Entrance to the Consumer Financial Protection Bureau, Washington, D.C. (Source: Shutterstock)

The CFPB released a nine-page circular Thursday warning fintechs working in the financial space of their duties to maintain data security safeguards and standards as ordered by the Gramm-Leach-Bliley Act. If fintechs do not follow these standards, they may be in violation of the Consumer Financial Protection Act's (CFPA) prohibition on unfair, deceptive or abusive acts and practices.

Thursday's circular appeared to be another warning by the bureau to fintechs that, despite their nonbank status and lack of financial regulatory oversight, they will be monitored by the CFPB for unfair or abusive practices as they relate to shoddy cybersecurity policies.


"In addition to other federal laws governing data security for financial institutions, including the Safeguards Rules issued under the Gramm-Leach-Bliley Act (GLBA), 'covered persons' and 'service providers' must comply with the prohibition on unfair acts or practices in the CFPA," the CFPB stated.

It continued, "Acts or practices are unfair when they cause or are likely to cause substantial injury that is not reasonably avoidable or outweighed by countervailing benefits to consumers or competition. Inadequate authentication, password management, or software update policies or practices are likely to cause substantial injury to consumers that is not reasonably avoidable by consumers, and financial institutions are unlikely to successfully justify weak data security practices based on countervailing benefits to consumers or competition. Inadequate data security can be an unfair practice in the absence of a breach or intrusion."

In a post on its website, NAFCU was supportive of the CFPB's reaffirmation of the issue.

"NAFCU supports holding nonbank fintech companies to the same data security standards that apply to credit unions to create competitive equality. However, the broad applicability of the circular to 'covered persons' and 'service providers' means that the extension of UDAAP-related liability for inadequate data security practices could potentially impact credit unions.

"Under the GLBA, the NCUA is responsible for administering the law's data safeguard provisions for federally-insured credit unions. NAFCU will continue to engage the bureau to emphasize the NCUA's role as the primary functional regulator for examining credit union data security," NAFCU stated.

NAFCU cited its own Data Privacy and Security white paper, which stated there's "no reason that a small credit union should be subject to more stringent requirements than an organization like Equifax, or that an organization like Facebook should not be subject to any requirements. Similar data security requirements should be imposed for fintech companies, retailers, and other entities that handle personal and financial information."


Michael Ogden

Editor-in-Chief at CU Times.