Consumer Financial Protection Bureau: Some Privacy and Security Procedures for Data Collections Should Continue Being Enhanced
Highlights
What GAO Found
To carry out its statutory responsibilities, the Consumer Financial Protection Bureau (CFPB) has collected consumer financial data on credit card accounts, mortgage loans, and other products through one-time or ongoing collections. As the following table shows, these large-scale data collections varied from about 11,000 consumer arbitration case records from a trade association to 173 million mortgage loans from a data aggregator. Of the 12 large-scale collections GAO reviewed, 3 included information that identified individual consumers, but CFPB staff indicated that those 3 were not subject to statutory restrictions on collecting such information. Other regulators, such as the Board of Governors of the Federal Reserve System (Federal Reserve) and the Office of the Comptroller of the Currency (OCC), collect similarly large amounts of data.
CFPB has taken steps to protect and secure these data collections. For example, it created a data intake process that brings together staff with relevant expertise to consider the statutory, privacy, and information security implications of proposed consumer financial data collections. CFPB staff described a process for anonymizing large-scale data collections that directly identify individuals. In addition, CFPB had taken steps to implement an information security program that is consistent with Federal Information Security Management Act requirements, according to the Office of Inspector General for the Federal Reserve and CFPB. GAO found that CFPB had implemented logical access controls for the information system that maintains the consumer financial data collections and was appropriately scanning for problems or vulnerabilities. CFPB also established a risk-management process for the information system that maintains consumer financial data consistent with guidelines developed by the National Institute of Standards and Technology (NIST).
However, GAO determined that additional efforts are needed in several areas to reduce the risk of improper collection, use, or release of consumer financial data.
Written procedures and documentation: CFPB lacks written procedures and comprehensive documentation for a number of processes, including data intake and information security risk assessments. The lack of written procedures could result in inconsistent application of the established practices. For example, CFPB unnecessarily retained sensitive data in two collections GAO reviewed, but its staff said they plan to remove this information. GAO recommends CFPB establish or enhance written procedures for (1) data intake, including reviews of proposed data collections for compliance with applicable legal requirements and restrictions; (2) anonymizing data; (3) assessing and managing privacy risks; (4) monitoring and auditing privacy controls; and (5) documenting results of information security risk assessments consistently and comprehensively.
Implementation of privacy and security steps: CFPB has not yet fully implemented a number of privacy control steps and information security practices, which could hamper the agency's ability to identify and monitor privacy risks and protect consumer financial data. GAO recommends CFPB take or complete action to (1) develop a comprehensive written privacy plan that brings together existing privacy policies and guidance; (2) obtain periodic independent reviews of its privacy practices; (3) develop and implement targeted privacy training for staff responsible for working with sensitive personal information; (4) update remedial action plans to include all identified weaknesses and realistic planned remediation dates that reflect priorities and resources; and (5) include an evaluation of compliance with contract provisions relating to information security in CFPB's review of the service provider that processes consumer financial data on its behalf.
Paperwork Reduction Act compliance: Under the Paperwork Reduction Act (PRA), agencies generally must obtain Office of Management and Budget (OMB) approval when collecting data from 10 or more entities to minimize burden and maximize the practical utility of the information collected. CFPB and OCC collect, on an ongoing basis, credit card data from different institutions—representing about 87 percent of outstanding credit card balances—and agreed to share data. However, OMB staff said the agencies' collections and data-sharing agreement may warrant OMB review and approval. Additional consultation with OMB regarding these collections and the data-sharing agreement would help both agencies ensure they are fully complying with the law. Furthermore, OCC had not obtained OMB approval for its credit card and mortgage data collections, which each included more than nine entities. Without approval, OCC lacks reasonable assurance that its collections comply with PRA requirements intended to reduce burden. GAO recommends (1) CFPB consult further with OMB about its credit card collection and data-sharing agreement, and (2) OCC seek OMB approval for its credit card and mortgage data collections.
