The U.S. consumer finance watchdog agency is expected to punish Equifax for its cyber breach with the wide-ranging powers it has used with Wall Street, former agency officials and lawyers said this week. The credit-reporting company is subject to five federal laws governing listed companies, the use of public data and the fair treatment of customers, and the Federal Trade Commission and the Department of Justice are examining the hacking theft of personal information on up to 143 million people.
But because Equifax is not strictly a financial company, questions arose whether the Consumer Financial Protection Bureau, the agency created after the 2008 financial crisis, has the power to penalize the firm for the breach.
Legal experts said the CFPB is likely to weigh in using powers it wields under the 2010 Dodd-Frank Act.
“Its Dodd-Frank mandate gives the CFPB authority to investigate Equifax even without cyber security rules,” said Quyen Truong, a partner at law firm Stroock & Stroock & Lavan who was the assistant director and deputy general counsel for the CFPB until early 2016.
Equifax is one of the country’s three major credit bureaus which, along with TransUnion and Experian PLC, gather data on consumer spending habits which is then purchased by banks to determine a customer’s creditworthiness.
The CFPB and legal experts said the regulator could pursue Equifax under an aspect of the Dodd-Frank Act banning unfair, deceptive and abusive acts and practices (UDAAP).
CFPB spokesman Sam Gilford pointed to fines the CFPB levied on Equifax in January for allegedly deceiving consumers about the usefulness and cost of credit score information they bought, using this aspect of the law.
He declined to comment on whether the regulator has already opened or plans to open an investigation. An Equifax spokesman did not respond to a request for comment.
The UDAAP provision does not specifically address cyber incidents, but because it is “very broad and very vague,” the CFPB could argue Equifax breached the law, said Alan Kaplinsky of law firm Ballard Spahr.
Data from law firm Morrison Foerster show almost 80 percent of the agency’s enforcement actions included a UDAAP claim in 2015, and the agency pursued online payment system Dwolla over cyber issues.
In addition to forcing companies to take certain actions or desist from damaging behavior, the CFPB can fine them up to $1 million per day if a company knowingly violated the law.
“If they think Equifax treated consumers unfairly or misled, or did something that caused consumer harm, they’d use it,” said Kaplinsky.