Notice and Request for Information, Bureau Data Collections [Docket No. CFPB-2018-0031]
Re: Notice and Request for Information, Bureau Data Collections, 83 Fed. Reg. 49,072 (Sept. 28, 2018) [Docket No. CFPB-2018-0031]
Dear Director Kraninger:
The American Bankers Association (ABA) appreciates the opportunity to comment on the Bureau of Consumer Financial Protection’s (Bureau) request for information on the overall efficiency and effectiveness of the Bureau’s data governance program and its data collections. We welcome another opportunity to comment through the Request for Information (RFI) process on the Bureau’s policies and procedures. This process has provided a transparent, efficient, and timely opportunity for all of those affected by the Bureau’s work to help the Bureau identify how it might improve the way it carries out its important mission.
ABA’s goal throughout the RFI process has been to provide constructive feedback on the Bureau’s policies and procedures. Our intent is that the Bureau implement programs and policies that are transparent, fully consistent with the law, and are focused on promoting the interests of financial consumers in enjoying a strong, vibrant, and innovative market that offers the variety of financial products and services that consumers want.
We support the decision to examine the Bureau’s collection, use, and storage of data. The Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act) gave the Bureau enormous authority and power over retail financial products, banks and others that provide these products, and therefore over the people who use these products. That authority includes sweeping power to demand data and other information of the entities it supervises. Because the Bureau’s power to collect data is so broad, it is essential that the Bureau operate transparently in its collection and use of those data. We support the actions of your immediate predecessor, Acting Director Mulvaney, to increase accountability and transparency in the Bureau’s activities, and we offer the following recommendations that build upon his work.
We urge the Bureau to adopt safeguards to ensure that it does not use its authority to order the production of data that is overly broad, voluminous, or duplicative. These safeguards should include (a) an assessment of the benefits of obtaining the data as compared with the costs to regulated entities, other businesses, and consumers of providing the data; (b) consideration of whether the information sought could be obtained from another source more efficiently and with less cost; and (c) an assessment of whether the demand is narrowly written to obtain only the information and data the Bureau needs.
We also encourage the Bureau to exercise care when considering “reusing” data—i.e., using data collected for one purpose for a second, separate purpose. Although the reuse of data can reduce regulatory burden, the Bureau should exercise care to ensure that doing so does not compromise attorney-client privilege.
The data that the Bureau collects under its authorities play an important role in nearly every aspect of the Bureau’s operations, particularly the Bureau’s rulemakings. However, because much of these data are collected under the Bureau’s supervisory authority, the Bureau withholds from the public the data collected, limiting the public’s ability to evaluate, and where appropriate challenge, the Bureau’s findings and policy decisions. To promote transparency and accountability, we urge the Bureau to make available to the public anonymized, de-identified data relied upon in its policy-making.
We also urge the Bureau to improve its accountability and transparency through faithful compliance with the Paperwork Reduction Act of 1995 (PRA) and long-standing directives from the Office of Management and Budget’s Office of Information and Regulatory Affairs (OIRA) interpreting the PRA. Too often under prior leadership, the Bureau contravened the PRA and OIRA’s directives by improperly using the “generic clearance process,” which permits an agency to limit public review. Despite OIRA’s clear statement that the generic clearance process should be used only when the collection is non-substantive in nature, the Bureau frequently used this process to obtain approval for collections that raise substantive or policy-related issues without providing notice to the public or seeking comment.
In addition, because the Bureau’s vast data collections—particularly the detailed, loan level mortgage data it collects—are an attractive target for hackers, we encourage the Bureau to implement recommendations made by the Office of Inspector General for the Federal Reserve System (IG) to address the vulnerabilities in the Bureau’s information security program. The Bureau should take seriously the privacy concerns raised by the IG and the significant risk that individual consumer data that the Bureau releases publicly in de-identified form can be re-identified.
These reforms will promote efficiency, transparency, and accountability. The Bureau will be encouraged to evaluate and weigh the burdens imposed by its data gathering against the likely value of the information to be gained. In addition, the reforms will facilitate meaningful public engagement with the Bureau’s collection and use of data, which, in turn, will promote public discourse that results in improved policy making.
