09.03.02.08

.08 Remote Work for Employees of Licensees.

A. Scope.

(1) This regulation governs the conduct of any employee operating from a location other than that which appears on the employer’s license or licenses.

(2) Notwithstanding §A(1) of this regulation, this regulation does not apply to the conduct of an employee if:

(a) The employer is licensed under Financial Institutions Article, Title 11, Subtitle 5, Annotated Code of Maryland;

(b) The employee is licensed under Financial Institutions Article, Title 11, Subtitle 6, Annotated Code of Maryland; and

(c) The employee is taking a loan application or offering or negotiating the terms of a loan in compliance with COMAR 09.03.09.07.

(3) Nothing contained in this regulation shall be deemed to prohibit an employee of a licensee from conducting any business for which a license is required at a location other than the locations set forth on the employer’s license or licenses if applicable law or regulation does not limit that conduct to the location shown on the license.

(4) A licensee may not use this regulation to evade the requirements of any applicable law or regulation.

B. Definitions.

(1) Terms Defined.

(2) In this regulation, the following terms have the meanings indicated.

(a) “Affiliate” means a person that directly or indirectly, through one or more intermediaries, controls, is controlled by, or is under common control with another person.

(b) “Authorized delegate” has the meaning stated in Financial Institutions Article, §12-401, Annotated Code of Maryland.

(c) “Board” has the meaning stated in Business Regulation Article, §7-101, Annotated Code of Maryland.

(d) “Breach of the security of a system” has the meaning stated in Commercial Law Article, §14-3504, Annotated Code of Maryland.

(e) “Consumer” means an individual who resides in Maryland.

(f) “Employee” means an employee of a licensee who is not an independent contractor or an authorized delegate.

(g) “Independent contractor” has the meaning stated in Financial Institutions Article, §11-601, Annotated Code of Maryland.

(h) “License” means any of the following:

(i) A license issued by the Board under Business Regulation Article, Title 7, Annotated Code of Maryland, to do business as a collection agency;

(ii) A license issued by the Commissioner under Commercial Law Article, Title 14, Subtitle 19, Annotated Code of Maryland, to engage in the business of a credit services business;

(iii) A license issued by the Commissioner under Financial Institutions Article, Title 11, Subtitle 2, Annotated Code of Maryland, to make loans under the Maryland Consumer Loan Law;

(iv) A license issued by the Commissioner under Financial Institutions Article, Title 11, Subtitle 3, Annotated Code of Maryland, to make installment loans;

(v) A license issued by the Commissioner under Financial Institutions Article, Title 11, Subtitle 4, Annotated Code of Maryland, to engage in business as a sales finance company;

(vi) A license issued by the Commissioner under Financial Institutions Article, Title 11, Subtitle 5, Annotated Code of Maryland, to engage in business as a mortgage lender;

(vii) A license issued by the Commissioner under Financial Institutions Article, Title 12, Subtitle 1, Annotated Code of Maryland, to provide check cashing services;

(viii) A license issued by the Commissioner under Financial Institutions Article, Title 12, Subtitle 4, Annotated Code of Maryland, to engage in the business of money transmission; or

(ix) A license issued by the Commissioner under Financial Institutions Article, Title 12, Subtitle 9, Annotated Code of Maryland, to provide debt management services.

(i) “Licensee” means a person issued a license or licenses for the purpose of conducting the business for which the license or licenses are issued.

(j) “Personal information” has the meaning stated in Commercial Law Article, §14-3501, Annotated Code of Maryland.

(k) “Records” has the meaning stated in Commercial Law Article, §14-3501, Annotated Code of Maryland.

(l) “Security program” means a written program created by or on behalf of a licensee for the purpose of allowing the licensee’s employees to safely and securely access the licensee’s information technology systems, other systems, and data from a location authorized by this section.

C. Certain Remote Work Permitted. An employee of a licensee may work remotely and is not considered conducting business for which a license is required at a location other than the address that appears on the license or licenses of that licensee if the conditions set forth in this regulation are met.

D. Locations. The location from which the employee is working:

(1) May not be owned or leased by the licensee or an affiliate of a licensee, or for the benefit of the licensee or an affiliate of the licensee;

(2) May not be a location that offers temporary office space unless the employee is using the location on a temporary basis due to the unavailability of the employee’s regular work location;

(3) May not be held out to the public by use of signage, advertisement, or other means, as a location at which the licensee conducts business for which a license is required;

(4) May not provide work space, telephone service, or internet service maintained in the name of the licensee or an affiliate and that is not intended primarily for the purpose of conducting business for which a license is required;

(5) May not be a location where the employee will meet in person with nonemployees in connection with the business for which a license is required;

(6) May not be a location that will receive or dispense cash, negotiable instruments, or other monetary value in connection with the business for which a license is required, other than compensation paid to the employee by the licensee;

(7) May not be used for the receipt of mail relating to business for which a license is required;

(8) May not be used for storage of books or records, in any form, relating to business for which a license is required unless:

(a) The records were produced or used in the normal course of employment by the employee working at that location and the licensee maintains and administers procedures for the employee to promptly and securely transmit those records to its location for the storage of books and records; or

(b) The licensee is permitted by applicable law or regulation to store the books or records of the licensee at that location;

(9) Shall provide a workspace that is secure, provide for appropriate protection of personal information as required under applicable law, and have the appropriate technological security measures and physical safeguards in place to protect personal information;

(10) Shall be a location used only by a single employee unless:

(a) Other employees using the location maintain a common household with each other; or

(b) The location is used for a period not exceeding 2 weeks every calendar quarter to facilitate business or nonbusiness travel;

(11) May not be used to conduct a specific act that applicable law or regulation requires be conducted only at specified locations; and

(12) Shall be authorized by the licensee as a location from which the employee may work.

