North Dakota 2025-2026 Regular Session

North Dakota House Bill HB1127 Latest Draft

Bill / Enrolled Version Filed 04/04/2025

Sixty-ninth Legislative Assembly of North Dakota
In Regular Session Commencing Tuesday, January 7, 2025
HOUSE BILL NO. 1127
(Industry, Business and Labor Committee)
(At the request of the Department of Financial Institutions)
AN ACT to create and enact chapter 13-01.2 of the North Dakota Century Code, relating to the financial 
institution data security program; and to amend and reenact sections 6-01-04.1 and 6-01-04.2, 
subsection 7 of section 6-03-02, sections 13-04.1-01.1, 13-04.1-11.1, 13-05-07.1, 13-08-10, 
13-08-11.1, and 13-09.1-14, subsection 3 of section 13-09.1-17, sections 13-09.1-38 and 
13-10-05, subsection 1 of section 13-11-10, section 13-12-19, subsections 6, 21, and 22 of 
section 13-13-01, and sections 13-13-04 and 13-13-18 of the North Dakota Century Code, 
relating to the department of financial institutions, financial institutions, response to department 
requests, renewal of licenses, orders to cease and desist, issuance of licenses, revocation of 
licenses, and exemptions from licenses.
BE IT ENACTED BY THE LEGISLATIVE ASSEMBLY OF NORTH DAKOTA:
SECTION 1. AMENDMENT. Section 6-01-04.1 of the North Dakota Century Code is amended and 
reenacted as follows:
6-01-04.1. Removal of officers, directors, and employees of financial corporations or 
institutions.
1.The department of financial institutions or the board may issue, upon any current or former 
officer, director, or employee of a financial corporation, financial institution, or credit union 
subject to its jurisdiction and upon a financial corporation, financial institution, or credit union 
involved, an order stating:
a.That the current or former officer, director, or employee is engaging, or has engaged, in 
any of the following conduct:
(1)Violating any law, regulation, board order, or written agreement with the board.
(2)Engaging or participating in any unsafe or unsound practice.
(3)Performing any act of commission or omission or practice which is a breach of trust 
or a breach of fiduciary duty.
b.The term of the suspension or removal from employment and participation within the 
conduct of the affairs of a financial corporation, financial institution, credit union, or any 
other entity licensed by the department of financial institutions.
2.The order must contain a notice of opportunity for hearing pursuant to chapter 28-32. The date 
for the hearing must be set not less than thirty days after the date the complaint is served 
upon the current or former officer, director, or employee of a financial corporation, financial 
institution, credit union, or any other entity licensed by the department of financial institutions. 
The current or former officer, director, or employee may waive the thirty-day notice 
requirement.
3.If no hearing is requested within twenty days of the date the order is served upon the current 
or former officer, director, or employee, the order is final. If a hearing is held and the board 
finds that the record so warrants, it may enter a final order. The final order suspending or 
removing the current or former officer, director, or employee is final. The current or former 
officer or employee may request a termination of the final order after a period of no less than 
three years.
4.A contested or default suspension or removal order is effective immediately upon issuance on 
the current or former officer, director, or employee and upon a financial corporation, financial 
institution, or credit union. A consent order is effective as agreed.
5.Any current or former officer, director, or employee suspended or removed from any position 
pursuant to this section is not eligible, while under suspension or removal, to be employed or 
otherwise participate in the affairs of any financial corporation, financial institution, or credit 
union or any other entity licensed by the department of financial institutions until the 
suspension or removal is terminated by the department of financial institutions or board.
6.When any current or former officer, director, employee, or other person participating in the 
conduct of the affairs of a financial corporation, financial institution, or credit union is charged 
with a felony in state or federal court, involving dishonesty or breach of trust, the 
commissioner may immediately suspend the person from office or prohibit the person from 
any further participation in a financial corporation's, financial institution's, or credit union's 
affairs. The order is effective immediately upon issuance of the order on a financial 
corporation, financial institution, or credit union and the person charged, and remains in effect 
until the criminal charge is finally disposed of or until modified by the board. If a judgment of 
conviction, a federal pretrial diversion, conviction or agreement to plea to lesser charges, or 
similar state order or judgment is entered, the board or commissioner may order that the 
suspension or prohibition be made permanent. A finding of not guilty or other disposition of the 
charge does not preclude the commissioner or the board from pursuing administrative or civil 
remedies.
7.The commissioner or board may issue upon a current or former officer, director, employee, or 
other person participating in the conduct of the affairs of a financial corporation, financial 
institution, or credit union an order permanently suspending and prohibiting the person from 
participation in a financial corporation's, financial institution's, or credit union's affairs if 
convicted of any charge involving dishonesty or breach of trust in state or federal court. The 
suspension or removal order is effective immediately upon issuance on the current or former 
officer, director, or employee and upon a financial corporation, financial institution, or credit 
union.
SECTION 2. AMENDMENT. Section 6-01-04.2 of the North Dakota Century Code is amended and 
reenacted as follows:
6-01-04.2. Cease and desist orders.
1.The department of financial institutions or the board may issue and serve upon a financial 
corporation, financial institution, or credit union subject to its jurisdiction a complaint stating the 
factual basis for the department's or board's belief that the financial corporation, financial 
institution, or credit union is engaging in any of the following conduct:
a.An unsafe or unsound practice.
b.A violation in the past or on a continuing basis of any law, regulation, board order, or 
written agreement entered into with the board or department of financial institutions.
