Editor’s Note: This story has been updated with a statement from the Consumer Financial Protection Bureau.
A Government Accountability Office report released Monday calls for the Consumer Financial Protection Bureau to better protect the massive amount of data the agency collects.
The report states the three-year-old agency has taken appropriate measures to meet Federal Information Security Management Act (FISMA) requirements and appropriately scans for problems and vulnerabilities, but “additional efforts are needed in several areas to reduce the risk of improper collection, use, or release of consumer financial data.”
Among the improvements GAO calls for are comprehensive written documentation of data intake and security risks, better training for staff on how to handle sensitive personal data and further consultation with the Office of Management and Budget to ensure its data collection practices are legal.
“Recognizing the sensitivity of some of the consumer financial data it has collected, CFPB has taken steps to protect and secure these data collections, including adopting high-level privacy and security policies and processes,” the GAO report states. “However, CFPB staff said they were primarily focused on taking necessary actions to effectively carry out their mission during these early years of agency operations and as a result, a number of policies and processes were not fully documented or implemented, as required by federal internal control guidelines or outlined in NIST guidance.”
The report came at the request of Sen. Mike Crapo, R-Idaho, who said CFPB failed to respond to his request for information related to its data collection policies in 2013.
“The CFPB’s massive data collection effort is an unwarranted, unwelcome intrusion into the private financial lives of millions of Americans,” Crapo said in a release Monday. “At a time when data and identity-related crimes are at an all-time high, the last thing the American people need is one more federal agency collecting their private financial information.”
The bureau, created in 2010 under the Dodd-Frank Act, was found to be collecting data that contains personally identifiable information, including data related to 11,204 consumer arbitration cases. Personal identifiers were also found in data related to deposit advance products and storefront payday loans, but CFPB told GAO it removed that information before it was used by staff.
In a response to the report, CFPB Director Richard Cordray agreed with all of GAO’s assessments and highlighted a number of actions the bureau is taking to implement its recommendations.
The CFPB sent a statement to Fedscoop after the initial publication of this story:
Data is essential for effective financial regulation. It allows regulators to see how markets are functioning and monitor the impact of rules. As GAO stated in its report, “[p]rior to and during the 2007-2009 financial crisis, [GAO] and others noted that the lack of data on consumer financial products and services hindered federal oversight in areas such as mortgages and fair lending.”
The GAO’s report recognizes that the Bureau collects data on a scale similar to other regulators and uses that data to carry out its mission to protect consumers. The CFPB agrees with the GAO’s recommendations, which focus primarily on documentation of processes related to data collection.
As the report notes, the majority of the large datasets maintained by the CFPB are de-identified, and many of the largest datasets maintained by the CFPB use data procured from commercial aggregators, which is also available for purchase by private companies.
The CFPB has disclosed details of its market-monitoring on numerous occasions over the past several years, including in Congressional testimony and correspondence, and in public documents such as its Strategic Plan, Budget, and Performance Plan and Report.