Why banks need to act now or risk non-compliance with new Consumer Financial Protection Bureau (CFPB) guidance

If the gauntlet hadn’t been thrown before to protect financial and banking customers’ data, it’s definitely lying on the floor now. The recent circular bulletin from the CFPB makes it clear that financial institutions can’t slow-walk any security upgrades: “Inadequate security for the sensitive consumer information collected, processed, maintained, or stored by the company can constitute an unfair practice in violation” of CFPB regulations or even the Dodd-Frank act. It also provides guidance to consumer protection enforcers, including examples of when firms can be held liable for lax data security protocols, and recently issued a statement via Twitter urging consumers to report financial institutions that do not offer sufficient multi-factor authentication (MFA) options.

Given the weight of the news, the circular is getting the attention of legal departments at banks and other financial institutions around the country. Some may have implemented phishing-resistant multi-factor authentication (MFA) solutions like security keys already across their employee network, but others may still be searching for a solution – especially at distant locations like local bank branch offices. 

To better understand how organizations can take action to avoid future violations, the circular goes on to define exactly what a violation is:

  1. “(Something) that causes or is likely to cause substantial injury to consumers.
  2. (Something) which is not reasonably avoidable by consumers.
  3. (Something) not outweighed by countervailing benefits to consumers or competition.”

The language here is important, especially the “likely to cause” phrase in the first sentence. That means, as the circular itself says, that “this prong of unfairness is met even in the absence of a data breach.” So banks could be in violation of the law today, even before any problem becomes public, just by tolerating a situation where a breach is “likely” to happen. 

In messaging that closely mirrored guidance provided for federal agencies and their third party suppliers by last year’s Executive order, this move from the CFPB shows how adoption of strong MFA can also be expanded via regulation in the private sector. In order to not only stay secure from increasingly sophisticated phishing attacks, phishing-resistant MFA should be part of banks’ plans for everybody in the organization – not just employees at a headquarters building. Now that CFPB has entered into the realm of MFA regulation, this may be the start of a movement where other regulators also start to focus on this issue.

The 2017 Equifax data breach was particularly called out as an example of something that constituted an “unfair practice,” and Equifax has had to pay the price for putting 147 million consumers’ information in jeopardy. 

Here are a few other “unfair practices” that were explicitly named in the circular as liabilities for a company: 

  • Not requiring MFA for employees or not offering MFA as an option for consumers. 
  • Not having adequate password management policies and practices. In practice that means you should have processes in place to flag employees who are re-using or using default logins and passwords. 
  • Not routinely updating systems, software, and code or failing to make critical vulnerability updates when alerted. In practice, that means keeping track of what software is no longer maintained by vendors and understanding how your systems rely on particular third-party software packages. Equifax famously failed to patch a known vulnerability for four months, which gave hackers the access they needed. 

How can you avoid risk if you’re tasked with guarding your employees’ and customers’ most sensitive data? Even if you are not working in the financial services sector, the standards that have now been set for them are a best practice for any company that wants robust security. Take these steps:

  • Read the CFPB circular and have your own legal team assess your company’s liability (or presumed future liability) based on the standards. 
  • If you have not done so in two years, run a full-scale audit of how all employees authenticate and what areas need to be bolstered through phishing-resistant MFA. The audit should extend beyond privileged users to include everybody, especially those working at remote locations or with hybrid work schedules. The audit should include the software updating process to make sure there are no “Equifax-sized” holes in your system.
  • Lay out a roadmap that schedules regular security audits in the future as well as planned security upgrade rollouts. The roadmap should include a communications plan with employees and customers so that no one is caught off guard by a new authentication process or routine. 

——

For more information on how YubiKey can bring modern authentication to financial services companies, read Yubico’s Financial Services White Paper.

Talk to our teamTalk to our team

Share this article:


  • Works with YubiKey Spotlight: Passkeys are here – are you ready?With 2025 at its midpoint, enterprises worldwide are grappling with how to protect their users and data against emerging challenges around user security. Since 2022, generative AI has fueled a 4,000% surge in phishing – exploiting human vulnerability in 68% of breaches. It’s no longer a question – the world has a password problem that […]Read morepartnerspasskeysWorks with YubiKeywwyk
  • Yubico LogoYubico liefert PIN-Verbesserungen mit dem neuen YubiKey 5 – Verbesserte PIN-SchlüsselUm sich auf die sich ständig weiterentwickelnden Cyber-Bedrohungen vorzubereiten, passen Regierungen weltweit die Authentifizierungsanforderungen für Online-Dienste an und aktualisieren sie, was direkte Auswirkungen auf viele Unternehmen und deren Mitarbeiter hat. Zwar gibt es derzeit keine universelle Regelung für eine robustere Multi-Faktor-Authentifizierung (MFA), doch wird deren Notwendigkeit in einer Reihe von Anforderungen hervorgehoben, darunter PSD2, DSGVO […]Read moreYubiKey
  • Yubico delivers PIN advancements with new YubiKey 5 – Enhanced PIN keysTo prepare for continuously evolving cyber threats, governments around the world are adapting and updating authentication requirements for online services which directly impact thousands of organizations and their employees. While there’s currently no universal regulation for more robust multi-factor authentication (MFA), the need is highlighted across a range of requirements including PSD2, GDPR, and the […]Read moreCompany NewsProduct NewsYubiKeyYubiKey 5 – Enhanced PINYubiKey 5 SeriesYubiKey as a Service
  • An inside look at Yubico’s transition to passwordlessBefore “passkey” became a familiar term in our industry, Yubico had long delivered hardware-backed and phishing-resistant FIDO2 based authentication. Today, the adoption of passkey usage is accelerating. However, it’s taken quite a bit longer to integrate passwordless authentication into the everyday, enterprise-grade authentication flows that are required for today’s businesses.  As long as it’s been […]Read moreOktapasswordless