In support of its duty “to monitor for risks to consumers” in markets for consumer financial products or services, Congress gave the Bureau broad authority, under Section 1022 of the Dodd-Frank Act, “to gather information . . . regarding the organization, business conduct, markets, and activities” of any person that offers or provides a consumer financial product or service, or any service provider to such company. Accordingly, the Bureau may “require covered persons and service providers . . . to file with the Bureau . . . annual or special reports, or answers in writing to specific questions” regarding the topics listed above.
With this broad authority, the Bureau has demanded information and data from regulated entities on 13 occasions, according to the report the Bureau released simultaneous with this request for information. In several instances, the information and data requested were voluminous. These include the following:
Although recipients of a Section 1022 order sometimes seek to negotiate the scope of the order with the Bureau, the recipient ultimately has little, if any, leverage to narrow the order’s scope. Recipients of a Section 1022 order that did not maintain the data in the form the Bureau demanded had to incur significant expense to generate the data requested.
We urge the Bureau to adopt a policy (after giving the public the opportunity to comment) to govern its use of Section 1022 orders to promote accountability, efficiency, and fairness in the Bureau’s exercise of its market monitoring responsibilities. First, prior to issuing an order under Section 1022, the Bureau should assess the benefits to the Bureau of the information demanded as compared with the costs that will be incurred by the order’s recipient(s) to produce that information. Such an internal analysis would be consistent with Director Kraninger’s goal to make “robust use of cost benefit analysis” and could be modeled after the cost benefit analysis that is required to be conducted when the Bureau prescribes a rule. The Bureau should also consider whether the information sought could be obtained from another source more efficiently and with less cost.
Moreover, when preparing a Section 1022 order, the Bureau should consider whether the order is narrowly written to obtain only the information that the Bureau needs to fulfill its market monitoring responsibilities and to obtain that information in the least burdensome way possible.
The order should be prepared by Bureau personnel who have experience with the line of business and are knowledgeable about (and respectful of) the systems that banks and other financial institutions use to store and report data in that line of business. When the Bureau demands information from multiple institutions, it should consult with the recipients and modify the data requests as necessary to ensure that the data are reportable by all institutions regardless of the institution’s core processing system. Although we understand that the Bureau may engage with the recipient on the scope of a Section 1022 order, such engagement varies considerably based on the Bureau personnel involved with the matter. A process analogous to a “meet and confer” should be formalized in the Bureau’s policy and required of Bureau staff when issuing a Section 1022 order.
In addition, the policy should provide due process protections for recipients of a Section 1022 order. Unlike federal law governing subpoenas—which provides authority for the recipient to ask a court to quash or modify the subpoena—Section 1022 does not provide a formal process to challenge or limit the breadth of the order. The Bureau should create such a process; it would encourage Bureau staff to limit the information demanded to that which the Bureau needs to fulfil its market monitoring responsibilities.
The Bureau’s authority under Section 1022 to demand information from the entities it supervises is one of several authorities the Bureau possesses to demand data from financial institutions. Under the Dodd-Frank Act, the Bureau has broad powers to demand data from the institutions it supervises and, when it suspects wrongdoing, from any entity that the Bureau believes has information relevant to the alleged violation of consumer financial law, through its power to issue a Civil Investigative Demand. These powers are expansive; as with Section 1022 orders, the Bureau should exercise constraint and not order the production of data that is overly broad, voluminous, or duplicative.
As described more fully in ABA’s comment letter on the Bureau’s RFI on its supervision program, our members report that Bureau examiners demand data that they do not use, creating unnecessary expense, wasting both Bureau and bank resources, and frustrating bank compliance staff who must devote time to responding to the demands. Banks also reported that the initial requests may be followed by one or more supplemental requests, often for data that the bank has provided already. Overly tight deadlines for responding to these supplemental requests are not uncommon.
Banks have also expressed frustration that the Bureau and the prudential regulators do not coordinate data demands, frequently resulting in the agencies’ demanding the same information but in different formats. Banks are then obliged to reformat the data, expending significant time and cost.
Although banks’ recent examination experiences have generally been more positive than earlier experiences, there is a continuing need for tailoring of examination data and information demands. Many of our recommendations for reform of the Bureau’s use of Section 1022 orders apply to the data demands that the Bureau makes during the supervisory process. Specifically, the Bureau should assess the costs and benefits of any data demanded in connection with an examination prior to issuing the demand, consider whether the data sought could be obtained from another source more efficiently and with less cost, and (if the Bureau decides to proceed with the demand) consider whether the demand is narrowly written to fulfill its supervisory responsibilities and to obtain the data sought in the least burdensome way possible.
