On March 2, 2016, the Consumer Financial Protection Bureau (CFPB) announced an enforcement action against online payment system company Dwolla, Inc. for allegedly deceiving consumers about its data security practices. This enforcement action is significant in that it marks the CFPB's first ever data security enforcement action and, perhaps more importantly, demonstrates the CFPB's seemingly boundless regulatory authority.

Data Security Significance

Although many regulators and law enforcement agencies have been implementing rules and enforcing data security policies for some time, the Dwolla, Inc. action marks the CFPB's first, but unlikely last, step into this arena. Further, even though the Dwolla, Inc. enforcement action focused on the allegedly deceptive representations Dwolla, Inc. made about its data security practices, future CFPB enforcement actions may not be so limited. Thus, this enforcement action should serve as a reminder to companies to ensure that they are not misrepresenting their data security practices, and that they have actually developed and implemented thorough data security policies and procedures. It is also important to remember that effective data security programs require policies and procedures that not only effectively protect consumers' data, but also include thorough response plans in the event that data breaches occur. Given the increase in data breaches, in both size and number the CFPB will likely continue looking for ways it can take action—through enforcement and rule making—in this area. Therefore, although this enforcement action focuses on allegedly deceptive representations by a company about its data security practices, future actions are likely to go beyond that issue.

CFPB's Expanding Authority

Although the CFPB's authority is technically limited in terms of the types of bank and nonbank companies it regulates, the conduct it is authorized to regulate, and the laws it is permitted to enforce, the CFPB has gained a reputation for pushing the boundaries of those limitations.1 The Dwolla, Inc. enforcement action is another example of the CFPB's ever-expanding authority. For instance, the CFPB has been widely criticized for its repeated enforcement actions against the indirect automobile lending industry because the Dodd–Frank Wall Street Reform and Consumer Protection Act (Dodd–Frank Act) expressly excludes the auto industry from the CFPB's regulatory and supervisory authority. To many, the CFPB's attack on the indirect auto lending industry is simply a backdoor way for the CFPB to regulate an industry that is otherwise outside its authority.

Similarly, the CFPB has taken multiple actions against debt collection law firms, despite the fact that the Dodd–Frank Act expressly prohibits the CFPB from regulating the practice of law. The CFPB has successfully argued that, despite Dodd–Frank's practice-of-law exception, it should be permitted to regulate debt collection law firms because many of the debt collection acts those firms perform are not related to the practice-of-law or are conducted by nonlawyers. Regardless of the technical arguments, it is clear from these actions that the CFPB sees itself as a superregulator whose authority is limited only perhaps by its own imagination. Therefore, all companies that are in, or that service, the financial industry in any way need to pay close attention to the CFPB's regulatory and enforcement actions to ensure that they do not end up in its crosshairs.