CFPB Critics Focus Fight on Data Collection

The Consumer Financial Protection Bureau has an ambitious agenda for 2016 and so does its critics.

Since its creation by the Dodd-Frank Act, the CFPB’s critics have been vocal and persistent. Large banks and credit card companies cringe at the thought of its public compliance database and various regulatory intrusions into their business practices, while elected officials focus their fight on constitutional concerns. Critics say the agency—with an independent director who serves at the pleasure of the President and a budget doled out by the Federal Reserve rather than the standard route of Congressional appropriations—lacks transparency and accountability.

In recent days, those longstanding concerns have been supplemented with more narrowly focused complaints about data: how it is collected, how it is used, and how it informs CFPB rulemaking.

In early December, Republicans on the House Financial Services Committee, specifically David Scott of Georgia, took aim at the Bureau’s auto-loan regulations for what they claim was flawed, misapplied data.

The Bureau has made investigating auto lending practices—by both banks and nonbanks—a priority, targeting discriminatory practices for minority borrowers. Throughout 2015, Ally Financial paid $98 million, including $80 million in consumer restitution funds, to settle CFPB charges of discriminatory auto lending. Fifth Third Bancorp reached a similar $18 million settlement. The CFPB also launched investigations into American Honda Finance and Toyota Motor Credit Corp.

Congress took notice. The Reforming CFPB Indirect Auto Financing Guidance Act (already passed in the House and awaiting a Senate vote) would revoke auto lending guidance from the CFPB that pressured lenders to limit or eliminate discretionary lending practices that can lead to discriminatory loan pricing.

“The CFPB’s data collection programs are designed to give the agency a picture of what financial institutions (not individual consumers) are up to—with a focus on practices that harm consumers.”
Deepak Gupta, Former Senior Counsel for Enforcement Strategy, CFPB

The problem, according to members of the Financial Services Committee, is that the CFPB’s own data was manipulated to make discriminatory lending practices appear to be more of a problem than it really was. They claim (using internal agency memos to back the accusation) that statistics on the race and ethnicity of borrowers were merely educated guesses based on zip codes and last names.

The agency has shown a pattern of “cherry-picking data,” says Wayne Abernathy, executive vice president for financial institutions policy for the American Bankers Association. In 2014 the Bureau ordered fewer than 10 banks to provide information on their credit card debt collection and debt sale policies and practices, he claims, adding that the CFPB misstates the extent of how data collections, skewed or not, influence rulemaking and enforcement.

Critics are also targeting how the voluminous amounts of consumer data hoarded by the CFPB is collected and protected. Perhaps sensing an issue that resonates with the general public, CFPB critics are deploying some big guns and highly paid lobbyists. That strategy was on display at a Dec. 16 hearing convened by the Financial Services Committee. Among the experts weighing in on data security was former Speaker of the House Newt Gingrich.

Gingrich insisted he was there on his own accord, a somewhat specious claim. As pointed out by Democrats on the committee, he is a paid adviser for the U.S. Consumer Coalition (described by Media Matters as “a secretive group that is attempting to dismantle the CFPB”) and is also a paid adviser to Wise Public Affairs, a Washington D.C. based lobbying firm that has the U.S. Consumer Coalition as a client.

Gingrich was critical of how much personal data could fall into the hands of a Bureau that he sees as lacking accountability. “We have an agency that is collecting more information about Americans’ private lives than any bureaucracy deserves for reasons unrelated to national security,” he said. The auto lending controversy justifies concerns over the Bureau’s perceived lack of checks and balances. “The CFPB is prohibited from regulating car dealers, but it has done so anyway, using absurdly inaccurate techniques to accuse them of racial discrimination and extract fines from car companies and auto finance companies,” he added.

The CFPB is prohibited in Section 1022 of the Dodd-Frank Act from collecting personally identifiable information, “but is doing so anyway,” Gingrich claimed.

