Today's Trends in Credit Regulation

Data Security Under the Consumer Financial Protection Act
By Anne P. Fortney

You are probably aware that the new Bureau of Consumer Financial Protection (CFPB) will come into existence on July 21, 2011, unless the Secretary of the Treasury extends that date. The CFPB will enforce the laws involving consumer financial products and will also have supervisory authority over large banks, mortgage loan product and service providers, and other larger participants in the market for consumer financial products or services (but generally not auto dealers).

Most people would think that “consumer financial protection” laws include those that govern the security of consumers’ financial information and the laws that protect against identity theft. Congress, however, has drawn an important distinction between those kinds of data security laws and laws involving financial privacy.

As a result, not all laws protecting consumer financial information will transfer to the CFPB. The new Bureau will have no jurisdiction over the Fair Credit Reporting Act (FCRA) provisions that involve data security and identity theft prevention. The Federal Trade Commission (FTC) and the federal financial institution regulatory agencies (the Agencies) will retain their current rulemaking and enforcement authority under the Red Flags Rule, issued pursuant to FCRA section 615(e), and the consumer information disposal rule prescribed under FCRA section 628.

There is a similar dichotomy for the Gramm-Leach-Bliley Act (GLBA) safeguards provisions. The CFPB will write and enforce the privacy rules issued under GLBA section 504(a), but the FTC and the Agencies will continue to prescribe and enforce the GLBA safeguards provisions under GLBA section 501(b). Thus, the FTC and the federal banking agencies retain exclusive enforcement responsibility as to persons within their respective jurisdictions with respect to the GLBA safeguards provisions and the portions of the FCRA that are not transferred to the CFPB.

This dichotomy appears designed to address the arguments advanced during debate over the CFPA, that financial institutions’ prudential regulators should retain jurisdiction over laws affecting the institutions’ safety and soundness. Laws involving data security and identity theft prevention protect financial institutions, as well as consumers, and for that reason will continue to be enforced by the FTC and the Agencies with respect to persons under their respective jurisdictions.

The FTC’s enforcement actions involving data security breaches at non-financial institutions raise an interesting issue as to how the CFPB might react to a security breach involving persons under its supervisory and enforcement jurisdiction. The FTC has alleged that the failure to maintain adequate data security standards could be an “unfair” practice in violation of Section 5 of the FTC Act (remember the cases against BJ’s Wholesale Club and DSW, Inc.?). The Bureau will have concurrent authority with the FTC to enforce FTC Act Section 5 as to entities within the Bureau’s jurisdiction, and may also write rules proscribing unfair acts or practices, based on a standard derived from the FTC Act. It remains to be seen whether the Bureau will try to use that authority to expand into areas that Congress may not have foreseen.

Anne Fortney is a partner in the Washington, D.C., office of Hudson Cook, LLP. Anne can be reached at 202-327-9709 or by email at afortney@hudco.com.
