Florida Senate - 2026 CS for SB 540
By the Committee on Banking and Insurance; and Senator Martin
597-01923-26 2026540c1
1 A bill to be entitled
2 An act relating to the Office of Financial Regulation;
3 creating s. 494.00123, F.S.; defining terms; requiring
4 loan originators, mortgage brokers, and mortgage
5 lenders to develop, implement, and maintain
6 comprehensive written information security programs
7 for the protection of information systems and
8 nonpublic personal information; providing requirements
9 for such programs; requiring loan originators,
10 mortgage brokers, and mortgage lenders to establish
11 written incident response plans for specified
12 purposes; providing requirements for such plans;
13 providing applicability; providing compliance
14 requirements under specified circumstances; requiring
15 loan originators, mortgage brokers, and mortgage
16 lenders to maintain copies of information security
17 programs for a specified timeframe and to make them
18 available to the Office of Financial Regulation under
19 certain circumstances; requiring loan originators,
20 mortgage brokers, and mortgage lenders and certain
21 entities to conduct investigations of cybersecurity
22 events under certain circumstances; providing
23 requirements for such investigations; providing
24 requirements for records and documentation
25 maintenance; providing requirements for notices of
26 security breaches; providing construction; providing
27 rulemaking authority; amending s. 494.00255, F.S.;
28 providing additional acts that constitute a ground for
29 specified disciplinary actions against loan
30 originators and mortgage brokers; amending s. 517.021,
31 F.S.; revising the definition of the term “investment
32 adviser” and defining terms; amending s. 517.061,
33 F.S.; defining terms; creating s. 520.135, F.S.;
34 specifying that the rights and obligation of parties
35 with respect to a surrendered or repossessed motor
36 vehicle are exclusively governed by certain
37 provisions; amending s. 560.114, F.S.; specifying the
38 entities that are subject to certain disciplinary
39 actions and penalties; revising the list of actions by
40 money services businesses which constitute grounds for
41 certain disciplinary actions and penalties; requiring,
42 rather than authorizing, the office to suspend
43 licenses of money services businesses under certain
44 circumstances; creating s. 560.1311, F.S.; defining
45 terms; requiring money services businesses to develop,
46 implement, and maintain comprehensive written
47 information security programs for the protection of
48 information systems and nonpublic personal
49 information; providing requirements for such programs;
50 requiring money services businesses to establish
51 written incident response plans for specified
52 purposes; providing requirements for such plans;
53 providing applicability; providing compliance
54 requirements under specified circumstances; requiring
55 money services businesses to maintain copies of
56 information security programs for a specified
57 timeframe and to make them available to the office
58 under certain circumstances; requiring money services
59 businesses and certain entities to conduct
60 investigations of cybersecurity events under certain
61 circumstances; providing requirements for such
62 investigations; providing requirements for records and
63 documentation maintenance; providing requirements for
64 notices of security breaches; providing construction;
65 providing rulemaking authority; creating s. 655.0171,
66 F.S.; defining terms; requiring financial institutions
67 to take measures to protect and secure certain data
68 that contain personal information; providing
69 requirements for notices of security breaches to the
70 office, the Department of Legal Affairs, certain
71 individuals, and certain credit reporting agencies;
72 amending s. 655.045, F.S.; revising the timeline for
73 the mailing of payment for salary and travel expenses
74 of certain field staff; amending s. 657.005, F.S.;
75 revising requirements for permission to organize
76 credit unions; amending s. 657.024, F.S.; authorizing
77 meetings of credit union members to be held virtually
78 without an in-person quorum and authorizing virtual
79 attendance to satisfy quorum requirements under
80 certain circumstances; amending s. 657.042, F.S.;
81 removing provisions that impose limitations on
82 investments in real estate and equipment for credit
83 unions; amending s. 658.21, F.S.; revising
84 requirements and factors for approving applications
85 for organizing banks and trust companies; amending s.
86 658.33, F.S.; revising requirements for directors of
87 certain banks and trust companies; amending s.
88 662.141, F.S.; revising the timeline for the mailing
89 of payment for the salary and travel expenses of
90 certain field staff; amending s. 517.12, F.S.;
91 conforming a cross-reference; providing an effective
92 date.
93
94 Be It Enacted by the Legislature of the State of Florida:
95
96 Section 1. Section 494.00123, Florida Statutes, is created
97 to read:
98 494.00123 Information security programs; cybersecurity
99 event investigations.—
100 (1) DEFINITIONS.—As used in this section, the term:
101 (a) “Customer” means a person who seeks to obtain or who
102 obtains or has obtained a financial product or service from a
103 licensee.
104 (b) “Customer information” means any record containing
105 nonpublic personal information about a customer of a financial
106 transaction, whether on paper, electronic, or in other forms,
107 which is handled or maintained by or on behalf of the licensee
108 or its affiliates.
109 (c) “Cybersecurity event” means an event resulting in
110 unauthorized access to, or disruption or misuse of, an
111 information system, information stored on such information
112 system, or customer information held in physical form.
113 (d) “Financial product or service” means any product or
114 service offered by a licensee under this chapter.
115 (e) “Information security program” means the
116 administrative, technical, or physical safeguards used to
117 access, collect, distribute, process, protect, store, use,
118 transmit, dispose of, or otherwise handle customer information.
119 (f) “Information system” means a discrete set of electronic
120 information resources organized for the collection, processing,
121 maintenance, use, sharing, dissemination, or disposition of
122 electronic information, as well as any specialized system such
123 as an industrial process control system, telephone switching and
124 private branch exchange system, or environmental control system,
125 which contain customer information or which are connected to a
126 system that contains customer information.
127 (g) “Licensee” means a person licensed under this chapter.
128 (h)1. “Nonpublic personal information” means:
129 a. Personally identifiable financial information; and
130 b. Any list, description, or other grouping of customers
131 which is derived using any personally identifiable financial
132 information that is not publicly available, such as account
133 numbers, including any list of individuals’ names and street
134 addresses which is derived, in whole or in part, using
135 personally identifiable financial information that is not
136 publicly available.
137 2. The term does not include:
138 a. Publicly available information, except as included on a
139 list, description, or other grouping of customers described in
140 sub-subparagraph 1.b.;
141 b. Any list, description, or other grouping of consumers,
142 or any publicly available information pertaining to such list,
143 description, or other grouping of consumers, which is derived
144 without using any personally identifiable financial information
145 that is not publicly available; or
146 c. Any list of individuals’ names and addresses which
147 contains only publicly available information, is not derived, in
148 whole or in part, using personally identifiable financial
149 information that is not publicly available, and is not disclosed
150 in a manner that indicates that any of the individuals on the
151 list is a customer of a licensee.
