U.S. Sen. Mike Crapo, the ranking member of the upper chamber’s Banking Committee, recently received his requested analysis of the Consumer Financial Protection Bureau by the Government Accountability Office, confirming his apprehensions about what the bureau is doing.

Crapo highlighted the GAO’s comprehensive study confirmed the CFPB is collecting financial data on up to 600 million consumer credit card accounts, and that the bureau’s privacy and security controls for data collection should be enhanced to reduce the risk of improper collection, use, or release of consumer financial data. 

The Idaho Republican indicated the report documents CFPB’s large-scale collection of consumer financial data from 2012 through 2014, confirms the existence of personal identifiers in CFPB’s data collections, and raises the concern that CFPB lacks written policies and procedures for data privacy and protection.

“The CFPB’s massive data collection effort is an unwarranted, unwelcome intrusion into the private financial lives of millions of Americans,” Crapo said. 

“This GAO report confirms what the Bureau would not — that it has been collecting information on up to 600 million American financial accounts, and it does not have the proper safeguards in place to protect the information it is collecting,” he continued.

“At a time when data and identity-related crimes are at an all-time high, the last thing the American people need is one more federal agency collecting their private financial information,” he went on to say.

After discovering the CFPB was spending millions of dollars to collect information on millions of Americans’ personal credit card, banking, mortgage and student loan information, Crapo began to raise concerns with the CFPB’s “big data” collection. 

Crapo believes the bureau repeatedly failed to provide sufficient information regarding the data collection, so he went to the non-partisan GAO to investigate, requesting an official review of the CFPB’s data collection efforts.

The senator mentioned five other key findings from the GAO report:

— CFPB has access to account-level credit card data on between 546-596 million consumer accounts on a monthly basis. This represents consumer data covering 87 percent of the credit card market.

— CFPB conducts large-scale collections on consumer financial data, including data with personal identifiers. Data includes one-time and monthly collections on automobile sales, consumer credit report information, credit cards, credit scores, mortgages, student loans and others.

— CFPB lacks written policies and procedures for data privacy.  GAO noted that the CFPB “has not developed standard policies and written procedures to document the practices it uses for anonymizing data, including clarifying how data sensitivity will be assessed.” For example, the CFPB retained sensitive data in two data collections reviewed by GAO, including religious data.

— GAO found weaknesses in the bureau’s ability to assess risks and vulnerabilities associated with data security and protection of consumer financial information. Both the GAO and the CFPB’s Inspector General previously found similar weaknesses in a separate report released last year.

— GAO noted that the CFPB and Office of the Comptroller of the Currency should submit its credit card data collection plan for consultation and approval by the Office of Management and Budget, as required by law.  Without such review, officials indicated CFPB and OCC lack reasonable assurance that these collections are in compliance with the law.

“There are many outstanding questions and concerns following this report,” Crapo said.

“For example, it is still unclear exactly what information the CFPB is collecting, how they are using it, and whether it can be easily reverse-engineered to identify an individual,” he continued. “I consider these to be very serious concerns at the very agency that was supposed to watch out for consumers, not watch them.”