Florida Senate - 2026 SB 540
By Senator Martin
33-00646-26 2026540__
1 A bill to be entitled
2 An act relating to the Office of Financial Regulation;
3 creating s. 494.00123, F.S.; defining terms; requiring
4 loan originators, mortgage brokers, and mortgage
5 lenders to develop, implement, and maintain
6 comprehensive written information security programs
7 for the protection of information systems and
8 nonpublic personal information; providing requirements
9 for such programs; requiring loan originators,
10 mortgage brokers, and mortgage lenders to establish
11 written incident response plans for specified
12 purposes; providing requirements for such plans;
13 providing applicability; providing compliance
14 requirements under specified circumstances; requiring
15 loan originators, mortgage brokers, and mortgage
16 lenders to maintain copies of information security
17 programs for a specified timeframe and to make them
18 available to the Office of Financial Regulation under
19 certain circumstances; requiring loan originators,
20 mortgage brokers, and mortgage lenders and certain
21 entities to conduct investigations of cybersecurity
22 events under certain circumstances; providing
23 requirements for such investigations; providing
24 requirements for records and documentation
25 maintenance; providing requirements for notices of
26 security breaches; providing construction; providing
27 rulemaking authority; amending s. 494.00255, F.S.;
28 providing additional acts that constitute a ground for
29 specified disciplinary actions against loan
30 originators and mortgage brokers; amending s. 517.021,
31 F.S.; revising the definition of the term “investment
32 adviser” and defining the term “place of business”;
33 amending s. 559.952, F.S.; revising definitions;
34 removing the definition of the term “innovative”;
35 revising the list of general law provisions that are
36 waived upon approval of a Financial Technology Sandbox
37 application; revising conditions under which a waiver
38 of a requirement may be granted; providing that
39 provisions applicable to the Financial Technology
40 Sandbox innovative financial products and services
41 apply to Financial Technology Sandbox financial
42 products and services; revising the criteria for the
43 office to consider when deciding whether to approve or
44 deny an application for licensure; authorizing, rather
45 than requiring, the office to specify the maximum
46 number of consumers authorized to receive financial
47 products and services from a Financial Technology
48 Sandbox applicant; removing provisions that limit the
49 number of such customers; revising construction;
50 amending s. 560.114, F.S.; specifying the entities
51 that are subject to certain disciplinary actions and
52 penalties; revising the list of actions by money
53 services businesses which constitute grounds for
54 certain disciplinary actions and penalties; requiring,
55 rather than authorizing, the office to suspend
56 licenses of money services businesses under certain
57 circumstances; creating s. 560.1311, F.S.; defining
58 terms; requiring money services businesses to develop,
59 implement, and maintain comprehensive written
60 information security programs for the protection of
61 information systems and nonpublic personal
62 information; providing requirements for such programs;
63 requiring money services businesses to establish
64 written incident response plans for specified
65 purposes; providing requirements for such plans;
66 providing applicability; providing compliance
67 requirements under specified circumstances; requiring
68 money services businesses to maintain copies of
69 information security programs for a specified
70 timeframe and to make them available to the office
71 under certain circumstances; requiring money services
72 businesses and certain entities to conduct
73 investigations of cybersecurity events under certain
74 circumstances; providing requirements for such
75 investigations; providing requirements for records and
76 documentation maintenance; providing requirements for
77 notices of security breaches; providing construction;
78 providing rulemaking authority; creating s. 655.0171,
79 F.S.; defining terms; requiring financial institutions
80 to take measures to protect and secure certain data
81 that contain personal information; providing
82 requirements for notices of security breaches to the
83 office, the Department of Legal Affairs, certain
84 individuals, and certain credit reporting agencies;
85 amending s. 655.045, F.S.; revising the timeline for
86 the mailing of payment for salary and travel expenses
87 of certain field staff; amending s. 657.005, F.S.;
88 revising requirements for permission to organize
89 credit unions; amending s. 657.024, F.S.; authorizing
90 meetings of credit union members to be held virtually
91 and without quorums under certain circumstances;
92 amending s. 657.042, F.S.; removing provisions that
93 impose limitations on investments in real estate and
94 equipment for credit unions; amending s. 658.21, F.S.;
95 revising requirements and factors for approving
96 applications for organizing banks and trust companies;
97 amending s. 658.33, F.S.; revising requirements for
98 directors of certain banks and trust companies;
99 amending s. 662.141, F.S.; revising the timeline for
100 the mailing of payment for the salary and travel
101 expenses of certain field staff; amending s. 517.12,
102 F.S.; conforming a cross-reference; providing an
103 effective date.
104
105 Be It Enacted by the Legislature of the State of Florida:
106
107 Section 1. Section 494.00123, Florida Statutes, is created
108 to read:
109 494.00123 Information security programs; cybersecurity
110 event investigations.—
111 (1) DEFINITIONS.—As used in this section, the term:
112 (a) “Customer” means a person who seeks to obtain or who
113 obtains or has obtained a financial product or service from a
114 licensee.
115 (b) “Customer information” means any record containing
116 nonpublic personal information about a customer of a financial
117 transaction, whether on paper, electronic, or in other forms,
118 which is handled or maintained by or on behalf of the licensee
119 or its affiliates.
120 (c) “Cybersecurity event” means an event resulting in
121 unauthorized access to, or disruption or misuse of, an
122 information system, information stored on such information
123 system, or customer information held in physical form.
124 (d) “Financial product or service” means any product or
125 service offered by a licensee under this chapter.
126 (e) “Information security program” means the
127 administrative, technical, or physical safeguards used to
128 access, collect, distribute, process, protect, store, use,
129 transmit, dispose of, or otherwise handle customer information.
130 (f) “Information system” means a discrete set of electronic
131 information resources organized for the collection, processing,
132 maintenance, use, sharing, dissemination, or disposition of
133 electronic information, as well as any specialized system such
134 as an industrial process control system, telephone switching and
135 private branch exchange system, or environmental control system,
136 which contain customer information or which are connected to a
137 system that contains customer information.
138 (g) “Licensee” means a person licensed under this chapter.
139 (h)1. “Nonpublic personal information” means:
140 a. Personally identifiable financial information; and
141 b. Any list, description, or other grouping of customers
142 which is derived using any personally identifiable financial
143 information that is not publicly available, such as account
144 numbers, including any list of individuals’ names and street
145 addresses which is derived, in whole or in part, using
146 personally identifiable financial information that is not
147 publicly available.
148 2. The term does not include:
149 a. Publicly available information, except as included on a
150 list, description, or other grouping of customers described in
151 sub-subparagraph 1.b.;
152 b. Any list, description, or other grouping of consumers,
153 or any publicly available information pertaining to such list,
154 description, or other grouping of consumers, which is derived
155 without using any personally identifiable financial information
156 that is not publicly available; or
157 c. Any list of individuals’ names and addresses which
158 contains only publicly available information, is not derived, in
159 whole or in part, using personally identifiable financial
160 information that is not publicly available, and is not disclosed
161 in a manner that indicates that any of the individuals on the
162 list is a customer of a licensee.
163 3. As used in this paragraph, the term:
164 a.(I) “Personally identifiable financial information” means
165 any information that:
166 (A) A customer provides to a licensee to obtain a financial
167 product or service, such as information that a customer provides
168 to a licensee on an application to obtain a loan or other
169 financial product or service;
170 (B) A licensee receives about a consumer which is obtained
171 during or as a result of any transaction involving a financial
172 product or service between the licensee and the customer, such
173 as information collected through an information-collecting
174 device from a web server; or
175 (C) A licensee otherwise obtains about a customer in
176 connection with providing a financial product or service to the
177 customer, such as the fact that an individual is or has been one
178 of the licensee’s customers or has obtained a financial product
179 or service from the licensee.
180 (II) The term “personally identifiable financial
181 information” does not include:
182 (A) A list of names and addresses of customers of an entity
183 that is not a financial institution; or
184 (B) Information that does not identify a customer, such as
185 blind data or aggregate information that does not contain
186 personal identifiers such as account numbers, names, or
187 addresses.
188 b.(I) “Publicly available information” means any
189 information that a licensee has a reasonable basis to believe is
190 lawfully made available to the general public from:
