When the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank) was enacted in 2010, one of the obvious goals touted by proponents was increased consumer protection. Yet five years later it is unclear as to whether consumers are indeed better “protected.” Instead, it has become increasingly clear the law’s provision allowing for bulk data collection of consumer information may actually increase risks for those it originally sought to protect.
In addition to the countless number of onerous regulations created under Dodd-Frank, the law also authorized the creation of the Consumer Financial Protection Bureau (CFPB), charged with ensuring consumer protection in the financial market. While consumer protection is a laudable goal, the method the CFPB has employed to do so is raising serious privacy concerns for Americans and lawmakers alike.
As part of the powers granted under Dodd-Frank, the CFPB has been working, in conjunction with the Federal Housing Finance Agency (FHFA), to create a “National Mortgage Database” (NMDB). The NMDB is comprised of borrower-specific information on active mortgages dating back to the late 90’s, and has expanded in recent years to include highly sensitive information on hundreds of millions of American consumers.
While the sheer volume of information being compiled in the NMDB is alarming, the type of information being gathered is taking the idea of government intrusion to disturbing new heights.
As one would expect the NMDB covers basic mortgage related information such as the type, term and sales price of the mortgage. However the NMDB also includes highly detailed information from a borrower’s income and credit history to arbitration case records and account balances. The NMDB even goes so far as to specify information on a borrower’s gender, age and ethnicity.
One of the primary concerns with such massive data collection is the ability of government officials overseeing the project to ensure consumer data is protected. In his 2014 testimony before the House Financial Services Committee, CFPB Director Richard Cordray attempted to reassure lawmakers that although the varying information collected in the NMDB is aggregated, the data is void of “personal identifiers.”
Yet despite Director Cordray’s statements, many lawmakers in Washington are not convinced. In a letter sent to Director Cordray in June by Senators Tim Scott (R-SC) and Mike Crapo (R-ID), and signed by 22 other Senators, the CFPB’s ability to protect the data being collected was called into question.
The letter states, “We are gravely concerned by the CFPB’s inability to confirm that the massive amount of data it collects and stores could not be reverse-engineered and traced back to one of our constituents.” The letter goes onto cite a recent study by the Government Accountability Office (GAO) that discovered numerous deficiencies with data security at the CFPB.
The GAO report highlighted two key deficiencies with the CFPB’s ability to ensure the data contained in the NMDB is protected. The report found the “CFPB lacks written procedures…for a number of processes, including data intake and information security risk assessments” that could result in inconsistent application of security practices. The GAO further found the CFPB has not “fully implemented a number of privacy control steps and information security practices, which could hamper the agency’s ability to identify and monitor privacy risks and protect consumer financial data.”
Given the recent IRS data breach where identity thieves stole over 100,000 taxpayer records, and the breach at the Office of Personnel Management (OPM) where the personal data of four million federal employees was stolen, the GAO’s findings are especially concerning. The irony is that by creating the CFPB and empowering the Bureau to collect and compile an exorbitant amount of sensitive financial data, the Dodd-Frank Act may have actually increased the financial risks for those it originally sought to protect.
With the plethora of privacy concerns facing the CFPB ‘s National Mortgage Database, American consumers and lawmakers should be asking what, if anything, is really being “protected” by this overly intrusive policy, aside from the bureaucratic status quo.