CFPB Lacks Proper Data Security, Report Says
A report released by the United States Government Accountability Office this week found that the CFPB, which has collected information on up to 600 million financial accounts, has fallen short in its data-protection efforts.

WASHINGTON, D.C. — In a report released Sept. 22, the United States Government Accountability Office (GAO) found that while the Consumer Financial Protection Bureau (CFPB) has taken steps to secure the data it has collected — including records from automobile sales, consumer credit report information, credit cards, credit scores, mortgages and student loans — the bureau is lacking in written policies and procedures for data privacy, as well as the ability to assess risk.
The report, requested by U.S. Banking Committee Ranking Member Mike Crapo (R-Idaho), found that the CFPB has account-level access to credit card data on between 546 million and 596 million consumer accounts on a monthly basis, representing consumer data covering 87% of the credit card market.
“The CFPB’s massive data collection effort is an unwarranted, unwelcome intrusion into the private financial lives of millions of Americans,” Crapo said in a press release issued Monday. “This GAO report confirms what the Bureau would not — that it has been collecting information on up to 600 million American financial accounts, and it does not have the proper safeguards in place to protect the information it is collecting.
“At a time when data and identity-related crimes are at an all-time high, the last thing the American people need is one more federal agency collecting their private financial information,” he added.
Some of the data collected includes personal identifiers such as arbitration case records, storefront payday loan activity and records on the use of deposit advance products. In its report, the GAO recommended that the bureau develop written procedures and comprehensive documentation for data intake and security risk assessments to avoid inconsistent application of its practices.
“For example, [the] CFPB unnecessarily retained sensitive data in two collections GAO reviewed, but its staff said they plan to remove this information,” the report read, in part.
The bureau, which recently proposed a new rule that would allow it to oversee about 38 nonbank auto finance companies, also collects vehicle transaction-level data from 46 state motor vehicle departments matched with consumer credit data. This encompasses about 700,000 vehicles per month.
The GAO report also noted that the CFPB has not fully implemented a number of privacy control and information security practices, and has failed to submit its credit card data collection plan to the Office of Management and Budget for approval, which is required under the Paperwork Reduction Act.
“There are many outstanding questions and concerns following this report,” Crapo said. “For example, it is still unclear exactly what information the CFPB is collecting, how they are using it, and whether it can be easily reverse-engineered to identify an individual. I consider these to be very serious concerns at the very agency that was supposed to watch out for consumers, not watch them.”
