OIG Report Looks at CFPB Internal Sharing of Complaint Data
The Office of Inspector General for the CFPB (and the Fed) recently issued a report on its evaluation of the Office of Consumer Response’s sharing of complaint data within the CFPB.
As background, the report describes the tools available to Bureau users of complaint data (complaint-sharing tools) to search such data, identify issues, and summarize data, and also describes Consumer Response’s process for approving access to these tools.
Based on its analysis of 2017 data, the OIG found that Supervision, Enforcement, and Fair Lending (SEFL) accounted for the largest portion of complaint-sharing tool users and tool activity, consisting of searches and requests for internal complaint reports. Based on interviews of 17 SEFL users, the OIG learned that 94 percent of them relied on internal complaint data for their work, with 82 percent reporting use of complaint data for supervisory activities, 59 percent for research, 12 percent to support legal actions, and 6 percent to support preparation of products such as internal memoranda and public reports.
Other OIG findings and related recommendations included the following:
While Consumer Response provided robust and effective training on the use of complaint-sharing tools to SEFL users, it provided fewer training opportunities to users in other Divisions, such as those in Research, Markets and Regulations. The OIG recommended that Consumer Response increase its outreach to other Divisions to identify their need for complaint data and develop targeted training. Consumer Response indicated that such efforts were underway.
The OIG found that Consumer Response’s practices for approving access to the complaint-sharing tools, some of which allow access to consumers’ personally identifiable information (PII) or other sensitive information, were not aligned with its documented procedures or otherwise raised concerns that access was not being properly restricted. The CFPB’s Information Security Program Policy provides that users of complaint-sharing tools are to be granted only the access privileges needed to perform their job functions and that access privileges should be reviewed at least annually and adjusted as appropriate to prevent unauthorized or unintentional disclosure. The OIG also found that Consumer Response was not regularly assessing whether users needed continued access to complaint-sharing tools. It recommended that all users of tools that allow access to PII have supervisory approval, that Consumer Response take other steps to limit users’ access to the data they need to perform their job functions, and that documented processes and procedures be established for evaluating whether continued access is needed. Consumer Response indicated that it had begun taking actions responsive to these recommendations.