152 3. As used in this paragraph, the term:
153 a.(I) “Personally identifiable financial information” means
154 any information that:
155 (A) A customer provides to a licensee to obtain a financial
156 product or service, such as information that a customer provides
157 to a licensee on an application to obtain a loan or other
158 financial product or service;
159 (B) A licensee receives about a consumer which is obtained
160 during or as a result of any transaction involving a financial
161 product or service between the licensee and the customer, such
162 as information collected through an information-collecting
163 device from a web server; or
164 (C) A licensee otherwise obtains about a customer in
165 connection with providing a financial product or service to the
166 customer, such as the fact that an individual is or has been one
167 of the licensee’s customers or has obtained a financial product
168 or service from the licensee.
169 (II) The term “personally identifiable financial
170 information” does not include:
171 (A) A list of names and addresses of customers of an entity
172 that is not a financial institution; or
173 (B) Information that does not identify a customer, such as
174 blind data or aggregate information that does not contain
175 personal identifiers such as account numbers, names, or
176 addresses.
177 b.(I) “Publicly available information” means any
178 information that a licensee has a reasonable basis to believe is
179 lawfully made available to the general public from:
180 (A) Federal, state, or local government records, such as
181 government real estate records or security interest filings;
182 (B) Widely distributed media, such as information from a
183 telephone records repository or directory, a television or radio
184 program, a newspaper, a social media platform, or a website that
185 is available to the general public on an unrestricted basis. A
186 website is not restricted merely because an Internet service
187 provider or a site operator requires a fee or a password, so
188 long as access is available to the general public; or
189 (C) Disclosures to the general public which are required to
190 be made by federal, state, or local law.
191 (II) As used in this sub-subparagraph, the term “reasonable
192 basis to believe is lawfully made available to the general
193 public” relating to any information means that the person has
194 taken steps to determine:
195 (A) That the information is of the type that is available
196 to the general public, such as information included on the
197 public record in the jurisdiction where the mortgage would be
198 recorded; and
199 (B) Whether an individual can direct that the information
200 not be made available to the general public and, if so, the
201 customer to whom the information relates has not done so, such
202 as when a telephone number is listed in a telephone directory
203 and the customer has informed the licensee that the telephone
204 number is not unlisted.
205 (i) “Third-party service provider” means a person, other
206 than a licensee, which contracts with a licensee to maintain,
207 process, or store nonpublic personal information, or is
208 otherwise permitted access to nonpublic personal information
209 through its provision of services to a licensee.
210 (2) INFORMATION SECURITY PROGRAM.—
211 (a) Each licensee shall develop, implement, and maintain a
212 comprehensive written information security program that contains
213 administrative, technical, and physical safeguards for the
214 protection of the licensee’s information system and nonpublic
215 personal information.
216 (b) Each licensee shall ensure that the information
217 security program meets all of the following criteria:
218 1. Be commensurate with the following measures:
219 a. Size and complexity of the licensee.
220 b. Nature and scope of the licensee’s activities, including
221 the licensee’s use of third-party service providers.
222 c. Sensitivity of nonpublic personal information that is
223 used by the licensee or that is in the licensee’s possession,
224 custody, or control.
225 2. Be designed to do all of the following:
226 a. Protect the security and confidentiality of nonpublic
227 personal information and the security of the licensee’s
228 information system.
229 b. Protect against threats or hazards to the security or
230 integrity of nonpublic personal information and the licensee’s
231 information system.
232 c. Protect against unauthorized access to or the use of
233 nonpublic personal information and minimize the likelihood of
234 harm to any customer.
235 3. Define and periodically reevaluate the retention
236 schedule and the mechanism for the destruction of nonpublic
237 personal information if retention is no longer necessary for the
238 licensee’s business operations or is no longer required by
239 applicable law.
240 4. Regularly test and monitor systems and procedures for
241 the detection of actual and attempted attacks on, or intrusions
242 into, the licensee’s information system.
243 5. Be monitored, evaluated, and adjusted, as necessary, to
244 meet all of the following requirements:
245 a. Determine whether the licensee’s information security
246 program is consistent with relevant changes in technology.
247 b. Confirm the licensee’s information security program
248 accounts for the sensitivity of nonpublic personal information.
249 c. Identify changes that may be necessary to the licensee’s
250 information system.
251 d. Eliminate any internal or external threats to nonpublic
252 personal information.
253 e. Amend the licensee’s information security program for
254 any of the licensee’s changing business arrangements, including,
255 but not limited to, mergers and acquisitions, alliances and
256 joint ventures, and outsourcing arrangements.
257 (c)1. As part of a licensee’s information security program,
258 the licensee shall establish a written incident response plan
259 designed to promptly respond to, and recover from, a
260 cybersecurity event that compromises:
261 a. The confidentiality, integrity, or availability of
262 nonpublic personal information in the licensee’s possession;
263 b. The licensee’s information system; or
264 c. The continuing functionality of any aspect of the
265 licensee’s operations.
266 2. The written incident response plan must address all of
267 the following:
268 a. The licensee’s internal process for responding to a
269 cybersecurity event.
270 b. The goals of the licensee’s incident response plan.
271 c. The assignment of clear roles, responsibilities, and
272 levels of decisionmaking authority for the licensee’s personnel
273 that participate in the incident response plan.
274 d. External communications, internal communications, and
275 information sharing related to a cybersecurity event.
276 e. The identification of remediation requirements for
277 weaknesses identified in information systems and associated
278 controls.
279 f. The documentation and reporting regarding cybersecurity
280 events and related incident response activities.
281 g. The evaluation and revision of the incident response
282 plan, as appropriate, following a cybersecurity event.
283 h. The process by which notice must be given as required
284 under subsection (4) and s. 501.171(3) and (4).
285 (d)1. This section does not apply to a licensee that has
286 fewer than:
287 a. Twenty individuals on its workforce, including employees
288 and independent contractors; or
289 b. Five hundred customers during a calendar year.
290 2. A licensee that no longer qualifies for exemption under
291 subparagraph 1. has 180 calendar days to comply with this
292 section after the date of the disqualification.
293 (e) Each licensee shall maintain a copy of the information
294 security program for a minimum of 5 years and shall make it
295 available to the office upon request or as part of an
296 examination.
297 (3) CYBERSECURITY EVENT INVESTIGATION.—
298 (a) If a licensee discovers that a cybersecurity event has
299 occurred or that a cybersecurity event may have occurred, the
300 licensee, or an outside vendor or third-party service provider
301 that the licensee has designated to act on its behalf, shall
302 conduct a prompt investigation of the cybersecurity event.
