0

CFPB Circular Emphasizes Banks’ Responsibility to Protect Customer Data

CFPB Circular Emphasizes Banks’ Responsibility to Protect Customer Data

Mon Aug 22 2022

By Ken Chase

<p>In a new <a href="https://www.consumerfinance.gov/compliance/circulars/circular-2022-04-insufficient-data-protection-or-security-for-sensitive-consumer-information/">circular</a> published this week, the Consumer Financial Protection Bureau outlined financial companies’ responsibility to protect their customers’ personal and financial data. In a move that analysts viewed as a potential crackdown on financial firms, the CFPB noted that failure to adequately safeguard consumer data could place banks in violation of the Consumer Financial Protection Act.</p> <p>&nbsp;The circular was created to answer questions concerning financial entities’ possible violation of that Act due to a failure to provide adequate information security and data protection. The bureau’s response and analysis left no doubt about the CFPB’s position on that issue: when the regulatory bureau finds that an institution has neglected to implement any of three basic security controls, that institution is likely to face punitive action.</p> <p>Those three security controls include basic considerations recognized as the bare minimum in data safeguards: multifactor authentication to verify identities, password management, and regular timely updates to software systems. </p> <p>Multifactor authentication, or MFA, is becoming a priority for regulators concerned about data protection. The CFPB clearly expressed its belief that this security measure can help to reduce unauthorized access to customers’ accounts and personal data.</p> <p>Proper password management can help to eliminate one of the most common access points for data breaches. According to the CFPB, an organization’s failure to maintain adequate password management practices and systems would likely trigger a liability finding in the event that customer data security was negatively impacted.</p> <p>The CFPB’s position on software updates was equally straightforward. In its view, companies that fail to install regularly issued security patches could be liable for any resulting vulnerabilities that leave customer data unprotected from hackers and other bad actors. As a result, companies have an obligation to quickly install updates and patches as they are released, while also replacing any software systems that are no longer receiving vendor support and maintenance.</p>