CFPB Data Collection Effort Sparks Privacy, Security Concerns

WASHINGTON — The Consumer Financial Protection Bureau's effort to analyze the mortgage market has touched off a debate about privacy and whether the agency is getting too personal in its collection of financial data.

On one side are House Republicans and other critics who have gone so far as to liken the CFPB's activities to the National Security Agency's alleged eavesdropping on American citizens. They say the CFPB is collecting too much data in its efforts to build a national mortgage database and raise fears about both how the agency will use the data as well as whether it is adequately protected.

"Without a doubt, this national mortgage database is an unwarranted and shocking intrusion into the privacy of American citizens," said House Financial Services Committee Chairman Jeb Hensarling at a hearing on June 18. "It is a database I would fully expect to see in either Russia or China, but I'm appalled to see it in the United States of America. And I predict as more Americans become aware of this, they, too, will be appalled, and will demand accountability from this administration."

On the other side is the CFPB as well as others who say the agency is collecting data already owned and circulated by the private sector — and that it is taking steps to ensure it does not retain information on individuals. CFPB Director Richard Cordray has said that its information is "scrubbed" by a third party.

"We're working with a credit reporting agency — not employees of the bureau or FHFA — to de-identify that information and take out things like name, address, Social Security number," Cordray said at the same June 18 hearing. "None of our employees who work with the database will have any of that information available. We don't need it, and it would not be appropriate. And that's my commitment to you."

At issue is a notice filed earlier this year by the Federal Housing Finance Agency and the CFPB that permits the agencies to gather mortgage data that can include a myriad of personal information such as religion or social security numbers. In order to get the data, the CFPB must first buy it "off the shelf" from commercial sources and have a third party remove personal identifiers before it reaches the CFPB.

Some observers said most of the data the agency is collecting is already being shared in the private sector or submitted directly to the government-sponsored enterprises when a borrower receives a mortgage. They note that the FHFA, the CFPB's partner in developing the database, could receive that data anyway.

Outside of the mortgage database, the CFPB has also obtained personal information from consumers who voluntarily file complaints about specific accounts or in gathering data from a bank for an exam or an enforcement action — a common practice for any financial regulator.

"There's a lot being gathered at the CFPB, but I think the general concern about individual consumer data seems overstated," said Jo Ann Barefoot, chief executive of Jo Ann Barefoot Group and the former co-chair of Treliant Risk Advisors. "The private companies generally have much more access to customer data as well as data buying so there's probably a lot more data in private hands than at the CFPB."

Some observers also said it's in the CFPB's interest, both for political and mission-related issues, to ensure any data it collects is also secure.

"As far as I'm aware — whether it was at the Department of Housing and Urban Development, the CFPB or other agencies — regulators are concerned about data security generally and safeguarding personal information specifically, regardless of the political climate," said Bart Shapiro, a former Senior Advisor at the CFPB and former HUD official.

Still, questions remain about whether the CFPB is collecting too much data and how it would be used at a government agency versus how banks employ the information.

While banks collect massive amounts of data, much of that is used for the purposes of understanding their customer better and staying in compliance with required federal and state laws. For example, banks are required by law to track customer transactions to prevent illegal activity such as money laundering.

In many cases, customers are aware that their bank is collecting such data and must be sent privacy notices.

Typically, "the consumer did not decide to a have a direct relationship with a government agency and one could argue that the consumer does not have the ability to provide input on what it's being used for or who it's being shared with," said Timothy Nagle, a counsel at Reed Smith within its data security, privacy and management practice group. "On the other hand, one could make the argument that look, you have a government agency that's collecting this data and you need to trust them to do certain things with it like protect you and the economy."

But there are also questions about just how securely the CFPB holds the data. During another hearing June 18 before a House Financial Services subcommittee, a former CFPB employee testified that there were incidents in which a consumer accidentally received another consumer's personal identifiable information after filing a complaint.

"We might see three this week. We might see five. We might not see any for a few weeks. But then it would sprout up again," said Kevin Williams, a former quality assurance monitor in the CFPB's Office of Consumer Response, who was testifying on allegations of discrimination and retaliation. "That's abnormal. You should not see that many in years."

Jennifer Howard, a spokeswoman for the CFPB, acknowledged there have been occasional hiccups but said the number was very low.

"As we work to provide these consumers with the assistance they seek, there have been a limited number of instances of data entry and verification issues," she said. "These instances represent a tiny fraction of one percent of all interactions. When dealing with tens of thousands of consumer complaints and calls each month, human error may happen. We take these issues seriously and strive to ensure they are rare."

Cordray, meanwhile, has touted the benefits of the agency's data collection efforts, saying this kind of activity is necessary in order to prevent future crises and write balanced rules.

"We didn't know enough about the mortgage market before the crisis. If we had, we might have headed off some aspects of the crisis," Cordray said. "That blind spot was an enormous cost to the American people… This information is very crucial for those purposes."

During the June 18 hearing, Cordray said the agency was initially only going to collect data on 5% of mortgages nationwide, but he added that sometimes banks will give them all of their data in other products like credit cards because it's easier than cutting down to a sample.

Other regulators also collect significant amounts of information on the mortgage market, including the Office of the Comptroller of the Currency, which issues a quarterly metrics report that looks at data from nearly half of the mortgages nationwide from the largest servicers.

The CFPB national mortgage database is still being built and it's unclear what the sample data will look like or all the ways the agency could use that information in the future.

"I think it's appropriate to be cautious, but I don't think the CFPB is carelessly gathering data that's personally identifiable. I also think there's value in the research they are trying to do, as part of a much-needed rethinking of how best to protect consumers," Barefoot said. "At the same time, there's a lot of valid concern across the board about data security and privacy. Those are going to be some of the biggest issues going forward."

For reprint and licensing requests for this article, click here.
Law and regulation
MORE FROM AMERICAN BANKER