303 (b) During the investigation, the licensee, or the outside
304 vendor or third-party service provider that the licensee has
305 designated to act on its behalf, shall, at a minimum, determine
306 as much of the following as possible:
307 1. Confirm that a cybersecurity event has occurred.
308 2. Identify the date that the cybersecurity event first
309 occurred.
310 3. Assess the nature and scope of the cybersecurity event.
311 4. Identify all nonpublic personal information that may
312 have been compromised by the cybersecurity event.
313 5. Perform or oversee reasonable measures to restore the
314 security of any compromised information system in order to
315 prevent further unauthorized acquisition, release, or use of
316 nonpublic personal information that is in the licensee’s,
317 outside vendor’s, or third-party service provider’s possession,
318 custody, or control.
319 (c) If a licensee learns that a cybersecurity event has
320 occurred, or may have occurred, in an information system
321 maintained by a third-party service provider of the licensee,
322 the licensee shall complete an investigation in compliance with
323 this section or confirm and document that the third-party
324 service provider has completed an investigation in compliance
325 with this section.
326 (d) A licensee shall maintain all records and documentation
327 related to the licensee’s investigation of a cybersecurity event
328 for a minimum of 5 years after the date of the cybersecurity
329 event and shall produce the records and documentation to the
330 office upon request.
331 (4) NOTICE TO OFFICE OF SECURITY BREACH.—
332 (a) Each licensee shall provide notice to the office of any
333 breach of security affecting 500 or more individuals in this
334 state at a time and in the manner prescribed by commission rule.
335 (b) Each licensee shall, upon the office’s request, provide
336 a quarterly update of a cybersecurity event investigation under
337 subsection (3) until conclusion of the investigation.
338 (5) CONSTRUCTION.—This section may not be construed to
339 relieve a covered entity from complying with s. 501.171. To the
340 extent a licensee is a covered entity, as defined in s.
341 501.171(1), the licensee remains subject to s. 501.171.
342 (6) RULES.—The commission may adopt rules to administer
343 this section, including rules that allow a licensee that is in
344 full compliance with the Federal Trade Commission’s Standards
345 for Safeguarding Customer Information, 16 C.F.R. part 314, to be
346 deemed in compliance with subsection (2).
347 Section 2. Paragraph (z) is added to subsection (1) of
348 section 494.00255, Florida Statutes, to read:
349 494.00255 Administrative penalties and fines; license
350 violations.—
351 (1) Each of the following acts constitutes a ground for
352 which the disciplinary actions specified in subsection (2) may
353 be taken against a person licensed or required to be licensed
354 under part II or part III of this chapter:
355 (z) Failure to comply with the notification requirements in
356 s. 501.171(3) and (4).
357 Section 3. Present subsections (28) through (36) of section
358 517.021, Florida Statutes, are redesignated as subsections (29)
359 through (37), respectively, a new subsection (28) is added to
360 that section, and subsection (20) of that section is amended, to
361 read:
362 517.021 Definitions.—When used in this chapter, unless the
363 context otherwise indicates, the following terms have the
364 following respective meanings:
365 (20)(a) “Investment adviser” means a person, other than an
366 associated person of an investment adviser or a federal covered
367 adviser, that receives compensation, directly or indirectly, and
368 engages for all or part of the person’s time, directly or
369 indirectly, or through publications or writings, in the business
370 of advising others as to the value of securities or as to the
371 advisability of investments in, purchasing of, or selling of
372 securities.
373 (b) The term does not include any of the following:
374 1. A dealer or an associated person of a dealer whose
375 performance of services in paragraph (a) is solely incidental to
376 the conduct of the dealer’s or associated person’s business as a
377 dealer and who does not receive special compensation for those
378 services.
379 2. A licensed practicing attorney or certified public
380 accountant whose performance of such services is solely
381 incidental to the practice of the attorney’s or accountant’s
382 profession.
383 3. A bank authorized to do business in this state.
384 4. A bank holding company as defined in the Bank Holding
385 Company Act of 1956, as amended, authorized to do business in
386 this state.
387 5. A trust company having trust powers, as defined in s.
388 658.12, which it is authorized to exercise in this state, which
389 trust company renders or performs investment advisory services
390 in a fiduciary capacity incidental to the exercise of its trust
391 powers.
392 6. A person that renders investment advice exclusively to
393 insurance or investment companies.
394 7. A person:
395 a. Without a place of business in this state if the person
396 has had that, during the preceding 12 months, has fewer than six
397 clients who are residents of this state.
398 b. With a place of business in this state if the person has
399 had, during the preceding 12 months, fewer than six clients who
400 are residents of this state and no clients who are not residents
401 of this state.
402
403 As used in this subparagraph, the term “client” has the same
404 meaning as provided in Securities and Exchange Commission Rule
405 222-2 275.222-2, 17 C.F.R. s. 275.222-2, as amended.
406 8. A federal covered adviser.
407 9. The United States, a state, or any political subdivision
408 of a state, or any agency, authority, or instrumentality of any
409 such entity; a business entity that is wholly owned directly or
410 indirectly by such a governmental entity; or any officer, agent,
411 or employee of any such governmental or business entity who is
412 acting within the scope of his or her official duties.
413 10. A family office as defined in Securities and Exchange
414 Commission Rule 202(a)(11)(G)-1(b) under the Investment Advisers
415 Act of 1940, 17 C.F.R. s. 275.202(a)(11)(G)-1(b), as amended. In
416 determining whether a person meets the definition of a family
417 office under this subparagraph, the terms “affiliated family
418 office,” “control,” “executive officer,” “family client,”
419 “family entity,” “family member,” “former family member,” “key
420 employee,” and “spousal equivalent” have the same meaning as in
421 Securities and Exchange Commission Rule 202(a)(11)(G)-1(d), 17
422 C.F.R. s. 275.202(a)(11)(G)-1(d).
423 (28) “Place of business” of an investment adviser means an
424 office at which the investment adviser regularly provides
425 investment advisory services to, solicits, meets with, or
426 otherwise communicates with clients; and any other location that
427 is held out to the general public as a location at which the
428 investment adviser provides investment advisory services to,
429 solicits, meets with, or otherwise communicates with clients.
430 Section 4. Paragraph (i) of subsection (9) of section
431 517.061, Florida Statutes, is amended to read:
432 517.061 Exempt transactions.—Except as otherwise provided
433 in subsection (11), the exemptions provided herein from the
434 registration requirements of s. 517.07 are self-executing and do
435 not require any filing with the office before being claimed. Any
436 person who claims entitlement to an exemption under this section
437 bears the burden of proving such entitlement in any proceeding
438 brought under this chapter. The registration provisions of s.
