Bill Text: NY S08677 | 2023-2024 | General Assembly | Introduced
NOTE: There are more recent revisions of this legislation.
Bill Title: Directs every peer-to-peer mobile service to require users to create a personal identification code associated with the user's account that is required to be used when certain actions are taken and to require users to set a monetary amount for intended transfers above which the use of a personal identification number will be required to authenticate the user's identity.
Spectrum: Partisan Bill (Democrat 1-0)
Status: (Introduced) 2024-06-05 - SUBSTITUTED BY A9340A
STATE OF NEW YORK

8677

IN SENATE

February 28, 2024

Introduced by Sen. HOYLMAN-SIGAL -- read twice and ordered printed, and when printed to be committed to the Committee on Internet and Technology

AN ACT to amend the general business law, in relation to peer-to-peer mobile payment service security; and to amend the financial services law, in relation to authorizing the financial frauds and consumer protection unit to enforce such provisions

The People of the State of New York, represented in Senate and Assembly, do enact as follows:

Section 1. This act shall be known and may be cited as the "Financial App Security Act".

§ 2. The general business law is amended by adding a new section 399-jj to read as follows:

§ 399-jj. Peer-to-peer mobile payment service security.

1. For the purposes of this section:

(a) "Peer-to-peer mobile service" means any app or app service that allows users to send and receive money from their mobile devices through a linked bank account or credit card or debit card using only a recipient's cell phone number or email address.

(b) "Biometric authentication" means either fingerprint or face identification for access to a service, or verification of an in-app action.

2. Every peer-to-peer mobile service shall require users to create a personal identification code associated with the user's account that is a minimum of four alpha-numeric characters associated with the user's account. When certain actions are taken, including but not limited to, actions defined in subdivision four of this section, the personal identification number must be used to authenticate the user's identity. The use of such personal identification code may not be substituted for any form of biometric authentication.

3. Every peer-to-peer mobile service shall require users to set a monetary amount for intended transfers above which the use of a personal identification number will be required to authenticate the user's identity.

4. The following actions require use of a personal identification number when using a peer-to-peer mobile service:

(a) any payment transaction initiated by the user exceeding the monetary limit set by said user;

(b) payment transactions initiated by the user that would bring said users twenty-four-hour payment transaction amount exceeding the monetary limit set by said user starting from the first transaction;

(c) payment transactions initiated by the user to another user whose account was created less than twenty-four hours prior to said transaction;

(d) payment transactions initiated by the user that appear suspicious based on said user's behavior and/or geolocation profile as determined by the service's existing behavioral analytics;

(e) any payment transactions initiated by the user after three successful payment transactions initiated by the user have been made within sixty minutes for amounts under the user's set monetary limit;

(f) any attempt to sign in to the service by the user to a new and/or unrecognized device;

(g) any attempt to sign in to the service after the account password has been reset in any manner, including but not limited to, password recovery service offered by the service; and

(h) any attempt to sign in to the service by the user after the device password has been reset.

5. A user's account will be locked after five unsuccessful attempts within a twenty-four hour period to input said user's personal identification number when required. The peer-to-peer mobile service can unlock said account after twenty-four hours if said user is able to verify their identity through a telephone call.

6. Any payment transactions initiated by the user after three successful payment transactions initiated by the user have been made within sixty minutes after the first successful payment for amounts, despite the input of the user's correct personal identification number, will have a forty-eight hour hold before the funds will be released to the recipient if:

(a) any of the transactions exceeds the user's set monetary limit; or

(b) the aggregate amount of the transactions exceeds the user's set monetary limit.

7. Any transaction placed on a forty-eight-hour hold can be cancelled by the user making the payment in the event of fraud or user-error after timely notification is made to the peer-to-peer mobile service.

8. Any peer-to-peer mobile service that does not comply with this section is prohibited from offering its services to users residing in the state of New York.

§ 3. Subsection (b) of section 403 of the financial services law is amended to read as follows:

(b) The financial frauds and consumer protection unit shall be a qualified agency, as defined in section eight hundred thirty-five of the executive law, to enforce the provisions of this article and article four of the insurance law and article II-B of the banking law and section 399-jj of the general business law.

§ 4. This act shall take effect on the sixtieth day after it shall have become a law.

EXPLANATION--Matter in italics (underscored) is new; matter in brackets [] is old law to be omitted.

LBD14473-02-4