Is CFPB’s data freeze about security or a political ploy?

WASHINGTON — The Consumer Financial Protection Bureau's recent freeze on collecting any personally identifiable information from companies it supervises is slowing investigations and could ultimately cripple the agency's enforcement function — and that may be the point, according to former agency and law enforcement officials.

Acting CFPB Director Mick Mulvaney issued a directive instructing staff not to collect such data, known as PII, from lenders or businesses that can be traced back to individual consumers ostensibly because of concerns about data security. But former officials are skeptical of that rationale, arguing it's being used as a pretext.

"Shutting down enforcement agency access to information about specific individuals who were harmed is like telling a waiter in a restaurant that they can collect information on the aggregate number and type of dishes ordered but not who ordered what," said Prentiss Cox, an associate professor at the University of Minnesota and former assistant Minnesota attorney general.

"This is a very thinly veiled attempt to shut down fraud enforcement, which is consistent with the not-even-veiled priority agenda item of the congressional Republicans to eviscerate the CFPB."

In his directive, Mulvaney cited concerns about data security laid out in a May 2017 report by the Office of the Inspector General, which found that confidential and sensitive enforcement information was accessible by a wider circle of CFPB employees than was necessary and prudent. Mulvaney said that staff instead could access aggregate data.

Sen. Elizabeth Warren and Mick Mulvaney, acting CFPB director.

But Sen. Elizabeth Warren, the founder of the CFPB and one of its most vocal supporters, sent a letter to Mulvaney last week openly doubting that explanation, noting that the inspector general did not recommend a halt to the data collection.

“I believe Director Mulvaney's actions are unjustified and that he inappropriately used the reports as a pretext to halt and weaken critical agency functions,” said the Massachusetts Democrat.

Other officials said they can't know for certain Mulvaney's reasoning, but said a data freeze would effectively stop the agency’s activities in their tracks.

“Assuming that the freeze is being implemented the way Sen. Warren describes, this is a way to essentially cripple the agency, not just hamstring it,” said Richard Horn, who served as special counsel and senior adviser at the CFPB. “Its examination activities and its investigation activities depend on reviewing consumer information, and the consumer complaint function as well.”

Adding to the suspicion of Mulvaney's motives is his outspoken views about the CFPB and its mission. While he was a member of Congress, Mulvaney lashed out against the agency, and upon his appointment as the bureau’s acting director, he said during a press conference that the bureau is “an awful example of a bureaucracy that has gone wrong and is almost entirely unaccountable to the people that are supposed to oversee it and supposed to pay for it.”

The CFPB’s organizational structure is comprised of several departments, each of which use personal identifiable information in different ways and to varying degrees. The consumer complaint database, for example, is a portal through which individual consumers can file a grievance against a firm. Through those complaints — as well as through investigations or through supervisory activities — the CFPB’s enforcement office can build a case for fraud or unfair or deceptive practices.

Lena Mualla, a staff attorney at Troutman Sanders and former CFPB attorney, said that PII is the linchpin of the CFPB’s enforcement actions, and while the impact of a freeze could be drastic, Mulvaney’s directive doesn’t seem to have reached as far as the consumer complaint database. That still gives CFPB examiners access to key data.

“It’s really important. It’s the genesis of any kind of process of going forward with an enforcement action,” Mualla said. “It could be extensive, especially if is going to affect the complaint database, which remains to be seen.”

Lucy Morris, an attorney at Hudson Cook and former deputy enforcement director at CFPB, acknowledged that data security is an important problem, and one that any director needs to take seriously — especially in light of the recent Equifax breach. But the directive has doubtless had the effect of at least slowing down the supervisory and enforcement functions at the bureau.

“Keep in mind that this is occurring at a time when you’ve had very big public data breaches, and then you have the IG reports on top of it," she said. "I don’t want to suggest that this isn’t something that shouldn’t be taken seriously, but in the case of the CFPB, it’s probably something that’s slowing down the exam work, and it may be carrying over to other data collection [activities] in the enforcement office.”

One industry attorney, who requested anonymity because their clients are subject to CFPB examinations and investigations, said that, from their point of view, the agency’s enforcement activities do not appear to have missed a beat save for a few weeks after former director Richard Cordray left and Mulvaney took over.

The attorney said he doesn't know if CFPB lawyers can still review personal information in documents acquired through discovery — Warren alleges that they cannot — but firms under investigation are still providing information with PII to the agency.

“The agency has not ground to a halt,” the attorney said. “There was a period of a couple of weeks where things seemed to be frozen up, but they’re back to collecting information. But to the extent there are internal disruptions at the bureau, they’re not visible to us.”

One unresolved question is why Mulvaney would take so drastic a step in response to a months-old inspector general’s report. Bank regulators — not to mention other government agencies like the Social Security Administration and the IRS — deal extensively in highly sensitive personal information and have never been subject to such a drastic directive. Both the Office of Personnel Management and the State Department were the subject of extensive security breaches in 2015 and neither were instructed to not collect personal data.

Morris said that she wasn’t aware of any data security issue at the CFPB that would warrant such a move.

“It is a newer agency, quite a new agency, so there’s likely room for improvement, given that it’s a new agency that’s trying to figure out things as it goes,” Morris said. “But I’ve never heard that it has a problem or that it does things differently than other agencies.”

The industry attorney speculated that only two motivations for the directive make sense.

“One of two things is going on. Either this is a legitimate concern because there is something worse we don’t know about, or this was somebody’s misguided attempt to be clever about jamming up the CFPB,” the attorney said. “But it didn’t work, because the examinations appear to be going forward.”

Horn said that, if the directive is intended to provide political cover to gum up the CFPB’s operations, the agency might find itself subject to litigation. The Dodd-Frank Act requires the agency to have a consumer complaint function, and if the directive prevents that function from providing a “timely response to their complaints,” citizens and advocacy groups might attempt to compel the agency to act.

“They have to have a consumer complaint function,” Horn said. “So maybe … a consumer could sue because the CFPB ceases to take consumer complaints because they contain PII, they wouldn’t be fulfilling their statutory obligations.”

Kate Berry contributed to this article.

For reprint and licensing requests for this article, click here.
Enforcement Cyber security Litigation Mick Mulvaney Richard Cordray Elizabeth Warren CFPB News & Analysis
MORE FROM AMERICAN BANKER