2.The complaint must contain a notice of opportunity for hearing pursuant to chapter 28-32. The 
date for the hearing must be set not less than thirty days after the date the complaint is served 
upon the financial corporation, financial institution, or credit union. The financial corporation, 
financial institution, or credit union may waive the thirty-day notice requirement.
3.If the financial corporation, financial institution, or credit union fails to respond to the complaint 
within twenty days of its service, or if a hearing is held and the board concludes that the record 
so warrants, the board may enter an order directing the financial corporation, financial 
institution, or credit union to cease and desist from engaging in the conduct which was the 
subject of the complaint and hearing and to take corrective action.
4.The commissioner or the board may enter an emergency, temporary cease and desist order if 
the commissioner or the board finds the conduct described in the complaint is likely to cause 
insolvency, substantial dissipation of assets, earnings, or capital of the financial corporation, 
financial institution, or credit union, or substantial prejudice to the depositors, shareholders, 
members, or creditors of the financial corporation, financial institution, or credit union. An 
emergency, temporary cease and desist order is effective immediately upon service on the 
financial corporation, financial institution, or credit union and remains in effect for no longer 
than sixty days or until the conclusion of permanent cease and desist proceedings pursuant to 
this section, whichever is sooner. An emergency, temporary cease and desist order may be 
issued without an opportunity for hearing. A bank or credit union may request a hearing before 
the state banking board or state credit union board within ten days of the order to review the 
factual basis used to issue the emergency, temporary cease and desist order. The decision 
made by the board during this hearing will be final. If a hearing is not requested, the initial 
decision of the commissioner or board will be final.
SECTION 3. AMENDMENT. Subsection 7 of section 6-03-02 of the North Dakota Century Code is 
amended and reenacted as follows:
7.Exercise, as determined by the board or commissioner by order or rule, all the incidental 
powers as are necessary to carry on the business of banking, including discounting and 
negotiating promissory notes, bills of exchange, drafts, and other evidences of debt; receiving 
deposits; buying and selling exchange, coin, and bullion; loaning money upon real or personal 
security, or both; soliciting and receiving deposits in the nature of custodial accounts for the 
purpose of health savings or similar health care cost funding accounts, retirement fund 
contracts, or pension programs, and such custodial accounts are exempt from chapter 6-05; 
and providing services to its customers involving electronic transfer of funds to the same 
extent that other financial institutions chartered and regulated by an agency of the federal 
government are permitted to provide those services within this state. A bank that provides 
electronic funds transfer equipment and service to its customers, at premises separate from its 
main banking house or duly authorized facility approved by the state banking board, must 
make the equipment and service available for use by customers of any other bank upon the 
request of the other bank to share its use and the agreement of the other bank to share pro 
rata all costs incurred in connection with its installation and operation, and the electronic 
operations are not deemed to be the establishment of a branch, nor of a separate facility. The 
electronic operations at premises separate from its banking house or duly authorized facility 
must be considered a customer electronic funds transfer center and may be established 
subject to rules that the state banking board adopts.
SECTION 4. Chapter 13-01.2 of the North Dakota Century Code is created and enacted as follows:
13-01.2-01. Definitions.
For purposes of this chapter, the following definitions shall apply:
1."Authorized user" means any employee, contractor, agent, or other person who:
a.Participates in a financial corporation's business operations; and
b.Is authorized to access and use any of the financial corporation's information systems 
and data.
2."Commissioner" means the commissioner of the department of financial institutions.
3."Consumer":
a.Means an individual, or that individual's legal representative, who applies for or has 
obtained a financial product or service from a financial corporation which is to be used
primarily for personal, family, or household purposes. A consumer includes an individual 
who:
(1)Applies to a financial corporation for credit for personal, family, or household 
purposes, regardless of whether the credit is extended.
(2)Provides nonpublic personal information to a financial corporation to obtain a 
determination about whether the applicant may qualify for a loan to be used 
primarily for personal, family, or household purposes, regardless of whether the loan 
is extended.
(3)Provides nonpublic personal information to a financial corporation in connection with 
obtaining or seeking to obtain financial, investment, or economic advisory services, 
regardless of whether the financial corporation establishes a continuing advisory 
relationship.
(4)Has a loan for personal, family, or household purposes in which the financial 
corporation has ownership or servicing rights, even if the financial corporation or 
one or more other corporations that hold ownership or servicing rights in conjunction 
with the financial corporation hires an agent to collect on the loan.
b.Does not include an individual who:
(1)Uses a different financial corporation or financial institution to act solely as an agent 
for, or provide processing or other services to, the individual financial corporation or 
financial institution.
(2)Designates a financial corporation solely for the purposes to act as trustee for a 
trust.
(3)Is a beneficiary of a trust for which the financial corporation is a trustee.
(4)Is a participant or a beneficiary of an employee benefit plan that the financial 
corporation sponsors or for which the financial corporation acts as a trustee or 
fiduciary.
