The American Bankers Association (ABA) has sent a letter to the Office of the Inspector General (OIG) urging it to expand two of its ongoing CFPB projects: an audit of the CFPB’s public consumer complaint database and a security control review of the CFPB’s DT complaints database (which supports the public consumer complaint database).

In its letter, the ABA makes the following key points:

  • To avoid the CFPB from becoming an “official purveyor of unsubstantiated, and potentially false, information,” the ABA encourages the OIG audit to evaluate the controls in place to ensure the accuracy of individual complaint data.  More specifically, the ABA believes the OIG should look at the degree to which published complaint data relates  to a legal or regulatory violation or a bank practice or policy failure, as opposed to a more generalized expression of consumer frustration or anger.  The ABA observes that “CFPB investigators and examiners evaluate complaints regularly to test their substantive validity and make conclusions about whether a law or regulation has been violated or a bank practice needs to be addressed” and distinguish among complaints that indicate provider violations and those that are unfounded.  The ABA urges the OIG to compare these supervisory evaluations with the data posted on the database.
  • Noting the CFPB’s proposal to expand the public database to include the publishing of consumer complaint narratives, the ABA wants the OIG’s review of the effectiveness of “controls over the accuracy and completeness of the public complaint database” to include “the effectiveness of proposed controls – or the lack thereof – to promote the objectivity, reliability, and utility of the consumer narratives the Bureau may publish.”  The ABA believes the OIG audit should also review CFPB testing, if any, “to evaluate whether consumers can glean salient information from complaint narratives that have been stripped of personal information and relevant attachments, such as account statements or other personal financial records (due to their confidential nature).”
  • The ABA urges the OIG to expand the scope of its security control review of the CFPB’s DT complaints database to include the risks presented by the proposal to publish complaint narratives.  The ABA believes that the security audit should encompass test results of the “scrubbing standard and methodology” to be used to remove personal information from complaint narratives and company responses as well as the consumer
    opt-in process described in the proposal.  The ABA also wants the OIG to look into the sufficiency of consumer response staffing levels, and the adequacy of their training, “to ensure the accuracy and security of a database that may include consumer narratives.”  The ABA notes that should the CFPB consider outsourcing the redaction process or other complaint handling, the OIG would need to audit the CFPB’s third-party risk management controls and capabilities, as well as the independent contractors procedures and controls, “to guarantee that the handling of the considerable volume of personally sensitive financial information by a third-party will meet data quality and security standards.”