CFPB's Large-Scale Collections of Consumer Financial Data from January 2012 through July 1, 2014

Data collection | Scope | Ongoing or one-time | Contains information that directly identifies individuals? |
---|---|---|---|
Arbitration case records: consumer case records from January 2010 through early 2013 | 11,204 case records | One-time | ✓ |
Automobile sales: vehicle transaction-level data from 46 state motor vehicle departments matched with consumer credit data | 700,000 vehicles per month | Ongoing (monthly) | |
Consumer credit report information: nationally representative sample panel of consumer credit information | 10.7 million individuals | Ongoing (monthly and quarterly) | |
Credit cards: individual consumers' credit card account-level data, with linkages to credit reporting data | 25-75 million total accounts^a | Ongoing (monthly) | |
Credit scores: random samples of consumer reports and credit scores calculated on such reports | 600,000 consumer credit reports | One-time | |
Deposit advance products: deposit account and transaction-level data, including use of deposit advance products | 100,000-500,000 accounts | One-time | ✓^b |
Mortgages: loan-level data from large servicers for mortgages | 29 million active loans; 173 million total loans | Ongoing (monthly) | |
Online payday loans: loan summaries from a sample of borrower files from online payday lenders, matched with consumer credit data | 300,000 borrowers | One-time | |
Overdraft fees: account and transaction-level data based on random samples of consumer checking accounts | 2 million accounts and related transactions | One-time | |
Private-label mortgages: loan-level data on loans packaged into private-label mortgage-backed securities | 4 million active loans; 21.9 million total loans | Ongoing (monthly) | |
Private student loans: loan-level data on all educational loan originations from 2005 through 2011 | 5.5 million total loans | One-time | |
Storefront payday loans: borrower-level activity for all loans within a period of 12 or more months | 15-40 million total loans | One-time | ✓^b |
Source: GAO analysis of CFPB information. | GAO-14-758
Why GAO Did This Study
Congress created CFPB in 2010 as an independent agency to regulate the provision of consumer financial products and services, such as mortgages and student loans. CFPB has begun collecting consumer financial data from banks, credit unions, payday lenders, and other institutions. GAO was mandated to examine CFPB's collection of consumer financial data. This report addresses (1) the scope, purposes, uses, and authorities of CFPB consumer financial data collections and (2) CFPB's compliance with laws and federal requirements, including government-wide privacy and information security requirements.
GAO reviewed laws, regulations, and contracts pertaining to CFPB's data collections; reviewed privacy and information security policies; reviewed inspector general reports on CFPB's information security program; assessed how CFPB applied NIST's framework for managing risks of storing data; examined access controls on the system maintaining consumer financial data; and interviewed CFPB and other regulatory officials, privacy experts, and representatives from randomly selected financial institutions.
Recommendations
GAO makes 11 recommendations to enhance CFPB's privacy and information security and 1 recommendation to OCC to ensure its data collections comply with appropriate disclosure requirements. CFPB and OCC agreed with GAO's recommendations and noted steps they plan to take or have taken to address them.
Recommendations for Executive Action
Agency Affected | Recommendation | Status |
---|---|---|
Consumer Financial Protection Bureau | To help improve CFPB's efforts to protect and secure collected consumer financial data and to help ensure consistent implementation of its current processes and practices, the Director of CFPB should establish or enhance written procedures for the data intake process, including reviews of proposed data collections for compliance with applicable legal requirements and restrictions and documentation requirements for consultations with OMB about PRA applicability. | In September 2015, CFPB finalized written procedures for its data intake process. According to these procedures, CFPB staff are to submit data intake proposals to the data governance team, which will determine whether to involve the resources of the Data Intake Group. The Data Intake Group will then review the proposed data collection for compliance with applicable legal, regulatory, or policy restrictions. This includes a review by the legal division to determine whether the data may involve personally identifiable information and a review by the Paperwork Reduction Act team to determine whether the collection needs to be reviewed by the Office of Management and Budget. These procedures note that a record of any consultations with the legal division or the Office of Management and Budget is to be documented. |
