Florida Senate - 2026 CS for CS for CS for SB 540
By the Committee on Rules; the Appropriations Committee on
Agriculture, Environment, and General Government; the Committee
on Banking and Insurance; and Senator Martin
595-03185-26 2026540c3
1 A bill to be entitled
2 An act relating to the Office of Financial Regulation;
3 amending s. 415.106, F.S.; requiring the Department of
4 Children and Families to cooperate with and seek
5 cooperation from the Office of Financial Regulation
6 concerning certain protective investigations of
7 suspected financial exploitation of specified adults;
8 requiring the department to provide copies of certain
9 suspected financial exploitation reports to the office
10 within a certain timeframe; authorizing the department
11 to provide copies of certain records at the request of
12 the office within a specified timeframe; authorizing
13 the office to use such reports or records as required
14 or authorized in certain provisions; specifying that
15 certain confidentiality provisions that apply to the
16 department apply to the records of the office and its
17 employees and agents; authorizing the department and
18 the office to enter into a specified memorandum of
19 agreement; amending s. 415.107, F.S.; revising the
20 persons, officials, and agencies granted access to
21 certain records relating to vulnerable adults;
22 creating s. 494.00123, F.S.; defining terms; requiring
23 loan originators, mortgage brokers, and mortgage
24 lenders to develop, implement, and maintain
25 comprehensive written information security programs
26 for the protection of information systems and
27 nonpublic personal information; providing requirements
28 for such programs; requiring loan originators,
29 mortgage brokers, and mortgage lenders to establish
30 written incident response plans for specified
31 purposes; providing requirements for such plans;
32 providing applicability; providing compliance
33 requirements under specified circumstances; requiring
34 loan originators, mortgage brokers, and mortgage
35 lenders to maintain copies of information security
36 programs for a specified timeframe and to make them
37 available to the office under certain circumstances;
38 specifying requirements for notices of security
39 breaches; providing construction; requiring the
40 Financial Services Commission to adopt rules; amending
41 s. 494.00255, F.S.; providing additional acts that
42 constitute a ground for specified disciplinary actions
43 against loan originators and mortgage brokers;
44 amending s. 517.021, F.S.; revising the definition of
45 the term “investment adviser”; defining terms;
46 amending s. 517.061, F.S.; defining terms; amending s.
47 517.201, F.S.; authorizing the office to make
48 investigations and examinations to aid the Department
49 of Children and Families with certain protective
50 investigations; authorizing the office to consider or
51 use certain information as part of certain
52 investigations and examinations; amending s. 517.34,
53 F.S.; revising the information required to be
54 contained in the form by which a dealer or investment
55 advisor notifies the office of certain delayed
56 disbursements or transactions of funds or securities;
57 providing construction; creating s. 520.135, F.S.;
58 specifying that the rights and obligations of parties
59 with respect to a surrendered or repossessed motor
60 vehicle are exclusively governed by certain
61 provisions; amending s. 560.114, F.S.; specifying the
62 entities that are subject to certain disciplinary
63 actions and penalties; revising the list of actions by
64 money services businesses which constitute grounds for
65 certain disciplinary actions and penalties; specifying
66 requirements for emergency suspension orders that
67 suspend money services business licenses; providing
68 that an emergency suspension order is effective when
69 the licensee against whom the order is directed has
70 actual or constructive knowledge of the order;
71 requiring the office to institute timely proceedings
72 after issuance of an emergency suspension order;
73 authorizing a licensee subject to an emergency
74 suspension order to seek judicial review; requiring,
75 rather than authorizing, the office to suspend
76 licenses of money services businesses under certain
77 circumstances; creating s. 560.1311, F.S.; defining
78 terms; requiring money services businesses to develop,
79 implement, and maintain comprehensive written
80 information security programs for the protection of
81 information systems and nonpublic personal
82 information; specifying requirements for such
83 programs; requiring money services businesses to
84 establish written incident response plans for
85 specified purposes; specifying requirements for such
86 plans; providing applicability; specifying compliance
87 requirements under specified circumstances; requiring
88 money services businesses to maintain copies of
89 information security programs for a specified
90 timeframe and to make them available to the office
91 under certain circumstances; specifying requirements
92 for notices of security breaches; providing
93 construction; requiring the commission to adopt rules;
94 amending s. 560.309, F.S.; providing that licensees
95 must comply with the Fair Debt Collections Practices
96 Act only if the licensees meet certain criteria;
97 amending s. 560.405, F.S.; requiring that redemptions
98 transacted using a debit card be treated the same as
99 redemptions transacted using cash; prohibiting
100 redemption through a credit card transaction; amending
101 s. 560.406, F.S.; providing that licensees must comply
102 with the Fair Debt Collections Practices Act only if
103 the licensees meet certain criteria; creating s.
104 655.0171, F.S.; defining terms; requiring financial
105 institutions to take measures to protect and secure
106 certain data that contain personal information;
107 providing requirements for notices of security
108 breaches to the office, the Department of Legal
109 Affairs, certain individuals, and certain credit
110 reporting agencies; amending s. 655.032, F.S.;
111 authorizing the office to consider or use certain
112 information as part of certain investigations or other
113 actions; amending s. 655.045, F.S.; authorizing the
114 office to consider or use certain information as part
115 of certain investigations or other actions; revising
116 the timeline for the mailing of payment for salary and
117 travel expenses of certain field staff; amending s.
118 657.005, F.S.; revising requirements for permission to
119 organize credit unions; amending s. 657.024, F.S.;
120 authorizing meetings of credit union members to be
121 held virtually without an in-person quorum and
122 authorizing virtual attendance to satisfy quorum
123 requirements under certain circumstances; amending s.
124 657.042, F.S.; removing provisions that impose
125 limitations on investments in real estate and
126 equipment for credit unions; amending s. 658.21, F.S.;
127 revising requirements and factors for approving
128 applications for organizing banks and trust companies;
129 amending s. 658.33, F.S.; revising requirements for
130 directors of certain banks and trust companies;
131 amending s. 662.141, F.S.; revising the timeline for
132 the mailing of payment for the salary and travel
133 expenses of certain field staff; amending s. 517.12,
134 F.S.; conforming a cross-reference; providing an
135 effective date.
136
137 Be It Enacted by the Legislature of the State of Florida:
138
139 Section 1. Subsection (4) is added to section 415.106,
140 Florida Statutes, to read:
141 415.106 Cooperation by the department and criminal justice
142 and other agencies.—
143 (4) To the fullest extent possible, the department shall
144 cooperate with and seek cooperation from the Office of Financial
145 Regulation concerning protective investigations of suspected
146 financial exploitation of specified adults, as defined in s.
147 415.10341, which are reported to the central abuse hotline and
148 which the department is responsible for conducting pursuant to
149 s. 415.104.
150 (a) In accordance with s. 415.107, the department shall
151 provide copies of all suspected financial exploitation reports
152 received by the central abuse hotline pursuant to s. 415.1034
153 from any financial institution as defined in s. 655.005(1),
154 securities dealer as defined in s. 517.021(12), or investment
155 adviser as defined in s. 517.021(20) to the Office of Financial
156 Regulation within 15 days after receiving the report. The
157 department may provide copies of any records generated as a
158 result of such reports at the request of the Office of Financial
159 Regulation within 15 days after such request.
160 1. The Office of Financial Regulation may use the reports
161 or records obtained as required or authorized in this subsection
162 for any investigation, examination, or other action conducted
163 pursuant to s. 20.121(3)(a)2., chapter 517, or chapter 655.
164 2. Except as provided in this chapter and chapters 517 and
165 655, all confidentiality provisions that apply to the department
166 continue to apply to the records made available to the Office of
167 Financial Regulation and its officials, employees, and agents
168 under s. 415.107.
169 (b) The department and the Office of Financial Regulation
170 may enter into a memorandum of agreement that specifies how the
171 Office of Financial Regulation, in the agency’s role as the
172 regulator of financial services, may assist the department with
173 effectively and efficiently conducting a protective
174 investigation of any vulnerable adult financial exploitation
175 report received by the central abuse hotline and, if the
176 agencies enter into a memorandum of agreement, it must specify
177 how such assistance will be implemented.
