Republicans Hammer CFPB Over Data Collection Efforts

WASHINGTON — House Republicans attacked the Consumer Financial Protection Bureau on Wednesday, arguing the agency is not able to safely secure the anonymous bulk data it collects on consumers' financial activities.

The agency has been gathering data on credit cards, mortgages and other products, but lawmakers said it could potentially be breached and reversed engineered to obtain personal information.

"Increasingly our cyber infrastructure and private records are becoming the target of both state and non-state actors alike," Rep. Michael Fitzpatrick, R-Pa., said at a House Financial Services hearing.

He pointed to a recent Office of Personnel Management data breach which resulted in millions of government employees' personal information being stolen.

"For these reasons it is alarming that any organization… would collect any consumer data and store it in a single location like the Consumer Financial Protection Bureau does," he said.

But one of the witnesses said the CFPB goes to great lengths to protect the data it collects and ensure it is not personally identifiable, which would render it useless for identifying individuals if it was stolen.

"A constellation of data can certainly be used to identify someone without their name. The CFPB is really concerned about that and that is why…they have a data intake team that carefully, carefully scrubs the data before it even enters the bureau," said Deepak Gupta, a founding principal at Gupta Wessler and a former CFPB official.

The CFPB, which was not invited to participate at the hearing, has argued that it attempts to secure all data and emphasized that what it collects is similar to what other agencies already gather.

A September 2014 Government Accountability Office report concluded that the agency "has taken steps to protect and secure these data collections, including adopting high-level privacy and security policies and processes."

The agency gathers the data "to make certain that the Bureau carries out statutorily mandated supervisory and enforcement activities with a thorough understanding of the markets it oversees," CFPB Director Richard Cordray wrote to the GAO.

But Mark Calabria, director of financial regulation studies at the Cato Institute testified at the hearing that some of the CFPB's methods of storing the data raise some security concerns.

"A significant amount of the CFPB data collection is maintained by contractors on cloud computing which…leaves particular vulnerable to hacking," Calabria said, and suggested the CPFB should rely less on contractors in this instance.

Rep. Maxine Water, the panel's lead Democrat, contended that the majority of the data the CFPB collects is publicly available and the criticisms were more politically motivated than out of genuine concern.

"This hearing is simply another blatant attempt to mischaracterize the bureau's data collection activities to consumers," Waters said.

Yet the CFPB could also leverage the data collection for its own political gain, according to Wayne Abernathy, executive vice president for regulatory affairs at the American Bankers Association.

"They gather enormous amounts of information, keep the data in-house and then they parse out only the pieces of it that establish the positions that they have already taken," he said. "It is like being in court case where the prosecutor says here is the information I am going to share that shows that you are guilty but I am not going to share the information I have that might tell a different story."

Newt Gingrich, former Speaker of the House, who also testified at the hearing, said the agency's structure, with a single director, makes it vulnerable to abuse.

"When you put total power in one person's hands and they can operate in remarkable secrecy you are creating a natural pattern that leads to very dangerous behavior," he said.

Still, Gupta argued that was not the case.

"We're having a hearing about a set of imagined problems that exist only in the minds of the CFPB's political opponents," he said. "If you ask the actual privacy groups, they voice support for the CFPB's acquisition and analysis of commercial databases to help it ensure the public is fairly treated by the financial marketplace."

For reprint and licensing requests for this article, click here.
Law and regulation Cyber security Bank technology Data breaches
MORE FROM AMERICAN BANKER