Insufficient data protection can constitute an unfair act or practice under the CFPA

The Consumer Financial Protection Bureau’s new Circular suggests that not having enough data security practices in place might violate the Consumer Financial Protection Act (CFPA).

In Circular 2022-04, the CFPB has strongly emphasized that insufficient data protection or information security can constitute an unfair act or practice. To stay compliant with the new guidelines, financial institutions should at least consider implementing multi-factor authentication alongside adequate password management and timely software update policies. The FTC’s Safeguards Rule for financial institutions under the Gramm-Leach-Bliley Act (GLBA) remains applicable, and these new requirements are in addition to those set forth under GLBA.

If you are not using MFA, there will be consequences

If you are not using Multifactor Authentication (“MFA”), there will be consequences. MFA requires multiple credential verifications before accessing an account. A common MFA procedure is requiring a password and a temporary numeric code to log in to an account. MFA increases the level of difficulty for bad actors trying to compromise an account and gain access to consumer data. The CFPB is urging consumers to reach out and file reports if their providers fail to offer MFA.

Scammers have found ways to phish or trick consumers into approving transactions on their mobile devices, which has led the CFPB to reconsider its view toward MFA. Another threat is “MFA Fatigue,” where scammers use stolen credentials in scripts that repeatedly trigger authentication prompts until a user approves one. Financial institutions should adopt, at a minimum, multi-factor authentication and adequate password management policies. They should also update their software regularly.

The CFPB is encouraging the financial services industry to implement FIDO Authentication. The FIDO (“Fast IDentity Online”) Alliance seeks to reduce over-reliance on passwords. Password-only logins are no longer secure or fast enough for today’s websites and apps. The Cybersecurity and Infrastructure Security Agency (CISA) refers to FIDO Authentication as the “gold standard” of protection against credential phishing attacks.

The sharing of customer information among banks and fintech firms is the underlying reason for the change, with the goal of ensuring safe practices related to third-party management, information technology controls and risk governance. The regulations also look at whether firms are implementing password management processes.

Inadequate data security could still be considered an unfair practice

If authentication, password management, or software update policies and practices are inadequate, it is probable that consumers will suffer substantial harm that cannot be reasonably avoided. Financial institutions will not be able to justify inferior data security practices based on benefits to consumers or competition. Even without a breach or intrusion occurring, the CFPB could still consider inadequate data security to be an unfair practice.

“Financial firms that cut corners on data security put their customers at risk of identity theft, fraud, and abuse. While many non-bank companies and financial technology providers have not been subject to careful oversight over their data security, they risk legal liability when they fail to take common sense steps to protect personal financial data.”

— Rohit Chopra (CFPB Director)

The CFPB plans to promulgate a rule that will control how consumer data may be shared. The CFPB Final Rule is anticipated to be published by 2023, though additional regulatory compliance requirements are coming soon.

Contact Global Legal Law Firm

At Global Legal Law Firm, our lawyers are familiar with the rapidly changing nature of electronic payments processing and the ever-changing regulations involved, with decades of expertise in ISOs, processors, commercial collections, credit card brands, and other forms of electronic payment processing litigation. Let us guide you through this new and volatile environment, rather than attempting to navigate it on your own.