Read the full stored bill text
S. B. No. 2715 *SS26/R760* ~ OFFICIAL ~ G3/5
26/SS26/R760
PAGE 1 (baf\tb)
To: Business and Financial
Institutions
MISSISSIPPI LEGISLATURE REGULAR SESSION 2026
By: Senator(s) Johnson
SENATE BILL NO. 2715
AN ACT TO AMEND SECTION 75-16-11, MISSISSIPPI CODE OF 1972, 1
TO REQUIRE THAT ALL FUNDS COMING INTO THE POSSESSION OF THE 2
COMMISSIONER OF THE DEPARTMENT OF BANKING AND CONSUMER FINANCE AS 3
A RESULT OF THE MONEY TRANSMISSION MODERNIZATION ACT SHALL BE 4
DEPOSITED INTO THE SPECIAL FUND IN THE STATE TREASURY KNOWN AS THE 5
"CONSUMER FINANCE FUND," AND SHALL BE EXPENDED BY THE COMMISSIONER 6
SOLELY AND EXCLUSIVELY FOR THE ADMINISTRATION AND ENFORCEMENT OF 7
THE ACT; TO AMEND SECTION 75-16-25, MISSISSIPPI CODE OF 1972, TO 8
REQUIRE APPLICATIONS FOR A LICENSE TO CONTAIN A LIST OF THE 9
APPLICANT'S VIRTUAL CURRENCY KIOSKS IN THIS STATE AT WHICH IT 10
PROPOSES TO PROVIDE VIRTUAL CURRENCY KIOSK TRANSACTIONS; TO AMEND 11
SECTION 75-16-31, MISSISSIPPI CODE OF 1972, TO REQUIRE RENEWAL 12
REPORTS TO CONTAIN A LIST OF THE LOCATIONS IN THIS STATE WHERE THE 13
LICENSEE OR AN AUTHORIZED DELEGATE OF THE LICENSEE ENGAGES IN 14
VIRTUAL CURRENCY KIOSK TRANSACTIONS; TO AMEND SECTION 75-16-43, 15
MISSISSIPPI CODE OF 1972, TO REQUIRE LICENSEES TO SUBMIT QUARTERLY 16
REPORTS CONTAINING CERTAIN INFORMATION ABOUT LOCATIONS AT WHICH 17
MONEY SERVICES ARE PROVIDED AND OF VIRTUAL CURRENCY KIOSKS; TO 18
AMEND SECTION 75-16-51, MISSISSIPPI CODE OF 1972, TO PROVIDE THAT 19
A LICENSEE'S WRITTEN CONTRACT SEEKING TO CONDUCT BUSINESS THROUGH 20
AN AUTHORIZED DELEGATE MUST BE MADE AVAILABLE TO THE COMMISSIONER 21
UPON REQUEST BEFORE THE LICENSEE IS AUTHORIZED TO CONDUCT SUCH 22
BUSINESS; TO AMEND SECTION 75-16-65, MISSISSIPPI CODE OF 1972, TO 23
PROVIDE THAT A LICENSEE SHALL ANNUALLY PROVIDE TRAINING MATERIALS 24
TO EACH AUTHORIZED DELEGATE THROUGH WHICH IT ENGAGES IN THE 25
BUSINESS OF MONEY TRANSMISSION ON RECOGNIZING FINANCIAL ABUSE AND 26
EXPLOITATION OF AN ELDER ADULT; TO CREATE NEW SECTION 75-16-89, 27
MISSISSIPPI CODE OF 1972, TO REQUIRE THAT A LICENSEE PROVIDE ITS 28
NAME AND MAILING ADDRESS OR TELEPHONE NUMBER TO THE PURCHASER IN 29
CONNECTION WITH EACH MONEY TRANSMISSION OR KIOSK TRANSACTION 30
CONDUCTED BY THE LICENSEE DIRECTLY OR THROUGH AN AUTHORIZED 31
DELEGATE; TO CREATE NEW SECTIONS TO BE CODIFIED AS A NEW CHAPTER 32
WITHIN TITLE 75, MISSISSIPPI CODE OF 1972, THAT MAY BE CITED AS 33
THE "DATA SECURITY FOR MONEY TRANSMITTERS ACT"; TO DEFINE TERMS; 34
S. B. No. 2715 *SS26/R760* ~ OFFICIAL ~
26/SS26/R760
PAGE 2 (baf\tb)
TO CREATE STANDARDS FOR SAFEGUARDING CUSTOMER INFORMATION; TO SET 35
FORTH REQUIRED ELEMENTS FOR INFORMATION SECURITY PROGRAMS; TO 36
REQUIRE THAT A LICENSEE PROVIDE NOTIFICATION OF CERTAIN EVENTS TO 37
THE COMMISSIONER; TO PROVIDE CERTAIN EXCEPTIONS; TO SET FORTH THE 38
COMMISSIONER'S AUTHORITY RELATED TO THE ACT; AND FOR RELATED 39
PURPOSES. 40
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF MISSISSIPPI: 41
SECTION 1. Section 75-16-11, Mississippi Code of 1972, is 42
amended as follows: 43
75-16-11. Implementation. (1) In order to carry out the 44
purposes of this chapter, the commissioner may, subject to the 45
provisions of Section 75-16-13(1) and (2): 46
(a) Enter into agreements or relationships with other 47
government officials or federal and state regulatory agencies and 48
regulatory associations in order to improve efficiencies and 49
reduce regulatory burden by standardizing methods or procedures, 50
and sharing resources, records or related information obtained 51
under this chapter; 52
(b) Use, hire, contract or employ analytical systems, 53
methods or software to examine or investigate any person subject 54
to this chapter; 55
(c) Accept, from other state or federal government 56
agencies or officials, licensing, examination or investigation 57
reports made by such other state or federal government agencies or 58
officials; and 59
(d) Accept audit reports made by an independent 60
certified public accountant or other qualified third-party auditor 61
S. B. No. 2715 *SS26/R760* ~ OFFICIAL ~
26/SS26/R760
PAGE 3 (baf\tb)
for an applicant or licensee and incorporate the audit report in 62
any report of examination or investigation. 63
(2) The commissioner shall have the broad administrative 64
authority to administer, interpret and enforce this chapter, and 65
to promulgate rules or regulations implementing this chapter and 66
to recover the cost of administering and enforcing this chapter by 67
imposing and collecting proportionate and equitable fees and costs 68
associated with applications, examinations, investigations, and 69
other actions required to achieve the purpose of this chapter. 70
All funds coming into the possession of the commissioner as a 71
result of this chapter, including all annual fees, renewal fees, 72
examination fees, fines and penalties, shall be deposited by the 73
commissioner into the special fund in the State Treasury known as 74
the "Consumer Finance Fund," and shall be expended by the 75
commissioner solely and exclusively for the administration and 76
enforcement of this chapter. 77
SECTION 2. Section 75-16-25, Mississippi Code of 1972, is 78
amended as follows: 79
75-16-25. Application for license. (1) Applicants for a 80
license shall apply in a form and in a medium as prescribed by the 81
commissioner. Each such form shall contain content as set forth 82
by rule, regulation, instruction or procedure of the commissioner 83
and may be changed or updated by the commissioner in accordance 84
with applicable law in order to carry out the purposes of this 85
S. B. No. 2715 *SS26/R760* ~ OFFICIAL ~
26/SS26/R760
PAGE 4 (baf\tb)
chapter and maintain consistency with NMLS licensing standards and 86
practices. The application must state or contain, as applicable: 87
(a) The legal name and residential and business 88
addresses of the applicant and any fictitious or trade name used 89
by the applicant in conducting its business; 90
(b) A list of any criminal convictions of the applicant 91
and any material litigation in which the applicant has been 92
involved in the ten-year period next preceding the submission of 93
the application; 94
(c) A description of any money transmission previously 95
provided by the applicant and the money transmission that the 96
applicant seeks to provide in this state; 97
(d) A list of the applicant's proposed authorized 98
delegates and the locations, including virtual currency kiosks, in 99
this state where the applicant and its authorized delegates 100
propose to engage in money transmission or provide other money 101
services, including, but not limited to, virtual currency kiosk 102
transactions; 103