4."Continuing relationship":
a.Means a situation in which a consumer:
(1)Has a credit or investment account with a financial corporation;
(2)Obtains a loan from a financial corporation;
(3)Purchases an insurance product from a financial corporation;
(4)Holds an investment product through a financial corporation, including when a 
financial corporation acts as a custodian for securities or for assets in an individual 
retirement arrangement;
(5)Enters into an agreement or understanding with a financial corporation in which the 
financial corporation undertakes to arrange or broker a home mortgage loan, or 
credit to purchase a vehicle, for the consumer;
(6)Enters into a lease of personal property on a nonoperating basis with a financial 
corporation;
(7)Obtains financial, investment, or economic advisory services from a financial 
corporation for a fee;
(8)Becomes a financial corporation's client for the purpose of obtaining tax preparation 
or credit counseling services from the financial corporation;
(9)Obtains career counseling while:
(a)Seeking employment with a financial corporation or the finance, accounting, 
or audit department of any company; or
(b)Employed by a financial corporation or department of any company;
(10)Is obligated on an account that a financial corporation purchases from another 
financial corporation, regardless of whether the account is in default when 
purchased, unless the financial corporation does not locate the consumer or attempt 
to collect any amount from the consumer on the account;
(11)Obtains real estate settlement services from a financial corporation; or
(12)Has a loan for which a financial corporation owns the servicing rights.
b.Does not include a situation in which:
(1)The consumer obtains a financial product or service from a financial corporation 
only in isolated transactions, including:
(a)A financial corporation's automated teller machine to withdraw cash from an 
account at another financial institution;
(b)Purchasing a money order from a financial corporation;
(c)Cashing a check with a financial corporation; or
(d)Making a wire transfer through a financial corporation;
(2)A financial corporation sells the consumer's loan and does not retain the rights to 
service that loan;
(3)A financial corporation sells the consumer an airline ticket, travel insurance, or a 
traveler's check in isolated transactions;
(4)The consumer obtains one-time personal or real property appraisal services from a 
financial corporation; or
(5)The consumer purchases checks for a personal checking account from a financial 
corporation.
5."Customer" means a consumer who has a customer relationship with a financial corporation.
6."Customer information" means any record containing nonpublic personal information about a 
customer of a financial corporation, whether in paper, electronic, or other form, which is 
handled or maintained by or on behalf of the financial corporation or the financial corporation's 
affiliates.
7."Customer relationship" means a continuing relationship between a consumer and a financial 
corporation under which the financial corporation provides one or more financial products or 
services to the consumer that are used primarily for personal, family, or household purposes.
8."Encryption" means the transformation of data into a form that results in a low probability of 
assigning meaning without the use of a protective process or key, consistent with current 
cryptographic standards and accompanied by appropriate safeguards for cryptographic key 
material.
9."Financial corporation" means all entities regulated by the department of financial institutions, 
excluding financial institutions and credit unions.
10."Financial institution" means any bank, industrial loan company, or savings and loan 
association organized under the laws of this state or of the United States.
11."Financial product or service" means any product or service that a financial holding company 
could offer by engaging in a financial activity under the federal Bank Holding Company Act of 
1956 [12 U.S.C. 1843 section 4(k)]. The term includes a financial corporation's evaluation or
brokerage of information that a financial corporation collects in connection with a request or an 
application from a consumer for a financial product or service.
12."Information security program" means the administrative, technical, or physical safeguards a 
financial corporation uses to access, collect, distribute, process, protect, store, use, transmit, 
dispose of, or otherwise handle customer information.
13."Information system" means a discrete set of electronic information resources organized for 
the collection, processing, maintenance, use, sharing, dissemination, or disposition of 
electronic information, as well as any specialized system, including industrial process controls 
systems, telephone switching and private branch exchange systems, and environmental 
controls systems that contain customer information or that is connected to a system that 
contains customer information.
14."Multifactor authentication" means authentication through verification of at least two of the 
following types of authentication factors:
a.Knowledge factors, including a password;
b.Possession factors, including a token; or
c.Inherence factors, including biometric characteristics.
15."Nonpublic personal information":
a.Means:
(1)Personally identifiable financial information; and
(2)Any list, description, or other grouping of consumers, including publicly available 
information pertaining to the consumers that is derived using personally identifiable 
financial information that is not publicly available, including account numbers.
b.Does not include:
(1)Publicly available information, except as included on a list described in paragraph 2
of subdivision a;
(2)Any list, description, or other grouping of consumers, including publicly available 
information pertaining to the consumers that is derived without using any personally 
identifiable financial information that is not publicly available; or
(3)Any list of individuals' names and addresses that contains only publicly available 
information, is not derived, in whole or in part, using personally identifiable financial 
information that is not publicly available, and is not disclosed in a manner that 
indicates that any individual on the list is the financial corporation's consumer.
16."Notification event" means the acquisition of unencrypted customer information without the 
authorization of the individual to which the information pertains. Customer information is 
considered unencrypted for purposes of this subsection if the encryption key was accessed by
an unauthorized person. Unauthorized acquisition is presumed to include unauthorized access 
to unencrypted customer information unless the financial corporation has reliable evidence 
showing there has not been, or could not reasonably have been, unauthorized acquisition of 
customer information.
17."Penetration testing" means a test methodology in which assessors attempt to circumvent or 
defeat the security features of an information system by attempting to penetrate databases or 
controls from outside or inside a financial corporation's information systems.
