Committee advances bill requiring cybersecurity programs for mortgage lenders and money‑services businesses
Get AI-powered insights, summaries, and transcripts
Subscribe
Summary
The Information Technology Budget and Policy Subcommittee unanimously voted to report CS for House Bill 381 favorably after sponsors and the Office of Financial Regulation described new information‑security program and breach‑notice duties for lenders, mortgage brokers, credit unions and money‑service businesses. Members pressed sponsors to clarify third‑party testing and compliance burdens before the bill reaches Commerce Committee.
TALLAHASSEE — The Information Technology Budget and Policy Subcommittee voted 12‑0 on Feb. 16 to report CS for House Bill 381 favorably to the Commerce Committee, advancing a measure that would require mortgage lenders, loan originators, mortgage brokers and money‑services businesses to adopt comprehensive written information security programs and written incident‑response plans.
Representative Barnaby, the bill sponsor, summarized a package of changes that includes new breach‑notice requirements to the Office of Financial Regulation and other recipients, revisions to credit‑union and bank organization rules, and a provision treating debit‑card transactions the same as cash transactions for certain purposes. "This bill requires loan originators, mortgage brokers, and mortgage lenders, and money services businesses to develop, implement, and maintain comprehensive written information security programs," Barnaby said in his presentation to the subcommittee.
The bill, Barnaby said, also revises grounds for disciplinary action against money‑services businesses and establishes rules for emergency orders that can suspend money‑service business licenses. He told the committee he expects to offer technical amendments before the bill reaches the Commerce Committee.
Members pressed the sponsor on implementation details. Representative Blanco asked whether the bill meaningfully differs from federal information‑security requirements; Barnaby responded that the measure "aligns with federal law" and said he would provide more detailed comparisons offline. Vice Chair Steele pressed a separate operational concern: he said the language may require mortgage lenders to perform software testing or penetration testing even when the lender uses vendor‑provided systems. "This might be a purchased asset," Steele said, arguing that vendors typically conduct testing and that responsibility for penetration testing should be clarified.
Barnaby and supporters acknowledged those concerns and pledged to work with members and the Office of Financial Regulation on clarifying language. "I must say that from the knowledge that I've gathered so far, I do not believe that the mortgage companies are gonna be made to pay for the for the software," Barnaby said, adding that he expects further clarification offline and amendments before Commerce Committee consideration.
Three stakeholders waived in support during the public‑testimony period: Scott Jenkins of the American Financial Services Association, Christopher Hodge of the Florida Credit Union Association, and Ash Mason of the Office of Financial Regulation.
The committee took no amendments during the meeting and then took a roll call vote. Tamara, the clerk, recorded 12 yeas and 0 nays; Chair McFarland announced CS for House Bill 381 would be reported favorably. With no further business, Representative Gil Lombardo moved to adjourn; the meeting was adjourned without objection.
What happens next: The bill is scheduled to proceed to the Commerce Committee, where lawmakers said sponsor and agency staff will present updated amendment language addressing the outstanding questions.