(e) A list of other states in which the applicant is 104
licensed to engage in money transmission and any license 105
revocations, suspensions or other disciplinary action taken 106
against the applicant in another state; 107
(f) Information concerning any bankruptcy or 108
receivership proceedings affecting the licensee or a person in 109
control of a licensee; 110
S. B. No. 2715 *SS26/R760* ~ OFFICIAL ~
26/SS26/R760
PAGE 5 (baf\tb)
(g) A sample form of contract for authorized delegates, 111
if applicable; 112
(h) A sample form of payment instrument or stored 113
value, as applicable; 114
(i) The name and address of any federally insured 115
depository financial institution through which the applicant plans 116
to conduct money transmission; and 117
(j) Any other information the commissioner or NMLS 118
requires with respect to the applicant. 119
(2) If an applicant is a corporation, limited liability 120
company, partnership or other legal entity, the applicant shall 121
also provide: 122
(a) The date of the applicant's incorporation or 123
formation and state or country of incorporation or formation; 124
(b) If applicable, a certificate of good standing from 125
the state or country in which the applicant is incorporated or 126
formed; 127
(c) A brief description of the structure or 128
organization of the applicant, including any parents or 129
subsidiaries of the applicant, and whether any parents or 130
subsidiaries are publicly traded; 131
(d) The legal name, any fictitious or trade name, all 132
business and residential addresses and the employment, as 133
applicable, in the ten-year period next preceding the submission 134
S. B. No. 2715 *SS26/R760* ~ OFFICIAL ~
26/SS26/R760
PAGE 6 (baf\tb)
of the application of each key individual and person in control of 135
the applicant; 136
(e) A list of any criminal convictions and material 137
litigation in which a person in control of the applicant that is 138
not an individual has been involved in the ten-year period next 139
preceding the submission of the application; 140
(f) A copy of audited financial statements of the 141
applicant for the most recent fiscal year and for the two-year 142
period next preceding the submission of the application; 143
(g) A certified copy of unaudited financial statements 144
of the applicant for the most recent fiscal quarter; 145
(h) If the applicant is a publicly traded corporation, 146
a copy of the most recent report filed with the United States 147
Securities and Exchange Commission under Section 13 of the U.S. 148
Securities Exchange Act of 1934, 15 USC § 78m, as amended or 149
recodified from time to time; 150
(i) If the applicant is a wholly owned subsidiary of: 151
(i) A corporation publicly traded in the United 152
States, a copy of audited financial statements for the parent 153
corporation for the most recent fiscal year or a copy of the 154
parent corporation's most recent report filed under Section 13 of 155
the U.S. Securities Exchange Act of 1934, 15 USC § 78m, as amended 156
or recodified from time to time; or 157
(ii) A corporation publicly traded outside the 158
United States, a copy of similar documentation filed with the 159
S. B. No. 2715 *SS26/R760* ~ OFFICIAL ~
26/SS26/R760
PAGE 7 (baf\tb)
regulator of the parent corporation's domicile outside the United 160
States; 161
(j) The name and address of the applicant's registered 162
agent in this state; and 163
(k) Any other information the commissioner requires 164
with respect to the applicant. 165
(3) A nonrefundable license fee of One Thousand Five Hundred 166
Dollars ($1,500.00) must accompany an application for a license 167
under this section. However, beginning with calendar year 2025 168
and for each subsequent calendar year, on or before July 1 of the 169
following year, the Mississippi Department of Banking and Consumer 170
Finance will issue a memo authorizing a new license fee under this 171
section. The new amount will be calculated by applying any 172
increase or decrease in the United States Bureau of Labor 173
Statistics Consumer Price Index for All Urban Consumers (CPI-U) 174
for the previous calendar year to the previous fee amount and 175
rounding that amount upward to the nearest One-Hundred-Dollar 176
increment. 177
(4) The commissioner may waive one or more requirements of 178
subsections (1) and (2) of this section or permit an applicant to 179
submit other information in lieu of the required information. 180
SECTION 3. Section 75-16-31, Mississippi Code of 1972, is 181
amended as follows: 182
75-16-31. Renewal of license. (1) A license under this 183
chapter shall be renewed annually. 184
S. B. No. 2715 *SS26/R760* ~ OFFICIAL ~
26/SS26/R760
PAGE 8 (baf\tb)
(a) An annual renewal fee of Eight Hundred Dollars 185
($800.00) plus One Hundred Dollars ($100.00) for each location in 186
excess of one in Mississippi through which the licensee plans to 187
conduct money transmission during the license year for which the 188
fee is paid, shall be paid, provided that in no event shall the 189
annual renewal fee exceed Five Thousand Eight Hundred Dollars 190
($5,800.00). Such renewal fee shall be paid no more than sixty 191
(60) days before the license expiration. 192
(b) The renewal term shall be for a period of one (1) 193
year and shall begin on January 1 of each year after the initial 194
license term and shall expire on December 31 of the year the 195
renewal term begins. 196
(2) A licensee shall submit a renewal report with the 197
renewal fee, in a form and in a medium prescribed by the 198
commissioner. The renewal report must state or contain a 199
description of each material change in information submitted by 200
the licensee in its original license application which has not 201
been reported to the commissioner. The report must also contain a 202
list of the locations in this state where the licensee or an 203
authorized delegate of the licensee engages in virtual currency 204
kiosk transactions. 205
(3) The commissioner, for good cause, may grant an extension 206
of the renewal date. 207
S. B. No. 2715 *SS26/R760* ~ OFFICIAL ~
26/SS26/R760
PAGE 9 (baf\tb)
(4) The commissioner is authorized and encouraged to utilize 208
NMLS to process license renewals provided that such functionality 209
is consistent with this section. 210
SECTION 4. Section 75-16-43, Mississippi Code of 1972, is 211
amended as follows: 212
75-16-43. Authorized delegate reporting. (1) Each licensee 213
shall submit a report of all authorized delegates and locations in 214
this state where the licensee or an authorized delegate of the 215
licensee provides money services, including, but not limited to, 216
virtual currency kiosks. Such report must be provided within 217
