Serious concerns raised over CFPB data collection

The bureau has been working to acquire various data related to loans, bank accounts, debt repayment and other transactions in an effort to learn more about trends and issues that affect Americans.

Recent weeks have seen an increased interest in the consumer data collection efforts of the Consumer Financial Protection Bureau. The bureau has been working to acquire various data related to loans, bank accounts, debt repayment and other transactions in an effort to learn more about trends and issues that affect Americans. However, serious questions are being asked from a variety of sources.

In December, the House Financial Services Oversight and Investigations Subcommittee held a hearing on the CFPB’s data collection effort. That effort has taken the shape of 12 separate CFPB collection initiatives. The hearing followed on the heels of a report from the General Accounting Office that detailed the bureau’s most recent initiative, an agreement with the Office of the Comptroller of the Currency. That agreement gives the CFPB access to a staggering amount of consumer information, including more than 90 percent of outstanding credit card balances, 173 million mortgage loans, and 11,000 consumer arbitration records. Such a trove of private information has raised three main concerns.

First, many on the House subcommittee expressed the view that the CFPB is collecting far more information than is necessary to execute its regulatory mission. The CFPB has already collected information on 87 percent of the entire credit card market, and in the past has stated that it is seeking to enlarge this number to 95 percent. However, it only needs to sample approximately 1 percent of the market to achieve its stated goals. Some have stated the CFPB is actually in violation of Section 1022 of Dodd-Frank, which forbids the bureau from collecting personally identifiable information on Americans.

Further, the CFPB is alarmingly opaque about its mass data-collection program. The agency does not reveal to the public specifically what data it collects, nor does it notify specific consumers what information it has gathered about them or how it will be using it. The CFPB collects account-level and sometimes even transaction-level data that captures multiple aspects of consumers’ financial lives, such as information about deposits and balances in accounts and where consumers are swiping their credit cards.

Finally, the CFPB’s data security program has multiple security weaknesses. The bureau’s Information Security Continuous Monitoring program is rated at Level 1 out of 5, defined as “ad hoc,” and the data security protecting the bureau’s consumer complaint database was found by the Inspector General to be deficient in multiple areas. The CFPB lacks even internal written procedures for “anonymizing” the data is uses. Such poor care of personal information may run afoul of the Fourth Amendment, which limits the power of the government to enforce actions on individuals.

Fredrikson & Byron Law