September 22, 2014

GAO Confirms CFPB Massive Data Collection

Report cites weaknesses with data security and privacy

Washington, D.C. - Today, the Government Accountability Office (GAO) released the results of a comprehensive study confirming that the Consumer Financial Protection Bureau (CFPB) is collecting financial data on up to 600 million consumer credit card accounts, and that the Bureau's privacy and security controls for data collection should be enhanced to reduce the risk of improper collection, use, or release of consumer financial data.  

The report, requested by U.S. Banking Committee Ranking Member Mike Crapo (R-Idaho), documents CFPB's large-scale collection of consumer financial data from 2012 through 2014, confirms the existence of personal identifiers in CFPB's data collections, and raises the concern that CFPB lacks written policies and procedures for data privacy and protection.

"The CFPB's massive data collection effort is an unwarranted, unwelcome intrusion into the private financial lives of millions of Americans," Crapo said.  "This GAO report confirms what the Bureau would not - that it has been collecting information on up to 600 million American financial accounts, and it does not have the proper safeguards in place to protect the information it is collecting.  At a time when data and identity-related crimes are at an all-time high, the last thing the American people need is one more federal agency collecting their private financial information."

After discovering the CFPB was spending millions of dollars to collect information on millions of Americans' personal credit card, banking, mortgage and student loan information, Crapo began to raise serious concerns with the CFPB's "big data" collection.  When the Bureau repeatedly failed to provide sufficient information regarding the data collection, Crapo turned to the non-partisan GAO to investigate, requesting an official review of the CFPB's data collection efforts.

Key findings from the GAO report:

  • CFPB has access to account-level credit card data on between 546 and 596 million consumer accounts on a monthly basis.  This represents consumer data covering 87 percent of the credit card market. (p.28)
  • CFPB conducts large-scale collections on consumer financial data, including data with personal identifiers.  Data includes one-time and monthly collections on automobile sales, consumer credit report information, credit cards, credit scores, mortgages, student loans, and others. See charts here and here.
  • CFPB lacks written policies and procedures for data privacy.  GAO noted that the CFPB ". . . has not developed standard policies and written procedures to document the practices it uses for anonymizing data, including clarifying how data sensitivity will be assessed. . ." (p.42)  For example, the CFPB retained sensitive data in two data collections reviewed by GAO, including religious data. (p.42-43)
  • GAO found weaknesses in the Bureau's ability to assess risks and vulnerabilities associated with data security and protection of consumer financial information.  Both the GAO and the CFPB's Inspector General previously found similar weaknesses in a separate report released last year. (p.58)
  • GAO noted that the CFPB and OCC should submit their credit card data collection plan for consultation and approval by the Office of Management and Budget, as required by law.  Without such review, CFPB and OCC lack reasonable assurance that these collections are in compliance with the law. (p.66)

"There are many outstanding questions and concerns following this report," Crapo continued.  "For example, it is still unclear exactly what information the CFPB is collecting, how they are using it, and whether it can be easily reverse-engineered to identify an individual.  I consider these to be very serious concerns at the very agency that was supposed to watch out for consumers, not watch them."

To view a full copy of the GAO report on recommended enhancements for the privacy and security controls for the CFPB's data collection, click HERE.  To view Senator Crapo's original request to the GAO, click HERE.