The CFPB’s recent announcements are clear: an organization that fails to protect consumer data, or fails to use it fairly, violates the Unfair and Deceptive Acts and Practices Act (UDAAP). It may not be so simple, though. To survive the current regulatory environment, ARM entities should pay attention both to the substance of each announcement and to the method by which the CFPB is expanding UDAAP.
Within the last 30 days, the CFPB has declared that digital marketing, an algorithm, and data security issues can violate UDAAP. However, instead of using notice and comment rulemaking to gain insight from stakeholders, the CFPB has used interpretive rules, circulars, and an enforcement action to reshape UDAAP’s reach.
Digital Marketing Interpretive Rule
According to the CFPB’s August 10, 2022 announcement, digital marketers who are materially involved in developing content strategies for those subject to CFPB scrutiny can face UDAAP liability for unfair, deceptive acts or practices and other consumer financial protection violations. The CFPB reasoned that these service providers must adhere to consumer financial protection laws because financial firms rely on their expertise in machine learning and advanced algorithms to process personal data.
Read the complete interpretive rule here.
Consent Order - UDAAP Violation from Use of an Algorithm
On August 10, 2022, the CFPB took action against a financial company, Hello Digit, LLC. As explained in more detail in this article, Hello Digit used a proprietary algorithm to help people put aside money for vacations or rainy days. However, according to the CFPB, the algorithm was faulty and caused consumers to overdraft their accounts. Notably, the CFPB’s press release mentioned the faulty algorithm as the cause of consumer harm; neither policies, procedures, nor human oversight were listed as contributing factors.
Read the complete consent order here.
Data Security Circular
On August 11, 2022, the CFPB published a circular regarding the requirement to safeguard consumer data. As further detailed in this article, practices that “are likely to cause” substantial injury include inadequate data security measures that have not yet resulted in a breach. Where companies forgo reasonable cost-efficient measures to protect consumer data, the CFPB expects the risk of substantial injury to consumers will outweigh any purported countervailing benefits to consumers or competition.
Though little to no detail was provided, the CFPB listed the following as reasonable, cost-efficient measures to protect data:
- Required multifactor authentication
- Proper password management
- Timely software updates
These announcements by the CFPB are relevant to everyone in the ARM industry. Even if your organization doesn’t have a digital marketing program, you may have service providers that provide insight regarding your data. If you think you don’t use algorithms, note that the CFPB did not define “algorithm.” Could the definition of “algorithm” include any automatic decisioning tool? It might. Finally, the lack of clarity and definition in the August 11, 2022 circular regarding data security is concerning.
The CFPB is playing a long game, and its recent announcements should not be considered in a vacuum. In June 2022, the CFPB focused on improving customer service (see here and here). The CFPB wants more human-to-human interaction with consumers, not less. They’ve also said on multiple occasions that the entities they supervise need to have proper audit procedures in place, and they cannot blame their vendors for things that go awry. We also already know that the CFPB believes its UDAAP authority allows it to review for discrimination and, in its view, technology impacts compliance. Notably, the CFPB is not seeking input from the industry as it stretches UDAAP.
Putting it all together, if CFPB-supervised entities seek to implement new technology, they should tread carefully. Though new technology can help operations, it is not a cure-all or a way to be absolved of all decisions and human interaction. When considering new technology, ARM entities need to do more than simply look at the business benefits. To be on the right side of UDAAP, compliance departments should communicate freely with operations and I.T. and pay close attention to the impact new technology has on consumers. Further, beyond simply auditing vendors’ policies and procedures, vendor output needs to be analyzed too. While compliance, I.T., and operations may have been siloed in the past, to survive in the future these walls must be broken down and these groups must work together.