191 (A) Federal, state, or local government records, such as
192 government real estate records or security interest filings;
193 (B) Widely distributed media, such as information from a
194 telephone records repository or directory, a television or radio
195 program, a newspaper, a social media platform, or a website that
196 is available to the general public on an unrestricted basis. A
197 website is not restricted merely because an Internet service
198 provider or a site operator requires a fee or a password, so
199 long as access is available to the general public; or
200 (C) Disclosures to the general public which are required to
201 be made by federal, state, or local law.
202 (II) As used in this sub-subparagraph, the term “reasonable
203 basis to believe is lawfully made available to the general
204 public” relating to any information means that the person has
205 taken steps to determine:
206 (A) That the information is of the type that is available
207 to the general public, such as information included on the
208 public record in the jurisdiction where the mortgage would be
209 recorded; and
210 (B) Whether an individual can direct that the information
211 not be made available to the general public and, if so, the
212 customer to whom the information relates has not done so, such
213 as when a telephone number is listed in a telephone directory
214 and the customer has informed the licensee that the telephone
215 number is not unlisted.
216 (i) “Third-party service provider” means a person, other
217 than a licensee, which contracts with a licensee to maintain,
218 process, or store nonpublic personal information, or is
219 otherwise permitted access to nonpublic personal information
220 through its provision of services to a licensee.
221 (2) INFORMATION SECURITY PROGRAM.—
222 (a) Each licensee shall develop, implement, and maintain a
223 comprehensive written information security program that contains
224 administrative, technical, and physical safeguards for the
225 protection of the licensee’s information system and nonpublic
226 personal information.
227 (b) Each licensee shall ensure that the information
228 security program meets all of the following criteria:
229 1. Be commensurate with the following measures:
230 a. Size and complexity of the licensee.
231 b. Nature and scope of the licensee’s activities, including
232 the licensee’s use of third-party service providers.
233 c. Sensitivity of nonpublic personal information that is
234 used by the licensee or that is in the licensee’s possession,
235 custody, or control.
236 2. Be designed to do all of the following:
237 a. Protect the security and confidentiality of nonpublic
238 personal information and the security of the licensee’s
239 information system.
240 b. Protect against threats or hazards to the security or
241 integrity of nonpublic personal information and the licensee’s
242 information system.
243 c. Protect against unauthorized access to or the use of
244 nonpublic personal information and minimize the likelihood of
245 harm to any customer.
246 3. Define and periodically reevaluate the retention
247 schedule and the mechanism for the destruction of nonpublic
248 personal information if retention is no longer necessary for the
249 licensee’s business operations or is no longer required by
250 applicable law.
251 4. Regularly test and monitor systems and procedures for
252 the detection of actual and attempted attacks on, or intrusions
253 into, the licensee’s information system.
254 5. Be monitored, evaluated, and adjusted, as necessary, to
255 meet all of the following requirements:
256 a. Determine whether the licensee’s information security
257 program is consistent with relevant changes in technology.
258 b. Confirm the licensee’s information security program
259 accounts for the sensitivity of nonpublic personal information.
260 c. Identify changes that may be necessary to the licensee’s
261 information system.
262 d. Eliminate any internal or external threats to nonpublic
263 personal information.
264 e. Amend the licensee’s information security program for
265 any of the licensee’s changing business arrangements, including,
266 but not limited to, mergers and acquisitions, alliances and
267 joint ventures, and outsourcing arrangements.
268 (c)1. As part of a licensee’s information security program,
269 the licensee shall establish a written incident response plan
270 designed to promptly respond to, and recover from, a
271 cybersecurity event that compromises:
272 a. The confidentiality, integrity, or availability of
273 nonpublic personal information in the licensee’s possession;
274 b. The licensee’s information system; or
275 c. The continuing functionality of any aspect of the
276 licensee’s operations.
277 2. The written incident response plan must address all of
278 the following:
279 a. The licensee’s internal process for responding to a
280 cybersecurity event.
281 b. The goals of the licensee’s incident response plan.
282 c. The assignment of clear roles, responsibilities, and
283 levels of decisionmaking authority for the licensee’s personnel
284 that participate in the incident response plan.
285 d. External communications, internal communications, and
286 information sharing related to a cybersecurity event.
287 e. The identification of remediation requirements for
288 weaknesses identified in information systems and associated
289 controls.
290 f. The documentation and reporting regarding cybersecurity
291 events and related incident response activities.
292 g. The evaluation and revision of the incident response
293 plan, as appropriate, following a cybersecurity event.
294 h. The process by which notice must be given as required
295 under subsection (4) and s. 501.171(3) and (4).
296 (d)1. This section does not apply to a licensee that has
297 fewer than:
298 a. Twenty individuals on its workforce, including employees
299 and independent contractors; or
300 b. Five hundred customers during a calendar year.
301 2. A licensee that no longer qualifies for exemption under
302 subparagraph 1. has 180 calendar days to comply with this
303 section after the date of the disqualification.
304 (e) Each licensee shall maintain a copy of the information
305 security program for a minimum of 5 years and shall make it
306 available to the office upon request or as part of an
307 examination.
308 (3) CYBERSECURITY EVENT INVESTIGATION.—
309 (a) If a licensee discovers that a cybersecurity event has
310 occurred or that a cybersecurity event may have occurred, the
311 licensee, or an outside vendor or third-party service provider
312 that the licensee has designated to act on its behalf, shall
313 conduct a prompt investigation of the cybersecurity event.
314 (b) During the investigation, the licensee, or the outside
315 vendor or third-party service provider that the licensee has
316 designated to act on its behalf, shall, at a minimum, determine
317 as much of the following as possible:
318 1. Confirm that a cybersecurity event has occurred.
319 2. Identify the date that the cybersecurity event first
320 occurred.
321 3. Assess the nature and scope of the cybersecurity event.
322 4. Identify all nonpublic personal information that may
323 have been compromised by the cybersecurity event.
324 5. Perform or oversee reasonable measures to restore the
325 security of any compromised information system in order to
326 prevent further unauthorized acquisition, release, or use of
327 nonpublic personal information that is in the licensee’s,
328 outside vendor’s, or third-party service provider’s possession,
329 custody, or control.
330 (c) If a licensee learns that a cybersecurity event has
331 occurred, or may have occurred, in an information system
332 maintained by a third-party service provider of the licensee,
333 the licensee shall complete an investigation in compliance with
334 this section or confirm and document that the third-party
335 service provider has completed an investigation in compliance
336 with this section.
337 (d) A licensee shall maintain all records and documentation
338 related to the licensee’s investigation of a cybersecurity event
339 for a minimum of 5 years after the date of the cybersecurity
340 event and shall produce the records and documentation to the
341 office upon request.
342 (4) NOTICE TO OFFICE OF SECURITY BREACH.—
343 (a) Each licensee shall provide notice to the office of any
344 breach of security affecting 500 or more individuals in this
345 state at a time and in the manner prescribed by commission rule.
346 (b) Each licensee shall, upon the office’s request, provide
347 a quarterly update of a cybersecurity event investigation under
348 subsection (3) until conclusion of the investigation.
349 (5) CONSTRUCTION.—This section may not be construed to
350 relieve a covered entity from complying with s. 501.171. To the
351 extent a licensee is a covered entity, as defined in s.
352 501.171(1), the licensee remains subject to s. 501.171.
353 (6) RULES.—The commission may adopt rules to administer
354 this section, including rules that allow a licensee that is in
355 full compliance with the Federal Trade Commission’s Standards
356 for Safeguarding Customer Information, 16 C.F.R. part 314, to be
357 deemed in compliance with subsection (2).
358 Section 2. Paragraph (z) is added to subsection (1) of
359 section 494.00255, Florida Statutes, to read:
360 494.00255 Administrative penalties and fines; license
361 violations.—
362 (1) Each of the following acts constitutes a ground for
363 which the disciplinary actions specified in subsection (2) may
364 be taken against a person licensed or required to be licensed
365 under part II or part III of this chapter:
366 (z) Failure to comply with the notification requirements in
367 s. 501.171(3) and (4).
368 Section 3. Present subsections (28) through (36) of section
369 517.021, Florida Statutes, are redesignated as subsections (29)
370 through (37), respectively, a new subsection (28) is added to
371 that section, and subsection (20) of that section is amended, to
372 read:
373 517.021 Definitions.—When used in this chapter, unless the
374 context otherwise indicates, the following terms have the
375 following respective meanings:
376 (20)(a) “Investment adviser” means a person, other than an