forty-five (45) days of the end of the calendar quarter. The 218
commissioner is authorized and encouraged to utilize NMLS for the 219
submission of the report required by this subsection provided that 220
such functionality is consistent with the requirements of this 221
section. Such utilization shall include the NMLS Uniform 222
Authorized Agent Reporting (UAAR) process, or such other similar 223
process as designated by NMLS. 224
(2) The authorized delegate report shall include, at a 225
minimum, each authorized delegate's: 226
(a) Company legal name; 227
(b) Taxpayer employer identification number; 228
(c) Principal provider identifier; 229
(d) Physical address; 230
(e) Mailing address; 231
(f) Any business conducted in other states; 232
S. B. No. 2715 *SS26/R760* ~ OFFICIAL ~
26/SS26/R760
PAGE 10 (baf\tb)
(g) Any fictitious or trade name; 233
(h) Contact person name, phone number, and email; 234
(i) Start date as licensee's authorized delegate; 235
(j) End date acting as licensee's authorized delegate, 236
if applicable; and 237
(k) Any other information the commissioner requires 238
with respect to the authorized delegate. 239
SECTION 5. Section 75-16-51, Mississippi Code of 1972, is 240
amended as follows: 241
75-16-51. Relationship between licensee and authorized 242
delegate. (1) In this section, "remit" means to make direct 243
payments of money to a licensee or its representative authorized 244
to receive money or to deposit money in a bank in an account 245
specified by the licensee. 246
(2) Before a licensee is authorized to conduct business 247
through an authorized delegate or allows a person to act as the 248
licensee's authorized delegate, the licensee must: 249
(a) Adopt, and update as necessary, written policies 250
and procedures designed to ensure that the licensee's authorized 251
delegates comply with applicable state and federal law; 252
(b) Enter into a written contract, which shall be made 253
available to the commissioner upon request, that complies with 254
subsection (4) of this section; and 255
(c) Conduct a risk-based background investigation 256
sufficient for the licensee to determine whether the authorized 257
S. B. No. 2715 *SS26/R760* ~ OFFICIAL ~
26/SS26/R760
PAGE 11 (baf\tb)
delegate has complied and will likely comply with applicable state 258
and federal law. 259
(3) An authorized delegate must operate in full compliance 260
with this chapter. 261
(4) The written contract required by subsection (2) of this 262
section must be signed by the licensee and the authorized delegate 263
and, at a minimum, must: 264
(a) Appoint the person signing the contract as the 265
licensee's authorized delegate with the authority to conduct money 266
transmission on behalf of the licensee; 267
(b) Set forth the nature and scope of the relationship 268
between the licensee and the authorized delegate and the 269
respective rights and responsibilities of the parties; 270
(c) Require the authorized delegate to agree to fully 271
comply with all applicable state and federal laws, rules, and 272
regulations pertaining to money transmission, including this 273
chapter and regulations implementing this chapter, relevant 274
provisions of the Bank Secrecy Act and the USA PATRIOT ACT; 275
(d) Require the authorized delegate to remit and handle 276
money and monetary value in accordance with the terms of the 277
contract between the licensee and the authorized delegate; 278
(e) Impose a trust on money and monetary value net of 279
fees received for money transmission for the benefit of the 280
licensee; 281
S. B. No. 2715 *SS26/R760* ~ OFFICIAL ~
26/SS26/R760
PAGE 12 (baf\tb)
(f) Require the authorized delegate to prepare and 282
maintain records as required by this chapter or regulations 283
implementing this chapter, or as requested by the commissioner; 284
(g) Acknowledge that the authorized delegate consents 285
to examination or investigation by the commissioner; 286
(h) State that the licensee is subject to regulation by 287
the commissioner and that, as part of that regulation, the 288
commissioner may suspend or revoke an authorized delegate 289
designation or require the licensee to terminate an authorized 290
delegate designation; and 291
(i) Acknowledge receipt of the written policies and 292
procedures required under subsection (2)(a) of this section. 293
(5) If the licensee's license is suspended, revoked, 294
surrendered or expired, the licensee must, within five (5) 295
business days, provide documentation to the commissioner that the 296
licensee has notified all applicable authorized delegates of the 297
licensee whose names are in a record filed with the commissioner 298
of the suspension, revocation, surrender or expiration of a 299
license. Upon suspension, revocation, surrender or expiration of 300
a license, applicable authorized delegates shall immediately cease 301
to provide money transmission as an authorized delegate of the 302
licensee. 303
(6) An authorized delegate of a licensee holds in trust for 304
the benefit of the licensee all money net of fees received from 305
money transmission. If any authorized delegate commingles any 306
S. B. No. 2715 *SS26/R760* ~ OFFICIAL ~
26/SS26/R760
PAGE 13 (baf\tb)
funds received from money transmission with any other funds or 307
property owned or controlled by the authorized delegate, all 308
commingled funds and other property shall be considered held in 309
trust in favor of the licensee in an amount equal to the amount of 310
money net of fees received from money transmission. 311
(7) An authorized delegate may not use a subdelegate to 312
conduct money transmission on behalf of a licensee. 313
(8) On or before April 1 of each year, a licensee shall 314
provide to each authorized delegate through which it engages in 315
the business of money transmission training materials on how to: 316
(a) Recognize financial abuse and financial 317
exploitation of an elder adult; and 318
(b) Respond appropriately if the authorized delegate 319
suspects that the authorized delegate is being asked to engage in 320
the business of money transmission for a fraudulent transaction in 321
which an elder adult is the victim of financial abuse or financial 322
exploitation. 323
A licensee shall provide the training materials required 324
under this subsection (8) to each newly appointed authorized 325
delegate within one (1) month after appointment of the authorized 326
delegate. 327
SECTION 6. Section 75-16-65, Mississippi Code of 1972, is 328
amended as follows: 329
75-16-65. Maintenance of permissible investments. (1) A 330
licensee shall maintain at all times permissible investments that 331
S. B. No. 2715 *SS26/R760* ~ OFFICIAL ~
26/SS26/R760
PAGE 14 (baf\tb)
