Florida Senate - 2026 CS for CS for SB 540
By the Appropriations Committee on Agriculture, Environment, and
General Government; the Committee on Banking and Insurance; and
Senator Martin
601-02832-26 2026540c2
1 A bill to be entitled
2 An act relating to the Office of Financial Regulation;
3 amending s. 415.106, F.S.; requiring the Department of
4 Children and Families to cooperate with and seek
5 cooperation from the Office of Financial Regulation
6 concerning certain protective investigations of
7 suspected financial exploitation of specified adults;
8 requiring the department to provide copies of certain
9 suspected financial exploitation reports to the office
10 within a certain timeframe; authorizing the department
11 to provide copies of certain records at the request of
12 the office within a specified timeframe; authorizing
13 the office to use such reports or records as required
14 or authorized in certain provisions; specifying that
15 certain confidentiality provisions that apply to the
16 department apply to the records of the office and its
17 employees and agents; authorizing the department and
18 the office to enter into a specified memorandum of
19 agreement; amending s. 415.107, F.S.; revising the
20 persons, officials, and agencies granted access to
21 certain records relating to vulnerable adults;
22 creating s. 494.00123, F.S.; defining terms; requiring
23 loan originators, mortgage brokers, and mortgage
24 lenders to develop, implement, and maintain
25 comprehensive written information security programs
26 for the protection of information systems and
27 nonpublic personal information; providing requirements
28 for such programs; requiring loan originators,
29 mortgage brokers, and mortgage lenders to establish
30 written incident response plans for specified
31 purposes; providing requirements for such plans;
32 providing applicability; providing compliance
33 requirements under specified circumstances; requiring
34 loan originators, mortgage brokers, and mortgage
35 lenders to maintain copies of information security
36 programs for a specified timeframe and to make them
37 available to the office under certain circumstances;
38 specifying requirements for notices of security
39 breaches; providing construction; requiring the
40 Financial Services Commission to adopt rules; amending
41 s. 494.00255, F.S.; providing additional acts that
42 constitute a ground for specified disciplinary actions
43 against loan originators and mortgage brokers;
44 amending s. 517.021, F.S.; revising the definition of
45 the term “investment adviser”; defining terms;
46 amending s. 517.061, F.S.; defining terms; amending s.
47 517.201, F.S.; authorizing the office to make
48 investigations and examinations to aid the Department
49 of Children and Families with certain protective
50 investigations; authorizing the office to consider or
51 use certain information as part of certain
52 investigations and examinations; amending s. 517.34,
53 F.S.; revising the information required to be
54 contained in the form by which a dealer or investment
55 advisor notifies the office of certain delayed
56 disbursements or transactions of funds or securities;
57 providing construction; creating s. 520.135, F.S.;
58 specifying that the rights and obligations of parties
59 with respect to a surrendered or repossessed motor
60 vehicle are exclusively governed by certain
61 provisions; amending s. 560.114, F.S.; specifying the
62 entities that are subject to certain disciplinary
63 actions and penalties; revising the list of actions by
64 money services businesses which constitute grounds for
65 certain disciplinary actions and penalties; specifying
66 requirements for emergency suspension orders that
67 suspend money services business licenses; providing
68 that an emergency suspension order is effective when
69 the licensee against whom the order is directed has
70 actual or constructive knowledge of the order;
71 requiring the office to institute timely proceedings
72 after issuance of an emergency suspension order;
73 authorizing a licensee subject to an emergency
74 suspension order to seek judicial review; requiring,
75 rather than authorizing, the office to suspend
76 licenses of money services businesses under certain
77 circumstances; creating s. 560.1311, F.S.; defining
78 terms; requiring money services businesses to develop,
79 implement, and maintain comprehensive written
80 information security programs for the protection of
81 information systems and nonpublic personal
82 information; specifying requirements for such
83 programs; requiring money services businesses to
84 establish written incident response plans for
85 specified purposes; specifying requirements for such
86 plans; providing applicability; specifying compliance
87 requirements under specified circumstances; requiring
88 money services businesses to maintain copies of
89 information security programs for a specified
90 timeframe and to make them available to the office
91 under certain circumstances; specifying requirements
92 for notices of security breaches; providing
93 construction; requiring the commission to adopt rules;
94 amending s. 560.309, F.S.; providing that licensees
95 must comply with the Fair Debt Collections Practices
96 Act only if the licensees meet certain criteria;
97 amending s. 560.405, F.S.; specifying that redemption
98 in cash must be treated in the same manner as
99 redemption through debt card transactions; prohibiting
100 redemption through a credit card transaction; amending
101 s. 560.406, F.S.; providing that licensees must comply
102 with the Fair Debt Collections Practices Act only if
103 the licensees meet certain criteria; creating s.
104 655.0171, F.S.; defining terms; requiring financial
105 institutions to take measures to protect and secure
106 certain data that contain personal information;
107 providing requirements for notices of security
108 breaches to the office, the Department of Legal
109 Affairs, certain individuals, and certain credit
110 reporting agencies; amending s. 655.032, F.S.;
111 authorizing the office to consider or use certain
112 information as part of certain investigations;
113 amending s. 655.045, F.S.; authorizing the office to
114 consider or use certain information as part of certain
115 investigations; revising the timeline for the mailing
116 of payment for salary and travel expenses of certain
117 field staff; amending s. 657.005, F.S.; revising
118 requirements for permission to organize credit unions;
119 amending s. 657.024, F.S.; authorizing meetings of
120 credit union members to be held virtually without an
121 in-person quorum and authorizing virtual attendance to
122 satisfy quorum requirements under certain
123 circumstances; amending s. 657.042, F.S.; removing
124 provisions that impose limitations on investments in
125 real estate and equipment for credit unions; amending
126 s. 658.21, F.S.; revising requirements and factors for
127 approving applications for organizing banks and trust
128 companies; amending s. 658.33, F.S.; revising
129 requirements for directors of certain banks and trust
130 companies; amending s. 662.141, F.S.; revising the
131 timeline for the mailing of payment for the salary and
132 travel expenses of certain field staff; amending s.
133 517.12, F.S.; conforming a cross-reference; providing
134 an effective date.
135
136 Be It Enacted by the Legislature of the State of Florida:
137
138 Section 1. Subsection (4) is added to section 415.106,
139 Florida Statutes, to read:
140 415.106 Cooperation by the department and criminal justice
141 and other agencies.—
142 (4) To the fullest extent possible, the department shall
143 cooperate with and seek cooperation from the Office of Financial
144 Regulation concerning protective investigations of suspected
145 financial exploitation of specified adults, as defined in s.
146 415.10341, which are reported to the central abuse hotline and
147 which the department is responsible for conducting pursuant to
148 s. 415.104.
149 (a) In accordance with s. 415.107, the department must
150 provide copies of all suspected financial exploitation reports
151 received by the central abuse hotline pursuant to s. 415.1034
152 from any financial institution as defined in s. 655.005(1),
153 securities dealer as defined in s. 517.021(12), or investment
154 adviser as defined in s. 517.021(20) to the Office of Financial
155 Regulation within 15 days after receiving the report. The
156 department may provide copies of any records generated as a
157 result of such reports at the request of the Office of Financial
158 Regulation within 15 days after such request.
159 1. The Office of Financial Regulation may use the reports
160 or records obtained as required or authorized in this subsection
161 during an investigation or examination conducted pursuant to
162 chapter 517 or chapter 655.
163 2. Except as provided in this chapter and chapters 517 and
164 655, all confidentiality provisions that apply to the department
165 continue to apply to the records made available to the Office of
166 Financial Regulation and its officials, employees, and agents
167 under s. 415.107.
168 (b) The department and the Office of Financial Regulation
169 may enter into a memorandum of agreement that specifies how the
170 Office of Financial Regulation, in the agency’s role as the
171 regulator of financial institutions, may assist the department
172 with effectively and efficiently conducting a protective
173 investigation of any vulnerable adult abuse report received by
174 the central abuse hotline, and that specifies how such
175 assistance will be implemented.
