What Fintech and Digital Marketing Firms Need to Know Now About the CFPB’s Expanding Jurisdiction | Celent Orrick, Herrington & Sutcliffe LLP
The Consumer Financial Protection Bureau (CFPB) recently made two announcements: It (1) asserted jurisdiction over a larger group of non-bank “service providers” and (2) made it clear that lax security standards are subject to enforcement as unfair acts or practices, and provided minimum standards.
What happened?
- On August 10, 2022, the CFPB warned that digital marketing providers must comply with federal consumer financial protections.
- On August 11, 2022, the CFPB issued a circular defining what it considers to be “poor data security practices” that may violate the prohibition on unfair acts or practices.
This expansion of the CFPB’s reach beyond traditional financial services businesses affects not only fintech companies but also many technology companies that may never have considered how the CFPB applies to them. It adds to an already complex web of financial services and data privacy regulations.
1. Digital marketers are now subject to the Federal Consumer Financial Protection Act.
The Dodd-Frank Act defines a “service provider” to include “a person who provides material services to a covered person in connection with the offering or provision of consumer financial products or services by the covered person.” § 1002(26). Service providers fall under the CFPB’s jurisdiction and may be held liable under various consumer finance laws, including the Fair Credit Reporting Act (FCRA), the Fair Lending Act, and the prohibition on Unfair, Deceptive, or Abusive Acts or Practices (UDAAP). In the past, digital marketing providers could rely on the Dodd-Frank Act’s “time and space exception” to avoid the scope of the CFPB. The law exempts companies that provide only “time or space for the advertisement of consumer financial products or services through print, newspaper, or electronic media.”
The CFPB’s interpretive rule of August 10 (the “Rule”) broadened the definition of “service provider” by significantly limiting this exception. The new interpretation concludes that many of the day-to-day tasks performed by modern digital marketers, such as lead generation, customer acquisition, marketing analytics or marketing strategy, amount to significant involvement in the development of content and placement strategies. The CFPB’s decision that these functions amount to “critical services” means that the firms that provide these services to covered financial services firms are considered “service providers.” Because in-house marketing groups often perform similar functions, the Bureau believes that external companies performing the same functions should fall under the CFPB’s jurisdiction in the same manner as financial services firms. The Rule defines the following activities to be within the CFPB’s jurisdiction and not subject to the service provider exception:
- Lead Generation – Using a marketer’s own knowledge of user characteristics and behavior to identify or select prospects for a covered person’s business.
- Customer Acquisition – Implementing a marketing plan, even if the covered financial services company chooses the target user characteristics (such as demographics and online or offline behavior).
- Marketing Analytics or Strategy – Companies that measure the effectiveness of a particular marketing effort by calculating a “customer acquisition rate” are considered to perform functions similar to those of the covered company and fall outside the CFPB’s interpretation of the exception.
According to the CFPB, companies engaged in digital marketing functions can avoid service provider jurisdiction only if they perform “ministerial” services. For example, a company that offers a covered financial services company “the ability to choose to advertise on specific web pages or applications” of the company’s choosing generally falls within the “time or space” exception. This very limited example shows the CFPB’s view that its powers to enforce the Consumer Financial Services Act, including its UDAAP powers, potentially apply to any activity a marketing company undertakes that goes beyond very basic action.
With this shift, the CFPB has put digital marketing companies on notice that they may come under the jurisdiction of not only the CFPB, but also other state and federal consumer protection enforcement regulators. This means digital marketing companies can be held liable under the FCRA, the Fair Lending Act, and the UDAAP.
2. Failure to implement certain data security practices as an example of unfair acts or practices.
Following its expansion of jurisdiction, the CFPB issued a circular (the “Circular”) warning companies that have not implemented certain security measures that they risk violating the prohibition on unfair acts or practices. The Circular points out that poor security practices may violate that prohibition, which reaches acts or practices that cause or are likely to cause serious harm to consumers where that harm is not outweighed by offsetting benefits to consumers or competition. 12 USC § 5531(c).
The CFPB warns businesses that failing to implement common data security practices “significantly increases the likelihood” of a breach. The CFPB’s “common data security practices” include multi-factor authentication, password management, and timely software updates. Companies that do not adopt these processes “are likely to cause serious harm to consumers that cannot reasonably be avoided.”
What’s next?
These recent actions demonstrate the CFPB’s intent to assert jurisdiction over digital marketing firms and to scrutinize data security practices across the wider enterprise, and they clearly show that it is extending its enforcement reach beyond financial products and services into technology and data markets. These announcements demonstrate the CFPB’s intent to make a decisive move in the already crowded arena of federal and state data privacy regulators. These announcements also serve as CFPB guidance for other regulators to follow when considering how to approach data aggregation, marketing, and security.
For some, this recent guidance may come as a surprise. Others who have been monitoring these developments see it as a policy statement gleaned from the October 2021 orders sent by the CFPB to “tech giants,” including some of the largest online marketing and social media companies. Among other things, these orders sought detailed information to analyze how these companies access and use consumer financial data to support their payment products and services. Information gleaned from these orders is now used as an anchor for expanding jurisdiction and setting floors for minimum data security practices.
The CFPB may issue additional guidance based on information from the October 2021 orders. Future activities may include both additional inspections and enforcement actions. Digital marketing and fintech companies must navigate carefully amid an increasingly complex set of overlapping state and federal consumer protection and data/privacy laws.
Why is this important?
- The expansion of the CFPB’s definition of digital marketing and service provider jurisdiction will allow it to exercise stronger and broader powers over a wider range of technology companies, including certain social media sites and online retail platforms.
- The CFPB has published its position on the minimum data security standards businesses need to meet to avoid unfair conduct or practices in violation of federal and state law.
- Fintechs and marketing companies that do not consider how consumer protection laws apply should start reviewing their policies, procedures, and products to comply with consumer protection laws.