CFPB Weighs in on Data Security; Will Firms with Poor Security Be in the Crosshairs?
October 14, 2022
Andrew E. Bigart Partner | + 1 202.344.4323 | [email protected]
Ross B. Nodurft Senior Director of Cybersecurity Services | +1 202.344.4403 | [email protected]
Review of CFPB Circular 2022-04: Insufficient data protection or security for sensitive consumer information, issued August 2022 What is a Consumer Financial Protection Circular? Existing legal framework for protecting consumer financial data on federal level Data security lapses as potential UDAAP liability
Multifactor authentication Password management Software updates Data security challenges presented by open banking, banking-as-a-service, and modern payments
2022 / Slide 2
CFPB Issues Circular 2022-04 in August 2022
2022 / Slide 3
What Is a Consumer Financial Protection Circular and What Is Its Effect?
Consumer Financial Protection Circulars are policy statements advising parties with authority to enforce federal consumer financial law, such as state attorneys general, state regulators, prudential regulators, FTC, and DOJ.
Intended to promote consistency in approach across various enforcement agencies and to provide transparency to partner agencies regarding CFPB's approach when it engages in joint investigatory work.
As general statements of policy under the Administrative Procedures Act, not subject to notice and comment like regulations. They are not supposed to impose any new legal requirement.
"The CFPB Director is instructing CPFB staff as described herein, and the CFPB will then make final decisions on individual matters based on an assessment of the factual record, applicable law, and
factors relevant to prosecutorial discretion."
2022 / Slide 4
CFPB Principles for Consumer Permissioned Data Sharing
Previously, the CFPB published nine principles for consumer financial data access; data scope and usability; control and informed consent; authorizing payments; security; transparency of access; accuracy; ability to dispute and resolve
unauthorized access; and efficient and effective accountability
2022 / Slide 5
Key Players in Open Banking
Data Holders: Banks and credit unions that have established customer relationships and access to customer financial data. The CFPB refers to these institutions as "data holders," because they hold information about the customer through their financial services relationship.
Data Aggregator: An entity that supports data users and/or data holders in enabling authorized data access. These entities access and transmit consumer financial data to data users pursuant to consumer authorization.
Data User: Means a third party that uses consumer-authorized data access to provide either (1) products or services to the authorizing consumer or (2) services used by entities that provide products or services to the authorizing consumer.
2022 / Slide 6
Section 1033 Rulemaking Consumer-Authorized Financial Data Sharing and Aggregation
Section 1033 of the Consumer Financial Protection Act requires a covered person to make available to a consumer, upon request, information in the control or possession of the covered person concerning the consumer financial product or service that the consumer obtained from such covered person, including information relating to any transaction, to any series of transactions, or to the account, including costs, charges, and usage data.
The information must be made available in an electronic form that is usable by consumers, but there is no duty for the covered person to maintain any records.
Exceptions: A covered person may not be required by this section to make available to the consumer any confidential commercial information, including an algorithm used to derive credit scores or other risk scores or predictors; any information collected by the covered person for the purpose of preventing fraud or money laundering, or detecting, or making any report regarding other unlawful or potentially unlawful conduct; any information required to be kept confidential by any other provision of law; or any information that the covered person cannot retrieve in the ordinary course of its business with respect to that information.
2022 / Slide 7
Section 1033 Rulemaking Timeline
November 22, 2016 Request for Information November 18, 2017 Principles Statement February 26, 2020 Symposium October 22, 2020 Advance Notice of Proposed Rulemaking February 4, 2021 ANPR comments closed (99 comments
received) July 9, 2021 Executive Order (EO) encourages CFPB to
commence rulemaking Present Pre-Rule Stage Final Rule?
2022 / Slide 8
Existing Legal Framework for Consumer Financial Data Nonbanks
Gramm-Leach-Bliley Act and FTC Safeguards Rule Applies to non-banking financial institutions, such as check-cashing businesses, payday lenders, mortgage brokers, nonbank lenders, personal property or real estate appraisers, professional tax preparers, courier services, and credit reporting agencies.
