Consumer Financial Protection Bureau Needs to Protect Consumer Data Better

The Consumer Financial Protection Bureau has taken steps to ensure the privacy and security of the enormous amount of data it collects, but it should be doing more, including formalizing its procedures in these areas, according to a government report released Monday.

Tasked with overseeing the markets for consumer financial products -- such as mortgages, student loans and credit cards -- the three-year-old agency gathers data on hundreds of millions of individuals’ accounts, an activity that has stirred deep unease in some conservative lawmakers.

Sen. Mike Crapo, R-Idaho, described the collection as “an unwarranted, unwelcome intrusion into the private financial lives of millions of Americans.” Crapo, who requested the Government Accountability Office study the issue, said he felt the report released Monday showed his concerns were warranted.

Indeed, the agency needs better written procedures for how it collects the data, GAO said. The agency also needs to provide employees with better instruction on how to anonymize data and assess privacy risks.

The agency needs a “comprehensive written privacy plan,” the report said. It should provide privacy training to employees and evaluate how it complies with security-related contract requirements.

But the report also noted that to fulfill its mission, CFBP must collect, research, monitor and publish information relevant to consumer financial markets.

“Prior to and during the 2007-2009 financial crisis, we and others noted that the lack of data on consumer financial products and services hindered federal oversight in areas such as mortgages and fair lending,” the report said.

CFPB Director Richard Cordray highlighted that observation in his response to the report, in which he agreed with all the recommendations and noted where the agency had already made progress implementing them.