Consumer Financial Protection Bureau | To help improve CFPB's efforts to protect and secure collected consumer financial data and to help ensure consistent implementation of its current processes and practices, the Director of CFPB should establish or enhance written procedures for anonymizing data, including how staff should assess data sensitivity, which steps to take to anonymize data fields, and responsibilities for reviews of anonymized data collections. | In September 2015, CFPB finalized written procedures for its data intake process, which also describe its de-identification plans. These procedures note that the agency would prefer to obtain de-identified data, but in the event that identifiable data is required, the procedures require CFPB staff to develop a de-identification plan that is also submitted to the agency's Data Intake Group and its Chief Information Officer, who must approve all such collections. De-identification plans are to take into account the sensitivity level assigned to the proposed intake, which is to be determined using CFPB's Information Sensitivity Leveling Standard; that standard identifies the sensitivity of the data based on its source and content. The de-identification plans also consider the authority under which the data is being brought in, the data fields (both individually and in particular groupings), technical requirements for execution of the proposed de-identification plan, and the potential risk of re-identification. The agency's Privacy Team is then to review de-identified data collections to ensure that the de-identification process was accurately performed. |
Consumer Financial Protection Bureau | To help improve CFPB's efforts to protect and secure collected consumer financial data and to help ensure consistent implementation of its current processes and practices, the Director of CFPB should establish or enhance written procedures for assessing and managing privacy risks, including documentation requirements to support statements about potential privacy risks in privacy impact assessments (PIA) and for determinations that PIAs are not required. | CFPB finalized its privacy plan and its data intake procedures in September 2015. The data intake procedures discuss the review process that the agency's Privacy Team will use to determine whether the agency must prepare a privacy impact assessment (PIA) for the proposed data collection. According to the privacy plan, CFPB's Privacy Policy requires system owners and managers to "conduct a risk assessment to identify privacy risks and determine the appropriate security controls to protect against risk." The privacy plan states that if the Privacy Team determines that a PIA is not needed, it would document this determination, including the rationale for the determination, using a privacy assessment report. To assist with this, CFPB has developed checklists for its staff to review the appropriateness of existing PIAs, including identifying the need to develop any new PIAs. In addition, the privacy plan states that the Privacy Team will perform reviews of third-party entities not controlled or operated by the government that collect or make personally identifiable information available to CFPB. The plan also states that CFPB will evaluate third-party tools to ensure they meet federal security, privacy, and statutory requirements. CFPB has developed a document outlining the privacy evaluation criteria its staff will use to evaluate third-party tools, including whether CFPB needs to prepare any PIAs. |
Consumer Financial Protection Bureau | To help improve CFPB's efforts to protect and secure collected consumer financial data and to help ensure consistent implementation of its current processes and practices, the Director of CFPB should establish or enhance written procedures for monitoring and auditing privacy controls. | In September 2015, CFPB finalized a privacy plan that describes the steps the agency will undertake to ensure it is complying with its privacy requirements. This plan notes that CFPB's Privacy Team will work with the cybersecurity staff to ensure that monitoring of the privacy controls is occurring. The plan also notes that the agency's Privacy Team monitors and audits some privacy controls as part of daily operations. It also conducts annual reviews of the various disclosure documents, using review checklists to ensure compliance with privacy disclosure requirements and to ensure that the Privacy Impact Assessments and System of Records Notices CFPB has issued remain accurate and up-to-date. Rather than conduct point-in-time reviews, CFPB has developed procedures for continuous monitoring of compliance, and as part of reviewing information security controls, these procedures also require ongoing assessments of compliance with privacy controls. According to the Chief Privacy Officer, this is a continuous process intended to determine whether any changes have been made to the information being collected, and whether any changes to the disclosures and relevant controls are needed. The agency has also had external audits of its privacy practices and notes that it is committed to periodic audits of its privacy function. |
Consumer Financial Protection Bureau | To help improve CFPB's efforts to protect and secure collected consumer financial data and to help ensure consistent implementation of its current processes and practices, the Director of CFPB should establish or enhance written procedures for documenting information security risk-assessment results consistently and comprehensively to include all NIST-recommended elements. | CFPB issued a new risk management process policy in December 2015 that includes procedures for various steps in assessing the information security risks of its information, including steps relating to intake, risk assessments, risk decisions, implementation of controls, and monitoring of compliance. It also addresses roles and responsibilities of various CFPB staff involved in these processes. In February 2016, CFPB finalized a new Risk Assessment Methodology publication, which defines a methodology derived from NIST Special Publication 800-30. This methodology outlines the tasks CFPB staff are to complete in documenting the information security risk assessment. These tasks include addressing specific NIST-recommended elements, including those we had identified as missing in documentation we reviewed for our report. |