377 associated person of an investment adviser or a federal covered
378 adviser, that receives compensation, directly or indirectly, and
379 engages for all or part of the person’s time, directly or
380 indirectly, or through publications or writings, in the business
381 of advising others as to the value of securities or as to the
382 advisability of investments in, purchasing of, or selling of
383 securities.
384 (b) The term does not include any of the following:
385 1. A dealer or an associated person of a dealer whose
386 performance of services in paragraph (a) is solely incidental to
387 the conduct of the dealer’s or associated person’s business as a
388 dealer and who does not receive special compensation for those
389 services.
390 2. A licensed practicing attorney or certified public
391 accountant whose performance of such services is solely
392 incidental to the practice of the attorney’s or accountant’s
393 profession.
394 3. A bank authorized to do business in this state.
395 4. A bank holding company as defined in the Bank Holding
396 Company Act of 1956, as amended, authorized to do business in
397 this state.
398 5. A trust company having trust powers, as defined in s.
399 658.12, which it is authorized to exercise in this state, which
400 trust company renders or performs investment advisory services
401 in a fiduciary capacity incidental to the exercise of its trust
402 powers.
403 6. A person that renders investment advice exclusively to
404 insurance or investment companies.
405 7. A person:
406 a. Without a place of business in this state if the person
407 has had that, during the preceding 12 months, has fewer than six
408 clients who are residents of this state.
409 b. With a place of business in this state if the person has
410 had, during the preceding 12 months, fewer than six clients who
411 are residents of this state and no clients who are not residents
412 of this state.
413
414 As used in this subparagraph, the term “client” has the same
415 meaning as provided in Securities and Exchange Commission Rule
416 222-2 275.222-2, 17 C.F.R. s. 275.222-2, as amended.
417 8. A federal covered adviser.
418 9. The United States, a state, or any political subdivision
419 of a state, or any agency, authority, or instrumentality of any
420 such entity; a business entity that is wholly owned directly or
421 indirectly by such a governmental entity; or any officer, agent,
422 or employee of any such governmental or business entity who is
423 acting within the scope of his or her official duties.
424 10. A family office as defined in Securities and Exchange
425 Commission Rule 202(a)(11)(G)-1(b) and (d) under the Investment
426 Advisers Act of 1940, 17 C.F.R. s. 275. 202(a)(11)(G)-1(b) and
427 (d), as amended, without giving regard to paragraph 1(a) or
428 paragraph 1(c) of that rule.
429 (28) “Place of business” of an investment adviser means an
430 office at which the investment adviser regularly provides
431 investment advisory services to, solicits, meets with, or
432 otherwise communicates with clients; and any other location that
433 is held out to the general public as a location at which the
434 investment adviser provides investment advisory services to,
435 solicits, meets with, or otherwise communicates with clients.
436 Section 4. Section 559.952, Florida Statutes, is amended to
437 read:
438 559.952 Financial Technology Sandbox.—
439 (1) SHORT TITLE.—This section may be cited as the
440 “Financial Technology Sandbox.”
441 (2) CREATION OF THE FINANCIAL TECHNOLOGY SANDBOX.—There is
442 created the Financial Technology Sandbox within the Office of
443 Financial Regulation to allow financial technology innovators to
444 test new products and services in a supervised, flexible
445 regulatory sandbox using exceptions to specified general law and
446 waivers of specified provisions of general law and the
447 corresponding rule requirements under defined conditions. The
448 creation of a supervised, flexible regulatory sandbox provides a
449 welcoming business environment for technology innovators and may
450 lead to significant business growth.
451 (3) DEFINITIONS.—As used in this section, the term:
452 (a) “Business entity” means any corporation, limited
453 liability company, or trust that may or may not be fictitiously
454 named and that does business in this state a domestic
455 corporation or other organized domestic entity with a physical
456 presence, other than that of a registered office or agent or
457 virtual mailbox, in this state.
458 (b) “Commission” means the Financial Services Commission.
459 (c) “Consumer” means a person in this state, whether a
460 natural person or a business organization, who purchases, uses,
461 receives, or enters into an agreement to purchase, use, or
462 receive a an innovative financial product or service made
463 available through the Financial Technology Sandbox.
464 (d) “Control person” means an individual, a partnership, a
465 corporation, a trust, or other organization that possesses the
466 power, directly or indirectly, to direct the management or
467 policies of a company, whether through ownership of securities,
468 by contract, or through other means. A person is presumed to
469 control a company if, with respect to a particular company, that
470 person:
471 1. Is a director, a general partner, or an officer
472 exercising executive responsibility or having similar status or
473 functions;
474 2. Directly or indirectly may vote 10 percent or more of a
475 class of a voting security or sell or direct the sale of 10
476 percent or more of a class of voting securities; or
477 3. In the case of a partnership, may receive upon
478 dissolution or has contributed 10 percent or more of the
479 capital.
480 (e) “Corresponding rule requirements” means the commission
481 rules, or portions thereof, which implement the general laws
482 enumerated in paragraph (4)(a).
483 (f) “Financial product or service” means a product or
484 service related to a consumer finance loan, as defined in s.
485 516.01, or credit, banking services, money transmission, or
486 securities transactions a money transmitter or payment
487 instrument seller, as those terms are defined in s. 560.103,
488 including mediums of exchange that are in electronic or digital
489 form, which is subject to the general laws enumerated in
490 paragraph (4)(a) and corresponding rule requirements and which
491 is under the jurisdiction of the office.
492 (g) “Financial Technology Sandbox” means the program
493 created by this section which allows a licensee to make a an
494 innovative financial product or service available to consumers
495 during a sandbox period through waivers of exceptions to general
496 laws and waivers of corresponding rule requirements.
497 (h) “Innovative” means new or emerging technology, or new
498 uses of existing technology, which provide a product, service,
499 business model, or delivery mechanism to the public and which
500 are not known to have a comparable offering in this state
501 outside the Financial Technology Sandbox.
502 (h)(i) “Licensee” means a business entity that has been
503 approved by the office to participate in the Financial
504 Technology Sandbox.
505 (i)(j) “Office” means, unless the context clearly indicates
506 otherwise, the Office of Financial Regulation.
507 (j)(k) “Sandbox period” means the initial 24-month period
508 in which the office has authorized a licensee to make a an
509 innovative financial product or service available to consumers,
510 and any extension granted pursuant to subsection (7).
511 (4) WAIVERS OF EXCEPTIONS TO GENERAL LAW AND CORRESPONDING
512 WAIVERS OF RULE REQUIREMENTS.—
513 (a) Notwithstanding any other law, upon approval of a
514 Financial Technology Sandbox application, the office may grant
515 an applicant during a sandbox period a waiver of a requirement,
516 or a portion thereof, imposed by a general law or rule in any
517 following chapter, or part thereof, if all of the conditions in
518 paragraph (b) are met following provisions and corresponding
519 rule requirements are not applicable to the licensee during the
520 sandbox period:
521 1. Chapter 516, Consumer Finance.
522 2. Chapter 517, Securities Transactions.
523 3. Chapter 520, Retail Installment Sales.
524 4. Chapter 537, Title Loans.
525 5. Part I or part II of chapter 560, General Provisions of
526 Money Services Businesses or Payment Instruments and Funds
527 Transmission.
528 6. Chapter 655, Financial Institutions Generally.
529 7. Chapter 657, Credit Unions.
530 8. Chapter 658, Banks and Trust Companies.
531 9. Chapter 660, Trust Business.
532 10. Chapter 662, Family Trust Companies.
533 11. Chapter 663, International Banking.
534 1. Section 516.03(1), except for the application fee, the
535 investigation fee, the requirement to provide the social
536 security numbers of control persons, evidence of liquid assets
537 of at least $25,000 or documents satisfying the requirements of
538 s. 516.05(10), and the office’s authority to investigate the
539 applicant’s background. The office may prorate the license
540 renewal fee for an extension granted under subsection (7).
541 2. Section 516.05(1) and (2), except that the office shall
542 investigate the applicant’s background.
543 3. Section 560.109, only to the extent that the section
544 requires the office to examine a licensee at least once every 5
545 years.
546 4. Section 560.118(2).
547 5. Section 560.125(1), only to the extent that the
548 subsection would prohibit a licensee from engaging in the
549 business of a money transmitter or payment instrument seller
550 during the sandbox period.
551 6. Section 560.125(2), only to the extent that the
552 subsection would prohibit a licensee from appointing an
553 authorized vendor during the sandbox period. Any authorized
554 vendor of such a licensee during the sandbox period remains
555 liable to the holder or remitter.
556 7. Section 560.128.
557 8. Section 560.141, except for s. 560.141(1)(a)1., 3., 7.
558 10. and (b), (c), and (d).
559 9. Section 560.142(1) and (2), except that the office may
560 prorate, but may not entirely eliminate, the license renewal
561 fees in s. 560.143 for an extension granted under subsection
562 (7).
