So you're a fintech startup, buying a fintech company, or expanding the technical capabilities of your financial business. Or you're a tech company that is getting into the payments space. Where do you start when it comes to figuring out what consumer protection laws apply to you? You should be aware that, for the past several years, the Federal Trade Commission (FTC) and the Consumer Financial Protection Bureau (CFPB) have been actively enforcing consumer protection laws in the fintech space. For example, the FTC has recently brought cases involving an online lender that allegedly charged undisclosed fees, a mobile banking app that falsely promised high interest rates and 24/7 access to funds, promoters of cryptocurrency money-making schemes, and tech platforms offering in-app purchases. The CFPB most recently shuttered a VC-backed online lender for false advertising related to interest rates and loan amounts. Earlier last year, the CFPB had obtained refunds and a civil penalty against a fintech company for enabling merchants to obtain loans for consumers without their authorization.

Of late, one of the key concerns driving regulators' interest in fintech companies is how these companies will use and protect consumers' data. Here are some regulatory developments fintech companies should be watching:

• Increased regulatory scrutiny of privacy practices: Keep an eye on the FTC's upcoming privacy rulemaking proceeding, which could apply to a range of economic sectors, including fintech. The CFPB has also launched some privacy inquiries into fintech:
  • Tech platforms: In October, the CFPB ordered six major tech companies—Google, Apple, Facebook, Amazon, Square, and PayPal—to turn over information about their P2P payment and mobile wallet apps like Venmo, Cash App, Apple Pay, Amazon Pay, and Google Pay. The CFPB also announced that it will study the practices of Chinese tech giants that offer payment services, such as WeChat Pay and Alipay. The CFPB is asking for information on whether these companies will combine the data they collect on consumers with their geolocation and browsing data to target ads to consumers.
  • Buy Now, Pay Later (BNPL) companies: The CFPB also sent orders to Affirm, Afterpay, Klarna, PayPal, and Zip, companies that offer "buy now, pay later" credit, a type of deferred payment option. Among other things, the CFPB is concerned about "data harvesting" by BNPL lenders who have access to their customers' payment histories, and is seeking to better understand practices around data collection, behavioral targeting, data monetization, and the risks these practices may create for consumers.
• Updates to GLBA Safeguards Rule regulating financial institutions' security practices: The FTC amended its Safeguards Rule in October 2021, which requires non-bank financial institutions to implement information security safeguards. The amendments create prescriptive rules on issues such as encryption and multi-factor authentication. With fintech companies being an attractive target for cybercriminals, setting up a compliance program under GLBA is a must-do. See our alert here for more information on the key provisions of the updated Rule. Fintech companies are also subject to the GLBA Privacy Rule, which requires disclosures about privacy practices.
• Forthcoming rules on access to financial data: In its Fall 2021 Rulemaking Agenda, the CFPB highlighted as one of its key activities a rule to address consumer access to their own electronic financial account data. This rulemaking is particularly timely given the explosion of data aggregators that access consumers' data from their financial accounts with their authorization and share it with other entities (e.g., by compiling consumers' financial information for a mortgage application). In an earlier proposed rulemaking on this issue, the CFPB sought information on potential risks associated with such access, including risks related to security, privacy consumer control, and accountability for data errors and unauthorized access. These issues were also the subject of discussion at a recent House Financial Services Committee hearing.
• Potential application of the Fair Credit Reporting Act: Fintech companies should be familiar with the Fair Credit Reporting Act (FCRA), which applies not only to credit bureaus and background screening companies, but also anyone who: 1) assembles or evaluates consumer data and shares it for purposes of determining eligibility for credit, insurance, employment, housing, or other eligibility purposes; 2) buys credit reports, including credit scores; or 3) supplies consumer information to credit bureaus. Some examples of fintech companies that should consider application of the FCRA include:
  • Lead generators: In its recent case against financial lead generator IT Media, the FTC alleged that the company obtained consumers' credit scores from credit bureaus and used them for marketing purposes in violation of the FCRA. The FTC further alleged that IT Media was a "reseller" of consumer reports, and as such, violated its obligations to ensure that any end-users of those reports had a permissible purpose to obtain them.
  • Data aggregators: If you assemble consumer-authorized financial data and share it for eligibility purposes (e.g., credit, insurance), the FCRA probably applies to you.
  • Companies that buy or use algorithms: Certain sharing or uses of algorithms to deny credit, housing, employment, or other benefits to consumers could implicate the FCRA.
  • Debt collectors: Of course, fintech startups in the debt-collection space must comply with the Fair Debt Collection Practices Act and new CFPB rules that became effective under that Act as of November 30, 2021. But many debt collectors also furnish information to the credit bureaus and are thus subject to FCRA obligations to maintain the accuracy of this information and to allow consumers to dispute inaccuracies. Indeed, just last week the CFPB released a bulletin warning companies that if they furnish information to credit bureaus about medical debt stemming from charges that exceed the amount permitted by federal legislation, the CFPB will take action.
• Special attention to algorithms: In addition to raising FCRA compliance issues, the FTC has warned that use of algorithms that discriminate against protected classes can be considered an unfair practice and can also trigger liability under statutes like the Equal Credit Opportunity Act. The CFPB has also gotten into the action: It just redesigned its whistleblower web page and shared a post from its Chief Technology Officer encouraging whistleblowers with knowledge of "potential discrimination or other misconduct within the CFPB's authority to report it to us." Companies should test their algorithms prior to launching them and proceed with caution when their practices could result in disparate treatment or have a demonstrable disparate impact based on protected characteristics.
• Interest in protection of small business: Think you're out of the woods if you don't market your products to consumers? Think again. The FTC and CFPB are thinking about consumer protection and privacy expansively, with keen interests in protecting not only consumers of products and services, but also workers and small businesses. For example, although the FCRA applies only to consumer credit, the FTC just announced a settlement challenging Dun & Bradstreet's business credit reports under the FTC Act, alleging that they were inaccurate and did not give businesses a reasonable process to challenge these inaccuracies. The upshot? Consumer protection and privacy laws may apply even if you're selling products and services to small businesses.

The bottom line for fintech companies: Think about why you collect personal data, how you collect, use, and store it, and whether and how you share or provide access to it. Do you use this data to facilitate decision-making about consumers? If so, consider application of the FCRA. In general, the less data you collect and share, the lower your regulatory exposure. If you need additional assistance with regulatory compliance regarding privacy, security, and consumer protection laws, contact Wilson Sonsini attorneys Laura Ahmed, Maneesha Mithal, or Libby Weingarten.