CFPB’s Consumer Data Collection Scrutinized for Lack of Privacy Controls
The Government Accountability Office (GAO) published a report on Monday, September 22, 2014, assessing the privacy and security controls employed by the Consumer Financial Protection Bureau (CFPB) as part of their massive data collection efforts. Since the CFPB was first conceived in the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act) in 2010, lawmakers, industry trade associations and even consumer advocates have expressed concern with the volume of consumer data collection that the CFPB is allowed to conduct.
In particular, the CFPB’s consumer complaint database has been a source of contention with the banking industry, which fears that the unverified information collected from consumer complaints about individual financial institutions would be made public. The CFPB launched its complaint database over two years ago and now collects complaints ranging from credit cards to mortgages, student loans and auto loans. Countless investigations, enforcement actions, studies, consumer refunds, and even regulatory initiatives have come off the back of the CFPB’s complaint collection efforts. The United Kingdom’s (UK) Financial Conduct Authority (FCA) announced plans to roll out a similar consumer survey model in its 2014/2015 Business Plan.
The GAO report provides mixed messages for the industry on the CFPB’s overall data collection programs, including its complaint database. The report quells some concerns from the banking industry and Republican members of Congress, such as Financial Services Committee Chairman Jeb Hensarling who compared the CFPB to the National Security Agency (NSA), saying the “CFPB is trying to out-NSA the NSA.” The report found that the CFPB was well within its regulatory authority to collect such data, comparing the CFPB’s programs to similar programs at the Federal Reserve and the Office of the Comptroller of the Currency (OCC).
Conversely, the report also provided some ammunition for future attacks on the CFPB’s massive data collection. The GAO found a lack of written procedures and documentation to support the agency’s data collection. The GAO also found that implementation of additional privacy control steps and information security practices were needed immediately to adequately protect consumer financial data. Finally, the report called into question the data sharing between the CFPB and OCC, which has also worried those in the banking industry. The two agencies share relevant complaint data and consumer financial data amongst one another to enforce violations that may fall outside of one another’s regulatory purview.