On April 11, North Dakota enacted HB 1127, overhauling its regulatory framework for financial institutions and nonbank financial service providers. The law amends multiple chapters of the North Dakota Century Code and creates a new data security mandate for financial corporations—a category that includes non-depository entities regulated by the Department of Financial Institutions (DFI). It also expands the licensing requirement for brokers to include “alternative financing products,” potentially impacting a broad array of fintech providers.
The law introduces sweeping data protection obligations for nonbank financial corporations through new requirements created in Chapter 13-01.2. Specifically, covered entities must:
- Implement an information security program. This includes administrative, technical, and physical safeguards, based on a written risk assessment.
- Designate a qualified individual. Each financial corporation must designate a qualified individual responsible for overseeing the security program and report annually to its board or a senior officer.
- Conduct regular testing. Annual penetration tests and biannual vulnerability assessments are mandatory unless continuous monitoring is in place.
- Secure consumer data. Encryption of data in transit and at rest is required unless a compensating control is approved. Multifactor authentication is also mandatory.
- Notify regulators of breaches. A data breach involving 500 or more consumers must be reported to the Commissioner within 45 days.
The bill also amends North Dakota’s broker licensing laws to authorize the DFI to classify certain alternative financing arrangements as “loans.”
Putting It Into Practice: Of the many amendments here, North Dakota’s expansion of licensing requirements for brokers of alternative financing products may have the biggest impact for institutions, especially fintechs.