FTC’s “Future of Consumer Financial Protection” Workshop: GLBA Pretexting and FTC Consumer Redress Priorities
On May 14, 2026, the FTC co-hosted a workshop with George Mason University Law School’s Institute for Consumer Financial Choice. The workshop examined developments in the financial services sector in the last five years, and featured opening remarks from Chris Mufarrige, Director of the FTC’s Bureau of Consumer Protection. The workshop provided an opportunity for Director Mufarrige to reiterate the FTC’s support for Gramm‑Leach‑Bliley Act (GLBA) pretexting as an enforcement tool in the wake of AMG Capital v. FTC.
Background
In April 2021, the Supreme Court’s decision in AMG Capital Management, LLC v. FTC significantly curtailed the FTC’s enforcement authority, holding that Section 13(b) of the FTC Act does not permit the agency to obtain equitable monetary relief. The decision eliminated what had been one of the FTC’s most potent tools for consumer redress, leaving a substantial gap in the agency’s remedial toolkit. In response, the FTC has pivoted to alternative statutory authorities that independently support equitable monetary relief. Chief among these are GLBA and the Restore Online Shoppers’ Confidence Act (ROSCA).
GLBA’s pretexting provisions make it unlawful for “any person” to obtain customer financial information through false, fictitious, or fraudulent statements. In 2023, the Southern District of New York validated the FTC’s expanded interpretation of this provision in FTC v. RCG Advances, LLC, holding that any misrepresentation, even about underlying products or services, coupled with the collection of financial information may constitute a pretexting violation. The court rejected arguments that the statute was limited to impersonation-style fraud, finding that “the plain text of the statutory provision controls.” The FTC has since invoked GLBA pretexting to obtain consumer redress in diverse cases, including challenges to cryptocurrency platforms, rental housing practices, and debt relief schemes.
That reading, however, may face durability questions when measured against Congress’s apparent target. Section 521 appears to trace to House legislation aimed at the then-emerging information-broker industry, where brokers obtained account information by impersonating consumers or using other ruses to induce unwitting disclosures. The accompanying reports described the provision as a specific response to that “gray area” brokering model, not as a general redress mechanism for any Section 5 deception claim that happens to involve payment information. That history gives defendants a ready limiting principle: GLBA pretexting may be strongest where the alleged deception resembles broker-style access to financial information, and less stable as a broad substitute for Section 13(b) monetary relief in ordinary Section 5 cases.
Under ROSCA, the FTC has also targeted negative-option marketing practices (i.e., automatic renewals, free-to-paid trial conversions, and subscription traps) to seek redress in cases involving inadequate disclosure, unauthorized charges, and difficult cancellation mechanisms.
Mufarrige’s Workshop Comments
At the Workshop, Director Mufarrige offered a spirited defense of the FTC’s use of GLBA and ROSCA as penalty‑bearing enforcement tools. The plain‑text argument is direct, he said. Section 521’s prohibition on obtaining financial information through “false, fictitious, or fraudulent” statements is not limited to obtaining customer data under false pretenses; rather, FTC believes, any misrepresentation combined with the collection of customer financial data is actionable under the statute. According to Mufarrige, the same reasoning applies to ROSCA’s requirements for express informed consent and clear disclosures in negative‑option transactions. Mufarrige framed this enforcement posture as a natural fit for an agency that sees itself as a law enforcer focused on “reinforcing markets, not replacing them”—a theme he returned to repeatedly.
Mufarrige’s broader remarks emphasized these themes. He stressed that competition remains the “first line of defense” for consumer protection—a framing aligned with Chairman Ferguson’s stated priorities and recent public remarks. On emerging issues, he identified impersonation cases as the agency’s most pressing concern, referencing the Impersonation Rule and the Take It Down Act as key tools. He also noted the agency’s continued focus on junk fees and price transparency. His comments largely echoed statements we’ve heard in recent months from the Commission, although Mufarrige’s defense of GLBA pretexting and ROSCA as redress tools was notably direct.
AI as a Vehicle for Fraud
Director Mufarrige’s comments on AI were brief but pointed. He emphasized that the FTC’s focus remains on enforcing existing laws and pursuing conduct where AI is used as a vehicle for fraud. This approach aligns with Chairman Ferguson’s stated priorities: the agency sees its role as targeting bad actors who weaponize new technology, not as a regulator of AI development itself. AI-enabled fraud schemes (i.e., synthetic identities and deepfake impersonations) remain squarely within the FTC’s enforcement crosshairs.
Workshop panelists highlighted how fraud has evolved into a sophisticated, industrialized enterprise. Synthetic identities, which blend fabricated data with real personal information, can slip past traditional verification systems. Account takeover schemes weave together phishing, automated bot attacks, and credentials harvested from data breaches to create what amounts to a criminal supply chain.
First-party fraud has also grown as dispute channels expand. Unlike traditional fraud, where a third party misuses stolen credentials, first-party fraud occurs when the customer who authorized or benefited from a transaction later disputes it. Institutions must then classify the case accordingly, which complicates both liability allocation and dispute resolution. Kelvin Chen, Head of Policy at the Consumer Bankers Association, cautioned that dispute and chargeback volumes could spike as new payment rails emerge and authorization boundaries blur, especially where consumer protections lag behind the established norms of card networks and ACH systems.
Conclusion
Post-AMG, the FTC has made its enforcement strategy plain. The agency will continue pairing Section 5 deception claims with redress-capable statutory hooks, where available. Although this workshop focused on the financial services sector, the FTC’s position on GLBA pretexting’s reach extends well beyond traditional financial institutions. Section 521’s pretexting prohibition applies to “any person” who makes a false statement to obtain customer financial information. Under the FTC’s expansive interpretation, any misrepresentation coupled with the collection of payment credentials could trigger an ostensible pretexting violation. The impact is significant: most consumer transactions involve obtaining financial information to complete a purchase or service. Companies outside the financial services industry that are not actively thinking about GLBA compliance may nonetheless find themselves subject to GLBA-pretexting claims if their challenged practices involve alleged misrepresentations and consumer payment information.