Developments in Securities Regulation, Corporate Governance, Capital Markets, M&A and Other Topics of Interest. MORE

To fulfill its statutory responsibilities, the CFPB collects large amounts of consumer financial data on credit card accounts, mortgage loans, and other products through one-time or ongoing collections. While the CFPB has taken steps to protect and secure these data collections, GAO determined that additional efforts are needed in several areas to reduce the risk of improper collection, use, or release of consumer financial data.

Areas cited by GAO which need improvement include:

  • Written procedures and documentation: CFPB lacks written procedures and comprehensive documentation for a number of processes, including data intake and information security risk assessments. The lack of written procedures could result in inconsistent application of the established practices.
  • Implementation of privacy and security steps: CFPB has not yet fully implemented a number of privacy control steps and information security practices, which could hamper the agency’s ability to identify and monitor privacy risks and protect consumer financial data.

GAO made 11 recommendations to enhance CFPB’s privacy and information security and 1 recommendation to the Office of the Comptroller of the Currency to ensure its data collections comply with appropriate disclosure requirements. CFPB and OCC agreed with GAO’s recommendations and noted steps they plan to take or have taken to address them.


Stinson Leonard Street LLP provides sophisticated transactional and litigation legal services to clients ranging from individuals and privately held enterprises to national and international public companies. As one of the 75 largest firms in the U.S., Stinson Leonard Street has more than 520 attorneys and offices in 14 cities, including Minneapolis, Mankato and St. Cloud, Minn.; Kansas City, St. Louis and Jefferson City, Mo.; Phoenix, Ariz.; Denver, Colo.; Washington, D.C.; Decatur, Ill.; Wichita and Overland Park, Kan.; Omaha, Neb.; and Bismarck, N.D.

The views expressed herein are the views of the blogger and not those of Stinson Leonard Street or any client.