Mississippi Enacts Data Security and Consumer Protection Requirements for Money Transmitters, Effective July 1, 2026
Summary
On April 8, 2026, Mississippi Governor Tate Reeves signed House Bill 1596 into law, creating the Data Security for Money Transmitters Act (DSMTA). The new freestanding law, codified in Title 75 of the Mississippi Code, imposes comprehensive data security obligations on money transmitters and virtual currency kiosk operators licensed under the state's Money Transmission Modernization Act. Requirements include a written information security program, annual penetration testing, 72-hour breach notification to the Commissioner, and specific technical safeguards such as MFA and encryption. The Act takes effect July 1, 2026.
What changed
Mississippi enacted House Bill 1596, creating the Data Security for Money Transmitters Act, a new freestanding law imposing data security obligations on MTMA licensees. The Act requires written information security programs with risk assessments, technical safeguards including MFA, encryption, secure development practices, and annual penetration testing. Licensees must maintain incident response and business continuity plans, report security program status annually to their governing board, and notify the Commissioner within 72 hours of discovering a notification event involving unauthorized acquisition of unencrypted customer information.
Affected money transmitters and virtual currency kiosk operators should begin compliance preparations immediately, as the Act takes effect July 1, 2026. Entities must designate a qualified individual to oversee the information security program, implement required technical and administrative safeguards, and establish breach notification procedures meeting the 72-hour Commissioner notification window.
What to do next
- Monitor for updates on implementation
- Review HB 1596 compliance requirements
- Prepare written information security program before July 1, 2026
Archived snapshot
Apr 15, 2026: GovPing captured this document from the original source. If the source has since changed or been removed, this is the text as it existed at that time.
April 15, 2026
Mississippi Enacts Data Security and Consumer Protection Requirements for Money Transmitters, Effective July 1, 2026
Yvonne Bowser-Caballero, Felix Shipkevich, Shipkevich PLLC
On April 8, 2026, Mississippi Governor Tate Reeves signed House Bill 1596 (“HB 1596” or the “Act”) into law, creating the “Data Security for Money Transmitters Act” (“DSMTA”), a new freestanding law imposing data security obligations on money transmitters and virtual currency kiosk operators licensed under the state’s Money Transmission Modernization Act (“MTMA”), and amending several existing MTMA provisions to address virtual currency kiosks, elder fraud protections, and consumer-facing disclosures. The Act takes effect July 1, 2026, and introduces meaningful new compliance obligations for licensed entities operating in the state.
Information Security Program Requirements
The new DSMTA is not an amendment to the MTMA but rather a new, freestanding law being codified into Title 75 of the Mississippi Code, applicable to all MTMA licensees. At its core, it requires each licensee to develop, implement, and maintain a comprehensive written information security program calibrated to the licensee’s size and complexity, the nature and scope of its activities, and the sensitivity of the customer information it handles. Licensees must designate a qualified individual to oversee, implement, and enforce the program. The qualified individual may be an employee of the licensee, an affiliate, or a third-party service provider, though the licensee itself remains responsible for compliance in all cases and must designate a senior internal officer to provide direction and oversight where the qualified individual is employed externally.
The information security program must be grounded in a written risk assessment that identifies reasonably foreseeable internal and external risks to customer information, evaluates the adequacy of existing safeguards, and establishes a plan for mitigating identified risks. Periodic reassessments are required on an ongoing basis. The Act also mandates specific technical and administrative safeguards, including access controls and multi-factor authentication (“MFA”) for individuals accessing information systems; encryption of customer information in transit and at rest (or approved alternative compensating controls); secure development and evaluation practices for applications used to transmit or store customer data; secure disposal of customer information within two years of last use; monitoring and logging of authorized user activity; annual penetration testing; and vulnerability assessments at least every six months.
Licensees must also maintain a written incident response plan, a written business continuity and disaster recovery plan, and a security awareness training program for personnel. At least annually, the licensee’s qualified individual must report in writing to the board of directors or equivalent governing body on the overall status of the information security program and any material risk, security event, or compliance concern.
Breach Notification to the Commissioner
Upon discovery of a “notification event,” defined as the acquisition of unencrypted customer information without the authorization of the affected individual, a licensee must notify the Mississippi Commissioner of Banking and Consumer Finance (“Commissioner”) as soon as possible, but in no event later than seventy-two (72) hours after discovery. The required notice must include the licensee’s contact information, a description of the types of information involved, the date or date range of the event, the number of consumers affected or potentially affected, and a general description of the event. Where law enforcement has determined that public notification would impede a criminal investigation, the Commissioner may permit a delay of up to thirty (30) days, extendable by an additional sixty (60) days.
Small Licensee Exception
The Act provides a limited exception for smaller operators. Licensees that maintain customer information concerning fewer than 5,000 consumers are exempt from certain requirements, specifically the written risk assessment, annual penetration testing and vulnerability assessments, the incident response plan, and the annual board reporting obligation. The core requirement to maintain a comprehensive information security program and to comply with the 72-hour breach notification requirement applies regardless of size.
MTMA Amendments: Virtual Currency Kiosks, Elder Fraud Protections, and New Disclosure Requirements
In addition to the new data security law, the Act amends several existing MTMA provisions. Virtual currency kiosks are expressly brought within the MTMA’s licensing and reporting framework, with kiosk locations required to be reported through the existing authorized delegate reporting process. Licensees are now required to provide authorized delegates with annual training materials by April 1st of each year, covering how to recognize financial abuse and exploitation of elder adults and how to respond appropriately to suspected fraudulent transactions involving elder victims. Newly appointed delegates must receive these materials within one month of appointment.
The Act also introduces new disclosure requirements applicable to both licensees and authorized delegates, including the prominent display of licensee and delegate contact information, directions for consumers to contact the Department of Banking and Consumer Finance with complaints, and a clear, conspicuous, and multilingual fraud warning at points of transaction, whether in-person, electronic, or telephonic.
Implications for Licensed Money Transmitters
With an effective date of July 1, 2026, money transmitters and virtual currency kiosk operators licensed in Mississippi have a limited time to assess and build out their compliance infrastructure. The new data security law’s requirements, particularly the designation of a qualified individual, a written and risk-based information security program, and a 72-hour regulatory notification timeline, reflect a growing state-level trend toward imposing bank-like data security obligations on non-bank financial services providers. Licensees should evaluate their current information security posture, review service provider agreements for compliance with the Act’s third-party oversight requirements, and ensure that authorized delegate training and disclosure obligations are incorporated into their operational calendars ahead of the July 1st effective date.
DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.
About this page
Source document text, dates, docket IDs, and authority are extracted directly from Shipkevich PLLC.
The summary, classification, recommended actions, deadlines, and penalty information are AI-generated from the original text and may contain errors. Always verify against the source document.