Bureau says credit unions and other financial institutions could be cited for violations if information security is found lacking.
Financial institutions, including credit unions, may violate consumer protection prohibitions against unfair acts or practices if they have insufficient data protection or information security programs, the CFPB announced Thursday.
In a circular published on its website, the agency said that in such instances financial institutions may be cited not only for violating the Gramm-Leach-Bliley Act but also under consumer protection statutes.
“Financial firms that cut corners on data security put their customers at risk of identity theft, fraud, and abuse,” stated CFPB Director Rohit Chopra. “While many nonbank companies and financial technology providers have not been subject to careful oversight over their data security, they risk legal liability when they fail to take commonsense steps to protect personal financial data.”
Increased Focus on Financial Data
The agency noted it is increasing its focus on the use of personal financial data, saying, “Specifically, financial companies are at risk of violating the Consumer Financial Protection Act if they fail to have adequate measures to protect against data security incidents.”
The bureau explained that the Consumer Financial Protection Act defines an unfair act or practice as one “(1) that causes or is likely to cause substantial injury to consumers, (2) which is not reasonably avoidable by consumers, and (3) is not outweighed by countervailing benefits to consumers or competition.”
Potential Specific Violations
Three examples of areas that could lead to a violation were cited.
For instance, if a financial institution does not use multi-factor authentication (MFA) for consumer accounts or an equivalent protection, it could violate consumer protection laws. “MFA greatly increases the level of difficulty for adversaries to compromise enterprise user accounts, and thus gain access to sensitive customer data. MFA solutions that protect against credential phishing, such as those using the Web Authentication standard supported by web browsers, are especially important,” the agency outlined.
It added that if a financial institution fails to have adequate password protections or update its software regularly, it could violate the prohibition against unfair acts or practices.
Pushback to CFPB
The CFPB has come under fire from critics who contend that the agency has overly broad discretion in defining what constitutes an unfair, deceptive, or abusive act or practice.