176 Section 2. Paragraph (m) is added to subsection (3) of
177 section 415.107, Florida Statutes, to read:
178 415.107 Confidentiality of reports and records.—
179 (3) Access to all records, excluding the name of the
180 reporter which shall be released only as provided in subsection
181 (6), shall be granted only to the following persons, officials,
182 and agencies:
183 (m) Any appropriate officials, employees, or agents of the
184 Office of Financial Regulation who are responsible for
185 conducting investigations pursuant to chapters 517 and 655.
186 Section 3. Section 494.00123, Florida Statutes, is created
187 to read:
188 494.00123 Information security programs.—
189 (1) DEFINITIONS.—As used in this section, the term:
190 (a) “Customer” means a person who seeks to obtain or who
191 obtains or has obtained a financial product or service from a
192 licensee.
193 (b) “Customer information” means any record containing
194 nonpublic personal information about a customer of a financial
195 transaction, whether on paper, electronic, or in other forms,
196 which is handled or maintained by or on behalf of the licensee
197 or its affiliates.
198 (c) “Cybersecurity event” means an event resulting in
199 unauthorized access to, or disruption or misuse of, an
200 information system or customer information stored on such
201 information system. The term does not include the unauthorized
202 acquisition of encrypted customer information if the encryption
203 process or key is not also acquired, released, or used without
204 authorization. The term does not include an event with regard to
205 which the licensee has determined that the customer information
206 accessed by an unauthorized person has not been used or released
207 and has been returned or destroyed.
208 (d) “Encrypted” means the transformation of data into a
209 form that results in a low probability of assigning meaning
210 without the use of a protective process or key.
211 (e) “Financial product or service” means any product or
212 service offered by a licensee under this chapter.
213 (f) “Information security program” means the
214 administrative, technical, or physical safeguards used to
215 access, collect, distribute, process, protect, store, use,
216 transmit, dispose of, or otherwise handle customer information.
217 (g) “Information system” means a discrete set of electronic
218 information resources organized for the collection, processing,
219 maintenance, use, sharing, dissemination, or disposition of
220 electronic information, as well as any specialized system such
221 as an industrial process control system, telephone switching and
222 private branch exchange system, or environmental control system,
223 which contain customer information or which are connected to a
224 system that contains customer information.
225 (h)1. “Nonpublic personal information” means:
226 a. Personally identifiable financial information; and
227 b. Any list, description, or other grouping of customers
228 which is derived using any personally identifiable financial
229 information that is not publicly available, such as account
230 numbers, including any list of individuals’ names and street
231 addresses which is derived, in whole or in part, using
232 personally identifiable financial information that is not
233 publicly available.
234 2. The term does not include:
235 a. Publicly available information, except as included on a
236 list, description, or other grouping of customers described in
237 sub-subparagraph 1.b.;
238 b. Any list, description, or other grouping of consumers,
239 or any publicly available information pertaining to such list,
240 description, or other grouping of consumers, which is derived
241 without using any personally identifiable financial information
242 that is not publicly available; or
243 c. Any list of individuals’ names and addresses which
244 contains only publicly available information, is not derived, in
245 whole or in part, using personally identifiable financial
246 information that is not publicly available, and is not disclosed
247 in a manner that indicates that any of the individuals on the
248 list is a customer of a licensee.
249 3. As used in this paragraph, the term:
250 a.(I) “Personally identifiable financial information” means
251 any information that:
252 (A) A customer provides to a licensee to obtain a financial
253 product or service, such as information that a customer provides
254 to a licensee on an application to obtain a loan or other
255 financial product or service;
256 (B) A licensee receives about a consumer which is obtained
257 during or as a result of any transaction involving a financial
258 product or service between the licensee and the customer, such
259 as information collected through an information-collecting
260 device from a web server; or
261 (C) A licensee otherwise obtains about a customer in
262 connection with providing a financial product or service to the
263 customer, such as the fact that an individual is or has been one
264 of the licensee’s customers or has obtained a financial product
265 or service from the licensee.
266 (II) The term “personally identifiable financial
267 information” does not include:
268 (A) A list of names and addresses of customers of an entity
269 that is not a financial institution; or
270 (B) Information that does not identify a customer, such as
271 blind data or aggregate information that does not contain
272 personal identifiers such as account numbers, names, or
273 addresses.
274 b.(I) “Publicly available information” means any
275 information that a licensee has a reasonable basis to believe is
276 lawfully made available to the general public from:
277 (A) Federal, state, or local government records, such as
278 government real estate records or security interest filings;
279 (B) Widely distributed media, such as information from a
280 telephone records repository or directory, a television or radio
281 program, a newspaper, a social media platform, or a website that
282 is available to the general public on an unrestricted basis. A
283 website is not restricted merely because an Internet service
284 provider or a site operator requires a fee or a password, so
285 long as access is available to the general public; or
286 (C) Disclosures to the general public which are required to
287 be made by federal, state, or local law.
288 (II) As used in this sub-subparagraph, the term “reasonable
289 basis to believe is lawfully made available to the general
290 public” relating to any information means that the person has
291 taken steps to determine:
292 (A) That the information is of the type that is available
293 to the general public, such as information included on the
294 public record in the jurisdiction where the mortgage would be
295 recorded; and
296 (B) Whether an individual can direct that the information
297 not be made available to the general public and, if so, the
298 customer to whom the information relates has not done so, such
299 as when a telephone number is listed in a telephone directory
300 and the customer has informed the licensee that the telephone
301 number is not unlisted.
302 (i) “Third-party service provider” means a person, other
303 than a licensee, which contracts with a licensee to maintain,
304 process, or store nonpublic personal information, or is
305 otherwise permitted access to nonpublic personal information
306 through its provision of services to a licensee.
307 (2) INFORMATION SECURITY PROGRAM.—
308 (a) Each licensee shall develop, implement, and maintain a
309 comprehensive written information security program that contains
310 administrative, technical, and physical safeguards for the
311 protection of the licensee’s information system and nonpublic
312 personal information.
313 (b) Each licensee shall ensure that the information
314 security program meets all of the following criteria:
315 1. Be commensurate with the following measures:
316 a. Size and complexity of the licensee.
317 b. Nature and scope of the licensee’s activities, including
318 the licensee’s use of third-party service providers.
319 c. Sensitivity of nonpublic personal information that is
320 used by the licensee or that is in the licensee’s possession,
321 custody, or control.
322 2. Be designed to do all of the following:
323 a. Protect the security and confidentiality of nonpublic
324 personal information and the security of the licensee’s
325 information system.
326 b. Protect against threats or hazards to the security or
327 integrity of nonpublic personal information and the licensee’s
328 information system.
329 c. Protect against unauthorized access to or the use of
330 nonpublic personal information and minimize the likelihood of
331 harm to any customer.
332 3. Define and periodically reevaluate the retention
333 schedule and the mechanism for the destruction of nonpublic
334 personal information if retention is no longer necessary for the
335 licensee’s business operations or is no longer required by
336 applicable law.
337 4. Regularly test and monitor systems and procedures for
338 the detection of actual and attempted attacks on, or intrusions
339 into, the licensee’s information system.
340 5. Be monitored, evaluated, and adjusted, as necessary, to
341 meet all of the following requirements:
342 a. Determine whether the licensee’s information security
343 program is consistent with relevant changes in technology.
344 b. Confirm the licensee’s information security program
345 accounts for the sensitivity of nonpublic personal information.
346 c. Identify changes that may be necessary to the licensee’s
347 information system.
348 d. Mitigate any internal or external threats to nonpublic
349 personal information.
350 e. Amend the licensee’s information security program for
351 any material changes to the licensee’s business arrangements,
352 including, but not limited to, mergers and acquisitions,
353 alliances and joint ventures, and outsourcing arrangements.
354 (c)1. As part of a licensee’s information security program,
355 the licensee shall establish a written incident response plan
356 designed to promptly respond to, and recover from, a
357 cybersecurity event that compromises:
358 a. The confidentiality, integrity, or availability of
359 nonpublic personal information in the licensee’s possession;
360 b. The licensee’s information system; or
361 c. The continuing functionality of any aspect of the
362 licensee’s operations.
