To fulfill its statutory responsibilities, the CFPB collects large amounts of consumer financial data on credit card accounts, mortgage loans, and other products through one-time or ongoing collections. While the CFPB has taken steps to protect and secure these data collections, GAO determined that additional efforts are needed in several areas to reduce the risk of improper collection, use, or release of consumer financial data.

Areas cited by GAO which need improvement include:

• Written procedures and documentation: CFPB lacks written procedures and comprehensive documentation for a number of processes, including data intake and information security risk assessments. The lack of written procedures could result in inconsistent application of the established practices.
• Implementation of privacy and security steps: CFPB has not yet fully implemented a number of privacy control steps and information security practices, which could hamper the agency’s ability to identify and monitor privacy risks and protect consumer financial data.

GAO made 11 recommendations to enhance CFPB’s privacy and information security and 1 recommendation to the Office of the Comptroller of the Currency to ensure its data collections comply with appropriate disclosure requirements. CFPB and OCC agreed with GAO’s recommendations and noted steps they plan to take or have taken to address them.