Skip to content

Insurance

CFPB's Statement on Data Security Signals new Compliance Concerns

← All articles
Filed under Insurance

Insufficient data protection or information security can violate the prohibition against unfair acts or practices according to a circular released last week by the federal Consumer Financial Protection Bureau.

This position is not new, as the Bureau has been pursuing covered entities for lax data security measures for some years.

In 2016 the Bureau brought its first data security enforcement action against Dwolla, a payment processor. What makes this action stand out is that Dwolla did not suffer a data breach nor was it accused of exposing consumer non-public information.

Instead, the Bureau claimed the company mispresented to consumers the quality of its encryption and data-security protections.

In addition, the Bureau alleged Dwolla did not have "reasonable and appropriate data-security policies and procedures governing the collection, maintenance, or storage of consumers' personal information." Dwolla was ordered to pay a $100,000 fine and take measures to fix its "security flaws."

In the intervening years, the Bureau has added information and data security to its examination procedures.

THE IMPORTANCE OF THE CIRCULAR

While the Bureau believes lax data security can be an unfair act when providing consumer financial services, the problem for covered entities is that the Bureau does not provide any detail on what are appropriate data security standards. In fact, the Bureau emphasizes that compliance with existing federal data security regulations might not be enough.

Last year, the Federal Trade Commission promulgated amendments to its Safeguards Rule addressing data security for entities subject to the federal Gramm-Leach-Bliley Act. Amendments that impose requirements on a covered entity's data security policies and procedures become effective on Dec. 9. Because the amended rule applies to entities that are also covered by the CFPB, you would expect compliance with the amended Safeguards Rule would satisfy the Bureau.

But you would be wrong. The circular points out that the Bureau's expectations concerning data security are "not coextensive" with the Safeguards Rule or "other federal laws governing data security."

The timing of the release of the circular is also important. On July 21, ACA International, the American Financial Services Association, the Consumer Data Industry Association. The National Automobile Dealers Association wrote the FTC requesting a one-year extension of the effective date of the new requirements.

On Aug. 5, the Office of Advocacy of the U.S. Small Business Administration made a similar letter request. So even if the implementation of the new Safeguards Rule standards is delayed for another year, as the Bureau sees it, covered entities are already expected to have sufficient data protection controls in place today.

THREE PRACTICES DESIGNED TO FAIL

And while the circular does not explain what these appropriate controls might be, it does provide examples of practices likely to get covered entities in hot water.

First, not requiring multi-factor authentication or its equivalent "for its employees or offer[ing] multifactor authentication as an option for consumers accessing systems and accounts."

Second, "not having adequate password management policies" will likely trigger a violation.

Finally, the failure to have policies and procedures for updates and patches to "systems, software and code" is likely to trigger liability.

But as often has been the case with the Bureau, understanding which compliance measures will work is often found in its past enforcement actions and the circular devotes significant text to those.

ENFORCEMENT, EXAMINATION, AND INVESTIGATION OF DATA SECURITY

When the Bureau releases a circular like this one, you can expect to see enforcement actions, more rigorous examinations, and investigations centered around the circular's subject matter.

Such was the case following a 2014 release of a circular concerning the Furnisher Rule which applies standards for furnishing to credit reporting agencies and dispute investigations under the Fair Credit Reporting Act. Following the release of the Furnisher Rule circular, several enforcement actions included allegations that the covered entity violated the rule and noted in its 2017 and 2019 reports that examinations of covered entities revealed non-compliance with the Furnisher Rule.

And since data security and privacy are hot news topics, the Bureau will want to capture some of those headlines for itself.


Editor’s Note: This article originally appeared in The Consumer Financial Services Blog (consumerfsblog.com).

Found This Useful? Let's Get You Set Up.

Start an application and an expert will tailor the next steps to your situation.

Related reading

May 2026

Newsletter

May 2026

COLORADO AI DECISIONING LAW REPLACED Colorado Governor Jared Polis signed Senate Bill 26-189 on May 14, 2026, repealing and replacing the state's earlier AI law with a narrower framework governing automated decision-making technology used in consequential decisions. Effective January 1, 2027, the law applies when automated tools materially influence decisions involving consumer access, eligibility, pricing, [...]

April 2026

Newsletter

April 2026

NY BNPL LICENSING FRAMEWORK ADVANCES WITH DETAILED REQUIREMENTS Following earlier movement to regulate Buy Now, Pay Later products, New York regulators are now advancing a proposed rule that outlines how the framework would operate in practice. The rule would require most BNPL providers to obtain a state license and comply with detailed requirements covering disclosures, [...]

15 Licensing Application Process Facts That Delay Approvals

Compliance

15 Licensing Application Process Facts That Delay Approvals

Most licensing delays come from small misses. A payment method that does not work, a stale certificate, the wrong signature, a missing ownership detail. These are the things that slow down filings, trigger deficiencies, and force teams to redo work they thought was finished. We pulled these from the webinar because they came up naturally [...]

Dissecting the Final Debt Collection Rule: What You Need to Know

Licensing

Dissecting the Final Debt Collection Rule: What You Need to Know

The CFPB Publishes the Remainder of its Final Debt Collection Rule - Here's What You Need to Know By: Caren D. Enloe The FDCPA defines a consumer as any natural person obligated or allegedly obligated to pay a consumer debt. Section 1006.2(c) of the Rule interprets 1692a(3) to include deceased natural persons. This definition dovetails [...]

Avoiding the Traps of Debt Validation Notices

Licensing

Avoiding the Traps of Debt Validation Notices

Picking Apart the Validation Notice Requirements Under the Debt Collection Rule By: Caren D. Enloe With the CFPB undergoing leadership changes, one thing that remains clear about the Debt Collection Rule is that collection agencies should begin readying themselves for a November 30th effective date. Now that the Rule has been fully published, this article [...]

Adjusting Procedures for Deceased Consumers

Licensing

Adjusting Procedures for Deceased Consumers

Adjusting Procedures for Deceased Consumers By: Caren D. Enloe Section 1692a(3) defines a consumer as any natural person obligated or allegedly obligated to pay a consumer debt. The final debt collection rule interprets the definition of a consumer to include deceased natural consumers, as well. Looking towards a November 30th effective date, here are some [...]

Browse the full insights library, meet our editorial team, or download our whitepapers.

Insights

Found This Useful? Let's Get You Set Up.

An expert will respond within one business day.