Ranking Senate Banking Committee Member Seeks Investigation of CFPB’s ‘Big Data’ Collection
WASHINGTON, D.C. — How the Consumer Financial Protection
Bureau is conducting its business continues to be questioned by leaders on
Capitol Hill.
On Tuesday, Sen. Mike Crapo requested that the Government
Accountability Office (GAO) investigate what he called the "big data"
collection effort being undertaken by the CFPB on consumer spending habits.
Crapo, an Idaho Republican and ranking member of the Senate
Banking, Housing and Urban Affairs Committee first asked during a hearing and
subsequently a letter to CFPB for information regarding the legality and scope
of this data collection. Discovering the CFPB was spending millions to collect
information on millions of Americans' personal credit card, banking, mortgage
and student loan information triggered the inquiry, according to the lawmaker.
"I learned through news reports that the CFPB has allocated
more than $20 million for collecting and tracking spending habits of more than
10 million Americans," Crapo said.
"The size and scope of CFPB's data collection warrant proper
government oversight to both guard consumers' privacy and ensure that the CFPB
is acting within its existing authority," he continued.
More than 50 U.S. House Representatives from both sides of
the aisle have previously sent letters of inquiry to the CFPB about its
methods. SubPrime Auto Finance News recapped those developments here and here.
In his request to GAO, Crapo noted that it is still unknown
exactly what information is being collected by the CFPB, on how many accounts
and how it is being used. Crapo also
pointed to security issues, citing concerns by the CFPB's own inspector general
regarding what safeguards are in place to protect consumer data.
"We need to know what safeguards are in place to prevent the
collection or use of the data it is collecting," Crapo said.
The Senator sent quite a list of items for the GAO to consider
when studying CFPB's data collection efforts. The points include:
Statutory Limitations/Legal
Authority
—Under what legal authority is the CFPB requesting and
collecting consumer information?
—Does the CFPB differentiate data it obtains through its
supervisory authority from data collected vis-a-vis different authority, and if
so, how? Does its store data separately?
—What internal policies and procedures has the CFPB adopted
to ensure whether data collected pursuant to one authority can be used under a
separate authority?
—Does the CFPB inform institutions being examined when data
are collected for purposes unrelated to the exam?
—Are there internal firewalls for storing and using consumer
data CFPB collects for supervisory, enforcement, research and regulatory
purposes, or does the CFPB use data it collects for multiple purposes?
—How does the CFPB plan to utilize the data it collects in
each of the following areas: (i) research and analysis, (ii) supervision, (iii)
enforcement, and (iv) regulation?
—How does the CFPB plan to ensure that PII obtained through
the consumer complaint process is not used contrary to limitations on such
information under the CFPB's rulemaking authority?
Scope and Purpose
—How many accounts are being monitored and how many
Americans?
—How many financial institutions have been asked to provide
consumer data to the CFPB, and how many of them are currently doing so?
—Did any institutions refuse to provide consumer data to the
CFPB, and if so, what alternative methods is the CFPB employing to obtain such
data?
—How many pieces of information has the CFPB collected to
date? How many pieces of information is
the CFPB collecting on a monthly basis?
How many specific data points has the CFPB requested of the
participating banks?
—What data is the CFPB collecting in each category,
including but not limited to: mortgages, home equity lines of credit, credit
cards, checking accounts, overdrafts, student lending (private), student
lending (government), deposit advances, payday loans, remittances, prepaid
cards, medical debt?
—Who does the CFPB purchase consumer data from and how does
CFPB utilize vendors and third party contractors for data collection and
analysis purposes?
—What is the legal standing of third party contractors with
respect to CFPB and to the financial institutions from which the data is
collected?
—Does the CFPB use Memoranda of Understanding (MOUs) with
other federal banking regulators to access data that it does not have the
ability and/or authority to collect directly?
—Are CFPB's data collection efforts subject to the Paperwork
Reduction Act (PRA) which requires OMB review and does the use of MOUs bypass
PRA requirements?
—Why is it necessary to demand all consumer account data
instead of an anonymous representative sample?
—What does the CFPB intend to do with it?
—In what other areas does the CFPB collect, or plan to
collect, consumer data?
—Is the amount of data and the frequency of the data
collection appropriate for the specific stated purposes by CFPB for how the
agency intends to use the data? Does the
CFPB have the authority to collect data for sake of collecting data with no
intended stated purpose?
—How much does the agency spend annually on this data
collection?
—Is the data collected in the course of CFPB's supervision
duplicative or overlapping with data collected by the institutions' prudential
regulators? If so, has the CFPB coordinated with prudential regulators to
eliminate or minimize such duplication?
—Whether forcing financial institutions to disclose this
information would cause them to violate their legal obligations to protect the
privacy of their customers' personal information?
Privacy
—Is it possible for the CFPB, or any third party vendor
working on behalf of the CFPB, to reverse engineer raw data to identify
individual consumers?
—Does a third party data aggregator, working on behalf of
the CFPB, receive any PII?
—What are the policies and procedures of a third party data
aggregator, working on behalf of the CFPB, to aggregate data received from
institutions?
—Has the CFPB set a time period for retaining this data, and
will the individual consumer transaction information be purged from all federal
records after this retention period?
—With regard to medical debt data collected by the CFPB, is
the collection related to the supervisory or examination oversight of issuers
of debt? Does the type of data collected
reveal the type of medical procedures/conditions of consumers?
—Does the CFPB share this information with any outside third
parties? Are these outside third parties
under contract with the CFPB?
Data Security
—How is the CFPB ensuring that the consumer information it
collects is kept secure?
—Has the CFPB suffered any breaches of data, and has any
data breach reached consumer information?
—The CFPB's Office of the Inspector General 2012 Audit of
the CFPB's Information Security Program raised concerns with the CFPB's
internal data security. What is the progress of the CFPB's implementation of
information security recommendations from the OIG?
—What specific measures has the CFPB taken to ensure its
third-party vendors are protecting consumers' data?
Cost-Benefit Analysis
—Has the CFPB conducted any cost-benefit analysis to
determine the cost of the data requests and production on the institutions?
—Has the CFPB solicited feedback from any institutions about
the cost of these data requests and production? Have any financial institutions
volunteered or shared with the CFPB that information? What is the cost of this
data production, both initially and on-going, for institutions that are
furnishing data to the CFPB?
—With respect to the Paperwork Reduction Act and other laws,
Office of Management and Budget has set forth certain parameters for surveys
and data collection. Has the CFPB obtained the OMB approval document for this
data collection effort? If not, why not?
Continue the conversation with SubPrime Auto Finance News on LinkedIn and Twitter.
Normal
0
false
false
false
EN-US
X-NONE
X-NONE
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:”Table Normal”;
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-qformat:yes;
mso-style-parent:””;
mso-padding-alt:0in 5.4pt 0in 5.4pt;
mso-para-margin-top:0in;
mso-para-margin-right:0in;
mso-para-margin-bottom:10.0pt;
mso-para-margin-left:0in;
line-height:115%;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:”Calibri”,”sans-serif”;
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-fareast-font-family:”Times New Roman”;
mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;}