The CFPB Expands Its UDAAP Authority Further Into Data Security Issues 

August 2022 - Michael C. Flynn

August 15, 2022


Continuing a trend it has been pursuing, the CFPB on Thursday issued a non-rulemaking circular (Consumer Financial Protection Circular 2022-04) stating that its UDAAP authority reaches situations in which a financial institution has insufficient data protection or information security, and that it may bring enforcement actions on that basis. The circular may be found here.

Earlier this year, the CFPB announced that its UDAAP authority extended to fair lending issues beyond ECOA and the CFPB’s traditional fair lending coverage. See Buchalter March 31, 2022 Client Alert.

In this latest declaration of an extension of its UDAAP authority, the CFPB stated that the failure of a bank or nonbank financial firm to adequately safeguard its customers' personal data can meet the criteria for an unfair practice under the Consumer Financial Protection Act.

The circular also gave examples of basic security measures that, according to the CFPB, can help firms reduce their exposure to unfairness liability. It specifically named three: implementing multifactor authentication, maintaining adequate password management, and applying software updates and patches in a timely manner. The circular presents these as examples rather than as a complete list of what the CFPB will expect.

In a statement, CFPB Director Chopra stated: "Financial firms that cut corners on data security put their customers at risk of identity theft, fraud, and abuse. While many nonbank companies and financial technology providers have not been subject to careful oversight over their data security, they risk legal liability when they fail to take commonsense steps to protect personal financial data."

This development further highlights the need for strong data security oversight and management, and the need to involve regulatory specialists, not only technical staff, when data security issues arise.

Buchalter is a leading nationally recognized financial services law firm, having served large, medium and small financial institutions for over 90 years. Its Privacy & Data Security Practice Group and its Financial Services Regulatory Industry Group are ideally situated to assist in this area. The combined expertise of these Groups' lawyers can assist any financial institution in addressing data protection and information security issues and their regulatory fallout. You can reach out to any member of the Privacy & Data Security Practice Group or the Financial Services Regulatory Industry Group for assistance.

Michael Flynn* (*Admitted to practice in California, the District of Columbia, and Michigan, and in Colorado temporarily authorized pending admission under CRCP205.6)

Willmore Holbrow

Steven Nakasone

Benjamin Heuer

Ernie Bootsma

Melissa Richards

This communication is not intended to create or constitute, nor does it create or constitute, an attorney-client or any other legal relationship. No statement in this communication constitutes legal advice nor should any communication herein be construed, relied upon, or interpreted as legal advice. This communication is for general information purposes only regarding recent legal developments of interest, and is not a substitute for legal counsel on any subject matter. No reader should act or refrain from acting on the basis of any information included herein without seeking appropriate legal advice on the particular facts and circumstances affecting that reader. For more information, visit