178 Section 2. Paragraph (m) is added to subsection (3) of
179 section 415.107, Florida Statutes, to read:
180 415.107 Confidentiality of reports and records.—
181 (3) Access to all records, excluding the name of the
182 reporter which shall be released only as provided in subsection
183 (6), shall be granted only to the following persons, officials,
184 and agencies:
185 (m) Any appropriate officials, employees, or agents of the
186 Office of Financial Regulation who are responsible for
187 conducting investigations, examinations, or other actions
188 pursuant to s. 20.121(3)(a)2., chapter 517, or chapter 655.
189 Section 3. Section 494.00123, Florida Statutes, is created
190 to read:
191 494.00123 Information security programs.—
192 (1) DEFINITIONS.—As used in this section, the term:
193 (a) “Customer” means a person who seeks to obtain or who
194 obtains or has obtained a financial product or service from a
195 licensee.
196 (b) “Customer information” means any record containing
197 nonpublic personal information about a customer of a financial
198 transaction, whether on paper, electronic, or in other forms,
199 which is handled or maintained by or on behalf of the licensee
200 or its affiliates.
201 (c) “Cybersecurity event” means an event resulting in
202 unauthorized access to, or disruption or misuse of, an
203 information system or customer information stored on such
204 information system. The term does not include the unauthorized
205 acquisition of encrypted customer information if the encryption
206 process or key is not also acquired, released, or used without
207 authorization. The term does not include an event with regard to
208 which the licensee has determined that the customer information
209 accessed by an unauthorized person has not been used or released
210 and has been returned or destroyed.
211 (d) “Encrypted” means the transformation of data into a
212 form that results in a low probability of assigning meaning
213 without the use of a protective process or key.
214 (e) “Financial product or service” means any product or
215 service offered by a licensee under this chapter.
216 (f) “Information security program” means the
217 administrative, technical, or physical safeguards used to
218 access, collect, distribute, process, protect, store, use,
219 transmit, dispose of, or otherwise handle customer information.
220 (g) “Information system” means a discrete set of electronic
221 information resources organized for the collection, processing,
222 maintenance, use, sharing, dissemination, or disposition of
223 electronic information, as well as any specialized system such
224 as an industrial process control system, telephone switching and
225 private branch exchange system, or environmental control system,
226 which contain customer information or which are connected to a
227 system that contains customer information.
228 (h)1. “Nonpublic personal information” means:
229 a. Personally identifiable financial information; and
230 b. Any list, description, or other grouping of customers
231 which is derived using any personally identifiable financial
232 information that is not publicly available, such as account
233 numbers, including any list of individuals’ names and street
234 addresses which is derived, in whole or in part, using
235 personally identifiable financial information that is not
236 publicly available.
237 2. The term does not include:
238 a. Publicly available information, except as included on a
239 list, description, or other grouping of customers described in
240 sub-subparagraph 1.b.;
241 b. Any list, description, or other grouping of consumers,
242 or any publicly available information pertaining to such list,
243 description, or other grouping of consumers, which is derived
244 without using any personally identifiable financial information
245 that is not publicly available; or
246 c. Any list of individuals’ names and addresses which
247 contains only publicly available information, is not derived, in
248 whole or in part, using personally identifiable financial
249 information that is not publicly available, and is not disclosed
250 in a manner that indicates that any of the individuals on the
251 list is a customer of a licensee.
252 3. As used in this paragraph, the term:
253 a.(I) “Personally identifiable financial information” means
254 any information that:
255 (A) A customer provides to a licensee to obtain a financial
256 product or service, such as information that a customer provides
257 to a licensee on an application to obtain a loan or other
258 financial product or service;
259 (B) A licensee receives about a consumer which is obtained
260 during or as a result of any transaction involving a financial
261 product or service between the licensee and the customer, such
262 as information collected through an information-collecting
263 device from a web server; or
264 (C) A licensee otherwise obtains about a customer in
265 connection with providing a financial product or service to the
266 customer, such as the fact that an individual is or has been one
267 of the licensee’s customers or has obtained a financial product
268 or service from the licensee.
269 (II) The term “personally identifiable financial
270 information” does not include:
271 (A) A list of names and addresses of customers of an entity
272 that is not a financial institution; or
273 (B) Information that does not identify a customer, such as
274 blind data or aggregate information that does not contain
275 personal identifiers such as account numbers, names, or
276 addresses.
277 b.(I) “Publicly available information” means any
278 information that a licensee has a reasonable basis to believe is
279 lawfully made available to the general public from:
280 (A) Federal, state, or local government records, such as
281 government real estate records or security interest filings;
282 (B) Widely distributed media, such as information from a
283 telephone records repository or directory, a television or radio
284 program, a newspaper, a social media platform, or a website that
285 is available to the general public on an unrestricted basis. A
286 website is not restricted merely because an Internet service
287 provider or a site operator requires a fee or a password, so
288 long as access is available to the general public; or
289 (C) Disclosures to the general public which are required to
290 be made by federal, state, or local law.
291 (II) As used in this sub-subparagraph, the term “reasonable
292 basis to believe is lawfully made available to the general
293 public” relating to any information means that the person has
294 taken steps to determine:
295 (A) That the information is of the type that is available
296 to the general public, such as information included on the
297 public record in the jurisdiction where a mortgage would be
298 recorded; and
299 (B) Whether an individual can direct that the information
300 not be made available to the general public and, if so, the
301 customer to whom the information relates has not done so, such
302 as when a telephone number is listed in a telephone directory
303 and the customer has informed the licensee that the telephone
304 number is not unlisted.
305 (i) “Third-party service provider” means a person, other
306 than a licensee, which contracts with a licensee to maintain,
307 process, or store nonpublic personal information, or is
308 otherwise permitted access to nonpublic personal information
309 through its provision of services to a licensee.
310 (2) INFORMATION SECURITY PROGRAM.—
311 (a) Each licensee shall develop, implement, and maintain a
312 comprehensive written information security program that contains
313 administrative, technical, and physical safeguards for the
314 protection of the licensee’s information system and nonpublic
315 personal information.
316 (b) Each licensee shall ensure that the information
317 security program meets all of the following criteria:
318 1. Be commensurate with the following measures:
319 a. Size and complexity of the licensee.
320 b. Nature and scope of the licensee’s activities, including
321 the licensee’s use of third-party service providers.
322 c. Sensitivity of nonpublic personal information that is
323 used by the licensee or that is in the licensee’s possession,
324 custody, or control.
325 2. Be designed to do all of the following:
326 a. Protect the security and confidentiality of nonpublic
327 personal information and the security of the licensee’s
328 information system.
329 b. Protect against threats or hazards to the security or
330 integrity of nonpublic personal information and the licensee’s
331 information system.
332 c. Protect against unauthorized access to or the use of
333 nonpublic personal information and minimize the likelihood of
334 harm to any customer.
335 3. Define and periodically reevaluate the retention
336 schedule and the mechanism for the destruction of nonpublic
337 personal information if retention is no longer necessary for the
338 licensee’s business operations or is no longer required by
339 applicable law.
340 4. Regularly test and monitor systems and procedures for
341 the detection of actual and attempted attacks on, or intrusions
342 into, the licensee’s information system.
343 5. Be monitored, evaluated, and adjusted, as necessary, to
344 meet all of the following requirements:
345 a. Determine whether the licensee’s information security
346 program is consistent with relevant changes in technology.
347 b. Confirm the licensee’s information security program
348 accounts for the sensitivity of nonpublic personal information.
349 c. Identify changes that may be necessary to the licensee’s
350 information system.
351 d. Mitigate any internal or external threats to nonpublic
352 personal information.
353 e. Amend the licensee’s information security program for
354 any material changes to the licensee’s business arrangements,
355 including, but not limited to, mergers and acquisitions,
356 alliances and joint ventures, and outsourcing arrangements.
