The CFPB Takes Aim at FinTech
As republished on March 15, 2016 by The National Law Review.
Over the last several years, financial technology ("FinTech") companies have captured the attention of the marketplace with innovative financial products and processes. Now FinTech companies are capturing the attention of the Consumer Financial Protection Bureau ("CFPB"). Two recent actions by the CFPB within the last fourteen days make clear that FinTech companies can expect some of the same regulatory burdens as those faced by Federal Deposit Insurance Corporation ("FDIC") insured banks. In the first action, the CFPB assessed a civil money penalty against a FinTech company for data security deficiencies, the first-ever such action brought by the CFPB. In the second action, the CFPB announced to the public that it would begin accepting consumer complaints regarding online marketplace lenders.
Data Security Protections
On March 2, 2016, the CFPB and Dwolla, Inc., an Iowa-based online peer-to-peer payment system provider ("Dwolla"), entered into a Consent Order that imposed the CFPB's first-ever civil money penalty for data security violations under the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (the "Dodd-Frank Act").
In the Consent Order, the CFPB alleged that Dwolla made misrepresentations relating to Dwolla's data security practices that otherwise constituted deceptive acts and practices likely to cause substantial consumer harm, in violation of the Dodd-Frank Act. Specifically, the CFPB alleged that between 2010 and 2014, Dwolla advertised falsely on its website that all its payment transactions were "safe and secure," and that its data security processes and protections "met or exceeded" industry standards. The CFPB claimed that Dwolla failed to employ reasonable and appropriate measures to protect sensitive consumer data from unauthorized access by failing to:
- adopt and implement data security policies and procedures reasonable and appropriate for the organization;
- use appropriate measures to identify reasonably foreseeable security risks;
- ensure that employees who had access to consumer information receive adequate training and guidance about security risks;
- use encryption technologies to properly safeguard sensitive consumer information (at rest and in transit); and
- practice secure software development, particularly with regard to consumer-facing applications developed at an affiliated website.
There were no CFPB allegations of a data breach or specific harm to any consumer. The CFPB order makes no mention of consumer complaints. In fact, there is no insight into how Dwolla became a target of the CFPB.
The Consent Order requires Dwolla, in addition to paying a $100,000.00 civil money penalty, to enact the following measures to improve the safety of its data security procedures and protections:
- establish, implement and maintain a written, comprehensive data security plan that is reasonably designed to protect sensitive consumer information that is appropriate to Dwolla's size and the complexity of its operations;
- adopt and implement reasonable and appropriate data security policies and procedures;
- designate a qualified person to coordinate and be accountable for the data security program;
- conduct data security risk assessments semiannually;
- conduct regular, mandatory employee training on Dwolla's data security policies, the safe handling of consumers' sensitive information and secure software design, development and testing;
- develop, implement and update, as required, security patches to fix any security vulnerabilities identified in any web or mobile application;
- develop, implement and maintain an appropriate method of customer identity authentication at the registration phase and before effecting a funds transfer; and
- obtain an annual data security audit from an independent, qualified third party, using procedures and standards generally accepted in the profession.
Now Accepting Consumer Complaints
On March 7, 2016, the CFPB announced that it is now accepting complaints from consumers encountering problems with loans from online marketplace lenders. The CFPB defines an online marketplace lender as a lender that uses an online interface to connect a consumer or business seeking to borrow money with investors willing to buy or invest in the loan. Once the loan is originated, the online marketplace lender may keep the loan on its books, or make arrangements to transfer the loan’s ownership to the investors while it continues to service the loan.
The CFPB currently accepts complaints on many consumer financial products, including: mortgages, bank accounts and services, credit cards, student loans, auto and other consumer loans, credit reporting, debt collection and payday loans. Generally, this consumer complaint mechanism allows the CFPB to gather information on problem areas within a targeted industry. Typically, it is the first step by the CFPB in expanding its regulatory oversight over a given practice or industry.
What Does This Mean?
Overall, the CFPB's actions over this past week give notice of the CFPB's increasing supervision over the FinTech industry. The Dodd-Frank Act requires all companies that provide or offer a financial product or service, from online startups to large banks, to adhere to the consumer financial protection laws. These recent CFPB actions reinforce the regulator’s recent commentary that FinTech companies’ access to sensitive consumer information represents a unique threat to consumers in a world of ever-increasing data breaches.
To meet their obligations, FinTech companies should have data security protections in place that are typical of an institution of like size and complexity prior to launch. The data security procedures that a FinTech company must establish, implement and maintain are directly comparable to those required of FDIC-insured banks pursuant to the Interagency Guidelines Establishing Information Security Standards ("Interagency Guidelines"). The idea that FinTech companies face the same obligations as FDIC-insured banks is brought home by comparing the order entered against Dwolla to the Interagency Guidelines. When a FinTech company fails to establish such data security protections, it must not misrepresent its product as being "secure" or "safe" when it in fact is not.
Over the coming months, FinTech companies should be aware that the CFPB has positioned itself through these recent actions to take additional enforcement and rulemaking action(s) that are likely to impact the FinTech industry. Importantly, the FinTech industry must take note that the CFPB's scrutiny of FinTech data security protections is likely to increase, regardless of whether there has been a data breach or not.
To view the full text of the CFPB Dwolla Consent Order, click here.
To view the full text of the CFPB Online Marketplace Lender Bulletin, click here.
For more information about the CFPB's actions, or the current state of FinTech regulation and what it could mean for your institution, please contact James M. Kane at +1 (312) 609 7533, Daniel C. McKay, II at +1 (312) 609 7762, James W. Morrissey at +1 (312) 609 7717, or your Vedder Price attorney.