18."Personally identifiable financial information":
a.Means any information:
(1)A consumer provides to a financial corporation to obtain a financial product or 
service;
(2)About a consumer resulting from any transaction involving a financial product or 
service between a financial corporation and a consumer; or
(3)A financial corporation otherwise obtains about a consumer in connection with 
providing a financial product or service to that consumer.
b.Includes:
(1)Information a consumer provides to a financial corporation on an application to 
obtain a loan, credit card, or other financial product or service;
(2)Account balance information, payment history, overdraft history, and credit or debit 
card purchase information;
(3)An individual that is or has been a financial corporation's customer or has obtained 
a financial product or service from the financial corporation;
(4)Any information about a financial corporation's consumer if it is disclosed in a 
manner that indicates the individual is or has been a financial corporation's 
consumer;
(5)Any information a consumer provides to a financial corporation or which a financial 
corporation or a financial corporation's agent otherwise obtains in connection with 
collecting on, or servicing, a credit account;
(6)Any information a financial corporation collects through an information collecting 
device from a web server; and
(7)Information from a consumer report.
c.Does not include:
(1)A list of names and addresses of customers of an entity that is not a financial 
corporation; and
(2)Information that does not identify a consumer, such as aggregate information or 
blind data that does not contain personal identifiers such as account numbers, 
names, or addresses.
19.a."Publicly available information":
(1)Means any information that a financial corporation has a reasonable basis to 
believe is lawfully made available to the general public from:
(a)Federal, state, or local government records;
(b)Widely distributed media; or
(c)Disclosures to the general public which are required under federal, state, or 
local law.
(2)Includes information:
(a)In government real estate records and security interest filings; or
(b)From widely distributed media, a telephone book, a television or radio 
program, a newspaper, or a website that is available to the general public on 
an unrestricted basis. A website is not restricted because an internet service 
provider or a site operator requires a fee or a password, provided access is 
available to the general public.
b.For purposes of this subsection, a financial corporation has a reasonable basis to believe 
information is lawfully made available to the general public if the financial corporation has 
taken steps to determine:
(1)The information is of the type available to the general public; and
(2)Whether an individual can direct that the information not be made available to the 
general public and, if so, that the financial corporation's consumer has not done so. 
A financial corporation has a reasonable basis to believe mortgage information is 
lawfully made available to the general public if the financial corporation determines 
the information is of the type included on the public record in the jurisdiction where 
the mortgage is recorded. A financial corporation has a reasonable basis to believe 
an individual's telephone number is lawfully made available to the general public if 
the financial corporation has located the telephone number in the telephone book or 
the consumer has informed the financial corporation the telephone number is not 
unlisted.
20."Qualified individual" means the individual designated by a financial institution to oversee, 
implement, and enforce the financial institution's information security program.
21."Security event" means an event resulting in unauthorized access to, or disruption or misuse 
of: 
a.An information system or information stored on an information system; or
b.Customer information held in physical form.
22."Service provider" means any person or entity that receives, maintains, processes, or 
otherwise is permitted access to customer information through its provision of services directly 
to a financial corporation that is subject to this chapter.
13-01.2-02. Standards for safeguarding customer information.
1.A financial corporation shall develop, implement, and maintain a comprehensive information 
security program.
2.The information security program must:
a.Be written in one or more readily accessible parts; and
b.Maintain administrative, technical, and physical safeguards that are appropriate to the 
financial corporation's size and complexity, the nature and scope of the financial 
corporation's activities, and the sensitivity of any customer information at issue.
3.The financial corporation shall develop a security program that:
a.Ensures the security and confidentiality of customer information;
b.Protects against any anticipated threats or hazards to the security or integrity of such 
information; and
c.Protects against unauthorized access to or use of such information that could result in 
substantial harm or inconvenience to any customer.
13-01.2-03. Elements of a security program.
1.A financial corporation's information security program must denote a designation of a qualified 
individual responsible for overseeing and implementing the financial corporation's information 
security program and enforcing the financial corporation's information security program. The 
qualified individual may be employed by the financial corporation, an affiliate, or a service 
provider.
2.If a financial corporation designates an individual employed by an affiliate or service provider 
as the qualified individual, the financial corporation shall:
a.Retain responsibility for compliance with this chapter;
b.Designate a senior member of the financial corporation's personnel to be responsible for 
directing and overseeing the qualified individual; and
c.Require the service provider or affiliate to maintain an information security program that 
protects the financial corporation in accordance with the requirements of this chapter.
3.A financial corporation shall base the financial corporation's information security program on a 
risk assessment that:
a.Identifies reasonably foreseeable internal and external risks to the security, 
confidentiality, and integrity of customer information that could result in the unauthorized 
disclosure, misuse, alteration, destruction or other compromise of customer information;
b.Assesses the sufficiency of any safeguards in place to control the risks in subdivision a;
and
c.Includes additional periodic risk assessments that:
(1)Re-examine the reasonably foreseeable internal and external risks to the security, 
confidentiality, and integrity of customer information that could result in the 
unauthorized disclosure, misuse, alteration, destruction or other compromise of 
such information; and
(2)Reassess the sufficiency of any safeguards in place to control these risks.
4.The risk assessment must be in writing and include:
a.Criteria to evaluate and categorize identified security risks or threats the financial 
corporation faces;
b.Criteria for the assessment of the confidentiality, integrity, and availability of the financial 
corporation's information systems and customer information, including the adequacy of
the existing controls in the context of the identified risks or threats the financial 
corporation faces; and
c.Requirements describing how:
(1)Identified risks will be mitigated or accepted based on the risk assessment; and
(2)The information security program will address the risks.
