Complying with New York’s 23 NYCRR Part 500 Cybersecurity Regulation

Summary

Docusign IAM offers financial services organizations tools like multi-factor authentication and identity verification to help comply with New York State's updated 23 NYCRR Part 500 cybersecurity regulation requiring enhanced security measures.

      Financial services organizations operating in New York State are subject to some of the most rigorous compliance requirements in the U.S. In no arena is this truer than cybersecurity, where the New York State Department of Financial Services (NYSDFS) has in recent years taken a more aggressive regulatory stance to help protect consumers and financial institutions from increasingly sophisticated and costly cyberattacks and data breaches.

      Significantly, NYSDFS amended 23 NYCRR Part 500 (Part 500), its cybersecurity regulation, on Nov 1, 2023. This latest amendment includes more robust requirements for implementing multi-factor authentication (MFA) under section 500.12.

      Beginning November 1, 2025, a broad group of financial services organizations designated as “Covered Entities” must enable multi-factor authentication (MFA) for “any individual accessing the Covered Entity’s internal networks from an external network,” unless a limited exemption applies. 

      MFA comes in many different flavors, and under Part 500, Covered Entities must implement at least two of the following types of authentication:

      • Type 1 – Something You Know: This category includes anything a user can remember and then type, recite, or perform, such as a password, PIN, combination, code word, or secret handshake

      • Type 2 – Something You Have: This type includes using physical objects, such as keys, smartphones, smart cards, USB drives, and tokens (devices that produce a time-based PIN or can compute a response from a challenge number issued by the server) for authentication purposes

      • Type 3 – Something You Are: Commonly referred to as biometric authentication, this category includes identity verification techniques that use any part of the human body, such as fingerprint recognition, palm scanning, facial recognition, retina and iris scanning, and voice verification

      Docusign balances regulatory compliance and customer experience

      Fortunately, financial institutions don’t have to choose between providing an outstanding customer experience and meeting the latest MFA requirements included in Part 500. Intelligent Agreement Management (IAM) offers a new, AI-powered way to help organizations achieve this critical balance between experience and regulatory compliance. 

      Docusign eSignature has long been a leading solution that helps financial firms deliver a secure, seamless, and trusted signing experience to their customers. Now, Docusign IAM offers a wide range of identity verification capabilities that support the robust new MFA requirements that financial institutions must comply with.

      Docusign offers several innovative solutions, including these modular authentication features in Docusign IAM:

      ID Verification

      Verify government-issued identity documents automatically with these integrated identity verification capabilities: 

      • Risk-Based Verification: Balance security and customer experience by automatically adjusting the level of identity verification recipients must complete based on internal and external risk factors (coming later in 2025)

      • Liveness Detection for ID Verification: Allow signers to verify their identities by completing AI-powered biometric checks in less than a minute, on average,* as part of the process of completing agreements secured with Docusign ID Verification

      • Docusign ID Verification with CLEAR: Leverage CLEAR's strong brand recognition and reputation by enabling recipients to easily confirm their identity using their existing CLEAR profile (coming later in 2025)

      • Knowledge-Based Authentication (KBA): Enable recipients to easily identify themselves by successfully answering a series of personal questions accessed from public databases (e.g., “What is the name of the street you purchased your first house on?”)

      Phone Authentication

      Allow signers to verify their identity by entering a one-time passcode delivered to their mobile device, a process that takes just seconds,* compared with traditional methods that could take several minutes or more

      Custom Data Verification

      Confirm signer-entered PII data is correct by verifying against internal data sources

      Notary On-Demand

      Deliver on-demand, 24/7 notarization experiences with a pool of notaries publicly available across all 50 U.S. states

      Docusign IAM comes with low-code/no-code conditional workflow engines that enable financial services firms to integrate IDV seamlessly into their customer-facing workflows, helping them support compliance and adapt quickly to an evolving regulatory climate. This leaves organizations well equipped to adhere to strict compliance requirements and implement robust reporting and audit trail features—non-negotiables for this highly regulated industry. 

      If you’re new to Docusign, schedule a demo today to see how our innovative solutions for multi-factor authentication can work for you. And if you’re a current Docusign customer, reach out to your account representative to learn how to activate these IDV solutions on your existing subscription.

      *Based on Docusign product usage data. Individual results may vary.
