Are you a consumer financial services provider? Do you tell your customers that your data security practices are “best in class”? If so, it had better be true, or Richard Cordray and his colleagues at the Consumer Financial Protection Bureau (CFPB) may want to talk with you.

On March 2, the CFPB initiated and settled by consent an administrative action against an online consumer payments provider (Respondent) for what the CFPB charged were deceptive acts and practices arising out of representations that the Respondent made about its data security practices.

In the Consent Order, the CFPB charged that Respondent (which offers funds transfer services to consumers) made numerous representations about its data security practices that were not true, including statements that

  • its network and transactions were safe and secure,
  • its transactions were safer than credit cards,
  • its data security practices “exceeded industry standards,”
  • customer information was safely encrypted, and
  • its data security measures were Payment Card Industry (PCI) compliant.

The CFPB also alleged that Respondent’s data security practices were deficient in other respects, including

  • a failure to adopt and maintain reasonable data security policies and procedures,
  • a failure to conduct regular risk assessments,
  • inadequate employee data security training,
  • inadequate customer data encryption, and
  • inadequate software development and testing practices.

The CFPB alleged that these activities constituted deceptive acts and practices in violation of the unfair, deceptive, or abusive acts or practices (UDAAP) provisions of Title X of the Dodd-Frank Act. The CFPB ordered Respondent to take a number of remedial measures to address these issues, including submitting to the CFPB a compliance plan for a non-objection determination and regular compliance progress reports. It also assessed a $100,000 civil money penalty. The Consent Order will remain in effect for five years.

The critical importance of customer data security in the financial services industry is, for obvious reasons, painfully apparent, which is why financial services providers (and virtually all other online services providers of any kind) go to great lengths to reassure their customers about the security of their data and transactions. What is notable about the CFPB’s action, however, is that it is based exclusively on allegations of inadequate data security practices, coupled with charges that the Respondent made factually inaccurate public statements to the contrary; the Consent Order does not allege that consumers suffered any financial losses, or that there were consumer complaints about Respondent’s data security practices, nor does it order any consumer restitution. Notably, no complaints against Respondent appear to have been previously submitted to the CFPB’s Consumer Complaint Database.

Conclusion

The CFPB’s action in this matter plainly signals that data security issues in consumer financial services are an independently actionable enforcement and compliance matter even in the absence of consumer losses, and that the CFPB is scrutinizing financial services providers’ public statements on these matters.

Bottom line: if you claim that your data security practices are first class, be sure you can back it up.