The CFPB warned that financial institutions and their service providers can be held liable for maintaining insufficient data protection or information security.

OCC Acting Comptroller Michael J. Hsu encouraged financial institutions to continue investing in cybersecurity risk mitigation efforts, and to collaborate through financial industry joint efforts aimed at information sharing and collective defense.

The cryptocurrency trading company Robinhood Crypto, LLC settled charges by the New York Department of Financial Services that it failed to (i) maintain an effective BSA/AML program, (ii) comply with NYDFS cybersecurity regulations, and (iii) comply with provisions of a previously issued Supervisory Agreement.

Three broker-dealers settled separate SEC charges for failing to implement an adequate supervisory system designed to prevent identity theft for covered accounts.

Industry participants and state regulators disagree as to whether proposed federal legislation to standardize privacy and security protections for consumer data should preempt state law.