5.A financial corporation shall design and implement safeguards to control the risks the financial 
corporation identifies through the risk assessment in subsection 4, which include:
a.Implementing and periodically reviewing access controls, including technical and as 
appropriate, physical controls to:
(1)Authenticate and permit access only to authorized users to protect against the 
unauthorized acquisition of customer information; and
(2)Limit an authorized user's access to only customer information the authorized user 
needs to perform the authorized user's duties and functions, or in the case of a 
customer, to access the customer's own information.
b.Identifying and managing data, personnel, devices, systems, and facilities that enable the 
financial corporation to achieve business purposes in accordance with the business 
purpose's relative importance to business objectives and the financial corporation's risk 
strategy.
c.Protecting by encryption all customer information held or transmitted by the financial 
corporation both in transit over external networks and at rest. To the extent a financial 
corporation determines that encryption of customer information, either in transit over 
external networks or at rest, is infeasible, the financial corporation may secure customer 
information using effective alternative compensating controls reviewed and approved by 
the financial corporation's qualified individual.
d.Adopting secure development practices for in-house developed applications utilized by 
the financial corporation for transmitting, accessing, or storing customer information and 
procedures for evaluating, assessing, or testing the security of externally developed 
applications the financial corporation utilizes to transmit, access, or store customer 
information.
e.Implementing multifactor authentication for any individual accessing any information 
system, unless the financial corporation's qualified individual has approved in writing the 
use of a reasonably equivalent or more secure access control.
f.Developing, implementing, and maintaining procedures to securely dispose of customer 
information, in any format, no later than two years after the last date the information is 
used in connection with providing a product or service to the customer which it relates, 
unless:
(1)The information is necessary for business operations or for other legitimate 
business purposes;
(2)Is otherwise required to be retained by law or regulation; or
(3)Where targeted disposal is not reasonably feasible due to the manner in which the 
information is maintained.
g.Periodically reviewing the financial corporation's data retention policy to minimize 
unnecessary retention of data.
h.Adopting procedures for change management.
i.Implementing policies, procedures and controls designed to:
(1)Monitor and log the activity of authorized users; and
(2)Detect unauthorized access to, use of, or tampering with customer information by 
authorized users.
6.a.A financial corporation shall regularly test or otherwise monitor the effectiveness of the 
safeguards' key controls, systems, and procedures, including the controls, systems, and 
procedures to detect actual and attempted attacks on, or intrusions into, information 
systems.
b.Information systems monitoring and testing must include continuous monitoring or 
periodic penetration testing, and vulnerability assessments. Without effective continuous 
monitoring or other systems to detect, on an ongoing basis, changes in information 
systems that may create vulnerabilities, a financial corporation shall conduct:
(1)Annual penetration testing of the financial corporation's information systems based 
on relevant identified risks in accordance with the risk assessment; and
(2)Vulnerability assessments, including systemic scans or information systems reviews 
that are reasonably designed to identify publicly known security vulnerabilities in the 
financial corporation's information systems based on the risk assessment, at least 
every six months; whenever there are material changes to the financial 
corporation's operations or business arrangements; and whenever there are 
circumstances the financial corporation knows or has reason to know may have a 
material impact on the financial corporation's information security program.
7.A financial corporation shall implement policies and procedures to ensure the financial 
corporation's personnel are able to enact the financial corporation's information security 
program by:
a.Providing the financial corporation's personnel with security awareness training that is 
updated as necessary to reflect risks identified by the risk assessment;
b.Utilizing qualified information security personnel employed by the financial corporation or 
an affiliate or service provider sufficient to manage the financial corporation's information 
security risks and to perform or oversee the information security program;
c.Providing information security personnel with security updates and training sufficient to 
address relevant security risks; and
d.Verifying that key information security personnel take steps to maintain current 
knowledge of changing information security threats and countermeasures.
8.A financial corporation shall oversee service providers by:
a.Taking reasonable steps to select and retain service providers capable of maintaining 
appropriate safeguards for customer information;
b.Requiring, by contract, the financial corporation's service providers implement and 
maintain appropriate safeguards; and
c.Periodically assessing the financial corporation's service providers based on the risk they 
present, and the continued adequacy of the service providers' safeguards.
9.A financial corporation shall evaluate and adjust the financial corporation's information security 
program by incorporating:
a.The results of the testing and monitoring required under subsection 5;
b.Any material changes to the financial corporation's operations or business arrangements;
c.The results of risk assessments performed under subsection 3; or
d.Any other circumstances that the financial corporation knows or has reason to know may 
have a material impact on the financial corporation's information security program.
10.A financial corporation shall establish a written incident response plan designed to promptly 
respond to, and recover from, any security event materially affecting the confidentiality, 
integrity, or availability of customer information the financial corporation controls. The plan 
must address:
a.The goals of the incident response plan;
b.The internal processes for responding to a security event;
c.Clear roles, responsibilities, and levels of decisionmaking authority;
d.External and internal communications and information sharing;
e.Requirements for the remediation of any identified weaknesses in information systems 
and associated controls;
f.Documentation and reporting regarding security events and related incident response 
activities; and
g.The evaluation and revision of the incident response plan, as necessary, after a security 
event.