Expands the scope of covered financial institutions to include "finders." Does not directly apply to service providers, but service providers should expect
covered financial institutions to impose similar requirements by contract. As compared with the previous Safeguards Rule, the final rule imposes more
detailed requirements for the development, establishment, and maintenance of information security programs. These measures closely track recently enacted regulations by NYDFS, which
enacted its own Cybersecurity Regulation in 2017. Compliance Deadline: October 27, 2022.
2022 / Slide 9
FTC Safeguards Final Rule: Key Changes
Provides more specificity on how financial institutions should develop and implement aspects of an information security program. For instance, the rule requires: Implementation and review of access controls; Encryption of customer information in transit and at rest; Development, implementation, and maintenance of information disposal practices; and Adoption of change management procedures.
Adds provisions designed to improve the accountability of financial institutions' information security programs. Requires a financial institution to designate a "Qualified Individual" to be responsible for the program who regularly reports to the financial institution's board of directors or governing body.
Exempts financial institutions that collect less customer information from certain requirements.
2022 / Slide 10
Existing Legal Framework for Consumer Financial Data Banks
The Interagency Guidelines Establishing Information Security Standards is a joint rule issued in February 2001 by OCC, Board of Reserves of Federal Reserve, FDIC, and Office of Thrift Supervision.
Set forth standards pursuant to Sections 501 and 505 of the Gramm-Leach-Bliley Act. These Guidelines address standards for developing and implementing administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information.
The Guidelines apply to customer information maintained by or on behalf of bank holding companies and their nonbank subsidiaries or affiliates (except brokers, dealers, persons providing insurance, investment companies, and investment advisors), for which the Board has supervisory authority.
2022 / Slide 11
Circular Declared That Data Security Practices--or Lack Thereof--Can Constitute a UDAAP
2022 / Slide 12
Multi-Factor Authentication (MFA)
Per CFPB: "Multi-factor authentication (MFA) is a security enhancement that requires multiple credentials
(factors) before an account can be accessed." "Factors fall into three categories: something you know, like a password; something you have, like a
token; and something you are, like your fingerprint." "A common MFA setup is supplying both a password and a temporary numeric code in order to log in.
Another MFA factor is the use of hardware identification devices. MFA greatly increases the level of difficulty for adversaries to compromise enterprise user accounts, and thus gain access to sensitive customer data." "MFA solutions that protect against credential phishing, such as those using the Web Authentication standard supported by web browsers, are especially important." "If a covered person or service provider does not require MFA for its employees or offer multi-factor authentication as an option for consumers accessing systems and accounts, or has not implemented a reasonably secure equivalent, it is unlikely that the entity could demonstrate that countervailing benefits to consumers or competition outweigh the potential harms, thus triggering liability."
2022 / Slide 13
What's New Here?
FFIEC guidance on "Authentication and Access to Financial Institution Services and Systems" has historically focused on laying out criteria for FIs to take a risk-based approach to authentication.
CFPB is getting more prescriptive signaling that financial institutions that do not require MFA for their employees or offer multi-factor authentication as an option for consumers may face consequences.
CFPB is also signaling that financial institutions should offer "the right MFA" noting that some legacy MFA tools will not adequately guard against credential phishing attacks.
2022 / Slide 14
Going Beyond Guidance
FFIEC regulators have long issued guidance to financial institutions on authentication but this is the first time we've seen one urge consumers to file complaints if their FI doesn't offer it.
2022 / Slide 15
Multi-Factor Authentication (MFA)
Per CFPB: "Multi-factor authentication (MFA) is a security enhancement that requires multiple
credentials (factors) before an account can be accessed." "Factors fall into three categories: something you know, like a password; something you have,
like a token; and something you are, like your fingerprint." "A common MFA setup is supplying both a password and a temporary numeric code in order to
log in. Another MFA factor is the use of hardware identification devices. MFA greatly increases the level of difficulty for adversaries to compromise enterprise user accounts, and thus gain access to sensitive customer data." "MFA solutions that protect against credential phishing, such as those using the Web Authentication standard supported by web browsers, are especially important." "If a covered person or service provider does not require MFA for its employees or offer multifactor authentication as an option for consumers accessing systems and accounts, or has not implemented a reasonably secure equivalent, it is unlikely that the entity could demonstrate that countervailing benefits to consumers or competition outweigh the potential harms, thus triggering liability."
