UDAAP: Regulating the "Could've, Would've, Should've"

Clark Hill PLC

Yesterday's Consumer Financial Protection Bureau (CFPB) Consent Order against Dwolla, Inc., a company that operates an online payment system, is yet more evidence of the murky world of Unfair, Deceptive, or Abusive Acts or Practices (UDAAP) enforcement. The CFPB alleged that Dwolla falsely claimed that its data security practices exceeded or surpassed industry security practices and falsely claimed that the consumer information that it held was securely encrypted and stored. The alleged conduct took place from 2011 to 2014. Dwolla agreed to pay a civil penalty of $100,000.00.

This is the CFPB's first data security action and is based on its authority to prevent entities from engaging in unfair, deceptive or abusive acts or practices under the Dodd-Frank Act. Dodd-Frank states that the "Bureau may prescribe rules applicable to a covered person or service provider identifying as unlawful unfair, deceptive, or abusive acts or practices...." To date, the CFPB has not adopted any rules implementing its UDAAP authority. It has chosen instead to bring actions based on UDAAP as it sees fit, with no regulatory guidance as to what types of actions would constitute a UDAAP.

Even more striking in the Dwolla Consent Order is that there was no finding by the CFPB of any financial harm to any consumer as a result of Dwolla's actions. Further, there was no finding that any security breach occurred or that any consumer data was compromised. The Consent Order draws only the tenuous conclusion that Dwolla's actions "were likely to mislead a reasonable consumer into believing that Dwolla had incorporated reasonable and appropriate data-security practices when it had not" and that Dwolla's "representations were material because they were likely to affect a consumer's choice or conduct regarding whether to become a member of Dwolla's network." (Emphasis added.)

What's happening here? Dwolla's actions, if you believe them to be true, amount to nothing more than a failed audit, especially in light of the small civil fine. However, has the standard for UDAAP become so amorphous that we have to operate in the world of the subjective "what if"? "Likely" is not an objective standard by which a company can conduct its business and should not be the basis for any UDAAP violation.

With no regulatory guidance, the financial services industry is left with little choice but to invest a disproportionate amount of resources to ensure that all their operations, policies and procedures are, at all times, not unfair, deceptive or abusive, which is a standard that is not defined and exists only in the minds of the CFPB enforcers.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Clark Hill PLC | Attorney Advertising
