Re: Proposed CFPB Auto Finance Data Collection
Dear Chairman Brown, Ranking Member Scott, Chairman McHenry, and Ranking Member Waters:
The undersigned trade associations (the Associations) write to express our concerns about the Consumer Financial Protection Bureau's (CFPB) proposed information collection on auto lending. The Associations represent a significant segment of the American vehicle finance industry, which facilitates access to fair and cost-effective vehicle ownership for millions of Americans. As described below, the CFPB proposes to collect annually more than 120 data points about each loan from 4,000 auto lenders. We believe the extensive nature of this multi-faceted information collection is beyond the CFPB's statutory authority, encroaches upon personal privacy boundaries of millions of Americans, and violates several provisions of the Paperwork Reduction Act (PRA) and Section 5512 of the Dodd-Frank Act.
By way of background, in February 2023, the CFPB began collecting detailed, loan-level data on auto lending and servicing from nine lenders (the Pilot). In January 2024, the CFPB requested approval from the Office of Management and Budget as required by the PRA to collect this information annually, effectively expanding the Pilot to 4,000 lenders – those that make at least 20,000 auto loans a year. Like the Pilot, the new data collection would require collection and reporting of more than 120 data points on every loan. These data points include the borrower's zip code, income frequency, military status, loan amount, and dealer compensation, among others. The CFPB also proposes to collect limited information about repossessions and loan modifications for lenders originating between 500 and 20,000 auto loans. The consumer groups are encouraging the CFPB to require the exact same amount of data from small entities as from large ones.
For this massive data collection, the CFPB has offered no justification other than an assertion that it needs the data to monitor the market for risks to consumers. As explained in the comment letter submitted by financial services trades, the CFPB's proposed information collection grossly exceeds its statutory authority and jeopardizes consumers' privacy. In fact, several consumer groups are asking the CFPB to not only publish all the data collected, but also consider ways to collect data about consumer demographics, including race, ethnicity, age, gender, and other characteristics.6 The Bureau's proposal also completely fails to recognize and justify the immense paperwork burden on lenders and otherwise contravenes numerous congressionally mandated prerequisites of the PRA.
The CFPB asserts its market monitoring authority in the Dodd-Frank Act7 authorizes this broad information collection. However, Congress authorized the CFPB to engage in market monitoring only to support its rulemaking and other specified functions. Congress did not give the CFPB boundless authority to requisition information from covered persons. Indeed, Congress typically mandates extensive data collections through express statutory authorization, such as the Home Mortgage Disclosure Act (HMDA), and Dodd-Frank's Section 1071, which authorize the collection of data on mortgage and small business lending respectively. Notably, Congress amended HMDA, and added Section 1071, in the same legislation in which Congress authorized the CFPB to monitor markets in support of its specific functions. It is improbable that Congress intended for the CFPB's market monitoring function to result in this massive data collection for auto lending, which would require far more data points than HMDA or Section 1071.
The proposed data collection would also amass a vast array of sensitive personal financial data on millions of Americans, infringing upon their personal privacy rights. While the CFPB instructs companies reporting data to exclude consumers' names and addresses, the granularity of the aggregated data introduces significant reidentification risk, threatening the privacy of millions of Americans. Consumers seeking financing for the car they need to get to work should not have to put their personal privacy at risk.
In addition, the CFPB has failed to show that the information collection is necessary for the agency's function, has practical utility, avoids unnecessary duplication, and minimizes the burden on individuals providing information, particularly small entities. The agency's PRA estimate asserts that respondents would only need to spend 20 minutes collecting and reporting more than 120 data points on each loan. Based on a small survey among our members, however, the CFPB's estimate is off by a magnitude of at least 3,000 hours. This is just one example of the CFPB's failure to comply with the PRA; others are discussed in the financial trades' comment letter responding to the PRA request.
We urge Congress to exercise its oversight authority and require the CFPB to comply with the Dodd-Frank Act and the PRA. Specifically, we urge Congress to require the CFPB to address the authority and privacy concerns outlined in this letter. We recommend that, during Director Chopra's the spring semi-annual appearances before your committees, that the committee inquire, either during the hearing or through subsequent written queries, about: (1) the CFPB/s authority for conducting the proposed information collection, (2) how the CFPB intends to mitigate the consumer privacy risks stemming from this data collection, and (3) the estimated burden associated with compliance, accompanied by supporting documentation.
Thank you for your consideration regarding this important issue.
Sincerely,
American Bankers Association
American Financial Services Association
America's Credit Unions
Consumer Bankers Association
National Automobile Dealers Association