In a wide-ranging speech yesterday before the Consumer Bankers Association, Consumer Financial Protection Bureau (CFPB) Director Richard Cordray forcefully defended his agency’s approach to consumer financial regulation and supervision against critics who call it “regulation by enforcement.” Saying that criticism of this practice (and even the term) is “badly misplaced,” he argued for the need to work “toward a pattern of actions that conveys an intelligible direction to the marketplace, so as to create deterrence that can be readily understood and implemented.”

Director Cordray noted that the “vast majority” of CFPB enforcement actions involve some sort of deception or fraud and commented on the difficulty of creating specific rules to address fraud or untruth. In turn, he said, the CFPB has sought

“to present specific enforcement orders that meticulously catalogue the facts we have found in our very thorough investigations and set out the legal conclusions that follow from those facts. These specific orders are also intended as guides to all participants in the marketplace to avoid similar violations and make an immediate effort to correct any such improper practices.”

In this regard, the Director’s speech included an unambiguous warning to financial institution compliance officers and executives about the need to pay attention to CFPB enforcement actions:

“These orders provide detailed guidance for compliance officers across the marketplace about how they should regard similar practices at their own institutions. If the same problems exist in their day-to-day operations, they should look closely at their processes and clean up whatever is not being handled appropriately. Indeed, it would be ‘compliance malpractice’ for executives not to take careful bearings from the contents of these orders about how to comply with the law and treat consumers fairly.”

Are you a consumer financial services provider? Do you tell your customers that your data security practices are “best in class”? If so, it had better be true, or Richard Cordray and his colleagues at the Consumer Financial Protection Bureau (CFPB) may want to talk with you.

On March 2, the CFPB initiated and settled by consent an administrative action against an online consumer payments provider (Respondent) for what the CFPB charged were deceptive acts and practices arising out of representations that the Respondent made about its data security practices.

In the Consent Order, the CFPB charged that Respondent (which offers funds transfer services to consumers) made numerous representations about its data security practices that were not true, including statements that

  • its network and transactions were safe and secure,
  • its transactions were safer than credit cards,
  • its data security practices “exceeded industry standards,”
  • customer information was safely encrypted, and
  • its data security measures were Payment Card Industry (PCI) compliant.