439 517.07 do not apply to any of the following transactions;
440 however, such transactions are subject to s. 517.301:
441 (9) The offer or sale of securities to:
442 (i) A family office as defined in Securities and Exchange
443 Commission Rule 202(a)(11)(G)-1(b) 202(a)(11)(G)-1 under the
444 Investment Advisers Act of 1940, 17 C.F.R. s. 275.202(a)(11)(G)
445 1(b) s. 275.202(a)(11)(G)-1, as amended, provided that:
446 1. The family office has assets under management in excess
447 of $5 million;
448 2. The family office is not formed for the specific purpose
449 of acquiring the securities offered; and
450 3. The prospective investment of the family office is
451 directed by a person who has knowledge and experience in
452 financial and business matters that the family office is capable
453 of evaluating the merits and risks of the prospective
454 investment.
455
456 In determining whether a person meets the definition of a family
457 office under this paragraph, the terms “affiliated family
458 office,” “control,” “executive officer,” “family client,”
459 “family entity,” “family member,” “former family member,” “key
460 employee,” and “spousal equivalent” have the same meaning as in
461 Securities and Exchange Commission Rule 202(a)(11)(G)-1(d), 17
462 C.F.R. s. 275.202(a)(11)(G)-1(d).
463 Section 5. Section 520.135, Florida Statutes, is created to
464 read:
465 520.135 Surrendered or repossessed vehicles.—The rights and
466 obligations of parties with respect to a surrendered or
467 repossessed motor vehicle are exclusively governed by part VI of
468 chapter 679.
469 Section 6. Subsections (1) and (2) of section 560.114,
470 Florida Statutes, are amended to read:
471 560.114 Disciplinary actions; penalties.—
472 (1) The following actions by a money services business, an
473 authorized vendor, or a affiliated party that was affiliated at
474 the time of commission of the actions constitute grounds for the
475 issuance of a cease and desist order; the issuance of a removal
476 order; the denial, suspension, or revocation of a license; or
477 taking any other action within the authority of the office
478 pursuant to this chapter:
479 (a) Failure to comply with any provision of this chapter or
480 related rule or order, or any written agreement entered into
481 with the office.
482 (b) Fraud, misrepresentation, deceit, or gross negligence
483 in any transaction by a money services business, regardless of
484 reliance thereon by, or damage to, a customer.
485 (c) Fraudulent misrepresentation, circumvention, or
486 concealment of any matter that must be stated or furnished to a
487 customer pursuant to this chapter, regardless of reliance
488 thereon by, or damage to, such customer.
489 (d) False, deceptive, or misleading advertising.
490 (e) Failure to maintain, preserve, keep available for
491 examination, and produce all books, accounts, files, or other
492 documents required by this chapter or related rules or orders,
493 by 31 C.F.R. ss. 1010.306, 1010.311, 1010.312, 1010.340,
494 1010.410, 1010.415, 1022.210, 1022.320, 1022.380, and 1022.410,
495 or by an agreement entered into with the office.
496 (f) Refusing to allow the examination or inspection of
497 books, accounts, files, or other documents by the office
498 pursuant to this chapter, or to comply with a subpoena issued by
499 the office.
500 (g) Failure to pay a judgment recovered in any court by a
501 claimant in an action arising out of a money transmission
502 transaction within 30 days after the judgment becomes final.
503 (h) Engaging in an act prohibited under s. 560.111 or s.
504 560.1115.
505 (i) Insolvency.
506 (j) Failure by a money services business to remove an
507 affiliated party after the office has issued and served upon the
508 money services business a final order setting forth a finding
509 that the affiliated party has violated a provision of this
510 chapter.
511 (k) Making a material misstatement, misrepresentation, or
512 omission in an application for licensure, any amendment to such
513 application, or application for the appointment of an authorized
514 vendor.
515 (l) Committing any act that results in a license or its
516 equivalent, to practice any profession or occupation being
517 denied, suspended, revoked, or otherwise acted against by a
518 licensing authority in any jurisdiction.
519 (m) Being the subject of final agency action or its
520 equivalent, issued by an appropriate regulator, for engaging in
521 unlicensed activity as a money services business or deferred
522 presentment provider in any jurisdiction.
523 (n) Committing any act resulting in a license or its
524 equivalent to practice any profession or occupation being
525 denied, suspended, revoked, or otherwise acted against by a
526 licensing authority in any jurisdiction for a violation of 18
527 U.S.C. s. 1956, 18 U.S.C. s. 1957, 18 U.S.C. s. 1960, 31 U.S.C.
528 s. 5324, or any other law or rule of another state or of the
529 United States relating to a money services business, deferred
530 presentment provider, or usury that may cause the denial,
531 suspension, or revocation of a money services business or
532 deferred presentment provider license or its equivalent in such
533 jurisdiction.
534 (o) Having been convicted of, or entered a plea of guilty
535 or nolo contendere to, any felony or crime punishable by
536 imprisonment of 1 year or more under the law of any state or the
537 United States which involves fraud, moral turpitude, or
538 dishonest dealing, regardless of adjudication.
539 (p) Having been convicted of, or entered a plea of guilty
540 or nolo contendere to, a crime under 18 U.S.C. s. 1956 or 31
541 U.S.C. s. 5318, s. 5322, or s. 5324, regardless of adjudication.
542 (q) Having been convicted of, or entered a plea of guilty
543 or nolo contendere to, misappropriation, conversion, or unlawful
544 withholding of moneys belonging to others, regardless of
545 adjudication.
546 (r) Having been convicted of, or entered a plea of guilty
547 or nolo contendere to, a violation of 31 C.F.R. chapter X, part
548 1022, regardless of adjudication.
549 (s)(r) Failure to inform the office in writing within 30
550 days after having pled guilty or nolo contendere to, or being
551 convicted of, any felony or crime punishable by imprisonment of
552 1 year or more under the law of any state or the United States,
553 or any crime involving fraud, moral turpitude, or dishonest
554 dealing.
555 (t)(s) Aiding, assisting, procuring, advising, or abetting
556 any person in violating a provision of this chapter or any order
557 or rule of the office or commission.
558 (u)(t) Failure to pay any fee, charge, or cost imposed or
559 assessed under this chapter.
560 (v)(u) Failing to pay a fine assessed by the office within
561 30 days after the due date as stated in a final order.
562 (w)(v) Failure to pay any judgment entered by any court
563 within 30 days after the judgment becomes final.
564 (x)(w) Engaging or advertising engagement in the business
565 of a money services business or deferred presentment provider
566 without a license, unless exempted from licensure.
