In response to the Consumer Financial Protection Bureau (CFPB) facing ongoing scrutiny regarding its data collection practices, the U.S. Government Accountability Office (GAO) has issued 11 recommendations for the CFPB in a recent report following the GAO’s investigation of the agency.
“CFPB lacks written procedures and comprehensive documentation for a number of processes, including data intake and information security risk assessments,” the GAO says in the report, adding that the CFPB has not yet fully implemented a number of privacy control steps and information security practices, “which could hamper the agency’s ability to identify and monitor privacy risks and protect consumer financial data.”
Lawmakers have long expressed outrage at the agency’s research into consumers’ finances, with even Senator Mike Johanns (R-Neb.) previously calling the CFPB’s tactics “downright creepy.”
Congress passed legislation in January requiring the GAO to examine the CFPB’s data collection, and the report also satisfies requests made by Senator Mike Crapo (R-ID) and Reps. Shelley Moore Capito (R-WV) and Carolyn Maloney (D-NY) to examine the CFPB’s collection of consumer financial data.
The CFPB’s large-scale data collections varied from about 11,000 consumer arbitration case records from a trade association to 173 million mortgage loans from a data aggregator. Of the 12 large-scale collections GAO reviewed, three included information that identified individual consumers, but CFPB staff indicated that those three were not subject to statutory restrictions on collecting such information.
“This report reveals troubling deficiencies in the CFPB’s data security procedures and privacy controls, as well as an apparent effort by the CFPB to skirt the consumer privacy protections required by Congress in both the Dodd-Frank Act and the Paperwork Reduction Act,” says Financial Services Committee Chairman Jeb Hensarling (R-TX) in a written statement. “[The CFPB’s] programs include the collection of 11 million credit reports monthly, 195 million mortgages monthly, 700,000 monthly auto sales transactions linked with consumer credit data, plus the National Mortgage Database, which was not fully examined by the GAO as part of this report.”
While the GAO notes the CFPB has taken some steps to protect and secure data collections, the GAO determined that additional efforts are needed in several areas to reduce the risk of improper collection, use or release of consumer financial data.
The GAO’s recommendations include that the CFPB should establish or enhance written procedures for the data intake process; for anonymizing data, including how staff should assess data sensitivity; for assessing and managing privacy risks; for monitoring and auditing privacy controls; and for documenting information security risk-assessment results consistently and comprehensively so that they include all National Institute of Standards and Technology (NIST)-recommended elements.
In addition, the CFPB should develop a comprehensive written privacy plan that brings together existing privacy policies and guidance; obtain periodic reviews of the privacy program’s practices as part of the independent audit of CFPB’s operations and budget; develop and implement role-based privacy training; update remedial plans for the information system that maintains consumer financial data and related components; and include an evaluation of compliance with contract provisions relating to information security in CFPB’s review of the service provider that processes consumer financial data for CFPB.
The CFPB outlined actions the agency is taking or plans to take in response to the GAO’s recommendations, such as developing written procedures for the de-identification of data containing personal identifiers.
“Information received by the Bureau and reviewed by GAO in this engagement has been used, as intended by the Dodd-Frank Act, to inform the Bureau’s rulemakings, supervise covered persons and service providers, and enforce federal consumer financial law,” the CFPB says in a written statement.
The GAO report also included one recommendation to the Office of the Comptroller of the Currency (OCC) to ensure its data collections comply with appropriate disclosure requirements.
Written by Cassandra Dowell