The Consumer Financial Protection Bureau should make greater efforts to regulate credit reporting agencies, according to a recent report from the Government Accountability Office.
GAO recommended that the CFPB both identify additional sources of information on larger CRAs and reassess its prioritization of examinations to address CRA data security. CFPB neither agreed nor disagreed with GAO’s recommendations.
Since 2015, the CFPB has had five public settlements with CRAs. Four of these settlements included alleged violations of FCRA, and three included alleged violations of unfair, deceptive, or abusive practices provisions.
The agency has authority to supervise larger CRAs (those with more than $7 million in annual receipts from consumer reporting) but lacks the data needed to ensure identification of all CRAs that meet this threshold.
Identifying additional sources of information on these CRAs, such as by requiring them to register with the agency through a rulemaking or leveraging state registration information, could help CFPB ensure that it can comprehensively carry out its supervisory responsibilities.
According to CFPB staff, the bureau does not have authority to examine for or enforce the GLBA’s safeguards provisions. After the Equifax breach, however, CFPB used its existing supervisory authority to examine the data security of certain CRAs.
CFPB’s process for prioritizing which CRAs to examine does not routinely include an assessment of companies’ data security risks, but doing so could help CFPB better detect such risks and prevent the further exposure or compromise of consumer information.
The report also recommended that Congress consider giving the Federal Trade Commission civil penalty authority to enforce the GLBA’s safeguarding provisions.
While consumers can take steps to mitigate the fallout from a CRA data breach, such as implementing a fraud alert or credit freeze, they’re limited in the direct actions they can take against the CRA.
Consumers generally cannot exercise choice in the consumer reporting market, and they cannot remove themselves from the consumer reporting market entirely because they do not have a legal right to delete their records with CRAs.
This limited control by consumers, coupled with the large amount and sensitive nature of the information CRAs possess, underscores the importance of appropriate federal oversight of CRAs’ data security, the GAO said.