ARLINGTON, Va.–NAFCU has sent a letter to the CFPB offering input on the agency’s data collections and internal data governance policies.
While praising the Bureau’s report, “Sources and Uses of Data at the Bureau of Consumer Financial Protection”, NAFCU said it believes more can be done to alleviate consumer privacy risks.
As an initial matter, NAFCU said it recommends the Bureau quickly resolve the findings of the Bureau’s Office of the Inspector General (OIG), which has identified weaknesses in internal access controls.
“While the OIG’s 2018 Audit of the Bureau’s Information Security Program shows that the agency is generally performing at a higher cybersecurity maturity level relative to previous years, NAFCU remains concerned with the OIG’s observation that access to one of the Bureau’s internal collaboration tools, which contains sensitive, personally identifiable information (PII) regarding consumers, was not restricted to individuals with a need to know,” the trade group wrote.
NAFCU called on the CFPB to implement the OIG’s recommendations as quickly as possible.
“Furthermore, documented weaknesses in access restrictions since 2017 should prompt a general scaling-back of existing data collections, particularly when the agency has yet to resolve issues regarding incomplete inventories of PII,” NAFCU said. “As the 2018 audit notes, incomplete inventories of PII that the Bureau is collecting or handling, and uncertainty regarding who within the Bureau is responsible for the security of the data, where the information is stored, and whether a privacy impact assessment is required, are all open issues.”
Other Recommendations
NAFCU added it further believes that the Bureau should limit its current data collection efforts to the minimum required by statute in order to offset risks to consumer privacy, which might expose credit union membership to a heightened risk of fraud.
In the letter, NAFCU also:
- Urged the Bureau to limit public disclosure of HMDA data to mitigate privacy risks to credit union members.
- Urged the Bureau to reevaluate agency policies that govern the collection and publication of consumer complaint information received through the Consumer Complaint Database.