567 (y)(x) Payment to the office for a license or other fee,
568 charge, cost, or fine with a check or electronic transmission of
569 funds that is dishonored by the applicant’s or licensee’s
570 financial institution.
571 (z)(y) Violations of 31 C.F.R. ss. 1010.306, 1010.311,
572 1010.312, 1010.340, 1010.410, 1010.415, 1022.210, 1022.320,
573 1022.380, and 1022.410, and United States Treasury Interpretive
574 Release 2004-1.
575 (aa)(z) Any practice or conduct that creates the likelihood
576 of a material loss, insolvency, or dissipation of assets of a
577 money services business or otherwise materially prejudices the
578 interests of its customers.
579 (bb)(aa) Failure of a check casher to maintain a federally
580 insured depository account as required by s. 560.309.
581 (cc)(bb) Failure of a check casher to deposit into its own
582 federally insured depository account any payment instrument
583 cashed as required by s. 560.309.
584 (dd)(cc) Violating any provision of the Military Lending
585 Act, 10 U.S.C. s. 987, or the regulations adopted under that act
586 in 32 C.F.R. part 232, in connection with a deferred presentment
587 transaction conducted under part IV of this chapter.
588 (ee) Failure to comply with the notification requirements
589 in s. 501.171(3) and (4).
590 (2) Pursuant to s. 120.60(6), The office shall issue an
591 emergency order suspending may summarily suspend the license of
592 a money services business if the office finds that a licensee
593 poses an immediate, serious danger to the public health, safety,
594 and welfare. A proceeding in which the office seeks the issuance
595 of a final order for the summary suspension of a licensee shall
596 be conducted by the commissioner of the office, or his or her
597 designee, who shall issue such order. The following acts are
598 deemed by the Legislature to constitute an immediate and serious
599 danger to the public health, safety, and welfare, and the office
600 shall may immediately suspend the license of a money services
601 business without making any further findings of immediate
602 danger, necessity, and procedural fairness if:
603 (a) The money services business fails to provide to the
604 office, upon written request, any of the records required by s.
605 560.123, s. 560.1235, s. 560.211, or s. 560.310 or any rule
606 adopted under those sections. The suspension may be rescinded if
607 the licensee submits the requested records to the office.
608 (b) The money services business fails to maintain a
609 federally insured depository account as required by s.
610 560.208(4) or s. 560.309.
611 (c) A natural person required to be listed on the license
612 application for a money services business pursuant to s.
613 560.141(1)(a)3. is criminally charged with, or arrested for, a
614 crime described in paragraph (1)(o), paragraph (1)(p), or
615 paragraph(1)(q).
616 Section 7. Section 560.1311, Florida Statutes, is created
617 to read:
618 560.1311 Information security programs; cybersecurity event
619 investigations.—
620 (1) DEFINITIONS.—As used in this section, the term:
621 (a) “Customer” means a person who seeks to obtain or who
622 obtains or has obtained a financial product or service from a
623 licensee.
624 (b) “Customer information” means any record containing
625 nonpublic personal information about a customer of a financial
626 transaction, whether on paper, electronic, or in other forms,
627 which is handled or maintained by or on behalf of the licensee
628 or its affiliates.
629 (c) “Cybersecurity event” means an event resulting in
630 unauthorized access to, or disruption or misuse of, an
631 information system, information stored on such information
632 system, or customer information held in physical form.
633 (d) “Financial product or service” means any product or
634 service offered by a licensee under this chapter.
635 (e) “Information security program” means the
636 administrative, technical, or physical safeguards used to
637 access, collect, distribute, process, protect, store, use,
638 transmit, dispose of, or otherwise handle customer information.
639 (f) “Information system” means a discrete set of electronic
640 information resources organized for the collection, processing,
641 maintenance, use, sharing, dissemination, or disposition of
642 electronic information, as well as any specialized system such
643 as an industrial process control system, telephone switching and
644 private branch exchange system, or environmental control system,
645 which contain customer information or which are connected to a
646 system that contains customer information.
647 (g)1. “Nonpublic personal information” means:
648 a. Personally identifiable financial information; and
649 b. Any list, description, or other grouping of customers
650 which is derived using any personally identifiable financial
651 information that is not publicly available, such as account
652 numbers, including any list of individuals’ names and street
653 addresses which is derived, in whole or in part, using
654 personally identifiable financial information that is not
655 publicly available.
656 2. The term does not include:
657 a. Publicly available information, except as included on a
658 list, description, or other grouping of customers described in
659 sub-subparagraph 1.b.;
660 b. Any list, description, or other grouping of consumers,
661 or any publicly available information pertaining to such list,
662 description, or other grouping of consumers, which is derived
663 without using any personally identifiable financial information
664 that is not publicly available; or
665 c. Any list of individuals’ names and addresses which
666 contains only publicly available information, is not derived, in
667 whole or in part, using personally identifiable financial
668 information that is not publicly available, and is not disclosed
669 in a manner that indicates that any of the individuals on the
670 list is a customer of a licensee.
671 3. As used in this paragraph, the term:
672 a.(I) “Personally identifiable financial information” means
673 any information that:
674 (A) A customer provides to a licensee to obtain a financial
675 product or service, such as information that a customer provides
676 to a licensee on an application to obtain a loan or other
677 financial product or service;
678 (B) A licensee receives about a consumer which is obtained
679 during or as a result of any transaction involving a financial
680 product or service between the licensee and the customer, such
681 as information collected through an information-collecting
682 device from a web server; or
683 (C) A licensee otherwise obtains about a customer in
684 connection with providing a financial product or service to the
685 customer, such as the fact that an individual is or has been one
686 of the licensee’s customers or has obtained a financial product
687 or service from the licensee.
688 (II) The term “personally identifiable financial
689 information” does not include:
690 (A) A list of names and addresses of customers of an entity
691 that is not a financial institution; or
692 (B) Information that does not identify a customer, such as
693 blind data or aggregate information that does not contain
694 personal identifiers such as account numbers, names, or
695 addresses.
696 b.(I) “Publicly available information” means any
697 information that a licensee has a reasonable basis to believe is
698 lawfully made available to the general public from:
699 (A) Federal, state, or local government records, such as
700 government real estate records or security interest filings;
701 (B) Widely distributed media, such as information from a
702 telephone records repository or directory, a television or radio
703 program, a newspaper, a social media platform, or a website that
704 is available to the general public on an unrestricted basis. A
705 website is not restricted merely because an Internet service
706 provider or a site operator requires a fee or a password, so
707 long as access is available to the general public; or
708 (C) Disclosures to the general public which are required to
709 be made by federal, state, or local law.