357 (c)1. As part of a licensee’s information security program,
358 the licensee shall establish a written incident response plan
359 designed to promptly respond to, and recover from, a
360 cybersecurity event that compromises:
361 a. The confidentiality, integrity, or availability of
362 nonpublic personal information in the licensee’s possession;
363 b. The licensee’s information system; or
364 c. The continuing functionality of any aspect of the
365 licensee’s operations.
366 2. The written incident response plan must address all of
367 the following:
368 a. The licensee’s internal process for responding to a
369 cybersecurity event.
370 b. The goals of the licensee’s incident response plan.
371 c. The assignment of clear roles, responsibilities, and
372 levels of decisionmaking authority for the licensee’s personnel
373 who participate in the incident response plan.
374 d. External communications, internal communications, and
375 information sharing related to a cybersecurity event.
376 e. The identification of remediation requirements for
377 weaknesses identified in information systems and associated
378 controls.
379 f. The documentation and reporting regarding cybersecurity
380 events and related incident response activities.
381 g. The evaluation and revision of the incident response
382 plan, as appropriate, following a cybersecurity event.
383 h. The process by which notice must be given as required
384 under subsection (3) and s. 501.171(3) and (4).
385 (d)1. This section does not apply to a licensee that has
386 fewer than:
387 a. Twenty individuals on its workforce, including employees
388 and independent contractors; or
389 b. Five hundred customers during a calendar year.
390 2. A licensee that no longer qualifies for exemption under
391 subparagraph 1. has 180 calendar days to comply with this
392 section after the date of the disqualification.
393 (e) Each licensee shall maintain a copy of the information
394 security program for a minimum of 5 years and shall make it
395 available to the office upon request or as part of an
396 examination.
397 (3) NOTICE TO OFFICE OF SECURITY BREACH.—Each licensee
398 shall provide notice to the office of any breach of security, as
399 defined in s. 501.171, affecting 500 or more individuals in this
400 state at a time and in the manner prescribed by commission rule.
401 (4) CONSTRUCTION.—This section may not be construed to
402 relieve a covered entity from complying with s. 501.171. To the
403 extent a licensee is a covered entity, as defined in s.
404 501.171(1), the licensee remains subject to s. 501.171.
405 (5) RULES.—The commission shall adopt rules to administer
406 this section, including rules that allow a licensee that is in
407 compliance with the Federal Trade Commission’s Standards for
408 Safeguarding Customer Information, 16 C.F.R. part 314, to be
409 deemed in compliance with subsection (2).
410 Section 4. Paragraph (z) is added to subsection (1) of
411 section 494.00255, Florida Statutes, to read:
412 494.00255 Administrative penalties and fines; license
413 violations.—
414 (1) Each of the following acts constitutes a ground for
415 which the disciplinary actions specified in subsection (2) may
416 be taken against a person licensed or required to be licensed
417 under part II or part III of this chapter:
418 (z) Failure to comply with the notification requirements in
419 s. 501.171(3) and (4).
420 Section 5. Present subsections (28) through (36) of section
421 517.021, Florida Statutes, are redesignated as subsections (29)
422 through (37), respectively, a new subsection (28) is added to
423 that section, and subsection (20) of that section is amended, to
424 read:
425 517.021 Definitions.—When used in this chapter, unless the
426 context otherwise indicates, the following terms have the
427 following respective meanings:
428 (20)(a) “Investment adviser” means a person, other than an
429 associated person of an investment adviser or a federal covered
430 adviser, that receives compensation, directly or indirectly, and
431 engages for all or part of the person’s time, directly or
432 indirectly, or through publications or writings, in the business
433 of advising others as to the value of securities or as to the
434 advisability of investments in, purchasing of, or selling of
435 securities.
436 (b) The term does not include any of the following:
437 1. A dealer or an associated person of a dealer whose
438 performance of services in paragraph (a) is solely incidental to
439 the conduct of the dealer’s or associated person’s business as a
440 dealer and who does not receive special compensation for those
441 services.
442 2. A licensed practicing attorney or certified public
443 accountant whose performance of such services is solely
444 incidental to the practice of the attorney’s or accountant’s
445 profession.
446 3. A bank authorized to do business in this state.
447 4. A bank holding company as defined in the Bank Holding
448 Company Act of 1956, as amended, authorized to do business in
449 this state.
450 5. A trust company having trust powers, as defined in s.
451 658.12, which it is authorized to exercise in this state, which
452 trust company renders or performs investment advisory services
453 in a fiduciary capacity incidental to the exercise of its trust
454 powers.
455 6. A person that renders investment advice exclusively to
456 insurance or investment companies.
457 7. A person:
458 a. Without a place of business in this state if the person
459 has had, during the preceding 12 months, fewer than six
460 clients who are residents of this state.
461 b. With a place of business in this state if the person has
462 had, during the preceding 12 months, fewer than six clients who
463 are residents of this state and no clients who are not residents
464 of this state.
465
466 As used in this subparagraph, the term “client” has the same
467 meaning as provided in Securities and Exchange Commission Rule
468 222-2, 17 C.F.R. s. 275.222-2, as amended.
469 8. A federal covered adviser.
470 9. The United States, a state, or any political subdivision
471 of a state, or any agency, authority, or instrumentality of any
472 such entity; a business entity that is wholly owned directly or
473 indirectly by such a governmental entity; or any officer, agent,
474 or employee of any such governmental or business entity who is
475 acting within the scope of his or her official duties.
476 10. A family office as defined in Securities and Exchange
477 Commission Rule 202(a)(11)(G)-1(b) under the Investment Advisers
478 Act of 1940, 17 C.F.R. s. 275.202(a)(11)(G)-1(b), as amended. In
479 determining whether a person meets the definition of a family
480 office under this subparagraph, the terms “affiliated family
481 office,” “control,” “executive officer,” “family client,”
482 “family entity,” “family member,” “former family member,” “key
483 employee,” and “spousal equivalent” have the same meaning as in
484 Securities and Exchange Commission Rule 202(a)(11)(G)-1(d) under
485 the Investment Advisers Act of 1940, 17 C.F.R. s.
486 275.202(a)(11)(G)-1(d), as amended.
487 (28) “Place of business” of an investment adviser means an
488 office at which the investment adviser regularly provides
489 investment advisory services to, solicits, meets with, or
490 otherwise communicates with clients; and any other location that
491 is held out to the general public as a location at which the
492 investment adviser provides investment advisory services to,
493 solicits, meets with, or otherwise communicates with clients.
494 Section 6. Paragraph (i) of subsection (9) of section
495 517.061, Florida Statutes, is amended to read:
496 517.061 Exempt transactions.—Except as otherwise provided
497 in subsection (11), the exemptions provided herein from the
498 registration requirements of s. 517.07 are self-executing and do
499 not require any filing with the office before being claimed. Any
500 person who claims entitlement to an exemption under this section
501 bears the burden of proving such entitlement in any proceeding
502 brought under this chapter. The registration provisions of s.
503 517.07 do not apply to any of the following transactions;
504 however, such transactions are subject to s. 517.301:
505 (9) The offer or sale of securities to:
506 (i) A family office as defined in Securities and Exchange
507 Commission Rule 202(a)(11)(G)-1(b) under the
508 Investment Advisers Act of 1940, 17 C.F.R. s.
509 275.202(a)(11)(G)-1(b), as amended, provided that:
510 1. The family office has assets under management in excess
511 of $5 million;
512 2. The family office is not formed for the specific purpose
513 of acquiring the securities offered; and
514 3. The prospective investment of the family office is
515 directed by a person who has knowledge and experience in
516 financial and business matters that the family office is capable
517 of evaluating the merits and risks of the prospective
518 investment.
519
520 In determining whether a person meets the definition of a family
521 office under this paragraph, the terms “affiliated family
522 office,” “control,” “executive officer,” “family client,”
523 “family entity,” “family member,” “former family member,” “key
524 employee,” and “spousal equivalent” have the same meaning as in
525 Securities and Exchange Commission Rule 202(a)(11)(G)-1(d) under
526 the Investment Advisers Act of 1940, 17 C.F.R. s.
527 275.202(a)(11)(G)-1(d), as amended.
