CFPB Steps Up Scrutiny of Fintech Companies

DataOn March 7, 2016, the Consumer Financial Protection Bureau (CFPB) announced that it will begin collecting complaints from consumers about online marketplace lenders, signaling its intention to increasingly regulate the evolving and growing Financial Technology (Fintech) industry.  The CFPB announcement emphasized that marketplace lending is “a relatively new kind of online model” and CFPB director, Richard Cordray, warned that “[a]ll lenders, from startups to large banks, must follow consumer protection laws.  By accepting  these consumer complaints, we are giving people a greater voice in these markets and a place to turn to when they encounter problems.”  The announcement was accompanied by a bulletin for consumers about what to consider when shopping for a loan, risks in refinancing certain types of debt, and advising consumers that marketplace lending is a “young industry” that does not have the same level of oversight and supervision as banks and credit unions.  The industry should expect that the CFPB will use the complaint database to analyze trends within the industry or red flags concerning a particular company, and act accordingly.

The CFPB’s announcement follows on the heels of a March 2, 2016 consent order with Dwolla Inc., a prominent online payment provider, for allegedly misrepresenting its data security practices as “safe,” “secure,” “safer [than credit cards],” and “exceeding industry standards.” The CFPB asserted that the online payment provider made false representations regarding the strength of its data-security practices, which the CFPB found lacking in several key respects, including inadequate data policies and procedures, failure to conduct regular risk assessments, inadequate employee training, inadequate encryption practices and lack of oversight and testing of third-party software developers.  Marking its first enforcement action in the data security space and one of its first actions against a Fintech company, the CFPB alleged that the payment platform provider’s representations constituted a deceptive act under the Dodd-Frank Wall Street Reform and Consumer Protection Act.  The action serves as a warning to the Fintech industry that it is subject to the same scrutiny as traditional consumer financial service institutions, including most importantly the prohibition on unfair, deceptive, and abusive acts and practices.

The CFPB’s recent actions signal increased focus on the rapidly growing Fintech industry, both in its potential benefits and risks to consumers. Last month we reported on the CFPB’s final policy on No-Action Letters for innovative financial products.  With its actions this week, the CFPB has also signaled its intention to hold such companies accountable for alleged violations of law, and potentially set the groundwork for future rulemaking and informal guidance.  Given the certitude of the CFPB’s increased presence in this space, Fintech companies should review their existing practices to ensure compliance with all applicable law, including particularly risk of unfair, deceptive, and abusive acts and practices. Companies should ensure that the claims it makes in advertisements and marketing  – particularly concerning key features of its product that distinguish it from traditional lending institutions  – are accurate, verifiable, and reflected across its institution and product offerings.