Financial Fintechs Reminded of Data Protection Duties, CFPB Warns

The bureau states nonbank fintechs must adhere to the requirements of the Gramm-Leach-Bliley Act.

Entrance to the Consumer Financial Protection Bureau, Washington, D.C. (Source: Shutterstock)

The CFPB released a nine-page circular Thursday warning fintechs working in the financial space of their duty to maintain the data security safeguards and standards required by the Gramm-Leach-Bliley Act. Fintechs that do not follow these standards may be in violation of the Consumer Financial Protection Act’s (CFPA) prohibition on unfair, deceptive or abusive acts and practices.

Thursday’s circular appeared to be another warning from the bureau that, despite their nonbank status and lack of financial regulatory oversight, fintechs will be monitored by the CFPB for unfair or abusive practices related to shoddy cybersecurity policies.

“In addition to other federal laws governing data security for financial institutions, including the Safeguards Rules issued under the Gramm-Leach-Bliley Act (GLBA), ‘covered persons’ and ‘service providers’ must comply with the prohibition on unfair acts or practices in the CFPA,” the CFPB stated.

It continued, “Acts or practices are unfair when they cause or are likely to cause substantial injury that is not reasonably avoidable or outweighed by countervailing benefits to consumers or competition. Inadequate authentication, password management, or software update policies or practices are likely to cause substantial injury to consumers that is not reasonably avoidable by consumers, and financial institutions are unlikely to successfully justify weak data security practices based on countervailing benefits to consumers or competition. Inadequate data security can be an unfair practice in the absence of a breach or intrusion.”

In a post on its website, NAFCU was supportive of the CFPB’s reaffirmation of the issue.

“NAFCU supports holding nonbank fintech companies to the same data security standards that apply to credit unions to create competitive equality. However, the broad applicability of the circular to ‘covered persons’ and ‘service providers’ means that the extension of UDAAP-related liability for inadequate data security practices could potentially impact credit unions.

“Under the GLBA, the NCUA is responsible for administering the law’s data safeguard provisions for federally-insured credit unions. NAFCU will continue to engage the bureau to emphasize the NCUA’s role as the primary functional regulator for examining credit union data security,” NAFCU stated.

NAFCU sourced its own Data Privacy and Security white paper, which stated there’s “no reason that a small credit union should be subject to more stringent requirements than an organization like Equifax, or that an organization like Facebook should not be subject to any requirements. Similar data security requirements should be imposed for fintech companies, retailers, and other entities that handle personal and financial information.”