Consumer Financial Protection Circular 2022-04

Insufficient data protection or security for sensitive consumer information
  • Source:

Treliant Takeaway:

Treliant knows data security management.  If your financial services institution needs assistance with assessing your information security protocols, we can help.


On August 11, 2022, the Consumer Protection Finance Bureau (CFPB) issued Consumer Financial Protection Circular 2022-04 (Circular 2022-04), reminding financial services companies that failure to institute appropriate information security protocols and measures to keep their client’s data safe may be a violation of the prohibition on unfair acts or practices under the Consumer Finance Protection Act (CFPA).  Circular 2022-04 noted that data breaches have resulted in significant consumer harm, including identity theft and loss of time and money in resolving impacts of breaches.

In addition, Circular 2022-04 opined that failure to comply with laws and regulations governing information security, such as Section 501 of the Gramm-Leach-Bliley Act, as implemented by the Federal Trade Commission (FTC) Safeguards Rule or the Interagency Guidelines Establishing Information Security Standards, may amount to unfair acts or practices. As precedent, the CPFB cited several prior actions by the CFPB or the FTC related data security failures that were  alleged to be unfair acts or practices under either the FTC Act or the CFPA.

While not all-inclusive, or a guaranteed safe harbor if implemented, below are some examples of security measure practices that are discussed in the circular:

  • Multi-factor Authentication: Multi-factor authentication greatly increases the level of difficulty for adversaries to compromise enterprise user accounts, and thus gain access to sensitive customer data. Multi-factor authentication can protect against credential phishing, such as those using the Web Authentication standard supported by web browsers.
  • Adequate Password Management: Unauthorized use of passwords is a common data security issue, as is the use of default enterprise logins or passwords. Username and password combinations can be sold on the dark web or posted for free on the internet, creating risk of future breaches. For firms that are still using passwords, password management policies and practices allow for ways to monitor for breaches at other entities where employees may be re-using logins and passwords.
  • Timely Software Updates: Software vendors and creators, including open-source software libraries and projects, often send out patches and other updates to address continuously emerging threats. Upon announcement of these updates to address vulnerabilities, hackers immediately become aware that firms using older versions of software are potential targets to exploit. Protocols to immediately update software and address vulnerabilities once they become publicly known can reduce vulnerabilities.

Given the CFPB’s addition of information technology controls and compliance management systems to its examination procedures, regulated entities can expect consideration of controls related to information and data security in examinations. If your institution needs assistance in preparing for scrutiny, Treliant can help.