563 10. Section 560.143(2), only to the extent necessary for
564 proration of the renewal fee under subparagraph 9.
565 11. Section 560.204(1), only to the extent that the
566 subsection would prohibit a licensee from engaging in, or
567 advertising that it engages in, the activity of a payment
568 instrument seller or money transmitter during the sandbox
569 period.
570 12. Section 560.205(2).
571 13. Section 560.208(2).
572 14. Section 560.209, only to the extent that the office may
573 modify, but may not entirely eliminate, the net worth, corporate
574 surety bond, and collateral deposit amounts required under that
575 section. The modified amounts must be in such lower amounts that
576 the office determines to be commensurate with the factors under
577 paragraph (5)(c) and the maximum number of consumers authorized
578 to receive the financial product or service under this section.
579 (b) The office may grant an applicant during a sandbox
580 period a waiver of a requirement, or a portion thereof, imposed
581 by a general law or rule in any chapter enumerated in paragraph
582 (a) if all of the following conditions are met: approve a
583 Financial Technology Sandbox application if one or more of the
584 general laws enumerated in paragraph (a) currently prevent the
585 innovative financial product or service from being made
586 available to consumers and if all other requirements of this
587 section are met.
588 1. The general law or rule does not currently authorize the
589 financial product or service to be made available to consumers.
590 2. The waiver is not broader than necessary to accomplish
591 the purposes and standards specified in this section, as
592 determined by the office.
593 3. Any provision relating to the liability of an
594 incorporator, director, or officer of the applicant is not
595 eligible for a waiver.
596 (c) A licensee may conduct business through electronic
597 means, including through the Internet or a software application.
598 (5) FINANCIAL TECHNOLOGY SANDBOX APPLICATION; STANDARDS FOR
599 APPROVAL.—
600 (a) Before filing an application for licensure under this
601 section, a substantially affected person may seek a declaratory
602 statement pursuant to s. 120.565 regarding the applicability of
603 a statute, a rule, or an agency order to the petitioner’s
604 particular set of circumstances or a variance or waiver of a
605 rule pursuant to s. 120.542.
606 (b) Before making a an innovative financial product or
607 service available to consumers in the Financial Technology
608 Sandbox, a business entity must file with the office an
609 application for licensure under the Financial Technology
610 Sandbox. The commission shall, by rule, prescribe the form and
611 manner of the application and how the office will evaluate and
612 apply each of the factors specified in paragraph (c).
613 1. The application must specify each general law enumerated
614 in paragraph (4)(a) which currently prevents the innovative
615 financial product or service from being made available to
616 consumers and the reasons why those provisions of general law
617 prevent the innovative financial product or service from being
618 made available to consumers.
619 2. The application must contain sufficient information for
620 the office to evaluate the factors specified in paragraph (c).
621 3. An application submitted on behalf of a business entity
622 must include evidence that the business entity has authorized
623 the person to submit the application on behalf of the business
624 entity intending to make a an innovative financial product or
625 service available to consumers.
626 4. The application must specify the maximum number of
627 consumers, which may not exceed the number of consumers
628 specified in paragraph (f), to whom the applicant proposes to
629 provide the innovative financial product or service.
630 5. The application must include a proposed draft of the
631 statement or statements meeting the requirements of paragraph
632 (6)(b) which the applicant proposes to provide to consumers.
633 (c) The office shall approve or deny in writing a Financial
634 Technology Sandbox application within 60 days after receiving
635 the completed application. The office and the applicant may
636 jointly agree to extend the time beyond 60 days. Consistent with
637 this section, the office may impose conditions on any approval.
638 In deciding whether to approve or deny an application for
639 licensure, the office must consider each of the following:
640 1. The nature of the innovative financial product or
641 service proposed to be made available to consumers in the
642 Financial Technology Sandbox, including all relevant technical
643 details.
644 2. The potential risk to consumers and the methods that
645 will be used to protect consumers and resolve complaints during
646 the sandbox period.
647 2.3. The business plan proposed by the applicant, including
648 company information, market analysis, and financial projections
649 or pro forma financial statements, and evidence of the financial
650 viability of the applicant.
651 4. Whether the applicant has the necessary personnel,
652 adequate financial and technical expertise, and a sufficient
653 plan to test, monitor, and assess the innovative financial
654 product or service.
655 3.5. Whether any control person of the applicant,
656 regardless of adjudication, has pled no contest to, has been
657 convicted or found guilty of, or is currently under
658 investigation for fraud, a state or federal securities
659 violation, a property-based offense, or a crime involving moral
660 turpitude or dishonest dealing, in which case the application to
661 the Financial Technology Sandbox must be denied.
662 4.6. A copy of the disclosures that will be provided to
663 consumers under paragraph (6)(b).
664 5.7. The financial responsibility of the applicant and any
665 control person, including whether the applicant or any control
666 person has a history of unpaid liens, unpaid judgments, or other
667 general history of nonpayment of legal debts, including, but not
668 limited to, having been the subject of a petition for bankruptcy
669 under the United States Bankruptcy Code within the past 7
670 calendar years.
671 6.8. Any other factor that the office determines to be
672 relevant.
673 (d) The office may not approve an application if:
674 1. The applicant had a prior Financial Technology Sandbox
675 application that was approved and that related to a
676 substantially similar financial product or service;
677 2. Any control person of the applicant was substantially
678 involved in the development, operation, or management with
679 another Financial Technology Sandbox applicant whose application
680 was approved and whose application related to a substantially
681 similar financial product or service; or
682 3. The applicant or any control person has failed to
683 affirmatively demonstrate financial responsibility.
684 (e) Upon approval of an application, the office shall
685 notify the licensee of the specific that the licensee is exempt
686 from the provisions of general law enumerated in paragraph
687 (4)(a) and the corresponding rule requirements that are waived
688 during the sandbox period. The office shall post on its website
689 notice of the approval of the application, a summary of the
690 innovative financial product or service, and the contact
691 information of the licensee.
692 (f) The office, on a case-by-case basis, may shall specify
693 the maximum number of consumers authorized to receive a an
694 innovative financial product or service, after consultation with
695 the Financial Technology Sandbox applicant. The office may not
696 authorize more than 15,000 consumers to receive the financial
697 product or service until the licensee has filed the first report
698 required under subsection (8). After the filing of that report,
699 if the licensee demonstrates adequate financial capitalization,
700 risk management processes, and management oversight, the office
701 may authorize up to 25,000 consumers to receive the financial
702 product or service.
703 (g) A licensee has a continuing obligation to promptly
704 inform the office of any material change to the information
705 provided under paragraph (b).
706 (h) The following information provided to and held by the
707 office in a Financial Technology Sandbox application under this
708 subsection is confidential and exempt from s. 119.07(1) and s.
709 24(a), Art. I of the State Constitution:
710 1. The reasons why a general law enumerated in paragraph
711 (4)(a) prevents the innovative financial product or service from
712 being made available to consumers.
713 2. The information provided for evaluation of the factors
714 specified in subparagraphs (c)1. and 2. 3.
715 3. The information provided for evaluation of whether the
716 applicant has a sufficient plan to test, monitor, and assess the
717 innovative financial product or service, under subparagraph
718 (c)4.
719
720 However, the confidential and exempt information may be released
721 to appropriate state and federal agencies for the purposes of
722 investigation. Nothing in this paragraph shall be construed to
723 prevent the office from disclosing a summary of the innovative
724 financial product or service.
725 (6) OPERATION OF THE FINANCIAL TECHNOLOGY SANDBOX.—
726 (a) A licensee may make a an innovative financial product
727 or service available to consumers during the sandbox period.
728 (b)1. Before a consumer purchases, uses, receives, or
729 enters into an agreement to purchase, use, or receive a an
730 innovative financial product or service through the Financial
731 Technology Sandbox, the licensee must provide a written
732 statement of all of the following to the consumer:
733 a. The name and contact information of the licensee.
734 b. That the financial product or service has been
735 authorized to be made available to consumers for a temporary
736 period by the office, under the laws of this state.
737 c. That the state does not endorse the financial product or
738 service.
739 d. That the financial product or service is undergoing
740 testing, may not function as intended, and may entail financial
741 risk.
742 e. That the licensee is not immune from civil liability for