363 2. The written incident response plan must address all of
364 the following:
365 a. The licensee’s internal process for responding to a
366 cybersecurity event.
367 b. The goals of the licensee’s incident response plan.
368 c. The assignment of clear roles, responsibilities, and
369 levels of decisionmaking authority for the licensee’s personnel
370 that participate in the incident response plan.
371 d. External communications, internal communications, and
372 information sharing related to a cybersecurity event.
373 e. The identification of remediation requirements for
374 weaknesses identified in information systems and associated
375 controls.
376 f. The documentation and reporting regarding cybersecurity
377 events and related incident response activities.
378 g. The evaluation and revision of the incident response
379 plan, as appropriate, following a cybersecurity event.
380 h. The process by which notice must be given as required
381 under subsection (3) and s. 501.171(3) and (4).
382 (d)1. This section does not apply to a licensee that has
383 fewer than:
384 a. Twenty individuals on its workforce, including employees
385 and independent contractors; or
386 b. Five hundred customers during a calendar year.
387 2. A licensee that no longer qualifies for exemption under
388 subparagraph 1. has 180 calendar days to comply with this
389 section after the date of the disqualification.
390 (e) Each licensee shall maintain a copy of the information
391 security program for a minimum of 5 years and shall make it
392 available to the office upon request or as part of an
393 examination.
394 (3) NOTICE TO OFFICE OF SECURITY BREACH.—Each licensee
395 shall provide notice to the office of any breach of security, as
396 defined in s. 501.171, affecting 500 or more individuals in this
397 state at a time and in the manner prescribed by commission rule.
398 (4) CONSTRUCTION.—This section may not be construed to
399 relieve a covered entity from complying with s. 501.171. To the
400 extent a licensee is a covered entity, as defined in s.
401 501.171(1), the licensee remains subject to s. 501.171.
402 (5) RULES.—The commission shall adopt rules to administer
403 this section, including rules that allow a licensee that is in
404 compliance with the Federal Trade Commission’s Standards for
405 Safeguarding Customer Information, 16 C.F.R. part 314, to be
406 deemed in substantial compliance with subsection (2).
407 Section 4. Paragraph (z) is added to subsection (1) of
408 section 494.00255, Florida Statutes, to read:
409 494.00255 Administrative penalties and fines; license
410 violations.—
411 (1) Each of the following acts constitutes a ground for
412 which the disciplinary actions specified in subsection (2) may
413 be taken against a person licensed or required to be licensed
414 under part II or part III of this chapter:
415 (z) Failure to comply with the notification requirements in
416 s. 501.171(3) and (4).
417 Section 5. Present subsections (28) through (36) of section
418 517.021, Florida Statutes, are redesignated as subsections (29)
419 through (37), respectively, a new subsection (28) is added to
420 that section, and subsection (20) of that section is amended, to
421 read:
422 517.021 Definitions.—When used in this chapter, unless the
423 context otherwise indicates, the following terms have the
424 following respective meanings:
425 (20)(a) “Investment adviser” means a person, other than an
426 associated person of an investment adviser or a federal covered
427 adviser, that receives compensation, directly or indirectly, and
428 engages for all or part of the person’s time, directly or
429 indirectly, or through publications or writings, in the business
430 of advising others as to the value of securities or as to the
431 advisability of investments in, purchasing of, or selling of
432 securities.
433 (b) The term does not include any of the following:
434 1. A dealer or an associated person of a dealer whose
435 performance of services in paragraph (a) is solely incidental to
436 the conduct of the dealer’s or associated person’s business as a
437 dealer and who does not receive special compensation for those
438 services.
439 2. A licensed practicing attorney or certified public
440 accountant whose performance of such services is solely
441 incidental to the practice of the attorney’s or accountant’s
442 profession.
443 3. A bank authorized to do business in this state.
444 4. A bank holding company as defined in the Bank Holding
445 Company Act of 1956, as amended, authorized to do business in
446 this state.
447 5. A trust company having trust powers, as defined in s.
448 658.12, which it is authorized to exercise in this state, which
449 trust company renders or performs investment advisory services
450 in a fiduciary capacity incidental to the exercise of its trust
451 powers.
452 6. A person that renders investment advice exclusively to
453 insurance or investment companies.
454 7. A person:
455 a. Without a place of business in this state if the person
456 has had, during the preceding 12 months, fewer than six
457 clients who are residents of this state.
458 b. With a place of business in this state if the person has
459 had, during the preceding 12 months, fewer than six clients who
460 are residents of this state and no clients who are not residents
461 of this state.
462
463 As used in this subparagraph, the term “client” has the same
464 meaning as provided in Securities and Exchange Commission Rule
465 222-2, 17 C.F.R. s. 275.222-2, as amended.
466 8. A federal covered adviser.
467 9. The United States, a state, or any political subdivision
468 of a state, or any agency, authority, or instrumentality of any
469 such entity; a business entity that is wholly owned directly or
470 indirectly by such a governmental entity; or any officer, agent,
471 or employee of any such governmental or business entity who is
472 acting within the scope of his or her official duties.
473 10. A family office as defined in Securities and Exchange
474 Commission Rule 202(a)(11)(G)-1(b) under the Investment Advisers
475 Act of 1940, 17 C.F.R. s. 275.202(a)(11)(G)-1(b), as amended. In
476 determining whether a person meets the definition of a family
477 office under this subparagraph, the terms “affiliated family
478 office,” “control,” “executive officer,” “family client,”
479 “family entity,” “family member,” “former family member,” “key
480 employee,” and “spousal equivalent” have the same meaning as in
481 Securities and Exchange Commission Rule 202(a)(11)(G)-1(d) under
482 the Investment Advisers Act of 1940, 17 C.F.R. s.
483 275.202(a)(11)(G)-1(d), as amended.
484 (28) “Place of business” of an investment adviser means an
485 office at which the investment adviser regularly provides
486 investment advisory services to, solicits, meets with, or
487 otherwise communicates with clients; and any other location that
488 is held out to the general public as a location at which the
489 investment adviser provides investment advisory services to,
490 solicits, meets with, or otherwise communicates with clients.
491 Section 6. Paragraph (i) of subsection (9) of section
492 517.061, Florida Statutes, is amended to read:
493 517.061 Exempt transactions.—Except as otherwise provided
494 in subsection (11), the exemptions provided herein from the
495 registration requirements of s. 517.07 are self-executing and do
496 not require any filing with the office before being claimed. Any
497 person who claims entitlement to an exemption under this section
498 bears the burden of proving such entitlement in any proceeding
499 brought under this chapter. The registration provisions of s.
500 517.07 do not apply to any of the following transactions;
501 however, such transactions are subject to s. 517.301:
502 (9) The offer or sale of securities to:
503 (i) A family office as defined in Securities and Exchange
504 Commission Rule 202(a)(11)(G)-1(b) under the
505 Investment Advisers Act of 1940, 17 C.F.R. s.
506 275.202(a)(11)(G)-1(b), as amended, provided that:
507 1. The family office has assets under management in excess
508 of $5 million;
509 2. The family office is not formed for the specific purpose
510 of acquiring the securities offered; and
511 3. The prospective investment of the family office is
512 directed by a person who has knowledge and experience in
513 financial and business matters that the family office is capable
514 of evaluating the merits and risks of the prospective
515 investment.
516
517 In determining whether a person meets the definition of a family
518 office under this paragraph, the terms “affiliated family
519 office,” “control,” “executive officer,” “family client,”
520 “family entity,” “family member,” “former family member,” “key
521 employee,” and “spousal equivalent” have the same meaning as in
522 Securities and Exchange Commission Rule 202(a)(11)(G)-1(d) under
523 the Investment Advisers Act of 1940, 17 C.F.R. s.
524 275.202(a)(11)(G)-1(d), as amended.