2022 / Slide 16
MFA & Web Authentication Why the Callout?
"Legacy" MFA tools that require a one-time passcode (OTP) or a response to a pushnotification sent to an authentication app is not as secure as it used to be.
Attackers have caught up and can easily phish OTP codes or trick someone into pushing "approve" when they get a prompt on their mobile device to verify a login.
With push-based apps, "MFA Fatigue" is an attack where an adversary has a stolen password and continues to "bomb" a target's app with login prompts often accompanied by emails, texts, or phone calls pretending to be the company verifying the login.
All it takes is one push of the "Approve" button for an adversary to take over an account.
2022 / Slide 17
MFA & Web Authentication Why the Callout?
Web Authentication (aka "FIDO Authentication") is a newer authentication standard that guards against these credential phishing attacks
CISA calls FIDO authentication the "gold standard" of MFA and has been highlighting that all MFA is not created equal
Support for FIDO/Web Authentication is built in "out of the box" in major browsers and tech operating systems meaning the barrier to implementing it both in the enterprise and for consumers is lower than other forms of MFA
Our take: Attackers have caught up with legacy MFA; FIs can best mitigate this risk by
implementing FIDO authentication internally and for consumers.
2022 / Slide 18
Notable snippets from the CFPB Circular
"If a covered person or service provider does not have adequate password management policies and practices, it is unlikely they would succeed in showing countervailing benefits to consumers or competition that outweigh the potential harms, thus triggering liability." "This includes failing to have processes in place to monitor for breaches at other entities where employees may be re-using logins and passwords (including notifying users when a password reset is required as a result), and includes use of default enterprise logins or passwords."
2022 / Slide 19
Password/User Account breaches continue to be one of the primary enablers for further identity theft and cyberattacks. An evolving threat landscape presents new challenges: Ongoing compromise of Password Manager applications (LastPass hack, 2022) Accumulated "bad passwords" from other breaches (~11.9 billion breached accounts) Increased hardware/software capabilities of attacks, making old hashing methods obsolete
2022 / Slide 20
Context and background
The CFPB Circular aligns with previous password guidance as published by NIST in SP 800-63B: Digital Identity Guidelines.
SP 800-63B, in particular the requirements in Section 5.1.1 and the informative guidance in Appendix A, is widely considered to be best practice.
However, the text of the CFPB focuses on password breaches and default passwords, only a small part of the NIST guidance. The suggestion to do continuous monitoring of password breaches at other entities goes above 800-63B recommendations.
2022 / Slide 21
Dealing with explicitly included issues Comparing newly requested passwords against a database of known breached passwords and
common or default passwords meets the first portion of the Circular's suggestion. In-depth password databases can be purchased or subscribed to as a service from many
security and identity vendors. Some free sources are available, with less guarantee of completeness, such as
https://haveibeenpwned.com. Ongoing monitoring of breaches at other entities is more difficult to quantify and deal with.
Continuous breach monitoring is a service offered by many security and identity vendors. Regularly checking the same lists used at password creation time may qualify as an "adequate
2022 / Slide 22
Potentially implied further requirements The CFPB Circular does not provide an exhaustive list of what qualifies as "adequate password
management policies," though it does provide a link to a CISA Good Security Habits page. Groups looking to take a more cautious approach may wish to enforce a wider set of password
requirements as laid out in NIST SP 800-63B, such as: Using secure cryptographic practices (encryption, salting, and hashing) to protect user
passwords in transit and at rest Implementing rate-limiting and server/network cybersecurity Using proven composition and complexity rules Avoiding arbitrary password requirements and password expiration timelines
2022 / Slide 23
Timely Software Updates
Notable snippets from the CFPB Circular
"If covered persons or service providers do not routinely update systems, software, and code (including those utilized by contractors) or fail to update them when notified of a critical vulnerability, it is unlikely they would succeed in showing countervailing benefits to consumers or competition that outweigh the potential harms, thus triggering liability." "This includes not having asset inventories of which systems contain dependencies on certain software to make sure software is up to date and highlight needs for patches and updates. It also includes the use of versions of software that are no longer actively maintained by their vendors."
