Yesterday's Consumer Financial Protection Bureau's (CFPB) Consent Order against Dwolla, Inc., a company that operates an online payment system, is yet more evidence of the murky world of Unfair, Deceptive, or Abusive Acts or Practices (UDAAP) enforcement. The CFPB alleged that Dwolla falsely claimed that its data security practices exceeded or surpassed industry security practices and falsely claimed that the consumer information that it held was securely encrypted and stored. The alleged conduct took place from 2011 to 2014. Dwolla agreed to pay a civil penalty of $100,000.00.
This is the CFPB's first data security action and is based on its authority to prevent entities from engaging in unfair, deceptive or abusive acts or practices under the Dodd-Frank Act. Dodd-Frank states that the "Bureau may prescribe rules applicable to a covered person or service provider identifying as unlawful unfair, deceptive, or abusive acts or practices…." To date, the CFPB has not adopted any rules implementing its UDAAP authority. It has chosen instead to bring actions based on UDAAP as it sees fit, with no regulatory guidance as to what types of actions would constitute a UDAAP.
Even more striking in the Dwolla Consent Order is that there was no finding by the CFPB of any financial harm to any consumer as a result of Dwolla's actions. Further, there was no finding that any security breach occurred or that any consumer data was compromised. The Consent Order only makes a tenuous conclusion that Dwolla's actions "were likely to mislead a reasonable consumer into believing that Dwolla had incorporated reasonable and appropriate data-security practices when it had not" and that Dwolla's "representations were material because they were likely to affect a consumer's choice or conduct regarding whether to become a member of Dwolla's network." (Emphasis added.)
What's happening here? Dwolla's actions, if you believe them to be true, amount to nothing more than a failed audit, especially in light of the small civil fine. However, has the standard for UDAAP become so amorphous that we have to operate in the world of the subjective "what if"? "Likely" is not an objective standard by which a company can conduct its business and should not be the basis for any UDAAP violation.
With no regulatory guidance, the financial services industry is left with little choice but to invest a disproportionate amount of resources to ensure that all their operations, policies and procedures are, at all times, not unfair, deceptive or abusive, which is a standard that is not defined and exists only in the minds of the CFPB enforcers.
Clark Hill's Consumer Financial Services Regulatory & Compliance Group is a national leader in the field of consumer financial services law, providing strategic legal counsel to clients in all areas of consumer finance. We provide counsel, consultation and litigation services to financial institutions, law firms and debt buyers throughout the country. Our group can help you navigate this rapidly evolving regulatory environment. Our exceptional team of lawyers and government and regulatory advisors has extensive experience in – and an in – depth understanding of – the laws and regulations governing consumer financial products and services. We can assist you in developing and implementing compliance programs, as well as defending consumer litigation and regulatory enforcement actions.
For further information, please contact Thomas Brooks at 202.552. 2356 I email@example.com or Joann Needleman at 215.640.8536 I firstname.lastname@example.org.
Legal, Tax and Infrastructure Requirements for Fleet EV Charging
Organizations that currently own or intend to acquire electric vehicles can gain insights into tax, legal, and infrastructure requirements by understanding best practices and common mistakes. The panel will also discuss new EV laws and charging technology.
For companies considering a full or partial transition to EV fleets, the webinar will discuss how to maximize tax rebates, determine optimal legal contracts, and identify funding opportunities. The presentation will also cover infrastructure considerations with regard to electrical and cyber requirements.
Recreational Windfall: How to Prepare for Outside Players in Montana’s Cannabis Industry
Join national cannabis service providers Clark Hill, MGO, and eXp Commercial for a deep dive into the challenges and opportunities facing operators in Montana’s new adult-use cannabis industry.