UDAAP: Regulating the "Could've, Would've, Should've"
Yesterday's Consumer Financial Protection Bureau (CFPB) Consent Order against Dwolla, Inc., a company that operates an online payment system, is yet more evidence of the murky world of Unfair, Deceptive, or Abusive Acts or Practices (UDAAP) enforcement. The CFPB alleged that Dwolla falsely claimed that its data security practices exceeded or surpassed industry security practices and falsely claimed that the consumer information that it held was securely encrypted and stored. The alleged conduct took place from 2011 to 2014. Dwolla agreed to pay a civil penalty of $100,000.00.
This is the CFPB's first data security action and is based on its authority to prevent entities from engaging in unfair, deceptive or abusive acts or practices under the Dodd-Frank Act. Dodd-Frank states that the "Bureau may prescribe rules applicable to a covered person or service provider identifying as unlawful unfair, deceptive, or abusive acts or practices…." To date, the CFPB has not adopted any rules implementing its UDAAP authority. It has chosen instead to bring actions based on UDAAP as it sees fit, with no regulatory guidance as to what types of actions would constitute a UDAAP.
Even more striking in the Dwolla Consent Order is that there was no finding by the CFPB of any financial harm to any consumer as a result of Dwolla's actions. Further, there was no finding that any security breach occurred or that any consumer data was compromised. The Consent Order only makes a tenuous conclusion that Dwolla's actions "were likely to mislead a reasonable consumer into believing that Dwolla had incorporated reasonable and appropriate data-security practices when it had not" and that Dwolla's "representations were material because they were likely to affect a consumer's choice or conduct regarding whether to become a member of Dwolla's network." (Emphasis added.)
What's happening here? Dwolla's actions, if you believe them to be true, amount to nothing more than a failed audit, especially in light of the small civil fine. However, has the standard for UDAAP become so amorphous that we have to operate in the world of the subjective "what if"? "Likely" is not an objective standard by which a company can conduct its business and should not be the basis for any UDAAP violation.
With no regulatory guidance, the financial services industry is left with little choice but to invest a disproportionate amount of resources to ensure that all their operations, policies and procedures are, at all times, not unfair, deceptive or abusive, which is a standard that is not defined and exists only in the minds of the CFPB enforcers.
Clark Hill's Consumer Financial Services Regulatory & Compliance Group is a national leader in the field of consumer financial services law, providing strategic legal counsel to clients in all areas of consumer finance. We provide counsel, consultation and litigation services to financial institutions, law firms and debt buyers throughout the country. Our group can help you navigate this rapidly evolving regulatory environment. Our exceptional team of lawyers and government and regulatory advisors has extensive experience in – and an in-depth understanding of – the laws and regulations governing consumer financial products and services. We can assist you in developing and implementing compliance programs, as well as defending consumer litigation and regulatory enforcement actions.