On September 25, the Consumer Financial Protection Bureau issued a report on its sources and uses of data. This report was followed by a Request for Information regarding its data collection practices, published in the Federal Register on September 28. In some respects, both documents are a follow-up to Acting Director Mick Mulvaney’s December 2017 order to CFPB staff to cease collecting personally identifying information, pending a review of and improvements to the Bureau’s overall data security systems.

The Dodd-Frank Act states that the CFPB “shall seek to implement and … enforce Federal consumer financial law consistently for the purpose of ensuring that all consumers have access to markets for consumer financial products and services and that [those markets] are fair, transparent, and competitive.” The CFPB regularly obtains data about consumers to fulfill these statutory functions and obligations and its data collection practices under the leadership of former Director Cordray had been the subject of strong criticism from Republican lawmakers.

The 199-page report describes the sources and uses of data collected, as well as the processes governing the intake, use, access, and disclosure of any data by the Bureau. Appendix B to the report includes a list of the Bureau’s 188 data collections to date from public sources, government agencies, commercial vendors, financial institutions, and consumers. The list generally does not include data collections from consumers on a voluntary basis, such as through focus groups, one-on-one interviews, or user testing. Contained in the report’s Appendix C is a list of the Memoranda of Understanding between the Bureau and other agencies that address the sharing of data. 81 different governmental and quasi-governmental agencies are named in the list.

During its review of its data security systems, the CFPB signed an interagency agreement under which the Department of Defense provided risk assessment services to identify potential gaps in the Bureau’s cybersecurity controls. The Bureau concludes in the report that its security protocol is currently “well-organized and maintained” with no critical issues found.

The CFPB is now seeking public input regarding the overall effectiveness and efficiency of the Bureau’s data collection practices. It is asking the public to provide comments on aspects of its data collection program, such as:

• The sources, uses, and scope of information the Bureau collects;

• Ways the Bureau should or should not reuse data collected for one purpose to inform the other functions of the Bureau;

• Ways to reduce the burden on future furnishers of information;

• Activities the Bureau could engage in to make data collections from financial institutions more effective and efficient; and

• Other changes that may assist the Bureau to more effectively meet its statutory purpose and objectives.

Public comments are due to the CFPB by December 27, 2018.