At the beginning of 2016, the Consumer Financial Protection Bureau (CFPB) announced its consent order against Dwolla, Inc., an online payment service. The CFPB claims that this enforcement action is due to Dwolla’s “deceiving consumers about its data security practices and the safety of its online payment system.”
Specifically, although Dwolla admits no wrongdoing as part of the order, the bureau found that Dwolla “misrepresented its data-security practices.”
That is, between January of 2011 and March of 2014, the company “failed to take reasonable and appropriate measures to protect consumer data from unauthorized access or comply with PCI standards” and failed to encrypt “some sensitive consumer personal information.”
Compliance professionals at financial institutions already have much on their plates: fighting money laundering, knowing their customers and vendors, and ensuring the highest levels of online security for their consumers and depositors. With investigations and enforcement actions like this one, the CFPB is yet another regulatory agency demanding their time and resources.
Given how active the CFPB has been with regard to enforcement actions in its five-year history so far, this action shouldn’t come as a major surprise to any industry observers. Nonetheless, if you’re familiar with the CFPB’s statutory authority, you may be wondering how the agency has the power to take such enforcement action and why it is becoming active in this area. After all, these charges sound an awful lot like violations of the Gramm-Leach-Bliley Act’s (GLBA) data privacy regulations – which require financial institutions to safeguard their consumers’ “personally identifiable financial information” – and those rules were specifically excluded from the CFPB’s enforcement responsibilities by Congress.
Considering how closely some of the CFPB’s complaints about Dwolla’s handling of its customers’ information mirror GLBA requirements, the CFPB is clearly aware of GLBA’s privacy regulations. The reason no one is crying “foul” is the carefully crafted language the CFPB used in its enforcement action.
That is, the agency purports to be taking action against Dwolla not because of its mishandling of consumer data per se, but because the CFPB claims the company made “false representations” about its data-security practices. Framed this way, the action falls squarely within the CFPB’s primary regulatory role of preventing “unfair, deceptive, or abusive” practices “in connection with any transaction with a consumer for a consumer financial product or service.”
In spite of the CFPB’s statements that it’s sticking to its bread-and-butter enforcement territory, this action is significant for a number of reasons.
For one, this is the bureau’s first action on data security. That is significant not only because Congress, as noted above, did not delegate enforcement authority in this area to the CFPB, but also because several other federal agencies, including the Federal Trade Commission (FTC), the Securities and Exchange Commission (SEC), and the Federal Communications Commission (FCC), already purport to regulate it.
Apparently, the CFPB isn’t content to wait for another regulatory body to act on data privacy, at least where unfair, deceptive, or abusive practices are involved. That raises the question of where the CFPB will strike next: if the CFPB is willing to wade into the regulation of data security, which other areas of regulation will it venture into? This action may be only the beginning of the CFPB’s foray into a broader regulatory landscape that will greatly affect a large array of financial institutions, and it should thus serve as notice that the agency will proactively pursue action against any unfair, deceptive, or abusive practices it identifies.
Then again, the CFPB only has statutory authority to regulate “covered persons,” a term defined to mean either:
(1) any person that engages in offering or providing a consumer financial product or service;
(2) any affiliate of such a person if that affiliate acts as a service provider to such person.
While those definitions set boundaries on the agency’s jurisdiction, the CFPB’s aggressive enforcement strategy and the breadth of the second definition, which effectively allows actions against any party knowingly involved in the regulated financial product or service, mean that the agency’s reach extends far beyond those who directly provide consumer financial products or services.
And if that weren’t enough, the CFPB took this action against Dwolla without any evidence of an actual data breach or consumer harm, making the CFPB the quintessential proactive regulator. While it’s probably good that the CFPB stepped in before any customer data was lost or stolen (which could have exposed Dwolla to civil liability to consumers), companies should be aware that the CFPB won’t necessarily wait until consumers are harmed before taking action.
In sum, the CFPB seems to be a new breed of regulatory animal, one that executes its responsibilities with a vigor not seen in other agencies and one that financial organizations need to pay attention to. Despite its dynamic nature, though, the CFPB is still limited to punishing “unfair, deceptive, or abusive” practices in the consumer finance field. Companies seeking to avoid unnecessary attention from the bureau would therefore do well to avoid such practices, and in the data-security context that starts with making sure that what they tell consumers about encryption, PCI compliance, and the safety of their systems matches what they actually do.