Key Points:

• Limited Exemptions:

  Companies that qualify for the limited exemption are not required to comply with all the regulation's requirements, but they still need to file a compliance certification or an acknowledgement of non-compliance by April 15, 2025.

• Full Exemptions:

  Companies that qualify for full exemptions do not need to submit any notifications to the NY DFS.

• Annual Filing:

  This is an annual requirement, and the deadline is April 15th of each year.

• Compliance or Acknowledgement:

  Companies must either certify their compliance with the regulation or file an acknowledgement of non-compliance, along with a remediation timeline or confirmation that remediation has been completed, if they are not compliant. 

The Financial Industry Regulatory Authority is touting its focus this year on a number of common compliance themes, including broker-dealers’ cybersecurity risks, and anti-money laundering controls, while adding some new hot spots, including the selection of third-party vendors, according to its annual regulatory oversight report.

On February 20, 2025, the Securities and Exchange Commission (SEC) announced the formation of the Cyber and Emerging Technologies Unit, known as “CETU,” which will replace the Crypto Assets and Cyber Unit (“CACU”).

CETU aims to combat cyber-related misconduct and provide safeguards for retail investors against malpractices emerging in the technologies sector. The formation of CETU reflects a significant shift in the SEC’s priorities as to the digital assets sector, specifically an apparent move away from non-fraud crypto enforcement actions, such as alleged registration or technical violations of the securities laws.

On May 16, 2024, the SEC adopted amendments to Regulation S-P requiring broker-dealers, registered investment companies, registered investment advisers, funding portals, and transfer agents (collectively, “covered institutions”) to create an incident response program to deal with unauthorized access to or use of customer information. The amendments also expanded the obligations of covered institutions by requiring them to safeguard and properly dispose of a broader range of data types and maintain records documenting compliance with the amendments. Finally, the annual privacy notice delivery provisions now include an exception from a 2015 amendment to the Gramm-Leach-Bliley Act (GLBA).

The Financial Industry Regulatory Authority on Tuesday touted its focus this year on a number of common compliance themes, including broker-dealers’ cybersecurity risks and anti-money laundering controls while adding some new hot spots, including the selection of third-party vendors, according to its annual regulatory oversight report.