[author: Michael Flynn]*

Continuing a trend it has been pursuing, the CFPB on Thursday used a non-rulemaking circular (Consumer Financial Protection Circular 2022-04) to state that its UDAAP authority extends its enforcement authority to situations where financial institutions have insufficient data protection or information security. The circular may be found here.

Earlier this year, the CFPB announced that its UDAAP authority extended to fair lending issues beyond ECOA and the CFPB’s traditional fair lending coverage. See Buchalter March 31, 2022 Client Alert.

In this latest declaration of an extension of its UDAAP authority, the CFPB stated the failure of a bank or nonbank financial firm to adequately safeguard its customers’ personal data can meet the criteria for unfairness under the Consumer Financial Protection Act.

The circular also noted examples of basic security measures that the CFPB said could help firms minimize their risk of potential unfairness liability, specifically including implementing multifactor authentication, strong password management and timely software updates and patches.

In a statement, CFPB Director Chopra stated: “Financial firms that cut corners on data security put their customers at risk of identity theft, fraud, and abuse. While many nonbank companies and financial technology providers have not been subject to careful oversight over their data security, they risk legal liability when they fail to take commonsense steps to protect personal financial data.”

This development further highlights the need for strong data security oversight and management, and also highlights the need to ensure that regulatory specialists are involved when data security issues arise.

*Michael Flynn* (*Admitted to practice in California, the District of Columbia, and Michigan, and in Colorado temporarily authorized pending admission under CRCP205.6)z