528 Section 7. Paragraph (a) of subsection (1) of section
529 517.201, Florida Statutes, is amended, and paragraph (c) is
530 added to that subsection, to read:
531 517.201 Investigations; examinations; subpoenas; hearings;
532 witnesses.—
533 (1) The office:
534 (a) May make investigations and examinations within or
535 outside of this state as it deems necessary:
536 1. To determine whether a person has violated or is about
537 to violate any provision of this chapter or a rule or order
538 hereunder; or
539 2. To aid in the enforcement of this chapter; or
540 3. In accordance with a memorandum of agreement pursuant to
541 s. 415.106(4)(b), to aid the Department of Children and Families
542 with any protective investigations the Department of Children
543 and Families is required to conduct under s. 415.104.
544 (c) May consider or use as part of any investigation or
545 examination pursuant to this section the information contained
546 in any suspected financial exploitation report or any records
547 generated as a result of such report which is obtained pursuant
548 to s. 415.106(4).
549 Section 8. Paragraphs (b) and (c) of subsection (3) and
550 subsection (6) of section 517.34, Florida Statutes, are amended
551 to read:
552 517.34 Protection of specified adults.—
553 (3) A dealer or investment adviser may delay a disbursement
554 or transaction of funds or securities from an account of a
555 specified adult or an account for which a specified adult is a
556 beneficiary or beneficial owner if all of the following apply:
557 (b) Not later than 3 business days after the date on which
558 the delay was first placed, the dealer or investment adviser
559 complies with all of the following conditions:
560 1. Notifies in writing all parties authorized to transact
561 business on the account and any trusted contact on the account,
562 using the contact information provided for the account, with the
563 exception of any party the dealer or investment adviser
564 reasonably believes has engaged in, is engaging in, has
565 attempted to engage in, or will attempt to engage in the
566 suspected financial exploitation of the specified adult. The
567 notice, which may be provided electronically, must provide the
568 reason for the delay.
569 2. Notifies the office of the delay electronically on a
570 form prescribed by commission rule. The form must be consistent
571 with the purposes of this section and must contain, but need not
572 be limited to, the following information:
573 a. The date on which the delay was first placed.
574 b. The name, age, and address, or location, if different,
575 of the specified adult.
576 c. The business location of the dealer or investment
577 adviser.
578 d. The name, address, and telephone number and title of the
579 employee who reported suspected financial exploitation of the
580 specified adult.
581 e. The facts and circumstances that caused the employee to
582 report suspected financial exploitation.
583 f. The names, addresses, and telephone numbers of the
584 specified adult’s family members.
585 g. The name, address, and telephone number of each person
586 suspected of engaging in financial exploitation.
587 h. The name, address, and telephone number of the caregiver
588 of the specified adult, if different from the person or persons
589 suspected of engaging in financial exploitation.
590 i. A description of actions taken by the dealer or
591 investment adviser, if any, such as notification to a criminal
592 justice agency.
593 j. Any other information available to the reporting person
594 which may establish the cause of financial exploitation that
595 occurred or is occurring.
596 (c) Not later than 3 business days after the date on which
597 the delay was first placed, the dealer or investment adviser
598 notifies the office of the delay electronically on a form
599 prescribed by commission rule. The form must be consistent with
600 the purposes of this section and may include only the following
601 information:
602 1. The date on which the notice is submitted to the office.
603 2. The date on which the delay was first placed.
604 3. The following information about the specified adult:
605 a. Gender.
606 b. Age.
607 c. Zip code of residence address.
608 4. The following information about the dealer or investment
609 adviser who placed the delay:
610 a. Name.
611 b. Title.
612 c. Firm name.
613 d. Business address.
614 5. A section with the following questions for which the
615 only allowable responses are “Yes” or “No”:
616 a. Is financial exploitation of a specified adult suspected
617 in connection with a disbursement or transaction?
618 b. Are funds currently at risk of being lost?
619
620 The form must contain substantially the following statement in
621 conspicuous type: “The office may take disciplinary action
622 against any person making a knowing and willful
623 misrepresentation on this form.”
624 (6) A dealer, an investment adviser, or an associated
625 person who in good faith and exercising reasonable care complies
626 with this section is immune from any administrative or civil
627 liability that might otherwise arise from such delay in a
628 disbursement or transaction in accordance with this section.
629 This subsection does not supersede or diminish any immunity
630 granted under chapter 415, nor does it substitute for the duty
631 to report to the central abuse hotline as required under s.
632 415.1034.
633 Section 9. Section 520.135, Florida Statutes, is created to
634 read:
635 520.135 Surrendered or repossessed vehicles.—The rights and
636 obligations of parties with respect to a surrendered or
637 repossessed motor vehicle are exclusively governed by part VI of
638 chapter 679.
639 Section 10. Subsections (1) and (2) of section 560.114,
640 Florida Statutes, are amended to read:
641 560.114 Disciplinary actions; penalties.—
642 (1) The following actions by a money services business, an
643 authorized vendor, or an affiliated party that was affiliated at
644 the time of commission of the actions constitute grounds for the
645 issuance of a cease and desist order; the issuance of a removal
646 order; the denial, suspension, or revocation of a license; or
647 taking any other action within the authority of the office
648 pursuant to this chapter:
649 (a) Failure to comply with any provision of this chapter or
650 related rule or order, or any written agreement entered into
651 with the office.
652 (b) Fraud, misrepresentation, deceit, or gross negligence
653 in any transaction by a money services business, regardless of
654 reliance thereon by, or damage to, a customer.
655 (c) Fraudulent misrepresentation, circumvention, or
656 concealment of any matter that must be stated or furnished to a
657 customer pursuant to this chapter, regardless of reliance
658 thereon by, or damage to, such customer.
659 (d) False, deceptive, or misleading advertising.
660 (e) Failure to maintain, preserve, keep available for
661 examination, and produce all books, accounts, files, or other
662 documents required by this chapter or related rules or orders,
663 by 31 C.F.R. ss. 1010.306, 1010.311, 1010.312, 1010.340,
664 1010.410, 1010.415, 1022.210, 1022.320, 1022.380, and 1022.410,
665 or by an agreement entered into with the office.
666 (f) Refusing to allow the examination or inspection of
667 books, accounts, files, or other documents by the office
668 pursuant to this chapter, or to comply with a subpoena issued by
669 the office.
670 (g) Failure to pay a judgment recovered in any court by a
671 claimant in an action arising out of a money transmission
672 transaction within 30 days after the judgment becomes final.
673 (h) Engaging in an act prohibited under s. 560.111 or s.
674 560.1115.
675 (i) Insolvency.
676 (j) Failure by a money services business to remove an
677 affiliated party after the office has issued and served upon the
678 money services business a final order setting forth a finding
679 that the affiliated party has violated a provision of this
680 chapter.
681 (k) Making a material misstatement, misrepresentation, or
682 omission in an application for licensure, any amendment to such
683 application, or application for the appointment of an authorized
684 vendor.
685 (l) Committing any act that results in a license or its
686 equivalent, to practice any profession or occupation being
687 denied, suspended, revoked, or otherwise acted against by a
688 licensing authority in any jurisdiction.
689 (m) Being the subject of final agency action or its
690 equivalent, issued by an appropriate regulator, for engaging in
691 unlicensed activity as a money services business or deferred
692 presentment provider in any jurisdiction.
693 (n) Committing any act resulting in a license or its
694 equivalent to practice any profession or occupation being
695 denied, suspended, revoked, or otherwise acted against by a
696 licensing authority in any jurisdiction for a violation of 18
697 U.S.C. s. 1956, 18 U.S.C. s. 1957, 18 U.S.C. s. 1960, 31 U.S.C.
698 s. 5324, or any other law or rule of another state or of the
699 United States relating to a money services business, deferred
700 presentment provider, or usury that may cause the denial,
701 suspension, or revocation of a money services business or
702 deferred presentment provider license or its equivalent in such
703 jurisdiction.
704 (o) Having been convicted of, or entered a plea of guilty
705 or nolo contendere to, any felony or crime punishable by
706 imprisonment of 1 year or more under the law of any state or the
707 United States which involves fraud, moral turpitude, or
708 dishonest dealing, regardless of adjudication.