have a market value computed in accordance with United States 332
Generally Accepted Accounting Principles of not less than the 333
aggregate amount of all of its outstanding money transmission 334
obligations. 335
(2) Except for permissible investments enumerated in Section 336
75-16-67(1), the commissioner, with respect to any licensee, may 337
by rule, regulation or order limit the extent to which a specific 338
investment maintained by a licensee within a class of permissible 339
investments may be considered a permissible investment, if the 340
specific investment represents undue risk to customers, not 341
reflected in the market value of investments. 342
(3) Permissible investments, even if commingled with other 343
assets of the licensee, are held in trust for the benefit of the 344
purchasers and holders of the licensee's outstanding money 345
transmission obligations in the event of insolvency, the filing of 346
a petition by or against the licensee under the United States 347
Bankruptcy Code, 11 USC Sections 101-110, as amended or recodified 348
from time to time, for bankruptcy or reorganization, the filing of 349
a petition by or against the licensee for receivership, the 350
commencement of any other judicial or administrative proceeding 351
for its dissolution or reorganization, or in the event of an 352
action by a creditor against the licensee who is not a beneficiary 353
of this statutory trust. No permissible investments impressed 354
with a trust pursuant to this subsection (3) shall be subject to 355
S. B. No. 2715 *SS26/R760* ~ OFFICIAL ~
26/SS26/R760
PAGE 15 (baf\tb)
attachment, levy of execution or sequestration by order of any 356
court, except for a beneficiary of this statutory trust. 357
(4) Upon the establishment of a statutory trust in 358
accordance with subsection (3) of this section or when any funds 359
are drawn on a letter of credit pursuant to Section 75-16-67(1), 360
the commissioner shall notify the applicable regulator of each 361
state in which the licensee is licensed to engage in money 362
transmission, if any, of the establishment of the trust or the 363
funds drawn on the letter of credit, as applicable. Notice shall 364
be deemed satisfied if performed pursuant to a multistate 365
agreement or through NMLS. Funds drawn on a letter of credit, and 366
any other permissible investments held in trust for the benefit of 367
the purchasers and holders of the licensee's outstanding money 368
transmission obligations, are deemed held in trust for the benefit 369
of such purchasers and holders on a pro rata and equitable basis 370
in accordance with statutes pursuant to which permissible 371
investments are required to be held in this state, and other 372
states, as applicable. Any statutory trust established hereunder 373
shall be terminated upon extinguishment of all of the licensee's 374
outstanding money transmission obligations. 375
(5) The commissioner, by rule, regulation or by order may 376
allow other types of investments that the commissioner determines 377
are of sufficient liquidity and quality to be a permissible 378
investment. The commissioner is authorized to participate in 379
efforts with other state regulators to determine that other types 380
S. B. No. 2715 *SS26/R760* ~ OFFICIAL ~
26/SS26/R760
PAGE 16 (baf\tb)
of investments are of sufficient liquidity and quality to be a 381
permissible investment. 382
SECTION 7. The following shall be codified as Section 383
75-16-89, Mississippi Code of 1972: 384
75-16-89. (1) A licensee shall provide its name and mailing 385
address or telephone number to the purchaser in connection with 386
each money transmission or virtual currency kiosk transaction 387
conducted by the licensee directly or through an authorized 388
delegate. 389
(2) An authorized delegate shall display prominently in a 390
form and in a medium prescribed by the commissioner a notice that 391
states or contains the following information: 392
(a) The name, mailing address and telephone number of 393
the authorized delegate; 394
(b) For each licensee of the authorized delegate: 395
(i) A statement that the authorized delegate is an 396
agent conducting business on behalf of the licensee under this 397
chapter; and 398
(ii) The name, mailing address and telephone 399
number of the licensee; and 400
(c) A statement: 401
(i) Directing consumers with complaints to contact 402
the Department of Banking and Consumer Finance; and 403
(ii) Containing the current mailing address and 404
telephone number of the department. 405
S. B. No. 2715 *SS26/R760* ~ OFFICIAL ~
26/SS26/R760
PAGE 17 (baf\tb)
(3) (a) A licensee or authorized delegate shall include a 406
clear, concise and conspicuous fraud warning that is posted in a 407
conspicuous area or included on a transmittal form used by a 408
consumer to send money to another individual. 409
(b) The fraud warning required under subsection (3)(a) 410
of this section shall: 411
(i) Include a toll-free telephone number for 412
consumers to call to report fraud or suspected fraud; and 413
(ii) Be in clear, conspicuous, and legible writing 414
in English and in the language principally used by the licensee or 415
authorized delegate to advertise, solicit or negotiate, either 416
orally or in writing, for a transaction conducted in person, 417
electronically or by telephone, if other than English. 418
(c) A licensee shall monitor the activities of its 419
authorized delegates relating to transmittals by consumers. 420
(d) If a licensee or authorized delegate conducts money 421
transmission activity through a website or a mobile application 422
that is not in a physical location, the commissioner may authorize 423
an alternative form of the fraud notice required under subsection 424
(3)(a) of this section. 425
SECTION 8. This chapter may be cited as the "Data Security 426
for Money Transmitters Act." 427
SECTION 9. Definitions. As used in this chapter, the 428
following terms shall have the meaning ascribed herein: 429
S. B. No. 2715 *SS26/R760* ~ OFFICIAL ~
26/SS26/R760
PAGE 18 (baf\tb)
(a) "Authorized user" means an employee, contractor, 430
agent, or other person that participates in a licensee's business 431
operations and is authorized to access and use a licensee's 432
information systems and data. 433
(b) "Consumer" means an individual who obtains or has 434
obtained a financial product or service from a licensee that is to 435
be used primarily for personal, family or household purposes, or 436
that individual's legal representative. 437
(c) "Customer" means a consumer who has a customer 438
relationship with a licensee. 439
(d) "Customer information" means a record containing 440
nonpublic personal information about a customer of a licensee, 441