E. Security Standards.

(1) A licensee that allows any employee to work at a location authorized by this section shall develop, implement, and maintain a security program that is consistent with all applicable laws and regulations, meets or exceed standards of the industry in which the licensee conducts its business, addresses known vulnerabilities, and is commensurate with the licensee’s size and complexity.

(2) The licensee’s security program may be part of the licensee’s comprehensive data and cyber security program.

(3) A licensee’s security program shall consider the following objectives:

(a) Allowing employees working at locations authorized by this section to access the licensee’s information technology system, other systems, and data needed to perform the employee’s job functions in a safe and secure manner;

(b) Ensuring the security and confidentiality of the licensee’s data containing personal information and other sensitive information;

(c) Protecting the licensee’s information technology systems, other systems, and data against security breaches and unauthorized access, including unauthorized access by employees;

(d) Identifying the types of devices an employee may use to access the licensee’s information technology systems, other systems, and data, and protecting those devices from security breaches and unauthorized access; and

(e) Providing training and support of the licensee’s employees necessary to ensure compliance with the security program and establishing appropriate sanctions for failures to comply.

(4) A licensee shall have an established governance process in place to control and monitor the security program which shall include, as appropriate for the size and complexity of the licensee and its information technology systems, other systems, and data:

(a) The approval of the security program by the board of directors, ownership, or most senior level of management; and

(b) A management structure that encompasses:

(i) Assigning responsibilities and authorities for ensuring adherence to the security program;

(ii) Documenting accountability for functions to ensure compliance with the security program; and

(iii) Reporting to the board of directors, ownership, or most senior level of management, no less than annually, regarding the effectiveness of the security program.

(5) In connection with the security program, a licensee shall complete a comprehensive remote access and data security risk assessment, including:

(a) Identification and assessment of risks and vulnerabilities created by allowing employees to work at locations authorized by this section and to access the licensee’s information technology systems, other systems, and data from such locations; and

(b) Identification of the devices, data, information technology system, and other systems that need to be protected.

(6) A licensee shall perform periodic testing and monitoring of the security program as appropriate for the size and complexity of the licensee’s information technology and other systems, including:

(a) Evaluating the effectiveness of the security program;

(b) Evaluating employee compliance with the security program;

(c) Taking corrective action to address any significant deficiencies identified during the course of licensee’s evaluation of the effectiveness of the security program;

(d) Monitoring of external sources for new vulnerabilities;

(e) Updating, as appropriate, its remote access and data security risk assessment; and

(f) Developing and implementing additional control frame works for any new or changed threats or risks identified by the licensee.

(7) A licensee shall review the security program at least annually and make changes necessary to achieve the objectives of the security program.

(8) A licensee that adequately demonstrates compliance with standards issued by the National Institute of Standards and Technology, United States Department of Commerce, relating to remote workers and remote access, as such may be revised from time to time, shall be deemed to be in compliance with this section.

F. Supervision of Employees.

(1) A licensee shall at all times reasonably and adequately supervise the work-related activities of each employee working at a location authorized by this section.

(2) If the Commissioner determines that the licensee does not provide reasonable and adequate supervision of the employee, after written notice from the Commissioner, and within 5 business days of receiving such notice, the licensee will terminate the employee’s eligibility to work at a location provided for under this regulation.

(3) A licensee shall maintain and update, as appropriate, written records with respect to an employee working from locations provided for in this section, including the initial authorization to work from any such location, any updated authorization, and information regarding the location and any due diligence the license has undertaken to ensure compliance with this regulation.

(4) The licensee shall retain the records required by §F(3) of this regulation for the greater of 2 years from the date the employee ceases using such location in connection with the business for which a license is required or any retention period required by applicable law or regulation.

G. Identification of Licensee. The employee may not, in connection with the business for which a license is required, conceal, misrepresent or otherwise mislead any person with respect to the identity of the licensee.

H. Principal Executive Office. The licensee shall, at a minimum, maintain a principal executive office.

I. Security Breach. If a breach of the security of a system occurs at a location provided for in this regulation, the following steps shall be taken:

(1) Upon learning of the breach of the security of a system, the employee shall immediately notify the licensee;

(2) Upon learning of the breach of the security of a system, the licensee shall within 72 hours notify the Commissioner and make any other notifications that may be required under applicable law or regulation;

(3) The licensee shall investigate the breach of the security of a system and document its findings, including the remedial steps, if any, that have been undertaken by the licensee to remediate any harm to consumers and to update policies, procedures, and processes as a result of the findings; and

(4) If requested by the Commissioner, the licensee shall provide a copy of the documentation of the investigation required in this section.