709 (p) Having been convicted of, or entered a plea of guilty
710 or nolo contendere to, a crime under 18 U.S.C. s. 1956 or 31
711 U.S.C. s. 5318, s. 5322, or s. 5324, regardless of adjudication.
712 (q) Having been convicted of, or entered a plea of guilty
713 or nolo contendere to, misappropriation, conversion, or unlawful
714 withholding of moneys belonging to others, regardless of
715 adjudication.
716 (r) Having been convicted of, or entered a plea of guilty
717 or nolo contendere to, a violation of 31 C.F.R. chapter X, part
718 1022, regardless of adjudication.
719 (s)(r) Failure to inform the office in writing within 30
720 days after having pled guilty or nolo contendere to, or being
721 convicted of, any felony or crime punishable by imprisonment of
722 1 year or more under the law of any state or the United States,
723 or any crime involving fraud, moral turpitude, or dishonest
724 dealing.
725 (t)(s) Aiding, assisting, procuring, advising, or abetting
726 any person in violating a provision of this chapter or any order
727 or rule of the office or commission.
728 (u)(t) Failure to pay any fee, charge, or cost imposed or
729 assessed under this chapter.
730 (v)(u) Failing to pay a fine assessed by the office within
731 30 days after the due date as stated in a final order.
732 (w)(v) Failure to pay any judgment entered by any court
733 within 30 days after the judgment becomes final.
734 (x)(w) Engaging or advertising engagement in the business
735 of a money services business or deferred presentment provider
736 without a license, unless exempted from licensure.
737 (y)(x) Payment to the office for a license or other fee,
738 charge, cost, or fine with a check or electronic transmission of
739 funds that is dishonored by the applicant’s or licensee’s
740 financial institution.
741 (z)(y) Violations of 31 C.F.R. ss. 1010.306, 1010.311,
742 1010.312, 1010.340, 1010.410, 1010.415, 1022.210, 1022.320,
743 1022.380, and 1022.410, and United States Treasury Interpretive
744 Release 2004-1.
745 (aa)(z) Any practice or conduct that creates the likelihood
746 of a material loss, insolvency, or dissipation of assets of a
747 money services business or otherwise materially prejudices the
748 interests of its customers.
749 (bb)(aa) Failure of a check casher to maintain a federally
750 insured depository account as required by s. 560.309.
751 (cc)(bb) Failure of a check casher to deposit into its own
752 federally insured depository account any payment instrument
753 cashed as required by s. 560.309.
754 (dd)(cc) Violating any provision of the Military Lending
755 Act, 10 U.S.C. s. 987, or the regulations adopted under that act
756 in 32 C.F.R. part 232, in connection with a deferred presentment
757 transaction conducted under part IV of this chapter.
758 (ee) Failure to comply with the notification requirements
759 in s. 501.171(3) and (4).
760 (2) Pursuant to s. 120.60(6), The office shall issue an
761 emergency suspension order suspending may summarily suspend the
762 license of a money services business if the office finds that a
763 licensee poses a danger deemed by the Legislature to be an
764 immediate and, serious danger to the public health, safety, and
765 welfare. A proceeding in which the office seeks the issuance of
766 a final order for the summary suspension of a licensee shall be
767 conducted by the commissioner of the office, or his or her
768 designee, who shall issue such order.
769 (a) An emergency suspension order under this subsection may
770 be issued without prior notice and an opportunity to be heard.
771 An emergency suspension order must:
772 1. State the grounds on which the order is based;
773 2. Advise the licensee against whom the order is directed
774 that the order takes effect immediately and, to the extent
775 applicable, requires the licensee to immediately cease and
776 desist from the conduct or violation that is the subject of the
777 order or to take the affirmative action stated in the order as
778 necessary to correct a condition resulting from the conduct or
779 violation or as otherwise appropriate;
780 3. Be delivered by personal delivery or sent by certified
781 mail, return receipt requested, to the licensee against whom the
782 order is directed at the licensee’s last known address; and
783 4. Include a notice that the licensee subject to the
784 emergency suspension order may seek judicial review pursuant to
785 s. 120.68.
786 (b) An emergency suspension order is effective as soon as
787 the licensee against whom the order is directed has actual or
788 constructive knowledge of the issuance of the order.
789 (c) The office shall institute timely proceedings under ss.
790 120.569 and 120.57 after issuance of an emergency suspension
791 order.
792 (d) A licensee subject to an emergency suspension order may
793 seek judicial review pursuant to s. 120.68.
794 (e) The following acts are deemed by the Legislature to
795 constitute an immediate and serious danger to the public health,
796 safety, and welfare, and the office shall may immediately issue
797 an emergency suspension order to suspend the license of a money
798 services business if:
799 1.(a) The money services business fails to provide to the
800 office, upon written request, any of the records required by s.
801 560.123, s. 560.1235, s. 560.211, or s. 560.310 or any rule
802 adopted under those sections. The suspension may be rescinded if
803 the licensee submits the requested records to the office.
804 2.(b) The money services business fails to maintain a
805 federally insured depository account as required by s.
806 560.208(4) or s. 560.309.
807 3.(c) A natural person required to be listed on the license
808 application for a money services business pursuant to s.
809 560.141(1)(a)3. is criminally charged with, or arrested for, a
810 crime described in paragraph (1)(o), paragraph (1)(p), or
811 paragraph (1)(q).
812 Section 11. Section 560.1311, Florida Statutes, is created
813 to read:
814 560.1311 Information security programs.—
815 (1) DEFINITIONS.—As used in this section, the term:
816 (a) “Customer” means a person who seeks to obtain or who
817 obtains or has obtained a financial product or service from a
818 licensee.
819 (b) “Customer information” means any record containing
820 nonpublic personal information about a customer of a financial
821 transaction, whether on paper, electronic, or in other forms,
822 which is handled or maintained by or on behalf of the licensee
823 or its affiliates.
824 (c) “Cybersecurity event” means an event resulting in
825 unauthorized access to, or disruption or misuse of, an
826 information system or customer information stored on such
827 information system. The term does not include the unauthorized
828 acquisition of encrypted customer information if the encryption
829 process or key is not also acquired, released, or used without
830 authorization. The term does not include an event with regard to
831 which the licensee has determined that the customer information
832 accessed by an unauthorized person has not been used or released
833 and has been returned or destroyed.
834 (d) “Encrypted” means the transformation of data into a
835 form that results in a low probability of assigning meaning
836 without the use of a protective process or key.
837 (e) “Financial product or service” means any product or
838 service offered by a licensee under this chapter.
839 (f) “Information security program” means the
840 administrative, technical, or physical safeguards used to
841 access, collect, distribute, process, protect, store, use,
842 transmit, dispose of, or otherwise handle customer information.
843 (g) “Information system” means a discrete set of electronic
844 information resources organized for the collection, processing,
845 maintenance, use, sharing, dissemination, or disposition of
846 electronic information, as well as any specialized system such
847 as an industrial process control system, telephone switching and
848 private branch exchange system, or environmental control system,
849 which contain customer information or which are connected to a
850 system that contains customer information.
851 (h)1. “Nonpublic personal information” means:
852 a. Personally identifiable financial information; and
853 b. Any list, description, or other grouping of customers
854 which is derived using any personally identifiable financial
855 information that is not publicly available, such as account
856 numbers, including any list of individuals’ names and street
857 addresses which is derived, in whole or in part, using
858 personally identifiable financial information that is not
859 publicly available.
860 2. The term does not include:
861 a. Publicly available information, except as included on a
862 list, description, or other grouping of customers described in
863 sub-subparagraph 1.b.;
864 b. Any list, description, or other grouping of consumers,
865 or any publicly available information pertaining to such list,
866 description, or other grouping of consumers, which is derived
867 without using any personally identifiable financial information
868 that is not publicly available; or
869 c. Any list of individuals’ names and addresses which
870 contains only publicly available information, is not derived, in
871 whole or in part, using personally identifiable financial
872 information that is not publicly available, and is not disclosed
873 in a manner that indicates that any of the individuals on the
874 list is a customer of a licensee.