710 (II) As used in this sub-subparagraph, the term “reasonable
711 basis to believe is lawfully made available to the general
712 public” relating to any information means that the person has
713 taken steps to determine:
714 (A) That the information is of the type that is available
715 to the general public, such as information included on the
716 public record in the jurisdiction where the mortgage would be
717 recorded; and
718 (B) Whether an individual can direct that the information
719 not be made available to the general public and, if so, the
720 customer to whom the information relates has not done so, such
721 as when a telephone number is listed in a telephone directory
722 and the customer has informed the licensee that the telephone
723 number is not unlisted.
724 (h) “Third-party service provider” means a person, other
725 than a licensee, which contracts with a licensee to maintain,
726 process, or store nonpublic personal information, or is
727 otherwise permitted access to nonpublic personal information
728 through its provision of services to a licensee.
729 (2) INFORMATION SECURITY PROGRAM.—
730 (a) Each licensee shall develop, implement, and maintain a
731 comprehensive written information security program that contains
732 administrative, technical, and physical safeguards for the
733 protection of the licensee’s information system and nonpublic
734 personal information.
735 (b) Each licensee shall ensure that the information
736 security program meets all of the following criteria:
737 1. Be commensurate with the following measures:
738 a. Size and complexity of the licensee.
739 b. Nature and scope of the licensee’s activities, including
740 the licensee’s use of third-party service providers.
741 c. Sensitivity of nonpublic personal information that is
742 used by the licensee or that is in the licensee’s possession,
743 custody, or control.
744 2. Be designed to do all of the following:
745 a. Protect the security and confidentiality of nonpublic
746 personal information and the security of the licensee’s
747 information system.
748 b. Protect against threats or hazards to the security or
749 integrity of nonpublic personal information and the licensee’s
750 information system.
751 c. Protect against unauthorized access to or the use of
752 nonpublic personal information and minimize the likelihood of
753 harm to any customer.
754 3. Define and periodically reevaluate the retention
755 schedule and the mechanism for the destruction of nonpublic
756 personal information if retention is no longer necessary for the
757 licensee’s business operations or is no longer required by
758 applicable law.
759 4. Regularly test and monitor systems and procedures for
760 the detection of actual and attempted attacks on, or intrusions
761 into, the licensee’s information system.
762 5. Be monitored, evaluated, and adjusted, as necessary, to
763 meet all of the following requirements:
764 a. Determine whether the licensee’s information security
765 program is consistent with relevant changes in technology.
766 b. Confirm the licensee’s information security program
767 accounts for the sensitivity of nonpublic personal information.
768 c. Identify changes that may be necessary to the licensee’s
769 information system.
770 d. Eliminate any internal or external threats to nonpublic
771 personal information.
772 e. Amend the licensee’s information security program for
773 any of the licensee’s changing business arrangements, including,
774 but not limited to, mergers and acquisitions, alliances and
775 joint ventures, and outsourcing arrangements.
776 (c)1. As part of a licensee’s information security program,
777 the licensee shall establish a written incident response plan
778 designed to promptly respond to, and recover from, a
779 cybersecurity event that compromises:
780 a. The confidentiality, integrity, or availability of
781 nonpublic personal information in the licensee’s possession;
782 b. The licensee’s information system; or
783 c. The continuing functionality of any aspect of the
784 licensee’s operations.
785 2. The written incident response plan must address all of
786 the following:
787 a. The licensee’s internal process for responding to a
788 cybersecurity event.
789 b. The goals of the licensee’s incident response plan.
790 c. The assignment of clear roles, responsibilities, and
791 levels of decisionmaking authority for the licensee’s personnel
792 that participate in the incident response plan.
793 d. External communications, internal communications, and
794 information sharing related to a cybersecurity event.
795 e. The identification of remediation requirements for
796 weaknesses identified in information systems and associated
797 controls.
798 f. The documentation and reporting regarding cybersecurity
799 events and related incident response activities.
800 g. The evaluation and revision of the incident response
801 plan, as appropriate, following a cybersecurity event.
802 h. The process by which notice must be given as required
803 under subsection (4) and s. 501.171(3) and (4).
804 (d)1. This section does not apply to a licensee that has
805 fewer than:
806 a. Twenty individuals on its workforce, including employees
807 and independent contractors; or
808 b. Five hundred customers during a calendar year.
809 2. A licensee that no longer qualifies for exemption under
810 subparagraph 1. has 180 calendar days to comply with this
811 section after the date of the disqualification.
812 (e) Each licensee shall maintain a copy of the information
813 security program for a minimum of 5 years and shall make it
814 available to the office upon request or as part of an
815 examination.
816 (3) CYBERSECURITY EVENT INVESTIGATION.—
817 (a) If a licensee discovers that a cybersecurity event has
818 occurred or that a cybersecurity event may have occurred, the
819 licensee, or an outside vendor or third-party service provider
820 that the licensee has designated to act on its behalf, shall
821 conduct a prompt investigation of the cybersecurity event.
822 (b) During the investigation, the licensee, or the outside
823 vendor or third-party service provider that the licensee has
824 designated to act on its behalf, shall, at a minimum, determine
825 as much of the following as possible:
826 1. Confirm that a cybersecurity event has occurred.
827 2. Identify the date that the cybersecurity event first
828 occurred.
829 3. Assess the nature and scope of the cybersecurity event.
830 4. Identify all nonpublic personal information that may
831 have been compromised by the cybersecurity event.
832 5. Perform or oversee reasonable measures to restore the
833 security of any compromised information system in order to
834 prevent further unauthorized acquisition, release, or use of
835 nonpublic personal information that is in the licensee’s,
836 outside vendor’s, or third-party service provider’s possession,
837 custody, or control.
838 (c) If a licensee learns that a cybersecurity event has
839 occurred, or may have occurred, in an information system
840 maintained by a third-party service provider of the licensee,
841 the licensee shall complete an investigation in compliance with
842 this section or confirm and document that the third-party
843 service provider has completed an investigation in compliance
844 with this section.
845 (d) A licensee shall maintain all records and documentation
846 related to the licensee’s investigation of a cybersecurity event
847 for a minimum of 5 years after the date of the cybersecurity
848 event and shall produce the records and documentation to the
849 office upon request.
850 (4) NOTICE TO OFFICE OF SECURITY BREACH.—
851 (a) Each licensee shall provide notice to the office of any
852 breach of security affecting 500 or more individuals in this
853 state at a time and in the manner prescribed by commission rule.
854 (b) Each licensee shall, upon the office’s request, provide
855 a quarterly update of a cybersecurity event investigation under
856 subsection (3) until conclusion of the investigation.