2022 / Slide 24
Timely Software Updates
Background and context
The circular makes explicit reference to CFPB's legal complaint against Equifax in 2017, in which Equifax was accused of using antiquated and poorly maintained software that contained known vulnerabilities.
Given the above complaint reference to Common Vulnerability Enumeration (CVE), "critical vulnerability" likely refers to a given vulnerability's Common Vulnerability Scoring System (CVSS) score as provided by NIST at the National Vulnerability Database (NVD).
2022 / Slide 25
Timely Software Updates
Addressing CFPB concerns Perfect asset, vulnerability, and patch management is likely impossible for any moderately large
enterprise. The CFPB Circular implies a minimum level of due diligence to mitigate the potential for being
found liable in the case of a breach: Routinely check for updates for the software and assets that you and your contractors use. This
includes applications, operating systems, web browsers, and IoT firmware. Maintain a reliable inventory of the software assets in use at your enterprise, along with their
versions. Routinely cross-check your asset inventory against lists of known vulnerabilities, such as the
2022 / Slide 26
Timely Software Updates
Recent developments There has been an increased focus on this issue in the federal government, including the NIST
Cyber Security Framework (CSF), the National Telecommunications and Information Administration (NTIA)'s Software Bill of Materials (SBOM) publications, and the inclusion of cyber provisions in the National Defense Authorization Act for FY2022 (NDAA). The minimum level of due diligence as described previously is roughly common practice across industry, but it is possible that action from the CFPB or other agencies will hold financial organizations to a higher standard.
2022 / Slide 27
Developments in open banking, banking-as-a-service, and payments change the way consumers and businesses interact with financial services providers.
Underlying all of these changes is the sharing of customer data between fintechs, traditional financial institutions, and data aggregators.
Examples of open banking use cases Making and receiving payments Loan underwriting Account ownership validation / identity verification Budgeting / personal financial account management products and services Financial advisory services
2022 / Slide 28
Reasons Why Bank Partnerships Are Used for Many Fintech Products and Services
All fintechs need a bank partner in some way: Leveraging of existing bank platforms and services Establishing products and services in a way that minimizes licensing requirements for fintechs
Money transmission Lending / usury Payment network requirements Access to data
2022 / Slide 29
Increased Regulatory Scrutiny of BaaS: OCC Agreement with Blue Ridge Bank (August 2022)
Focus on unsafe and unsound practices related to third-party risk management, AML, suspicious activity reporting, and information technology control and risk governance.
Required bank to create a compliance committee to oversee and report to OCC on compliance with the agreement. Specific requirements / areas for improvement included:
Implement a written program to manage the risks posed by third-party fintech relationships. Obtain "no objection" confirmation from OCC prior to onboarding new fintechs or expanding current
relationships. Improve AML compliance Audits Staffing Customer due diligence Suspicious activity monitoring and reporting (including a look back review) Implement written program to manage information technology (IT) activities, including those activities conducted through fintech relationships.
2022 / Slide 30
Importance of Third-Party Risk Management
The federal bank regulatory agencies have requested public comment on proposed guidance designed to help banking organizations manage risks associated with third-party relationships, including relationships with financial technology-focused entities. The proposed guidance is intended to assist banking organizations in identifying and addressing the risks associated with third-party relationships and responds to industry feedback requesting alignment among the agencies with respect to thirdparty risk management guidance.
"Third-party relationships can include relationships with entities such as vendors, financial technology (fintech) companies, affiliates, and the banking organization's holding company."
July 19, 2021 NPRM issued September 17, 2021 Public comment period closed
2022 / Slide 31
Andrew E. Bigart
Partner + 1 202.344.4323 [email protected]
Jeremy A. Grant
Managing Director of Technology Business Strategy + 1 202.344.4646
Partner +1 212.370.6210 [email protected]
Ross B. Nodurft
Senior Director of Cybersecurity Services +1 202.344.4403
2022 / Slide 32
2022 Venable LLP. This document is published by the law firm Venable LLP. It is not intended to provide legal advice or opinion. Such advice may only be given when related to specific fact situations that Venable has accepted an engagement as counsel to address.