CFPB guidance warns nonbank financial firms on data security

The Consumer Financial Protection Bureau published a circular yesterday explaining that nonbank financial firms—such as fintech companies and credit reporting agencies—may violate the Consumer Financial Protection Act’s prohibition on “unfair acts or practices” if they fail to protect sensitive consumer financial information. The circular notes that insufficient data protection may also violate the Gramm-Leach-Bliley Act’s Safeguards Rule, but states that “while these requirements often overlap, they are not coextensive.” The circular provides examples of when financial firms can be held liable for lax data security protocols. It also names three data security measures that, if lacking, could increase the risk that a firm’s conduct triggers liability under the CFPA: multi-factor authentication, adequate password management and timely software updates.

Banks are already subject to, and routinely examined for compliance with, rigorous federal privacy and data protection laws, including the Gramm-Leach-Bliley Act. In a statement accompanying the release of the circular, CFPB Director Rohit Chopra noted, however, that many nonbank actors and financial technology companies have not been subject to careful oversight of their data security.