The Consumer Financial Protection Bureau has made it increasingly clear that the agency’s enforcement unit will be less aggressive going forward.
But that move could actually expose fintechs to more risk, not less.
Late last month, acting Director Mick Mulvaney told a conference of state attorneys general that the CFPB would no longer be “pushing the envelope” or “look[ing] to create law where there isn’t” through enforcement actions. Instead, the acting director said, the CFPB will be “looking to the state regulators and state attorneys general for a lot more leadership when it comes to enforcement.” This would amount to a considerable change that comes with its own set of risks for companies that deal with consumers or the public.
For the emerging fintech space, one key area of concern in the pre-Mulvaney regime was the CFPB’s enforcement of the Dodd-Frank Act’s prohibition on unfair, deceptive, or abusive trade practices. Since many fintech companies rely heavily on the collection and analysis of consumer data — think payment companies and marketplace lenders — those companies’ practices and disclosures around protecting that data risked possible CFPB action.
Recall, for example, the CFPB’s enforcement action in 2016 against Dwolla for misrepresenting its data security practices. Dwolla had represented to its customers that its data protection practices surpassed the industry standard for protection, and that consumer information was “securely encrypted and stored.” In reality, the CFPB charged, Dwolla failed to encrypt sensitive personal information and did not perform adequate data security testing on its services. According to the CFPB, Dwolla’s misrepresentations concerning its data security environment amounted to deceptive trade practices, and the company was ordered to pay a penalty and address flaws in its data security scheme.
Under the new regime, it is not yet clear whether the CFPB’s overall scaling back of enforcement activity will affect its approach to the data-driven fintech space. But should the CFPB leave these issues to state authorities, fintech companies may, counterintuitively, have more to worry about.
The perception that federal enforcers have left a field open may embolden the agency’s state counterparts to step into the fray. It was not that long ago that Eliot Spitzer’s aggressive enforcement of New York law led news outlets to dub him the “Sheriff of Wall Street,” amid questions about the SEC’s scaled-back role in the securities markets. Indeed, state attorneys general have been indicating for months that they intend to step up to fill gaps left by federal authorities. (It is possible, of course, that other federal regulators, such as the FTC, could also seek to fill a perceived vacuum.)
For state authorities looking for an increased role in the market, fintech companies’ protection of consumer information could become an area of focus. All 50 states have statutes prohibiting unfair and deceptive practices. And state attorneys general know how to use their authority to bring enforcement actions for data-privacy-related failures. Acting Director Mulvaney has also indicated that he will generally not interfere with state actions to enforce provisions of Dodd-Frank itself, which the statute authorizes.
In all, with the CFPB encouraging state authorities to step into the fray, the consequence of the CFPB’s preference for less enforcement at the federal level may not mean less enforcement activity overall. Instead, it could lead to more inconsistent and unpredictable efforts by state authorities under a disparate set of views of what practices are acceptable.
In the meantime, fintech companies must remain vigilant regarding their privacy practices and disclosures to make sure they are up to snuff in all the jurisdictions in which they operate.
Hanscom Federal Credit Union in Massachusetts said it would acquire Peoples Bancorp and its insurance agency. It marked the 21st deal of the year involving a credit union buying a bank.
The OCC's 2024 annual report said that while the federal banking system remains stable, it faces challenges such as rising credit costs, declining net income and increasing nonperforming loans.
BNY announced expanded employee benefits and a boost in its minimum wage for all U.S.-based employees; Synovus has added former FIS executive Greg Montana to its executive board; National Bank Holdings sold off a fifth of its securities portfolio; and more in this week's banking news roundup.
The Capital One-Discover merger, the war against Visa and Mastercards' swipe fees and budding payment technologies were most popular with American Banker readers in 2024.
Financial institutions that build a presence on the social media platform could gain a first-mover advantage and a communications channel with potential customers, experts say.
The Consumer Financial Protection Bureau sued three of the largest U.S. banks for fraud perpetrated on the bank-owned payment network Zelle, alleging shoddy safeguards and millions in consumer losses.