The Bureau should also exercise extreme care when contemplating issuing a Civil Investigative Demand (CID). As described more fully in ABA’s comment letter in response to the Bureau’s RFI on CIDs, these demands result in enormous cost and disruption to the entity that receives the demand, which often must expend thousands of hours in employee time and incur significant legal fees to retain outside counsel to respond to the CID. The Bureau should issue a CID only as a last resort, after the Bureau’s Supervision staff has sought the information demanded, and after carefully considering the benefits that would be provided by that information weighed against the burdens that would be imposed on the recipient of the order. The Bureau should also be more flexible on agreeing to modifications to CIDs and extensions of time for the recipient to comply with the demand.
The Bureau acknowledges that data collected for one purpose (e.g., supervision or enforcement) has been reused by the Bureau for other purposes, such as rulemaking. On the one hand, the “reuse” of data can reduce regulatory burdens; however, each time the Bureau considers reusing data, it should exercise care to ensure that the data can properly be reused.
For example, as described in ABA’s comment letter on CIDs, when the Bureau decides to move a matter from its Office of Supervision to its Office of Enforcement, Enforcement should not require the entity to reproduce the record it has already produced pursuant to a supervisory request. Instead, Supervision and Enforcement should coordinate to have the appropriate documents transferred between offices. Importantly, the Bureau should ensure that Enforcement does not receive privileged materials that the entity may have shared with Supervision. Such materials are not available to Enforcement when it initiates an investigation and should not be available to Enforcement when it inherits documents.
When the Bureau is considering reusing data collected by Supervision or Enforcement in rulemaking, it should take care that the source and breadth of the data fully and accurately reflect the market that the Bureau seeks to regulate. In addition, when the Bureau seeks to aggregate data collected from multiple entities, it should ensure that the data collected are properly aggregable. For example, entities could interpret a demand for “foreclosure date” to mean different points in time in the foreclosure process. Consequently, the Bureau must be specific in its demands if it seeks to aggregate data received from multiple entities.
The Administrative Procedure Act mandates that an “agency shall give interested persons an opportunity to participate in the rule making through submission of written data, views, or arguments . . . .” However, past Bureau practices have undermined the public’s ability to provide feedback on the Bureau’s data collections and to comment on the conclusions the Bureau drew from that data, which significantly limited the public’s ability to participate meaningfully in the Bureau’s rule making processes.
The Bureau acknowledges that it relies heavily on the data it collects through its supervisory authorities to support the policy decisions it makes through its rulemakings. However, the Bureau does not provide access to these data, even in anonymized, de-identified form. Without access to data in this form, the public is largely unable to review and, as appropriate, challenge the Bureau’s conclusions, limiting opportunities for informed public discourse that improves policy-making.
A primary barrier to public access to the data the Bureau collects is the agency’s application of its privacy regulation (Disclosure Rule) to data collected under Section 1022 of the Dodd-Frank Act. In the Disclosure Rule, the Bureau defined as “confidential supervisory information” any data or information gathered pursuant to a Section 1022 order. This permits the Bureau to publish findings and conclusions about the data, but significantly limits the public’s ability to review and evaluate the data and comment on the Bureau’s findings. A broad range of conclusions can be drawn from a single dataset. Without access to anonymized, de-identified data, the public is unable to evaluate the Bureau’s conclusions and policy choices.
For example, the Bureau used its authority under Section 1022 to demand overdraft-related data from a group of large banks (each with assets exceeding $10 billion). According to the Bureau, the data are representative of the more than 40 million consumer accounts held at the banks studied. On three occasions (2013, 2014, and 2017), the Bureau published analyses of the data it collected, in reports ranging from 23 to 72 pages in length. Each analysis presented selected data points. For example, the 2014 report presented the median amount of a transaction paid into overdraft but omitted other data points that could be viewed as more illuminating to policymakers and the public—namely, the mean amount of a transaction paid into overdraft. Because the Bureau did not disclose the anonymized, de-identified data, the validity of the Bureau’s data findings could not be reviewed—let alone tested—by the public.
