NYDFS Enforcement Actions in 2025: A Year of Heightened Cybersecurity and Compliance Vigilance
Executive Summary
The New York Department of Financial Services (NYDFS) has demonstrated unprecedented enforcement vigor in 2025, imposing significant penalties across multiple sectors while sending clear signals about evolving regulatory expectations. The year's enforcement actions, totaling over $82 million in fines across major cases, highlight critical gaps in email retention policies, multi-factor authentication implementation, and anti-money laundering compliance programs.
The Healthplex Email Retention and MFA Enforcement Action
Background and Incident
On August 14, 2025, NYDFS entered into a consent order with Healthplex, Inc., imposing a $2 million penalty for violations of the NYDFS Cybersecurity Regulation. The case originated from a November 2021 phishing attack that exposed over 100,000 emails containing sensitive consumer information.
The incident began when a Healthplex employee of 20 years clicked on a phishing email that requested business email credentials in order to receive a fax message. Because multi-factor authentication (MFA) was not enabled for Outlook Web Access, that single action gave the threat actor complete access to the employee's Office 365 account.
Key Violations and Findings
NYDFS identified four primary violations:
- Failure to implement email retention policies - NYDFS found that Healthplex's lack of any data retention policy for the O365 environment violated Section 500.13 of the NYDFS cybersecurity regulation, which requires companies to maintain policies for "secure disposal on a periodic basis of any nonpublic information" no longer necessary for business operations.
- Inadequate MFA implementation - While Healthplex had MFA on its previous email environment, the company failed to verify that MFA was fully operational when migrating to O365 earlier in 2021, allowing external web browser access without MFA controls.
- Delayed incident reporting - Healthplex reported the security incident to NYDFS on April 8, 2022, well beyond the required 72-hour timeline mandated by the NYDFS Cybersecurity Regulation.
- False compliance certifications - The company had filed annual compliance certifications for multiple years preceding the incident despite not being in compliance.
Regulatory Impact and Industry Implications
This consent order is particularly significant as it represents the first time NYDFS has specifically found that the lack of an email retention policy constitutes a violation of the Cybersecurity Regulation. The enforcement action emphasizes that indefinite email retention creates unnecessary cyber risk, especially for older data lacking business value.
NYDFS has previously suggested that retention of email for more than six years may be considered excessive, providing guidance for organizations developing their own retention policies.
PayPal's $2 Million Penalty: Policy Implementation Failures
In January 2025, NYDFS announced a $2 million penalty against PayPal for violations of its cybersecurity regulations following a 2022 incident that exposed sensitive customer information on over 34,000 user accounts.
The Core Issue: Implementation Over Documentation
Unlike many enforcement actions focusing on missing policies, the PayPal case highlighted implementation failures. NYDFS found that PayPal had relevant policies in place for change management, user authentication, and access controls, but failed "to ensure the proper implementation of its cybersecurity policies and procedures."
The incident arose when PayPal made changes to its data collection flows for IRS Form 1099-Ks without properly training the engineering team responsible for implementation, resulting in the exposure of unmasked personal information including Social Security numbers.
Training and Awareness Requirements
The PayPal enforcement emphasizes training as a critical component: since April 29, 2024, NYDFS has required security awareness training to be completed annually and to include social engineering components.
Block Inc.'s $40 Million AML and Compliance Settlement
Largest 2025 Enforcement Action
On April 10, 2025, NYDFS imposed a $40 million penalty on Block Inc., the parent company of Cash App, for significant deficiencies in its anti-money laundering (AML) and compliance programs related to virtual currency operations.
Critical Compliance Failures
The Block enforcement revealed several serious deficiencies:
Transaction Monitoring Gaps:
Block's compliance system failed to flag Bitcoin transactions tied to wallets associated with illicit or sanctioned activity unless specific thresholds were exceeded. Transactions involving wallets with under 1% exposure to terrorist-linked wallets did not trigger alerts, and transfers were only blocked once exposure surpassed 10%.
Alert Processing Backlogs:
Between 2018 and 2020, Block's backlog of unresolved alerts soared from 18,000 to more than 169,000, with some suspicious activity reports filed over a year after initial alerts, significantly delaying investigations into potential financial crimes.
Crypto Mixer Treatment:
NYDFS criticized Block's treatment of crypto mixer transactions—tools that obscure fund origins and destinations commonly used in illicit finance—highlighting the company's failure to treat such anonymized transactions as high-risk.
Enforcement Consequences
Block is required to pay the fine within 10 days and will be placed under independent monitor supervision for 12 months, during which it must overhaul its AML controls, sanctions screening, and transaction monitoring processes.
Auto Insurance Industry Enforcement: $20 Million in Collective Penalties
NYDFS fined three dozen auto insurers a collective $20 million for failing to report new and terminated auto insurance policies in a timely manner, demonstrating the department's commitment to holding insurers accountable across all compliance areas.
The enforcement actions resulted from multi-year market conduct investigations, with NYDFS Superintendent Adrienne Harris emphasizing that "accurate and timely reporting by insurers is critical to protecting New Yorkers on the road, ensuring compliance with state laws, and maintaining the integrity of our enforcement systems."
Looking Forward: NYDFS 2.0 and Enhanced Requirements
November 2025 Implementation Deadlines
Beginning November 1, 2025, MFA will become a required component of covered entities' cybersecurity toolkit for all individuals accessing any information systems, regardless of location, user type, or data involved, unless a CISO approves equivalent compensating controls in writing.
Enhanced Access Control Requirements
As of May 1, 2025, covered entities must impose limits on privileged accounts, allow only secure connections for remotely controlled devices, promptly terminate access when employees leave, and maintain written password policies meeting industry standards.
Class A Company Designations
The amendments create "Class A Companies"—entities with at least $20 million in gross annual revenue in each of the last two fiscal years and either more than 2,000 employees or more than $1 billion in gross revenue—which face more stringent requirements.
Key Enforcement Trends and Takeaways
1. Data Retention as Cybersecurity Risk
The Healthplex case establishes email retention policies as a fundamental cybersecurity requirement. Organizations should:
- Implement automated email deletion policies
- Review retention periods for business necessity
- Consider NYDFS guidance suggesting six-year maximum retention periods
- Document retention decisions and business justifications
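The two Healthplex findings above (webmail reachable without MFA after a migration, and mail kept indefinitely) are both things a migration runbook can check mechanically before the tenant is signed off. The following is an added example, not tooling from Healthplex, NYDFS, or any vendor: the account records and mailbox inventory are constructed sample data, the field names (`webmail_enabled`, `mfa_enforced`, `ciso_exception`) are assumptions about what a directory export would carry, and the six-year period is the NYDFS guidance figure quoted above.

```python
"""Post-migration control check for an email tenant (added example; not
Healthplex's or NYDFS's own tooling). Both the account records and the
mailbox inventory are constructed sample data; in practice they would be
read from the tenant's admin API or an export, and the field names here
are assumptions about that export."""
from datetime import date, timedelta

# Constructed: one record per account, as a directory export might provide.
ACCOUNTS = [
    {"user": "alice", "webmail_enabled": True,  "mfa_enforced": True,  "ciso_exception": False},
    {"user": "bob",   "webmail_enabled": True,  "mfa_enforced": False, "ciso_exception": False},
    {"user": "carol", "webmail_enabled": True,  "mfa_enforced": False, "ciso_exception": True},
    {"user": "dave",  "webmail_enabled": False, "mfa_enforced": False, "ciso_exception": False},
]

# Constructed: oldest item per mailbox folder, as a retention report might list it.
MAILBOX_ITEMS = [
    {"user": "alice", "folder": "Inbox",   "received": date(2015, 3, 2)},
    {"user": "alice", "folder": "Sent",    "received": date(2023, 9, 14)},
    {"user": "bob",   "folder": "Archive", "received": date(2014, 11, 30)},
    {"user": "carol", "folder": "Inbox",   "received": date(2021, 1, 5)},
]

# Six years: the period NYDFS has suggested is the upper bound for email retention.
RETENTION_YEARS = 6


def mfa_gaps(accounts):
    """Accounts reachable over webmail without MFA and without a written,
    CISO-approved compensating control. This is the exposure Healthplex had
    after migration: external browser access that nobody re-verified."""
    return sorted(
        a["user"] for a in accounts
        if a["webmail_enabled"] and not a["mfa_enforced"] and not a["ciso_exception"]
    )


def retention_violations(items, today, years=RETENTION_YEARS):
    """Mailbox folders holding items older than the retention period.
    Returns (user, folder, age_in_days) so the owner can justify or purge."""
    cutoff = today - timedelta(days=365 * years)
    return [
        (i["user"], i["folder"], (today - i["received"]).days)
        for i in items if i["received"] < cutoff
    ]


def migration_signoff(accounts, items, today):
    """Single pass/fail a migration runbook can gate on: no un-excepted
    webmail-without-MFA accounts and no folder past the retention period."""
    return not mfa_gaps(accounts) and not retention_violations(items, today)


if __name__ == "__main__":
    as_of = date(2025, 8, 14)
    print("MFA gaps:", mfa_gaps(ACCOUNTS))
    print("Past retention:", retention_violations(MAILBOX_ITEMS, as_of))
    print("Migration sign-off:", migration_signoff(ACCOUNTS, MAILBOX_ITEMS, as_of))
```

Run against the sample data, the check fails sign-off on two counts: `bob` has webmail enabled with no MFA and no documented exception (carol is excluded only because an exception is recorded, which is the written CISO approval the regulation asks for), and two folders hold items older than six years. Recording the retention decision per folder, rather than deleting silently, gives the documented business justification the fourth bullet calls for.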
2. Implementation Over Documentation
The PayPal enforcement demonstrates that having written policies is insufficient—organizations must ensure effective implementation through:
- Comprehensive staff training on cybersecurity policies
- Regular testing of policy implementation
- Clear communication between teams during system changes
- Ongoing monitoring of policy effectiveness
3. Scaled Compliance for Growth
The Block case illustrates that compliance programs must scale with business growth:
- Transaction monitoring systems must handle volume increases
- Alert processing capabilities should match transaction volumes
- Risk-based approaches require continuous calibration
- Any threshold-based screening requires solid risk justification
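The Block findings above (no alert under 1% exposure, no block under 10%, and mixer activity not treated as high-risk) are a concrete case of threshold-based screening without a risk justification. The following added example, which is not Block's or NYDFS's rule set, puts the weak thresholds described in the consent order beside a risk-based alternative and runs both over constructed transfer records. The exposure scores, the `mixer` flag, and the 5% block threshold in the risk-based policy are assumptions made for illustration.

```python
"""Exposure-based screening for outbound virtual-currency transfers (added
example; not Block's or NYDFS's rule set). The weak policy uses the two
thresholds described in the consent order; the risk-based policy is an
assumed alternative. All transfer records and exposure figures are
constructed sample data."""

# Constructed sample: each outbound transfer with the counterparty wallet's
# exposure to illicit or sanctioned clusters (as a chain-analytics feed might
# score it, 0.0 to 1.0) and whether the counterparty is a known mixing service.
TRANSFERS = [
    {"id": "t1", "exposure": 0.000, "mixer": False},
    {"id": "t2", "exposure": 0.004, "mixer": False},  # below the 1% alert line
    {"id": "t3", "exposure": 0.050, "mixer": False},  # 5%: alert only under weak policy
    {"id": "t4", "exposure": 0.120, "mixer": False},  # 12%: blocked by both
    {"id": "t5", "exposure": 0.000, "mixer": True},   # mixer with no scored exposure
]

# Weak policy: alert at 1% exposure, block at 10%, mixers not treated as high-risk.
WEAK_POLICY = {"alert_at": 0.01, "block_at": 0.10, "mixer_high_risk": False}

# Risk-based policy (assumed): any non-zero exposure to a sanctioned cluster
# alerts, blocking starts at 5% (an assumed figure), and mixer activity is
# high-risk regardless of the measured exposure.
RISK_POLICY = {"alert_at": 0.0, "block_at": 0.05, "mixer_high_risk": True}


def decide(transfer, policy):
    """Return 'block', 'alert' or 'allow' for one transfer under a policy."""
    exposure = transfer["exposure"]
    if policy["mixer_high_risk"] and transfer["mixer"]:
        return "block"
    # Exposure of exactly zero never alerts; everything else is compared
    # against the policy lines, block taking precedence over alert.
    if exposure > 0 and exposure >= policy["block_at"]:
        return "block"
    if exposure > 0 and exposure >= policy["alert_at"]:
        return "alert"
    return "allow"


def screen(transfers, policy):
    """Decision for every transfer, keyed by transfer id."""
    return {t["id"]: decide(t, policy) for t in transfers}


def uncovered(transfers, weak, strict):
    """Transfers the weak policy lets through ('allow') that the stricter
    policy would at least alert on. This is the gap a reviewer would ask
    the risk justification to account for."""
    return sorted(
        t["id"] for t in transfers
        if decide(t, weak) == "allow" and decide(t, strict) != "allow"
    )


if __name__ == "__main__":
    print("weak  :", screen(TRANSFERS, WEAK_POLICY))
    print("risk  :", screen(TRANSFERS, RISK_POLICY))
    print("missed:", uncovered(TRANSFERS, WEAK_POLICY, RISK_POLICY))
```

Over the sample data the weak policy silently allows the sub-1% transfer and the mixer transfer, which is exactly the pair of gaps the consent order describes; the `uncovered` function is the kind of comparison to attach to a threshold change request so that the justification is written against observed cases rather than an arbitrary percentage.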
4. Proactive Reporting Culture
All 2025 enforcement actions emphasize timely reporting:
- Incident notification within 72 hours remains non-negotiable
- Suspicious activity reporting cannot be delayed due to operational constraints
- Regular compliance certifications must accurately reflect actual compliance status
Conclusion
NYDFS enforcement in 2025 signals a broader shift across the industry: compliance is no longer about having good intentions or written policies but requires demonstrated outcomes, measurable control, and leadership accountability.
The year's enforcement actions demonstrate NYDFS's commitment to protecting consumers and maintaining financial system integrity through rigorous oversight. Organizations subject to NYDFS jurisdiction should prioritize comprehensive compliance programs that address not just policy development but effective implementation, regular testing, and continuous improvement.
With additional requirements taking effect in late 2025, financial institutions must prepare for enhanced MFA requirements, stricter access controls, and more demanding oversight. The message is clear: regulatory compliance requires ongoing vigilance, adequate resourcing, and genuine commitment to cybersecurity excellence.
Total 2025 NYDFS penalties discussed: $82 million across major enforcement actions
Major 2025 NYDFS Enforcement Actions:
- Block Inc.: $40 million (AML/compliance failures)
- Auto Insurance Industry (36 companies): $20 million (reporting failures)
- Healthplex, Inc.: $2 million (email retention/MFA failures)
- PayPal, Inc.: $2 million (implementation/training failures)