The Consumer Financial Protection Bureau (CFPB) has put financial services and financial technology (FinTech) companies on notice that it intends to play a significant role in protecting consumers from inadequate data security. The CFPB has ordered an online payment company to pay a $100,000 penalty, improve its data security practices, and undergo data security assessments twice per year and audits annually. Importantly, the order requires timely reporting by management to the Board of Directors on the status of data security compliance obligations, placing ultimate responsibility for the data security program squarely on the Board.
In its enforcement action, the CFPB alleged that the online payment company had “failed to employ reasonable and appropriate measures to protect data obtained from consumers from unauthorized access” and had misrepresented its data security practices, publicly stating that consumer data was “securely encrypted and stored.”
This is the first such CFPB enforcement action, and the move is widely seen as putting FinTechs and the entire financial services marketplace on notice of heightened data security oversight. “With data breaches becoming commonplace and more consumers using these online payment systems, the risk to consumers is growing,” said CFPB Director Richard Cordray following the announcement of the settlement. “It is crucial that companies put systems in place to protect this information and accurately inform consumers about their data security practices.”
The CFPB’s unfair, deceptive, or abusive acts or practices (UDAAP) authority under the Dodd-Frank Act provides it with a set of tools to protect consumers not only from intentional acts, such as misrepresenting to the public the level of data security provided (a deceptive act), but also from unintentional acts or oversights that may be deemed unfair. With this enforcement action, the CFPB has given a strong indication of its future enforcement focus. The agency can be expected to continue to pursue actions under its UDAAP authority against companies where it believes inadequate data security, or misrepresentations about data security, may pose a risk to consumers.
Time to Act
In the aftermath of the CFPB’s enforcement action, financial services companies—and FinTechs in particular—should assess the adequacy of their current data security program. Specific action items should include:
Accuracy of Public Statements: Conducting a thorough review of publicly facing security statements to ensure that such statements accurately reflect the program itself. If they do not, actions should be taken in a prioritized manner to gain alignment.
Executive Sponsorship: Assigning an executive sponsor to maintain oversight of the data security program. The program should include technical controls appropriate to the data risks along with well-documented policies, procedures, training, and ongoing communication to ensure the program is adopted by employees and third parties alike.
Board Reporting: Implementing ongoing analysis and reporting to the Board, with corresponding reporting of corrective actions and program improvements. A solid data security program starts at the top, with the Board setting the tone and providing budget approvals necessary for program development.
Third-Party Risk Management: Conducting thorough due diligence about a potential vendor’s data security before engaging that party and sharing consumer data. Once engaged, third-party vendors must be subject to assessment or audit of their data security programs.
Security governance programs should be structured to facilitate continuous improvement and further optimization of the organization’s data security. Tailoring monitoring, testing, reporting, corrective action, and remediation processes that sufficiently account for the risk and complexity of the company’s operations is critical to maintaining a strong data security program.
Having brought its first data security enforcement action under its UDAAP authority, the CFPB can be expected to remain active in scrutinizing financial services providers as it seeks to protect consumers. Proactive measures to avert data breaches, rather than reactive measures, will be required. FinTechs may face slightly greater regulatory risk, given their emphasis on agility and speed to market, which may lead to inadequate data risk governance strategies and programs. In both the FinTech sector and conventional banking, the risks involved with data collection, processing, sharing, and storage must be well managed, and protections appropriate to those risks must be implemented. The CFPB’s intention to ensure that this is the case is now clear.