875 3. As used in this paragraph, the term:
876 a.(I) “Personally identifiable financial information” means
877 any information that:
878 (A) A customer provides to a licensee to obtain a financial
879 product or service, such as information that a customer provides
880 to a licensee on an application to obtain a loan or other
881 financial product or service;
882 (B) A licensee receives about a consumer which is obtained
883 during or as a result of any transaction involving a financial
884 product or service between the licensee and the customer, such
885 as information collected through an information-collecting
886 device from a web server; or
887 (C) A licensee otherwise obtains about a customer in
888 connection with providing a financial product or service to the
889 customer, such as the fact that an individual is or has been one
890 of the licensee’s customers or has obtained a financial product
891 or service from the licensee.
892 (II) The term “personally identifiable financial
893 information” does not include:
894 (A) A list of names and addresses of customers of an entity
895 that is not a financial institution; or
896 (B) Information that does not identify a customer, such as
897 blind data or aggregate information that does not contain
898 personal identifiers such as account numbers, names, or
899 addresses.
900 b.(I) “Publicly available information” means any
901 information that a licensee has a reasonable basis to believe is
902 lawfully made available to the general public from:
903 (A) Federal, state, or local government records, such as
904 government real estate records or security interest filings;
905 (B) Widely distributed media, such as information from a
906 telephone records repository or directory, a television or radio
907 program, a newspaper, a social media platform, or a website that
908 is available to the general public on an unrestricted basis. A
909 website is not restricted merely because an Internet service
910 provider or a site operator requires a fee or a password, so
911 long as access is available to the general public; or
912 (C) Disclosures to the general public which are required to
913 be made by federal, state, or local law.
914 (II) As used in this sub-subparagraph, the term “reasonable
915 basis to believe is lawfully made available to the general
916 public” relating to any information means that the person has
917 taken steps to determine:
918 (A) That the information is of the type that is available
919 to the general public, such as information included on the
920 public record in the jurisdiction where a mortgage would be
921 recorded; and
922 (B) Whether an individual can direct that the information
923 not be made available to the general public and, if so, the
924 customer to whom the information relates has not done so, such
925 as when a telephone number is listed in a telephone directory
926 and the customer has informed the licensee that the telephone
927 number is not unlisted.
928 (i) “Third-party service provider” means a person, other
929 than a licensee, which contracts with a licensee to maintain,
930 process, or store nonpublic personal information, or is
931 otherwise permitted access to nonpublic personal information
932 through its provision of services to a licensee.
933 (2) INFORMATION SECURITY PROGRAM.—
934 (a) Each licensee shall develop, implement, and maintain a
935 comprehensive written information security program that contains
936 administrative, technical, and physical safeguards for the
937 protection of the licensee’s information system and nonpublic
938 personal information.
939 (b) Each licensee shall ensure that the information
940 security program meets all of the following criteria:
941 1. Be commensurate with the following measures:
942 a. Size and complexity of the licensee.
943 b. Nature and scope of the licensee’s activities, including
944 the licensee’s use of third-party service providers.
945 c. Sensitivity of nonpublic personal information that is
946 used by the licensee or that is in the licensee’s possession,
947 custody, or control.
948 2. Be designed to do all of the following:
949 a. Protect the security and confidentiality of nonpublic
950 personal information and the security of the licensee’s
951 information system.
952 b. Protect against threats or hazards to the security or
953 integrity of nonpublic personal information and the licensee’s
954 information system.
955 c. Protect against unauthorized access to or the use of
956 nonpublic personal information and minimize the likelihood of
957 harm to any customer.
958 3. Define and periodically reevaluate the retention
959 schedule and the mechanism for the destruction of nonpublic
960 personal information if retention is no longer necessary for the
961 licensee’s business operations or is no longer required by
962 applicable law.
963 4. Regularly test and monitor systems and procedures for
964 the detection of actual and attempted attacks on, or intrusions
965 into, the licensee’s information system.
966 5. Be monitored, evaluated, and adjusted, as necessary, to
967 meet all of the following requirements:
968 a. Determine whether the licensee’s information security
969 program is consistent with relevant changes in technology.
970 b. Confirm the licensee’s information security program
971 accounts for the sensitivity of nonpublic personal information.
972 c. Identify changes that may be necessary to the licensee’s
973 information system.
974 d. Mitigate any internal or external threats to nonpublic
975 personal information.
976 e. Amend the licensee’s information security program for
977 any material changes to the licensee’s business arrangements,
978 including, but not limited to, mergers and acquisitions,
979 alliances and joint ventures, and outsourcing arrangements.
980 (c)1. As part of a licensee’s information security program,
981 the licensee shall establish a written incident response plan
982 designed to promptly respond to, and recover from, a
983 cybersecurity event that compromises:
984 a. The confidentiality, integrity, or availability of
985 nonpublic personal information in the licensee’s possession;
986 b. The licensee’s information system; or
987 c. The continuing functionality of any aspect of the
988 licensee’s operations.
989 2. The written incident response plan must address all of
990 the following:
991 a. The licensee’s internal process for responding to a
992 cybersecurity event.
993 b. The goals of the licensee’s incident response plan.
994 c. The assignment of clear roles, responsibilities, and
995 levels of decisionmaking authority for the licensee’s personnel
996 who participate in the incident response plan.
997 d. External communications, internal communications, and
998 information sharing related to a cybersecurity event.
999 e. The identification of remediation requirements for
1000 weaknesses identified in information systems and associated
1001 controls.
1002 f. The documentation and reporting regarding cybersecurity
1003 events and related incident response activities.
1004 g. The evaluation and revision of the incident response
1005 plan, as appropriate, following a cybersecurity event.
1006 h. The process by which notice must be given as required
1007 under subsection (3) and s. 501.171(3) and (4).
1008 (d)1. This section does not apply to a licensee that has
1009 fewer than:
1010 a. Twenty individuals on its workforce, including employees
1011 and independent contractors; or
1012 b. Five hundred customers during a calendar year.
1013 2. A licensee that no longer qualifies for exemption under
1014 subparagraph 1. has 180 calendar days to comply with this
1015 section after the date of the disqualification.
1016 (e) Each licensee shall maintain a copy of the information
1017 security program for a minimum of 5 years and shall make it
1018 available to the office upon request or as part of an
1019 examination.
1020 (3) NOTICE TO OFFICE OF SECURITY BREACH.—Each licensee
1021 shall provide notice to the office of any breach of security, as
1022 defined in s. 501.171(1), affecting 500 or more individuals in
1023 this state at a time and in the manner prescribed by commission
1024 rule.
1025 (4) CONSTRUCTION.—This section may not be construed to
1026 relieve a covered entity from complying with s. 501.171. To the
1027 extent a licensee is a covered entity, as defined in s.
1028 501.171(1), the licensee remains subject to s. 501.171.
1029 (5) RULES.—The commission shall adopt rules to administer
1030 this section, including rules that allow a licensee that is in
1031 compliance with the Federal Trade Commission’s Standards for
1032 Safeguarding Customer Information, 16 C.F.R. part 314, to be
1033 deemed in compliance with subsection (2).
1034 Section 12. Subsection (10) of section 560.309, Florida
1035 Statutes, is amended to read:
1036 560.309 Conduct of business.—
1037 (10) If a check is returned to a licensee from a payor
1038 financial institution due to lack of funds, a closed account, or
1039 a stop-payment order, the licensee may seek collection pursuant
1040 to s. 68.065. In seeking collection, the licensee must comply
1041 with the prohibitions against harassment or abuse, false or
1042 misleading representations, and unfair practices in the Florida
1043 Consumer Collection Practices Act under part VI of chapter 559,
1044 including s. 559.77. The licensee must also comply with the Fair
1045 Debt Collections Practices Act, 15 U.S.C. ss. 1692d, 1692e, and
1046 1692f if the licensee uses a third-party debt collector or any
1047 name other than its own to collect such debts. A violation of
1048 this subsection is a deceptive and unfair trade practice and
1049 constitutes a violation of the Deceptive and Unfair Trade
1050 Practices Act under part II of chapter 501. In addition, a
1051 licensee must comply with the applicable provisions of the
1052 Consumer Collection Practices Act under part VI of chapter 559,
1053 including s. 559.77.