Consumer Financial Protection Bureau | To enhance the protection of collected consumer financial data, the Director of CFPB should develop a comprehensive written privacy plan that brings together existing privacy policies and guidance. | CFPB finalized its privacy plan in September 2015. This plan discusses its integration of CFPB policies regarding privacy, disclosure of information, and framework for information governance with its standards, procedures, and processes that facilitate the integration of privacy into CFPB activities. |
Consumer Financial Protection Bureau | To enhance the protection of collected consumer financial data, the Director of CFPB should obtain periodic reviews of the privacy program's practices as part of the independent audit of CFPB's operations and budget. | In December 2015, CFPB obtained the results of an additional external audit that included a review of CFPB information privacy policies and procedures relating to compliance with privacy laws, regulations, and guidance. This audit noted that CFPB had developed various policies and procedures. It recommended that CFPB complete its automated data cataloguing activities and establish policies to regularly review its data set inventory. It also recommended that CFPB update its privacy policies to include procedures to ensure destruction of storage media that contain personally identifiable information. CFPB staff noted that they have an external audit of the agency's financial controls conducted annually and that their staff will consider whether to have the auditors conduct additional audit steps to review compliance with privacy controls as part of the planning for these annual reviews. |
Consumer Financial Protection Bureau | To enhance the protection of collected consumer financial data, the Director of CFPB should develop and implement role-based privacy training. | During November 2014, CFPB conducted role-based privacy training sessions for staff in different offices. Additional role-based privacy training sessions have been scheduled, according to CFPB. |
Consumer Financial Protection Bureau | To enhance the protection of collected consumer financial data, the Director of CFPB should update remedial plans for the information system that maintains consumer financial data and related components to include all identified weaknesses and realistic scheduled completion dates that reflect current priorities and available resources. | CFPB issued a new policy addressing its remedial action plans process in December 2015 that includes procedures for various steps in developing plans for addressing weaknesses in its information security environment, including steps relating to the development, maintenance, and reporting on progress of these plans. It also addresses roles and responsibilities of various CFPB staff involved in managing these plans. CFPB staff meet every 2 weeks to review these plans. A weekly status report is provided to the Chief Information Security Officer that summarizes, by system, the total number of weaknesses, a breakdown of risk levels, and a due date window for expected resolution. CFPB also updated the remedial action plans for the information system that maintains consumer financial data to reflect more realistic completion dates for any outstanding weaknesses. |
Consumer Financial Protection Bureau | To enhance the protection of collected consumer financial data, the Director of CFPB should include an evaluation of compliance with contract provisions relating to information security in CFPB's review of the service provider that processes consumer financial data for CFPB. | CFPB indicated that past reviews of the service provider in question had been evaluated and that CFPB is working with the service provider to ensure it is in compliance with existing provisions. In early 2016, CFPB conducted an evaluation of the service provider's compliance with the information security provisions in the existing contract and expected this review to be completed shortly. In addition, under the contract, CFPB has the right to make inquiries about practices and compliance at any time and would take that step when warranted. CFPB officials noted that the provisions of the contract discussed in our report were standard for all service contracts at the time it was awarded, but that the risk level of the contract did not warrant annual reviews as spelled out in the contract. CFPB has indicated that a revision of its cybersecurity risk management process was in progress and would incorporate new and updated procurement practices, including reviews tailored to the inherent risk of the contracted service. |
Consumer Financial Protection Bureau | To provide greater assurance of compliance with the Paperwork Reduction Act (PRA), the Director of CFPB should also consult further with OMB about whether PRA requirements apply to its credit card data collection and information-sharing agreement with OCC, and document the result of this consultation. | CFPB consulted with OMB regarding its credit card data collection and, in October 2014, CFPB received written notice that OMB had determined that the data collection effort did not trigger Paperwork Reduction Act requirements. |
Office of the Comptroller of the Currency | To ensure compliance with federal law, the Comptroller of the Currency should seek timely approval from OMB under PRA for OCC's credit card and mortgage collections, including the information-sharing agreement with CFPB for credit card data. | In June 2015, OCC provided submissions to OMB seeking approval of its data collection programs for credit cards, mortgages, and home equity lines of credit. In its supporting statement for the credit card data collection program, OCC discussed its information-sharing agreement with CFPB. |