A comprehensive Government Accountability Office study released by the ranking member of the U.S. Senate Banking Committee confirms that the Consumer Financial Protection Bureau is collecting financial data on up to 600 million consumer credit card accounts, without sufficient security and privacy protections to ensure there is no risk of improper collection, use, or release of consumer financial data.
The nonpartisan GAO report, requested by U.S. Senator Mike Crapo, R-Idaho, details the CFPB’s large-scale collection of consumer financial data from 2012 through 2014.
It confirms the existence of personal identifiers in CFPB’s data collections, and raises the concern that CFPB lacks written policies and procedures for data privacy and protection.
“The CFPB’s massive data collection effort is an unwarranted, unwelcome intrusion into the private financial lives of millions of Americans,” Crapo said in a written release. “This GAO report confirms what the Bureau would not — that it has been collecting information on up to 600 million American financial accounts, and it does not have the proper safeguards in place to protect the information it is collecting. At a time when data and identity-related crimes are at an all-time high, the last thing the American people need is one more federal agency collecting their private financial information.”
Asked for a response to the GAO report, a CFPB spokesperson directed HousingWire to CFPB Director Richard Cordray’s response, which is contained within the report itself. His 10-page letter of response starts on page 76.
The CFPB has been collecting data on consumers since 2012, both for its larger credit database and the proposed National Mortgage Database, which it is building jointly with the Federal Housing Finance Agency.
House and Senate members from both parties have raised serious questions about this Big Data collection, and the CFPB has repeatedly failed to provide sufficient information regarding its protection.
Key findings from the GAO report include:
- CFPB has access to account-level credit card data on between 546 million and 596 million consumer accounts on a monthly basis. This represents consumer data covering 87% of the credit card market. (p.28)
- CFPB conducts large-scale collections on consumer financial data, including data with personal identifiers. Data includes one-time and monthly collections on automobile sales, consumer credit report information, credit cards, credit scores, mortgages, student loans, and others. See charts here and here.
- CFPB lacks written policies and procedures for data privacy. GAO noted that the CFPB “. . . has not developed standard policies and written procedures to document the practices it uses for anonymizing data, including clarifying how data sensitivity will be assessed. . .” (p.42) For example, the CFPB retained sensitive data in two data collections reviewed by GAO, including religious data. (p.42-43)
- GAO found weaknesses in the Bureau’s ability to assess risks and vulnerabilities associated with data security and protection of consumer financial information. Both the GAO and the CFPB’s Inspector General previously found similar weaknesses in a separate report released last year. (p.58)
- GAO noted that the CFPB and OCC should submit their credit card data collection plan for consultation and approval by the Office of Management and Budget, as required by law. Without such review, CFPB and OCC lack reasonable assurance that these collections are in compliance with the law. (p.66)
“There are many outstanding questions and concerns following this report,” Crapo said. “For example, it is still unclear exactly what information the CFPB is collecting, how they are using it, and whether it can be easily reverse-engineered to identify an individual. I consider these to be very serious concerns at the very agency that was supposed to watch out for consumers, not watch them.”
Further, data security and the ease with which hackers breach even highly protected databases have come to the forefront of discussion, with recent major breaches at retailers like Target and Home Depot.
“It literally took an act of Congress to obtain this information because the unaccountable CFPB would not answer our questions,” said House Financial Services Chairman Jeb Hensarling, R-Texas. “The American people are rightfully worried about the massive amounts of private information government collects on their personal lives, especially in this age of criminal hackers, data breaches and identity theft. This report reveals troubling deficiencies in the CFPB’s data security procedures and privacy controls, as well as an apparent effort by the CFPB to skirt the consumer privacy protections required by Congress in both the Dodd-Frank Act and the Paperwork Reduction Act.
“As the GAO report notes, the CFPB is collecting information on hundreds of millions of credit card accounts. But the credit card database is just the tip of the iceberg. It is merely one of 13 massive data collection programs the CFPB has undertaken, and the numbers are staggering. These programs include the collection of 11 million credit reports monthly, 195 million mortgages monthly, 700,000 monthly auto sales transactions linked with consumer credit data, plus the National Mortgage Database, which was not fully examined by the GAO as part of this report," Hensarling said. “It seems the CFPB is trying to out-NSA the NSA when it comes to accumulating information on Americans. This is, without a doubt, an unwarranted and shocking intrusion into the privacy of American citizens. How exactly does the CFPB’s effort protect consumers?”
HousingWire has been covering the CFPB’s creation of its National Mortgage Database since it was first proposed.
The two agencies have called it "the first comprehensive repository of detailed mortgage loan information," and they say the purpose is to support policymaking and regulatory research.
The database, they have said from the beginning, will not contain personally identifiable information. Both the FHFA and CFPB said precautions will be in place so individual homeowners cannot be identified through the database or through any subsequent public datasets.
But from early on, members of Congress have been wary.
Rep. Sean Duffy, R-Wisconsin, voiced strong reservations about the CFPB's use of data going back to 2013.
"My concern here is that much of the info that we’ve received on your data collection or monitoring on financial info has come from news reports," said Duffy, after news reports came out that the CFPB had started collecting data on at least 10 million consumers.
Duffy said the CFPB has been less than forthright in explaining what information is being collected, where the data is coming from and how it's being used.
The issue most recently came to a head when Cordray testified before Congress this past June.
Republicans were particularly concerned about the CFPB’s collection of data for its National Mortgage Database on consumers including names, Social Security numbers, IP addresses, GPS coordinates, phone numbers, addresses, religious faith and political affiliation, education and employment records, and other personal data.
“…The joint database project by the CFPB and the FHFA will undeniably collect personally identifiable information on millions of Americans in the National Mortgage Database. I’m not speaking merely of names, addresses and phone numbers – though the database will certainly include those – but shockingly also people’s Social Security numbers, their race, religion, personal financial information, and even the GPS coordinates of their homes,” Hensarling said in that hearing. “A breach of this database could cause untold harm to consumers by the very agency that purports to protect them.”
Hensarling didn’t hold back in condemning the National Mortgage Database.
“Without a doubt, this National Mortgage Database is an unwarranted and shocking intrusion into the privacy of American citizens. It is a database I would fully expect to see in either Russia or China, but I’m appalled to see it in the United States of America,” he said.
Cordray said in June that some of the personal information the bureau collects for the database will be removed, but only after the CFPB has collected the data.
"I’m not sure who’s going to win the race on collecting the most data, the NSA or your agency," said Rep. Randy Neugebauer, R-Texas.
Democrats joined Republicans in a show of bipartisan concern over CFPB data collection on American citizens.
“I don’t mind you collecting the data for your purposes, but I would object incredibly strongly to having it shared beyond those parameters and honestly, why do you want to keep it over time? I understand you would keep the results, but why keep the individual data?” asked Rep. Michael E. Capuano, D-Massachusetts, who supports the agency but doesn’t trust its data collection efforts.