June 01, 2018

CFPB lifts data collection hold

CFPB headquarters

CFPB Acting Director Mick Mulvaney yesterday announced that the bureau would begin collecting personally identifiable information after a six-month hold on the practice. Mulvaney put the hold in place because of cybersecurity concerns.

In a letter to Mulvaney in January, NAFCU President and CEO Dan Berger applauded the bureau "for initiating a thorough review of the CFPB's data security systems and freezing collection of personally identifiable information until weaknesses are addressed."

"NAFCU hopes that the CFPB's renewed commitment to strengthening its data security will address these problems and mitigate privacy risks associated with the unprecedented scope of [Home Mortgage Disclosure Act (HMDA)] data collection," Berger wrote.

Mulvaney, in an email to staff Thursday, said that an independent review by outside experts revealed "externally facing Bureau systems appear to be well-secured." During a Senate Banking Committee hearing in April, Mulvaney had noted a large number of lapses (not necessarily breaches) where sensitive information from the bureau was released. He also indicated that the CFPB will release a report soon regarding its data collection.

The CFPB's strategic plan for 2018-2022 included an objective to "safeguard the bureau's information and systems" by maintaining a strong cybersecurity program and bringing its IT investments in line with federal security standards and priorities.

NAFCU continues to be a leader in calling for a national data security standard, and has urged the CFPB to pull back its HMDA data collection points in order to protect borrower privacy.