857 (5) CONSTRUCTION.—This section may not be construed to
858 relieve a covered entity from complying with s. 501.171. To the
859 extent a licensee is a covered entity, as defined in s.
860 501.171(1), the licensee remains subject to s. 501.171.
861 (6) RULES.—The commission may adopt rules to administer
862 this section, including rules that allow a licensee that is in
863 full compliance with the Federal Trade Commission’s Standards
864 for Safeguarding Customer Information, 16 C.F.R. part 314, to be
865 deemed in compliance with subsection (2).
866 Section 8. Section 655.0171, Florida Statutes, is created
867 to read:
868 655.0171 Requirements for customer data security and for
869 notices of security breaches.—
870 (1) DEFINITIONS.—As used in this section, the term:
871 (a) “Breach of security” or “breach” means unauthorized
872 access of data in electronic form containing personal
873 information. Good faith access of personal information by an
874 employee or agent of a financial institution does not constitute
875 a breach of security, provided that the information is not used
876 for a purpose unrelated to the business or subject to further
877 unauthorized use. As used in this paragraph, the term “data in
878 electronic form” means any data stored electronically or
879 digitally on any computer system or other database and includes
880 recordable tapes and other mass storage devices.
881 (b) “Department” means the Department of Legal Affairs.
882 (c)1. “Personal information” means:
883 a. An individual’s first name, or first initial, and last
884 name, in combination with any of the following data elements for
885 that individual:
886 (I) A social security number;
887 (II) A driver license or identification card number,
888 passport number, military identification number, or other
889 similar number issued on a government document used to verify
890 identity;
891 (III) A financial account number or credit or debit card
892 number, in combination with any required security code, access
893 code, or password that is necessary to permit access to the
894 individual’s financial account;
895 (IV) The individual’s biometric data as defined in s.
896 501.702; or
897 (V) Any information regarding the individual’s geolocation;
898 or
899 b. A username or e-mail address, in combination with a
900 password or security question and answer that would permit
901 access to an online account.
902 2. The term does not include information about an
903 individual which has been made publicly available by a federal,
904 state, or local governmental entity. The term also does not
905 include information that is encrypted, secured, or modified by
906 any other method or technology that removes elements that
907 personally identify an individual or that otherwise renders the
908 information unusable.
909 (2) REQUIREMENTS FOR DATA SECURITY.—Each financial
910 institution shall take reasonable measures to protect and secure
911 data that are in electronic form and that contain personal
912 information.
913 (3) NOTICE TO OFFICE AND DEPARTMENT OF SECURITY BREACH.—
914 (a)1. Each financial institution shall provide notice to
915 the office of any breach of security affecting 500 or more
916 individuals in this state. Such notice must be provided to the
917 office as expeditiously as practicable, but no later than 30
918 days after the determination of the breach or the determination
919 of a reason to believe that a breach has occurred.
920 2. The written notice to the office must include the items
921 required under s. 501.171(3)(b).
922 3. A financial institution must provide the following
923 information to the office upon its request:
924 a. A police report, incident report, or computer forensics
925 report.
926 b. A copy of the policies in place regarding breaches.
927 c. Steps that have been taken to rectify the breach.
928 4. A financial institution may provide the office with
929 supplemental information regarding a breach at any time.
930 (b) Each financial institution shall provide notice to the
931 department of any breach of security affecting 500 or more
932 individuals in this state. Such notice must be provided to the
933 department in accordance with s. 501.171.
934 (4) NOTICE TO INDIVIDUALS OF SECURITY BREACH.—Each
935 financial institution shall give notice to each individual in
936 this state whose personal information was, or the financial
937 institution reasonably believes to have been, accessed as a
938 result of the breach in accordance with s. 501.171(4). The
939 notice must be provided no later than 30 days after the
940 determination of the breach or the determination of a reason to
941 believe that a breach has occurred. A financial institution may
942 receive 15 additional days to provide notice to individuals of a
943 security breach as required in this subsection if good cause for
944 delay is provided in writing to the office within 30 days after
945 determination of the breach or determination of the reason to
946 believe that a breach has occurred.
947 (5) NOTICE TO CREDIT REPORTING AGENCIES.—If a financial
948 institution discovers circumstances requiring notice pursuant to
949 this section of more than 1,000 individuals at a single time,
950 the financial institution shall also notify, without
951 unreasonable delay, all consumer reporting agencies that compile
952 and maintain files on consumers on a nationwide basis, as
953 defined in the Fair Credit Reporting Act, 15 U.S.C. s. 1681a(p),
954 of the timing, distribution, and content of the notices.
955 Section 9. Paragraph (d) of subsection (1) of section
956 655.045, Florida Statutes, is amended to read:
957 655.045 Examinations, reports, and internal audits;
958 penalty.—
959 (1) The office shall conduct an examination of the
960 condition of each state financial institution at least every 18
961 months. The office may conduct more frequent examinations based
962 upon the risk profile of the financial institution, prior
963 examination results, or significant changes in the institution
964 or its operations. The office may use continuous, phase, or
965 other flexible scheduling examination methods for very large or
966 complex state financial institutions and financial institutions
967 owned or controlled by a multi-financial institution holding
968 company. The office shall consider examination guidelines from
969 federal regulatory agencies in order to facilitate, coordinate,
970 and standardize examination processes.
971 (d) As used in this section, the term “costs” means the
972 salary and travel expenses directly attributable to the field
973 staff examining the state financial institution, subsidiary, or
974 service corporation, and the travel expenses of any supervisory
975 staff required as a result of examination findings. The mailing
976 of any costs incurred under this subsection must be postmarked
977 within 45 30 days after the date of receipt of a notice stating
978 that such costs are due. The office may levy a late payment of
979 up to $100 per day or part thereof that a payment is overdue,
980 unless excused for good cause. However, for intentional late
981 payment of costs, the office may levy an administrative fine of
982 up to $1,000 per day for each day the payment is overdue.
983 Section 10. Subsection (2) of section 657.005, Florida
984 Statutes, is amended to read:
985 657.005 Application for authority to organize a credit
986 union; investigation.—
987 (2) Any five or more individuals, a majority of whom are
988 residents of this state and all of whom who represent a limited
989 field of membership, may apply to the office for permission to
990 organize a credit union. The fact that individuals within the
991 proposed limited field of membership have credit union services
992 available to them through another limited field of membership
993 shall not preclude the granting of a certificate of
994 authorization to engage in the business of a credit union.
