(a) An applicant, before submitting an application, shall create and, during licensure, maintain in a record, policies and procedures for:
- (1) An information-security and operational-security program;
- (2) A business-continuity program;
- (3) A disaster-recovery program;
- (4) An anti-fraud program;
- (5) An anti-money-laundering program; and
- (6) A program to ensure compliance with the Bank Secrecy Act and the USA Patriot Act.
- (b) A licensee’s information-security and operational-security policy must include reasonable and appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of any non-public personal information or currency transmission it receives, maintains, or transmits.
- (c) A licensee is not required to file with the department a copy of a report it makes to a federal authority unless the department specifically requires filing.
- (d) After the policies and procedures required under this section are created by the licensee and approved by the department, the licensee shall engage a responsible individual with adequate authority and experience to monitor each policy and procedure, recommend changes as desirable, and enforce it.
(e) A licensee may:
- (1) Request advice from the department as to compliance with this section; and
- (2) With the department’s approval, outsource functions, other than compliance, required under this section.
- (f) Failure of a particular policy or procedure adopted under this section to meet its goals in a particular instance is not a ground for liability of the licensee if the policy or procedure was created, implemented, and monitored properly. Repeated failures of a policy or procedure are evidence that the policy or procedure was not created or implemented properly.
History of Section.
P.L. 2019, ch. 226, § 4; P.L. 2019, ch. 246, § 4.