WASHINGTON, D.C. -

How the Consumer Financial Protection Bureau is conducting its business continues to be questioned by leaders on Capitol Hill.

On Tuesday, Sen. Mike Crapo requested that the Government Accountability Office (GAO) investigate what he called the "big data" collection effort being undertaken by the CFPB on consumer spending habits.

Crapo, an Idaho Republican and ranking member of the Senate Banking, Housing and Urban Affairs Committee first asked during a hearing and subsequently a letter to CFPB for information regarding the legality and scope of this data collection.

Discovering the CFPB was spending millions to collect information on millions of Americans' personal credit card, banking, mortgage and student loan information triggered the inquiry, according to the lawmaker.

"I learned through news reports that the CFPB has allocated more than $20 million for collecting and tracking spending habits of more than 10 million Americans," Crapo said.

"The size and scope of CFPB's data collection warrant proper government oversight to both guard consumers' privacy and ensure that the CFPB is acting within its existing authority," he continued.

More than 50 U.S. House Representatives from both sides of the aisle have previously sent letters of inquiry to the CFPB about its methods. SubPrime Auto Finance News recapped those developments here and here.

In his request to GAO, Crapo noted that it is still unknown exactly what information is being collected by the CFPB, on how many accounts and how it is being used. Crapo also pointed to security issues, citing concerns by the CFPB's own inspector general regarding what safeguards are in place to protect consumer data.

"We need to know what safeguards are in place to prevent the collection or use of the data it is collecting," Crapo said.

The Senator sent quite a list of items for the GAO to consider when studying CFPB's data collection efforts. The points include:

Statutory Limitations/Legal Authority

—Under what legal authority is the CFPB requesting and collecting consumer information?

—Does the CFPB differentiate data it obtains through its supervisory authority from data collected vis-a-vis different authority, and if so, how? Does its store data separately?

—What internal policies and procedures has the CFPB adopted to ensure whether data collected pursuant to one authority can be used under a separate authority?

—Does the CFPB inform institutions being examined when data are collected for purposes unrelated to the exam?

—Are there internal firewalls for storing and using consumer data CFPB collects for supervisory, enforcement, research and regulatory purposes, or does the CFPB use data it collects for multiple purposes?

—How does the CFPB plan to utilize the data it collects in each of the following areas: (i) research and analysis, (ii) supervision, (iii) enforcement, and (iv) regulation?

—How does the CFPB plan to ensure that PII obtained through the consumer complaint process is not used contrary to limitations on such information under the CFPB's rulemaking authority?

Scope and Purpose

—How many accounts are being monitored and how many Americans?

—How many financial institutions have been asked to provide consumer data to the CFPB, and how many of them are currently doing so?

—Did any institutions refuse to provide consumer data to the CFPB, and if so, what alternative methods is the CFPB employing to obtain such data?

—How many pieces of information has the CFPB collected to date?  How many pieces of information is the CFPB collecting on a monthly basis? How many specific data points has the CFPB requested of the participating banks?

—What data is the CFPB collecting in each category, including but not limited to: mortgages, home equity lines of credit, credit cards, checking accounts, overdrafts, student lending (private), student lending (government), deposit advances, payday loans, remittances, prepaid cards, medical debt?

—Who does the CFPB purchase consumer data from and how does CFPB utilize vendors and third party contractors for data collection and analysis purposes?

—What is the legal standing of third party contractors with respect to CFPB and to the financial institutions from which the data is collected?

—Does the CFPB use Memoranda of Understanding (MOUs) with other federal banking regulators to access data that it does not have the ability and/or authority to collect directly?

—Are CFPB's data collection efforts subject to the Paperwork Reduction Act (PRA) which requires OMB review and does the use of MOUs bypass PRA requirements?

—Why is it necessary to demand all consumer account data instead of an anonymous representative sample?

—What does the CFPB intend to do with it?

—In what other areas does the CFPB collect, or plan to collect, consumer data?

—Is the amount of data and the frequency of the data collection appropriate for the specific stated purposes by CFPB for how the agency intends to use the data? Does the CFPB have the authority to collect data for sake of collecting data with no intended stated purpose?

—How much does the agency spend annually on this data collection?

—Is the data collected in the course of CFPB's supervision duplicative or overlapping with data collected by the institutions' prudential regulators? If so, has the CFPB coordinated with prudential regulators to eliminate or minimize such duplication?

—Whether forcing financial institutions to disclose this information would cause them to violate their legal obligations to protect the privacy of their customers' personal information?

Privacy

—Is it possible for the CFPB, or any third party vendor working on behalf of the CFPB, to reverse engineer raw data to identify individual consumers?

—Does a third party data aggregator, working on behalf of the CFPB, receive any PII?

—What are the policies and procedures of a third party data aggregator, working on behalf of the CFPB, to aggregate data received from institutions?

—Has the CFPB set a time period for retaining this data, and will the individual consumer transaction information be purged from all federal records after this retention period?

—With regard to medical debt data collected by the CFPB, is the collection related to the supervisory or examination oversight of issuers of debt? Does the type of data collected reveal the type of medical procedures/conditions of consumers?

—Does the CFPB share this information with any outside third parties?  Are these outside third parties under contract with the CFPB?

Data Security

—How is the CFPB ensuring that the consumer information it collects is kept secure?

—Has the CFPB suffered any breaches of data, and has any data breach reached consumer information?

—The CFPB's Office of the Inspector General 2012 Audit of the CFPB's Information Security Program raised concerns with the CFPB's internal data security. What is the progress of the CFPB's implementation of information security recommendations from the OIG?

—What specific measures has the CFPB taken to ensure its third-party vendors are protecting consumers' data?

Cost-Benefit Analysis

—Has the CFPB conducted any cost-benefit analysis to determine the cost of the data requests and production on the institutions?

—Has the CFPB solicited feedback from any institutions about the cost of these data requests and production? Have any financial institutions volunteered or shared with the CFPB that information? What is the cost of this data production, both initially and on-going, for institutions that are furnishing data to the CFPB?

—With respect to the Paperwork Reduction Act and other laws, Office of Management and Budget has set forth certain parameters for surveys and data collection. Has the CFPB obtained the OMB approval document for this data collection effort? If not, why not?

Continue the conversation with Auto Remarketing on both LinkedIn and Twitter.