Richard Cordray is officially out at the CFPB, and although the bureau and the White House are battling it out over who gets to name the interim director, a change in direction is all but assured. Whoever takes the helm at the bureau should use the opportunity to correct some of the most onerous practices at the regulator. Here are three critical steps:
1. Stop regulation by enforcement.
Under Cordray, the bureau declined to outline specific, measurable standards for various regulations, preferring to provide examples of how to interpret regulations through legal action against companies. Cordray explained this strategy in a speech he gave to the Consumer Bankers Association in 2016:
“Likewise, our public enforcement actions have been marked by orders, whether entered by our agency or by a court, which specify the facts and the resulting legal conclusions. These orders provide detailed guidance for compliance officers across the marketplace about how they should regard similar practices at their own institutions.
“If the same problems exist in their day-to-day operations, they should look closely at their processes and clean up whatever is not being handled appropriately. Indeed, it would be ‘compliance malpractice’ for executives not to take careful bearings from the contents of these orders about how to comply with the law and treat consumers fairly.”
Note that the onus here is on the mortgage industry to figure out what the bureau’s actions mean for each individual company. The admonition to “look closely” and “clean up whatever is not being handled appropriately” hardly provides precise, actionable information.
Why not just be clear about what the regulations require or forbid at the outset? The next leader of the bureau should make it a priority to provide distinct rules that outline what is and isn’t permitted.
2. Hold itself to the same high standard it has for the mortgage industry.
Early on, the bureau fostered a “toxic” culture that discriminated against its female and minority employees. In 2014 and 2015 the bureau was called to testify before several congressional committees to answer for its pattern of unequal treatment of African Americans, Hispanics, women and those over 40.
In 2016, a report from the Government Accountability Office found that although the CFPB had made some progress in changing its culture, 40% or more of black CFPB employees who responded to a survey still disagreed with the statement that success at the bureau is based more on merit than on personal connections or favoritism.
The hypocrisy of this kind of culture at the government institution charged with preventing discriminatory lending undermines its entire mission. New leadership at the bureau should vigorously work to change it.
3. Protect consumer data.
The CFPB collects information on 600 million credit accounts, including sensitive consumer information. A 2014 audit by the GAO found numerous problems with how the bureau safeguarded this data, and the latest report by the Federal Reserve Board's Office of Inspector General listed "ensuring an effective information security system" as one of the bureau’s top 10 challenges for 2017.
After noting some progress, the report states, “However, the CFPB has not fully implemented processes, such as data loss prevention technologies, within its internal network that would enable the agency to detect and better protect against unauthorized access to and disclosure of its sensitive information. Likewise, the CFPB is in the process of implementing multifactor authentication for its internal system users.”
The CFPB has been appropriately harsh on Equifax and other companies experiencing data breaches that put consumer information at risk, but how much worse would it be for consumers if the CFPB were hacked? The credit bureaus amass data on your loan types, payment history, etc., but the CFPB data goes far beyond that information to include arbitration case records, vehicle transaction-level data from departments of motor vehicles, information on deposit advance products, data on overdraft fees and more.
Unfortunately, the OIG report cited above specifically calls out the bureau's alerting capabilities and continuous monitoring processes, which makes you wonder how long it would take the CFPB to even know its security had been breached. When it comes to the bureau's data security, the new director should be as strict with the bureau's own internal processes as the bureau has been with other companies.
There is no doubt that change is coming to the CFPB. Here's hoping its new leader seizes the opportunity to create an organization that truly lives up to its important mission to protect consumers.