Directs every peer-to-peer mobile service to require users to create a personal identification code associated with the user's account that is required to be used when certain actions are taken and to require users to set a monetary amount for intended transfers above which the use of a personal identification number will be required to authenticate the user's identity.
STATE OF NEW YORK
9340
IN ASSEMBLY
March 6, 2024
Introduced by M. of A. LEE -- read once and referred to the Committee on Consumer Affairs and Protection
AN ACT to amend the general business law, in relation to peer-to-peer mobile payment service security; and to amend the financial services law, in relation to authorizing the financial frauds and consumer protection unit to enforce such provisions
The People of the State of New York, represented in Senate and Assembly, do enact as follows:
Section 1. This act shall be known and may be cited as the "Financial App Security Act".
§ 2. The general business law is amended by adding a new section 399-jj to read as follows:
§ 399-jj. Peer-to-peer mobile payment service security. 1. For the purposes of this section:
(a) "Peer-to-peer mobile service" means any app or app service that allows users to send and receive money from their mobile devices through a linked bank account or credit card or debit card using only a recipient's cell phone number or email address.
(b) "Biometric authentication" means either fingerprint or face identification for access to a service, or verification of an in-app action.
2. Every peer-to-peer mobile service shall require users to create a personal identification code associated with the user's account that is a minimum of four alpha-numeric characters associated with the user's account. When certain actions are taken, including but not limited to, actions defined in subdivision four of this section, the personal identification number must be used to authenticate the user's identity. The use of such personal identification code may not be substituted for any form of biometric authentication.
3. Every peer-to-peer mobile service shall require users to set a monetary amount for intended transfers above which the use of a personal identification number will be required to authenticate the user's identity.
4. The following actions require use of a personal identification number when using a peer-to-peer mobile service:
EXPLANATION--Matter in italics (underscored) is new; matter in brackets [] is old law to be omitted.
LBD14473-02-4
(a) any payment transaction initiated by the user exceeding the monetary limit set by said user;
(b) payment transactions initiated by the user that would bring said user's twenty-four-hour payment transaction amount exceeding the monetary limit set by said user starting from the first transaction;
(c) payment transactions initiated by the user to another user whose account was created less than twenty-four hours prior to said transaction;
(d) payment transactions initiated by the user that appear suspicious based on said user's behavior and/or geolocation profile as determined by the service's existing behavioral analytics;
(e) any payment transactions initiated by the user after three successful payment transactions initiated by the user have been made within sixty minutes for amounts under the user's set monetary limit;
(f) any attempt to sign in to the service by the user to a new and/or unrecognized device;
(g) any attempt to sign in to the service after the account password has been reset in any manner, including but not limited to, password recovery service offered by the service; and
(h) any attempt to sign in to the service by the user after the device password has been reset.
5. A user's account will be locked after five unsuccessful attempts within a twenty-four hour period to input said user's personal identification number when required. The peer-to-peer mobile service can unlock said account after twenty-four hours if said user is able to verify their identity through a telephone call.
6. Any payment transactions initiated by the user after three successful payment transactions initiated by the user have been made within sixty minutes after the first successful payment for amounts, despite the input of the user's correct personal identification number, will have a forty-eight hour hold before the funds will be released to the recipient if:
(a) any of the transactions exceeds the user's set monetary limit; or
(b) the aggregate amount of the transactions exceeds the user's set monetary limit.
7. Any transaction placed on a forty-eight-hour hold can be cancelled by the user making the payment in the event of fraud or user-error after timely notification is made to the peer-to-peer mobile service.
8. Any peer-to-peer mobile service that does not comply with this section is prohibited from offering its services to users residing in the state of New York.
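Subdivisions 2 through 7 read as a concrete step-up authentication policy: triggers that force a PIN entry, an attempt-based lockout, a velocity-based settlement hold, and a payer cancellation window. The following is an added reference implementation of those rules written for this page; it is not text of the bill and not any payment service's code. The data shapes (`Account`, `Payment`, `Hold`), the function names, the reading of clause (b) as a rolling twenty-four-hour total, the reading of subdivision 6 as three successes in the sixty minutes before the new payment, and all sample values are assumptions made here for illustration.

```python
"""Added example (not bill text, not any vendor's code): a reference policy engine
for the step-up PIN, lockout and hold rules of proposed GBL § 399-jj.
Data shapes, function names and sample data are assumptions made for this page."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

HOUR = timedelta(hours=1)
T0 = datetime(2024, 3, 6, 12, 0)  # constructed reference time for the sample data


@dataclass
class Payment:
    at: datetime
    amount: float
    recipient_created_at: datetime
    suspicious: bool = False  # verdict of the service's own behavioral analytics (subd. 4(d))


@dataclass
class Account:
    limit: float                                       # user-set monetary limit (subd. 3)
    known_devices: set = field(default_factory=set)
    successful: list = field(default_factory=list)     # completed Payments
    pin_failures: list = field(default_factory=list)   # timestamps of failed PIN entries
    locked_at: Optional[datetime] = None


@dataclass
class Hold:
    payment: Payment
    release_at: datetime
    cancelled: bool = False


def ts(minutes: float) -> datetime:
    """Helper: a timestamp `minutes` after T0 (negative means before)."""
    return T0 + timedelta(minutes=minutes)


def recent_successes(acct: Account, now: datetime) -> list:
    """Successful payments in the sixty minutes before `now`."""
    return [p for p in acct.successful if now - HOUR <= p.at <= now]


def payment_pin_triggers(acct: Account, p: Payment) -> list:
    """Subd. 4 (a)-(e): clauses that make a PIN mandatory for payment p.
    Clause (b) is implemented as a rolling 24-hour total (an interpretation)."""
    triggers = []
    if p.amount > acct.limit:                                         # (a) single payment over limit
        triggers.append("a")
    day = [q for q in acct.successful if p.at - 24 * HOUR <= q.at <= p.at]
    if sum(q.amount for q in day) + p.amount > acct.limit:           # (b) 24-hour total over limit
        triggers.append("b")
    if p.at - p.recipient_created_at < 24 * HOUR:                     # (c) recipient account < 24h old
        triggers.append("c")
    if p.suspicious:                                                  # (d) behavioral/geolocation flag
        triggers.append("d")
    burst = [q for q in recent_successes(acct, p.at) if q.amount < acct.limit]
    if len(burst) >= 3:                                               # (e) three under-limit payments in 60 min
        triggers.append("e")
    return triggers


def signin_pin_triggers(acct: Account, device_id: str,
                        account_pw_reset: bool, device_pw_reset: bool) -> list:
    """Subd. 4 (f)-(h): sign-in events that require the PIN."""
    triggers = []
    if device_id not in acct.known_devices:   # (f) new or unrecognized device
        triggers.append("f")
    if account_pw_reset:                      # (g) account password was reset
        triggers.append("g")
    if device_pw_reset:                       # (h) device password was reset
        triggers.append("h")
    return triggers


def record_pin_failure(acct: Account, now: datetime) -> bool:
    """Subd. 5: lock after five failed PIN entries within 24 hours; returns locked state."""
    acct.pin_failures = [t for t in acct.pin_failures if now - 24 * HOUR <= t <= now]
    acct.pin_failures.append(now)
    if len(acct.pin_failures) >= 5:
        acct.locked_at = now
    return acct.locked_at is not None


def try_unlock(acct: Account, now: datetime, phone_verified: bool) -> bool:
    """Subd. 5: unlock only once 24 hours have passed and identity was verified by telephone."""
    if acct.locked_at is not None and phone_verified and now - acct.locked_at >= 24 * HOUR:
        acct.locked_at, acct.pin_failures = None, []
    return acct.locked_at is None


def hold_required(acct: Account, p: Payment) -> bool:
    """Subd. 6: 48-hour hold on a payment that follows three successful payments in the
    preceding sixty minutes, if any of them or their aggregate exceeds the limit."""
    batch = recent_successes(acct, p.at)
    if len(batch) < 3:
        return False
    batch = batch + [p]
    return any(q.amount > acct.limit for q in batch) or sum(q.amount for q in batch) > acct.limit


def place_hold(p: Payment) -> Hold:
    return Hold(p, p.at + 48 * HOUR)


def cancel_hold(hold: Hold, now: datetime) -> bool:
    """Subd. 7: the paying user may cancel a held payment before the funds are released."""
    if now < hold.release_at:
        hold.cancelled = True
    return hold.cancelled


def sample_account() -> Account:
    """Constructed sample: $200 limit, one known device, three $50 payments in the last half hour."""
    acct = Account(limit=200.0, known_devices={"phone-A"})
    old_recipient = ts(-30 * 24 * 60)
    acct.successful = [Payment(ts(-m), 50.0, old_recipient) for m in (30, 20, 10)]
    return acct


if __name__ == "__main__":
    acct = sample_account()
    nxt = Payment(ts(0), 60.0, ts(-30 * 24 * 60))
    print(payment_pin_triggers(acct, nxt), hold_required(acct, nxt))
```

The engine returns the clause letters that fired rather than a bare boolean, so an audit log can record why a PIN was demanded or a hold placed; that trace is what a reviewer or regulator would ask for when checking compliance with subdivision 4. Where the bill is ambiguous (the start of the twenty-four-hour window in clause (b), and which payments count as "the transactions" in subdivision 6) the interpretation is stated in the docstring so it can be changed in one place.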
§ 3. Subsection (b) of section 403 of the financial services law is amended to read as follows:
(b) The financial frauds and consumer protection unit shall be a qualified agency, as defined in section eight hundred thirty-five of the executive law, to enforce the provisions of this article and article four of the insurance law and article II-B of the banking law and section 399-jj of the general business law.
§ 4. This act shall take effect on the sixtieth day after it shall have become a law.