ALL ABOUT THE DATA

The following is from documentation, prepared by Republicans on the House Financial Services, prior to a hearing on Dec. 16 that was critical of the Consumer Financial Protection Bureau’s data collection procedures.
The CFPB is collecting more information than is necessary to execute its regulatory mission. The CFPB has already collected information on 87 percent of the credit card market—and in the past has stated that it is seeking to enlarge this number to 95 percent of all credit card accounts—but it only needs to sample approximately one percent of the market to achieve its stated goals. As of September 2014, just one of the CFPB’s 12 mass data collections had already collected information on 173 million loans.
The CFPB is alarmingly non-transparent about its mass data-collection program—the agency does not reveal to the public specifically what data it collects, nor does it notify specific consumers about what information it has gathered about them or how it will be using it. The CFPB collects account-level and sometimes even transaction-level data that captures multiple aspects of consumers’ financial lives, such as information about credit cards and checking accounts.
The CFPB’s data security program has multiple troubling weaknesses. The Bureau’s Information Security Continuous Monitoring program is rated at Level 1 out of 5—defined as “ad hoc,” and the data security protecting the Bureau’s consumer complaint database was found by the Inspector General to be deficient in multiple areas. The CFPB lacks even internal written procedures for “anonymizing” the data is uses.
Source: House Financial Services Committee

The CFPB aims to monitor at least 95 percent of all credit card transactions in the U.S. by 2016 and is already collecting and analyzing data from at least 600 million credit card accounts each month, 7 billion records in the past year alone. The CFPB, by its own statistics, is gathering data on 22 million private-label mortgages each month, 5.5 million student loans, 2 million bank accounts with overdraft fees, and on hundreds of thousands of auto sales, credit scores, and deposit advance loans. An information sharing agreement with the Office of the Comptroller of the Currency gives it access to nearly 90 percent of outstanding credit card balances.

“These secretive and intrusive data-gathering operations are taking place without consumers’ knowledge and without the ability for consumers to opt-out,” Gingrich said. “Certainly, if the NSA and the FBI need a warrant to collect such data on U.S. citizens for the purposes of preventing terrorism, the CFPB should need to get a warrant, too.”

A recent report by the Government Accountability Office found that the CFPB has engaged in at least 12 large-scale data collection efforts; at least three included information that directly identified individual consumers. “Combining this information with other sources allows most of the remaining data collections to also identify individual consumers,” says Mark Calabria, director of Financial Regulation Studies at the Cato Institute, a conservative think tank. “As both the GAO and the Federal Reserve Inspector General have recognized, the CFPB’s data collection poses significant privacy risk to consumers and remains in need of improvement. In consolidating all this financial information in one place, the CFPB has left consumers extremely vulnerable to identity theft and even extortion from hackers.”

Calabria cited the CFPB’s “heavy reliance” on outside contractors and contractor-controlled systems as a specific vulnerability. These risks are compounded by the CFPB’s heavy reliance on “cloud” based computing systems, which are especially vulnerable to hacking. “To the extent that the CFPB continues to engage in mass data collection, it should be brought in-house and not entrusted to private contractors,” he said, offering a rare suggestion of that sort from a small-government advocate.

Calabria stressed that neither the Securities and Exchange Commission nor the Commodity Futures Trading Commission “engages in the collection of massive amounts of individual investor data.” His assessment: the CFPB is engaged in “fishing expeditions,” more so than market monitoring.

No representative of the CFPB attended the House hearing, leaving its defense up to Deepak Gupta, former senior counsel for enforcement strategy at the Bureau and founding principal of the boutique law firm Gupta Wessler.

“The CFPB’s data collection programs are designed to give the agency a picture of what financial institutions (not individual consumers) are up to—with a focus on practices that harm consumers,” he said. The compilation of anonymous, account-level data from the CFPB’s credit-card database allows it to study to study important topics, including credit card marketing practices and the widespread use of forced arbitration clauses in consumer contracts.

Pushing back against references to the GAO report, he pointed out that it “found none of the significant problems with data collection that the CFPB’s opponents have alleged exist.” For collection efforts that even potentially involve personal consumer data, the agency has developed a system for considering privacy implications and has a system for “anonymizing” any material involving identifying information.

“In short, the CFPB’s data collection ensures that the agency’s regulation and enforcement are data-driven and based on the best understanding of market trends and empirical reality,” he added. “The very existence of this hearing illustrates one danger that can occur when public officials don’t base their actions on data. We have a made-up controversy, based on made-up facts.”