The Consumer Financial Protection Bureau is among several agencies conducting an "ongoing investigation" of Equifax related to last year's data breach, the credit reporting firm said in a securities filing Friday.
The filing contradicts a recent press report indicating that the CFPB had dropped a probe into the credit bureau over the data breach in September that compromised the personal information of over 147 million Americans.
The CFPB's press office sent an email to reporters Friday notifying them of Equifax's filing with the Securities and Exchange Commission, but declined to comment further.
"A number of U.S. federal, state, local and foreign governmental officials and agencies, including Congressional committees, the [Federal Trade Commission], the CFPB, the SEC, the U.S. Department of Justice and state attorneys general offices in the U.S. … continue to investigate events related to the 2017 cybersecurity incident, including how it occurred, the consequences thereof and our response thereto," Equifax said in the filing.
Last month, Reuters reported that acting CFPB Director Mick Mulvaney was not investigating Equifax, citing sources who said the agency had not ordered any subpoenas of the company or taken any sworn testimony from its executives.
Yet, far from abandoning its supervisory oversight of Equifax, the CFPB likely has taken a back seat to the Federal Trade Commission, which has jurisdiction over data breaches. The FTC issued a civil investigative demand to Equifax last year in coordination with the CFPB, which is why the bureau did not issue its own, separate subpoena, lawyers said.
"We cooperate with CFPB supervisory examinations," Equifax said in the filing, adding that it "cannot predict the ultimate impact on our business of new or proposed CFPB," rules, supervisory exams or government investigations or enforcement actions.
The Dodd-Frank Act gave the CFPB examination and supervisory authority over credit reporting agencies including Equifax.
"The CFPB may pursue administrative proceedings or litigation to enforce the laws and rules subject to its jurisdiction," Equifax said in the filing.
The company said the CFPB "can obtain cease and desist orders," which can include orders for restitution to consumers or rescission of contracts, as well as other types of affirmative relief, and "monetary penalties ranging from $5,000 per day for ordinary violations and up to $1 million per day for knowing violations."
On Thursday, Equifax reported that it will notify an additional 2.4 million customers affected by the hack. Equifax initially had said that 145.5 million Americans had their identities stolen in September 2017.