Directs every peer-to-peer mobile service to require users to create a personal identification code associated with the user's account that is required to be used when certain actions are taken and to require users to set a monetary amount for intended transfers above which the use of a personal identification number will be required to authenticate the user's identity.
NEW YORK STATE ASSEMBLY MEMORANDUM IN SUPPORT OF LEGISLATION submitted in accordance with Assembly Rule III, Sec 1(f)
 
BILL NUMBER: A9340A
SPONSOR: Lee
 
TITLE OF BILL:
An act to amend the general business law, in relation to peer-to-peer
mobile payment service security; and to amend the financial services
law, in relation to authorizing the financial frauds and consumer
protection unit to enforce such provisions
 
PURPOSE OR GENERAL IDEA OF BILL:
To require companies that offer peer-to-peer mobile payment services to
enact security measures designed to protect consumers from financial
frauds and theft
 
SUMMARY OF SPECIFIC PROVISIONS:
Section 1 adds a new section 399-jj to the General Business Law which:
1. Defines terms used in the new section
2. Requires mobile payment services to create a user PIN system that
must be used for certain actions
3. Requires these services to have users set a monetary amount above
which use of the PIN is required
4. Sets out specified actions for which the services must require the
user to enter their PIN
5. Requires services to lock accounts if incorrect PIN is entered under
specified circumstances
6 and 7. Establishes situations that will require services to hold funds
for 48 hours and how it can be canceled
8. Prohibits any service that does not comply with this section from
offering its services to users residing in New York
Section 2 amends subsection 3 of section 403 of the Financial Services
Law to assign the Financial Frauds and Consumer Protection Unit to the
enforcement of the newly created section.
Section 3 provides the effective date.
 
JUSTIFICATION:
The Financial App Security Act seeks to amend the General Business Law
by adding additional security requirements for mobile financial apps,
including certain measures found in traditional banking, in order to
continue offering their services in New York.
According to New York law enforcement, financial app thefts have
significantly increased in recent years. While these apps are popular and
widely used, the corporations have a responsibility to limit fraud and
abuse of their consumers. Thefts via financial apps often involve an
incident where an unauthorized user gains access to an unlocked device and
drains bank accounts of significant sums of money. These apps, more than
the smartphone itself, are an increasingly lucrative target for scammers
and robbers. Thousands of dollars can be taken in mere seconds, putting
New Yorkers' financial, and sometimes physical, safety at risk. This law
would put commonsense security measures in place to deter future
thefts.
 
LEGISLATIVE HISTORY:
New bill.
 
FISCAL IMPLICATIONS:
None.
 
EFFECTIVE DATE:
This act shall take effect on the sixtieth day after it shall have
become law.
STATE OF NEW YORK
9340--A
IN ASSEMBLY
March 6, 2024
Introduced by M. of A. LEE, OTIS -- read once and referred to the
Committee on Consumer Affairs and Protection -- committee discharged,
bill amended, ordered reprinted as amended and recommitted to said
committee
AN ACT to amend the general business law, in relation to peer-to-peer
mobile payment service security; and to amend the financial services
law, in relation to authorizing the financial frauds and consumer
protection unit to enforce such provisions
The People of the State of New York, represented in Senate and Assembly, do enact as follows:
1 Section 1. This act shall be known and may be cited as the "Financial
2 App Security Act".
3 § 2. The general business law is amended by adding a new section 399-
4 jj to read as follows:
5 § 399-jj. Peer-to-peer mobile payment service security. 1. For the
6 purposes of this section:
7 (a) "Peer-to-peer mobile service" means any app or app service
8 provided directly to users by an entity that is not an insured deposito-
9 ry institution and that:
10 (1) directly or indirectly receives and holds money belonging to
11 users, or that facilitates transactions between insured depository
12 institutions but exists separately from said institutions; and
13 (2) whose primary functionality is to allow users to send and receive
14 money through their mobile devices from a linked bank account or credit
15 card or debit card using a recipient's cell phone number or email
16 address or username.
17 (b) "Biometric authentication" means either fingerprint or face iden-
18 tification for access to a service, or verification of an in-app action.
19 2. Every peer-to-peer mobile service shall require users to create a
20 personal identification code associated with the user's account that is
21 a minimum of four numeric characters associated with the user's account.
22 When certain actions are taken, including but not limited to, actions
23 defined in subdivision four of this section, the personal identification
24 number must be used to authenticate the user's identity. The use of
1 such personal identification code may not be substituted for any form of
2 biometric authentication.
3 3. Every peer-to-peer mobile service shall require users to set a
4 monetary amount for intended transfers above which the use of a personal
5 identification number will be required to authenticate the user's iden-
6 tity and provide an option for users to opt-in of such requirement.
7 4. The following actions require use of a personal identification
8 number when using a peer-to-peer mobile service:
9 (a) any payment transaction initiated by the user exceeding the mone-
10 tary limit set by said user;
11 (b) payment transactions initiated by the user that would bring said
12 user's twenty-four-hour payment transaction amount exceeding the monetary
13 limit set by said user starting from the first transaction;
14 (c) payment transactions initiated by the user to another user whose
15 account was created less than twenty-four hours prior to said trans-
16 action;
17 (d) any payment transactions initiated by the user after three
18 successful payment transactions initiated by the user have been made
19 within sixty minutes for amounts under the user's set monetary limit;
20 (e) any attempt to sign in to the service by the user to a new and/or
21 unrecognized device; and
22 (f) any attempt to sign in to the service after the account password
23 has been reset in any manner, including but not limited to, password
24 recovery service offered by the service.
25 5. A user's account will be locked after five unsuccessful attempts
26 within a twenty-four hour period to input said user's personal identifi-
27 cation number when required. The peer-to-peer mobile service can unlock
28 said account after twenty-four hours if said user is able to verify
29 their identity through a telephone call or security questions created by
30 the user.
31 6. Any payment transactions initiated by the user after three success-
32 ful payment transactions initiated by the user have been made within
33 sixty minutes after the first successful payment to the same recipient
34 for amounts, despite the input of the user's correct personal identifi-
35 cation number, will require additional identity verification of the
36 recipient if:
37 (a) any of the transactions exceed the greater amount of either the
38 user's set monetary limit or one thousand dollars; or
39 (b) the aggregate amount of the transactions exceeds the greater amount
40 of either the user's set monetary limit or one thousand dollars; or
41 (c) the recipient is a first time transaction to the user.
42 7. Any transaction that could be the result of fraud can be cancelled
43 by the user making the payment after timely notification is made to the
44 peer-to-peer mobile service.
45 8. Any peer-to-peer mobile service that does not comply with this
46 section is prohibited from offering its services to users residing in
47 the state of New York.
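As an added illustration, not part of the bill or of any payment provider's code, the following Python models the step-up PIN triggers of subdivision 4, clauses (a) through (d), and the lockout rule of subdivision 5 as a policy check a service could run before each payment or PIN entry. The account fields, the `at()` helper, the sample payments and the timestamps are constructed assumptions, not anything the bill specifies.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

DAY, HOUR = timedelta(hours=24), timedelta(minutes=60)
T0 = datetime(2024, 3, 6, 12, 0)  # constructed reference time for the samples
def at(hours=0, minutes=0):       # helper: a timestamp relative to T0
    return T0 + timedelta(hours=hours, minutes=minutes)

@dataclass
class Payment:
    at: datetime
    amount: float
    recipient: str

@dataclass
class Account:
    pin_limit: float   # the user-set threshold required by subdivision 3
    payments: list = field(default_factory=list)      # successful payments only
    pin_failures: list = field(default_factory=list)  # timestamps of failed PIN entries
    locked_at: Optional[datetime] = None

def payment_pin_reasons(acct, pay, recipient_created_at):
    """Subdivision 4 (a)-(d): return the clauses that make a PIN mandatory for `pay`."""
    reasons = []
    if pay.amount > acct.pin_limit:
        reasons.append("4(a) amount exceeds user limit")
    last_day = [p for p in acct.payments if pay.at - p.at < DAY]
    if sum(p.amount for p in last_day) + pay.amount > acct.pin_limit:
        reasons.append("4(b) 24-hour total exceeds user limit")
    if pay.at - recipient_created_at < DAY:
        reasons.append("4(c) recipient account under 24 hours old")
    recent_small = [p for p in acct.payments
                    if pay.at - p.at < HOUR and p.amount < acct.pin_limit]
    if len(recent_small) >= 3:
        reasons.append("4(d) three sub-limit payments within 60 minutes")
    return reasons

def record_pin_failure(acct, now):
    """Subdivision 5: the fifth failed PIN entry within 24 hours locks the account."""
    acct.pin_failures = [t for t in acct.pin_failures if now - t < DAY] + [now]
    if len(acct.pin_failures) >= 5:
        acct.locked_at = now
    return acct.locked_at is not None

def may_unlock(acct, now, identity_verified):
    """Subdivision 5: unlock only after 24 hours and a phone-call or security-question check."""
    return acct.locked_at is not None and now - acct.locked_at >= DAY and identity_verified
```

Clauses (e) and (f) of subdivision 4 concern sign-in rather than payments and would be checked in the login path with the same pattern.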
48 § 3. Subsection (b) of section 403 of the financial services law is
49 amended to read as follows:
50 (b) The financial frauds and consumer protection unit shall be a qual-
51 ified agency, as defined in section eight hundred thirty-five of the
52 executive law, to enforce the provisions of this article and article
53 four of the insurance law and article II-B of the banking law and
54 section three hundred ninety-nine-jj of the general business law.
55 § 4. This act shall take effect on the one hundred eightieth day after
56 it shall have become a law.