Go-To Guide:
  • New CFPB Circular indicates that failure to implement sufficient data security practices may violate the Consumer Financial Protection Act
  • Financial institutions may wish to adopt, at a minimum, multi-factor authentication, adequate password management policies, and timely software update policies to comply with new guidance
  • These requirements are in addition to, and do not replace, the FTC’s Safeguards Rule for financial institutions under the GLBA

On Aug. 11, 2022, the U.S. Consumer Financial Protection Bureau (CFPB) issued Circular 2022-04 (Circular), indicating that financial institutions and service providers that fail to adopt sufficient data security measures to protect consumer financial data may violate the Consumer Financial Protection Act (CFPA) provision prohibiting unfair acts and practices. The CFPB indicates that whether a financial institution’s security program is adequate under the CFPA is a fact-intensive question, but the agency does offer some basic examples of what it may consider required.

The CFPA prohibits unfair acts or practices, which are defined as an act or practice that:

  • causes or is likely to cause substantial injury to consumers,
  • is not reasonably avoidable by consumers, and
  • is not outweighed by countervailing benefits to consumers or competition.

The CFPB warns that inadequate data security measures that fail to protect consumer data can cause all three results, and that actual injury is not required to find an unfair or deceptive act. Additionally, a breach or intrusion is not necessary for the CFPB to find that a financial institution’s data security practices are unfair.

Specifically, the Circular provides three examples of data security measures whose absence may indicate that a financial institution has inadequate data security. These include:

  • Multi-factor authentication (MFA)
  • Password management policies and practices
  • Timely software updates

These concepts will not be surprising to financial institutions that are already subject to the Federal Trade Commission’s Safeguards Rule under the Gramm-Leach-Bliley Act. The Safeguards Rule contains more specific and stringent data security requirements than those the CFPB recommends in the Circular. The CFPB notes that while the Safeguards Rule’s requirements may overlap with the standard set in the Circular, they are not coextensive. Financial institutions and service providers may wish to take steps to ensure compliance with both the Safeguards Rule and the CFPB’s new guidance.