An independent audit of the Consumer Financial Protection Bureau shows it needs to update information privacy policies and procedures to better protect consumers. The recently released audit report can be found here.
The audit was ordered in accordance with the Dodd-Frank Act as a required annual review of the CFPB’s operations and budget, and as a source of objective analysis about program improvements, cost reductions, decision-making and public accountability. According to the report, the audit objectives were to evaluate the CFPB’s Investment Review Board process relative to the CFPB’s policies and procedures; its budget process relative to the policies and procedures established over budget formulation, execution and monitoring; its information privacy function relative to CFPB policies and procedures over compliance with privacy laws and applicable regulations and guidance; and the corrective actions taken to resolve findings and recommendations from the 2014 audit.
The report’s findings on the bureau’s privacy policies and procedures show that the process to assess and obtain data sets to ensure compliance with those policies is “manually intensive.” The CFPB’s chief data office is in the process of transitioning the manual process to the use of an automated tool. Also, the CFPB needs to create a documented project timeframe to complete the automated data cataloging activities and establish policies and procedures to regularly review the data set inventory, according to the report. The CFPB has a chief privacy officer responsible for all of the bureau’s privacy compliance and operational activities. Those duties include employee training, management of incident response activities and ongoing auditing and monitoring.
The audit also evaluated the CFPB’s budget process, risk management plan and Investment Review Board, which is the executive advisory body for all major investment decisions. In the words of the report, the “CFPB could benefit from introducing improvements to its cost estimation methodology and expanding the use of the program performance in its budget activities.”
The CFPB said on its website that it is preparing to implement the proposed recommendations to its privacy procedures and is evaluating the budget recommendations. The website also indicated that the bureau will establish policies and procedures for the regular review of its data set inventory.
The report noted that the CFPB had completed remediation for all of the findings in the 2014 audit, such as improvements to the records management and annual self-assessment process, and the mid-year review process.