whether in paper, electronic or other form, that is handled or 442
maintained by or on behalf of a licensee or the licensee's 443
affiliates. 444
(e) "Customer relationship" means a continuing 445
relationship between a consumer and a licensee under which the 446
licensee provides to the consumer one or more financial products 447
or services that are used primarily for personal, family or 448
household purposes. 449
(f) "Encryption" means the transformation of data into 450
a form that results in a low probability of assigning meaning 451
without the use of a protective process or key, consistent with 452
current cryptographic standards and accompanied by appropriate 453
safeguards for cryptographic key material. 454
S. B. No. 2715 *SS26/R760* ~ OFFICIAL ~
26/SS26/R760
PAGE 19 (baf\tb)
(g) "Licensee" means a money transmitter or virtual 455
currency kiosk licensed under the Money Transmission Modernization 456
Act. 457
(h) "Financial product or service" means a product or 458
service that a financial holding company could offer by engaging 459
in a financial activity under section 4(k) of the Bank Holding 460
Company Act of 1956, 12 USC § 1843(k), as it existed on January 1, 461
2025. A "financial product or service" includes a licensee's 462
evaluation or brokerage of information that a licensee collects in 463
connection with a request or an application from a consumer for a 464
financial product or service. 465
(i) "Information security program" means the 466
administrative, technical or physical safeguards a licensee uses 467
to access, collect, distribute, process, protect, store, use, 468
transmit, dispose of or otherwise handle customer information. 469
(j) "Information system" means a discrete set of 470
electronic information resources organized for the collection, 471
processing, maintenance, use, sharing, dissemination or 472
disposition of electronic information, including any specialized 473
system, such as industrial controls systems or process controls 474
systems, telephone switching and private branch exchange systems 475
and environmental controls systems, that contains customer 476
information or that is connected to a system that contains 477
customer information. 478
S. B. No. 2715 *SS26/R760* ~ OFFICIAL ~
26/SS26/R760
PAGE 20 (baf\tb)
(k) "Multifactor authentication" means authentication 479
through verification of at least two (2) of the following types of 480
authentication factors: 481
(i) Knowledge factors, including, without 482
limitation, a password; 483
(ii) Possession factors, including, without 484
limitation, a token; or 485
(iii) Inherence factors, including, without 486
limitation, biometric characteristics. 487
(l) (i) "Nonpublic personal information" means: 488
1. Personally identifiable financial 489
information; and 490
2. A list, description or other grouping of 491
consumers, and publicly available information pertaining to a 492
consumer, that is derived using personally identifiable financial 493
information that is not publicly available. 494
(ii) "Nonpublic personal information" includes, 495
without limitation, a list of individuals' names and street 496
addresses that is derived in whole or in part using personally 497
identifiable financial information that is not publicly available. 498
(iii) "Nonpublic personal information" does not 499
include: 500
1. Publicly available information, except as 501
included on a list described in subparagraph (i)2 of this 502
paragraph (l); 503
S. B. No. 2715 *SS26/R760* ~ OFFICIAL ~
26/SS26/R760
PAGE 21 (baf\tb)
2. A list, description or other grouping of 504
consumers, and publicly available information pertaining to the 505
list, description or other grouping of consumers, that is derived 506
without using personally identifiable financial information that 507
is not publicly available; or 508
3. A list of individuals' names and addresses 509
that contains only publicly available information and is not: 510
a. Derived, in whole or in part, using 511
personally identifiable financial information that is not publicly 512
available; and 513
b. Disclosed in a manner that indicates 514
that any of the individuals on the list is a consumer of a 515
licensee. 516
(m) (i) "Notification event" means acquisition of 517
unencrypted customer information without the authorization of an 518
individual to which the information pertains. 519
(ii) For purposes of this paragraph (m): 520
1. Customer information is considered 521
unencrypted if the encryption key was accessed by an unauthorized 522
person; and 523
2. Unauthorized acquisition will be presumed 524
to include unauthorized access to unencrypted customer information 525
unless a licensee has reliable evidence showing that there has not 526
been, or could not reasonably have been, unauthorized acquisition 527
of the customer information. 528
S. B. No. 2715 *SS26/R760* ~ OFFICIAL ~
26/SS26/R760
PAGE 22 (baf\tb)
(n) "Penetration testing" means a test methodology in 529
which assessors attempt to circumvent or defeat the security 530
features of an information system by attempting penetration of 531
databases or controls from outside or inside a licensee's 532
information systems. 533
(o) (i) "Personally identifiable financial 534
information" means information: 535
1. A consumer provides to a licensee to 536
obtain a financial product or service from a licensee; 537
2. About a consumer resulting from a 538
transaction involving a financial product or service between a 539
licensee and a consumer; or 540
3. A licensee otherwise obtains about a 541
consumer in connection with providing a financial product or 542
service to that consumer. 543
(ii) "Personally identifiable financial 544
information" includes: 545
1. Information a consumer provides to a 546
licensee on an application to obtain a loan, credit card or other 547
financial product or service; 548
2. Account balance information, payment 549
history, overdraft history, and credit or debit card purchase 550
information; 551
S. B. No. 2715 *SS26/R760* ~ OFFICIAL ~
26/SS26/R760
PAGE 23 (baf\tb)
3. The fact that an individual is or has been 552
a licensees' customer or has obtained a financial product or 553
service from a licensee; 554
4. Information about a licensee's consumer if 555
the information is disclosed in a manner that indicates that the 556
individual is or has been the licensee's consumer; 557
5. Information that a consumer provides to a 558
licensee or that a licensee or a licensee's agent otherwise 559
obtains in connection with collecting on, or servicing, a credit 560
account; 561
6. Information a licensee collects through an 562
internet cookie or the information-collecting device from a 563
