Finding liability for "unfair and deceptive trade practices" has been the linchpin of a series of high-profile Federal Trade Commission ("FTC") settlements for years. Now the Dodd-Frank Wall Street Reform and Consumer Protection Act ("Dodd-Frank") has given the Consumer Financial Protection Bureau of the Treasury Department a new mandate to "protect families from unfair, deceptive, and abusive financial practices" in the context of bank data breaches. In short, this mandate, along with the CFPB's new rulemaking authority over the privacy provisions of the Gramm-Leach-Bliley Act and the Fair Credit Reporting Act, makes it an effective new player in the bank security field. For unwary banks, the result could be an unfair and deceptive trade practice allegation.

The History of Financial Services Regulation

Before Dodd-Frank, most depository institutions were governed by federal bank regulators including the Office of the Comptroller of the Currency ("OCC"), the Federal Reserve ("the Fed"), the National Credit Union Association ("NCUA"), and the Federal Deposit Insurance Corporation ("FDIC"). The OCC, the Fed, the NCUA, and the FDIC were primarily supervisory and regulatory bodies. Rarely did such agencies use their enforcement power.

Dodd-Frank and UDTP

Dodd-Frank transfers much of the privacy rulemaking authority of the Gramm-Leach-Bliley Act and the Fair Credit Reporting Act to the newly created Consumer Financial Protection Bureau ("CFPB"). The CFPB's jurisdiction extends to any insured depository institution or credit union with over $10 billion in assets. Nonetheless, banks with under $10 billion in assets do not, as a practical matter, escape the CFPB. Dodd-Frank allows the CFPB to recommend to the FDIC or other prudential bank regulator that it undertake an enforcement action against a smaller bank.

The CFPB: The Newest Consumer Protection Agency on the Block

The goal of the CFPB is to focus directly on consumers, rather than on bank safety and soundness or on monetary policy. According to the agency:

[Its role is to] heighten government accountability by consolidating in one place responsibilities that had been scattered across government. [The CFPB has] responsibility for supervision and enforcement with respect to the laws over providers of consumer financial products and services that escaped regular Federal oversight. This agency would protect families from unfair, deceptive, and abusive financial practices. (emphasis added)

This new regulatory obligation to protect consumers from "unfair, deceptive, and abusive financial practices" echoes the FTC's existing and long-standing use of UDTP to bring enforcement actions for sloppy security practices and data privacy breaches. The FTC regulates non-depository institutions primarily through its enforcement authority and has created a large body of "security failure" and "data-breach" settlements under § 5 of the Federal Trade Commission Act, which created regulatory liability for breaches that the FTC considered "unfair or deceptive acts or practices affecting commerce."

The CFPB says it will focus on "compliance management systems," "third-party oversight" (such as IT vendors), and "internal monitoring." Data breaches flowing from failed "internal controls and oversight, training, internal monitoring, customer complaint response, independent testing and audit, [and] third-party service provider oversight..." are subject to regulatory examination by the CFPB. With newly delegated enforcement authority over the privacy provisions of Gramm-Leach-Bliley and the Fair Credit Reporting Act, the CFPB, like the FTC, has the tools to bring enforcement actions for improper privacy notices, data breaches, or inappropriate data transfers. Add to that Dodd-Frank's UDTP language and we have an agency vested with immense enforcement power.

What are unfair and deceptive trade practices under Dodd-Frank?

  • Practices that materially interfere with the ability of a consumer to understand a term or condition of a consumer financial product or service; or
  • Practices that take unreasonable advantage of:
      • a consumer's lack of understanding;
      • the inability of the consumer to protect his own interests; or
      • situations where the financial institution is shown to have taken advantage of the consumer's reasonable reliance on the bank's promised protection of the consumer's interest.

Note the focus on "the consumer." It appears that Dodd-Frank's UDTP turns not so much on what the bank does, but on what the consumer understands. This means that banks' compliance systems will have to focus on external reliance more than in the past, when review of internal systems was sufficient. The civil penalties for a violation of Dodd-Frank range from $5,000 per day for non-egregious violations, to $25,000 per day for reckless violations, and $1 million per day for knowing violations.

Originally published in Carolina Banker, Spring 2014.
