Auditor Dings CFPB Complaint System for Poor Identity Management

The web tool the Consumer Financial Protection Bureau uses to track consumer complaints about financial firms and their products should improve its identity management controls, according to the summary of a recent audit report.

The agency’s inspector general is not releasing the full report, according to the summary, because of concerns hackers could use it to target the agency.

The auditor made one identity management suggestion, which the agency agreed with, according to the summary.

Identity access generally describes how a computer system determines the people accessing it are who they say they are.

Poor identity management can make it easier for hackers to impersonate someone with legitimate access to a system. It can also make it easier for legitimate users of one portion of a system or one set of data to access and remove information they shouldn’t.

The complaint management system's other security controls are generally operating effectively, the inspector general found. Those controls include scanning for and remediating computer code vulnerabilities and continuously monitoring the system for anomalies.

The bureau also developed a business case for the management system before turning it on, which included a thorough risk-benefit analysis, the inspector general said.

The complaint management system was mandated by the 2010 Dodd-Frank Wall Street Reform and Consumer Protection Act, which also created the CFPB. The goal is to manage consumer complaints about financial products and services and to track how well financial firms are responding to those complaints.

Editor's Note: This story has been updated to clarify that the audit focused on CFPB's internal compliant management system.