Who Needs NY DFS (23 NYCRR 500) Compliance

Espresso Labs Team

23 NYCRR 500 applies broadly to any company that holds a license, registration, charter, certificate, permit, accreditation, or similar authorization issued by the New York Department of Financial Services (DFS). If your company does business in New York in financial services — whether as a bank, insurer, mortgage company, or fintech — you are almost certainly covered.

Who Is a “Covered Entity”?

The regulation defines a “covered entity” as any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation, or similar authorization under the New York Banking Law, Insurance Law, or Financial Services Law.

This includes a wide range of organizations:

  • Banking institutions: State-chartered banks, trust companies, savings banks, savings associations, and credit unions
  • Insurance companies: Life insurers, property & casualty insurers, health insurers, and reinsurers licensed in New York
  • Mortgage companies: Mortgage servicers, mortgage bankers, mortgage brokers, and residential mortgage lenders
  • Money services businesses: Money transmitters, check cashers, and currency exchangers licensed by DFS
  • Premium finance agencies: Companies financing insurance premiums
  • Licensed lenders: Consumer finance companies, sales finance companies
  • Holding companies: Bank holding companies and insurance holding companies supervised by DFS
  • Regulated fintech firms: Virtual currency businesses operating under a BitLicense and other DFS-licensed fintech companies

Who Is Exempt?

The regulation includes a limited exemption for smaller or simpler entities. A covered entity qualifies for a limited exemption if it meets any of the following criteria at the time of certification:

  1. Fewer than 10 employees (including independent contractors)
  2. Less than $5 million in gross annual revenue in each of the last three fiscal years from New York business
  3. Less than $10 million in year-end total assets

Important: Even limited-exemption entities must still comply with certain requirements — they are not fully exempt. They must maintain a cybersecurity program appropriate to their risk profile, designate a CISO or equivalent, and maintain basic controls. The exemption relieves them from some of the more prescriptive requirements like penetration testing schedules and specific technical control mandates.

What About Out-of-State Companies?

If your company is headquartered outside of New York but holds a DFS license (for example, as a surplus lines insurer, a foreign bank with a New York branch, or an out-of-state insurer licensed to do business in New York), you are still a covered entity and must comply with 23 NYCRR 500.

The regulation applies to operations that touch New York, not just companies incorporated in New York.

Third-Party Service Providers

Even if your company is not itself a covered entity, you may be subject to security requirements through third-party vendor obligations. Under the 2023 amendments, covered entities must include security requirements in contracts with third-party service providers that access nonpublic information (NPI), conduct regular assessments of those vendors’ security practices, and maintain vendor inventories.

If you provide technology, cloud services, data processing, or other services to NY DFS-regulated financial institutions, your clients will increasingly require you to meet specific security standards and provide audit evidence.

How Espresso Labs Helps

Espresso Labs delivers managed compliance for NY DFS-regulated organizations — whether you need to achieve full compliance, maintain it cost-effectively, or prepare for a DFS examination. We handle the technical controls, vendor risk documentation, board reporting support, and continuous monitoring your CISO needs to certify compliance each year. Contact us to see how much of your NY DFS compliance burden we can take off your plate.

Ready to Get Started?

CMMC compliance does not have to require a large internal team or a 6-figure budget. Espresso Labs delivers it as an automated, managed service so you can focus on winning contracts, not managing controls.

Talk to our team