525 Section 7. Paragraph (a) of subsection (1) of section
526 517.201, Florida Statutes, is amended, and paragraph (c) is
527 added to that subsection, to read:
528 517.201 Investigations; examinations; subpoenas; hearings;
529 witnesses.—
530 (1) The office:
531 (a) May make investigations and examinations within or
532 outside of this state as it deems necessary:
533 1. To determine whether a person has violated or is about
534 to violate any provision of this chapter or a rule or order
535 hereunder; or
536 2. To aid in the enforcement of this chapter; or
537 3. In accordance with a memorandum of understanding
538 pursuant to s. 415.106(4)(b), to aid the Department of Children
539 and Families with any protective investigations the Department
540 of Children and Families is required to conduct under s.
541 415.104.
542 (c) May consider or use as part of any investigation or
543 examination pursuant to this section the information contained
544 in any suspected financial exploitation report or any records
545 generated as a result of such report which is obtained pursuant
546 to s. 415.106(4).
547 Section 8. Paragraphs (b) and (c) of subsection (3) and
548 subsection (6) of section 517.34, Florida Statutes, are amended
549 to read:
550 517.34 Protection of specified adults.—
551 (3) A dealer or investment adviser may delay a disbursement
552 or transaction of funds or securities from an account of a
553 specified adult or an account for which a specified adult is a
554 beneficiary or beneficial owner if all of the following apply:
555 (b) Not later than 3 business days after the date on which
556 the delay was first placed, the dealer or investment adviser
557 complies with all of the following conditions:
558 1. Notifies in writing all parties authorized to transact
559 business on the account and any trusted contact on the account,
560 using the contact information provided for the account, with the
561 exception of any party the dealer or investment adviser
562 reasonably believes has engaged in, is engaging in, has
563 attempted to engage in, or will attempt to engage in the
564 suspected financial exploitation of the specified adult. The
565 notice, which may be provided electronically, must provide the
566 reason for the delay.
567 2. Notifies the office of the delay electronically on a
568 form prescribed by commission rule. The form must be consistent
569 with the purposes of this section and must contain, but need not
570 be limited to, the following information:
571 a. The date on which the delay was first placed.
572 b. The name, age, and address, or location, if different,
573 of the specified adult.
574 c. The business location of the dealer or investment
575 adviser.
576 d. The name, address, and telephone number and title of the
577 employee who reported suspected financial exploitation of the
578 specified adult.
579 e. The facts and circumstances that caused the employee to
580 report suspected financial exploitation.
581 f. The names, addresses, and telephone numbers of the
582 specified adult’s family members.
583 g. The name, address, and telephone number of each person
584 suspected of engaging in financial exploitation.
585 h. The name, address, and telephone number of the caregiver
586 of the specified adult, if different from the person or persons
587 suspected of engaging in financial exploitation.
588 i. A description of actions taken by the dealer or
589 investment adviser, if any, such as notification to a criminal
590 justice agency.
591 j. Any other information available to the reporting person
592 which may establish the cause of financial exploitation that
593 occurred or is occurring.
594 (c) Not later than 3 business days after the date on which
595 the delay was first placed, the dealer or investment adviser
596 Notifies the office of the delay electronically on a form
597 prescribed by commission rule. The form must be consistent with
598 the purposes of this section and may include only the following
599 information:
600 1. The date on which the notice is submitted to the office.
601 2. The date on which the delay was first placed.
602 3. The following information about the specified adult:
603 a. Gender.
604 b. Age.
605 c. Zip code of residence address.
606 4. The following information about the dealer or investment
607 adviser who placed the delay:
608 a. Name.
609 b. Title.
610 c. Firm name.
611 d. Business address.
612 5. A section with the following questions for which the
613 only allowable responses are “Yes” or “No”:
614 a. Is financial exploitation of a specified adult suspected
615 in connection with a disbursement or transaction?
616 b. Are funds currently at risk of being lost?
617
618 The form must contain substantially the following statement in
619 conspicuous type: “The office may take disciplinary action
620 against any person making a knowing and willful
621 misrepresentation on this form.”
622 (6) A dealer, an investment adviser, or an associated
623 person who in good faith and exercising reasonable care complies
624 with this section is immune from any administrative or civil
625 liability that might otherwise arise from such delay in a
626 disbursement or transaction in accordance with this section.
627 This subsection does not supersede or diminish any immunity
628 granted under chapter 415, nor does it substitute for the duty
629 to report to the central abuse hotline as required under s.
630 415.1034.
631 Section 9. Section 520.135, Florida Statutes, is created to
632 read:
633 520.135 Surrendered or repossessed vehicles.—The rights and
634 obligations of parties with respect to a surrendered or
635 repossessed motor vehicle are exclusively governed by part VI of
636 chapter 679.
637 Section 10. Subsections (1) and (2) of section 560.114,
638 Florida Statutes, are amended to read:
639 560.114 Disciplinary actions; penalties.—
640 (1) The following actions by a money services business, an
641 authorized vendor, or an affiliated party that was affiliated at
642 the time of commission of the actions constitute grounds for the
643 issuance of a cease and desist order; the issuance of a removal
644 order; the denial, suspension, or revocation of a license; or
645 taking any other action within the authority of the office
646 pursuant to this chapter:
647 (a) Failure to comply with any provision of this chapter or
648 related rule or order, or any written agreement entered into
649 with the office.
650 (b) Fraud, misrepresentation, deceit, or gross negligence
651 in any transaction by a money services business, regardless of
652 reliance thereon by, or damage to, a customer.
653 (c) Fraudulent misrepresentation, circumvention, or
654 concealment of any matter that must be stated or furnished to a
655 customer pursuant to this chapter, regardless of reliance
656 thereon by, or damage to, such customer.
657 (d) False, deceptive, or misleading advertising.
658 (e) Failure to maintain, preserve, keep available for
659 examination, and produce all books, accounts, files, or other
660 documents required by this chapter or related rules or orders,
661 by 31 C.F.R. ss. 1010.306, 1010.311, 1010.312, 1010.340,
662 1010.410, 1010.415, 1022.210, 1022.320, 1022.380, and 1022.410,
663 or by an agreement entered into with the office.
664 (f) Refusing to allow the examination or inspection of
665 books, accounts, files, or other documents by the office
666 pursuant to this chapter, or to comply with a subpoena issued by
667 the office.
668 (g) Failure to pay a judgment recovered in any court by a
669 claimant in an action arising out of a money transmission
670 transaction within 30 days after the judgment becomes final.
671 (h) Engaging in an act prohibited under s. 560.111 or s.
672 560.1115.
673 (i) Insolvency.
674 (j) Failure by a money services business to remove an
675 affiliated party after the office has issued and served upon the
676 money services business a final order setting forth a finding
677 that the affiliated party has violated a provision of this
678 chapter.
679 (k) Making a material misstatement, misrepresentation, or
680 omission in an application for licensure, any amendment to such
681 application, or application for the appointment of an authorized
682 vendor.
683 (l) Committing any act that results in a license or its
684 equivalent, to practice any profession or occupation being
685 denied, suspended, revoked, or otherwise acted against by a
686 licensing authority in any jurisdiction.
687 (m) Being the subject of final agency action or its
688 equivalent, issued by an appropriate regulator, for engaging in
689 unlicensed activity as a money services business or deferred
690 presentment provider in any jurisdiction.
691 (n) Committing any act resulting in a license or its
692 equivalent to practice any profession or occupation being
693 denied, suspended, revoked, or otherwise acted against by a
694 licensing authority in any jurisdiction for a violation of 18
695 U.S.C. s. 1956, 18 U.S.C. s. 1957, 18 U.S.C. s. 1960, 31 U.S.C.
696 s. 5324, or any other law or rule of another state or of the
697 United States relating to a money services business, deferred
698 presentment provider, or usury that may cause the denial,
699 suspension, or revocation of a money services business or
700 deferred presentment provider license or its equivalent in such
701 jurisdiction.
702 (o) Having been convicted of, or entered a plea of guilty
703 or nolo contendere to, any felony or crime punishable by
704 imprisonment of 1 year or more under the law of any state or the
705 United States which involves fraud, moral turpitude, or
706 dishonest dealing, regardless of adjudication.