By contrast and in illustration of the point, in completing the statutorily required study of arbitration agreements, the Bureau published significantly more data. The Bureau published a 728-page report that included the total number (and payout amount) of class action settlements it reviewed and the total number of class members in those settlements. From these data, the public, including ABA, could calculate the average recovery provided to members who participated in class actions. The report also provided the average and median grants of relief on claims that were resolved through arbitration. Based in part on these data, ABA and others—including Congress—were able to challenge the basis for the Bureau’s policy decision to prohibit class action waivers.
As ABA has expressed on many occasions, the Bureau should provide access to the anonymized, de-identified data used in support of the Bureau’s rulemaking and adequate time for the public to evaluate and comment on the research. By doing so, the Bureau will clearly demonstrate its commitment to the rigorous, fact-based analysis that the Dodd-Frank Act requires. Non-confidential, non-proprietary data should be publicly disclosed, assuming such disclosure does not conflict with consumers’ privacy interests. When the Bureau relies on data that were provided by a financial institution in confidence (such as in a supervisory or enforcement context) or that is otherwise proprietary, the Bureau should consult with the institution to determine how to provide public access to those data.
Data should be anonymized and de-identified with respect to both the entities providing the data and the individual consumers whose data are reported. The Bureau should also exercise care to ensure that the data are not reasonably capable of being re-identified. Because of the importance of the de-identification process, the Bureau should seek public comment on the process it will use to de-identify and anonymize data it publishes.
Under past leadership, the Bureau avoided public scrutiny of its data collection efforts by making extensive and impermissible use of the Paperwork Reduction Act’s (PRA) “generic clearance” process. Typically, the PRA requires a Federal agency to provide two opportunities for public comment when seeking to conduct a survey or other data collection involving 10 or more entities. This requirement advances the PRA’s purpose to maximize a collection’s utility and benefit to the public by affording the public the opportunity to comment on the collection’s methodology and any other issues raised by the collection.
The Office of Management and Budget’s Office of Information and Regulatory Affairs (OIRA), the agency charged with PRA compliance oversight, permits a government agency to use a more streamlined and expedited PRA review process, the “generic clearance process,” if the collection does “not raise substantive or policy issues.” In these instances, once the agency provides opportunities for public comment on a broad collection topic (the generic clearance), and OIRA grants its approval, subsequent individual surveys made under that generic clearance may be “reviewed on an expedited basis and are generally not required to undergo further comment.” OIRA has provided three examples of non-controversial, non-substantive information collections that are appropriate for this expedited review: “customer satisfaction surveys, focus group testing, and website usability surveys.”
Under former Director Cordray, on multiple occasions the Bureau used the generic clearance process to avoid public scrutiny of proposed information collections involving substantive policy matters. For example, in 2011, the Bureau obtained a generic clearance for the “Development and/or Testing of Model Forms, Disclosures, Tools, and Other Similar Related Materials.” The Bureau conducted 13 information collections under this generic clearance, on the following topics: prepaid products, mortgage origination and servicing, debt collection, credit card rewards, overdraft, and small dollar lending. Each of these topics had been the subject of active or expected rulemaking; however, for all but one of the collections, the Bureau certified, “Information gathered will not be used for the purpose of substantially informing influential policy decisions.” To our knowledge, the Bureau did not provide notice to the public or seek comment on any of these collections.
There are strong policy reasons why a generic clearance is an inappropriate mechanism for collecting information on a substantive or policy issue. The prohibition ensures that the public can provide feedback on any collection that may be relied upon for rulemaking or other policymaking, thereby maximizing the utility of information collected and promoting “accountability[] and openness in Government and society.” Methodological decisions—such as the number of frequent users of the financial product or service being studied and how survey questions are phrased—significantly impact the data generated. However, as stated above, once OIRA approves a generic clearance request, individual collections within the generic clearance are reviewed on an expedited basis and generally without public comment. Therefore, it is critical that use of the generic clearance process be limited to the types of collections identified in OIRA’s guidance, namely “voluntary, low-burden, and uncontroversial collections,” including “methodological testing, customer satisfaction surveys, focus groups, contests, and website satisfaction surveys.”
