
Insecurity and CFPB’s Demand for Data

With the recent revelations regarding government collection of massive amounts of individual data, the Consumer Financial Protection Bureau has come under increased scrutiny for its data collection program. While the CFPB is authorized under the Dodd-Frank Act to collect vast amounts of financial data on American citizens as part of its regulatory mission, critics have noted many troubling issues with the CFPB's current data collection procedures.

Scope of Data

One of the biggest criticisms financial institutions have leveled against the CFPB is the wide breadth of its data requests. Rather than tailoring requests to target the specific type of information needed for the CFPB's analysis, the agency has made broad requests of banks. Complying with CFPB requests has become a "very laborious exercise," according to officials with the American Bankers Association. The U.S. Chamber of Commerce noted that the agency's requests are "extremely onerous" and are "often unfocused, overly inclusive, and not coordinated with other regulators."

Another letter from the Chamber raised further concerns about the scope of the agency’s data requests, noting: “We understand that the Bureau is directing at least some credit card issuers to provide — on a real-time, continuous basis — a monthly summary of cardholder transactions on an account-by-account basis. We have heard from companies that the scope may range from dozens to as many as hundreds of pieces of data for each consumer on at least a monthly (and perhaps more frequent) basis.”

The Bureau is also spending millions of dollars a year to purchase data on customer habits and finances from commercial data providers. Known contracts include $8.5 million to Experian for credit data, $790,000 to CoreLogic Inc. for data on mortgages, and $443,260 to Clarity Services, Inc. for data on payday loans. In FY 2012, the CFPB spent approximately $7.1 million obtaining data from contracted providers, and it had spent approximately $3.1 million through the beginning of July of FY 2013.

The CFPB is reported to have purchased information on at least 10 million customers.

Concerns have also arisen surrounding the scope of information contained in the National Mortgage Database, which the CFPB runs jointly with the Federal Housing Finance Agency (FHFA). In April 2014, the FHFA announced in the Federal Register that records in the National Mortgage Database may include detailed information on borrowers and co-borrowers such as “name, address, zip code, telephone numbers, date of birth, race/ethnicity, gender, language, religion, social security number, education records, military status/records, employment status/records” in addition to account numbers, marital status, and other financial information.

And although the Dodd-Frank Act prohibits the CFPB from collecting personally identifiable financial information, the Bipartisan Policy Center noted that "it has been reported that unique identifiers are being attached so that the Bureau can track the same consumer's transactions over a prolonged period of time," which has led "to increasing concerns regarding the privacy of this information." A persistent identifier attached to each account record allows transactions to be linked back to one individual over time even when the name has been stripped, which is why such data is not anonymized in any meaningful sense.

Security Concerns

To collect its desired information, the CFPB is contracting with third parties to purchase and analyze consumer financial data. This decision to outsource CFPB work to contractors was intensely scrutinized by members of the House Financial Institutions and Consumer Credit Subcommittee during a 2013 hearing, owing to the concerns about contractor security raised following the leak of top-level national security data. The CFPB responded to these concerns by stating that all third-party contractors are subject to the same rules and regulations regarding data security as all other CFPB personnel.

Despite these assurances, a previous audit of the CFPB's information security controls by the Government Accountability Office (GAO) found flaws in the Bureau's procedures. The GAO identified several problems, stating that "these issues increase the risk of CFPB not preventing or promptly detecting and correcting (1) misappropriation of assets because of reliance on insufficient internal controls; (2) unauthorized access, modification, or both of its data; and (3) misstatements in its financial statements."

The report further states that:

During our audit of CFPB’s fiscal year 2011 financial statements, we found that CFPB, contrary to the provisions of FISMA [Federal Information Security Management Act of 2002], had not developed, documented, and implemented an agency-wide program to provide information security for the information and information systems that support the financial reporting, operations, and assets of the bureau, including those systems provided or managed by its service provider organizations. We identified several information systems vulnerabilities related to its controls over financial reporting.

The Federal Reserve’s Office of the Inspector General also issued a 2013 report examining the CFPB’s data security procedures, and found that “improvements are needed to ensure that the requirements of FISMA are met.”

Due to concerns about data security, U.S. Senator Mike Crapo (R-Idaho) sent a letter to the GAO in July 2013 requesting another audit of the CFPB’s data collection systems. The letter notes that “The size and scope of this data collection warrant proper government oversight to both guard consumers’ privacy and ensure that the CFPB is acting within its existing authority.”

Regardless of concerns from Congress, the CFPB is moving forward with contracts to collect, store, and analyze consumer data. A $15 million contract to store and analyze credit card information from nine unnamed banks has been awarded to New York-based Argus Information & Advisory Services LLC.

A 2014 audit by the Federal Reserve's Office of Inspector General determined that problems with the CFPB's information security program persisted. The report specifically expressed concern that the CFPB was deficient in its security controls and the techniques used to apply them. It also found insufficient vulnerability management practices for database and other security configurations, meaning that misconfigurations and unpatched weaknesses in those systems were not being systematically identified and corrected.

The IG found that CFPB employees had been granted access to information beyond what their duties required, and that no security tools had been implemented to check these access configurations, making potentially sensitive data improperly available.

Further, the CFPB had not developed sufficient procedures for detecting, reporting, and responding to security incidents, or for "mitigating risks before substantial damage is done." The absence of such procedures left the CFPB unable to "fully detect and respond to information security incidents in a timely manner."

The IG also determined that the CFPB’s security training program was insufficient to “provide assurance that employees and contractor staff with significant security responsibilities have adequate knowledge and expertise” to implement its information security program.

Lack of Transparency

While the CFPB's mission statement says the agency is dedicated to promoting transparency, not even the Congressional committee charged with overseeing the agency's activities is privy to information on its data requests. After Rep. Sean Duffy (R-Wisc.) requested that the CFPB provide members of the House Financial Institutions and Consumer Credit Subcommittee with the specific data requests it had made of banks and other financial institutions, CFPB Acting Director Steve Antonakes stated that the Bureau could not disclose such information under the agency's confidential supervisory examination program.

Though most of the consumer data is anonymized, data obtained from bank investigations is not and may include "personally identifiable information" (PII). The CFPB has not created a standard definition of what constitutes PII, and it has neither issued nor announced plans to issue a rulemaking to define the standard, which would gather public input on the agency's definition. This lack of a standard for protecting sensitive consumer information was highlighted by Sen. Crapo's request to the GAO and by members of the House Financial Institutions and Consumer Credit Subcommittee.