11.A financial corporation shall require the financial corporation's qualified individual to report in 
writing, at least annually, to the financial corporation's board of directors or equivalent 
governing body. If no board of directors or equivalent governing body exists, the report shall 
be timely presented to a senior officer responsible for the financial corporation's information 
security program. The report must include:
a.The overall status of the information security program, and the financial corporation's 
compliance with this chapter and associated rules; and
b.Material matters related to the information security program, addressing issues including 
risk assessment, risk management and control decisions, service provider arrangements, 
results of testing, security events or violations and management's responses thereto, and 
recommendations for changes in the information security program.
12.a.A financial corporation shall notify the commissioner about notification events.
b.After discovery of a notification event described in subdivision c, if the notification event
involves the information of at least five hundred consumers, the financial corporation 
shall notify the commissioner as soon as possible, and no later than forty-five days after 
the event is discovered. The notice must be made in a format specified by the 
commissioner and include:
(1)The name and contact information of the reporting financial corporation;
(2)A description of the types of information involved in the notification event;
(3)The date or date range of the notification event, if the information is possible to 
determine;
(4)The number of consumers affected or potentially affected by the notification event;
(5)A general description of the notification event; and
(6)A statement whether any law enforcement official has provided the financial 
corporation with a written determination that notifying the public of the breach would 
impede a criminal investigation or cause damage to national security, and a means 
for the commissioner to contact the law enforcement official. A law enforcement 
official may request an initial delay of up to forty-five days following the date when
notice was provided to the commissioner. The delay may be extended for an 
additional period of up to sixty days if the law enforcement official seeks an 
extension in writing.
c.A notification event must be treated as discovered on the first day when the event is 
known to the financial corporation. A financial corporation is deemed to have knowledge 
of a notification event if the event is known to any employee, officer, or other agent of the 
financial corporation, other than the person committing the breach.
13.A financial corporation shall establish a written plan addressing business continuity and 
disaster recovery.
13-01.2-04. Exemptions.
Subsection 4, subdivision b of subsection 6, and subsections 10 and 11 of section 13-01.2-03 do
not apply to financial institutions that maintain customer information concerning fewer than five 
thousand consumers.
SECTION 5. AMENDMENT. Section 13-04.1-01.1 of the North Dakota Century Code is amended 
and reenacted as follows:
13-04.1-01.1. Definitions.
As used in this chapter, unless the context or subject matter otherwise requires:
1."Borrower" means a person or entity that seeks out, or is solicited by a money broker for the 
purpose of money brokering.
2."Commissioner" means the commissioner of financial institutions.
3."Loan" means a contract by which one delivers a sum of money to another and the latter 
agrees to return at a future time a sum equivalent to that which the person borrowed. This 
includes alternative financing products as identified by the commissioner through the issuance 
of an order.
4."Money broker" means a person or entity who, in the ordinary course of business, engages in 
money brokering.
4.5."Money brokering" means the act of arranging or providing loans or leases as a form of 
financing, or advertising or soliciting either in print, by letter, in person, or otherwise, the right 
to find lenders or provide loans or leases for persons or businesses desirous of obtaining 
funds for any purposes.
5.6."Net branch" means an office at which a licensed money broker allows a separate person that 
does not hold a valid North Dakota money brokers license to originate loans under the license 
of the money broker.
6.7."Net branch arrangement" means an arrangement under which a licensed money broker 
enters an agreement whereby its designated branch manager has the appearance of 
ownership of the licensee by, among other things, sharing in the profits or losses, establishing, 
leasing, or renting the branch premises, entering other contractual relationships with vendors 
such as for telephones, utilities, and advertising, having control of a corporate checkbook, or 
exercising control of personnel through the power to hire or fire such individuals. A person may 
be considered to be utilizing a net branch if the net branch agreement requires the branch 
manager to indemnify the licensee for damages from any apparent, express, or implied 
agency representation by or through the branch's actions or if the agreement requires the 
branch manager to issue a personal check to cover operating expenses whether or not funds 
are available from an operating account of the licensee.
7.8."Precomputed loan" means a loan that is expressed as a sum comprising the principal and the 
amount of the loan finance charge computed in advance.
SECTION 6. AMENDMENT. Section 13-04.1-11.1 of the North Dakota Century Code is amended 
and reenacted as follows:
13-04.1-11.1. Response to department requests.
An applicant, licensee, or other person subject to the provisions of this chapter shall comply with 
requests for information, documents, or other requests from the department of financial institutions 
within the time specified in the request, which must be a minimum of ten days, or, if no time is specified, 
within thirty days of the mailing of the request by the department of financial institutions. If the request 
for information is in regard to a new application or renewal of an existing application and is not received 
within the time specified in the request, or within thirty days of the mailing of the request, the 
department may deny the application.
SECTION 7. AMENDMENT. Section 13-05-07.1 of the North Dakota Century Code is amended and 
reenacted as follows:
13-05-07.1. Response to department requests.
An applicant, licensee, or other person subject to the provisions of this chapter shall comply with 
requests for information, documents, or other requests from the department of financial institutions 
within the time specified in the request, which must be a minimum of ten days, or, if no time is specified, 
within thirty days of the mailing of the request by the department of financial institutions. If the request 
for information is in regard to a new application or renewal of an existing application and is not received 
within the time specified in the request, or within thirty days of the mailing of the request, the 
department may deny the application.