707 (p) Having been convicted of, or entered a plea of guilty
708 or nolo contendere to, a crime under 18 U.S.C. s. 1956 or 31
709 U.S.C. s. 5318, s. 5322, or s. 5324, regardless of adjudication.
710 (q) Having been convicted of, or entered a plea of guilty
711 or nolo contendere to, misappropriation, conversion, or unlawful
712 withholding of moneys belonging to others, regardless of
713 adjudication.
714 (r) Having been convicted of, or entered a plea of guilty
715 or nolo contendere to, a violation of 31 C.F.R. chapter X, part
716 1022, regardless of adjudication.
717 (s)(r) Failure to inform the office in writing within 30
718 days after having pled guilty or nolo contendere to, or being
719 convicted of, any felony or crime punishable by imprisonment of
720 1 year or more under the law of any state or the United States,
721 or any crime involving fraud, moral turpitude, or dishonest
722 dealing.
723 (t)(s) Aiding, assisting, procuring, advising, or abetting
724 any person in violating a provision of this chapter or any order
725 or rule of the office or commission.
726 (u)(t) Failure to pay any fee, charge, or cost imposed or
727 assessed under this chapter.
728 (v)(u) Failing to pay a fine assessed by the office within
729 30 days after the due date as stated in a final order.
730 (w)(v) Failure to pay any judgment entered by any court
731 within 30 days after the judgment becomes final.
732 (x)(w) Engaging or advertising engagement in the business
733 of a money services business or deferred presentment provider
734 without a license, unless exempted from licensure.
735 (y)(x) Payment to the office for a license or other fee,
736 charge, cost, or fine with a check or electronic transmission of
737 funds that is dishonored by the applicant’s or licensee’s
738 financial institution.
739 (z)(y) Violations of 31 C.F.R. ss. 1010.306, 1010.311,
740 1010.312, 1010.340, 1010.410, 1010.415, 1022.210, 1022.320,
741 1022.380, and 1022.410, and United States Treasury Interpretive
742 Release 2004-1.
743 (aa)(z) Any practice or conduct that creates the likelihood
744 of a material loss, insolvency, or dissipation of assets of a
745 money services business or otherwise materially prejudices the
746 interests of its customers.
747 (bb)(aa) Failure of a check casher to maintain a federally
748 insured depository account as required by s. 560.309.
749 (cc)(bb) Failure of a check casher to deposit into its own
750 federally insured depository account any payment instrument
751 cashed as required by s. 560.309.
752 (dd)(cc) Violating any provision of the Military Lending
753 Act, 10 U.S.C. s. 987, or the regulations adopted under that act
754 in 32 C.F.R. part 232, in connection with a deferred presentment
755 transaction conducted under part IV of this chapter.
756 (ee) Failure to comply with the notification requirements
757 in s. 501.171(3) and (4).
758 (2) Pursuant to s. 120.60(6), The office shall issue an
759 emergency suspension order suspending may summarily suspend the
760 license of a money services business if the office finds that a
761 licensee poses a danger deemed by the Legislature to be an
762 immediate and, serious danger to the public health, safety, and
763 welfare. A proceeding in which the office seeks the issuance of
764 a final order for the summary suspension of a licensee shall be
765 conducted by the commissioner of the office, or his or her
766 designee, who shall issue such order.
767 (a) An emergency suspension order under this subsection may
768 be issued without prior notice and an opportunity to be heard.
769 An emergency suspension order must:
770 1. State the grounds on which the order is based;
771 2. Advise the licensee against whom the order is directed
772 that the order takes effect immediately and, to the extent
773 applicable, requires the licensee to immediately cease and
774 desist from the conduct or violation that is the subject of the
775 order or to take the affirmative action stated in the order as
776 necessary to correct a condition resulting from the conduct or
777 violation or as otherwise appropriate;
778 3. Be delivered by personal delivery or sent by certified
779 mail, return receipt requested, to the licensee against whom the
780 order is directed at the licensee’s last known address; and
781 4. Include a notice that the licensee subject to the
782 emergency suspension order may seek judicial review pursuant to
783 s. 120.68.
784 (b) An emergency suspension order is effective as soon as
785 the licensee against whom the order is directed has actual or
786 constructive knowledge of the issuance of the order.
787 (c) The office shall institute timely proceedings under ss.
788 120.569 and 120.57 after issuance of an emergency suspension
789 order.
790 (d) A licensee subject to an emergency suspension order may
791 seek judicial review pursuant to s. 120.68.
792 (e) The following acts are deemed by the Legislature to
793 constitute an immediate and serious danger to the public health,
794 safety, and welfare, and the office shall may immediately issue
795 an emergency suspension order to suspend the license of a money
796 services business if:
797 1.(a) The money services business fails to provide to the
798 office, upon written request, any of the records required by s.
799 560.123, s. 560.1235, s. 560.211, or s. 560.310 or any rule
800 adopted under those sections. The suspension may be rescinded if
801 the licensee submits the requested records to the office.
802 2.(b) The money services business fails to maintain a
803 federally insured depository account as required by s.
804 560.208(4) or s. 560.309.
805 3.(c) A natural person required to be listed on the license
806 application for a money services business pursuant to s.
807 560.141(1)(a)3. is criminally charged with, or arrested for, a
808 crime described in paragraph (1)(o), paragraph (1)(p), or
809 paragraph (1)(q).
810 Section 11. Section 560.1311, Florida Statutes, is created
811 to read:
812 560.1311 Information security programs.—
813 (1) DEFINITIONS.—As used in this section, the term:
814 (a) “Customer” means a person who seeks to obtain or who
815 obtains or has obtained a financial product or service from a
816 licensee.
817 (b) “Customer information” means any record containing
818 nonpublic personal information about a customer of a financial
819 transaction, whether on paper, electronic, or in other forms,
820 which is handled or maintained by or on behalf of the licensee
821 or its affiliates.
822 (c) “Cybersecurity event” means an event resulting in
823 unauthorized access to, or disruption or misuse of, an
824 information system or customer information stored on such
825 information system. The term does not include the unauthorized
826 acquisition of encrypted customer information if the encryption
827 process or key is not also acquired, released, or used without
828 authorization. The term does not include an event with regard to
829 which the licensee has determined that the customer information
830 accessed by an unauthorized person has not been used or released
831 and has been returned or destroyed.
832 (d) “Encrypted” means the transformation of data into a
833 form that results in a low probability of assigning meaning
834 without the use of a protective process or key.
835 (e) “Financial product or service” means any product or
836 service offered by a licensee under this chapter.
837 (f) “Information security program” means the
838 administrative, technical, or physical safeguards used to
839 access, collect, distribute, process, protect, store, use,
840 transmit, dispose of, or otherwise handle customer information.
841 (g) “Information system” means a discrete set of electronic
842 information resources organized for the collection, processing,
843 maintenance, use, sharing, dissemination, or disposition of
844 electronic information, as well as any specialized system such
845 as an industrial process control system, telephone switching and
846 private branch exchange system, or environmental control system,
847 which contain customer information or which are connected to a
848 system that contains customer information.
849 (h) “Licensee” means a person licensed under this chapter.
850 (i)1. “Nonpublic personal information” means:
851 a. Personally identifiable financial information; and
852 b. Any list, description, or other grouping of customers
853 which is derived using any personally identifiable financial
854 information that is not publicly available, such as account
855 numbers, including any list of individuals’ names and street
856 addresses which is derived, in whole or in part, using
857 personally identifiable financial information that is not
858 publicly available.
859 2. The term does not include:
860 a. Publicly available information, except as included on a
861 list, description, or other grouping of customers described in
862 sub-subparagraph 1.b.;
863 b. Any list, description, or other grouping of consumers,
864 or any publicly available information pertaining to such list,
865 description, or other grouping of consumers, which is derived
866 without using any personally identifiable financial information
867 that is not publicly available; or
868 c. Any list of individuals’ names and addresses which
869 contains only publicly available information, is not derived, in
870 whole or in part, using personally identifiable financial
871 information that is not publicly available, and is not disclosed
872 in a manner that indicates that any of the individuals on the
873 list is a customer of a licensee.
