ARTICLE
30 April 2025

North Dakota Expands Data Security Requirements And Issues New Licensing Requirements For Brokers

SM
Sheppard Mullin Richter & Hampton

Contributor

Sheppard Mullin is a full service Global 100 firm with over 1,000 attorneys in 16 offices located in the United States, Europe and Asia. Since 1927, companies have turned to Sheppard Mullin to handle corporate and technology matters, high stakes litigation and complex financial transactions. In the US, the firm’s clients include more than half of the Fortune 100.
On April 11, North Dakota enacted HB 1127, overhauling its regulatory framework for financial institutions and nonbank financial service providers.
United States North Dakota Technology

On April 11, North Dakota enacted HB 1127, overhauling its regulatory framework for financial institutions and nonbank financial service providers. The law amends multiple chapters of the North Dakota Century Code and creates a new data security mandate for financial corporations—a category that includes non-depository entities regulated by the Department of Financial Institutions (DFI). It also expands the licensing requirement for brokers to include "alternative financing products," potentially impacting a broad array of fintech providers.

The law introduces sweeping data protection obligations for nonbank financial corporations through new requirements created in Chapter 13-01.2. Specifically, covered entities must:

  • Implement an information security program. This includes administrative, technical, and physical safeguards, based on a written risk assessment.
  • Designate a qualified individual. Each financial corporation must designate a qualified individual responsible for overseeing the security program and report annually to its board or a senior officer.
  • Conduct regular testing. Annual penetration tests and biannual vulnerability assessments are mandatory unless continuous monitoring is in place.
  • Secure consumer data. Encryption of data in transit and at rest is required unless a compensating control is approved. Multifactor authentication is also mandatory.
  • Notify regulators of breaches. A data breach involving 500 or more consumers must be reported to the Commissioner within 45 days.

The bill also amends North Dakota's broker licensing laws to authorize the DFI to classify certain alternative financing arrangements as "loans."

Putting It Into Practice: Of the many amendments here, North Dakota's expansion of licensing requirements for brokers of alternative financing products may have the biggest impact for institutions, especially fintechs. Stay tuned to this space for more details.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More