SECTION 8. AMENDMENT. Section 13-08-10 of the North Dakota Century Code is amended and 
reenacted as follows:
13-08-10. Regulations - Examinations.
The commissioner may adopt rules for the implementation and enforcement of this chapter. A copy 
of a rule adopted by the commissioner must be mailed to each licensee at least thirty days before the 
date the rule takes effect. To assure compliance with this chapter, the commissioner may examine the 
relevant business, books, and records of any licensee. The licensee shall pay an examination or 
visitation fee, and the commissioner shall charge the licensee for the actual cost of the examination or 
visitation at an hourly rate set by the commissioner which is sufficient to cover all reasonable expenses 
associated with the examination or visitation.
SECTION 9. AMENDMENT. Section 13-08-11.1 of the North Dakota Century Code is amended and 
reenacted as follows:
13-08-11.1. Response to department requests.
An applicant, licensee, or other person subject to the provisions of this chapter shall comply with 
requests for information, documents, or other requests from the department of financial institutions 
within the time specified in the request, which must be a minimum of ten days, or, if no time is specified, 
within thirty days of the mailing of the request by the department of financial institutions. If the request 
for information is in regard to a new application or renewal of an existing application and is not received 
within the time specified in the request, or within thirty days of the mailing of the request, the 
department may deny the application.
SECTION 10. AMENDMENT. Section 13-09.1-14 of the North Dakota Century Code is amended 
and reenacted as follows:
13-09.1-14. Renewal of license.
1.A license under this chapter must be renewed annually.
a.An annual nonrefundable renewal fee must be paid by December thirty-first. The fee 
must equal five hundred dollars or one-fourth of one percent of the money transmission 
dollar volume in North Dakota for the twelve months ending June thirtieth, whichever is 
greater. For the transmission of virtual currency as defined in section 13-09.1-44, the fee 
must equal five hundred dollars or one-fourth of one percent of the average United 
States dollar equivalent market value of the virtual currency transmitted in North Dakota 
for the twelve months ending June thirtieth, whichever is greater. The fee may not exceed 
two thousand five hundred dollars.
b.The renewal term must be for a period of one year and begins on January first of each 
year after the initial license term and expires on December thirty-first of the year the 
renewal term begins.
2.A licensee shall submit a renewal report with the renewal fee, in a form and in a medium 
prescribed by the commissioner. The renewal report must state or contain a description of 
each material change in information submitted by the licensee in its original license application 
which has not been reported to the commissioner.
3.The commissioner for good cause may grant an extension of the renewal date.
4.The commissioner may utilize the nationwide system to process license renewals provided 
that such functionality is consistent with this section.
5.A licensee may renew an expired license no later than January thirty-first subject to a late fee 
of fifty dollars.
6.The commissioner may deny an application to renew a license if the licensee no longer meets 
the criteria for licensure or otherwise fails to comply with this chapter.
SECTION 11. AMENDMENT. Subsection 3 of section 13-09.1-17 of the North Dakota Century 
Code is amended and reenacted as follows:
3.A notice of disapproval must contain a statement of the basis for disapproval and must be sent 
to the licensee and the disapproved individual. A licensee may appeal a notice of disapproval 
by requesting a hearing before the commissioner within thirtytwenty days after receipt of 
notice of disapproval in accordance with chapter 28-32.
SECTION 12. AMENDMENT. Section 13-09.1-38 of the North Dakota Century Code is amended 
and reenacted as follows:
13-09.1-38. Orders to cease and desist.
1.If the commissioner determines that a violation of this chapter or of a rule adopted or an order 
issued under this chapter by a licensee or authorized delegate is likely to cause immediate 
and irreparable harm to the licensee, its customers, or the public as a result of the violation, or 
cause insolvency or significant dissipation of assets of the licensee, the commissioner may 
issue an order requiring the licensee or authorized delegate to cease and desist from the 
violation. The order becomes effective upon issuance.
2.The commissioner may issue an order against a licensee to cease and desist from providing 
money transmission through an authorized delegate that is the subject of a separate order by 
the commissioner.
3.An order to cease and desist remains effective and enforceable pending the completion of an 
administrative proceedingmust contain a notice of opportunity for a hearing pursuant to 
chapter 28-32.
4.An order to cease and desist expires unless the commissioner commences an administrative 
proceeding pursuant to chapter 28-32 within ten days after it is issuedIf the company or 
individual subject to an order to cease and desist fails to request a hearing in writing to the 
commissioner within twenty days of issuance, or if a hearing is held and the commissioner 
concludes the record so warrants, the order to cease and desist becomes final.
SECTION 13. AMENDMENT. Section 13-10-05 of the North Dakota Century Code is amended and 
reenacted as follows:
13-10-05. Issuance of license.
The commissioner shall not issue a mortgage loan originator license unless the commissioner 
makes at a minimum the following findings:
1.The applicant has never had a mortgage loan originator license revoked in any governmental 
jurisdiction, except that a subsequent formal vacation of such revocation shall not be deemed 
a revocation.
2.The applicant has not been charged pending trial, convicted of, or pled guilty, pled to lesser 
charges, or pled nolo contendere to, a felony in a domestic, foreign, or military court:
a.During the seven-year period preceding the date of the application for licensing and 
registration; or
b.At any time preceding such date of application, if such felony involved an act of fraud, 
dishonesty, or a breach of trust, or money laundering;
c.Provided that any pardon of a conviction shall not be a conviction for purposes of this 
subsection.
