Washington, D.C. – Today, U.S. Senator Mike Crapo (R-Idaho), Ranking Member of the Senate Banking, Housing and Urban Affairs Committee, requested that the Government Accountability Office (GAO) investigate the “big data” collection effort being undertaken by the Consumer Financial Protection Bureau (CFPB) on consumer spending habits. After discovering that the CFPB was spending millions of dollars to collect information on millions of Americans’ personal credit card, banking, mortgage and student loan accounts, Crapo asked during a hearing, and subsequently in a letter to the CFPB, for information regarding the legality and scope of this data collection. The size and scope of the CFPB’s data collection warrant proper government oversight to both guard consumers’ privacy and ensure that the CFPB is acting within its existing authority.
In the request to GAO, Crapo notes that it is still unknown exactly what information is being collected by the CFPB, on how many accounts and how it is being used. Crapo also points to security issues, citing concerns by the CFPB’s own Inspector General regarding what safeguards are in place to protect consumer data.
Below is the full text of the letter:
July 2, 2013
The Honorable Gene Dodaro
U.S. Government Accountability Office
441 G Street, NW
Washington, DC 20548
Dear Comptroller Dodaro:
As the Ranking Member of the Senate Committee on Banking, Housing and Urban Affairs, I recently participated in a hearing to gain insight into the Consumer Financial Protection Bureau’s (“CFPB”) actions, including its widespread data collection of consumers’ financial information. I learned through news reports that the CFPB has allocated more than $20 million for collecting and tracking spending habits of more than 10 million Americans. Subsequent information I have received indicates the scope of this data collection may be far greater than this. The size and scope of this data collection warrant proper government oversight to both guard consumers’ privacy and ensure that the CFPB is acting within its existing authority.
The law that established the CFPB expressly prohibits gathering or analyzing the personally identifiable financial information (“PII”) of consumers except for very limited purposes. While CFPB officials have stated the CFPB is not collecting PII, we do not know what information it collects, on how many accounts, or how this information is being used. We also need to know whether the CFPB is truly not collecting PII from the data it is collecting or purchasing. In addition to regulatory and privacy concerns, this also raises data security issues especially since the CFPB’s Inspector General has already identified deficiencies in this area. We need to know what safeguards are in place to prevent the collection or use of the data it is collecting.
For these reasons, I request that the GAO investigate CFPB’s data collection to determine its purpose, scope and intended use; specific legal authority pursuant to which the CFPB is collecting consumers’ data; how the CFPB secures and protects information it collects; the purchase and use of data from third parties and contractors; and the cost of this data collection for both the CFPB and the institutions that are providing information. For your reference, a non-exclusive list of specific issues for GAO to consider is attached to this letter.
Thank you for your prompt attention to these important matters. Should you have any questions, please contact me or Jelena McWilliams or Jared Sawyer of my staff at 224-7391.
List of Items for GAO to Consider When Studying CFPB’s Data Collection Efforts
Statutory limitations / legal authority
- Under what legal authority is the CFPB requesting and collecting consumer information?
- Does the CFPB differentiate data it obtains through its supervisory authority from data collected vis-a-vis different authority, and if so, how? Does it store data separately?
- What internal policies and procedures has the CFPB adopted to ensure whether data collected pursuant to one authority can be used under a separate authority?
- Does the CFPB inform institutions being examined when data are collected for purposes unrelated to the exam?
- Are there internal firewalls for storing and using consumer data CFPB collects for supervisory, enforcement, research and regulatory purposes, or does the CFPB use data it collects for multiple purposes?
- How does the CFPB plan to utilize the data it collects in each of the following areas: (i) research and analysis, (ii) supervision, (iii) enforcement, and (iv) regulation?
- How does the CFPB plan to ensure that PII obtained through the consumer complaint process is not used contrary to limitations on such information under the CFPB’s rulemaking authority?
Scope and Purpose
- How many accounts are being monitored and how many Americans?
- How many financial institutions have been asked to provide consumer data to the CFPB, and how many of them are currently doing so?
- Did any institutions refuse to provide consumer data to the CFPB, and if so, what alternative methods is the CFPB employing to obtain such data?
- How many pieces of information has the CFPB collected to date? How many pieces of information is the CFPB collecting on a monthly basis? How many specific data points has the CFPB requested of the participating banks?
- What data is the CFPB collecting in each category, including but not limited to: mortgages, home equity lines of credit, credit cards, checking accounts, overdrafts, student lending (private), student lending (government), deposit advances, payday loans, remittances, prepaid cards, medical debt?
- Who does the CFPB purchase consumer data from and how does CFPB utilize vendors and third party contractors for data collection and analysis purposes?
- What is the legal standing of third party contractors with respect to CFPB and to the financial institutions from which the data is collected?
- Does the CFPB use Memoranda of Understanding (MOUs) with other federal banking regulators to access data that it does not have the ability and/or authority to collect directly?
- Are CFPB’s data collection efforts subject to the Paperwork Reduction Act (PRA), which requires OMB review, and does the use of MOUs bypass PRA requirements?
- Why is it necessary to demand all consumer account data instead of an anonymous representative sample?
- What does the CFPB intend to do with it?
- In what other areas does the CFPB collect, or plan to collect, consumer data?
- Is the amount of data and the frequency of the data collection appropriate for the specific purposes stated by the CFPB for how the agency intends to use the data? Does the CFPB have the authority to collect data for the sake of collecting data with no stated intended purpose?
- How much does the agency spend annually on this data collection?
- Is the data collected in the course of CFPB’s supervision duplicative or overlapping with data collected by the institutions’ prudential regulators? If so, has the CFPB coordinated with prudential regulators to eliminate or minimize such duplication?
- Would forcing financial institutions to disclose this information cause them to violate their legal obligations to protect the privacy of their customers’ personal information?
- Is it possible for the CFPB, or any third party vendor working on behalf of the CFPB, to reverse engineer raw data to identify individual consumers?
- Does a third party data aggregator, working on behalf of the CFPB, receive any PII?
- What are the policies and procedures of a third party data aggregator, working on behalf of the CFPB, to aggregate data received from institutions?
- Has the CFPB set a time period for retaining this data, and will the individual consumer transaction information be purged from all federal records after this retention period?
- With regard to medical debt data collected by the CFPB, is the collection related to the supervisory or examination oversight of issuers of debt? Does the type of data collected reveal the type of medical procedures/conditions of consumers?
- Does the CFPB share this information with any outside third parties? Are these outside third parties under contract with the CFPB?
- How is the CFPB ensuring that the consumer information it collects is kept secure?
- Has the CFPB suffered any breaches of data, and has any data breach reached consumer information?
- The CFPB’s Office of the Inspector General (“OIG”) 2012 Audit of the CFPB’s Information Security Program raised concerns with the CFPB’s internal data security. What is the progress of the CFPB’s implementation of information security recommendations from the OIG?
- What specific measures has the CFPB taken to ensure its third-party vendors are protecting consumers’ data?
- Has the CFPB conducted any cost-benefit analysis to determine the cost of the data requests and production on the institutions?
- Has the CFPB solicited feedback from any institutions about the cost of these data requests and production? Have any financial institutions volunteered or shared with the CFPB that information? What is the cost of this data production, both initially and on-going, for institutions that are furnishing data to the CFPB?
- With respect to the Paperwork Reduction Act and other laws, the Office of Management and Budget has set forth certain parameters for surveys and data collection. Has the CFPB obtained the OMB approval document for this data collection effort? If not, why not?