Why banks need to act now or risk non-compliance with new Consumer Financial Protection Bureau (CFPB) guidance

If the gauntlet hadn’t been thrown before to protect financial and banking customers’ data, it’s definitely lying on the floor now. The recent circular from the CFPB makes it clear that financial institutions can’t slow-walk any security upgrades: “Inadequate security for the sensitive consumer information collected, processed, maintained, or stored by the company can constitute an unfair practice in violation” of CFPB regulations or even the Dodd-Frank Act. It also provides guidance to consumer protection enforcers, including examples of when firms can be held liable for lax data security practices, and the CFPB recently issued a statement via Twitter urging consumers to report financial institutions that do not offer sufficient multi-factor authentication (MFA) options.

Given the weight of the news, the circular is getting the attention of legal departments at banks and other financial institutions around the country. Some may already have rolled out phishing-resistant MFA solutions like security keys across their employee base, but others may still be searching for a solution – especially for distant locations like local bank branch offices.

To better understand how organizations can take action to avoid future violations, the circular goes on to define exactly what a violation is:

  1. “(Something) that causes or is likely to cause substantial injury to consumers.
  2. (Something) which is not reasonably avoidable by consumers.
  3. (Something) not outweighed by countervailing benefits to consumers or competition.”

The language here is important, especially the “likely to cause” phrase in the first sentence. That means, as the circular itself says, that “this prong of unfairness is met even in the absence of a data breach.” So banks could be in violation of the law today, even before any problem becomes public, just by tolerating a situation where a breach is “likely” to happen. 

In messaging that closely mirrors the guidance last year’s Executive Order gave to federal agencies and their third-party suppliers, this move from the CFPB shows how adoption of strong MFA can also be driven by regulation in the private sector. To stay secure against increasingly sophisticated phishing attacks, phishing-resistant MFA should be part of banks’ plans for everybody in the organization – not just employees at a headquarters building. Now that the CFPB has entered the realm of MFA regulation, this may be the start of a movement in which other regulators also focus on this issue.

The 2017 Equifax data breach was particularly called out as an example of something that constituted an “unfair practice,” and Equifax has had to pay the price for putting 147 million consumers’ information in jeopardy. 

Here are a few other “unfair practices” that were explicitly named in the circular as liabilities for a company: 

  • Not requiring MFA for employees or not offering MFA as an option for consumers. 
  • Not having adequate password management policies and practices. In practice that means you should have processes in place to flag employees who are re-using or using default logins and passwords. 
  • Not routinely updating systems, software, and code or failing to make critical vulnerability updates when alerted. In practice, that means keeping track of what software is no longer maintained by vendors and understanding how your systems rely on particular third-party software packages. Equifax famously failed to patch a known vulnerability for four months, which gave hackers the access they needed. 

How can you avoid risk if you’re tasked with guarding your employees’ and customers’ most sensitive data? Even if you are not working in the financial services sector, the standards that have now been set for them are a best practice for any company that wants robust security. Take these steps:

  • Read the CFPB circular and have your own legal team assess your company’s liability (or presumed future liability) based on the standards. 
  • If you have not done so in the last two years, run a full-scale audit of how all employees authenticate and which areas need to be bolstered with phishing-resistant MFA. The audit should extend beyond privileged users to include everybody, especially those working at remote locations or on hybrid work schedules. It should also cover the software update process, to make sure there are no “Equifax-sized” holes in your systems.
  • Lay out a roadmap that schedules regular security audits in the future as well as planned security upgrade rollouts. The roadmap should include a communications plan with employees and customers so that no one is caught off guard by a new authentication process or routine. 

——

For more information on how YubiKey can bring modern authentication to financial services companies, read Yubico’s Financial Services White Paper.