3.a.The applicant has demonstrated financial responsibility, character, and general fitness 
such as to command the confidence of the community and to warrant a determination 
that the mortgage loan originator will operate honestly, fairly, and efficiently within the 
purposes of this chapter.
b.For purposes of this subsection, a person has shown that that person is not financially 
responsible when that person has shown a disregard in the management of that person's 
own financial condition. A determination that an individual has not shown financial 
responsibility may include:
(1)Current outstanding judgments, except judgments solely as a result of medical 
expenses;
(2)Current outstanding tax liens or other government liens and filings;
(3)Foreclosures within the past three years; and
(4)A pattern of seriously delinquent accounts within the past three years.
4.The applicant has completed the prelicensing education requirement described in section 
13-10-06.
5.The applicant has passed a written test that meets the test requirement described in section 
13-10-07.
6.The applicant has met the net worth and surety bond requirements under section 13-10-13.
SECTION 14. AMENDMENT. Subsection 1 of section 13-11-10 of the North Dakota Century Code 
is amended and reenacted as follows:
1.If the commissioner has reason to believe that grounds for revocation of a license exist, the 
commissioner may send by certified mail tonotify the licensee with a notice of hearing stating 
the contemplated action and in general the grounds thereof and setting the time and place for 
a hearing thereon. Grounds for revocation of a license include:
a.Any debt-settlement provider has failed to pay the annual license fee or to maintain in 
effect the bond required under this chapter;
b.The debt-settlement provider has violated this chapter or any rule lawfully made by the 
commissioner implementing this chapter;
c.Any fact or condition exists that, if it had existed at the time of the original application for 
a license, would have warranted the commissioner in refusing its issuance; or
d.Any applicant has made any false statement or representation to the commissioner in 
applying for a license under this chapter.
SECTION 15. AMENDMENT. Section 13-12-19 of the North Dakota Century Code is amended and 
reenacted as follows:
13-12-19. Response to department requests.
An applicant, licensee, or other person subject to the provisions of this chapter shall comply with 
requests for information, documents, or other requests from the department of financial institutions 
within the time specified in the request, which must be a minimum of ten days, or, if no time is specified, 
within thirty days of the mailing of the request by the department of financial institutions. If the request 
for information is in regard to a new application or renewal of an existing application and is not received 
within the time specified in the request, or within thirty days of the mailing of the request, the 
department may deny the application.
SECTION 16. AMENDMENT. Subsections 6, 21, and 22 of section 13-13-01 of the North Dakota 
Century Code are amended and reenacted as follows:
6."Interim serviced prior to salemortgage servicing" means the activity of collecting a limited 
number of contractual mortgage payments immediately after origination on loans held for sale 
but prior to the loans being sold into the secondary market.
21."Service or servicing a loan" means on behalf of the lender or investor of a residential 
mortgage loan:
a.Collecting or receiving payments on existing obligations due and owing to the lender or 
investor, including payments of principal, interest, escrow amounts, and other amounts 
due;
b.Collecting fees due to the servicer;
c.Working with the borrower and the licensed lender or servicer to collect data and make 
decisions necessary to modify certain terms of those obligations either temporarily or 
permanently;
d.Otherwise finalizing collection through the foreclosure process; or
e.Servicing a reverse mortgage loan.
22."Servicer" means the entity performing the routine administration of residential mortgage loans 
on behalf of the owner or owners of the related mortgages under the terms of a servicing 
contract.
SECTION 17. AMENDMENT. Section 13-13-04 of the North Dakota Century Code is amended and 
reenacted as follows:
13-13-04. Entities exempted from licensing requirements.
This chapter does not apply to:
1.Banks;
2.Credit unions;
3.Savings and loan associations;
4.State or federal housing finance agencies;
5.Institutions chartered by the farm credit administration; or
6.Not-for-profit mortgage servicers; or
7.Entities solely performing interim mortgage servicing.
SECTION 18. AMENDMENT. Section 13-13-18 of the North Dakota Century Code is amended and 
reenacted as follows:
13-13-18. Response to department requests.
An applicant, licensee, or other person subject to the provisions of this chapter shall comply with 
requests for information, documents, or other requests from the department of financial institutions 
within the time specified in the request, which must be a minimum of ten days, or, if no time is specified, 
within thirty days of the mailing of the request by the department of financial institutions. If the request 
for information is in regard to a new application or renewal of an existing application and is not received 
within the time specified in the request, or within thirty days of the mailing of the request, the 
department may deny the application.
____________________________ ____________________________
Speaker of the House	President of the Senate
____________________________ ____________________________
Chief Clerk of the House	Secretary of the Senate
This certifies that the within bill originated in the House of Representatives of the Sixty-ninth Legislative 
Assembly of North Dakota and is known on the records of that body as House Bill No. 1127.
House Vote: Yeas 89 Nays 2 Absent 3
Senate Vote: Yeas 46 Nays 1 Absent 0
____________________________
Chief Clerk of the House
Received by the Governor at ________M. on _____________________________________, 2025.
Approved at ________M. on __________________________________________________, 2025.
____________________________
Governor
Filed in this office this ___________day of _______________________________________, 2025,
at ________ o’clock ________M.
____________________________
Secretary of State