
A09340 Summary:

BILL NO A09340
 
SAME AS S08677
 
SPONSOR Lee
 
COSPNSR
 
MLTSPNSR
 
Add 399-jj, Gen Bus L; amd 403, Fin Serv L
 
Directs every peer-to-peer mobile service to require users to create a personal identification code associated with the user's account that is required to be used when certain actions are taken and to require users to set a monetary amount for intended transfers above which the use of a personal identification number will be required to authenticate the user's identity.

A09340 Actions:

BILL NO A09340
 
03/06/2024 referred to consumer affairs and protection

A09340 Text:



 
                STATE OF NEW YORK
        ________________________________________________________________________
 
                                          9340
 
                   IN ASSEMBLY
 
                                      March 6, 2024
                                       ___________
 
        Introduced by M. of A. LEE -- read once and referred to the Committee on
          Consumer Affairs and Protection
 
        AN  ACT  to  amend the general business law, in relation to peer-to-peer
          mobile payment service security; and to amend the  financial  services
          law,  in  relation  to  authorizing  the financial frauds and consumer
          protection unit to enforce such provisions

          The People of the State of New York, represented in Senate and  Assem-
        bly, do enact as follows:
 
     1    Section  1. This act shall be known and may be cited as the "Financial
     2  App Security Act".
     3    § 2. The general business law is amended by adding a new section  399-
     4  jj to read as follows:
     5    § 399-jj. Peer-to-peer  mobile  payment  service  security. 1. For the
     6  purposes of this section:
     7    (a) "Peer-to-peer mobile service" means any app or  app  service  that
     8  allows users to send and receive money from their mobile devices through
     9  a  linked bank account or credit card or debit card using only a recipi-
    10  ent's cell phone number or email address.
    11    (b) "Biometric authentication" means either fingerprint or face  iden-
    12  tification for access to a service, or verification of an in-app action.
    13    2.  Every  peer-to-peer mobile service shall require users to create a
    14  personal identification code associated with the user's account that  is
    15  a  minimum  of  four alpha-numeric characters associated with the user's
    16  account. When certain actions are taken, including but not  limited  to,
    17  actions  defined in subdivision four of this section, the personal iden-
    18  tification number must be used to authenticate the user's identity.  The
    19  use of such personal identification code may not be substituted for  any
    20  form of biometric authentication.
    21    3.  Every  peer-to-peer  mobile  service  shall require users to set a
    22  monetary amount for intended transfers above which the use of a personal
    23  identification number will be required to authenticate the user's  iden-
    24  tity.
    25    4.  The  following  actions  require  use of a personal identification
    26  number when using a peer-to-peer mobile service:
 
         EXPLANATION--Matter in italics (underscored) is new; matter in brackets
                              [ ] is old law to be omitted.
                                                                   LBD14473-02-4

        A. 9340                             2
 
     1    (a) any payment transaction initiated by the user exceeding the  mone-
     2  tary limit set by said user;
     3    (b)  payment  transactions initiated by the user that would bring said
     4  users twenty-four-hour payment transaction amount exceeding the monetary
     5  limit set by said user starting from the first transaction;
     6    (c) payment transactions initiated by the user to another  user  whose
     7  account  was  created  less  than twenty-four hours prior to said trans-
     8  action;
     9    (d) payment transactions initiated by the user that appear  suspicious
    10  based  on  said user's behavior and/or geolocation profile as determined
    11  by the service's existing behavioral analytics;
    12    (e) any  payment  transactions  initiated  by  the  user  after  three
    13  successful  payment  transactions  initiated  by the user have been made
    14  within sixty minutes for amounts under the user's set monetary limit;
    15    (f) any attempt to sign in to the service by the user to a new  and/or
    16  unrecognized device;
    17    (g)  any  attempt to sign in to the service after the account password
    18  has been reset in any manner, including but  not  limited  to,  password
    19  recovery service offered by the service; and
    20    (h) any attempt to sign in to the service by the user after the device
    21  password has been reset.
    22    5.  A  user's  account will be locked after five unsuccessful attempts
    23  within a twenty-four hour period to input said user's personal identifi-
    24  cation number when required. The peer-to-peer mobile service can  unlock
    25  said  account  after  twenty-four  hours  if said user is able to verify
    26  their identity through a telephone call.
    27    6. Any payment transactions initiated by the user after three success-
    28  ful payment transactions initiated by the user  have  been  made  within
    29  sixty  minutes  after  the first successful payment for amounts, despite
    30  the input of the user's correct  personal  identification  number,  will
    31  have  a  forty-eight  hour hold before the funds will be released to the
    32  recipient if:
    33    (a) any of the transactions exceeds the user's set monetary limit; or
    34    (b) the aggregate amount of the transactions exceeds  the  user's  set
    35  monetary limit.
    36    7.  Any transaction placed on a forty-eight-hour hold can be cancelled
    37  by the user making the payment in the event of fraud or user-error after
    38  timely notification is made to the peer-to-peer mobile service.
    39    8. Any peer-to-peer mobile service that  does  not  comply  with  this
    40  section  is  prohibited  from offering its services to users residing in
    41  the state of New York.
    42    § 3. Subsection (b) of section 403 of the financial  services  law  is
    43  amended to read as follows:
    44    (b) The financial frauds and consumer protection unit shall be a qual-
    45  ified  agency,  as  defined  in section eight hundred thirty-five of the
    46  executive law, to enforce the provisions of  this  article  and  article
    47  four  of  the  insurance  law  and  article  II-B of the banking law and
    48  section 399-jj of the general business law.
    49    § 4. This act shall take effect on the sixtieth  day  after  it  shall
    50  have become a law.