
North Dakota has enacted significant regulatory changes with HB 1127, signed into law on April 11, 2025. The legislation introduces stricter data security requirements and expands licensing rules for financial brokers, impacting both traditional institutions and fintech providers. This overhaul aligns North Dakota with states like New York and California, addressing gaps in nonbank financial service oversight [1].
TL;DR: Key Provisions of HB 1127
- Data Security Mandates: Covered entities must implement risk-based safeguards, encryption, and annual penetration testing.
- Licensing Expansion: Brokers of “alternative financing products” (e.g., BNPL, EWA) may now require DFI licenses.
- Breach Reporting: Notify the North Dakota Department of Financial Institutions (DFI) within 45 days if a breach affects 500+ consumers.
Expanded Data Security Requirements
HB 1127 mandates that financial institutions and nonbank service providers adopt comprehensive information security programs. These must include administrative, technical, and physical safeguards based on a written risk assessment [2]. A designated individual must oversee the program and report annually to senior leadership. Technical measures include:
- Encryption for data in transit and at rest, with exceptions only for compensating controls approved by the DFI.
- Annual penetration testing and biannual vulnerability assessments (or continuous monitoring).
Non-compliance risks penalties, including operational restrictions. The law’s breach reporting clause requires entities to notify the DFI within 45 days if a breach affects 500 or more consumers, mirroring federal timelines under laws like HIPAA and GDPR [3].
Broker Licensing and Fintech Implications
The law expands licensing requirements to brokers of “alternative financing products,” a category that may include fintech offerings like buy-now-pay-later (BNPL) and earned wage access (EWA). The DFI retains authority to classify certain arrangements as “loans,” subjecting them to existing broker regulations [4]. Legal experts caution that smaller fintech firms may face disproportionate compliance burdens due to resource constraints [5].
Relevance to Security Professionals
For security teams, HB 1127’s data security provisions necessitate:
- Gap Analysis: Compare existing controls against the law’s requirements, particularly encryption and testing protocols.
- Policy Updates: Revise incident response plans to meet the 45-day breach reporting deadline.
- Third-Party Risk Management: Ensure vendors handling financial data comply with the new standards.
The DFI is expected to release further guidance on enforcement timelines, with full compliance likely required by 2026.
Conclusion
North Dakota’s HB 1127 reflects a broader trend of state-level financial regulation tightening. Organizations operating in the state should prioritize compliance assessments, especially for data security and licensing classifications. Proactive adaptation will mitigate risks of penalties and operational disruptions.
References
- [1] “North Dakota Expands Data Security Requirements and Issues New Licensing Requirements for Brokers,” Consumer Finance and Fintech Blog, Apr. 2025.
- [2] North Dakota Century Code Amendments (HB 1127), North Dakota Legislative Assembly, 2025.
- [3] Cybersecurity Reporting Guidelines, North Dakota Insurance Department, 2025.
- [4] “North Dakota Data Broker Study,” Clarip, 2021.
- [5] A.J. Dhaliwal, Sheppard Mullin Analysis, Malware.news, Apr. 2025.