743 any losses or damages caused by the financial product or
744 service.
745 f. The expected end date of the sandbox period.
746 g. The contact information for the office and notification
747 that suspected legal violations, complaints, or other comments
748 related to the financial product or service may be submitted to
749 the office.
750 h. Any other statements or disclosures required by rule of
751 the commission which are necessary to further the purposes of
752 this section.
753 2. The written statement under subparagraph 1. must contain
754 an acknowledgment from the consumer, which must be retained for
755 the duration of the sandbox period by the licensee.
756 (c) The office may enter into an agreement with a state,
757 federal, or foreign regulatory agency to allow licensees under
758 the Financial Technology Sandbox to make their products or
759 services available in other jurisdictions. The commission shall
760 adopt rules to implement this paragraph.
761 (d) The office may examine the records of a licensee at any
762 time, with or without prior notice.
763 (7) EXTENSION AND CONCLUSION OF SANDBOX PERIOD.—
764 (a) A licensee may apply for one extension of the initial
765 24-month sandbox period for 12 additional months for a purpose
766 specified in subparagraph (b)1. or subparagraph (b)2. A complete
767 application for an extension must be filed with the office at
768 least 90 days before the conclusion of the initial sandbox
769 period. The office shall approve or deny the application for
770 extension in writing at least 35 days before the conclusion of
771 the initial sandbox period. In determining whether to approve or
772 deny an application for extension of the sandbox period, the
773 office must, at a minimum, consider the current status of the
774 factors previously considered under paragraph (5)(c).
775 (b) An application for an extension under paragraph (a)
776 must cite one of the following reasons as the basis for the
777 application and must provide all relevant supporting
778 information:
779 1. Amendments to general law or rules are necessary to
780 offer the innovative financial product or service in this state
781 permanently.
782 2. An application for a license that is required in order
783 to offer the innovative financial product or service in this
784 state permanently has been filed with the office and approval is
785 pending.
786 (c) At least 30 days before the conclusion of the initial
787 24-month sandbox period or the extension, whichever is later, a
788 licensee shall provide written notification to consumers
789 regarding the conclusion of the initial sandbox period or the
790 extension and may not make the financial product or service
791 available to any new consumers after the conclusion of the
792 initial sandbox period or the extension, whichever is later,
793 until legal authority outside of the Financial Technology
794 Sandbox exists for the licensee to make the financial product or
795 service available to consumers. After the conclusion of the
796 sandbox period or the extension, whichever is later, the
797 business entity formerly licensed under the Financial Technology
798 Sandbox may:
799 1. Collect and receive money owed to the business entity or
800 pay money owed by the business entity, based on agreements with
801 consumers made before the conclusion of the sandbox period or
802 the extension.
803 2. Take necessary legal action.
804 3. Take other actions authorized by commission rule which
805 are not inconsistent with this section.
806 (8) REPORT.—A licensee shall submit a report to the office
807 twice a year as prescribed by commission rule. The report must,
808 at a minimum, include financial reports and the number of
809 consumers who have received the financial product or service.
810 (9) CONSTRUCTION.—A business entity whose Financial
811 Technology Sandbox application is approved under this section:
812 (a) Shall be deemed to possess an appropriate license under
813 any general law requiring state licensure or authorization.
814 (b) Does not obtain a property right.
815 (c) Is not, nor is its financial product or service,
816 endorsed by this state, nor is this state subject to liability
817 for losses or damages caused by the financial product or
818 service.
819 (a) Is licensed under chapter 516, chapter 560, or both
820 chapters 516 and 560, as applicable to the business entity’s
821 activities.
822 (b) Is subject to any provision of chapter 516 or chapter
823 560 not specifically excepted under paragraph (4)(a), as
824 applicable to the business entity’s activities, and must comply
825 with such provisions.
826 (c) May not engage in activities authorized under part III
827 of chapter 560, notwithstanding s. 560.204(2).
828 (10) VIOLATIONS AND PENALTIES.—
829 (a) A licensee who makes a an innovative financial product
830 or service available to consumers in the Financial Technology
831 Sandbox remains subject to:
832 1. Civil damages for acts and omissions arising from or
833 related to any innovative financial product or services provided
834 or made available by the licensee or relating to this section.
835 2. All criminal and consumer protection laws and any other
836 statute not specifically excepted under paragraph (4)(a).
837 (b)1. The office may, by order, revoke or suspend a
838 licensee’s approval to participate in the Financial Technology
839 Sandbox if:
840 a. The licensee has violated or refused to comply with this
841 section, any statute not specifically excepted under paragraph
842 (4)(a), a rule of the commission that has not been waived, an
843 order of the office, or a condition placed by the office on the
844 approval of the licensee’s Financial Technology Sandbox
845 application;
846 b. A fact or condition exists that, if it had existed or
847 become known at the time that the Financial Technology Sandbox
848 application was pending, would have warranted denial of the
849 application or the imposition of material conditions;
850 c. A material error, false statement, misrepresentation, or
851 material omission was made in the Financial Technology Sandbox
852 application; or
853 d. After consultation with the licensee, the office
854 determines that continued testing of the innovative financial
855 product or service would:
856 (I) Be likely to harm consumers; or
857 (II) No longer serve the purposes of this section because
858 of the financial or operational failure of the financial product
859 or service.
860 2. Written notice of a revocation or suspension order made
861 under subparagraph 1. must be served using any means authorized
862 by law. If the notice relates to a suspension, the notice must
863 include any condition or remedial action that the licensee must
864 complete before the office lifts the suspension.
865 (c) The office may refer any suspected violation of law to
866 an appropriate state or federal agency for investigation,
867 prosecution, civil penalties, and other appropriate enforcement
868 action.
869 (d) If service of process on a licensee is not feasible,
870 service on the office is deemed service on the licensee.
871 (11) RULES AND ORDERS.—
872 (a) The commission shall adopt rules to administer this
873 section before approving any application under this section.
874 (b) The office may issue all necessary orders to enforce
875 this section and may enforce these orders in accordance with
876 chapter 120 or in any court of competent jurisdiction. These
877 orders include, but are not limited to, orders for payment of
878 restitution for harm suffered by consumers as a result of a an
879 innovative financial product or service.
880 Section 5. Subsections (1) and (2) of section 560.114,
881 Florida Statutes, are amended to read:
882 560.114 Disciplinary actions; penalties.—
883 (1) The following actions by a money services business, an
884 authorized vendor, or a affiliated party that was affiliated at
885 the time of commission of the actions constitute grounds for the
886 issuance of a cease and desist order; the issuance of a removal
887 order; the denial, suspension, or revocation of a license; or
888 taking any other action within the authority of the office
889 pursuant to this chapter:
890 (a) Failure to comply with any provision of this chapter or
891 related rule or order, or any written agreement entered into
892 with the office.
893 (b) Fraud, misrepresentation, deceit, or gross negligence
894 in any transaction by a money services business, regardless of
895 reliance thereon by, or damage to, a customer.
896 (c) Fraudulent misrepresentation, circumvention, or
897 concealment of any matter that must be stated or furnished to a
898 customer pursuant to this chapter, regardless of reliance
899 thereon by, or damage to, such customer.
900 (d) False, deceptive, or misleading advertising.
901 (e) Failure to maintain, preserve, keep available for
902 examination, and produce all books, accounts, files, or other
903 documents required by this chapter or related rules or orders,
904 by 31 C.F.R. ss. 1010.306, 1010.311, 1010.312, 1010.340,
905 1010.410, 1010.415, 1022.210, 1022.320, 1022.380, and 1022.410,
906 or by an agreement entered into with the office.
907 (f) Refusing to allow the examination or inspection of
908 books, accounts, files, or other documents by the office
909 pursuant to this chapter, or to comply with a subpoena issued by
910 the office.
911 (g) Failure to pay a judgment recovered in any court by a
912 claimant in an action arising out of a money transmission
913 transaction within 30 days after the judgment becomes final.
914 (h) Engaging in an act prohibited under s. 560.111 or s.
915 560.1115.
916 (i) Insolvency.
917 (j) Failure by a money services business to remove an
918 affiliated party after the office has issued and served upon the
919 money services business a final order setting forth a finding
920 that the affiliated party has violated a provision of this
921 chapter.
922 (k) Making a material misstatement, misrepresentation, or
923 omission in an application for licensure, any amendment to such
924 application, or application for the appointment of an authorized
925 vendor.
926 (l) Committing any act that results in a license or its
927 equivalent, to practice any profession or occupation being
