The Consumer Financial Protection Bureau (“CFPB”) recently instituted a cybersecurity enforcement action against an online payment platform, Dwolla, Inc., in the form of a consent order. This consent order is significant because it is the first time the CFPB has sought to institute an enforcement action in the cybersecurity arena after it was given the authority to do so under the Dodd-Frank Wall Street Reform and Consumer Protection Act (“Dodd-Frank Act”), highlighting the increasing emphasis being placed by financial regulators on cybersecurity practices. The Securities and Exchange Commission (“SEC”), Financial Industry Regulatory Authority (“FINRA”), and the Federal Trade Commission (“FTC”), among others, have all been quite active in policing data security practices of financial institutions in recent years. The SEC even listed cybersecurity control procedures of registered broker-dealers and investment advisers as one of its examination priorities for 2016.
The Dodd-Frank Act gives CFPB supervisory authority over providers of consumer financial products or services. It also authorizes CFPB to take enforcement action to prevent unfair, deceptive or abusive acts or practices from these providers. In this case, Dwolla allegedly made several exaggerated claims regarding the strength of its data security practices that the CFPB found to be deceptive within the meaning of the Dodd-Frank Act.