874 3. As used in this paragraph, the term:
875 a.(I) “Personally identifiable financial information” means
876 any information that:
877 (A) A customer provides to a licensee to obtain a financial
878 product or service, such as information that a customer provides
879 to a licensee on an application to obtain a loan or other
880 financial product or service;
881 (B) A licensee receives about a consumer which is obtained
882 during or as a result of any transaction involving a financial
883 product or service between the licensee and the customer, such
884 as information collected through an information-collecting
885 device from a web server; or
886 (C) A licensee otherwise obtains about a customer in
887 connection with providing a financial product or service to the
888 customer, such as the fact that an individual is or has been one
889 of the licensee’s customers or has obtained a financial product
890 or service from the licensee.
891 (II) The term “personally identifiable financial
892 information” does not include:
893 (A) A list of names and addresses of customers of an entity
894 that is not a financial institution; or
895 (B) Information that does not identify a customer, such as
896 blind data or aggregate information that does not contain
897 personal identifiers such as account numbers, names, or
898 addresses.
899 b.(I) “Publicly available information” means any
900 information that a licensee has a reasonable basis to believe is
901 lawfully made available to the general public from:
902 (A) Federal, state, or local government records, such as
903 government real estate records or security interest filings;
904 (B) Widely distributed media, such as information from a
905 telephone records repository or directory, a television or radio
906 program, a newspaper, a social media platform, or a website that
907 is available to the general public on an unrestricted basis. A
908 website is not restricted merely because an Internet service
909 provider or a site operator requires a fee or a password, so
910 long as access is available to the general public; or
911 (C) Disclosures to the general public which are required to
912 be made by federal, state, or local law.
913 (II) As used in this sub-subparagraph, the term “reasonable
914 basis to believe is lawfully made available to the general
915 public” relating to any information means that the person has
916 taken steps to determine:
917 (A) That the information is of the type that is available
918 to the general public, such as information included on the
919 public record in the jurisdiction where the mortgage would be
920 recorded; and
921 (B) Whether an individual can direct that the information
922 not be made available to the general public and, if so, the
923 customer to whom the information relates has not done so, such
924 as when a telephone number is listed in a telephone directory
925 and the customer has informed the licensee that the telephone
926 number is not unlisted.
927 (j) “Third-party service provider” means a person, other
928 than a licensee, which contracts with a licensee to maintain,
929 process, or store nonpublic personal information, or is
930 otherwise permitted access to nonpublic personal information
931 through its provision of services to a licensee.
932 (2) INFORMATION SECURITY PROGRAM.—
933 (a) Each licensee shall develop, implement, and maintain a
934 comprehensive written information security program that contains
935 administrative, technical, and physical safeguards for the
936 protection of the licensee’s information system and nonpublic
937 personal information.
938 (b) Each licensee shall ensure that the information
939 security program meets all of the following criteria:
940 1. Be commensurate with the following measures:
941 a. Size and complexity of the licensee.
942 b. Nature and scope of the licensee’s activities, including
943 the licensee’s use of third-party service providers.
944 c. Sensitivity of nonpublic personal information that is
945 used by the licensee or that is in the licensee’s possession,
946 custody, or control.
947 2. Be designed to do all of the following:
948 a. Protect the security and confidentiality of nonpublic
949 personal information and the security of the licensee’s
950 information system.
951 b. Protect against threats or hazards to the security or
952 integrity of nonpublic personal information and the licensee’s
953 information system.
954 c. Protect against unauthorized access to or the use of
955 nonpublic personal information and minimize the likelihood of
956 harm to any customer.
957 3. Define and periodically reevaluate the retention
958 schedule and the mechanism for the destruction of nonpublic
959 personal information if retention is no longer necessary for the
960 licensee’s business operations or is no longer required by
961 applicable law.
962 4. Regularly test and monitor systems and procedures for
963 the detection of actual and attempted attacks on, or intrusions
964 into, the licensee’s information system.
965 5. Be monitored, evaluated, and adjusted, as necessary, to
966 meet all of the following requirements:
967 a. Determine whether the licensee’s information security
968 program is consistent with relevant changes in technology.
969 b. Confirm the licensee’s information security program
970 accounts for the sensitivity of nonpublic personal information.
971 c. Identify changes that may be necessary to the licensee’s
972 information system.
973 d. Mitigate any internal or external threats to nonpublic
974 personal information.
975 e. Amend the licensee’s information security program for
976 any material changes to the licensee’s business arrangements,
977 including, but not limited to, mergers and acquisitions,
978 alliances and joint ventures, and outsourcing arrangements.
979 (c)1. As part of a licensee’s information security program,
980 the licensee shall establish a written incident response plan
981 designed to promptly respond to, and recover from, a
982 cybersecurity event that compromises:
983 a. The confidentiality, integrity, or availability of
984 nonpublic personal information in the licensee’s possession;
985 b. The licensee’s information system; or
986 c. The continuing functionality of any aspect of the
987 licensee’s operations.
988 2. The written incident response plan must address all of
989 the following:
990 a. The licensee’s internal process for responding to a
991 cybersecurity event.
992 b. The goals of the licensee’s incident response plan.
993 c. The assignment of clear roles, responsibilities, and
994 levels of decisionmaking authority for the licensee’s personnel
995 that participate in the incident response plan.
996 d. External communications, internal communications, and
997 information sharing related to a cybersecurity event.
998 e. The identification of remediation requirements for
999 weaknesses identified in information systems and associated
1000 controls.
1001 f. The documentation and reporting regarding cybersecurity
1002 events and related incident response activities.
1003 g. The evaluation and revision of the incident response
1004 plan, as appropriate, following a cybersecurity event.
1005 h. The process by which notice must be given as required
1006 under subsection (3) and s. 501.171(3) and (4).
1007 (d)1. This section does not apply to a licensee that has
1008 fewer than:
1009 a. Twenty individuals on its workforce, including employees
1010 and independent contractors; or
1011 b. Five hundred customers during a calendar year.
1012 2. A licensee that no longer qualifies for exemption under
1013 subparagraph 1. has 180 calendar days to comply with this
1014 section after the date of the disqualification.
1015 (e) Each licensee shall maintain a copy of the information
1016 security program for a minimum of 5 years and shall make it
1017 available to the office upon request or as part of an
1018 examination.
1019 (3) NOTICE TO OFFICE OF SECURITY BREACH.—Each licensee
1020 shall provide notice to the office of any breach of security, as
1021 defined in s. 501.171(1), affecting 500 or more individuals in
1022 this state at a time and in the manner prescribed by commission
1023 rule.
1024 (4) CONSTRUCTION.—This section may not be construed to
1025 relieve a covered entity from complying with s. 501.171. To the
1026 extent a licensee is a covered entity, as defined in s.
1027 501.171(1), the licensee remains subject to s. 501.171.
1028 (5) RULES.—The commission shall adopt rules to administer
1029 this section, including rules that allow a licensee that is in
1030 compliance with the Federal Trade Commission’s Standards for
1031 Safeguarding Customer Information, 16 C.F.R. part 314, to be
1032 deemed in compliance with subsection (2).
1033 Section 12. Subsection (10) of section 560.309, Florida
1034 Statutes, is amended to read:
1035 560.309 Conduct of business.—
1036 (10) If a check is returned to a licensee from a payor
1037 financial institution due to lack of funds, a closed account, or
1038 a stop-payment order, the licensee may seek collection pursuant
1039 to s. 68.065. In seeking collection, the licensee must comply
1040 with the prohibitions against harassment or abuse, false or
1041 misleading representations, and unfair practices in the Florida
1042 Consumer Collection Practices Act under part VI of chapter 559,
1043 including s. 559.77. The licensee must also comply with the Fair
1044 Debt Collections Practices Act, 15 U.S.C. ss. 1692d, 1692e, and
1045 1692f if the licensee uses a third-party debt collector or any
1046 name other than its own to collect such debts. A violation of
1047 this subsection is a deceptive and unfair trade practice and
1048 constitutes a violation of the Deceptive and Unfair Trade
1049 Practices Act under part II of chapter 501. In addition, a
1050 licensee must comply with the applicable provisions of the
1051 Consumer Collection Practices Act under part VI of chapter 559,
1052 including s. 559.77.