995 Section 11. Subsection (1) of section 657.024, Florida
996 Statutes, is amended to read:
997 657.024 Membership meetings.—
998 (1) The members shall receive timely notice of the annual
999 meeting and any special meetings of the members, which shall be
1000 held at the time, place, and in the manner provided in the
1001 bylaws. The annual meeting and any special meetings of the
1002 members may be held virtually without an in-person quorum, and
1003 virtual attendance may satisfy quorum requirements, subject to
1004 the bylaws.
1005 Section 12. Paragraph (b) of subsection (3) and present
1006 subsection (5) of section 657.042, Florida Statutes, are amended
1007 to read:
1008 657.042 Investment powers and limitations.—A credit union
1009 may invest its funds subject to the following definitions,
1010 restrictions, and limitations:
1011 (3) INVESTMENT SUBJECT TO LIMITATION OF TWO PERCENT OF
1012 CAPITAL OF THE CREDIT UNION.—
1013 (b) Commercial paper and bonds of any corporation within
1014 the United States which have a fixed maturity, as provided in
1015 subsection (6) (7), except that the total investment in all such
1016 paper and bonds may not exceed 10 percent of the capital of the
1017 credit union.
1018 (5) INVESTMENTS IN REAL ESTATE AND EQUIPMENT FOR THE CREDIT
1019 UNION.—
1020 (a) Up to 5 percent of the capital of the credit union may
1021 be invested in real estate and improvements thereon, furniture,
1022 fixtures, and equipment utilized or to be utilized by the credit
1023 union for the transaction of business.
1024 (b) The limitations provided by this subsection may be
1025 exceeded with the prior written approval of the office. The
1026 office shall grant such approval if it is satisfied that:
1027 1. The proposed investment is necessary.
1028 2. The amount thereof is commensurate with the size and
1029 needs of the credit union.
1030 3. The investment will be beneficial to the members.
1031 4. A reasonable plan is developed to reduce the investment
1032 to statutory limits.
1033 Section 13. Paragraphs (b) and (c) of subsection (4) of
1034 section 658.21, Florida Statutes, are amended to read:
1035 658.21 Approval of application; findings required.—The
1036 office shall approve the application if it finds that:
1037 (4)
1038 (b) At least two of the proposed directors who are not also
1039 proposed officers must have had within the 10 years before the
1040 date of the application at least 1 year of direct experience as
1041 an executive officer, regulator, or director of a financial
1042 institution as specified in the application within the 5 years
1043 before the date of the application. However, if the applicant
1044 demonstrates that at least one of the proposed directors has
1045 very substantial experience as an executive officer, director,
1046 or regulator of a financial institution more than 5 years before
1047 the date of the application, the office may modify the
1048 requirement and allow the applicant to have only one director
1049 who has direct financial institution experience within the last
1050 5 years.
1051 (c) The proposed president or chief executive officer must
1052 have had at least 1 year of direct experience as an executive
1053 officer, director, or regulator of a financial institution
1054 within the last 10 5 years. In making a decision, the office
1055 must also consider may waive this requirement after considering:
1056 1. The adequacy of the overall experience and expertise of
1057 the proposed president or chief executive officer;
1058 2. The likelihood of successful operation of the proposed
1059 state bank or trust company pursuant to subsection (1);
1060 3. The adequacy of the proposed capitalization under
1061 subsection (2);
1062 4. The proposed capital structure under subsection (3);
1063 5. The experience of the other proposed officers and
1064 directors; and
1065 6. Any other relevant data or information.
1066 Section 14. Subsection (2) of section 658.33, Florida
1067 Statutes, is amended to read:
1068 658.33 Directors, number, qualifications; officers.—
1069 (2) Not less than a majority of the directors must, during
1070 their whole term of service, be citizens of the United States,
1071 and at least a majority of the directors must have resided in
1072 this state for at least 1 year preceding their election and must
1073 be residents therein during their continuance in office. In the
1074 case of a bank or trust company with total assets of less than
1075 $150 million, at least one, and in the case of a bank or trust
1076 company with total assets of $150 million or more, two of the
1077 directors who are not also officers of the bank or trust company
1078 must have had at least 1 year of direct experience as an
1079 executive officer, regulator, or director of a financial
1080 institution within the last 10 5 years.
1081 Section 15. Subsection (4) of section 662.141, Florida
1082 Statutes, is amended to read:
1083 662.141 Examination, investigations, and fees.—The office
1084 may conduct an examination or investigation of a licensed family
1085 trust company at any time it deems necessary to determine
1086 whether the licensed family trust company or licensed family
1087 trust company-affiliated party thereof has violated or is about
1088 to violate any provision of this chapter, any applicable
1089 provision of the financial institutions codes, or any rule
1090 adopted by the commission pursuant to this chapter or the codes.
1091 The office may conduct an examination or investigation of a
1092 family trust company or foreign licensed family trust company at
1093 any time it deems necessary to determine whether the family
1094 trust company or foreign licensed family trust company has
1095 engaged in any act prohibited under s. 662.131 or s. 662.134
1096 and, if a family trust company or a foreign licensed family
1097 trust company has engaged in such act, to determine whether any
1098 applicable provision of the financial institutions codes has
1099 been violated.
1100 (4) For each examination of the books and records of a
1101 family trust company, licensed family trust company, or foreign
1102 licensed family trust company as authorized under this chapter,
1103 the trust company shall pay a fee for the costs of the
1104 examination by the office. As used in this section, the term
1105 “costs” means the salary and travel expenses of field staff
1106 which are directly attributable to the examination of the trust
1107 company and the travel expenses of any supervisory and support
1108 staff required as a result of examination findings. The mailing
1109 of payment for costs incurred must be postmarked within 45 30
1110 days after the receipt of a notice stating that the costs are
1111 due. The office may levy a late payment of up to $100 per day or
1112 part thereof that a payment is overdue unless waived for good
1113 cause. However, if the late payment of costs is intentional, the
1114 office may levy an administrative fine of up to $1,000 per day
1115 for each day the payment is overdue.
1116 Section 16. Subsection (21) of section 517.12, Florida
1117 Statutes, is amended to read:
1118 517.12 Registration of dealers, associated persons,
1119 intermediaries, and investment advisers.—
1120 (21) The registration requirements of this section do not
1121 apply to any general lines insurance agent or life insurance
1122 agent licensed under chapter 626, with regard to the sale of a
1123 security as defined in s. 517.021(34)(g) s. 517.021(33)(g), if
1124 the individual is directly authorized by the issuer to offer or
1125 sell the security on behalf of the issuer and the issuer is a
1126 federally chartered savings bank subject to regulation by the
1127 Federal Deposit Insurance Corporation. Actions under this
1128 subsection constitute activity under the insurance agent’s
1129 license for purposes of ss. 626.611 and 626.621.
1130 Section 17. This act shall take effect July 1, 2026.