June 9, 2015

Dodd-Frank Agency’s Massive Data Collection


  • Far less scrutiny has been given to the massive data collection of the Consumer Financial Protection Bureau created by Dodd-Frank than to the data collection under the Patriot Act.

  • CFPB is currently amassing data on nearly 600 million consumer credit card accounts.

  • The CFPB is unchecked, unaccountable, and lacks real transparency in the collection of Americans’ financial information.


“The CFPB’s massive data collection effort is an unwarranted, unwelcome intrusion into the private financial lives of millions of Americans … and it does not have the proper safeguards in place to protect the information being collected.”

 – Senator Mike Crapo, September 22, 2014

Last week, the Senate voted to constrain the collection of telephone records on suspected terrorists under the USA PATRIOT Act. Less scrutiny has been given to the much larger data collection efforts by the Consumer Financial Protection Bureau, which is currently engaged in amassing data on nearly 600 million consumer credit card accounts.

The Patriot Act took tools that were previously available to law enforcement for investigating other crimes and applied them to the hunt for international terrorists. These included surveillance authorities and administrative subpoenas. In many cases, the government was required to obtain court orders to use these authorities, whereas in criminal cases they could be used merely by subpoena. The government’s use of Patriot Act section 215 to obtain business records held by a third party was an example of this.

In contrast, there has been little public discussion of the CFPB’s unchecked use of new powers, violating the privacy of millions of Americans. Red flags have been raised about the agency since its creation, due to its enormous investigative and regulatory authority, its lack of accountability, and the unparalleled power of its director. The CFPB was established by the Dodd-Frank Act to “regulate the offering and provision of consumer financial products or services.” In pursuit of this, the CFPB ramped up demands for bank records and acquisition of consumer financial information.

Unprecedented Data Collection

Bloomberg News first brought attention to the large-scale data collection by the CFPB in an April 17, 2013, article. Among its revelations:

  • A $15 million contract to store and analyze credit card information from nine banks;
  • The requirement that banks provide records of credit card add-on products, such as credit monitoring and debt cancellation;
  • A separate requirement for banks to submit data on checking account overdraft activity;
  • Buying data from the credit-reporting company Experian on five to 10 million consumers “for use in a wide range of policy research projects” as well as plans to purchase auto loan information from the company; and
  • Another credit-reporting company being paid to provide data on payday loans.

A subsequent GAO investigation found that CFPB has access to account-level credit card data on as many as 596 million consumer accounts on a monthly basis – 87 percent of the credit card market – in addition to other information on American families.

CFPB Data Collection Table

Source: GAO

Additionally, in a joint effort with the Federal Housing Finance Agency, the CFPB built a mortgage database to integrate consumer credit information with loan and property records. Banks have been ordered to provide substantial amounts of data.

Concerns over Security

Recent headlines have called attention to security breaches of government information systems.

  • June 2015 – the Wall Street Journal reported that “hackers in China stole the personal records of as many as four million people in one of the most far-reaching breaches of government computers.”
  • May 2015 – the IRS said that hackers stole tax-return details on 100,000 households from the agency’s website.
  • February 2015 – the Wall Street Journal reported that the State Department was unable to remove Russian hackers from its unclassified email system, despite knowing about the breach for three months.

Concerns also have been raised specifically about data security issues at the CFPB. A 2013 report by the agency’s inspector general highlighted a series of concerns with the CFPB’s security controls over its contractor-operated systems. The IG found several “management, operational, and technical control weaknesses” with one such system. It also noted that “CFPB has not established a comprehensive information security strategy to guide the implementation of an agency-wide information security program.” A 2014 update found that while “corrective actions are underway, further improvements are needed in security training and contingency planning.” The 2014 GAO report also raised a series of concerns. One area needing a fix: CFPB lacked written policies and procedures for data privacy.

GAO also found weaknesses in the CFPB’s ability to assess risks and vulnerabilities associated with data security and protection of consumer financial information. GAO noted that CFPB collects some credit card information on its own, and information on other accounts through an “information-sharing agreement” with the Office of the Comptroller of the Currency. GAO recommended that the two agencies submit the credit card data collection plan for consultation and approval by the Office of Management and Budget, as required by law. Without such a review, there is no reasonable assurance that these collections comply with the law.

Reforms Are Urgently Needed

Since the creation of the CFPB, Senate Republicans have sought needed reforms of the agency. The bureau is far too insulated from congressional oversight of its actions and its budget, and its director has few meaningful checks on his power. Among the reforms sought:

  • Establish a bipartisan board of directors to oversee the CFPB;
  • Subject the bureau to the appropriation process, similar to other federal regulators; and
  • Establish a safety and soundness check for the prudential regulators.

CFPB’s massive data collection of personally identifiable information requires greater accountability and greater transparency on how it uses and protects private consumer financial information.