computer server; and 564
7. Information from a consumer report. 565
(iii) "Personally identifiable financial 566
information" does not include: 567
1. A list of names and addresses of customers 568
of an entity that is not a licensee; or 569
2. Information that does not identify a 570
consumer, including aggregate information or blind data that does 571
not contain personal identifiers such as account numbers, names, 572
or addresses. 573
(p) (i) "Publicly available information" means 574
information that a licensee has a reasonable basis to believe is 575
lawfully made available to the public from: 576
S. B. No. 2715 *SS26/R760* ~ OFFICIAL ~
26/SS26/R760
PAGE 24 (baf\tb)
1. Federal, state or local government 577
records; 578
2. Widely distributed media; or 579
3. Disclosures to the public that are 580
required to be made by federal, state or local law. 581
(ii) "Publicly available information" includes, 582
without limitation: 583
1. Information in government records, 584
including information in government real estate records and 585
security interest filings; and 586
2 Information from widely distributed media, 587
including information from a telephone book, a television or radio 588
program, a newspaper, or a website that is available to the public 589
on an unrestricted basis. 590
(iii) A website is not restricted under 591
subparagraph (ii)2 of this paragraph (p) merely because an 592
internet service provider or a site operator requires a fee or a 593
password, so long as access is available to the public. 594
(iv) For purposes of this paragraph (p), a 595
licensee has a reasonable basis to believe that: 596
1. Information is lawfully made available to 597
the public if the licensee has taken steps to determine: 598
a. That the information is of the type 599
that is available to the public; and 600
S. B. No. 2715 *SS26/R760* ~ OFFICIAL ~
26/SS26/R760
PAGE 25 (baf\tb)
b. Whether an individual can direct that 601
the information not be made available to the public and, if so, 602
that the licensee's consumer has not directed that the information 603
not be made available to the public; 604
2. Mortgage information is lawfully made 605
available to the public if the licensee determines that the 606
information is of the type included on the public record in the 607
jurisdiction where the mortgage would be recorded; and 608
3. An individual's telephone number is 609
lawfully made available to the public if the licensee has located 610
the telephone number in a telephone directory or the consumer has 611
informed the licensee that the telephone number is not unlisted. 612
(q) "Qualified individual" means an individual 613
designated by a licensee to oversee, implement and enforce the 614
licensee's information security program. 615
(r) "Security event" means an event resulting in 616
unauthorized access to, or disruption or misuse of: 617
(i) An information system or information stored on 618
the information system; or 619
(ii) Customer information held in physical form. 620
(s) "Service provider" means a person or entity that 621
receives, maintains, processes, or otherwise is permitted access 622
to customer information through its provision of services directly 623
to a licensee that is subject to this chapter. 624
S. B. No. 2715 *SS26/R760* ~ OFFICIAL ~
26/SS26/R760
PAGE 26 (baf\tb)
SECTION 10. Standards for safeguarding customer information. 625
(1) A licensee shall develop, implement and maintain a 626
comprehensive information security program. 627
(2) The information security program under subsection (1) of 628
this section shall: 629
(a) Be written in one or more readily accessible parts; 630
and 631
(b) Contain administrative, technical, and physical 632
safeguards that are appropriate to the licensee's size and 633
complexity, the nature and scope of the licensee's activities, and 634
the sensitivity of any customer information at issue. 635
(3) The information security program shall include the 636
information required under Section 9 of this act. 637
SECTION 11. Information security program required elements. 638
(1) In order for a licensee to develop, implement and maintain an 639
information security program, the licensee shall comply with the 640
provisions of this section. 641
(2) (a) A licensee shall designate a qualified individual 642
responsible for overseeing and implementing the licensee's 643
information security program and enforcing an information security 644
program. 645
(b) (i) The qualified individual may be employed by 646
the licensee, an affiliate or a service provider. 647
(ii) If a licensee designates an individual 648
employed by an affiliate or service provider, the licensee shall: 649
S. B. No. 2715 *SS26/R760* ~ OFFICIAL ~
26/SS26/R760
PAGE 27 (baf\tb)
1. Retain responsibility for compliance with 650
this chapter; 651
2. Designate a senior member of the 652
licensee's personnel to be responsible for direction and oversight 653
of the qualified individual; and 654
3. Require the service provider or affiliate 655
to maintain an information security program that protects the 656
licensee in accordance with the requirements of this chapter. 657
(3) (a) A licensee shall base the licensee's information 658
security program on a risk assessment that: 659
(i) Identifies reasonably foreseeable internal and 660
external risks to the security, confidentiality and integrity of 661
customer information that could result in the unauthorized 662
disclosure, misuse, alteration, destruction or other compromise of 663
the information; and 664
(ii) Assesses the sufficiency of any safeguards in 665
place to control these risks. 666
(b) The risk assessment shall be written and include: 667
(i) Criteria for the evaluation and categorization 668
of identified security risks or threats the licensee faces; 669
(ii) Criteria for the assessment of the 670
confidentiality, integrity and availability of the licensee's 671
information systems and customer information, including the 672
adequacy of the existing controls in the context of the identified 673
risks or threats the licensee faces; and 674
S. B. No. 2715 *SS26/R760* ~ OFFICIAL ~
26/SS26/R760
PAGE 28 (baf\tb)
(iii) Requirements describing how identified risks 675
will be mitigated or accepted based on the risk assessment and how 676
the information security program will address the risks. 677
(c) A licensee shall periodically perform additional 678
risk assessments that: 679
(i) Reexamine the reasonably foreseeable internal 680
and external risks to the security, confidentiality, and integrity 681
of customer information that could result in the unauthorized 682
disclosure, misuse, alteration, destruction or other compromise of 683
customer information; and 684