1053 Section 13. Subsection (3) of section 560.405, Florida
1054 Statutes, is amended to read:
1055 560.405 Deposit; redemption.—
1056 (3) Notwithstanding subsection (1), in lieu of presentment,
1057 a deferred presentment provider may allow the check to be
1058 redeemed at any time upon payment of the outstanding transaction
1059 balance and earned fees. Redemption in cash must be treated in
1060 the same manner as redemption through a debit card transaction.
1061 However, payment may not be made in the form of a personal check
1062 or through a credit card transaction. Upon redemption, the
1063 deferred presentment provider must return the drawer’s check and
1064 provide a signed, dated receipt showing that the drawer’s check
1065 has been redeemed.
1066 Section 14. Subsection (2) of section 560.406, Florida
1067 Statutes, is amended to read:
1068 560.406 Worthless checks.—
1069 (2) If a check is returned to a deferred presentment
1070 provider from a payor financial institution due to insufficient
1071 funds, a closed account, or a stop-payment order, the deferred
1072 presentment provider may pursue all legally available civil
1073 remedies to collect the check, including, but not limited to,
1074 the imposition of all charges imposed on the deferred
1075 presentment provider by the financial institution. In its
1076 collection practices, a deferred presentment provider must
1077 comply with the prohibitions against harassment or abuse, false
1078 or misleading representations, and unfair practices that are
1079 contained in the Florida Consumer Collection Practices Act under
1080 part VI of chapter 559, including s. 559.77. A deferred
1081 presentment provider must also comply with the Fair Debt
1082 Collections Practices Act, 15 U.S.C. ss. 1692d, 1692e, and 1692f
1083 if the deferred presentment provider uses a third-party debt
1084 collector or any name other than its own to collect such debts.
1085 A violation of this act is a deceptive and unfair trade practice
1086 and constitutes a violation of the Deceptive and Unfair Trade
1087 Practices Act under part II of chapter 501. In addition, a
1088 deferred presentment provider must comply with the applicable
1089 provisions of the Consumer Collection Practices Act under part
1090 VI of chapter 559, including s. 559.77.
1091 Section 15. Section 655.0171, Florida Statutes, is created
1092 to read:
1093 655.0171 Requirements for customer data security and for
1094 notices of security breaches.—
1095 (1) DEFINITIONS.—As used in this section, the term:
1096 (a) “Breach of security” or “breach” means unauthorized
1097 access of data in electronic form containing personal
1098 information. Good faith access of personal information by an
1099 employee or agent of a financial institution does not constitute
1100 a breach of security, provided that the information is not used
1101 for a purpose unrelated to the business or subject to further
1102 unauthorized use. As used in this paragraph, the term “data in
1103 electronic form” means any data stored electronically or
1104 digitally on any computer system or other database and includes
1105 recordable tapes and other mass storage devices.
1106 (b) “Department” means the Department of Legal Affairs.
1107 (c)1. “Personal information” means:
1108 a. An individual’s first name, or first initial, and last
1109 name, in combination with any of the following data elements for
1110 that individual:
1111 (I) A social security number;
1112 (II) A driver license or identification card number,
1113 passport number, military identification number, or other
1114 similar number issued on a government document used to verify
1115 identity;
1116 (III) A financial account number or credit or debit card
1117 number, in combination with any required security code, access
1118 code, or password that is necessary to permit access to the
1119 individual’s financial account;
1120 (IV) The individual’s biometric data as defined in s.
1121 501.702; or
1122 (V) Any information regarding the individual’s geolocation;
1123 or
1124 b. A username or e-mail address, in combination with a
1125 password or security question and answer that would permit
1126 access to an online account.
1127 2. The term does not include information about an
1128 individual which has been made publicly available by a federal,
1129 state, or local governmental entity. The term also does not
1130 include information that is encrypted, secured, or modified by
1131 any other method or technology that removes elements that
1132 personally identify an individual or that otherwise renders the
1133 information unusable.
1134 (2) REQUIREMENTS FOR DATA SECURITY.—Each financial
1135 institution shall take reasonable measures to protect and secure
1136 data that are in electronic form and that contain personal
1137 information.
1138 (3) NOTICE TO OFFICE AND DEPARTMENT OF SECURITY BREACH.—
1139 (a)1. Each financial institution shall provide notice to
1140 the office of any breach of security affecting 500 or more
1141 individuals in this state. Such notice must be provided to the
1142 office as expeditiously as practicable, but no later than 30
1143 days after the determination of the breach or the determination
1144 of a reason to believe that a breach has occurred.
1145 2. The written notice to the office must include the items
1146 required under s. 501.171(3)(b).
1147 3. A financial institution must provide the following
1148 information to the office upon its request:
1149 a. A police report, incident report, or computer forensics
1150 report.
1151 b. A copy of the policies in place regarding breaches.
1152 c. Steps that have been taken to rectify the breach.
1153 4. A financial institution may provide the office with
1154 supplemental information regarding a breach at any time.
1155 (b) Each financial institution shall provide notice to the
1156 department of any breach of security affecting 500 or more
1157 individuals in this state. Such notice must be provided to the
1158 department in accordance with s. 501.171.
1159 (4) NOTICE TO INDIVIDUALS OF SECURITY BREACH.—Each
1160 financial institution shall give notice to each individual in
1161 this state whose personal information was, or the financial
1162 institution reasonably believes to have been, accessed as a
1163 result of the breach in accordance with s. 501.171(4). The
1164 notice must be provided no later than 30 days after the
1165 determination of the breach or the determination of a reason to
1166 believe that a breach has occurred. A financial institution may
1167 receive 15 additional days to provide notice to individuals of a
1168 security breach as required in this subsection if good cause for
1169 delay is provided in writing to the office within 30 days after
1170 determination of the breach or determination of the reason to
1171 believe that a breach has occurred.
1172 (5) NOTICE TO CREDIT REPORTING AGENCIES.—If a financial
1173 institution discovers circumstances requiring notice pursuant to
1174 this section of more than 1,000 individuals at a single time,
1175 the financial institution shall also notify, without
1176 unreasonable delay, all consumer reporting agencies that compile
1177 and maintain files on consumers on a nationwide basis, as
1178 defined in the Fair Credit Reporting Act, 15 U.S.C. s. 1681a(p),
1179 of the timing, distribution, and content of the notices.
1180 Section 16. Present subsections (3), (4), and (5) of
1181 section 655.032, Florida Statutes, are redesignated as
1182 subsections (4), (5), and (6), respectively, and a new
1183 subsection (3) is added to that section, to read:
1184 655.032 Investigations, subpoenas, hearings, and
1185 witnesses.—
1186 (3) The office may consider or use as part of any
1187 investigation pursuant to this section the information contained
1188 in any suspected financial exploitation report or any records
1189 generated as a result of such report which is obtained pursuant
1190 to s. 415.106(4).
1191 Section 17. Present paragraphs (c) through (f) of
1192 subsection (1) of section 655.045, Florida Statutes, are
1193 redesignated as paragraphs (d) through (g), respectively, a new
1194 paragraph (c) is added to that subsection, and present paragraph
1195 (d) of that subsection is amended, to read:
1196 655.045 Examinations, reports, and internal audits;
1197 penalty.—
1198 (1) The office shall conduct an examination of the
1199 condition of each state financial institution at least every 18
1200 months. The office may conduct more frequent examinations based
1201 upon the risk profile of the financial institution, prior
1202 examination results, or significant changes in the institution
1203 or its operations. The office may use continuous, phase, or
1204 other flexible scheduling examination methods for very large or
1205 complex state financial institutions and financial institutions
1206 owned or controlled by a multi-financial institution holding
1207 company. The office shall consider examination guidelines from
1208 federal regulatory agencies in order to facilitate, coordinate,
1209 and standardize examination processes.
1210 (c) The office may consider or use as part of any
1211 examination conducted pursuant to this section the information
1212 contained in any suspected financial exploitation report or any
1213 records generated as a result of such report which is obtained
1214 pursuant to s. 415.106(4).
