PayPal, Inc.
New York, NY
On January 23, 2025, the New York Department of Financial Services imposed a $2 million fine on PayPal for cybersecurity violations under 23 NYCRR Part 500. A December 2022 incident involving a new tax feature exposed sensitive consumer data, including Social Security numbers (SSNs), on Form 1099-Ks. NYDFS found that PayPal misclassified code changes so that they bypassed required testing, failed to adequately train personnel, and did not mandate multi-factor authentication. The action underscores NYDFS expectations for rigorous risk assessments, asset management, and mandatory MFA for licensed entities, including money transmitters and BitLicense holders. While PayPal is not a traditional BaaS bank, its money transmitter license under NYDFS makes this action relevant to the broader fintech compliance landscape.
Verified from source: NYDFS Superintendent Adrienne A. Harris secured a $2 million cybersecurity settlement with PayPal for violations of DFS's Cybersecurity Regulation, after an investigation found PayPal's cybersecurity failures led to exposure of customers' Social Security numbers via IRS Form 1099-Ks due to inadequately trained personnel, failure to follow proper procedures, and lack of multifactor authentication requirements.
- Licensed fintech entities operating under NYDFS must ensure mandatory MFA and rigorous change-management testing procedures
- Cybersecurity enforcement against non-bank financial services firms signals heightened scrutiny of all licensed entities in the BaaS ecosystem
- BaaS partners relying on fintechs for consumer-facing features should verify partner compliance with state cybersecurity regulations