928 denied, suspended, revoked, or otherwise acted against by a
929 licensing authority in any jurisdiction.
930 (m) Being the subject of final agency action or its
931 equivalent, issued by an appropriate regulator, for engaging in
932 unlicensed activity as a money services business or deferred
933 presentment provider in any jurisdiction.
934 (n) Committing any act resulting in a license or its
935 equivalent to practice any profession or occupation being
936 denied, suspended, revoked, or otherwise acted against by a
937 licensing authority in any jurisdiction for a violation of 18
938 U.S.C. s. 1956, 18 U.S.C. s. 1957, 18 U.S.C. s. 1960, 31 U.S.C.
939 s. 5324, or any other law or rule of another state or of the
940 United States relating to a money services business, deferred
941 presentment provider, or usury that may cause the denial,
942 suspension, or revocation of a money services business or
943 deferred presentment provider license or its equivalent in such
944 jurisdiction.
945 (o) Having been convicted of, or entered a plea of guilty
946 or nolo contendere to, any felony or crime punishable by
947 imprisonment of 1 year or more under the law of any state or the
948 United States which involves fraud, moral turpitude, or
949 dishonest dealing, regardless of adjudication.
950 (p) Having been convicted of, or entered a plea of guilty
951 or nolo contendere to, a crime under 18 U.S.C. s. 1956 or 31
952 U.S.C. s. 5318, s. 5322, or s. 5324, regardless of adjudication.
953 (q) Having been convicted of, or entered a plea of guilty
954 or nolo contendere to, misappropriation, conversion, or unlawful
955 withholding of moneys belonging to others, regardless of
956 adjudication.
957 (r) Having been convicted of, or entered a plea of guilty
958 or nolo contendere to, a violation of 31 C.F.R. chapter X, part
959 1022, regardless of adjudication.
960 (s)(r) Failure to inform the office in writing within 30
961 days after having pled guilty or nolo contendere to, or being
962 convicted of, any felony or crime punishable by imprisonment of
963 1 year or more under the law of any state or the United States,
964 or any crime involving fraud, moral turpitude, or dishonest
965 dealing.
966 (t)(s) Aiding, assisting, procuring, advising, or abetting
967 any person in violating a provision of this chapter or any order
968 or rule of the office or commission.
969 (u)(t) Failure to pay any fee, charge, or cost imposed or
970 assessed under this chapter.
971 (v)(u) Failing to pay a fine assessed by the office within
972 30 days after the due date as stated in a final order.
973 (w)(v) Failure to pay any judgment entered by any court
974 within 30 days after the judgment becomes final.
975 (x)(w) Engaging or advertising engagement in the business
976 of a money services business or deferred presentment provider
977 without a license, unless exempted from licensure.
978 (y)(x) Payment to the office for a license or other fee,
979 charge, cost, or fine with a check or electronic transmission of
980 funds that is dishonored by the applicant’s or licensee’s
981 financial institution.
982 (z)(y) Violations of 31 C.F.R. ss. 1010.306, 1010.311,
983 1010.312, 1010.340, 1010.410, 1010.415, 1022.210, 1022.320,
984 1022.380, and 1022.410, and United States Treasury Interpretive
985 Release 2004-1.
986 (aa)(z) Any practice or conduct that creates the likelihood
987 of a material loss, insolvency, or dissipation of assets of a
988 money services business or otherwise materially prejudices the
989 interests of its customers.
990 (bb)(aa) Failure of a check casher to maintain a federally
991 insured depository account as required by s. 560.309.
992 (cc)(bb) Failure of a check casher to deposit into its own
993 federally insured depository account any payment instrument
994 cashed as required by s. 560.309.
995 (dd)(cc) Violating any provision of the Military Lending
996 Act, 10 U.S.C. s. 987, or the regulations adopted under that act
997 in 32 C.F.R. part 232, in connection with a deferred presentment
998 transaction conducted under part IV of this chapter.
999 (ee) Failure to comply with the notification requirements
1000 in s. 501.171(3) and (4).
1001 (2) Pursuant to s. 120.60(6), The office shall issue an
1002 emergency order suspending may summarily suspend the license of
1003 a money services business if the office finds that a licensee
1004 poses an immediate, serious danger to the public health, safety,
1005 and welfare. A proceeding in which the office seeks the issuance
1006 of a final order for the summary suspension of a licensee shall
1007 be conducted by the commissioner of the office, or his or her
1008 designee, who shall issue such order. The following acts are
1009 deemed by the Legislature to constitute an immediate and serious
1010 danger to the public health, safety, and welfare, and the office
1011 shall may immediately suspend the license of a money services
1012 business without making any further findings of immediate
1013 danger, necessity, and procedural fairness if:
1014 (a) The money services business fails to provide to the
1015 office, upon written request, any of the records required by s.
1016 560.123, s. 560.1235, s. 560.211, or s. 560.310 or any rule
1017 adopted under those sections. The suspension may be rescinded if
1018 the licensee submits the requested records to the office.
1019 (b) The money services business fails to maintain a
1020 federally insured depository account as required by s.
1021 560.208(4) or s. 560.309.
1022 (c) A natural person required to be listed on the license
1023 application for a money services business pursuant to s.
1024 560.141(1)(a)3. is criminally charged with, or arrested for, a
1025 crime described in paragraph (1)(o), paragraph (1)(p), or
1026 paragraph (1)(q).
1027 Section 6. Section 560.1311, Florida Statutes, is created
1028 to read:
1029 560.1311 Information security programs; cybersecurity event
1030 investigations.—
1031 (1) DEFINITIONS.—As used in this section, the term:
1032 (a) “Customer” means a person who seeks to obtain or who
1033 obtains or has obtained a financial product or service from a
1034 licensee.
1035 (b) “Customer information” means any record containing
1036 nonpublic personal information about a customer of a financial
1037 transaction, whether on paper, electronic, or in other forms,
1038 which is handled or maintained by or on behalf of the licensee
1039 or its affiliates.
1040 (c) “Cybersecurity event” means an event resulting in
1041 unauthorized access to, or disruption or misuse of, an
1042 information system, information stored on such information
1043 system, or customer information held in physical form.
1044 (d) “Financial product or service” means any product or
1045 service offered by a licensee under this chapter.
1046 (e) “Information security program” means the
1047 administrative, technical, or physical safeguards used to
1048 access, collect, distribute, process, protect, store, use,
1049 transmit, dispose of, or otherwise handle customer information.
1050 (f) “Information system” means a discrete set of electronic
1051 information resources organized for the collection, processing,
1052 maintenance, use, sharing, dissemination, or disposition of
1053 electronic information, as well as any specialized system such
1054 as an industrial process control system, telephone switching and
1055 private branch exchange system, or environmental control system,
1056 which contain customer information or which are connected to a
1057 system that contains customer information.
1058 (g)1. “Nonpublic personal information” means:
1059 a. Personally identifiable financial information; and
1060 b. Any list, description, or other grouping of customers
1061 which is derived using any personally identifiable financial
1062 information that is not publicly available, such as account
1063 numbers, including any list of individuals’ names and street
1064 addresses which is derived, in whole or in part, using
1065 personally identifiable financial information that is not
1066 publicly available.
1067 2. The term does not include:
1068 a. Publicly available information, except as included on a
1069 list, description, or other grouping of customers described in
1070 sub-subparagraph 1.b.;
1071 b. Any list, description, or other grouping of consumers,
1072 or any publicly available information pertaining to such list,
1073 description, or other grouping of consumers, which is derived
1074 without using any personally identifiable financial information
1075 that is not publicly available; or
1076 c. Any list of individuals’ names and addresses which
1077 contains only publicly available information, is not derived, in
1078 whole or in part, using personally identifiable financial
1079 information that is not publicly available, and is not disclosed
1080 in a manner that indicates that any of the individuals on the
1081 list is a customer of a licensee.
1082 3. As used in this paragraph, the term:
1083 a.(I) “Personally identifiable financial information” means
1084 any information that:
1085 (A) A customer provides to a licensee to obtain a financial
1086 product or service, such as information that a customer provides
1087 to a licensee on an application to obtain a loan or other
1088 financial product or service;
1089 (B) A licensee receives about a consumer which is obtained
1090 during or as a result of any transaction involving a financial
1091 product or service between the licensee and the customer, such
1092 as information collected through an information-collecting
1093 device from a web server; or
1094 (C) A licensee otherwise obtains about a customer in
1095 connection with providing a financial product or service to the
1096 customer, such as the fact that an individual is or has been one
1097 of the licensee’s customers or has obtained a financial product
1098 or service from the licensee.
1099 (II) The term “personally identifiable financial
1100 information” does not include:
1101 (A) A list of names and addresses of customers of an entity
1102 that is not a financial institution; or
1103 (B) Information that does not identify a customer, such as
1104 blind data or aggregate information that does not contain
1105 personal identifiers such as account numbers, names, or
addresses.

