The CFPB's Data Collection Is to Be Applauded
The Consumer Financial Protection Bureau's massive collection of consumer data continued to raise concerns with lawmakers on Wednesday despite assurances from the agency's director that the data is anonymized. Lawmakers also voiced worries that the agency is inappropriately targeting auto dealers.
Community bankers are up in arms after one of the largest core processors told institutions it will likely raise costs because of a data collection effort undertaken by the Consumer Financial Protection Bureau.
WASHINGTON The Consumer Financial Protection Bureau has agreed to ramp up its security policies on data collection in response to a recent Government Accountability Office report that raised nearly a dozen recommendations on the topic.
There's good reason to be wary of government data collection. Data can allow the government to abuse citizens' privacy, and data is also vulnerable to theft by cybercriminals. But not all government data collection is problematic. Some is actually good, and the facts about particular government data collection programs matter.
Unfortunately, the critics of the Consumer Financial Protection Bureau's data collection haven't bothered to learn the basic facts about the data the agency collects before veering off into black helicopter paranoia. And this shows the criticism of the CFPB's data collection for what it really is: a politically motivated attack on the CFPB.
A quick look at the facts of the CFPB's data collection shows that there's really nothing to fear. Much of the data gathered by the Bureau is already public: mortgages are recorded in county land records and auto sales with state DMVs. Most of the data that is not publicly available is commercially available and routinely used by businesses and academics. This just isn't secret or sensitive data.
Very little of the data is publicly identifiable when the CFPB obtains it, and the Bureau anonymizes that data, so Bureau personnel are never working with personally identifiable data. Even if the data were personally identifiable, the nature of the data is that it doesn't reveal anything especially personal. The CFPB collects aggregate account-level data, showing account balances, interest rates and fees. The data collected by the CFPB does not contain transaction-level data, so the CFPB has no idea what someone has purchased or even where the purchase took place. Consumers can rest easy that the CFPB does not know about their subscriptions to Ashley Madison or donations to the People's Liberation Front. The CFPB knows less about consumers' purchases than the banks it regulates know. All of this means that there are no legitimate Big Brother concerns about the CFPB's data collection.
What about data security? Data breaches are a fact of modern commercial life. Consumers have to assume that any data they give to merchants, financial institutions, or the government may be compromised. Data breaches don't matter very much, however, unless the data is sensitive, meaning that it is readily monetizeable. Hackers target credit card data for the same reason Willie Sutton held up banks: "That's where the money is."
As it turns out, the credit card data collected by the CFPB is useless to cybercriminals. It does not include account numbers, expiration dates, or security codes. It doesn't even include consumer names and addresses. In short, the CFPB has nothing that a cybercriminal would want. But you wouldn't know that from reading the rantings of CFPB critics.
You also wouldn't know from the complaints of CFPB data critics that government collection of consumer financial data is nothing new the OCC, FDIC, and Federal Reserve have been doing it for years (often with larger data sets). Indeed, much of the data the CFPB gets is through Memoranda of Understanding with other regulatory agencies. The CFPB's critics have not a word to say about the collection of the same data by other agencies. Apparently, data collection is a problem only when done by the CFPB.
The CFPB's data collection is something that should be applauded rather than criticized. Most of the CFPB's data collection is one-time collections in support of specific rulemakings. Isn't evidence-based policy something we want? A responsible rulemaking on overdraft or payday or arbitration requires knowing something about the state of the market, and that requires data.
Likewise, the CFPB's ongoing data collection is critical to ensuring that the Bureau does not end up behind the ball with market developments, as federal regulators were during the housing bubble. And enforcement of the fair-lending laws is not possible without data collection and analysis. Attacks on CFPB data collection are effectively assaults on the fair-lending laws.
Evidence-based policymaking is the essence of the CFPB's approach to consumer finance regulation. Unfortunately, the Bureau's implacable ideological opponents are so quick to find fault with the Bureau that they won't let facts get in the way of leveling unfounded and irresponsible charges about abusive data collection.
Adam J. Levitin is a professor of Law at Georgetown University. The views expressed here are his own.