Consumer Agency Needs Privacy Catch-UpFinancial Protection Bureau Faulted for Lack of Policy
The Consumer Financial Protection Bureau, responding to government auditors, is formalizing a comprehensive privacy plan that addresses how the federal agency will assess and manage privacy risks and monitor and audit privacy controls, Director Richard Cordray says.
CFPB, an independent federal agency responsible for consumer protection in the financial sector, also plans to develop additional role-based privacy training for its staff, review its remedial action plans to ensure appropriate details are documented and remediated on schedule, and review its information security risk-management process to further refine oversight of service providers, Cordray says.
Cordray's remarks came in response to a Government Accountability Office audit issued this week that contends CFPB needs to take steps to reduce the risk of improper collection, use and release of consumer financial data. GAO, however, credited CFPB for instituting a number of programs to protect and secure its collection of data.
"Recognizing the sensitivity of some of the consumer financial data it has collected, CFPB has taken steps to protect and secure these data collections, including adopting high-level privacy and security policies and processes," Nicole Clowers, GAO financial markets and community investment director, says in the report.
CFPB Focus Elsewhere
Still, staff at the 3Â½-year-old CFPB told GAO that they were mostly focused on taking necessary actions to effectively carry out their mission during the early years of agency operations. As a result, they said a number of policies and processes were not yet fully documented or implemented, as required by federal internal control guidelines and outlined in National Institute of Standards and Technology guidance.
GAO says CFPB lacks written procedures and comprehensive documentation for a number of processes, including data intake and information security risk assessments. "The lack of written procedures could result in inconsistent application of the established practices," Clowers says.
Concurring with the GAO's findings, Cordray says CFPB takes its role in protecting privacy seriously. "Prior to the creation of the bureau and during the 2007 to 2009 financial crisis, the lack of data on consumer financial products and services hindered federal oversight in areas such as mortgages and fair lending," he says. "Failing to ensure that financial regulators have access to sound data about the markets they oversee can have devastating results for consumers and the economy."
Sensitive Data Retained Unnecessarily
The GAO audit found that CFPB unnecessarily retains sensitive data in two collections auditors reviewed, but CFPB personnel told GAO that they plan to remove this information. The GAO also says CFPB has yet to fully implement a number of privacy controls and information security practices, which could hamper the agency's ability to identify and monitor privacy risks and protect consumer financial data.
Federal law requires agencies to get Office of Management and Budget permission when collecting data from 10 or more organizations to minimize the burden and maximize the practical use of collected information. CFPB and the Office of the Comptroller of the Currency, the Treasury Department agency that supervises national banks and thrift institutions, continuously collect credit card data from different institutions - representing 87 percent of outstanding credit card balances - and share that information.
But the GAO report says OMB isn't always consulted. "Additional consultation with OMB regarding these collections and the data-sharing agreement would help both agencies ensure they are fully complying with the law," the GAO's Clowers says.
Cordray says CFPB will consult with OMB regarding the sharing of credit card information it collects with the Office of the Comptroller of the Currency.
Comptroller of the Currency Thomas Curry says his agency, too, will consult with OMB. When OCC initiated its data collection program, Curry explains, it had planned to gather the information from fewer than 10 banks. OCC recently conducted its own review of its credit card, mortgage and home equity line of credit programs and discovered that it was collecting data from 171 programs. He says OCC will submit information clearance packages to OMB for approval of the data collection programs and expects OMB could clear the information collections by January.