b.(I) “Publicly available information” means any information that a licensee has a reasonable basis to believe is lawfully made available to the general public from:

(A) Federal, state, or local government records, such as government real estate records or security interest filings;

(B) Widely distributed media, such as information from a telephone records repository or directory, a television or radio program, a newspaper, a social media platform, or a website that is available to the general public on an unrestricted basis. A website is not restricted merely because an Internet service provider or a site operator requires a fee or a password, so long as access is available to the general public; or

(C) Disclosures to the general public which are required to be made by federal, state, or local law.

(II) As used in this sub-subparagraph, the term “reasonable basis to believe is lawfully made available to the general public” relating to any information means that the person has taken steps to determine:

(A) That the information is of the type that is available to the general public, such as information included on the public record in the jurisdiction where the mortgage would be recorded; and

(B) Whether an individual can direct that the information not be made available to the general public and, if so, the customer to whom the information relates has not done so, such as when a telephone number is listed in a telephone directory and the customer has informed the licensee that the telephone number is not unlisted.

(h) “Third-party service provider” means a person, other than a licensee, which contracts with a licensee to maintain, process, or store nonpublic personal information, or is otherwise permitted access to nonpublic personal information through its provision of services to a licensee.

(2) INFORMATION SECURITY PROGRAM.—

(a) Each licensee shall develop, implement, and maintain a comprehensive written information security program that contains administrative, technical, and physical safeguards for the protection of the licensee’s information system and nonpublic personal information.

(b) Each licensee shall ensure that the information security program meets all of the following criteria:

1. Be commensurate with the following measures:

a. Size and complexity of the licensee.

b. Nature and scope of the licensee’s activities, including the licensee’s use of third-party service providers.

c. Sensitivity of nonpublic personal information that is used by the licensee or that is in the licensee’s possession, custody, or control.

2. Be designed to do all of the following:

a. Protect the security and confidentiality of nonpublic personal information and the security of the licensee’s information system.

b. Protect against threats or hazards to the security or integrity of nonpublic personal information and the licensee’s information system.

c. Protect against unauthorized access to or the use of nonpublic personal information and minimize the likelihood of harm to any customer.

3. Define and periodically reevaluate the retention schedule and the mechanism for the destruction of nonpublic personal information if retention is no longer necessary for the licensee’s business operations or is no longer required by applicable law.

4. Regularly test and monitor systems and procedures for the detection of actual and attempted attacks on, or intrusions into, the licensee’s information system.

5. Be monitored, evaluated, and adjusted, as necessary, to meet all of the following requirements:

a. Determine whether the licensee’s information security program is consistent with relevant changes in technology.

b. Confirm the licensee’s information security program accounts for the sensitivity of nonpublic personal information.

c. Identify changes that may be necessary to the licensee’s information system.

d. Eliminate any internal or external threats to nonpublic personal information.

e. Amend the licensee’s information security program for any of the licensee’s changing business arrangements, including, but not limited to, mergers and acquisitions, alliances and joint ventures, and outsourcing arrangements.

(c)1. As part of a licensee’s information security program, the licensee shall establish a written incident response plan designed to promptly respond to, and recover from, a cybersecurity event that compromises:

a. The confidentiality, integrity, or availability of nonpublic personal information in the licensee’s possession;

b. The licensee’s information system; or

c. The continuing functionality of any aspect of the licensee’s operations.

2. The written incident response plan must address all of the following:

a. The licensee’s internal process for responding to a cybersecurity event.

b. The goals of the licensee’s incident response plan.

c. The assignment of clear roles, responsibilities, and levels of decisionmaking authority for the licensee’s personnel that participate in the incident response plan.

d. External communications, internal communications, and information sharing related to a cybersecurity event.

e. The identification of remediation requirements for weaknesses identified in information systems and associated controls.

f. The documentation and reporting regarding cybersecurity events and related incident response activities.

g. The evaluation and revision of the incident response plan, as appropriate, following a cybersecurity event.

h. The process by which notice must be given as required under subsection (4) and s. 501.171(3) and (4).

(d)1. This section does not apply to a licensee that has fewer than:

a. Twenty individuals on its workforce, including employees and independent contractors; or

b. Five hundred customers during a calendar year.

2. A licensee that no longer qualifies for exemption under subparagraph 1. has 180 calendar days to comply with this section after the date of the disqualification.

(e) Each licensee shall maintain a copy of the information security program for a minimum of 5 years and shall make it available to the office upon request or as part of an examination.

(3) CYBERSECURITY EVENT INVESTIGATION.—

(a) If a licensee discovers that a cybersecurity event has occurred or that a cybersecurity event may have occurred, the licensee, or an outside vendor or third-party service provider that the licensee has designated to act on its behalf, shall conduct a prompt investigation of the cybersecurity event.

(b) During the investigation, the licensee, or the outside vendor or third-party service provider that the licensee has designated to act on its behalf, shall, at a minimum, determine as much of the following as possible:

1. Confirm that a cybersecurity event has occurred.

2. Identify the date that the cybersecurity event first occurred.

3. Assess the nature and scope of the cybersecurity event.

4. Identify all nonpublic personal information that may have been compromised by the cybersecurity event.

5. Perform or oversee reasonable measures to restore the security of any compromised information system in order to prevent further unauthorized acquisition, release, or use of nonpublic personal information that is in the licensee’s, outside vendor’s, or third-party service provider’s possession, custody, or control.

(c) If a licensee learns that a cybersecurity event has occurred, or may have occurred, in an information system maintained by a third-party service provider of the licensee, the licensee shall complete an investigation in compliance with this section or confirm and document that the third-party service provider has completed an investigation in compliance with this section.

(d) A licensee shall maintain all records and documentation related to the licensee’s investigation of a cybersecurity event for a minimum of 5 years after the date of the cybersecurity event and shall produce the records and documentation to the office upon request.

(4) NOTICE TO OFFICE OF SECURITY BREACH.—

(a) Each licensee shall provide notice to the office of any breach of security affecting 500 or more individuals in this state at a time and in the manner prescribed by commission rule.

(b) Each licensee shall, upon the office’s request, provide a quarterly update of a cybersecurity event investigation under subsection (3) until conclusion of the investigation.

(5) CONSTRUCTION.—This section may not be construed to relieve a covered entity from complying with s. 501.171. To the extent a licensee is a covered entity, as defined in s. 501.171(1), the licensee remains subject to s. 501.171.

(6) RULES.—The commission may adopt rules to administer this section, including rules that allow a licensee that is in full compliance with the Federal Trade Commission’s Standards for Safeguarding Customer Information, 16 C.F.R. part 314, to be deemed in compliance with subsection (2).
Section 7. Section 655.0171, Florida Statutes, is created to read:

655.0171 Requirements for customer data security and for notices of security breaches.—

(1) DEFINITIONS.—As used in this section, the term:

(a) “Breach of security” or “breach” means unauthorized access of data in electronic form containing personal information. Good faith access of personal information by an employee or agent of a financial institution does not constitute a breach of security, provided that the information is not used for a purpose unrelated to the business or subject to further unauthorized use. As used in this paragraph, the term “data in electronic form” means any data stored electronically or digitally on any computer system or other database and includes recordable tapes and other mass storage devices.

(b) “Department” means the Department of Legal Affairs.

(c)1. “Personal information” means:

a. An individual’s first name, or first initial, and last name, in combination with any of the following data elements for that individual:

(I) A social security number;

(II) A driver license or identification card number, passport number, military identification number, or other similar number issued on a government document used to verify identity;

(III) A financial account number or credit or debit card number, in combination with any required security code, access code, or password that is necessary to permit access to the individual’s financial account;

(IV) The individual’s biometric data as defined in s. 501.702; or

(V) Any information regarding the individual’s geolocation; or

b. A username or e-mail address, in combination with a password or security question and answer that would permit access to an online account.

2. The term does not include information about an individual which has been made publicly available by a federal, state, or local governmental entity. The term also does not include information that is encrypted, secured, or modified by any other method or technology that removes elements that personally identify an individual or that otherwise renders the information unusable.

(2) REQUIREMENTS FOR DATA SECURITY.—Each financial institution shall take reasonable measures to protect and secure data that are in electronic form and that contain personal information.

(3) NOTICE TO OFFICE AND DEPARTMENT OF SECURITY BREACH.—

(a)1. Each financial institution shall provide notice to the office of any breach of security affecting 500 or more individuals in this state. Such notice must be provided to the office as expeditiously as practicable, but no later than 30 days after the determination of the breach or the determination of a reason to believe that a breach has occurred.

