On September 29th, the Office of the Inspector General (OIG) that oversees the CFPB released a memorandum detailing the major management challenges facing the CFPB. The memo identified four areas for improvement that, unless addressed, would hamper the CFPB’s ability to accomplish its strategic objectives:
- Ensuring an Effective Information Security Program
- Ensuring Comprehensive Policies and Procedures Are in Place and Followed
- Maturing the Human Capital Program
- Managing and Acquiring Sufficient Workspace to Support CFPB Activities

Despite the vast quantities of consumer information being collected by the CFPB as part of its consumer protection mission, the CFPB has not fully implemented an information security continuous monitoring program, including a comprehensive data loss prevention system and oversight of contractor-operated information systems. Furthermore, the CFPB has not fully implemented processes within its internal network that would enable the agency to detect and better protect against unauthorized access to and disclosure of its sensitive information. The CFPB must be concerned not only about hackers but also about the risk of insider threats. A review of the CFPB website reveals that the CFPB makes very few representations about the level of security being provided for consumer information. In the wake of the CFPB’s data security enforcement action against Dwolla, Inc. (see our prior blog post), the CFPB should be prepared to satisfy the same data security requirements that it expects to see among the companies that it regulates.
Additionally, the CFPB expects companies to maintain comprehensive compliance management systems, including written policies and procedures as well as employee training on those policies and procedures. However, the OIG concluded that the CFPB does not have a comprehensive set of policies and procedures for some program areas, and that the CFPB did not fully ensure that its staff members were aware of and complied with its existing policies and procedures. Despite clear guidance provided to industry about the minimum requirements of an effective compliance management system, as described in the CFPB Supervision and Examination Manual, the CFPB appears to have similar struggles in establishing its own internal governance.