A new report from the Government Accountability Office on the CFPB’s data collection efforts finds that the CFPB needs to do more to reduce the risk of improper collection, use or release of such data. The CFPB’s data collection efforts have been the focus of criticism from lawmakers during several hearings at which Director Cordray and Deputy Director Antonakes testified. In its background discussion, the GAO indicates that it conducted the review in response to requests from lawmakers and to fulfill a statutory mandate for such a review in the Consolidated Appropriations Act of 2014.
The GAO reviewed the CFPB’s 12 large-scale ongoing and one-time data collections undertaken from January 2012 to July 2014. Subjects of the collections included mortgages, student loans, overdraft fees, online and storefront payday loans, deposit advance products, and arbitration case records. Of the 12 collections, 3 included information that identified individual consumers (arbitration case records, deposit advance products and storefront payday loans). The GAO indicates that it was told by CFPB staff that while most of the 12 collections were conducted under the CFPB’s supervisory authority, several were conducted using its market monitoring authority. The report reviews large-scale data collections conducted by the Fed, OCC and FDIC and finds that such other regulators collect “similarly large amounts of data” as the CFPB but that the other regulators’ collections generally do not contain information that directly identifies consumers. It also reviews the CFPB’s information sharing agreements with other regulators and finds overlap in the data collected by the CFPB, Fed and OCC.
The GAO’s key conclusions are:
- The CFPB lacks written procedures for its data intake process, including procedures for evaluating whether statutory restrictions on collecting personally identifiable financial information apply to a large-scale collection, for documenting whether such a collection is subject to Paperwork Reduction Act requirements (such as obtaining OMB approval and seeking public comment on a proposed collection), and for assessing and managing the privacy risks of the collection.
- Although it has informal procedures for anonymizing data collections that contain personally identifiable financial information, the CFPB has not established written procedures for anonymizing data. (The report cites specific instances in which the CFPB failed to remove sensitive information in some of its collections.)
- The CFPB did not consistently or comprehensively document its information security risk-assessment results.
- The CFPB has not yet developed a comprehensive privacy plan that brings together its existing policies and guidance, established a regular schedule of periodic reviews of its privacy program, or completed development of a role-based privacy training program.
- The CFPB did not comprehensively evaluate the service provider that processes consumer financial data on its behalf for compliance with contract provisions.
The report contains 11 specific recommendations for executive action by the CFPB to remedy the weaknesses identified by the GAO. It also contains a letter from Director Cordray concurring with the GAO’s recommendations and outlining the actions being taken by the CFPB in response.
The report’s conclusions seem particularly ironic given the importance the CFPB places on implementation of data security procedures and service provider oversight by the entities it supervises. We expect Director Cordray to hear more from lawmakers about the GAO’s conclusions when he next appears before Congress for an oversight hearing. Indeed, House Financial Services Committee Chair Jeb Hensarling has already issued a statement on the report commenting that it “reveals troubling deficiencies in the CFPB’s data security procedures and privacy controls, as well as an apparent effort by the CFPB to skirt the consumer privacy protections required by Congress in both the Dodd-Frank Act and the Paperwork Reduction Act.”