2. The written notice to the office must include the items required under s. 501.171(3)(b).

3. A financial institution must provide the following information to the office upon its request:

a. A police report, incident report, or computer forensics report.

b. A copy of the policies in place regarding breaches.

c. Steps that have been taken to rectify the breach.

4. A financial institution may provide the office with supplemental information regarding a breach at any time.

(b) Each financial institution shall provide notice to the department of any breach of security affecting 500 or more individuals in this state. Such notice must be provided to the department in accordance with s. 501.171.

(4) NOTICE TO INDIVIDUALS OF SECURITY BREACH.—Each financial institution shall give notice to each individual in this state whose personal information was, or the financial institution reasonably believes to have been, accessed as a result of the breach in accordance with s. 501.171(4). The notice must be provided no later than 30 days after the determination of the breach or the determination of a reason to believe that a breach has occurred. A financial institution may receive 15 additional days to provide notice to individuals of a security breach as required in this subsection if good cause for delay is provided in writing to the office within 30 days after determination of the breach or determination of the reason to believe that a breach has occurred.

(5) NOTICE TO CREDIT REPORTING AGENCIES.—If a financial institution discovers circumstances requiring notice pursuant to this section of more than 1,000 individuals at a single time, the financial institution shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in the Fair Credit Reporting Act, 15 U.S.C. s. 1681a(p), of the timing, distribution, and content of the notices.
Section 8. Paragraph (d) of subsection (1) of section 655.045, Florida Statutes, is amended to read:

655.045 Examinations, reports, and internal audits; penalty.—

(1) The office shall conduct an examination of the condition of each state financial institution at least every 18 months. The office may conduct more frequent examinations based upon the risk profile of the financial institution, prior examination results, or significant changes in the institution or its operations. The office may use continuous, phase, or other flexible scheduling examination methods for very large or complex state financial institutions and financial institutions owned or controlled by a multi-financial institution holding company. The office shall consider examination guidelines from federal regulatory agencies in order to facilitate, coordinate, and standardize examination processes.

(d) As used in this section, the term “costs” means the salary and travel expenses directly attributable to the field staff examining the state financial institution, subsidiary, or service corporation, and the travel expenses of any supervisory staff required as a result of examination findings. The mailing of any costs incurred under this subsection must be postmarked within 45 30 days after the date of receipt of a notice stating that such costs are due. The office may levy a late payment of up to $100 per day or part thereof that a payment is overdue, unless excused for good cause. However, for intentional late payment of costs, the office may levy an administrative fine of up to $1,000 per day for each day the payment is overdue.
Section 9. Subsection (2) of section 657.005, Florida Statutes, is amended to read:

657.005 Application for authority to organize a credit union; investigation.—

(2) Any five or more individuals, a majority of whom are residents of this state and all of whom who represent a limited field of membership, may apply to the office for permission to organize a credit union. The fact that individuals within the proposed limited field of membership have credit union services available to them through another limited field of membership shall not preclude the granting of a certificate of authorization to engage in the business of a credit union.

Section 10. Subsection (1) of section 657.024, Florida Statutes, is amended to read:

657.024 Membership meetings.—

(1) The members shall receive timely notice of the annual meeting and any special meetings of the members, which shall be held at the time, place, and in the manner provided in the bylaws. The annual meeting and any special meetings of the members may be held virtually and without a quorum, subject to the bylaws.
Section 11. Paragraph (b) of subsection (3) and present subsection (5) of section 657.042, Florida Statutes, are amended to read:

657.042 Investment powers and limitations.—A credit union may invest its funds subject to the following definitions, restrictions, and limitations:

(3) INVESTMENT SUBJECT TO LIMITATION OF TWO PERCENT OF CAPITAL OF THE CREDIT UNION.—

(b) Commercial paper and bonds of any corporation within the United States which have a fixed maturity, as provided in subsection (6) (7), except that the total investment in all such paper and bonds may not exceed 10 percent of the capital of the credit union.

(5) INVESTMENTS IN REAL ESTATE AND EQUIPMENT FOR THE CREDIT UNION.—

(a) Up to 5 percent of the capital of the credit union may be invested in real estate and improvements thereon, furniture, fixtures, and equipment utilized or to be utilized by the credit union for the transaction of business.

(b) The limitations provided by this subsection may be exceeded with the prior written approval of the office. The office shall grant such approval if it is satisfied that:

1. The proposed investment is necessary.

2. The amount thereof is commensurate with the size and needs of the credit union.

3. The investment will be beneficial to the members.

4. A reasonable plan is developed to reduce the investment to statutory limits.
Section 12. Paragraphs (b) and (c) of subsection (4) of section 658.21, Florida Statutes, are amended to read:

658.21 Approval of application; findings required.—The office shall approve the application if it finds that:

(4)

(b) At least two of the proposed directors who are not also proposed officers must have had within the 10 years before the date of the application at least 1 year of direct experience as an executive officer, regulator, or director of a financial institution as specified in the application within the 5 years before the date of the application. However, if the applicant demonstrates that at least one of the proposed directors has very substantial experience as an executive officer, director, or regulator of a financial institution more than 5 years before the date of the application, the office may modify the requirement and allow the applicant to have only one director who has direct financial institution experience within the last 5 years.

(c) The proposed president or chief executive officer must have had at least 1 year of direct experience as an executive officer, director, or regulator of a financial institution within the last 10 5 years. In making a decision, the office must also consider may waive this requirement after considering:

1. The adequacy of the overall experience and expertise of the proposed president or chief executive officer;

2. The likelihood of successful operation of the proposed state bank or trust company pursuant to subsection (1);

3. The adequacy of the proposed capitalization under subsection (2);

4. The proposed capital structure under subsection (3);

5. The experience of the other proposed officers and directors; and

6. Any other relevant data or information.
Section 13. Subsection (2) of section 658.33, Florida Statutes, is amended to read:

658.33 Directors, number, qualifications; officers.—

(2) Not less than a majority of the directors must, during their whole term of service, be citizens of the United States, and at least a majority of the directors must have resided in this state for at least 1 year preceding their election and must be residents therein during their continuance in office. In the case of a bank or trust company with total assets of less than $150 million, at least one, and in the case of a bank or trust company with total assets of $150 million or more, two of the directors who are not also officers of the bank or trust company must have had at least 1 year of direct experience as an executive officer, regulator, or director of a financial institution within the last 10 5 years.
Section 14. Subsection (4) of section 662.141, Florida Statutes, is amended to read:

662.141 Examination, investigations, and fees.—The office may conduct an examination or investigation of a licensed family trust company at any time it deems necessary to determine whether the licensed family trust company or licensed family trust company-affiliated party thereof has violated or is about to violate any provision of this chapter, any applicable provision of the financial institutions codes, or any rule adopted by the commission pursuant to this chapter or the codes. The office may conduct an examination or investigation of a family trust company or foreign licensed family trust company at any time it deems necessary to determine whether the family trust company or foreign licensed family trust company has engaged in any act prohibited under s. 662.131 or s. 662.134 and, if a family trust company or a foreign licensed family trust company has engaged in such act, to determine whether any applicable provision of the financial institutions codes has been violated.

(4) For each examination of the books and records of a family trust company, licensed family trust company, or foreign licensed family trust company as authorized under this chapter, the trust company shall pay a fee for the costs of the examination by the office. As used in this section, the term “costs” means the salary and travel expenses of field staff which are directly attributable to the examination of the trust company and the travel expenses of any supervisory and support staff required as a result of examination findings. The mailing of payment for costs incurred must be postmarked within 45 30 days after the receipt of a notice stating that the costs are due. The office may levy a late payment of up to $100 per day or part thereof that a payment is overdue unless waived for good cause. However, if the late payment of costs is intentional, the office may levy an administrative fine of up to $1,000 per day for each day the payment is overdue.
Section 15. Subsection (21) of section 517.12, Florida Statutes, is amended to read:

517.12 Registration of dealers, associated persons, intermediaries, and investment advisers.—

(21) The registration requirements of this section do not apply to any general lines insurance agent or life insurance agent licensed under chapter 626, with regard to the sale of a security as defined in s. 517.021(34)(g) s. 517.021(33)(g), if the individual is directly authorized by the issuer to offer or sell the security on behalf of the issuer and the issuer is a federally chartered savings bank subject to regulation by the Federal Deposit Insurance Corporation. Actions under this subsection constitute activity under the insurance agent’s license for purposes of ss. 626.611 and 626.621.

Section 16. This act shall take effect July 1, 2026.