Fintech Legal Report – August 2022 | Perkins Coie

Weekly Fintech focus

  • CFPB warns firms of UDAAP violations for information security weaknesses.
  • The CFPB issued an interpretive rule to clarify that digital marketing providers may be covered as service providers under the CFPA for the targeting and placement of advertisements for financial products and services.

CFPB warns firms about information security weaknesses

On August 11, 2022, the Consumer Financial Protection Bureau (CFPB) issued a circular confirming that financial companies can violate consumer financial protection laws if they fail to protect consumer data. The circular cites the CFPB’s authority over unfair, deceptive, or abusive acts or practices (UDAAP), which prohibits unfair acts or practices that cause substantial harm to a consumer that cannot reasonably be avoided and is not outweighed by countervailing benefits to consumers or competition. The CFPB notes that, without adequate data security safeguards, consumers may be unfairly victimized by a firm’s services. The CFPB further states that it is not aware of any court ruling, in an unfairness analysis, that poor data security practices were outweighed by countervailing benefits to consumers or competition. As a result, the CFPB explains that inadequate data security can be an unfair practice even in the absence of a breach or intrusion.

The circular provides a number of examples of safeguards that the CFPB believes can help companies protect data and minimize the risk of liability for violating UDAAP’s unfairness prohibition. These include:

  • Multi-factor authentication (MFA). MFA is a security process that requires multiple credentials before a consumer can access their account, and requires more than one of the following categories of information: something you know, something you have, and something you are. Standard MFA processes require a password and a temporary code to log in.
  • Adequate password management. If a company still uses passwords, its password management policies should include ways to monitor for breaches of password security.
  • Timely software updates. Companies should have procedures in place to promptly update software to address vulnerabilities when those vulnerabilities become publicly known and patches are available.

To support its position, the CFPB cites rules and enforcement actions taken by the Federal Trade Commission (FTC). In particular, the FTC recently updated its security rule implementing section 501(b) of the GLBA to set forth certain safeguards that nonbanks must implement to secure consumer financial data. The CFPB also cites recent FTC enforcement actions, such as the 2019 Equifax action and the 2022 CafePress action, which held that the companies acted unfairly by failing to provide reasonable security when using software with known unpatched vulnerabilities and failing to disclose security incidents.

CFPB issues rule on digital marketing of financial services

The CFPB issued a rule clarifying that digital marketers of financial products and services are subject to consumer protection provisions. The interpretive rule applies to providers of digital marketing who offer both targeting and delivery of advertisements to consumers. Examples include large technology companies that use algorithms or other models and analytics to target recipients of ads and give “time or space” to those ads. As a result, if a digital marketing provider is “involved in the identification or selection of potential customers or the selection or placement of content to influence consumer engagement, including purchase or adoption behavior,” that entity may be a service provider under the Consumer Financial Protection Act (CFPA or Act). The interpretive rule focuses on entities that “mix” ad targeting and placement and those involved in “content strategy.”

Under the CFPA, a “service provider” to a covered person under the Act is “any person who provides a material service to a covered person in connection with the offering or provision by a covered person of a consumer financial product or service.” A “service provider” includes a person who “participates in the design, operation or maintenance of the consumer financial product or service” or “processes transactions related to the consumer financial product or service”. A “service provider” is not subject to the CFPA by virtue of providing a covered person “a support service of a type provided for businesses generally or similar ministerial service,” or “time or space for an advertisement for a consumer financial product or service through print, newspapers or electronic media.”

The interpretive rule clarifies that some digital marketing providers are “service providers” under the CFPA. Unlike traditional media such as newspapers or radio, the CFPB’s rule explains that digital marketing providers go beyond simply providing “time or space” and offer a tangible service to persons covered by the CFPA. A material service includes the intermingling of targeting and delivery of advertisements. Digital marketing vendors that provide more tangible services such as lead generation, customer acquisition, market analysis or strategy, and data and modeling for targeting and placement offer services that “increasingly resemble[] [the] functions … often performed by covered persons themselves.”
