Are you a consumer financial services provider? Do you tell your customers that your data security practices are “best in class”? If so, it had better be true, or Richard Cordray and his colleagues at the Consumer Financial Protection Bureau (CFPB) may want to talk with you.
On March 2, the CFPB initiated and settled by consent an administrative action against an online consumer payments provider (Respondent) for what the CFPB charged were deceptive acts and practices arising out of representations that the Respondent made about its data security practices.
In the Consent Order, the CFPB charged that Respondent (which offers funds transfer services to consumers) made numerous representations about its data security practices that were not true, including statements that
- its network and transactions were safe and secure,
- its transactions were safer than credit cards,
- its data security practices “exceeded industry standards,”
- customer information was safely encrypted, and
- its data security measures were Payment Card Industry (PCI) compliant.