1215 (e)(d) As used in this section, the term “costs” means the
1216 salary and travel expenses directly attributable to the field
1217 staff examining the state financial institution, subsidiary, or
1218 service corporation, and the travel expenses of any supervisory
1219 staff required as a result of examination findings. The mailing
1220 of any costs incurred under this subsection must be postmarked
1221 within 45 30 days after the date of receipt of a notice stating
1222 that such costs are due. The office may levy a late payment of
1223 up to $100 per day or part thereof that a payment is overdue,
1224 unless excused for good cause. However, for intentional late
1225 payment of costs, the office may levy an administrative fine of
1226 up to $1,000 per day for each day the payment is overdue.
1227 Section 18. Subsection (2) of section 657.005, Florida
1228 Statutes, is amended to read:
1229 657.005 Application for authority to organize a credit
1230 union; investigation.—
1231 (2) Any five or more individuals, a majority of whom are
1232 residents of this state and all of whom who represent a limited
1233 field of membership, may apply to the office for permission to
1234 organize a credit union. The fact that individuals within the
1235 proposed limited field of membership have credit union services
1236 available to them through another limited field of membership
1237 shall not preclude the granting of a certificate of
1238 authorization to engage in the business of a credit union.
1239 Section 19. Subsection (1) of section 657.024, Florida
1240 Statutes, is amended to read:
1241 657.024 Membership meetings.—
1242 (1) The members shall receive timely notice of the annual
1243 meeting and any special meetings of the members, which shall be
1244 held at the time, place, and in the manner provided in the
1245 bylaws. The annual meeting and any special meetings of the
1246 members may be held virtually without an in-person quorum, and
1247 virtual attendance may satisfy quorum requirements, subject to
1248 the bylaws.
1249 Section 20. Paragraph (b) of subsection (3) and present
1250 subsection (5) of section 657.042, Florida Statutes, are amended
1251 to read:
1252 657.042 Investment powers and limitations.—A credit union
1253 may invest its funds subject to the following definitions,
1254 restrictions, and limitations:
1255 (3) INVESTMENT SUBJECT TO LIMITATION OF TWO PERCENT OF
1256 CAPITAL OF THE CREDIT UNION.—
1257 (b) Commercial paper and bonds of any corporation within
1258 the United States which have a fixed maturity, as provided in
1259 subsection (6) (7), except that the total investment in all such
1260 paper and bonds may not exceed 10 percent of the capital of the
1261 credit union.
1262 (5) INVESTMENTS IN REAL ESTATE AND EQUIPMENT FOR THE CREDIT
1263 UNION.—
1264 (a) Up to 5 percent of the capital of the credit union may
1265 be invested in real estate and improvements thereon, furniture,
1266 fixtures, and equipment utilized or to be utilized by the credit
1267 union for the transaction of business.
1268 (b) The limitations provided by this subsection may be
1269 exceeded with the prior written approval of the office. The
1270 office shall grant such approval if it is satisfied that:
1271 1. The proposed investment is necessary.
1272 2. The amount thereof is commensurate with the size and
1273 needs of the credit union.
1274 3. The investment will be beneficial to the members.
1275 4. A reasonable plan is developed to reduce the investment
1276 to statutory limits.
1277 Section 21. Paragraphs (b) and (c) of subsection (4) of
1278 section 658.21, Florida Statutes, are amended to read:
1279 658.21 Approval of application; findings required.—The
1280 office shall approve the application if it finds that:
1281 (4)
1282 (b) At least two of the proposed directors who are not also
1283 proposed officers must have had within the 10 years before the
1284 date of the application at least 1 year of direct experience as
1285 an executive officer, regulator, or director of a financial
1286 institution as specified in the application within the 5 years
1287 before the date of the application. However, if the applicant
1288 demonstrates that at least one of the proposed directors has
1289 very substantial experience as an executive officer, director,
1290 or regulator of a financial institution more than 5 years before
1291 the date of the application, the office may modify the
1292 requirement and allow the applicant to have only one director
1293 who has direct financial institution experience within the last
1294 5 years.
1295 (c) The proposed president or chief executive officer must
1296 have had at least 1 year of direct experience as an executive
1297 officer, director, or regulator of a financial institution
1298 within the last 10 5 years. In making a decision, the office
1299 must also consider may waive this requirement after considering:
1300 1. The adequacy of the overall experience and expertise of
1301 the proposed president or chief executive officer;
1302 2. The likelihood of successful operation of the proposed
1303 state bank or trust company pursuant to subsection (1);
1304 3. The adequacy of the proposed capitalization under
1305 subsection (2);
1306 4. The proposed capital structure under subsection (3);
1307 5. The experience of the other proposed officers and
1308 directors; and
1309 6. Any other relevant data or information.
1310 Section 22. Subsection (2) of section 658.33, Florida
1311 Statutes, is amended to read:
1312 658.33 Directors, number, qualifications; officers.—
1313 (2) Not less than a majority of the directors must, during
1314 their whole term of service, be citizens of the United States,
1315 and at least a majority of the directors must have resided in
1316 this state for at least 1 year preceding their election and must
1317 be residents therein during their continuance in office. In the
1318 case of a bank or trust company with total assets of less than
1319 $150 million, at least one, and in the case of a bank or trust
1320 company with total assets of $150 million or more, two of the
1321 directors who are not also officers of the bank or trust company
1322 must have had at least 1 year of direct experience as an
1323 executive officer, regulator, or director of a financial
1324 institution within the last 10 5 years.
1325 Section 23. Subsection (4) of section 662.141, Florida
1326 Statutes, is amended to read:
1327 662.141 Examination, investigations, and fees.—The office
1328 may conduct an examination or investigation of a licensed family
1329 trust company at any time it deems necessary to determine
1330 whether the licensed family trust company or licensed family
1331 trust company-affiliated party thereof has violated or is about
1332 to violate any provision of this chapter, any applicable
1333 provision of the financial institutions codes, or any rule
1334 adopted by the commission pursuant to this chapter or the codes.
1335 The office may conduct an examination or investigation of a
1336 family trust company or foreign licensed family trust company at
1337 any time it deems necessary to determine whether the family
1338 trust company or foreign licensed family trust company has
1339 engaged in any act prohibited under s. 662.131 or s. 662.134
1340 and, if a family trust company or a foreign licensed family
1341 trust company has engaged in such act, to determine whether any
1342 applicable provision of the financial institutions codes has
1343 been violated.
1344 (4) For each examination of the books and records of a
1345 family trust company, licensed family trust company, or foreign
1346 licensed family trust company as authorized under this chapter,
1347 the trust company shall pay a fee for the costs of the
1348 examination by the office. As used in this section, the term
1349 “costs” means the salary and travel expenses of field staff
1350 which are directly attributable to the examination of the trust
1351 company and the travel expenses of any supervisory and support
1352 staff required as a result of examination findings. The mailing
1353 of payment for costs incurred must be postmarked within 45 30
1354 days after the receipt of a notice stating that the costs are
1355 due. The office may levy a late payment of up to $100 per day or
1356 part thereof that a payment is overdue unless waived for good
1357 cause. However, if the late payment of costs is intentional, the
1358 office may levy an administrative fine of up to $1,000 per day
1359 for each day the payment is overdue.
1360 Section 24. Subsection (21) of section 517.12, Florida
1361 Statutes, is amended to read:
1362 517.12 Registration of dealers, associated persons,
1363 intermediaries, and investment advisers.—
1364 (21) The registration requirements of this section do not
1365 apply to any general lines insurance agent or life insurance
1366 agent licensed under chapter 626, with regard to the sale of a
1367 security as defined in s. 517.021(34)(g) s. 517.021(33)(g), if
1368 the individual is directly authorized by the issuer to offer or
1369 sell the security on behalf of the issuer and the issuer is a
1370 federally chartered savings bank subject to regulation by the
1371 Federal Deposit Insurance Corporation. Actions under this
1372 subsection constitute activity under the insurance agent’s
1373 license for purposes of ss. 626.611 and 626.621.
1374 Section 25. This act shall take effect July 1, 2026.