On March 27, Equifax and FICO announced a strategic partnership they are calling the “Data Decisions Cloud.” In essence, the strategic alliance enables the two firms to offer financial institutions access to an even greater amount of diverse consumer data.

The move comes as Equifax, its peers, and the regulators that oversee them continue to face data security criticisms. The latest chapter in the ongoing story comes from the Government Accountability Office, which is tasked with producing impartial research for Congress, and an investigation requested by Democratic senators in February. The catalyst for that request was a 2017 Equifax data breach that compromised the records of at least 145.5 million consumers. The GAO was asked to examine issues related to the Equifax breach, including federal oversight of credit reporting agencies (CRAs).

CRAs, the GAO report says, collect “vast amounts of sensitive consumer information, package it into consumer reports, and sell the reports to third parties.” Banks, employers, and others use these reports to make credit, employment, insurance, and other decisions. According to a 2018 Department of the Treasury report, the three nationwide CRAs—Equifax, Experian, and TransUnion—maintain credit files on nearly 210 million Americans. The consumer reporting market comprises more than 400 companies, and the Consumer Data Industry Association reports that these companies issue three billion reports and make more than 36 billion updates to consumer files each year. 

“Consumers have little control over what information these companies have, so federal oversight is important—and it could be improved. For example, the [Consumer Financial Protection Bureau] doesn’t routinely consider data security risk when prioritizing its examinations of these companies,” the GAO wrote. Its final report recommends improving federal enforcement of data safeguards and oversight of these companies’ security practices.

Regulatory shortcomings

The Federal Trade Commission and CFPB are the federal agencies primarily responsible for overseeing CRAs. The FTC has authority to investigate most organizations that maintain consumer data and to bring enforcement actions for violations of statutes and regulations that concern the security of data and consumer information. Relevant laws include the Fair Credit Reporting Act (FCRA); the Gramm-Leach-Bliley Act (GLBA); and provisions of the Dodd-Frank Act concerning “unfair, deceptive, or abusive acts or practices.”

The Federal Trade Commission Act prohibits “unfair or deceptive acts or practices” affecting commerce. In the context of privacy and security, these provisions require companies to represent their practices truthfully to consumers, and the FTC has treated companies that claimed to follow certain data security protections, but did not in fact have such security features, as falling under that legislative mandate.

To implement standards for CRAs and other entities that fall under its jurisdiction, the FTC also adopted its Safeguards Rule, which requires, among other things, that financial institutions have a written information security program, assess the risks to customer information, and evaluate and adjust the information security program in light of foreseeable risks.

Since 2008, the FTC has settled 34 enforcement actions against various entities related to consumer reporting violations of the FCRA, including 17 actions against CRAs. Some of these settlements included civil penalties—fines for wrongdoing that do not require proof of harm—for FCRA violations or violations of consent orders. The FTC, however, does not have civil penalty authority for violations of requirements under the Gramm-Leach-Bliley Act. 

The GAO concluded the FTC’s lack of civil penalty authority for GLBA hinders its effectiveness in enforcing data security provisions. 

“Having civil penalty authority would allow [the] FTC to fine a company for a violation such as a data breach without needing to prove the monetary harm to individual consumers,” it wrote. “For violations of GLBA provisions, which are enforced pursuant to FTC Act authority, the FTC may seek an injunction to stop a company from violating these provisions and may seek redress (damages to compensate consumers for losses) or disgorgement. However, determining the appropriate amount of consumer compensation requires the FTC to identify the consumers affected and the amount of monetary harm they suffered.”

“In cases involving security or privacy violations resulting from data breaches, assessing monetary harm can be difficult,” it added. “It is difficult for the agency to identify which individuals were victimized as a result of a particular breach and to what extent they were harmed and then obtain related redress or disgorgement.” 

The CFPB comes up short on large firms

The CFPB has supervisory authority over “larger market participants” in the consumer reporting market. In 2012, it defined those CRAs as having more than $7 million in annual receipts from consumer reporting. Its supervision of these companies includes monitoring, inspecting, and examining them for compliance with the requirements of certain federal consumer financial laws and regulations. 

Since 2015, the CFPB has completed five public settlements with CRAs. Four of these settlements included alleged violations of FCRA, and three included alleged violations of unfair, deceptive, or abusive practices provisions. 

The Bureau “lacks the data needed to ensure identification of all CRAs that meet [the $7 million] threshold,” the GAO report says. “Identifying additional sources of information on these CRAs, such as by requiring them to register with the agency through a rulemaking, or leveraging state registration information, could help [the] CFPB ensure that it can comprehensively carry out its supervisory responsibilities.”

CFPB staff told the researchers that identifying additional larger market participant CRAs can be challenging. For example, the Securities and Exchange Commission does not require non-publicly traded CRAs to file financial and other information that could be used to identify them. Staff also said they do not ask CRAs to provide their annual receipts, with the exception of the specific CRAs being considered for examination in a given year, because doing so “could create an additional cost to the companies.”

“One method for identifying institutions for oversight, particularly where data are limited, is to require companies to register with the relevant regulator,” the GAO recommended. “For example, among other requirements, insured depository institutions must obtain a charter to operate, and money services businesses generally must register with the Financial Crimes Enforcement Network. Similarly, the CFPB could identify CRAs that meet the larger market participant threshold by requiring such businesses to register with them, subject to a rulemaking process and cost-benefit analysis of the burden it could impose on the industry.” 

The CFPB could also identify CRAs and inform its oversight activities by leveraging information collected by states, the report adds.

Another problem detailed in the report is that while the CFPB enforces and examines CRAs for compliance with consumer protection laws, it does not fully consider data security in prioritizing examinations. 

Specifically, the CFPB enforces compliance with most provisions of FCRA; several provisions of GLBA; and the prohibition of “unfair, deceptive, or abusive acts or practices” under the Dodd-Frank Act, according to Bureau staff. However, it cannot enforce data security standards under these statutory provisions or the FTC’s implementing rules because it does not have authority to supervise or enforce compliance with the GLBA’s safeguards provision or the FCRA’s red flags or records disposal provisions.

The red flags rule requires financial institutions and creditors to implement a written identity theft prevention program designed to detect the “red flags” of identity theft in their day-to-day operations. 

Provisions governing the disposal of information and the red flags of identity theft were carved out of the CFPB’s authority in the final version of the Dodd-Frank Act. 

“Identifying additional sources of information on the population of larger market participant CRAs—including those that are lesser-known, possibly unknown to CFPB, and possibly in possession of large amounts of sensitive consumer information—could help ensure that [the] CFPB has more comprehensive information for carrying out its supervisory responsibilities,” the GAO wrote. “Although [the] CFPB’s examination prioritization incorporates several important factors and sources, the process does not routinely include assessments of data security risk, such as how institutions detect and respond to cyber-threats.”

The CFPB’s reliance primarily on consumer complaints, information from public filings, and information and findings from past examination for prioritizing examinations “may not fully detect data security risks that CRAs pose,” it added. “Consumers likely did not know, for example, about Equifax’s data security challenges prior to its breach, so that vulnerability was not a focus of complaints. While the three nationwide CRAs acknowledged the risk of data breaches in recent public filings, other larger participant CRAs may not be publicly traded and therefore may not have public filings. If [the] CFPB’s past examinations have not addressed data security, the agency cannot use those past examination findings to target current risks.”

CFPB officials, in a formal response, “neither agreed nor disagreed with [the] GAO’s recommendations.”