In recent years the practice of bulk data collection by government agencies has been a point of heated contention in American politics. While most are familiar with security related data collection by the NSA, most Americans are completely unaware that their personal financial data is now a primary target for government collection, which is exactly how the Consumer Financial Protection Bureau (CFPB) likes it.
As part of the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank), the CFPB has been building a “National Mortgage Database” (NMDB) and stockpiling the financial records of millions of Americans. The data being compiled ranges from information on consumer’s credit card transactions, credit scores, loans, and even a borrower’s gender and ethnicity.
At a recent hearing on Capitol Hill the House Oversight and Investigations Subcommittee examined the CFPB’s bulk data collection practices, and the discussion yielded only more questions about the Bureau’s ability to ensure the safety of the personal financial data they are collecting.
Testifying before the subcommittee, former Speaker of the House Newt Gingrich attributed his concerns over the CFPB’s practices to the way the Bureau is structured. Speaker Gingrich explained that in structuring the CFPB under Dodd-Frank, Congress “gave up two of its core Constitutional powers for reining in executive branches,” both of which allow the Bureau to operate with limited oversight and accountability.
Gingrich pointed to the fact that the CFPB is not subject to the annual Congressional appropriations process, and the Director of the CFPB can only be removed by the President, and even then under very limited circumstances. “This means the Bureau is free to do whatever it wants within the broadest imaginable interpretation of its authority, without fear of losing its funding or its leadership”, Gingrich stated.
Concerns over the CFPB’s lack of accountability and oversight were echoed by others testifying before the subcommittee, with Wayne Abernathy of the American Bankers Association saying, “what is missing … is effective oversight of the Bureau’s exercise of this authority.” Due to a lack of oversight, as Mark Calabria of the Cato Institute testified, “the manner and extent of the CFPB’s data collection program goes far beyond what’s required under the Dodd-Frank Act.”
Proponents of bulk data collection on the subcommittee argued that the CFPB’s actions are no different than the DMV collecting driving records or Target collecting consumer data. However this argument fails for one simple reason, which proponents on the subcommittee conveniently overlook…consent. When a person applies for a driver’s license or makes a retail purchase with a credit card there is implied and understood consent to those entities holding a record of that transaction.
Conversely, the CFPB does not ask nor publicize their data collection, they just take, with little regard for privacy or safety. As Speaker Gingrich put it, “these secretive and intrusive data-gathering operations are taking place without consumers’ knowledge and without the ability for consumers to opt-out.”
One of the primary concerns with the CFPB’s bulk data collection is that the inherent lack of oversight and accountability may actually increase consumer risks due to the growing threat of data breaches. For instance, the recent IRS data breach where over 100,000 taxpayers were exposed, or the OPM breach where the personal data of four million federal employees was stolen. For hackers, the CFPB’s records could yield a treasure trove of consumer financial data.
Speaking at the hearing Rep. Mia Love (R-Utah) stated that opponents of the CFPB’s efforts need to “give a fair warning to the American people that if we continue to allow this to happen the only people that are at risk are them, the American people.” Taken together the CFPB’s bulk data collection and ability to continuously expand its reach into the private lives of financial consumers unfettered by Congress, could be a recipe for disaster as Orwellian policies collide with 21st century cyber threats.