The Federal Reserve's Office of the Inspector General (Fed OIG) recently updated its work plan to include a security audit of the data being collected on consumers by the Consumer Financial Protection Bureau (CFPB).
The CFPB collects, handles, and stores various types of consumer information and personally identifiable information (PII) as part of its mission, according to the work plan. The data being collected by the CFPB is defined as data that could be used to identify specific individuals or distinguish individuals from one another.
"We will review the extent to which the CFPB has assessed the risks associated with the collection, maintenance, storage, and disposal of privacy data and PII and applied appropriate information security controls and protection over the data to mitigate those risks," the work plan said. "We will focus on (1) CFPB systems that house PII, (2) access to PII, (3) disposal and destruction mechanisms, (4) the handling of privacy incidents, (5) privacy training, and (6) National Institute of Standards and Technology privacy controls."
Several lawmakers, along with financial industry groups and associations, have expressed concern over whether the CFPB's collection of personal data is an invasion of privacy.
"CUNA (Credit Union National Association) has raised a number of concerns about the CFPB's storage of information in the CFPB's database, particularly if the personal information collected by the bureau is inadvertently disclosed when consumer complaints are filed with the bureau," CUNA said in a press release. "CUNA has urged the CFPB to take steps to minimize privacy risks."
In September 2014, the Government Accountability Office (GAO) released the results of a comprehensive study confirming that the CFPB was collecting financial data on 600 million Americans. The study was requested by U.S. Sen. Mike Crapo (R-Idaho), who at the time was the Ranking Member of the Senate Banking Committee.
"The CFPB’s massive data collection effort is an unwarranted, unwelcome intrusion into the private financial lives of millions of Americans," Crapo said when the GAO's report was released. "This GAO report confirms what the Bureau would not—that it has been collecting information on up to 600 million American financial accounts, and it does not have the proper safeguards in place to protect the information it is collecting. At a time when data and identity-related crimes are at an all-time high, the last thing the American people need is one more federal agency collecting their private financial information."
The Fed OIG's work plan also listed as one of its ongoing projects the audit of the CFPB's controversial Consumer Complaint Database.
"In June 2012, the CFPB became the first federal regulator to publicly share individual-level consumer financial complaint data," the work plan said. "While the Consumer Complaint Database initially contained only credit card complaints, the CFPB has extended the database to other consumer financial products and services covered by the CFPB. Our audit objective is to assess the effectiveness of the CFPB’s controls over the accuracy and completeness of the public complaint database."