1054 Section 13. Subsection (3) of section 560.405, Florida
1055 Statutes, is amended to read:
1056 560.405 Deposit; redemption.—
1057 (3) Notwithstanding subsection (1), in lieu of presentment,
1058 a deferred presentment provider may allow the check to be
1059 redeemed at any time upon payment of the outstanding transaction
1060 balance and earned fees. A redemption transacted using a debit
1061 card shall be treated the same as a redemption transacted using
1062 cash. However, payment may not be made in the form of a personal
1063 check or through a credit card transaction. Upon redemption, the
1064 deferred presentment provider must return the drawer’s check and
1065 provide a signed, dated receipt showing that the drawer’s check
1066 has been redeemed.
1067 Section 14. Subsection (2) of section 560.406, Florida
1068 Statutes, is amended to read:
1069 560.406 Worthless checks.—
1070 (2) If a check is returned to a deferred presentment
1071 provider from a payor financial institution due to insufficient
1072 funds, a closed account, or a stop-payment order, the deferred
1073 presentment provider may pursue all legally available civil
1074 remedies to collect the check, including, but not limited to,
1075 the imposition of all charges imposed on the deferred
1076 presentment provider by the financial institution. In its
1077 collection practices, a deferred presentment provider must
1078 comply with the prohibitions against harassment or abuse, false
1079 or misleading representations, and unfair practices that are
1080 contained in the Florida Consumer Collection Practices Act under
1081 part VI of chapter 559, including s. 559.77. A deferred
1082 presentment provider must also comply with the Fair Debt
1083 Collections Practices Act, 15 U.S.C. ss. 1692d, 1692e, and 1692f
1084 if the deferred presentment provider uses a third-party debt
1085 collector or any name other than its own to collect such debts.
1086 A violation of this act is a deceptive and unfair trade practice
1087 and constitutes a violation of the Deceptive and Unfair Trade
1088 Practices Act under part II of chapter 501. In addition, a
1089 deferred presentment provider must comply with the applicable
1090 provisions of the Consumer Collection Practices Act under part
1091 VI of chapter 559, including s. 559.77.
1092 Section 15. Section 655.0171, Florida Statutes, is created
1093 to read:
1094 655.0171 Requirements for customer data security and for
1095 notices of security breaches.—
1096 (1) DEFINITIONS.—As used in this section, the term:
1097 (a) “Breach of security” or “breach” means unauthorized
1098 access of data in electronic form containing personal
1099 information. Good faith access of personal information by an
1100 employee or agent of a financial institution does not constitute
1101 a breach of security, provided that the information is not used
1102 for a purpose unrelated to the business or subject to further
1103 unauthorized use. As used in this paragraph, the term “data in
1104 electronic form” means any data stored electronically or
1105 digitally on any computer system or other database and includes
1106 recordable tapes and other mass storage devices.
1107 (b) “Department” means the Department of Legal Affairs.
1108 (c)1. “Personal information” means:
1109 a. An individual’s first name, or first initial, and last
1110 name, in combination with any of the following data elements for
1111 that individual:
1112 (I) A social security number;
1113 (II) A driver license or identification card number,
1114 passport number, military identification number, or other
1115 similar number issued on a government document used to verify
1116 identity;
1117 (III) A financial account number or credit or debit card
1118 number, in combination with any required security code, access
1119 code, or password that is necessary to permit access to the
1120 individual’s financial account;
1121 (IV) The individual’s biometric data as defined in s.
1122 501.702; or
1123 (V) Any information regarding the individual’s geolocation;
1124 or
1125 b. A username or e-mail address, in combination with a
1126 password or security question and answer that would permit
1127 access to an online account.
1128 2. The term does not include information about an
1129 individual which has been made publicly available by a federal,
1130 state, or local governmental entity. The term also does not
1131 include information that is encrypted, secured, or modified by
1132 any other method or technology that removes elements that
1133 personally identify an individual or that otherwise renders the
1134 information unusable.
1135 (2) REQUIREMENTS FOR DATA SECURITY.—Each financial
1136 institution shall take reasonable measures to protect and secure
1137 data that are in electronic form and that contain personal
1138 information.
1139 (3) NOTICE TO OFFICE AND DEPARTMENT OF SECURITY BREACH.—
1140 (a)1. Each financial institution shall provide notice to
1141 the office of any breach of security affecting 500 or more
1142 individuals in this state. Such notice must be provided to the
1143 office as expeditiously as practicable, but no later than 30
1144 days after the determination of the breach or the determination
1145 of a reason to believe that a breach has occurred.
1146 2. The written notice to the office must include the items
1147 required under s. 501.171(3)(b).
1148 3. A financial institution must provide the following
1149 information to the office upon its request:
1150 a. A police report, incident report, or computer forensics
1151 report.
1152 b. A copy of the policies in place regarding breaches.
1153 c. Steps that have been taken to rectify the breach.
1154 4. A financial institution may provide the office with
1155 supplemental information regarding a breach at any time.
1156 (b) Each financial institution shall provide notice to the
1157 department of any breach of security affecting 500 or more
1158 individuals in this state. Such notice must be provided to the
1159 department in accordance with s. 501.171.
1160 (4) NOTICE TO INDIVIDUALS OF SECURITY BREACH.—Each
1161 financial institution shall give notice to each individual in
1162 this state whose personal information was, or the financial
1163 institution reasonably believes to have been, accessed as a
1164 result of the breach, in accordance with s. 501.171(4). The
1165 notice must be provided no later than 30 days after the
1166 determination of the breach or the determination of a reason to
1167 believe that a breach has occurred. A financial institution may
1168 receive 15 additional days to provide notice to individuals of a
1169 security breach as required in this subsection if good cause for
1170 delay is provided in writing to the office within 30 days after
1171 determination of the breach or determination of the reason to
1172 believe that a breach has occurred.
1173 (5) NOTICE TO CREDIT REPORTING AGENCIES.—If a financial
1174 institution discovers circumstances requiring notice pursuant to
1175 this section of more than 1,000 individuals at a single time,
1176 the financial institution shall also notify, without
1177 unreasonable delay, all consumer reporting agencies that compile
1178 and maintain files on consumers on a nationwide basis, as
1179 defined in the Fair Credit Reporting Act, 15 U.S.C. s. 1681a(p),
1180 of the timing, distribution, and content of the notices.
1181 Section 16. Present subsections (3), (4), and (5) of
1182 section 655.032, Florida Statutes, are redesignated as
1183 subsections (4), (5), and (6), respectively, and a new
1184 subsection (3) is added to that section, to read:
1185 655.032 Investigations, subpoenas, hearings, and
1186 witnesses.—
1187 (3) The office may consider or use as part of any
1188 investigation or other action pursuant to this section the
1189 information contained in any suspected financial exploitation
1190 report or any records generated as a result of such report which
1191 is obtained pursuant to s. 415.106(4).
1192 Section 17. Present paragraphs (c) through (f) of
1193 subsection (1) of section 655.045, Florida Statutes, are
1194 redesignated as paragraphs (d) through (g), respectively, a new
1195 paragraph (c) is added to that subsection, and present paragraph
1196 (d) of that subsection is amended, to read:
1197 655.045 Examinations, reports, and internal audits;
1198 penalty.—
1199 (1) The office shall conduct an examination of the
1200 condition of each state financial institution at least every 18
1201 months. The office may conduct more frequent examinations based
1202 upon the risk profile of the financial institution, prior
1203 examination results, or significant changes in the institution
1204 or its operations. The office may use continuous, phase, or
1205 other flexible scheduling examination methods for very large or
1206 complex state financial institutions and financial institutions
1207 owned or controlled by a multi-financial institution holding
1208 company. The office shall consider examination guidelines from
1209 federal regulatory agencies in order to facilitate, coordinate,
1210 and standardize examination processes.
1211 (c) The office may consider or use as part of any
1212 examination or other action conducted pursuant to this section
1213 the information contained in any suspected financial
1214 exploitation report or any records generated as a result of such
1215 report which is obtained pursuant to s. 415.106(4).