(ii) Reassess the sufficiency of any safeguards in 685
place to control these risks. 686
(4) A licensee shall design and implement safeguards to 687
control the risks the financial institution identifies through the 688
risk assessment as required under subsection (3) of this section, 689
including, without limitation: 690
(a) Implementing and periodically reviewing access 691
controls, including technical and, as appropriate, physical 692
controls, to: 693
(i) Authenticate and permit access only to 694
authorized users to protect against the unauthorized acquisition 695
of customer information; and 696
(ii) Limit authorized users' access only to 697
customer information that the authorized user needs to perform the 698
S. B. No. 2715 *SS26/R760* ~ OFFICIAL ~
26/SS26/R760
PAGE 29 (baf\tb)
authorized user's duties and functions, or in the case of 699
customers, to access the customer's own customer information; 700
(b) Identifying and managing the data, personnel, 701
devices, systems, and facilities that enable the licensee to 702
achieve business purposes according to the licensee's relative 703
importance to business objectives and the licensee's risk 704
strategy; 705
(c) Protecting by encryption all customer information 706
held or transmitted by the licensee both in transit over external 707
networks and at rest. To the extent the licensee determines that 708
encryption of customer information, either in transit over 709
external networks or at rest, is infeasible, the licensee may 710
instead secure the customer information using effective 711
alternative compensating controls reviewed and approved by the 712
licensee's qualified individual; 713
(d) Adopting secure development practices for in-house 714
developed applications utilized by the licensee for transmitting, 715
accessing, or storing customer information and procedures for 716
evaluating, assessing, or testing the security of externally 717
developed applications the licensee utilizes to transmit, access 718
or store customer information; 719
(e) Implementing multifactor authentication for an 720
individual accessing an information system, unless the licensee's 721
qualified individual has approved in writing the use of reasonably 722
equivalent or more secure access controls; 723
S. B. No. 2715 *SS26/R760* ~ OFFICIAL ~
26/SS26/R760
PAGE 30 (baf\tb)
(f) Developing, implementing, and maintaining 724
procedures for the secure disposal of customer information in any 725
format no later than two (2) years after the last date the 726
customer information is used in connection with the provision of a 727
financial product or service to the customer, unless the customer 728
information is: 729
(i) Necessary for business operations or for other 730
legitimate business purposes; 731
(ii) Otherwise required to be retained by state 732
law or rule, or federal law or regulation; or 733
(iii) Where targeted disposal is not reasonably 734
feasible due to the manner in which the information is maintained; 735
(g) Periodically reviewing the licensee's data 736
retention policy to minimize the unnecessary retention of data; 737
(h) Adopting procedures for change management; and 738
(i) Implementing policies, procedures and controls 739
designed to monitor and log the activity of authorized users and 740
detect unauthorized access or use of, or tampering with, customer 741
information by these users. 742
(5) (a) A licensee shall regularly test or otherwise 743
monitor the effectiveness of the safeguards' key controls, systems 744
and procedures, including those to detect actual and attempted 745
attacks on or intrusions into information systems. 746
S. B. No. 2715 *SS26/R760* ~ OFFICIAL ~
26/SS26/R760
PAGE 31 (baf\tb)
(b) (i) For information systems, monitoring and 747
testing shall include continuous monitoring or periodic 748
penetration testing and vulnerability assessments. 749
(ii) Absent effective continuous monitoring or 750
other systems to detect, on an ongoing basis, changes in 751
information systems that may create vulnerabilities, the licensee 752
shall conduct: 753
1. Annual penetration testing of a licensee's 754
information systems determined each given year based on relevant 755
identified risks according to the risk assessment; and 756
2. Vulnerability assessments, including a 757
systemic scan or review of an information system reasonably 758
designed to identify publicly known security vulnerabilities in 759
the licensee's information systems based on the risk assessment, 760
at least every six (6) months, and whenever there are: 761
a. Material changes to the licensee's 762
operations or business arrangements; and 763
b. Circumstances the licensee knows or 764
has reason to know may have a material impact on the licensee's 765
information security program. 766
(6) A licensee shall implement policies and procedures to 767
ensure that personnel are able to enact the licensee's information 768
security program by: 769
S. B. No. 2715 *SS26/R760* ~ OFFICIAL ~
26/SS26/R760
PAGE 32 (baf\tb)
(a) Providing the licensee's personnel with security 770
awareness training that is updated as necessary to reflect risks 771
identified by the risk assessment; 772
(b) Utilizing qualified information security personnel 773
employed by the licensee or an affiliate or service provider 774
sufficient to manage the licensee's information security risks and 775
to perform or oversee the information security program; 776
(c) Providing information security personnel with 777
security updates and training sufficient to address relevant 778
security risks; and 779
(d) Verifying that key information security personnel 780
take steps to maintain current knowledge of changing information 781
security threats and countermeasures. 782
(7) A licensee shall oversee service providers by: 783
(a) Taking reasonable steps to select and retain 784
service providers that are capable of maintaining appropriate 785
safeguards for the customer information at issue; 786
(b) Requiring the licensee's service providers by 787
contract to implement and maintain such safeguards; and 788
(c) Periodically assessing the licensee's service 789
providers based on the risk they present and the continued 790
adequacy of their safeguards. 791
(8) A licensee shall evaluate and adjust the licensee's 792
information security program to reflect: 793
S. B. No. 2715 *SS26/R760* ~ OFFICIAL ~
26/SS26/R760
PAGE 33 (baf\tb)
(a) The results of the testing and monitoring required 794
by subsection (5) of this section; 795
(b) Upon any material change to the licensee's 796
operations or business arrangements or other circumstances; 797
(c) The results of risk assessments performed under 798
