The Consumer Financial Protection Bureau has made it increasingly clear that the agency’s enforcement unit will be less aggressive going forward.

But that move could actually expose fintechs to more risk, not less.

Late last month, acting Director Mick Mulvaney told a conference of state attorneys general that the CFPB would no longer be “pushing the envelope” or “look[ing] to create law where there isn’t” through enforcement actions. Instead, the acting director said, the CFPB will be “looking to the state regulators and state attorneys general for a lot more leadership when it comes to enforcement.” This would amount to a considerable change that comes with its own set of risks for companies that deal with consumers or the public.

For the emerging fintech space, one key area of concern in the pre-Mulvaney regime was the CFPB’s enforcement of the Dodd-Frank Act’s prohibition on unfair, deceptive, or abusive trade practices. Since many fintech companies rely heavily on the collection and analysis of consumer data — think payment companies and marketplace lenders — those companies’ practices and disclosures around protecting that data risked possible CFPB action.

Recall, for example, the CFPB’s enforcement action in 2016 against Dwolla for misrepresenting its data security practices. Dwolla had represented to its customers that its data protection practices surpassed the industry standard for protection, and that consumer information was “securely encrypted and stored.” In reality, the CFPB charged, Dwolla failed to encrypt sensitive personal information and did not perform adequate data security testing on its services. According to the CFPB, Dwolla’s misrepresentations concerning its data security environment amounted to deceptive trade practices, and the company was ordered to pay a penalty and address flaws in its data security scheme.

Under the new regime, it is not yet clear whether the CFPB’s overall scaling back of enforcement activity will affect its approach to the data-driven fintech space. But should the CFPB leave these issues to state authorities, fintech companies may, counterintuitively, have more to worry about.

The perception that federal enforcers have left a field open may embolden the agency’s state counterparts to step into the fray. It was not that long ago that Eliot Spitzer’s aggressive enforcement of New York law led news outlets to dub him the Sheriff of Wall Street, amid questions about the SEC’s scaled-back role in the securities markets. Indeed, state attorneys general have been indicating for months that they intend to step up to fill gaps left by federal authorities. (It is possible, of course, that other federal regulators, such as the FTC, could also seek to fill a perceived vacuum.)

For state authorities looking for an increased role in the market, fintech companies’ protection of consumer information could become an area of focus. All 50 states have statutes prohibiting unfair and deceptive practices. And state attorneys general know how to use their authority to bring enforcement actions for data-privacy-related failures. Acting Director Mulvaney has also indicated that he will generally not interfere with state actions to enforce provisions of Dodd-Frank itself, which the statute authorizes.

In all, with the CFPB encouraging state authorities to step into the fray, the agency’s preference for less enforcement at the federal level may not mean less enforcement activity overall. Instead, it could lead to more inconsistent and unpredictable efforts by state authorities acting on disparate views of what practices are acceptable.

In the meantime, fintech companies must remain vigilant regarding their privacy practices and disclosures to make sure they are up to snuff in all the jurisdictions in which they operate.