To prevent future improper use of the generic clearance process, the Bureau should provide notice to the public whenever it requests approval, under a generic clearance, of an individual information collection on a topic of a current or likely future subject of rulemaking. It is plausible that the Bureau may believe that a requested collection concerns an issue that is non-substantive and not related to policy, even though the subject of the request is listed on the agency’s rulemaking agenda. In cases such as these, public notice of the request would provide members of the public who disagree with the agency’s assessment of policy relevance with an opportunity to comment on the proposed collection.
More broadly, we encourage the Bureau to respect the PRA’s intent that the public receive notice and opportunity for comment when an agency seeks to collect information from the public. Under prior leadership, the Bureau made requests for data to nine large banks on one occasion in 2012, and to fewer than 10 large credit card issuers on another occasion in 2014, for no apparent reason other than to avoid PRA requirements. There may be times when the Bureau needs information from only nine (or fewer) entities to fulfil its responsibilities; such decision should be driven by the purpose of the collection request, not by a desire to avoid application of the PRA to the request.
The Bureau collects vast amounts of data through its supervisory, enforcement, rulemaking, and other statutory authorities. Two of these large-scale data collections—the Home Mortgage Disclosure Act (HMDA) and the National Mortgage Database—include detailed, loan level (and in the case of the National Mortgage Database, borrower-specific) information, making them an attractive target for hackers. Data breaches in the private and public sector have resulted in millions of consumers having their privacy invaded and exposed to financial fraud. To protect consumers, it is incumbent that the Bureau maintain the highest level of data security.
Recent reports by the Office of Inspector General for the Federal Reserve System and Bureau of Consumer Financial Protection (IG) have described continuing vulnerabilities in the Bureau’s information security program. In its 2018 annual independent audit of the Bureau’s information security program, the IG evaluated the Bureau’s program as operating overall at a level “3” on a scale of “1” to “5.” The IG issued specific recommendations for the Bureau to strengthen its information security program in the areas of configuration management, identity and access management, and data protection and privacy. We encourage the Bureau to implement the IG’s recommendations expeditiously.
Further, we underscore the importance of protecting consumer privacy. As we have written on several occasions, the Bureau’s use of “proposed guidance” to address the risk to consumer privacy presented by the expanded HMDA data contravenes the Dodd-Frank Act. The proposed balancing of risk to consumers with the perceived benefits of public disclosure fails to consider adequately real threats to consumer privacy. Research has shown that re-identification is already highly possible, even using only the current public HMDA data. It becomes a virtual certainty with the new data. We urge the Bureau to withdraw its proposed guidance and issue a formal rulemaking that is compliant with the Administrative Procedure Act (APA). Moreover, to guard against invasions of privacy, identity theft, and fraud, the Bureau should disclose the new 2018 data only in aggregate form, carefully designed to protect the privacy interests of individual consumers.
The Bureau’s request for information also seeks comment on “[n]otice to consumers regarding use of data known to be related to them.” To the extent that the Bureau believes that consumers should receive information regarding the Bureau’s use of their data, the Bureau—not a bank or other financial institution—should provide the notice. If the Bureau provides such notice, it should explain that entities it supervises or regulates may be required to report information, including sensitive customer information, to the Bureau; that consumers cannot decline to have their data provided (“opt out”); and that the Bureau has sole responsibility for the protection of the data once the Bureau receives it.
ABA appreciates the opportunity to comment on the Bureau’s data collections and data governance program. We urge the Bureau to reform its use of Section 1022 by seeking more targeted data and by providing recipients of a Section 1022 order with an opportunity to respond to the order. More broadly, we urge the Bureau to ensure that it does not use any of its statutory authorities to order a production of data that is overly broad, voluminous, or duplicative. We also urge the Bureau to make available to the public the anonymous, de-identified data the Bureau collects under its supervisory authority, so that the public can meaningfully engage with the Bureau’s conclusions regarding those data and with the policy decisions that emanate from those data. We also urge the Bureau to adhere to the PRA’s requirements, as interpreted by OIRA, and not to collect information using a generic clearance unless the collection is non-substantive in nature and not policy-related. In addition, we encourage the Bureau to continue to evaluate and remediate its data security vulnerabilities in light of the October 2018 report by the Federal Reserve’s IG and to protect consumer privacy by withdrawing its proposed HMDA guidance and issuing a formal rulemaking that is compliant with the APA.
Sincerely,
Jonathan Thessin
Senior Counsel, Center for Regulatory Compliance