The Industry's Leading Source For F&I, Sales And Technology


CFPB Lacks Proper Data Security, Report Says

September 25, 2014

WASHINGTON, D.C. — In a report released Sept. 22, the United States Government Accountability Office (GAO) found that while the Consumer Financial Protection Bureau (CFPB) has taken steps to secure the data it has collected — including records from automobile sales, consumer credit report information, credit cards, credit scores, mortgages and student loans — the bureau is lacking in written policies and procedures for data privacy, as well as the ability to assess risk.

The report, requested by U.S. Banking Committee Ranking Member Mike Crapo (R-Idaho), found that the CFPB has account-level access to credit card data on between 546-596 million consumer accounts on a monthly basis, representing consumer data covering 87% of the credit card market.

“The CFPB’s massive data collection effort is an unwarranted, unwelcome intrusion into the private financial lives of millions of Americans,” Crapo said in a press release issued Monday. “This GAO report confirms what the Bureau would not — that it has been collecting information on up to 600 million American financial accounts, and it does not have the proper safeguards in place to protect the information it is collecting. 

“At a time when data and identity-related crimes are at an all-time high, the last thing the American people need is one more federal agency collecting their private financial information,” he added.

Some of the data collected includes personal identifiers such as arbitration case records, storefront payday loan activity and records on the use of deposit advance products. In its report, the GAO recommended that the bureau develop written procedures and comprehensive documentation for data intake and security risk assessments to avoid inconsistent application of its practices.

“For example, [the] CFPB unnecessarily retained sensitive data in two collections GAO reviewed, but its staff said they plan to remove this information,” the report read, in part.

The bureau, which recently proposed a new rule that would allow it to oversee about 38 nonbank auto finance companies, also collects vehicle transaction-level data from 46 state motor vehicle departments matched with consumer credit data. This encompasses about 700,000 vehicles per month.

The GAO report also noted that the CFPB has not fully implemented a number of privacy control and information security practices, and has failed to submit its credit card data collection plan to the Office of Management and Budget for approval, which is required under the Paperwork Reduction Act.

“There are many outstanding questions and concerns following this report,” Crapo said. “For example, it is still unclear exactly what information the CFPB is collecting, how they are using it, and whether it can be easily reverse-engineered to identify an individual. I consider these to be very serious concerns at the very agency that was supposed to watch out for consumers, not watch them.”


  1. 1. Tim [ September 25, 2014 @ 12:49PM ]

    It's time for this agency to be abolished !! They can't do themselves what they govern others to do. When will the craziness STOP ?
    Watch,they will be the next data breach


Your Comment

Please note that comments may be moderated. 
Leave this field empty:
Your Name:  
Your Email:  



Help F&I and Showroom Select the 2014 F&Idol Winner

The magazine made available this week the voting page for the final round of the IAS-sponsored F&Idol competition. Review the five video entries and vote for the overall winner of the 2014 contest.