Weekly Fintech Focus

  • CFPB warns firms about UDAAP violations for information security weaknesses.
  • CFPB issued an interpretive rule to clarify that digital marketing providers can be covered service providers under the CFPA for targeting and placement of advertisements for financial products and services.

CFPB Warns Firms on Information Security Weaknesses

On August 11, 2022, the Consumer Financial Protection Bureau (CFPB) released a circular confirming that financial companies can violate consumer financial protection laws if they fail to safeguard consumer data. The circular cites the CFPB’s Unfair, Deceptive, or Abusive Acts or Practices (UDAAP) authority, which prohibits unfair acts or practices that cause substantial injury to consumers that is not reasonably avoidable and is not outweighed by countervailing benefits to consumers or competition. The CFPB notes that, without adequate data safeguards, a firm’s services could expose consumers to such unfairness. The CFPB further states that it is unaware of any court finding, in an unfairness analysis, that poor data security practices were outweighed by countervailing benefits to consumers or competition. As a result, the CFPB explains that inadequate data security could be an unfair practice even in the absence of a breach or intrusion.

The circular provides numerous examples of security measures that the CFPB thinks could help companies safeguard data and minimize the risk of liability for violating the unfairness prong of UDAAP. These include:

  • Multifactor authentication (MFA). MFA is a security process that requires multiple credentials before a consumer can access their account, requiring more than one of the following categories of information: something you know, something you have, and something you are. Common MFA processes require a password and temporary code to log in.
  • Adequate password management. If a firm is still using passwords, its password management policies should provide ways to monitor for compromised passwords.
  • Timely software updates. Firms should have procedures in place to immediately update software to address vulnerabilities once those vulnerabilities become publicly known and patches are available.

To support its position, the CFPB cites rules and enforcement actions taken by the Federal Trade Commission (FTC). In particular, the FTC recently updated its Safeguards Rule, which implements Section 501(b) of the Gramm-Leach-Bliley Act (GLBA), to set forth certain safeguards nonbanks must implement to secure consumer financial data. The CFPB also points to recent FTC enforcement actions, such as the 2019 Equifax action and the 2022 CafePress action, which found that the companies acted unfairly by failing to provide reasonable security, including by using software with known unpatched vulnerabilities and by failing to disclose security incidents.

CFPB Issues Rule on Digital Marketing of Financial Services

The CFPB issued a rule clarifying that digital marketers of financial products and services are subject to consumer protection regulations. The interpretive rule addresses digital marketing providers that provide both the targeting and the delivery of advertisements to consumers, for example, big tech companies that use algorithms or other models and analytics to target recipients of ads and also provide the “time or space” for those advertisements. As a result, if a digital marketing provider is “involved in the identification or selection of prospective customers or the selection or placement of content to affect consumer engagement, including purchase or adoption behavior,” then that entity could be a service provider under the Consumer Financial Protection Act (CFPA or Act). The interpretive rule focuses on entities that “commingle” the targeting and placement of advertisements and on those that are involved in “content strategy.”

Under the CFPA, a “service provider” to a covered person under the Act is “any person that provides a material service to a covered person in connection with the offering or provision by such covered person of a consumer financial product or service.” A “service provider” includes a person that “participates in designing, operating, or maintaining the consumer financial product or service” or “processes transactions relating to the consumer financial product or service.” A “service provider” is not subject to the CFPA by virtue of providing a covered person with “a support service of a type provided to businesses generally or similar ministerial service,” or “time or space for an advertisement for a consumer financial product or service through print, newspaper, or electronic media.”

The interpretive rule clarifies that some digital marketing providers are “service providers” under the CFPA. Unlike traditional media such as newspapers or radio, the CFPB’s rule explains, digital marketing providers that go beyond the mere provision of “time or space” and offer a material service to covered persons are subject to the CFPA. A material service includes the commingling of the targeting and delivery of advertisements. Digital marketing providers that offer more material services, such as lead generation, customer acquisition, marketing analysis or strategy, and data and modeling for targeting and placement, are providing services that “increasingly resemble[] [the] functions … often performed by covered persons themselves.”