CFPB Circular Emphasizes Banks’ Responsibility to Protect Customer Data

CFPB Circular Emphasizes Banks’ Responsibility to Protect Customer Data

By: Ken Chase.

Estimated reading time: 3 minutes

In a new circular published this week, the Consumer Financial Protection Bureau outlined financial companies’ responsibility to protect their customers’ personal and financial data. In a move that analysts viewed as a potential crackdown on financial firms, the CFPB noted that failure to adequately safeguard consumer data could place banks in violation of the Consumer Financial Protection Act.

 The circular was created to answer questions concerning financial entities’ possible violation of that Act due to a failure to provide adequate information security and data protection. The bureau’s response and analysis left no doubt about the CFPB’s position on that issue: when the regulatory bureau finds that an institution has neglected to implement any of three basic security controls, that institution is likely to face punitive action.

Those three security controls include basic considerations recognized as the bare minimum in data safeguards: multifactor authentication to verify identities, password management, and regular timely updates to software systems.

Multifactor authentication, or MFA, is becoming a priority for regulators concerned about data protection. The CFPB clearly expressed its belief that this security measure can help to reduce unauthorized access to customers’ accounts and personal data.

Proper password management can help to eliminate one of the most common access points for data breaches. According to the CFPB, an organization’s failure to maintain adequate password management practices and systems would likely trigger a liability finding in the event that customer data security was negatively impacted.

The CFPB’s position on software updates was equally straightforward. In its view, companies that fail to install regularly issued security patches could be liable for any resulting vulnerabilities that leave customer data unprotected from hackers and other bad actors. As a result, companies have an obligation to quickly install updates and patches as they are released, while also replacing any software systems that are no longer receiving vendor support and maintenance.

As the CFPB notes in its circular, “In certain circumstances, failure to comply with these specific requirements may also violate the CFPA’s prohibition on unfair acts or practices. The CFPA defines an unfair act or practice as an act or practice: (1) that causes or is likely to cause substantial injury to consumers, (2) which is not reasonably avoidable by consumers, and (3) is not outweighed by countervailing benefits to consumers or competition.”

Learn more on this topic

Related Insights

Capital One Announces $35B Megamerger with Discover

Capital One Announces $35B Megamerger with Discover

Capital One recently confirmed its intent to purchase Discover Financial for $35.3 billion. Regulators will still need to approve the megamerger before the sale can proceed. If that approval happens, Capital One would become the nation’s largest credit card issuer,...

Banking Groups Sue to Block New CRA Rules

Banking Groups Sue to Block New CRA Rules

A group of industry organizations have filed suit to block regulators’ new Community Reinvestment Act rules. According to the plaintiffs in the case, regulators are exceeding their authority with the proposed rules. Additionally, the plaintiffs argue that the new CRA...

Fed Signals No Imminent Rate Cuts Ahead

Fed Signals No Imminent Rate Cuts Ahead

Despite market expectations for imminent rate cuts, the Federal Reserve today confirmed its intent to leave interest rates at their current level. That marks the fourth straight pause on those rates, as inflation has continued to plague American consumers. Inflation...