On September 25, the Consumer Financial Protection Bureau issued a report on its sources and uses of data. This report was followed by a Request for Information regarding its data collection practices, published in the Federal Register on September 28. In some respects, both documents are a follow-up to Acting Director Mick Mulvaney’s December 2017 order to CFPB staff to cease collecting personally identifying information, pending a review of and improvements to the Bureau’s overall data security systems.

The Dodd-Frank Act states that the CFPB “shall seek to implement and … enforce Federal consumer financial law consistently for the purpose of ensuring that all consumers have access to markets for consumer financial products and services and that [those markets] are fair, transparent, and competitive.” The CFPB regularly obtains data about consumers to fulfill these statutory functions and obligations and its data collection practices under the leadership of former Director Cordray had been the subject of strong criticism from Republican lawmakers.

The 199-page report describes the sources and uses of data collected, as well as the processes governing the intake, use, access, and disclosure of any data by the Bureau. Appendix B to the report includes a list of the Bureau’s 188 data collections to date from public sources, government agencies, commercial vendors, financial institutions, and consumers. The list generally does not include data collections from consumers on a voluntary basis, such as through focus groups, one-on-one interviews, or user testing. Contained in the report’s Appendix C is a list of the Memoranda of Understanding between the Bureau and other agencies that address the sharing of data. 81 different governmental and quasi-governmental agencies are named in the list.

During its review of its data security systems, the CFPB signed an interagency agreement under which the Department of Defense provided risk assessment services to identify potential gaps in the Bureau’s cybersecurity controls. The Bureau concludes in the report that its security protocol is currently “well-organized and maintained” with no critical issues found.

The CFPB is now seeking public input regarding the overall effectiveness and efficiency of the Bureau’s data collection practices. It is asking the public to provide comments on aspects of its data collection program, such as:

  • The sources, uses, and scope of information the Bureau collects;
  • Ways the Bureau should or should not reuse data collected for one purpose to inform the other functions of the Bureau;
  • Ways to reduce the burden on future furnishers of information;
  • Activities the Bureau could engage in to make data collections from financial institutions more effective and efficient; and
  • Other changes that may assist the Bureau to more effectively meet its statutory purpose and objectives.

Public comments are due to the CFPB by December 27, 2018.

Since Mick Mulvaney’s appointment by President Trump as CFPB Acting Director, there have been widespread media reports about Mr. Mulvaney’s plans to impose a freeze on the CFPB’s collection of personally identifiable information (PII), such as individual loan level data, until the CFPB improves its data security systems.  Mr. Mulvaney’s concerns about the CFPB’s data security systems were reportedly prompted in part by reports issued by the Office of Inspector General for the CFPB that found deficiencies in the CFPB’s data security practices.

Since the CFPB has not yet issued any information regarding the freeze’s implementation, its full scope and impact remain unclear.  However, in connection with assisting clients to prepare for CFPB exams, we have learned that the freeze is having a significant impact on the flow of information to CFPB examiners.  Moreover, it appears that because CFPB examiners may not yet have clear direction regarding how they should implement the freeze, they are taking different approaches.

Prior to the freeze, companies had been submitting information requested by CFPB examiners by uploading documents to the CFPB’s Extranet.  We understand the CFPB has temporarily halted use of the Extranet, however, apparently in response to Mr. Mulvaney’s concerns, and it appears that CFPB Supervision management is grappling with how to sufficiently address Mr. Mulvaney’s concerns so that scheduled examinations can proceed.  For example, examination teams have preliminarily described different approaches for how to establish workarounds, including providing all responses printed onto paper, to be shredded at the conclusion of the exam, or providing company computers for examiners to view company responses which may include PII.  The freeze and such workarounds will likely increase the burden for companies undergoing examinations but may also reduce the scope of what examiners will be able to review.

It also remains unclear how the freeze will impact other supervisory submissions, such as supporting documents submitted in connection with responses to Potential Action and Request for Response (PARR) letters.  We are working closely with clients to assist them with issues raised by the new “freeze”-related procedures.