WASHINGTON The Consumer Financial Protection Bureau has agreed to ramp up its security policies on data collection in response to a recent Government Accountability Office report that raised nearly a dozen recommendations on the topic.
The GAO report released Monday said the CFPB has access to information on financial data including on 500 million credit card accounts mainly through an information-sharing agreement with the Office of the Comptroller of the Currency and has security protections in place.
However, it added that the CFPB "lacks written procedures and comprehensive documentation" with regard to data intake and security risk assessments.
The GAO gave 11 recommendations to the agency largely centered around having a written privacy plan that brings together all of the CFPB's security measures as well as having an independent review of its practices. It also gave one recommendation to the OCC, which it said agreed with the recommendations along with the CFPB.
"The GAO's report recognizes that the bureau collects data on a scale similar to other regulators and uses that data to carry out its mission to protect consumers," said Sam Gilford, a CFPB spokesperson. "The CFPB agrees with the GAO's recommendations, which focus primarily on documentation of processes related to data collection."
Still, the report added fuel to the fire for House lawmakers who originally requested the GAO investigation in January over concerns that the CFPB was collecting "big data" that had the potential to be personally identifiable or hacked.
"The American people are rightfully worried about the massive amounts of private information government collects on their personal lives, especially in this age of criminal hackers, data breaches and identity theft," said House Financial Services Committee Chairman Jeb Hensarling in a statement following the GAO report's release. "This report reveals troubling deficiencies in the CFPB's data security procedures and privacy controls, as well as an apparent effort by the CFPB to skirt the consumer privacy protections required by Congress in both the Dodd-Frank Act and the Paperwork Reduction Act."
Hensarling was referring to a section of the GAO report that said three out of the CFPB's 12 large-scale data collections under review by the GAO had included personally identifiable information. However, the report also said that "CFPB staff indicated that those 3 were not subject to statutory restrictions on collecting such information."
"Other regulators, such as the Board of Governors of the Federal Reserve System (Federal Reserve) and the Office of the Comptroller of the Currency (OCC), collect similarly large amounts of data," the report said.
It also recommended that the CFPB consult with the Office of Management and Budget about its credit card collection and data-sharing agreement with the OCC since agencies are supposed to get approval from the office when they collect data from 10 or more entities Under the Paperwork Reduction Act. The CFPB and the OCC share data on 500 million credit card accounts on a monthly basis which covers 87% of the outstanding balances as of March, the OMB said.
The report also said that the OCC did not obtain approval from the OMB to collect data on credit cards and mortgages, which it recommends the OCC do to reduce paperwork burdens.
"Without approval, OCC lacks reasonable assurance that its collections comply with [Paperwork Reduction Act] requirements intended to reduce burden," the report said. "GAO recommends OCC seek OMB approval for its credit card and mortgage data collections."
CFPB officials have repeatedly testified to Congress that the agency is data driven in order to better assess markets and make appropriate rules and actions.
The GAO report noted that there was a lack of data being collected on consumer financial products prior to the financial crisis that could have helped federal oversight in areas like mortgages and fair lending. The report said the CFPB has also collected data including on credit reports for 10.7 million individuals on an ongoing basis; mortgage data on about 173 million total loans (excluding private-label mortgages); 5.5 million total student loans; and 15 million to 40 million total payday loans.
"Data is essential for effective financial regulation," Gilford said. "It allows regulators to see how markets are functioning and monitor the impact of rules."