction or agreement to plea to lesser charges, or similar state order or judgment is
129+entered, the board or commissioner may order that the suspension or prohibition be
130+made permanent. A finding of not guilty or other disposition of the charge does not
131+preclude the commissioner or the board from pursuing administrative or civil remedies.
132+7.The commissioner or board may issue upon a current or former officer, director,
133+employee, or other person participating in the conduct of the affairs of a financial
134+corporation, financial institution, or credit union an order permanently suspending and
135+prohibiting the person from participation in a financial corporation's, financial
136+institution's, or credit union's affairs if convicted of any charge involving dishonesty or
137+breach of trust in state or federal court. The suspension or removal order is effective
138+immediately upon issuance on the current or former officer, director, or employee and
139+upon a financial corporation, financial institution, or credit union.
140+SECTION 2. AMENDMENT. Section 6-01-04.2 of the North Dakota Century Code is
141+amended and reenacted as follows:
76142 6-01-04.2. Cease and desist orders.
77-1.The department of financial institutions or the board may issue and serve upon a financial
78-corporation, financial institution, or credit union subject to its jurisdiction a complaint stating the
79-factual basis for the department's or board's belief that the financial corporation, financial
80-institution, or credit union is engaging in any of the following conduct:
143+1.The department of financial institutions or the board may issue and serve upon a
144+financial corporation, financial institution, or credit union subject to its jurisdiction a
145+complaint stating the factual basis for the department's or board's belief that the
146+financial corporation, financial institution, or credit union is engaging in any of the
147+following conduct:
81148 a.An unsafe or unsound practice.
82-b.A violation in the past or on a continuing basis of any law, regulation, board order, or
83-written agreement entered into with the board or department of financial institutions.
84-2.The complaint must contain a notice of opportunity for hearing pursuant to chapter 28-32. The
85-date for the hearing must be set not less than thirty days after the date the complaint is served
86-upon the financial corporation, financial institution, or credit union. The financial corporation,
87-financial institution, or credit union may waive the thirty-day notice requirement.
88-3.If the financial corporation, financial institution, or credit union fails to respond to the complaint
89-within twenty days of its service, or if a hearing is held and the board concludes that the record
90-so warrants, the board may enter an order directing the financial corporation, financial
91-institution, or credit union to cease and desist from engaging in the conduct which was the
92-subject of the complaint and hearing and to take corrective action.
93-4.The commissioner or the board may enter an emergency, temporary cease and desist order if
94-the commissioner or the board finds the conduct described in the complaint is likely to cause
95-insolvency, substantial dissipation of assets, earnings, or capital of the financial corporation,
96-financial institution, or credit union, or substantial prejudice to the depositors, shareholders,
97-members, or creditors of the financial corporation, financial institution, or credit union. An
98-emergency, temporary cease and desist order is effective immediately upon service on the
99-financial corporation, financial institution, or credit union and remains in effect for no longer
100-than sixty days or until the conclusion of permanent cease and desist proceedings pursuant to
101-this section, whichever is sooner. An emergency, temporary cease and desist order may be
102-issued without an opportunity for hearing. A bank or credit union may request a hearing before
103-the state banking board or state credit union board within ten days of the order to review the
104-factual basis used to issue the emergency, temporary cease and desist order. The decision
105-made by the board during this hearing will be final. If a hearing is not requested, the initial
106-decision of the commissioner or board will be final.
107-SECTION 3. AMENDMENT. Subsection 7 of section 6-03-02 of the North Dakota Century Code is
108-amended and reenacted as follows:
109-7.Exercise, as determined by the board or commissioner by order or rule, all the incidental
110-powers as are necessary to carry on the business of banking, including discounting and
111-negotiating promissory notes, bills of exchange, drafts, and other evidences of debt; receiving
112-deposits; buying and selling exchange, coin, and bullion; loaning money upon real or personal
113-security, or both; soliciting and receiving deposits in the nature of custodial accounts for the
114-purpose of health savings or similar health care cost funding accounts, retirement fund
115-contracts, or pension programs, and such custodial accounts are exempt from chapter 6-05;
116-and providing services to its customers involving electronic transfer of funds to the same
117-extent that other financial institutions chartered and regulated by an agency of the federal
118-government are permitted to provide those services within this state. A bank that provides
119-electronic funds transfer equipment and service to its customers, at premises separate from its
120-main banking house or duly authorized facility approved by the state banking board, must
121-make the equipment and service available for use by customers of any other bank upon the
122-request of the other bank to share its use and the agreement of the other bank to share pro
123-rata all costs incurred in connection with its installation and operation, and the electronic
124-operations are not deemed to be the establishment of a branch, nor of a separate facility. The
125-electronic operations at premises separate from its banking house or duly authorized facility
126-must be considered a customer electronic funds transfer center and may be established
127-subject to rules that the state banking board adopts.
128-SECTION 4. Chapter 13-01.2 of the North Dakota Century Code is created and enacted as follows:
149+b.A violation in the past or on a continuing basis of any law, regulation, board order,
150+or written agreement entered into with the board or department of financial
151+institutions.
185+2.The complaint must contain a notice of opportunity for hearing pursuant to chapter
186+28-32. The date for the hearing must be set not less than thirty days after the date the
187+complaint is served upon the financial corporation, financial institution, or credit union.
188+The financial corporation, financial institution, or credit union may waive the thirty-day
189+notice requirement.
190+3.If the financial corporation, financial institution, or credit union fails to respond to the
191+complaint within twenty days of its service, or if a hearing is held and the board
192+concludes that the record so warrants, the board may enter an order directing the
193+financial corporation, financial institution, or credit union to cease and desist from
194+engaging in the conduct which was the subject of the complaint and hearing and to
195+take corrective action.
196+4.The commissioner or the board may enter an emergency, temporary cease and desist
197+order if the commissioner or the board finds the conduct described in the complaint is
198+likely to cause insolvency, substantial dissipation of assets, earnings, or capital of the
199+financial corporation, financial institution, or credit union, or substantial prejudice to the
200+depositors, shareholders, members, or creditors of the financial corporation, financial
201+institution, or credit union. An emergency, temporary cease and desist order is
202+effective immediately upon service on the financial corporation, financial institution, or
203+credit union and remains in effect for no longer than sixty days or until the conclusion
204+of permanent cease and desist proceedings pursuant to this section, whichever is
205+sooner. An emergency, temporary cease and desist order may be issued without an
206+opportunity for hearing. A bank or credit union may request a hearing before the state
207+banking board or state credit union board within ten days of the order to review the
208+factual basis used to issue the emergency, temporary cease and desist order. The
209+decision made by the board during this hearing will be final. If a hearing is not
210+requested, the initial decision of the commissioner or board will be final.
211+SECTION 3. AMENDMENT. Subsection 7 of section 6-03-02 of the North Dakota Century
212+Code is amended and reenacted as follows:
213+7.Exercise, as determined by the board or commissioner by order or rule, all the
214+incidental powers as are necessary to carry on the business of banking, including
215+discounting and negotiating promissory notes, bills of exchange, drafts, and other
249+evidences of debt; receiving deposits; buying and selling exchange, coin, and bullion;
250+loaning money upon real or personal security, or both; soliciting and receiving deposits
251+in the nature of custodial accounts for the purpose of health savings or similar health
252+care cost funding accounts, retirement fund contracts, or pension programs, and such
253+custodial accounts are exempt from chapter 6-05; and providing services to its
254+customers involving electronic transfer of funds to the same extent that other financial
255+institutions chartered and regulated by an agency of the federal government are
256+permitted to provide those services within this state. A bank that provides electronic
257+funds transfer equipment and service to its customers, at premises separate from its
258+main banking house or duly authorized facility approved by the state banking board,
259+must make the equipment and service available for use by customers of any other
260+bank upon the request of the other bank to share its use and the agreement of the
261+other bank to share pro rata all costs incurred in connection with its installation and
262+operation, and the electronic operations are not deemed to be the establishment of a
263+branch, nor of a separate facility. The electronic operations at premises separate from
264+its banking house or duly authorized facility must be considered a customer electronic
265+funds transfer center and may be established subject to rules that the state banking
266+board adopts.
267+SECTION 4. Chapter 13-01.2 of the North Dakota Century Code is created and enacted as
268+follows:
129269 13-01.2-01. Definitions.
130270 For purposes of this chapter, the following definitions shall apply:
131271 1."Authorized user" means any employee, contractor, agent, or other person who:
132272 a.Participates in a financial corporation's business operations; and
133-b.Is authorized to access and use any of the financial corporation's information systems
134-and data.
273+b.Is authorized to access and use any of the financial corporation's information
274+systems and data.
135275 2."Commissioner" means the commissioner of the department of financial institutions.
136276 3."Consumer":
137-a.Means an individual, or that individual's legal representative, who applies for or has
138-obtained a financial product or service from a financial corporation which is to be used
139-primarily for personal, family, or household purposes. A consumer includes an individual
140-who:
277+a.Means an individual, or that individual's legal representative, who applies for or
278+has obtained a financial product or service from a financial corporation which is to
311+be used primarily for personal, family, or household purposes. A consumer
312+includes an individual who:
141313 (1)Applies to a financial corporation for credit for personal, family, or household
142314 purposes, regardless of whether the credit is extended.
143-(2)Provides nonpublic personal information to a financial corporation to obtain a
144-determination about whether the applicant may qualify for a loan to be used
145-primarily for personal, family, or household purposes, regardless of whether the loan
146-is extended.
147-(3)Provides nonpublic personal information to a financial corporation in connection with
148-obtaining or seeking to obtain financial, investment, or economic advisory services,
149-regardless of whether the financial corporation establishes a continuing advisory
150-relationship.
315+(2)Provides nonpublic personal information to a financial corporation to obtain
316+a determination about whether the applicant may qualify for a loan to be
317+used primarily for personal, family, or household purposes, regardless of
318+whether the loan is extended.
319+(3)Provides nonpublic personal information to a financial corporation in
320+connection with obtaining or seeking to obtain financial, investment, or
321+economic advisory services, regardless of whether the financial corporation
322+establishes a continuing advisory relationship.
151323 (4)Has a loan for personal, family, or household purposes in which the financial
152-corporation has ownership or servicing rights, even if the financial corporation or
153-one or more other corporations that hold ownership or servicing rights in conjunction
154-with the financial corporation hires an agent to collect on the loan.
324+corporation has ownership or servicing rights, even if the financial
325+corporation or one or more other corporations that hold ownership or
326+servicing rights in conjunction with the financial corporation hires an agent to
327+collect on the loan.
155328 b.Does not include an individual who:
156-(1)Uses a different financial corporation or financial institution to act solely as an agent
157-for, or provide processing or other services to, the individual financial corporation or
158-financial institution.
159-(2)Designates a financial corporation solely for the purposes to act as trustee for a
160-trust.
329+(1)Uses a different financial corporation or financial institution to act solely as
330+an agent for, or provide processing or other services to, the individual
331+financial corporation or financial institution.
332+(2)Designates a financial corporation solely for the purposes to act as trustee
333+for a trust.
161334 (3)Is a beneficiary of a trust for which the financial corporation is a trustee.
162335 (4)Is a participant or a beneficiary of an employee benefit plan that the financial
163-corporation sponsors or for which the financial corporation acts as a trustee or
164-fiduciary.
336+corporation sponsors or for which the financial corporation acts as a trustee
337+or fiduciary.
165338 4."Continuing relationship":
166339 a.Means a situation in which a consumer:
167340 (1)Has a credit or investment account with a financial corporation;
168341 (2)Obtains a loan from a financial corporation;
169375 (3)Purchases an insurance product from a financial corporation;
170-(4)Holds an investment product through a financial corporation, including when a
171-financial corporation acts as a custodian for securities or for assets in an individual
172-retirement arrangement;
173-(5)Enters into an agreement or understanding with a financial corporation in which the
174-financial corporation undertakes to arrange or broker a home mortgage loan, or
175-credit to purchase a vehicle, for the consumer;
176-(6)Enters into a lease of personal property on a nonoperating basis with a financial
177-corporation;
178-(7)Obtains financial, investment, or economic advisory services from a financial
179-corporation for a fee;
180-(8)Becomes a financial corporation's client for the purpose of obtaining tax preparation
181-or credit counseling services from the financial corporation;
376+(4)Holds an investment product through a financial corporation, including when
377+a financial corporation acts as a custodian for securities or for assets in an
378+individual retirement arrangement;
379+(5)Enters into an agreement or understanding with a financial corporation in
380+which the financial corporation undertakes to arrange or broker a home
381+mortgage loan, or credit to purchase a vehicle, for the consumer;
382+(6)Enters into a lease of personal property on a nonoperating basis with a
383+financial corporation;
384+(7)Obtains financial, investment, or economic advisory services from a
385+financial corporation for a fee;
386+(8)Becomes a financial corporation's client for the purpose of obtaining tax
387+preparation or credit counseling services from the financial corporation;
182388 (9)Obtains career counseling while:
183-(a)Seeking employment with a financial corporation or the finance, accounting,
184-or audit department of any company; or
389+(a)Seeking employment with a financial corporation or the finance,
390+accounting, or audit department of any company; or
185391 (b)Employed by a financial corporation or department of any company;
186-(10)Is obligated on an account that a financial corporation purchases from another
187-financial corporation, regardless of whether the account is in default when
188-purchased, unless the financial corporation does not locate the consumer or attempt
189-to collect any amount from the consumer on the account;
392+(10)Is obligated on an account that a financial corporation purchases from
393+another financial corporation, regardless of whether the account is in default
394+when purchased, unless the financial corporation does not locate the
395+consumer or attempt to collect any amount from the consumer on the
396+account;
190397 (11)Obtains real estate settlement services from a financial corporation; or
191398 (12)Has a loan for which a financial corporation owns the servicing rights.
192399 b.Does not include a situation in which:
193-(1)The consumer obtains a financial product or service from a financial corporation
194-only in isolated transactions, including:
195-(a)A financial corporation's automated teller machine to withdraw cash from an
196-account at another financial institution;
400+(1)The consumer obtains a financial product or service from a financial
401+corporation only in isolated transactions, including:
402+(a)A financial corporation's automated teller machine to withdraw cash
403+from an account at another financial institution;
197404 (b)Purchasing a money order from a financial corporation;
198405 (c)Cashing a check with a financial corporation; or
199439 (d)Making a wire transfer through a financial corporation;
200-(2)A financial corporation sells the consumer's loan and does not retain the rights to
201-service that loan;
202-(3)A financial corporation sells the consumer an airline ticket, travel insurance, or a
203-traveler's check in isolated transactions;
204-(4)The consumer obtains one-time personal or real property appraisal services from a
205-financial corporation; or
206-(5)The consumer purchases checks for a personal checking account from a financial
440+(2)A financial corporation sells the consumer's loan and does not retain the
441+rights to service that loan;
442+(3)A financial corporation sells the consumer an airline ticket, travel insurance,
443+or a traveler's check in isolated transactions;
444+(4)The consumer obtains one-time personal or real property appraisal services
445+from a financial corporation; or
446+(5)The consumer purchases checks for a personal checking account from a
447+financial corporation.
448+5."Customer" means a consumer who has a customer relationship with a financial
207449 corporation.
208-5."Customer" means a consumer who has a customer relationship with a financial corporation.
209-6."Customer information" means any record containing nonpublic personal information about a
210-customer of a financial corporation, whether in paper, electronic, or other form, which is
211-handled or maintained by or on behalf of the financial corporation or the financial corporation's
212-affiliates.
213-7."Customer relationship" means a continuing relationship between a consumer and a financial
214-corporation under which the financial corporation provides one or more financial products or
215-services to the consumer that are used primarily for personal, family, or household purposes.
216-8."Encryption" means the transformation of data into a form that results in a low probability of
217-assigning meaning without the use of a protective process or key, consistent with current
218-cryptographic standards and accompanied by appropriate safeguards for cryptographic key
219-material.
220-9."Financial corporation" means all entities regulated by the department of financial institutions,
221-excluding financial institutions and credit unions.
450+6."Customer information" means any record containing nonpublic personal information
451+about a customer of a financial corporation, whether in paper, electronic, or other form,
452+which is handled or maintained by or on behalf of the financial corporation or the
453+financial corporation's affiliates.
454+7."Customer relationship" means a continuing relationship between a consumer and a
455+financial corporation under which the financial corporation provides one or more
456+financial products or services to the consumer that are used primarily for personal,
457+family, or household purposes.
458+8."Encryption" means the transformation of data into a form that results in a low
459+probability of assigning meaning without the use of a protective process or key,
460+consistent with current cryptographic standards and accompanied by appropriate
461+safeguards for cryptographic key material.
462+9."Financial corporation" means all entities regulated by the department of financial
463+institutions, excluding financial institutions and credit unions.
222464 10."Financial institution" means any bank, industrial loan company, or savings and loan
223465 association organized under the laws of this state or of the United States.
224-11."Financial product or service" means any product or service that a financial holding company
225-could offer by engaging in a financial activity under the federal Bank Holding Company Act of
226-1956 [12 U.S.C. 1843 section 4(k)]. The term includes a financial corporation's evaluation or
227-brokerage of information that a financial corporation collects in connection with a request or an
228-application from a consumer for a financial product or service.
229-12."Information security program" means the administrative, technical, or physical safeguards a
230-financial corporation uses to access, collect, distribute, process, protect, store, use, transmit,
231-dispose of, or otherwise handle customer information.
232-13."Information system" means a discrete set of electronic information resources organized for
233-the collection, processing, maintenance, use, sharing, dissemination, or disposition of
234-electronic information, as well as any specialized system, including industrial process controls
235-systems, telephone switching and private branch exchange systems, and environmental
236-controls systems that contain customer information or that is connected to a system that
237-contains customer information.
238-14."Multifactor authentication" means authentication through verification of at least two of the
239-following types of authentication factors:
466+11."Financial product or service" means any product or service that a financial holding
467+company could offer by engaging in a financial activity under the federal Bank Holding
468+Company Act of 1956 [12 U.S.C. 1843 section 4(k)]. The term includes a financial
469+corporation's evaluation or brokerage of information that a financial corporation
503+collects in connection with a request or an application from a consumer for a financial
504+product or service.
505+12."Information security program" means the administrative, technical, or physical
506+safeguards a financial corporation uses to access, collect, distribute, process, protect,
507+store, use, transmit, dispose of, or otherwise handle customer information.
508+13."Information system" means a discrete set of electronic information resources
509+organized for the collection, processing, maintenance, use, sharing, dissemination, or
510+disposition of electronic information, as well as any specialized system, including
511+industrial process controls systems, telephone switching and private branch exchange
512+systems, and environmental controls systems that contain customer information or
513+that is connected to a system that contains customer information.
514+14."Multifactor authentication" means authentication through verification of at least two of
515+the following types of authentication factors:
240516 a.Knowledge factors, including a password;
241517 b.Possession factors, including a token; or
242518 c.Inherence factors, including biometric characteristics.
243519 15."Nonpublic personal information":
244520 a.Means:
245521 (1)Personally identifiable financial information; and
246-(2)Any list, description, or other grouping of consumers, including publicly available
247-information pertaining to the consumers that is derived using personally identifiable
248-financial information that is not publicly available, including account numbers.
522+(2)Any list, description, or other grouping of consumers, including publicly
523+available information pertaining to the consumers that is derived using
524+personally identifiable financial information that is not publicly available,
525+including account numbers.
249526 b.Does not include:
250-(1)Publicly available information, except as included on a list described in paragraph 2
251-of subdivision a;
252-(2)Any list, description, or other grouping of consumers, including publicly available
253-information pertaining to the consumers that is derived without using any personally
254-identifiable financial information that is not publicly available; or
255-(3)Any list of individuals' names and addresses that contains only publicly available
256-information, is not derived, in whole or in part, using personally identifiable financial
257-information that is not publicly available, and is not disclosed in a manner that
258-indicates that any individual on the list is the financial corporation's consumer.
259-16."Notification event" means the acquisition of unencrypted customer information without the
260-authorization of the individual to which the information pertains. Customer information is
261-considered unencrypted for purposes of this subsection if the encryption key was accessed by
262-an unauthorized person. Unauthorized acquisition is presumed to include unauthorized access
263-to unencrypted customer information unless the financial corporation has reliable evidence
264-showing there has not been, or could not reasonably have been, unauthorized acquisition of
265-customer information.
266-17."Penetration testing" means a test methodology in which assessors attempt to circumvent or
267-defeat the security features of an information system by attempting to penetrate databases or
268-controls from outside or inside a financial corporation's information systems.
527+(1)Publicly available information, except as included on a list described in
528+paragraph 2 of subdivision a;
529+(2)Any list, description, or other grouping of consumers, including publicly
530+available information pertaining to the consumers that is derived without
531+using any personally identifiable financial information that is not publicly
532+available; or
565+(3)Any list of individuals' names and addresses that contains only publicly
566+available information, is not derived, in whole or in part, using personally
567+identifiable financial information that is not publicly available, and is not
568+disclosed in a manner that indicates that any individual on the list is the
569+financial corporation's consumer.
570+16."Notification event" means the acquisition of unencrypted customer information without
571+the authorization of the individual to which the information pertains. Customer
572+information is considered unencrypted for purposes of this subsection if the encryption
573+key was accessed by an unauthorized person. Unauthorized acquisition is presumed
574+to include unauthorized access to unencrypted customer information unless the
575+financial corporation has reliable evidence showing there has not been, or could not
576+reasonably have been, unauthorized acquisition of customer information.
577+17."Penetration testing" means a test methodology in which assessors attempt to
578+circumvent or defeat the security features of an information system by attempting to
579+penetrate databases or controls from outside or inside a financial corporation's
580+information systems.
269581 18."Personally identifiable financial information":
270582 a.Means any information:
271-(1)A consumer provides to a financial corporation to obtain a financial product or
272-service;
273-(2)About a consumer resulting from any transaction involving a financial product or
274-service between a financial corporation and a consumer; or
275-(3)A financial corporation otherwise obtains about a consumer in connection with
276-providing a financial product or service to that consumer.
583+(1)A consumer provides to a financial corporation to obtain a financial product
584+or service;
585+(2)About a consumer resulting from any transaction involving a financial
586+product or service between a financial corporation and a consumer; or
587+(3)A financial corporation otherwise obtains about a consumer in connection
588+with providing a financial product or service to that consumer.
277589 b.Includes:
278-(1)Information a consumer provides to a financial corporation on an application to
279-obtain a loan, credit card, or other financial product or service;
280-(2)Account balance information, payment history, overdraft history, and credit or debit
281-card purchase information;
282-(3)An individual that is or has been a financial corporation's customer or has obtained
283-a financial product or service from the financial corporation;
284-(4)Any information about a financial corporation's consumer if it is disclosed in a
285-manner that indicates the individual is or has been a financial corporation's
286-consumer;
287-(5)Any information a consumer provides to a financial corporation or which a financial
288-corporation or a financial corporation's agent otherwise obtains in connection with
289-collecting on, or servicing, a credit account;
290-(6)Any information a financial corporation collects through an information collecting
291-device from a web server; and
590+(1)Information a consumer provides to a financial corporation on an application
591+to obtain a loan, credit card, or other financial product or service;
592+(2)Account balance information, payment history, overdraft history, and credit
593+or debit card purchase information;
594+(3)An individual that is or has been a financial corporation's customer or has
595+obtained a financial product or service from the financial corporation;
629+(4)Any information about a financial corporation's consumer if it is disclosed in
630+a manner that indicates the individual is or has been a financial
631+corporation's consumer;
632+(5)Any information a consumer provides to a financial corporation or which a
633+financial corporation or a financial corporation's agent otherwise obtains in
634+connection with collecting on, or servicing, a credit account;
635+(6)Any information a financial corporation collects through an information
636+collecting device from a web server; and
292637 (7)Information from a consumer report.
293638 c.Does not include:
294-(1)A list of names and addresses of customers of an entity that is not a financial
295-corporation; and
296-(2)Information that does not identify a consumer, such as aggregate information or
297-blind data that does not contain personal identifiers such as account numbers,
298-names, or addresses.
639+(1)A list of names and addresses of customers of an entity that is not a
640+financial corporation; and
641+(2)Information that does not identify a consumer, such as aggregate
642+information or blind data that does not contain personal identifiers such as
643+account numbers, names, or addresses.
299644 19.a."Publicly available information":
300-(1)Means any information that a financial corporation has a reasonable basis to
301-believe is lawfully made available to the general public from:
645+(1)Means any information that a financial corporation has a reasonable basis
646+to believe is lawfully made available to the general public from:
302647 (a)Federal, state, or local government records;
303648 (b)Widely distributed media; or
304-(c)Disclosures to the general public which are required under federal, state, or
305-local law.
649+(c)Disclosures to the general public which are required under federal,
650+state, or local law.
306651 (2)Includes information:
307652 (a)In government real estate records and security interest filings; or
308653 (b)From widely distributed media, a telephone book, a television or radio
309-program, a newspaper, or a website that is available to the general public on
310-an unrestricted basis. A website is not restricted because an internet service
311-provider or a site operator requires a fee or a password, provided access is
312-available to the general public.
313-b.For purposes of this subsection, a financial corporation has a reasonable basis to believe
314-information is lawfully made available to the general public if the financial corporation has
315-taken steps to determine:
654+program, a newspaper, or a website that is available to the general
655+public on an unrestricted basis. A website is not restricted because an
656+internet service provider or a site operator requires a fee or a
657+password, provided access is available to the general public.
689+b.For purposes of this subsection, a financial corporation has a reasonable basis to
690+believe information is lawfully made available to the general public if the financial
691+corporation has taken steps to determine:
316692 (1)The information is of the type available to the general public; and
317-(2)Whether an individual can direct that the information not be made available to the
318-general public and, if so, that the financial corporation's consumer has not done so.
319-A financial corporation has a reasonable basis to believe mortgage information is
320-lawfully made available to the general public if the financial corporation determines
321-the information is of the type included on the public record in the jurisdiction where
322-the mortgage is recorded. A financial corporation has a reasonable basis to believe
323-an individual's telephone number is lawfully made available to the general public if
324-the financial corporation has located the telephone number in the telephone book or
325-the consumer has informed the financial corporation the telephone number is not
326-unlisted.
327-20."Qualified individual" means the individual designated by a financial institution to oversee,
328-implement, and enforce the financial institution's information security program.
329-21."Security event" means an event resulting in unauthorized access to, or disruption or misuse
330-of:
693+(2)Whether an individual can direct that the information not be made available
694+to the general public and, if so, that the financial corporation's consumer has
695+not done so. A financial corporation has a reasonable basis to believe
696+mortgage information is lawfully made available to the general public if the
697+financial corporation determines the information is of the type included on
698+the public record in the jurisdiction where the mortgage is recorded. A
699+financial corporation has a reasonable basis to believe an individual's
700+telephone number is lawfully made available to the general public if the
701+financial corporation has located the telephone number in the telephone
702+book or the consumer has informed the financial corporation the telephone
703+number is not unlisted.
704+20."Qualified individual" means the individual designated by a financial institution to
705+oversee, implement, and enforce the financial institution's information security
706+program.
707+21."Security event" means an event resulting in unauthorized access to, or disruption or
708+misuse of:
331709 a.An information system or information stored on an information system; or
332710 b.Customer information held in physical form.
333711 22."Service provider" means any person or entity that receives, maintains, processes, or
334-otherwise is permitted access to customer information through its provision of services directly
335-to a financial corporation that is subject to this chapter.
712+otherwise is permitted access to customer information through its provision of services
713+directly to a financial corporation that is subject to this chapter.
336714 13-01.2-02. Standards for safeguarding customer information.
337-1.A financial corporation shall develop, implement, and maintain a comprehensive information
338-security program.
715+1.A financial corporation shall develop, implement, and maintain a comprehensive
716+information security program.
339717 2.The information security program must:
340-a.Be written in one or more readily accessible parts; and
341-b.Maintain administrative, technical, and physical safeguards that are appropriate to the
342-financial corporation's size and complexity, the nature and scope of the financial
343-corporation's activities, and the sensitivity of any customer information at issue.
718+a.Be written in one or more readily accessible parts; and
751+b.Maintain administrative, technical, and physical safeguards that are appropriate
752+to the financial corporation's size and complexity, the nature and scope of the
753+financial corporation's activities, and the sensitivity of any customer information at
754+issue.
344755 3.The financial corporation shall develop a security program that:
345756 a.Ensures the security and confidentiality of customer information;
346-b.Protects against any anticipated threats or hazards to the security or integrity of such
347-information; and
348-c.Protects against unauthorized access to or use of such information that could result in
349-substantial harm or inconvenience to any customer.
757+b.Protects against any anticipated threats or hazards to the security or integrity of
758+such information; and
759+c.Protects against unauthorized access to or use of such information that could
760+result in substantial harm or inconvenience to any customer.
350761 13-01.2-03. Elements of a security program.
351-1.A financial corporation's information security program must denote a designation of a qualified
352-individual responsible for overseeing and implementing the financial corporation's information
353-security program and enforcing the financial corporation's information security program. The
354-qualified individual may be employed by the financial corporation, an affiliate, or a service
355-provider.
356-2.If a financial corporation designates an individual employed by an affiliate or service provider
357-as the qualified individual, the financial corporation shall:
762+1.A financial corporation's information security program must denote a designation of a
763+qualified individual responsible for overseeing and implementing the financial
764+corporation's information security program and enforcing the financial corporation's
765+information security program. The qualified individual may be employed by the
766+financial corporation, an affiliate, or a service provider.
767+2.If a financial corporation designates an individual employed by an affiliate or service
768+provider as the qualified individual, the financial corporation shall:
358769 a.Retain responsibility for compliance with this chapter;
359-b.Designate a senior member of the financial corporation's personnel to be responsible for
360-directing and overseeing the qualified individual; and
361-c.Require the service provider or affiliate to maintain an information security program that
362-protects the financial corporation in accordance with the requirements of this chapter.
363-3.A financial corporation shall base the financial corporation's information security program on a
364-risk assessment that:
770+b.Designate a senior member of the financial corporation's personnel to be
771+responsible for directing and overseeing the qualified individual; and
772+c.Require the service provider or affiliate to maintain an information security
773+program that protects the financial corporation in accordance with the
774+requirements of this chapter.
775+3.A financial corporation shall base the financial corporation's information security
776+program on a risk assessment that:
365777 a.Identifies reasonably foreseeable internal and external risks to the security,
366-confidentiality, and integrity of customer information that could result in the unauthorized
367-disclosure, misuse, alteration, destruction or other compromise of customer information;
368-b.Assesses the sufficiency of any safeguards in place to control the risks in subdivision a;
369-and
370-c.Includes additional periodic risk assessments that:
371-(1)Re-examine the reasonably foreseeable internal and external risks to the security,
372778 confidentiality, and integrity of customer information that could result in the
373779 unauthorized disclosure, misuse, alteration, destruction or other compromise of
374-such information; and
780+customer information;
813+b.Assesses the sufficiency of any safeguards in place to control the risks in
814+subdivision a; and
815+c.Includes additional periodic risk assessments that:
816+(1)Re-examine the reasonably foreseeable internal and external risks to the
817+security, confidentiality, and integrity of customer information that could
818+result in the unauthorized disclosure, misuse, alteration, destruction or other
819+compromise of such information; and
375820 (2)Reassess the sufficiency of any safeguards in place to control these risks.
376821 4.The risk assessment must be in writing and include:
377822 a.Criteria to evaluate and categorize identified security risks or threats the financial
378823 corporation faces;
379-b.Criteria for the assessment of the confidentiality, integrity, and availability of the financial
380-corporation's information systems and customer information, including the adequacy of
381-the existing controls in the context of the identified risks or threats the financial
382-corporation faces; and
824+b.Criteria for the assessment of the confidentiality, integrity, and availability of the
825+financial corporation's information systems and customer information, including
826+the adequacy of the existing controls in the context of the identified risks or
827+threats the financial corporation faces; and
383828 c.Requirements describing how:
384-(1)Identified risks will be mitigated or accepted based on the risk assessment; and
829+(1)Identified risks will be mitigated or accepted based on the risk assessment;
830+and
385831 (2)The information security program will address the risks.
386-5.A financial corporation shall design and implement safeguards to control the risks the financial
387-corporation identifies through the risk assessment in subsection 4, which include:
388-a.Implementing and periodically reviewing access controls, including technical and as
389-appropriate, physical controls to:
390-(1)Authenticate and permit access only to authorized users to protect against the
391-unauthorized acquisition of customer information; and
392-(2)Limit an authorized user's access to only customer information the authorized user
393-needs to perform the authorized user's duties and functions, or in the case of a
394-customer, to access the customer's own information.
395-b.Identifying and managing data, personnel, devices, systems, and facilities that enable the
396-financial corporation to achieve business purposes in accordance with the business
397-purpose's relative importance to business objectives and the financial corporation's risk
398-strategy.
399-c.Protecting by encryption all customer information held or transmitted by the financial
400-corporation both in transit over external networks and at rest. To the extent a financial
401-corporation determines that encryption of customer information, either in transit over
402-external networks or at rest, is infeasible, the financial corporation may secure customer
403-information using effective alternative compensating controls reviewed and approved by
404-the financial corporation's qualified individual.
405-d.Adopting secure development practices for in-house developed applications utilized by
406-the financial corporation for transmitting, accessing, or storing customer information and
407-procedures for evaluating, assessing, or testing the security of externally developed
408-applications the financial corporation utilizes to transmit, access, or store customer
409-information.
410-e.Implementing multifactor authentication for any individual accessing any information
411-system, unless the financial corporation's qualified individual has approved in writing the
412-use of a reasonably equivalent or more secure access control.
413-f.Developing, implementing, and maintaining procedures to securely dispose of customer
414-information, in any format, no later than two years after the last date the information is
415-used in connection with providing a product or service to the customer which it relates,
416-unless:
832+5.A financial corporation shall design and implement safeguards to control the risks the
833+financial corporation identifies through the risk assessment in subsection 4, which
834+include:
835+a.Implementing and periodically reviewing access controls, including technical and
836+as appropriate, physical controls to:
837+(1)Authenticate and permit access only to authorized users to protect against
838+the unauthorized acquisition of customer information; and
839+(2)Limit an authorized user's access to only customer information the
840+authorized user needs to perform the authorized user's duties and functions,
841+or in the case of a customer, to access the customer's own information.
842+b.Identifying and managing data, personnel, devices, systems, and facilities that
843+enable the financial corporation to achieve business purposes in accordance with
877+the business purpose's relative importance to business objectives and the
878+financial corporation's risk strategy.
879+c.Protecting by encryption all customer information held or transmitted by the
880+financial corporation both in transit over external networks and at rest. To the
881+extent a financial corporation determines that encryption of customer information,
882+either in transit over external networks or at rest, is infeasible, the financial
883+corporation may secure customer information using effective alternative
884+compensating controls reviewed and approved by the financial corporation's
885+qualified individual.
886+d.Adopting secure development practices for in-house developed applications
887+utilized by the financial corporation for transmitting, accessing, or storing
888+customer information and procedures for evaluating, assessing, or testing the
889+security of externally developed applications the financial corporation utilizes to
890+transmit, access, or store customer information.
891+e.Implementing multifactor authentication for any individual accessing any
892+information system, unless the financial corporation's qualified individual has
893+approved in writing the use of a reasonably equivalent or more secure access
894+control.
895+f.Developing, implementing, and maintaining procedures to securely dispose of
896+customer information, in any format, no later than two years after the last date the
897+information is used in connection with providing a product or service to the
898+customer which it relates, unless:
417899 (1)The information is necessary for business operations or for other legitimate
418900 business purposes;
419901 (2)Is otherwise required to be retained by law or regulation; or
420-(3)Where targeted disposal is not reasonably feasible due to the manner in which the
421-information is maintained.
902+(3)Where targeted disposal is not reasonably feasible due to the manner in
903+which the information is maintained.
422904 g.Periodically reviewing the financial corporation's data retention policy to minimize
423-unnecessary retention of data.
905+unnecessary retention of data.
424906 h.Adopting procedures for change management.
425907 i.Implementing policies, procedures and controls designed to:
426941 (1)Monitor and log the activity of authorized users; and
427-(2)Detect unauthorized access to, use of, or tampering with customer information by
428-authorized users.
429-6.a.A financial corporation shall regularly test or otherwise monitor the effectiveness of the
430-safeguards' key controls, systems, and procedures, including the controls, systems, and
431-procedures to detect actual and attempted attacks on, or intrusions into, information
432-systems.
433-b.Information systems monitoring and testing must include continuous monitoring or
434-periodic penetration testing, and vulnerability assessments. Without effective continuous
435-monitoring or other systems to detect, on an ongoing basis, changes in information
436-systems that may create vulnerabilities, a financial corporation shall conduct:
437-(1)Annual penetration testing of the financial corporation's information systems based
438-on relevant identified risks in accordance with the risk assessment; and
439-(2)Vulnerability assessments, including systemic scans or information systems reviews
440-that are reasonably designed to identify publicly known security vulnerabilities in the
441-financial corporation's information systems based on the risk assessment, at least
442-every six months; whenever there are material changes to the financial
443-corporation's operations or business arrangements; and whenever there are
444-circumstances the financial corporation knows or has reason to know may have a
445-material impact on the financial corporation's information security program.
942+(2)Detect unauthorized access to, use of, or tampering with customer
943+information by authorized users.
944+6.a.A financial corporation shall regularly test or otherwise monitor the effectiveness
945+of the safeguards' key controls, systems, and procedures, including the controls,
946+systems, and procedures to detect actual and attempted attacks on, or intrusions
947+into, information systems.
948+b.Information systems monitoring and testing must include continuous monitoring
949+or periodic penetration testing, and vulnerability assessments. Without effective
950+continuous monitoring or other systems to detect, on an ongoing basis, changes
951+in information systems that may create vulnerabilities, a financial corporation
952+shall conduct:
953+(1)Annual penetration testing of the financial corporation's information systems
954+based on relevant identified risks in accordance with the risk assessment;
955+and
956+(2)Vulnerability assessments, including systemic scans or information systems
957+reviews that are reasonably designed to identify publicly known security
958+vulnerabilities in the financial corporation's information systems based on
959+the risk assessment, at least every six months; whenever there are material
960+changes to the financial corporation's operations or business arrangements;
961+and whenever there are circumstances the financial corporation knows or
962+has reason to know may have a material impact on the financial
963+corporation's information security program.
446964 7.A financial corporation shall implement policies and procedures to ensure the financial
447-corporation's personnel are able to enact the financial corporation's information security
448-program by:
449-a.Providing the financial corporation's personnel with security awareness training that is
450-updated as necessary to reflect risks identified by the risk assessment;
451-b.Utilizing qualified information security personnel employed by the financial corporation or
452-an affiliate or service provider sufficient to manage the financial corporation's information
453-security risks and to perform or oversee the information security program;
454-c.Providing information security personnel with security updates and training sufficient to
455-address relevant security risks; and
965+corporation's personnel are able to enact the financial corporation's information
966+security program by:
967+a.Providing the financial corporation's personnel with security awareness training
968+that is updated as necessary to reflect risks identified by the risk assessment;
969+b.Utilizing qualified information security personnel employed by the financial
970+corporation or an affiliate or service provider sufficient to manage the financial
1003+corporation's information security risks and to perform or oversee the information
1004+security program;
1005+c.Providing information security personnel with security updates and training
1006+sufficient to address relevant security risks; and
4561007 d.Verifying that key information security personnel take steps to maintain current
4571008 knowledge of changing information security threats and countermeasures.
4581009 8.A financial corporation shall oversee service providers by:
459-a.Taking reasonable steps to select and retain service providers capable of maintaining
460-appropriate safeguards for customer information;
461-b.Requiring, by contract, the financial corporation's service providers implement and
462-maintain appropriate safeguards; and
463-c.Periodically assessing the financial corporation's service providers based on the risk they
464-present, and the continued adequacy of the service providers' safeguards. H. B. NO. 1127 - PAGE 12
465-9.A financial corporation shall evaluate and adjust the financial corporation's information security
466-program by incorporating:
1010+a.Taking reasonable steps to select and retain service providers capable of
1011+maintaining appropriate safeguards for customer information;
1012+b.Requiring, by contract, the financial corporation's service providers implement
1013+and maintain appropriate safeguards; and
1014+c.Periodically assessing the financial corporation's service providers based on the
1015+risk they present, and the continued adequacy of the service providers'
1016+safeguards.
1017+9.A financial corporation shall evaluate and adjust the financial corporation's information
1018+security program by incorporating:
4671019 a.The results of the testing and monitoring required under subsection 5;
468-b.Any material changes to the financial corporation's operations or business arrangements;
1020+b.Any material changes to the financial corporation's operations or business
1021+arrangements;
4691022 c.The results of risk assessments performed under subsection 3; or
470-d.Any other circumstances that the financial corporation knows or has reason to know may
471-have a material impact on the financial corporation's information security program.
472-10.A financial corporation shall establish a written incident response plan designed to promptly
473-respond to, and recover from, any security event materially affecting the confidentiality,
474-integrity, or availability of customer information the financial corporation controls. The plan
475-must address:
1023+d.Any other circumstances that the financial corporation knows or has reason to
1024+know may have a material impact on the financial corporation's information
1025+security program.
1026+10.A financial corporation shall establish a written incident response plan designed to
1027+promptly respond to, and recover from, any security event materially affecting the
1028+confidentiality, integrity, or availability of customer information the financial corporation
1029+controls. The plan must address:
4761030 a.The goals of the incident response plan;
4771031 b.The internal processes for responding to a security event;
4781032 c.Clear roles, responsibilities, and levels of decisionmaking authority;
4791033 d.External and internal communications and information sharing;
480-e.Requirements for the remediation of any identified weaknesses in information systems
481-and associated controls;
482-f.Documentation and reporting regarding security events and related incident response
483-activities; and
484-g.The evaluation and revision of the incident response plan, as necessary, after a security
485-event.
486-11.A financial corporation shall require the financial corporation's qualified individual to report in
487-writing, at least annually, to the financial corporation's board of directors or equivalent
488-governing body. If no board of directors or equivalent governing body exists, the report shall
489-be timely presented to a senior officer responsible for the financial corporation's information
490-security program. The report must include:
491-a.The overall status of the information security program, and the financial corporation's
492-compliance with this chapter and associated rules; and
493-b.Material matters related to the information security program, addressing issues including
494-risk assessment, risk management and control decisions, service provider arrangements,
495-results of testing, security events or violations and management's responses thereto, and
496-recommendations for changes in the information security program.
1067+e.Requirements for the remediation of any identified weaknesses in information
1068+systems and associated controls;
1069+f.Documentation and reporting regarding security events and related incident
1070+response activities; and
1071+g.The evaluation and revision of the incident response plan, as necessary, after a
1072+security event.
1073+11.A financial corporation shall require the financial corporation's qualified individual to
1074+report in writing, at least annually, to the financial corporation's board of directors or
1075+equivalent governing body. If no board of directors or equivalent governing body
1076+exists, the report shall be timely presented to a senior officer responsible for the
1077+financial corporation's information security program. The report must include:
1078+a.The overall status of the information security program, and the financial
1079+corporation's compliance with this chapter and associated rules; and
1080+b.Material matters related to the information security program, addressing issues
1081+including risk assessment, risk management and control decisions, service
1082+provider arrangements, results of testing, security events or violations and
1083+management's responses thereto, and recommendations for changes in the
1084+information security program.
4971085 12.a.A financial corporation shall notify the commissioner about notification events.
498-b.After discovery of a notification event described in subdivision c, if the notification event
499-involves the information of at least five hundred consumers, the financial corporation
500-shall notify the commissioner as soon as possible, and no later than forty-five days after
501-the event is discovered. The notice must be made in a format specified by the
502-commissioner and include:
1086+b.After discovery of a notification event described in subdivision c, if the notification
1087+event involves the information of at least five hundred consumers, the financial
1088+corporation shall notify the commissioner as soon as possible, and no later than
1089+forty-five days after the event is discovered. The notice must be made in a format
1090+specified by the commissioner and include:
5031091 (1)The name and contact information of the reporting financial corporation;
504-(2)A description of the types of information involved in the notification event; H. B. NO. 1127 - PAGE 13
505-(3)The date or date range of the notification event, if the information is possible to
506-determine;
507-(4)The number of consumers affected or potentially affected by the notification event;
1092+(2)A description of the types of information involved in the notification event;
1093+(3)The date or date range of the notification event, if the information is possible
1094+to determine;
1095+(4)The number of consumers affected or potentially affected by the notification
1096+event;
5081097 (5)A general description of the notification event; and
5091131 (6)A statement whether any law enforcement official has provided the financial
510-corporation with a written determination that notifying the public of the breach would
511-impede a criminal investigation or cause damage to national security, and a means
512-for the commissioner to contact the law enforcement official. A law enforcement
513-official may request an initial delay of up to forty - five days following the date when
514-notice was provided to the commissioner. The delay may be extended for an
515-additional period of up to sixty days if the law enforcement official seeks an
516-extension in writing.
517-c.A notification event must be treated as discovered on the first day when the event is
518-known to the financial corporation. A financial corporation is deemed to have knowledge
519-of a notification event if the event is known to any employee, officer, or other agent of the
520-financial corporation, other than the person committing the breach.
521-13.A financial corporation shall establish a written plan addressing business continuity and
522-disaster recovery.
1132+corporation with a written determination that notifying the public of the
1133+breach would impede a criminal investigation or cause damage to national
1134+security, and a means for the commissioner to contact the law enforcement
1135+official. A law enforcement official may request an initial delay of up to
1136+forty - five days following the date when notice was provided to the
1137+commissioner. The delay may be extended for an additional period of up to
1138+sixty days if the law enforcement official seeks an extension in writing.
1139+c.A notification event must be treated as discovered on the first day when the event
1140+is known to the financial corporation. A financial corporation is deemed to have
1141+knowledge of a notification event if the event is known to any employee, officer,
1142+or other agent of the financial corporation, other than the person committing the
1143+breach.
1144+13.A financial corporation shall establish a written plan addressing business continuity
1145+and disaster recovery.
5231146 13 - 01.2 - 04. Exemptions.
524-Subsection 4, subdivision b of subsection 6, and subsections 10 and 11 of section 13 - 01.2 - 03 do
525-not apply to financial institutions that maintain customer information concerning fewer than five
526-thousand consumers.
527-SECTION 5. AMENDMENT. Section 13-04.1-01.1 of the North Dakota Century Code is amended
528-and reenacted as follows:
1147+Subsection 4, subdivision b of subsection 6, and subsections 10 and 11 of section
1148+13 - 01.2 - 03 do not apply to financial institutions that maintain customer information concerning
1149+fewer than five thousand consumers.
1150+SECTION 5. AMENDMENT. Section 13-04.1-01.1 of the North Dakota Century Code is
1151+amended and reenacted as follows:
5291152 13-04.1-01.1. Definitions.
5301153 As used in this chapter, unless the context or subject matter otherwise requires:
531-1."Borrower" means a person or entity that seeks out, or is solicited by a money broker for the
532-purpose of money brokering.
1154+1."Borrower" means a person or entity that seeks out, or is solicited by a money broker
1155+for the purpose of money brokering.
5331156 2."Commissioner" means the commissioner of financial institutions.
534-3."Loan" means a contract by which one delivers a sum of money to another and the latter
535-agrees to return at a future time a sum equivalent to that which the person borrowed. This
536-includes alternative financing products as identified by the commissioner through the issuance
537-of an order.
538-4."Money broker" means a person or entity who, in the ordinary course of business, engages in
539-money brokering.
540-4.5."Money brokering" means the act of arranging or providing loans or leases as a form of
541-financing, or advertising or soliciting either in print, by letter, in person, or otherwise, the right
542-to find lenders or provide loans or leases for persons or businesses desirous of obtaining
543-funds for any purposes.
544-5.6."Net branch" means an office at which a licensed money broker allows a separate person that
545-does not hold a valid North Dakota money brokers license to originate loans under the license
546-of the money broker. H. B. NO. 1127 - PAGE 14
547-6.7."Net branch arrangement" means an arrangement under which a licensed money broker
548-enters an agreement whereby its designated branch manager has the appearance of
549-ownership of the licensee by, among other things, sharing in the profits or losses, establishing,
550-leasing, or renting the branch premises, entering other contractual relationships with vendors
551-such as for telephones, utilities, and advertising, having control of a corporate checkbook, or
552-exercising control of personnel through the power to hire or fire such individuals. A person may
553-be considered to be utilizing a net branch if the net branch agreement requires the branch
554-manager to indemnify the licensee for damages from any apparent, express, or implied
555-agency representation by or through the branch's actions or if the agreement requires the
556-branch manager to issue a personal check to cover operating expenses whether or not funds
557-are available from an operating account of the licensee.
558-7.8."Precomputed loan" means a loan that is expressed as a sum comprising the principal and the
559-amount of the loan finance charge computed in advance.
560-SECTION 6. AMENDMENT. Section 13-04.1-11.1 of the North Dakota Century Code is amended
561-and reenacted as follows:
1157+3."Loan" means a contract by which one delivers a sum of money to another and the
1158+latter agrees to return at a future time a sum equivalent to that which the person
1159+borrowed. This includes alternative financing products as identified by the
1160+commissioner through the issuance of an order.
1193+4."Money broker" means a person or entity who, in the ordinary course of business,
1194+engages in money brokering.
1195+4.5."Money brokering" means the act of arranging or providing loans or leases as a form
1196+of financing, or advertising or soliciting either in print, by letter, in person, or otherwise,
1197+the right to find lenders or provide loans or leases for persons or businesses desirous
1198+of obtaining funds for any purposes.
1199+5.6."Net branch" means an office at which a licensed money broker allows a separate
1200+person that does not hold a valid North Dakota money brokers license to originate
1201+loans under the license of the money broker.
1202+6.7."Net branch arrangement" means an arrangement under which a licensed money
1203+broker enters an agreement whereby its designated branch manager has the
1204+appearance of ownership of the licensee by, among other things, sharing in the profits
1205+or losses, establishing, leasing, or renting the branch premises, entering other
1206+contractual relationships with vendors such as for telephones, utilities, and advertising,
1207+having control of a corporate checkbook, or exercising control of personnel through
1208+the power to hire or fire such individuals. A person may be considered to be utilizing a
1209+net branch if the net branch agreement requires the branch manager to indemnify the
1210+licensee for damages from any apparent, express, or implied agency representation
1211+by or through the branch's actions or if the agreement requires the branch manager to
1212+issue a personal check to cover operating expenses whether or not funds are
1213+available from an operating account of the licensee.
1214+7.8."Precomputed loan" means a loan that is expressed as a sum comprising the principal
1215+and the amount of the loan finance charge computed in advance.
1216+SECTION 6. AMENDMENT. Section 13-04.1-11.1 of the North Dakota Century Code is
1217+amended and reenacted as follows:
5621218 13-04.1-11.1. Response to department requests.
563-An applicant, licensee, or other person subject to the provisions of this chapter shall comply with
564-requests for information, documents, or other requests from the department of financial institutions
565-within the time specified in the request, which must be a minimum of ten days, or, if no time is specified,
566-within thirty days of the mailing of the request by the department of financial institutions. If the request
567-for information is in regard to a new application or renewal of an existing application and is not received
568-within the time specified in the request, or within thirty days of the mailing of the request, the
569-department may deny the application.
570-SECTION 7. AMENDMENT. Section 13-05-07.1 of the North Dakota Century Code is amended and
571-reenacted as follows:
1219+An applicant, licensee, or other person subject to the provisions of this chapter shall comply
1220+with requests for information, documents, or other requests from the department of financial
1221+institutions within the time specified in the request, which must be a minimum of ten days, or, if
1222+no time is specified, within thirty days of the mailing of the request by the department of
1223+financial institutions. If the request for information is in regard to a new application or renewal of
1257+an existing application and is not received within the time specified in the request, or within
1258+thirty days of the mailing of the request, the department may deny the application.
1259+SECTION 7. AMENDMENT. Section 13-05-07.1 of the North Dakota Century Code is
1260+amended and reenacted as follows:
5721261 13-05-07.1. Response to department requests.
573-An applicant, licensee, or other person subject to the provisions of this chapter shall comply with
574-requests for information, documents, or other requests from the department of financial institutions
575-within the time specified in the request, which must be a minimum of ten days, or, if no time is specified,
576-within thirty days of the mailing of the request by the department of financial institutions. If the request
577-for information is in regard to a new application or renewal of an existing application and is not received
578-within the time specified in the request, or within thirty days of the mailing of the request, the
579-department may deny the application.
580-SECTION 8. AMENDMENT. Section 13-08-10 of the North Dakota Century Code is amended and
581-reenacted as follows:
1262+An applicant, licensee, or other person subject to the provisions of this chapter shall comply
1263+with requests for information, documents, or other requests from the department of financial
1264+institutions within the time specified in the request, which must be a minimum of ten days, or, if
1265+no time is specified, within thirty days of the mailing of the request by the department of
1266+financial institutions. If the request for information is in regard to a new application or renewal of
1267+an existing application and is not received within the time specified in the request, or within
1268+thirty days of the mailing of the request, the department may deny the application.
1269+SECTION 8. AMENDMENT. Section 13-08-10 of the North Dakota Century Code is
1270+amended and reenacted as follows:
5821271 13-08-10. Regulations - Examinations.
583-The commissioner may adopt rules for the implementation and enforcement of this chapter. A copy
584-of a rule adopted by the commissioner must be mailed to each licensee at least thirty days before the
585-date the rule takes effect. To assure compliance with this chapter, the commissioner may examine the
586-relevant business, books, and records of any licensee. The licensee shall pay an examination or
587-visitation fee, and the commissioner shall charge the licensee for the actual cost of the examination or
588-visitation at an hourly rate set by the commissioner which is sufficient to cover all reasonable expenses
589-associated with the examination or visitation.
590-SECTION 9. AMENDMENT. Section 13-08-11.1 of the North Dakota Century Code is amended and
591-reenacted as follows: H. B. NO. 1127 - PAGE 15
1272+The commissioner may adopt rules for the implementation and enforcement of this chapter.
1273+A copy of a rule adopted by the commissioner must be mailed to each licensee at least thirty
1274+days before the date the rule takes effect. To assure compliance with this chapter, the
1275+commissioner may examine the relevant business, books, and records of any licensee. The
1276+licensee shall pay an examination or visitation fee, and the commissioner shall charge the
1277+licensee for the actual cost of the examination or visitation at an hourly rate set by the
1278+commissioner which is sufficient to cover all reasonable expenses associated with the
1279+examination or visitation.
1280+SECTION 9. AMENDMENT. Section 13-08-11.1 of the North Dakota Century Code is
1281+amended and reenacted as follows:
5921282 13-08-11.1. Response to department requests.
593-An applicant, licensee, or other person subject to the provisions of this chapter shall comply with
594-requests for information, documents, or other requests from the department of financial institutions
595-within the time specified in the request, which must be a minimum of ten days, or, if no time is specified,
596-within thirty days of the mailing of the request by the department of financial institutions. If the request
597-for information is in regard to a new application or renewal of an existing application and is not received
598-within the time specified in the request, or within thirty days of the mailing of the request, the
599-department may deny the application.
600-SECTION 10. AMENDMENT. Section 13-09.1-14 of the North Dakota Century Code is amended
601-and reenacted as follows:
1283+An applicant, licensee, or other person subject to the provisions of this chapter shall comply
1284+with requests for information, documents, or other requests from the department of financial
1285+institutions within the time specified in the request, which must be a minimum of ten days, or, if
1286+no time is specified, within thirty days of the mailing of the request by the department of
1287+financial institutions. If the request for information is in regard to a new application or renewal of
1321+an existing application and is not received within the time specified in the request, or within
1322+thirty days of the mailing of the request, the department may deny the application.
1323+SECTION 10. AMENDMENT. Section 13-09.1-14 of the North Dakota Century Code is
1324+amended and reenacted as follows:
6021325 13-09.1-14. Renewal of license.
6031326 1.A license under this chapter must be renewed annually.
604-a.An annual nonrefundable renewal fee must be paid by December thirty-first. The fee
605-must equal five hundred dollars or one-fourth of one percent of the money transmission
606-dollar volume in North Dakota for the twelve months ending June thirtieth, whichever is
607-greater. For the transmission of virtual currency as defined in section 13-09.1-44, the fee
608-must equal five hundred dollars or one-fourth of one percent of the average United
609-States dollar equivalent market value of the virtual currency transmitted in North Dakota
610-for the twelve months ending June thirtieth, whichever is greater. The fee may not exceed
611-two thousand five hundred dollars.
612-b.The renewal term must be for a period of one year and begins on January first of each
613-year after the initial license term and expires on December thirty-first of the year the
614-renewal term begins.
615-2.A licensee shall submit a renewal report with the renewal fee, in a form and in a medium
616-prescribed by the commissioner. The renewal report must state or contain a description of
617-each material change in information submitted by the licensee in its original license application
618-which has not been reported to the commissioner.
1327+a.An annual nonrefundable renewal fee must be paid by December thirty-first. The
1328+fee must equal five hundred dollars or one-fourth of one percent of the money
1329+transmission dollar volume in North Dakota for the twelve months ending June
1330+thirtieth, whichever is greater. For the transmission of virtual currency as defined
1331+in section 13-09.1-44, the fee must equal five hundred dollars or one-fourth of
1332+one percent of the average United States dollar equivalent market value of the
1333+virtual currency transmitted in North Dakota for the twelve months ending June
1334+thirtieth, whichever is greater. The fee may not exceed two thousand five hundred
1335+dollars.
1336+b.The renewal term must be for a period of one year and begins on January first of
1337+each year after the initial license term and expires on December thirty-first of the
1338+year the renewal term begins.
1339+2.A licensee shall submit a renewal report with the renewal fee, in a form and in a
1340+medium prescribed by the commissioner. The renewal report must state or contain a
1341+description of each material change in information submitted by the licensee in its
1342+original license application which has not been reported to the commissioner.
6191343 3.The commissioner for good cause may grant an extension of the renewal date.
620-4.The commissioner may utilize the nationwide system to process license renewals provided
621-that such functionality is consistent with this section.
622-5.A licensee may renew an expired license no later than January thirty-first subject to a late fee
623-of fifty dollars.
624-6.The commissioner may deny an application to renew a license if the licensee no longer meets
625-the criteria for licensure or otherwise fails to comply with this chapter.
626-SECTION 11. AMENDMENT. Subsection 3 of section 13-09.1-17 of the North Dakota Century
627-Code is amended and reenacted as follows:
628-3.A notice of disapproval must contain a statement of the basis for disapproval and must be sent
629-to the licensee and the disapproved individual. A licensee may appeal a notice of disapproval
630-by requesting a hearing before the commissioner within thirtytwenty days after receipt of
631-notice of disapproval in accordance with chapter 28-32.
632-SECTION 12. AMENDMENT. Section 13-09.1-38 of the North Dakota Century Code is amended
633-and reenacted as follows: H. B. NO. 1127 - PAGE 16
1344+4.The commissioner may utilize the nationwide system to process license renewals
1345+provided that such functionality is consistent with this section.
1346+5.A licensee may renew an expired license no later than January thirty-first subject to a
1347+late fee of fifty dollars.
1348+6.The commissioner may deny an application to renew a license if the licensee no
1349+longer meets the criteria for licensure or otherwise fails to comply with this chapter.
1350+SECTION 11. AMENDMENT. Subsection 3 of section 13-09.1-17 of the North Dakota
1351+Century Code is amended and reenacted as follows:
1352+Page No. 22 25.8110.02001
1353+1
1354+2
1355+3
1356+4
1357+5
1358+6
1359+7
1360+8
1361+9
1362+10
1363+11
1364+12
1365+13
1366+14
1367+15
1368+16
1369+17
1370+18
1371+19
1372+20
1373+21
1374+22
1375+23
1376+24
1377+25
1378+26
1379+27
1380+28
1381+29
1382+30
1383+31 Sixty-ninth
1384+Legislative Assembly
1385+3.A notice of disapproval must contain a statement of the basis for disapproval and must
1386+be sent to the licensee and the disapproved individual. A licensee may appeal a notice
1387+of disapproval by requesting a hearing before the commissioner within thirtytwenty
1388+days after receipt of notice of disapproval in accordance with chapter 28-32.
1389+SECTION 12. AMENDMENT. Section 13-09.1-38 of the North Dakota Century Code is
1390+amended and reenacted as follows:
6341391 13-09.1-38. Orders to cease and desist.
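Review bot: The appeal period in subsection 3 of section 13-09.1-17 reads "within thirtytwenty days" on both the removed side (line 630) and the added side (line 1387), so the bill's strike-through and underline markup has been lost and the text does not show which period applies. Restore the markup, or separate and label the struck and inserted words, before relying on this subsection. The added side also places a full page of margin line numbers and the running header between the SECTION 11 lead-in and the subsection text; that is page layout, not amendment.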
635-1.If the commissioner determines that a violation of this chapter or of a rule adopted or an order
636-issued under this chapter by a licensee or authorized delegate is likely to cause immediate
637-and irreparable harm to the licensee, its customers, or the public as a result of the violation, or
638-cause insolvency or significant dissipation of assets of the licensee, the commissioner may
639-issue an order requiring the licensee or authorized delegate to cease and desist from the
640-violation. The order becomes effective upon issuance.
641-2.The commissioner may issue an order against a licensee to cease and desist from providing
642-money transmission through an authorized delegate that is the subject of a separate order by
643-the commissioner.
644-3.An order to cease and desist remains effective and enforceable pending the completion of an
645-administrative proceedingmust contain a notice of opportunity for a hearing pursuant to
646-chapter 28-32.
647-4.An order to cease and desist expires unless the commissioner commences an administrative
648-proceeding pursuant to chapter 28-32 within ten days after it is issuedIf the company or
649-individual subject to an order to cease and desist fails to request a hearing in writing to the
650-commissioner within twenty days of issuance, or if a hearing is held and the commissioner
651-concludes the record so warrants, the order to cease and desist becomes final.
652-SECTION 13. AMENDMENT. Section 13-10-05 of the North Dakota Century Code is amended and
653-reenacted as follows:
1392+1.If the commissioner determines that a violation of this chapter or of a rule adopted or
1393+an order issued under this chapter by a licensee or authorized delegate is likely to
1394+cause immediate and irreparable harm to the licensee, its customers, or the public as
1395+a result of the violation, or cause insolvency or significant dissipation of assets of the
1396+licensee, the commissioner may issue an order requiring the licensee or authorized
1397+delegate to cease and desist from the violation. The order becomes effective upon
1398+issuance.
1399+2.The commissioner may issue an order against a licensee to cease and desist from
1400+providing money transmission through an authorized delegate that is the subject of a
1401+separate order by the commissioner.
1402+3.An order to cease and desist remains effective and enforceable pending the
1403+completion of an administrative proceedingmust contain a notice of opportunity for a
1404+hearing pursuant to chapter 28-32.
1405+4.An order to cease and desist expires unless the commissioner commences an
1406+administrative proceeding pursuant to chapter 28-32 within ten days after it is issuedIf
1407+the company or individual subject to an order to cease and desist fails to request a
1408+hearing in writing to the commissioner within twenty days of issuance, or if a hearing is
1409+held and the commissioner concludes the record so warrants, the order to cease and
1410+desist becomes final .
1411+SECTION 13. AMENDMENT. Section 13-10-05 of the North Dakota Century Code is
1412+amended and reenacted as follows:
6541413 13-10-05. Issuance of license.
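Review bot: Subsections 3 and 4 of section 13-09.1-38 run the old and new sentences together ("administrative proceedingmust contain", "after it is issuedIf the company"), identically on both sides, so the operative wording cannot be read off these lines without the original markup. On the text as shown, the twenty days to request a hearing in subsection 4 run from "issuance", and subsection 1 makes the order effective upon issuance, whereas the appeal period in section 13-09.1-17 runs from "receipt of notice of disapproval". It is worth confirming that the difference in trigger is intended. The stray space in "becomes final ." on line 1410 should also be closed up.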
655-The commissioner shall not issue a mortgage loan originator license unless the commissioner
656-makes at a minimum the following findings:
657-1.The applicant has never had a mortgage loan originator license revoked in any governmental
658-jurisdiction, except that a subsequent formal vacation of such revocation shall not be deemed
659-a revocation.
660-2.The applicant has not been charged pending trial, convicted of, or pled guilty, pled to lesser
661-charges, or pled nolo contendere to, a felony in a domestic, foreign, or military court:
662-a.During the seven-year period preceding the date of the application for licensing and
663-registration; or
664-b.At any time preceding such date of application, if such felony involved an act of fraud,
665-dishonesty, or a breach of trust, or money laundering;
666-c.Provided that any pardon of a conviction shall not be a conviction for purposes of this
667-subsection.
668-3.a.The applicant has demonstrated financial responsibility, character, and general fitness
669-such as to command the confidence of the community and to warrant a determination
670-that the mortgage loan originator will operate honestly, fairly, and efficiently within the
671-purposes of this chapter.
672-b.For purposes of this subsection, a person has shown that that person is not financially
673-responsible when that person has shown a disregard in the management of that person's
674-own financial condition. A determination that an individual has not shown financial
675-responsibility may include:
676-(1)Current outstanding judgments, except judgments solely as a result of medical
677-expenses; H. B. NO. 1127 - PAGE 17
1414+The commissioner shall not issue a mortgage loan originator license unless the
1415+commissioner makes at a minimum the following findings:
1416+Page No. 23 25.8110.02001
1417+1
1418+2
1419+3
1420+4
1421+5
1422+6
1423+7
1424+8
1425+9
1426+10
1427+11
1428+12
1429+13
1430+14
1431+15
1432+16
1433+17
1434+18
1435+19
1436+20
1437+21
1438+22
1439+23
1440+24
1441+25
1442+26
1443+27
1444+28
1445+29
1446+30
1447+31 Sixty-ninth
1448+Legislative Assembly
1449+1.The applicant has never had a mortgage loan originator license revoked in any
1450+governmental jurisdiction, except that a subsequent formal vacation of such revocation
1451+shall not be deemed a revocation.
1452+2.The applicant has not been charged pending trial, convicted of, or pled guilty, pled to
1453+lesser charges, or pled nolo contendere to, a felony in a domestic, foreign, or military
1454+court:
1455+a.During the seven-year period preceding the date of the application for licensing
1456+and registration; or
1457+b.At any time preceding such date of application, if such felony involved an act of
1458+fraud, dishonesty, or a breach of trust, or money laundering;
1459+c.Provided that any pardon of a conviction shall not be a conviction for purposes of
1460+this subsection.
1461+3.a.The applicant has demonstrated financial responsibility, character, and general
1462+fitness such as to command the confidence of the community and to warrant a
1463+determination that the mortgage loan originator will operate honestly, fairly, and
1464+efficiently within the purposes of this chapter.
1465+b.For purposes of this subsection, a person has shown that that person is not
1466+financially responsible when that person has shown a disregard in the
1467+management of that person's own financial condition. A determination that an
1468+individual has not shown financial responsibility may include:
1469+(1)Current outstanding judgments, except judgments solely as a result of
1470+medical expenses;
6781471 (2)Current outstanding tax liens or other government liens and filings;
6791472 (3)Foreclosures within the past three years; and
6801473 (4)A pattern of seriously delinquent accounts within the past three years.
681-4.The applicant has completed the prelicensing education requirement described in section
682-13-10-06.
683-5.The applicant has passed a written test that meets the test requirement described in section
684-13-10-07.
685-6.The applicant has met the net worth and surety bond requirements under section 13-10-13.
686-SECTION 14. AMENDMENT. Subsection 1 of section 13-11-10 of the North Dakota Century Code
687-is amended and reenacted as follows:
688-1.If the commissioner has reason to believe that grounds for revocation of a license exist, the
689-commissioner may send by certified mail tonotify the licensee with a notice of hearing stating
690-the contemplated action and in general the grounds thereof and setting the time and place for
691-a hearing thereon. Grounds for revocation of a license include:
692-a.Any debt-settlement provider has failed to pay the annual license fee or to maintain in
693-effect the bond required under this chapter;
694-b.The debt-settlement provider has violated this chapter or any rule lawfully made by the
695-commissioner implementing this chapter;
696-c.Any fact or condition exists that, if it had existed at the time of the original application for
697-a license, would have warranted the commissioner in refusing its issuance; or
698-d.Any applicant has made any false statement or representation to the commissioner in
699-applying for a license under this chapter.
700-SECTION 15. AMENDMENT. Section 13-12-19 of the North Dakota Century Code is amended and
701-reenacted as follows:
1474+4.The applicant has completed the prelicensing education requirement described in
1475+section 13-10-06.
1476+5.The applicant has passed a written test that meets the test requirement described in
1477+section 13-10-07.
1478+6.The applicant has met the net worth and surety bond requirements under section
1479+13-10-13.
1480+Page No. 24 25.8110.02001
1481+1
1482+2
1483+3
1484+4
1485+5
1486+6
1487+7
1488+8
1489+9
1490+10
1491+11
1492+12
1493+13
1494+14
1495+15
1496+16
1497+17
1498+18
1499+19
1500+20
1501+21
1502+22
1503+23
1504+24
1505+25
1506+26
1507+27
1508+28
1509+29
1510+30
1511+31 Sixty-ninth
1512+Legislative Assembly
1513+SECTION 14. AMENDMENT. Subsection 1 of section 13-11-10 of the North Dakota Century
1514+Code is amended and reenacted as follows:
1515+1.If the commissioner has reason to believe that grounds for revocation of a license
1516+exist, the commissioner may send by certified mail tonotify the licensee with a notice
1517+of hearing stating the contemplated action and in general the grounds thereof and
1518+setting the time and place for a hearing thereon. Grounds for revocation of a license
1519+include:
1520+a.Any debt-settlement provider has failed to pay the annual license fee or to
1521+maintain in effect the bond required under this chapter;
1522+b.The debt-settlement provider has violated this chapter or any rule lawfully made
1523+by the commissioner implementing this chapter;
1524+c.Any fact or condition exists that, if it had existed at the time of the original
1525+application for a license, would have warranted the commissioner in refusing its
1526+issuance; or
1527+d.Any applicant has made any false statement or representation to the
1528+commissioner in applying for a license under this chapter.
1529+SECTION 15. AMENDMENT. Section 13-12-19 of the North Dakota Century Code is
1530+amended and reenacted as follows:
7021531 13-12-19. Response to department requests.
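Review bot: In subsection 1 of section 13-11-10 the phrase "may send by certified mail tonotify the licensee with a notice of hearing" appears with struck and inserted words fused on both sides (lines 689 and 1516), so it is not visible whether the certified-mail requirement is kept or dropped. Restore the markup so the delivery method for the notice of hearing is unambiguous. Apart from that, the removed and added sides of this hunk differ only in line wrapping and page furniture.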
703-An applicant, licensee, or other person subject to the provisions of this chapter shall comply with
704-requests for information, documents, or other requests from the department of financial institutions
705-within the time specified in the request, which must be a minimum of ten days, or, if no time is specified,
706-within thirty days of the mailing of the request by the department of financial institutions. If the request
707-for information is in regard to a new application or renewal of an existing application and is not received
708-within the time specified in the request, or within thirty days of the mailing of the request, the
709-department may deny the application.
710-SECTION 16. AMENDMENT. Subsections 6, 21, and 22 of section 13-13-01 of the North Dakota
711-Century Code are amended and reenacted as follows:
712-6."Interim serviced prior to salemortgage servicing" means the activity of collecting a limited
713-number of contractual mortgage payments immediately after origination on loans held for sale
714-but prior to the loans being sold into the secondary market.
1532+An applicant, licensee, or other person subject to the provisions of this chapter shall comply
1533+with requests for information, documents, or other requests from the department of financial
1534+institutions within the time specified in the request, which must be a minimum of ten days, or, if
1535+no time is specified, within thirty days of the mailing of the request by the department of
1536+financial institutions. If the request for information is in regard to a new application or renewal of
1537+an existing application and is not received within the time specified in the request, or within
1538+thirty days of the mailing of the request, the department may deny the application.
1539+SECTION 16. AMENDMENT. Subsections 6, 21, and 22 of section 13-13-01 of the North
1540+Dakota Century Code are amended and reenacted as follows:
1541+6."Interim serviced prior to salemortgage servicing" means the activity of collecting a
1542+limited number of contractual mortgage payments immediately after origination on
1543+loans held for sale but prior to the loans being sold into the secondary market.
1544+Page No. 25 25.8110.02001
1545+1
1546+2
1547+3
1548+4
1549+5
1550+6
1551+7
1552+8
1553+9
1554+10
1555+11
1556+12
1557+13
1558+14
1559+15
1560+16
1561+17
1562+18
1563+19
1564+20
1565+21
1566+22
1567+23
1568+24
1569+25
1570+26
1571+27
1572+28
1573+29
1574+30
1575+31 Sixty-ninth
1576+Legislative Assembly
7151577 21."Service or servicing a loan" means on behalf of the lender or investor of a residential
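Review bot: The defined term in subsection 6 of section 13-13-01 is shown as "Interim serviced prior to salemortgage servicing" on both sides (lines 712 and 1541), again with struck and inserted words fused. Item 7 of section 13-13-04 exempts "Entities solely performing interim mortgage servicing", so the definition should be checked against that wording once the markup is restored, since the exemption depends on the two terms matching exactly.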
716-mortgage loan: H. B. NO. 1127 - PAGE 18
717-a.Collecting or receiving payments on existing obligations due and owing to the lender or
718-investor, including payments of principal, interest, escrow amounts, and other amounts
719-due;
1578+mortgage loan:
1579+a.Collecting or receiving payments on existing obligations due and owing to the
1580+lender or investor, including payments of principal, interest, escrow amounts, and
1581+other amounts due;
7201582 b.Collecting fees due to the servicer;
721-c.Working with the borrower and the licensed lender or servicer to collect data and make
722-decisions necessary to modify certain terms of those obligations either temporarily or
723-permanently;
1583+c.Working with the borrower and the licensed lender or servicer to collect data and
1584+make decisions necessary to modify certain terms of those obligations either
1585+temporarily or permanently;
7241586 d.Otherwise finalizing collection through the foreclosure process; or
7251587 e.Servicing a reverse mortgage loan.
726-22."Servicer" means the entity performing the routine administration of residential mortgage loans
727-on behalf of the owner or owners of the related mortgages under the terms of a servicing
728-contract.
729-SECTION 17. AMENDMENT. Section 13-13-04 of the North Dakota Century Code is amended and
730-reenacted as follows:
1588+22."Servicer" means the entity performing the routine administration of residential
1589+mortgage loans on behalf of the owner or owners of the related mortgages under the
1590+terms of a servicing contract.
1591+SECTION 17. AMENDMENT. Section 13-13-04 of the North Dakota Century Code is
1592+amended and reenacted as follows:
7311593 13-13-04. Entities exempted from licensing requirements.
7321594 This chapter does not apply to:
7331595 1.Banks;
7341596 2.Credit unions;
7351597 3.Savings and loan associations;
7361598 4.State or federal housing finance agencies;
7371599 5.Institutions chartered by the farm credit administration; or
7381600 6.Not-for-profit mortgage servicers; or
7391601 7.Entities solely performing interim mortgage servicing.
740-SECTION 18. AMENDMENT. Section 13-13-18 of the North Dakota Century Code is amended and
741-reenacted as follows:
1602+SECTION 18. AMENDMENT. Section 13-13-18 of the North Dakota Century Code is
1603+amended and reenacted as follows:
7421604 13-13-18. Response to department requests.
743-An applicant, licensee, or other person subject to the provisions of this chapter shall comply with
744-requests for information, documents, or other requests from the department of financial institutions
745-within the time specified in the request, which must be a minimum of ten days, or, if no time is specified,
746-within thirty days of the mailing of the request by the department of financial institutions. If the request
747-for information is in regard to a new application or renewal of an existing application and is not received
748-within the time specified in the request, or within thirty days of the mailing of the request, the
749-department may deny the application. H. B. NO. 1127 - PAGE 19
750-____________________________ ____________________________
751-Speaker of the House President of the Senate
752-____________________________ ____________________________
753-Chief Clerk of the House Secretary of the Senate
754-This certifies that the within bill originated in the House of Representatives of the Sixty-ninth Legislative
755-Assembly of North Dakota and is known on the records of that body as House Bill No. 1127.
756-House Vote: Yeas 89 Nays 2 Absent 3
757-Senate Vote:Yeas 46 Nays 1 Absent 0
758-____________________________
759-Chief Clerk of the House
760-Received by the Governor at ________M. on _____________________________________, 2025.
761-Approved at ________M. on __________________________________________________, 2025.
762-____________________________
763-Governor
764-Filed in this office this ___________day of _______________________________________, 2025,
765-at ________ o’clock ________M.
766-____________________________
767-Secretary of State
1605+An applicant, licensee, or other person subject to the provisions of this chapter shall comply
1606+with requests for information, documents, or other requests from the department of financial
1607+institutions within the time specified in the request, which must be a minimum of ten days, or, if
1608+Page No. 26 25.8110.02001
1609+1
1610+2
1611+3
1612+4
1613+5
1614+6
1615+7
1616+8
1617+9
1618+10
1619+11
1620+12
1621+13
1622+14
1623+15
1624+16
1625+17
1626+18
1627+19
1628+20
1629+21
1630+22
1631+23
1632+24
1633+25
1634+26
1635+27
1636+28
1637+29
1638+30
1639+31 Sixty-ninth
1640+Legislative Assembly
1641+no time is specified, within thirty days of the mailing of the request by the department of
1642+financial institutions. If the request for information is in regard to a new application or renewal of
1643+an existing application and is not received within the time specified in the request, or within
1644+thirty days of the mailing of the request, the department may deny the application.
1645+Page No. 27 25.8110.02001
1646+1
1647+2
1648+3
1649+4