CFPB to crack down on financial firms' protection of consumer data

Financial companies that don't protect consumer data may violate federal consumer protection law, a federal agency said. 

The Consumer Financial Protection Bureau issued a circular that outlines financial firms' responsibilities to guard consumer data, saying that failure to do so could be a violation of the Consumer Financial Protection Act.

The move is part of a set of broader policy statements and fines that signals a crackdown on tech and financial companies. On Wednesday, the agency said that digital marketing firms that use algorithms or other analytics to target specific customers can be held liable for violating federal law.

"Financial firms that cut corners on data security put their customers at risk of identity theft, fraud and abuse," CFPB Director Rohit Chopra said in a statement. "While many nonbank companies and financial technology providers have not been subject to careful oversight over their data security, they risk legal liability when they fail to take common sense steps to protect personal financial data."

The CFPB said it's increasing its focus on the "potential misuse and abuse of personal finance data." In the circular, the agency specifies that acts and practices are unfair when they're likely to cause substantial harm, and when the financial company wouldn't put itself at a competitive disadvantage by preventing that harm. 

Specifically, the agency listed multifactor authentication, password management and timely software updates as methods financial companies should use to prevent consumer harm involving personal data. If a company lacks these preventive measures, the CFPB said, that failure is unlikely to have any countervailing benefits and could cause substantial consumer harm.

Notably, the agency said that a company doesn't need to experience a data breach in order for its protection of consumer data to be deemed inadequate and for the firm to be violating the Consumer Financial Protection Act. 

"Actual injury is not required to satisfy this prong in every case," the CFPB said. "A significant risk of harm is also sufficient."

Practices that "are likely to cause" substantial injury, such as inadequate data security measures, may violate the law, the agency warned.

The CFPB cited Equifax, among other examples, as a relevant precedent. The 2017 Equifax breach exposed the data of "hundreds of millions" of people. In 2019, the CFPB charged the firm with violating the Consumer Financial Protection Act over its data security.

"While the prohibition on unfair practices is fact-specific, the experience of the agencies suggests that failure to implement common data security practices will significantly increase the likelihood that a firm may be violating the prohibition," the agency said. 