1216 (e)(d) As used in this section, the term “costs” means the
1217 salary and travel expenses directly attributable to the field
1218 staff examining the state financial institution, subsidiary, or
1219 service corporation, and the travel expenses of any supervisory
1220 staff required as a result of examination findings. The mailing
1221 of any costs incurred under this subsection must be postmarked
1222 within 45 30 days after the date of receipt of a notice stating
1223 that such costs are due. The office may levy a late payment of
1224 up to $100 per day or part thereof that a payment is overdue,
1225 unless excused for good cause. However, for intentional late
1226 payment of costs, the office may levy an administrative fine of
1227 up to $1,000 per day for each day the payment is overdue.
1228 Section 18. Subsection (2) of section 657.005, Florida
1229 Statutes, is amended to read:
1230 657.005 Application for authority to organize a credit
1231 union; investigation.—
1232 (2) Any five or more individuals, a majority of whom are
1233 residents of this state and all of whom who represent a limited
1234 field of membership, may apply to the office for permission to
1235 organize a credit union. The fact that individuals within the
1236 proposed limited field of membership have credit union services
1237 available to them through another limited field of membership
1238 shall not preclude the granting of a certificate of
1239 authorization to engage in the business of a credit union.
1240 Section 19. Subsection (1) of section 657.024, Florida
1241 Statutes, is amended to read:
1242 657.024 Membership meetings.—
1243 (1) The members shall receive timely notice of the annual
1244 meeting and any special meetings of the members, which shall be
1245 held at the time, place, and in the manner provided in the
1246 bylaws. The annual meeting and any special meetings of the
1247 members may be held virtually without an in-person quorum, and
1248 virtual attendance may satisfy quorum requirements, subject to
1249 the bylaws.
1250 Section 20. Paragraph (b) of subsection (3) and present
1251 subsection (5) of section 657.042, Florida Statutes, are amended
1252 to read:
1253 657.042 Investment powers and limitations.—A credit union
1254 may invest its funds subject to the following definitions,
1255 restrictions, and limitations:
1256 (3) INVESTMENT SUBJECT TO LIMITATION OF TWO PERCENT OF
1257 CAPITAL OF THE CREDIT UNION.—
1258 (b) Commercial paper and bonds of any corporation within
1259 the United States which have a fixed maturity, as provided in
1260 subsection (6) (7), except that the total investment in all such
1261 paper and bonds may not exceed 10 percent of the capital of the
1262 credit union.
1263 (5) INVESTMENTS IN REAL ESTATE AND EQUIPMENT FOR THE CREDIT
1264 UNION.—
1265 (a) Up to 5 percent of the capital of the credit union may
1266 be invested in real estate and improvements thereon, furniture,
1267 fixtures, and equipment utilized or to be utilized by the credit
1268 union for the transaction of business.
1269 (b) The limitations provided by this subsection may be
1270 exceeded with the prior written approval of the office. The
1271 office shall grant such approval if it is satisfied that:
1272 1. The proposed investment is necessary.
1273 2. The amount thereof is commensurate with the size and
1274 needs of the credit union.
1275 3. The investment will be beneficial to the members.
1276 4. A reasonable plan is developed to reduce the investment
1277 to statutory limits.
1278 Section 21. Paragraphs (b) and (c) of subsection (4) of
1279 section 658.21, Florida Statutes, are amended to read:
1280 658.21 Approval of application; findings required.—The
1281 office shall approve the application if it finds that:
1282 (4)
1283 (b) At least two of the proposed directors who are not also
1284 proposed officers must have had within the 10 years before the
1285 date of the application at least 1 year of direct experience as
1286 an executive officer, regulator, or director of a financial
1287 institution as specified in the application within the 5 years
1288 before the date of the application. However, if the applicant
1289 demonstrates that at least one of the proposed directors has
1290 very substantial experience as an executive officer, director,
1291 or regulator of a financial institution more than 5 years before
1292 the date of the application, the office may modify the
1293 requirement and allow the applicant to have only one director
1294 who has direct financial institution experience within the last
1295 5 years.
1296 (c) The proposed president or chief executive officer must
1297 have had at least 1 year of direct experience as an executive
1298 officer, director, or regulator of a financial institution
1299 within the last 10 5 years. In making a decision, the office
1300 must also consider may waive this requirement after considering:
1301 1. The adequacy of the overall experience and expertise of
1302 the proposed president or chief executive officer;
1303 2. The likelihood of successful operation of the proposed
1304 state bank or trust company pursuant to subsection (1);
1305 3. The adequacy of the proposed capitalization under
1306 subsection (2);
1307 4. The proposed capital structure under subsection (3);
1308 5. The experience of the other proposed officers and
1309 directors; and
1310 6. Any other relevant data or information.
1311 Section 22. Subsection (2) of section 658.33, Florida
1312 Statutes, is amended to read:
1313 658.33 Directors, number, qualifications; officers.—
1314 (2) Not less than a majority of the directors must, during
1315 their whole term of service, be citizens of the United States,
1316 and at least a majority of the directors must have resided in
1317 this state for at least 1 year preceding their election and must
1318 be residents therein during their continuance in office. In the
1319 case of a bank or trust company with total assets of less than
1320 $150 million, at least one, and in the case of a bank or trust
1321 company with total assets of $150 million or more, two of the
1322 directors who are not also officers of the bank or trust company
1323 must have had at least 1 year of direct experience as an
1324 executive officer, regulator, or director of a financial
1325 institution within the last 10 5 years.
1326 Section 23. Subsection (4) of section 662.141, Florida
1327 Statutes, is amended to read:
1328 662.141 Examination, investigations, and fees.—The office
1329 may conduct an examination or investigation of a licensed family
1330 trust company at any time it deems necessary to determine
1331 whether the licensed family trust company or licensed family
1332 trust company-affiliated party thereof has violated or is about
1333 to violate any provision of this chapter, any applicable
1334 provision of the financial institutions codes, or any rule
1335 adopted by the commission pursuant to this chapter or the codes.
1336 The office may conduct an examination or investigation of a
1337 family trust company or foreign licensed family trust company at
1338 any time it deems necessary to determine whether the family
1339 trust company or foreign licensed family trust company has
1340 engaged in any act prohibited under s. 662.131 or s. 662.134
1341 and, if a family trust company or a foreign licensed family
1342 trust company has engaged in such act, to determine whether any
1343 applicable provision of the financial institutions codes has
1344 been violated.
1345 (4) For each examination of the books and records of a
1346 family trust company, licensed family trust company, or foreign
1347 licensed family trust company as authorized under this chapter,
1348 the trust company shall pay a fee for the costs of the
1349 examination by the office. As used in this section, the term
1350 “costs” means the salary and travel expenses of field staff
1351 which are directly attributable to the examination of the trust
1352 company and the travel expenses of any supervisory and support
1353 staff required as a result of examination findings. The mailing
1354 of payment for costs incurred must be postmarked within 45 30
1355 days after the receipt of a notice stating that the costs are
1356 due. The office may levy a late payment of up to $100 per day or
1357 part thereof that a payment is overdue unless waived for good
1358 cause. However, if the late payment of costs is intentional, the
1359 office may levy an administrative fine of up to $1,000 per day
1360 for each day the payment is overdue.
1361 Section 24. Subsection (21) of section 517.12, Florida
1362 Statutes, is amended to read:
1363 517.12 Registration of dealers, associated persons,
1364 intermediaries, and investment advisers.—
1365 (21) The registration requirements of this section do not
1366 apply to any general lines insurance agent or life insurance
1367 agent licensed under chapter 626, with regard to the sale of a
1368 security as defined in s. 517.021(34)(g) s. 517.021(33)(g), if
1369 the individual is directly authorized by the issuer to offer or
1370 sell the security on behalf of the issuer and the issuer is a
1371 federally chartered savings bank subject to regulation by the
1372 Federal Deposit Insurance Corporation. Actions under this
1373 subsection constitute activity under the insurance agent’s
1374 license for purposes of ss. 626.611 and 626.621.
1375 Section 25. This act shall take effect July 1, 2026.