WASHINGTON—The Consumer Financial Protection Bureau has warned that financial companies may violate consumer financial protection laws when they fail to safeguard consumer data, while separately telling digital marketing providers for financial institutions that they must comply with federal consumer financial protection laws.
In the first action, the CFPB has published a new circular cautioning that financial companies may violate federal consumer financial protection law when they fail to safeguard consumer data.
The circular provides guidance to consumer protection enforcers, including examples of when firms can be held liable for lax data security protocols, according to the Bureau.
Can’t ‘Cut Corners’
"Financial firms that cut corners on data security put their customers at risk of identity theft, fraud, and abuse," said CFPB Director Rohit Chopra in a statement. "While many nonbank companies and financial technology providers have not been subject to careful oversight over their data security, they risk legal liability when they fail to take commonsense steps to protect personal financial data."
The CFPB said it is increasing its focus on potential misuse and abuse of personal financial data. As part of this effort, the Bureau said the circular explains how and when firms may be violating the Consumer Financial Protection Act with respect to data security.
Specifically, financial companies are at risk of violating the Consumer Financial Protection Act if they fail to have adequate measures to protect against data security incidents, according to the CFPB.
Prior Instances Cited
“Past data security incidents, including the 2017 Equifax data breach, have led to the harvesting of the sensitive personal data of hundreds of millions of Americans. In some cases, these incidents violated the Consumer Financial Protection Act,” the CFPB said.
“(The) circular also provides examples of widely implemented data security practices. The circular does not suggest that particular security practices are specifically required under the Consumer Financial Protection Act,” according to the CFPB. “However, the circular notes some examples where the failure to implement the following data security measures might increase the risk that a firm’s conduct triggers liability under the Consumer Financial Protection Act.”
The Measures
The CFPB said those measures include:
- Multi-factor Authentication. “Multi-factor authentication greatly increases the level of difficulty for adversaries to compromise enterprise user accounts, and thus gain access to sensitive customer data. Multi-factor authentication can protect against credential phishing, such as those using the Web Authentication standard supported by web browsers.”
- Adequate Password Management. “Unauthorized use of passwords is a common data security issue, as is the use of default enterprise logins or passwords. Username and password combinations can be sold on the dark web or posted for free on the internet, creating risk of future breaches. For firms that are still using passwords, password management policies and practices allow for ways to monitor for breaches at other entities where employees may be re-using logins and passwords.”
- Timely Software Updates. “Software vendors and creators, including open-source software libraries and projects, often send out patches and other updates to address continuously emerging threats. Upon announcement of these updates to address vulnerabilities, hackers immediately become aware that firms using older versions of software are potential targets to exploit. Protocols to immediately update software and address vulnerabilities once they become publicly known can reduce vulnerabilities.”
Warning For Digital Marketing Providers
Separately, the CFPB issued a new interpretive rule stating that digital marketing providers for financial firms must comply with federal consumer financial protection laws where applicable.
“Digital marketers that are involved in the identification or selection of prospective customers or the selection or placement of content to affect consumer behavior are typically service providers for purposes of the law,” the Bureau said. “Digital marketers acting as service providers can be held liable by the CFPB or other law enforcers for committing unfair, deceptive, or abusive acts or practices as well as other consumer financial protection violations.”
Added CFPB Director Rohit Chopra, "When Big Tech firms use sophisticated behavioral targeting techniques to market financial products, they must adhere to federal consumer financial protection laws. Federal and state law enforcers can and should hold these firms accountable if they break the law."
Advertising Has Been ‘Transformed’
According to the CFPB, digital marketing providers have transformed advertising. Traditional advertising relies on getting a product or service out to as wide an audience as possible.
“A traditional marketer, for example, may try to purchase time and space for a TV commercial on the most watched station or show. Digital marketers, on the other hand, seek to maximize individuals’ interactions with ads,” the Bureau said. “They may harvest personal data to feed their behavioral analytics models that can target individuals or groups that they predict are more likely to interact with an ad or sign up for a product or service.”
The Bureau further noted that when digital marketing providers go beyond traditional advertising, they are typically covered by the Consumer Financial Protection Act as service providers.
“The Act contains an exception for companies that solely provide time or space for an advertisement for a consumer financial product or service through print, newspaper, or electronic media,” the CFPB said. However, the Bureau stated that the exception does not cover firms that are materially involved in the development of content strategy.
Relying on Expertise
The CFPB statement noted financial firms rely on the expertise and tools of digital marketing providers that offer sophisticated analytic techniques, aided by machine learning and advanced algorithms, to process large amounts of personal data and deliver highly targeted ads.
“Financial firms use behavioral analytics to connect with potential customers. However, depending on how these practices are designed and implemented, behavioral marketing and advertising could subject firms to legal liability,” the CFPB said.
What the Rule Explains
The CFPB said its new interpretive rule explains:
- Digital marketers provide material services to financial firms: “A material service is one that is significant or important. Digital marketing providers are typically materially involved in the development of content strategy when they identify or select prospective customers or select or place content in order to encourage consumer engagement with advertising. Digital marketers engaged in this type of ad targeting and delivery are not merely providing ad space and time, and they do not qualify under the ‘time or space’ exception.”
- The CFPB, states, and other consumer protection enforcers can sue digital marketers to stop violations of consumer financial protection law: “Service providers are liable for unfair, deceptive, or abusive acts or practices under the Consumer Financial Protection Act. When digital marketers act as service providers, they are liable for consumer protection law violations.”
