The Government Accountability Office (GAO), an independent agency which provides Congress with audit, evaluation, and investigative services, said this week that the CFPB needs to its improved privacy and security procedures. The determination came following a review of 12 of the CFPB’s “large-scale data collection efforts.”

The CFPB’s data collections examined by the GAO include a wide range of information such arbitration case records, consumer credit report mortgages, and student loans, some of which contained millions of records.

Despite the massive amount of data collected (some of which included information that identified individual consumers), the GAO concluded that the “CFPB has not yet fully implemented a number of privacy control steps and information security practices, which could hamper the agency’s ability to identify and monitor privacy risks and protect consumer financial data.”

It also stated that the CFPB “lacks written procedures and comprehensive documentation for a number of processes, including data intake and information security risk assessments.”

House Financial Services Committee Chairman Jeb Hensarling responded to the report:

“The American people are rightfully worried about the massive amounts of private information government collects on their personal lives, especially in this age of criminal hackers, data breaches and identity theft.  This report reveals troubling deficiencies in the CFPB’s data security procedures and privacy controls, as well as an apparent effort by the CFPB to skirt the consumer privacy protections required by Congress in both the Dodd-Frank Act and the Paperwork Reduction Act.”

To read the GAO’s full report click here.