This week, the Government Accountability Office (“GAO”) released a report recommending eleven actions the Consumer Financial Protection Bureau (“CFPB”) should take to enhance the privacy and security of its ongoing data collections. The report also provides a detailed look at the increasingly large volume of information that CFPB collects, and how the agency’s data collection practices compare to those of other regulators.
To carry out its role in overseeing financial institutions and issuing reports on consumer financial issues, the CFPB began large-scale collection of financial data in January 2012. The agency uses that data to inform rulemaking, create statutorily-required studies, determine where to allocate supervisory resources, and understand the markets they oversee, according to the GAO report. Between January 2012 and July 2014, CFPB undertook 12 large-scale data collection efforts, spanning products including mortgages, student loans, credit cards.
The large-scale ongoing collections include:
- Automobile Sales Records on 700,000 vehicles, obtained on a monthly basis to monitor car sales volume and financing.
- Consumer credit report information on 10.7 million consumers, co-signers, and co-borrowers, obtained monthly to analyze changes in consumer behavior relating to debt.
- Credit card information on 25 to 75 million accounts, obtained monthly to identify risks in the credit card market.
- Mortgage information on 29 million active loans and 173 million total loans, obtained monthly monitor emerging trends in the mortgage market.
- Private-label mortgage information on 4 million active loans and 21.9 million total loans, obtained monthly to monitor emerging trends in the mortgage market
The report also reviewed one-time collections of more than 11,000 arbitration case records voluntarily provided by the American Arbitration Association; 600,000 consumer credit reports provided by credit reporting agencies; deposit advance product information relating to 100,000 to 500,000 accounts, provided by depository institutions; online payday loan information relating to 300,000 borrowers; overdraft fee information relating to 2 million accounts; private student loan information relating to 5.5 million total loans, and information on 14 to 40 million storefront payday loans.
Most of the data maintained by CFPB is de-identified. The arbitration, deposit advance, and storefront payday loan information, however, contained data that directly identified individuals. The agency removed identifying information from the payday loan and deposit advance data before making it available for staff analysis, the report said, although GAO criticized the agency for not having written procedures governing that de-identification process. Dodd-Frank’s restrictions on collecting personally identifiable financial information did not apply to the arbitration records, because the entity providing them was not covered under that law, the report said.
Like CFPB, prudential regulators such as the Federal Deposit Insurance Corporation, the Federal Reserve, the Office of the Comptroller of the Currency (“OCC”) and the National Credit Union Administration also collect consumer financial data, including mortgage data, loan origination dates, and outstanding balances from commercial aggregators similar to those used by CFPB. However, the report noted that other agencies with consumer protection responsibilities, including the Securities and Exchange Commission, Commodity Futures Trading Commission, and Federal Trade Commission, generally had “less extensive” collections than CFPB. For example, the FTC compiles a nonpublic database of consumer complaints, but generally does not compile other information to detect fraud and deception in consumer markets, the report said.
The report looked at CFPB’s data security obligations in light of Dodd-Frank Act requirements, Office of Management and Budget guidance, and recommendations of the National Institute for Standards and Technology (NIST), as well as requirements under the Paperwork Reduction Act (PRA), the Privacy Act, and the e-Government act, all of which require agencies to conduct certain steps when collecting data that includes personal or direct identifiers of individuals.
While the CFPB has taken steps to protect and security its data collections, the agency has not fully documented or implemented several internal controls, the GAO found. Nearly half of the report’s recommendations focused on the agency’s lack of written procedures. The GAO recommended CFPB establish or enhance written procedures for (1) data intake, including reviews of proposed data collections for compliance with legal requirements, (2) anonymization of data, including how staff should assess data sensitivity, (3) assessing and managing privacy risks, (4) monitoring and auditing privacy controls, and (5) documenting information security risk-assessment results.
The report also questions the data-sharing agreement between CFPB and OCC, which provides information on 87% of outstanding credit card balances. The report found that OCC had not obtained OMB approval for its collection of credit card and mortgage data. Without that approval, the GAO said, OCC lacks reasonable assurance its collections comply with legal requirements. The report therefore recommends that CFPB consult with the GAO further about its credit card collection and data-sharing agreement, and that OCC seek OMB approval for the collections.
CFPB’s data collection efforts have been criticized by lawmakers, and in January Congress directed the GAO to examine the agency’s data privacy and security measures. The GAO report also responds to similar requests from individual lawmakers, including Sen. Mike Crapo (R-ID), Rep. Shelley Moore Capito (R-WV) and Rep. Carolyn Maloney (D-NY). Rep. Jeb Hensarling (R-TX), chairman of the House Financial Services Committee, said the report reveals “troubling deficiencies” in CFPB’s data security processes and called the amount of information collected by the agency “an unwarranted and shocking intrusion into the privacy of American citizens.”