§ 19-14.3-3.7. Mandated compliance programs and monitoring.
(a) An applicant, before submitting an application, shall create and, during licensure, maintain in a record, policies and procedures for:
(1) An information-security and operational-security program;
(2) A business-continuity program;
(3) A disaster-recovery program;
(4) An anti-fraud program;
(5) An anti-money-laundering program; and
(6) A program to ensure compliance with the Bank Secrecy Act and the USA Patriot Act.
(b) A licensee’s information-security and operational-security policy must include reasonable and appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of any non-public personal information or currency transmission it receives, maintains, or transmits.
(c) A licensee is not required to file with the department a copy of a report it makes to a federal authority unless the department specifically requires filing.
(d) After the policies and procedures required under this section are created by the licensee and approved by the department, the licensee shall engage a responsible individual with adequate authority and experience to monitor each policy and procedure, recommend changes as desirable, and enforce it.
(e) A licensee may:
(1) Request advice from the department as to compliance with this section; and
(2) With the department’s approval, outsource functions, other than compliance, required under this section.
(f) Failure of a particular policy or procedure adopted under this section to meet its goals in a particular instance is not a ground for liability of the licensee if the policy or procedure was created, implemented, and monitored properly. Repeated failures of a policy or procedure are evidence that the policy or procedure was not created or implemented properly.
History of Section.
P.L. 2019, ch. 226, § 4; P.L. 2019, ch. 246, § 4.