CFPB Must Improve Financial Data Security: GAO
If you’re one of the 25 million to 75 million U.S. credit cardholders whose account information has been gathered by the CFPB, your financial data may not be as safe as it should be.
The U.S. Government Accountability Office recently examined the bureau's data security practices and found fault with how the agency manages the data it collects on credit cards and 12 other financial services areas.
The September issue of GAO Highlights identified three major areas in which the CFPB's large-scale data collection practices and information management methods leave significant room for improvement.
“It literally took an act of Congress to obtain this information because the unaccountable CFPB would not answer our questions,” Financial Services Committee Chairman Jeb Hensarling (R-Texas) said following Monday’s release of the GAO report.
As part of its government mandate, the GAO examined laws, regulations and contracts pertaining to the CFPB’s data collection methodologies, risk management in storing data and other security issues regarding U.S. consumer financial information.
While the CFPB does have some control mechanisms in place, the agency needs to take even greater steps to keep consumer financial information secure, according to the report.
“The American people are rightfully worried about the massive amounts of private information government collects on their personal lives, especially in this age of criminal hackers, data breaches and identity theft,” Hensarling said.
He added, “This report reveals troubling deficiencies in the CFPB’s data security procedures and privacy controls, as well as an apparent effort by the CFPB to skirt the consumer privacy protections required by Congress in both the Dodd-Frank Act and the Paperwork Reduction Act.”
The GAO study found that the CFPB lacked written procedures and comprehensive documentation for a number of processes, including data intake and information security risk assessments.
Without written procedures, the study noted, established practices may be applied inconsistently, and the report laid out several steps the CFPB should take to bring its data collection management and security practices into line.
The GAO recommended that the CFPB establish or enhance written procedures for data intake, including reviews of proposed data collections for compliance with applicable legal requirements and restrictions; better anonymization of data; assessing and managing privacy risks; monitoring and auditing privacy controls; and documenting results of information security risk-assessments consistently and comprehensively.
The CFPB was also faulted for not fully implementing privacy controls and information security practices, gaps that could hamper the agency's ability to identify and monitor privacy risks and to protect consumer financial data.
The GAO recommended that the CFPB develop a comprehensive privacy plan, undergo periodic independent privacy reviews, develop necessary staff privacy training and take other steps necessary to improve its overall data security.
Finally, the report recommended that the CFPB and the Office of the Comptroller of the Currency, in consultation with the Office of Management and Budget, work more closely together to share the credit card data each collects more effectively and securely, and to make sure each agency is in compliance with the Paperwork Reduction Act.
In addition to credit card transaction information, Hensarling said the CFPB’s programs include the monthly collection of 11 million credit reports, 195 million mortgage loans and 700,000 auto sales transactions linked with consumer credit data. Those numbers don’t include the National Mortgage Database, which was not fully examined by the GAO as part of this report.
“It seems the CFPB is trying to out-NSA the NSA when it comes to accumulating information on Americans,” Hensarling said. “This is, without a doubt, an unwarranted and shocking intrusion into the privacy of American citizens.”