Acting Consumer Financial Protection Bureau Director Mick Mulvaney has cited hundreds of confirmed and suspected data breaches as justification for his halting the bureau's data collection activities last month.
In a letter sent Thursday to Sen. Elizabeth Warren, D-Mass., Mulvaney said there were 233 confirmed breaches tied to the bureau's consumer response system, plus 840 suspected breaches by financial institutions that use a company portal to send data to the CFPB. The CFPB also found, as recently as Nov. 13, that there were 101 complaint narratives with unredacted consumer or third-party names, he said.
"Breaches and redaction errors undermine consumer confidence in the bureau and its ability to safely handle consumer complaints," Mulvaney, who is also White House budget director, told Warren in the two-page letter.
But he noted that data collection has continued in some areas. Mulvaney said he is working with the CFPB's senior management to come up with "innovative ways to collect mission-critical data" while the agency's analysis of security threats continues.
On Dec. 4, Mulvaney put a halt to the collection of all personally identifiable information by the CFPB from supervised entities. The move raised concerns that the bureau's enforcement actions would be stalled.
Warren has called Mulvaney's actions "unjustified," and said he had inappropriately used Inspector General reports "as a pre-text to halt and weaken critical agency functions."
Warren founded the CFPB when she was a Harvard law professor and now is sparring with Mulvaney as he tries to reduce regulations and move the agency in a different direction.
Mulvaney told Warren that he has broad discretion in his oversight of the CFPB.
"As you know, by design, the Dodd-Frank Wall Street Reform and Consumer Protection Act provides the director or acting director near complete discretion and autonomy regarding how the bureau will meet its statutory obligations," Mulvaney said. "I do believe that the appropriate collection of personally identifiable information is important to meeting those obligations and for that reason, data collection has continued in instances where a collection pause would unduly hamper our ability to perform our duties."
The CFPB will investigate the data breaches that were self-reported by financial institutions and found in its complaint database. Mulvaney said he plans to conduct additional testing to identify other potential data security vulnerabilities.
Banks and other financial institutions have long complained about consumers sharing unverified details posted to the CFPB's consumer complaint database and have lobbied to have the database shut down.