August 12, 2022

CFPB reaffirms that nonbank fintechs must maintain adequate data security safeguards

The CFPB reaffirmed in a circular on Thursday that nonbank entities may violate the Consumer Financial Protection Act’s (CFPA) prohibition on unfair, deceptive, or abusive acts and practices (UDAAP) if they fail to maintain adequate data security safeguards.

The CFPB stated that “In addition to other federal laws governing data security for financial institutions, including the Safeguards Rules issued under the Gramm-Leach-Bliley Act (GLBA), ‘covered persons’ and ‘service providers’ must comply with the prohibition on unfair acts or practices in the CFPA.” 

In its white paper on Data Privacy and Security, NAFCU says that “there is no reason that a small credit union should be subject to more stringent requirements than an organization like Equifax, or that an organization like Facebook should not be subject to any requirements. Similar data security requirements should be imposed for fintech companies, retailers, and other entities that handle personal and financial information.” 

NAFCU supports holding nonbank fintech companies to the same data security standards that apply to credit unions to create competitive equality. However, the broad applicability of the circular to “covered persons” and “service providers” means that the extension of UDAAP-related liability for inadequate data security practices could potentially impact credit unions.  

Under the GLBA, the NCUA is responsible for administering the law’s data safeguard provisions for federally-insured credit unions. NAFCU will continue to engage the bureau to emphasize the NCUA’s role as the primary functional regulator for examining credit union data security.