Does the Consumer Financial Protection Bureau overstep its bounds collecting information for its public complaint database? That question has continually been asked by critics of the agency. A newly released study by the Government Accountability Office, however, says that its data collection policies are in line with those of other federal agencies, but does offer suggested improvements.

GAO was mandated by Congressional critics, notably House Financial Services Committee Chairman Jeb Hensarling (R-Texas), to examine CFPB’s collection of consumer financial data. The resulting report addresses: the scope, purposes, uses, and authorities of CFPB consumer financial data collections; and the CFPB’s compliance with laws and federal requirements, including government-wide privacy and information security requirements.

The review looked closely at laws, regulations, and contracts pertaining to CFPB’s data collections; reviewed privacy and information security policies; reviewed inspector general reports on CFPB’s information security program; assessed how the CFPB applied the National Institute of Standards and Technology’s (NIST) framework for managing risks of storing data; examined access controls on the system maintaining consumer financial data; and interviewed CFPB and other regulatory officials, privacy experts, and representatives from randomly selected financial institutions.

The GAO found that the large amount of data collected by the CFPB is in line with what is collected by other regulators, including the Federal Reserve and the Office of the Comptroller of the Currency. The agency has also “taken steps to protect and secure these data collections,” creating a data intake process that brings together staff with relevant expertise to consider the statutory, privacy, and information security implications of proposed consumer financial data collections.

In response to GAO inquiries, CFPB staff described their process for anonymizing large-scale data collections that directly identify individuals and steps to implement an information security program that is consistent with Federal Information Security Management Act requirements. GAO researchers additionally found that the CFPB implemented controls for the information system that appropriately scan for problems or vulnerabilities and established a risk-management process consistent with NIST guidelines.

The GAO report, however, detailed concerns and additional efforts it says are needed to reduce the risk of improper collection, use, or release of consumer financial data.

The CFPB lacks written procedures and comprehensive documentation for a number of processes, including data intake and information security risk assessments, the report says. The lack of written procedures could result in inconsistent application of the established practices. For example, CFPB unnecessarily retained sensitive data in two collections GAO reviewed, but its staff said they plan to remove this information.

The GAO recommends that the Bureau establish or enhance written procedures for: data intake; anonymizing data; assessing and managing privacy risks; monitoring and auditing privacy controls; and documenting results of information security risk assessments consistently and comprehensively.

The CFPB was also found to have not fully implemented a number of privacy control steps and information security practices. The GAO recommends: developing a comprehensive written privacy plan that brings together existing privacy policies and guidance; obtaining periodic independent reviews of its privacy practices; developing targeted privacy training for staff responsible for working with sensitive personal information; updating remedial action plans to include all identified weaknesses and realistic planned remediation dates; and including an evaluation of compliance with contract provisions relating to information security in CFPB's review of the service provider that processes consumer financial data on its behalf.

The report also points out that under the Paperwork Reduction Act, agencies must obtain Office of Management and Budget approval when collecting data from 10 or more entities in order to minimize burden and maximize the practical utility of the information collected. CFPB and OCC collect, on an ongoing basis, credit card data from different institutions—representing about 87 percent of outstanding credit card balances—and agreed to share data. However, OMB staff said the agencies’ collections and data-sharing agreement may warrant OMB review and approval to ensure compliance with the law. Also, the OCC had not obtained OMB approval for its credit card and mortgage data collections. The GAO report recommends that the CFPB consult with OMB about its credit card collection and data-sharing agreement, and that the OCC seek OMB approval for its data collections.