subsection (3)(c) of this section; and 799
(d) Any other circumstances that the licensee knows or 800
has reason to know may have a material impact on the licensee's 801
information security program. 802
(9) (a) A licensee shall establish a written incident 803
response plan designed to promptly respond to, and recover from, 804
any security event materially affecting the confidentiality, 805
integrity, or availability of customer information in the 806
licensee's control. 807
(b) The incident response plan under paragraph (a) of 808
this subsection (9) shall address: 809
(i) The goals of the incident response plan; 810
(ii) The internal processes for responding to a 811
security event; 812
(iii) The definition of clear roles, 813
responsibilities and levels of decision-making authority; 814
(iv) External and internal communications and 815
information sharing; 816
S. B. No. 2715 *SS26/R760* ~ OFFICIAL ~
26/SS26/R760
PAGE 34 (baf\tb)
(v) Identification of requirements for the 817
remediation of any identified weaknesses in information systems 818
and associated controls; 819
(vi) Documentation and reporting regarding 820
security events and related incident response activities; and 821
(vii) The evaluation and revision as necessary of 822
the incident response plan following a security event. 823
(10) (a) The licensee's qualified individual shall report 824
in writing at least annually, to the licensee's board of directors 825
or equivalent governing body. 826
(b) If a board of directors or equivalent governing 827
body does not exist, the report required under paragraph (a) of 828
this subsection (10) shall be timely presented to a senior officer 829
responsible for the licensee's information security program. 830
(c) The report required under paragraph (a) of this 831
subsection (10) shall include: 832
(i) The overall status of the information security 833
program and the licensee's compliance with this chapter and 834
associated rules; and 835
(ii) Material matters related to the information 836
security program, addressing issues such as risk assessment, risk 837
management and control decisions, service provider arrangements, 838
results of testing, security events or violations and management's 839
responses to security events or violations, and recommendations 840
for changes in the information security program. 841
S. B. No. 2715 *SS26/R760* ~ OFFICIAL ~
26/SS26/R760
PAGE 35 (baf\tb)
(11) A licensee shall establish a written plan addressing 842
business continuity and disaster recovery. 843
SECTION 12. Notification to the commissioner. (1) A 844
licensee shall provide notice to the commissioner about 845
notification events according to subsection (2)(a) and (b) of this 846
section. 847
(2) (a) Upon discovery of a notification event as described 848
in paragraph (b) of this subsection (2), if the notification event 849
involves the information of any consumers in this state, the 850
licensee shall notify the commissioner as soon as possible, but in 851
no event later than seventy-two (72) hours after discovery of the 852
notification event. The notice shall: 853
(i) Be made in a format specified by the 854
commissioner; and 855
(ii) Include the following information: 856
1. The name and contact information of the 857
reporting licensee; 858
2. A description of the types of information 859
that were involved in the notification event; 860
3. If the information is possible to 861
determine, the date or date range of the notification event; 862
4. The number of consumers affected or 863
potentially affected by the notification event; 864
5. A general description of the notification 865
event; and 866
S. B. No. 2715 *SS26/R760* ~ OFFICIAL ~
26/SS26/R760
PAGE 36 (baf\tb)
6. Whether a law enforcement official has 867
provided the licensee with a written determination that notifying 868
the public of the notification event would impede a criminal 869
investigation or cause damage to national security, and a means 870
for the commissioner to contact the law enforcement official. A 871
law enforcement official may request an initial delay of up to 872
thirty (30) days following the date when notice was provided to 873
the commissioner. The delay may be extended for an additional 874
period of up to sixty (60) days if the law enforcement official 875
seeks an extension in writing. Additional delay may be permitted 876
only if the commissioner determines that public disclosure of a 877
notification event continues to impede a criminal investigation or 878
cause damage to national security. 879
(b) A notification event under this section shall be 880
treated as discovered as of the first day on which the 881
notification event is known to the licensee. The licensee shall 882
be deemed to have knowledge of a notification event if the 883
notification event is known to any person, other than the person 884
committing the notification event, who is the licensee's employee, 885
officer or other agent. 886
(c) In the case of a notification event in a system 887
maintained by a service provider, of which the licensee has become 888
aware, the licensee shall treat such event as it would under 889
paragraph (a) of this subsection (2). However, the computation of 890
the licensee's deadlines shall begin on the day after the service 891
S. B. No. 2715 *SS26/R760* ~ OFFICIAL ~
26/SS26/R760
PAGE 37 (baf\tb)
ST: Money Transmission Modernization Act;
revise various provisions of and create new
provisions related to.
provider notifies the licensee of the notification event or the 892
licensee otherwise has actual knowledge of the event, whichever is 893
sooner. 894
SECTION 13. Exceptions. Section 11(3)(b), (5)(b), (9) and 895
(10) of this act shall not apply to a licensee who maintains 896
customer information concerning fewer than five thousand (5,000) 897
consumers. 898
SECTION 14. Authority of the commissioner. (1) The 899
commissioner shall have power to examine and investigate into the 900
affairs of any covered licensee to determine whether the licensee 901
has been or is engaged in any conduct in violation of this 902
chapter. This authority is in addition to the powers which the 903
commissioner has under the Money Transmission Modernization Act. 904
(2) Whenever the commissioner has reason to believe that a 905
licensee has been or is engaged in conduct in this state that 906
violates this chapter, the commissioner may take action that is 907
necessary or appropriate to enforce the provisions of this 908
chapter. 909
SECTION 15. Sections 8 through 14 of this act shall be 910
codified as a new Chapter within Title 75, Mississippi Code of 911
1972. 912
SECTION 16. This act shall take effect and be in force from 913
and after July 1, 2026. 914