Editor's note: Edited Sept. 23, 2014, to include a response from the CFPB.
Add another item to the list of the Consumer Financial Protection Bureau’s ongoing problems – only this item is an even bigger problem for consumers.
A recent report by the Government Accountability Office concluded that the CFPB isn’t doing an adequate job of protecting the private financial information it’s collected on millions of consumers.
The CFPB has collected data on millions of Americans’ mortgage loans, credit card accounts and other financial products. While the GAO found that the agency had “implemented logical access controls” to protect the information, “additional efforts are needed in several areas to reduce the risk of improper collection, use, or release of consumer financial data,” the report found.
According to the report, the CFPB doesn’t have written procedures or documentation for several processes, including data intake and security risk assessments. The agency also has yet to implement several privacy and security procedures, leaving consumer data potentially vulnerable, according to the report.
Congress ordered the GAO to investigate the CFPB’s data collection program in January after the agency refused to disclose information about the scope of the program.
“It literally took an act of Congress to obtain this information because the unaccountable CFPB would not answer our questions,” said House Financial Services Committee Chairman Jeb Hensarling. “The American people are rightfully worried about the massive amounts of private information government collects on their personal lives, especially in this age of criminal hackers, data breaches and identity theft. This report reveals troubling deficiencies in the CFPB’s data security procedures and privacy controls, as well as an apparent effort by the CFPB to skirt the consumer privacy protections required by Congress in both the Dodd-Frank Act and the Paperwork Reduction Act.”
Hensarling lashed out at the agency not only for its deficiencies in protecting consumer information, but for the sheer amount of information collected.
“As the GAO report notes, the CFPB is collecting information on hundreds of millions of credit card accounts. But the credit card database is just the tip of the iceberg,” he said. “It is merely one of 13 massive data collection programs the CFPB has undertaken, and the numbers are staggering. These programs include the collection of 11 million credit reports monthly, 195 million mortgages monthly, 700,000 monthly auto sales transactions linked with consumer credit data, plus the National Mortgage Database, which was not fully examined by the GAO as part of this report. It seems the CFPB is trying to out-NSA the NSA when it comes to accumulating information on Americans. This is, without a doubt, an unwarranted and shocking intrusion into the privacy of American citizens. How exactly does the CFPB’s effort protect consumers?”
CFPB spokesman Samuel Gilford, however, says the data collection is necessary in order for the CFPB to fulfill its function, and not far off from the data-collection practices of other government regulators.
"The GAO's report recognizes that the Burea collects data on a scale similar to other regulators and uses that data to carry out its mission to protect consumers," Gilford wrote in an email to MPA. "The CFPB agrees with the GAO's recommendations, which focus primarily on documentation of processes related to data collection.
"As the report notes, the majority of the large datasets maintained by the CFPB are de-identified, and many of the largest datasets maintained by the CFPB use data procured from commercial aggregators, which are also available for purchase by private companies," Gilford added.