In mid-April, before scandals of mass surveillance and political targeting burst on the scene, Bloomberg News published a story headlined, “U.S. Amasses Data on 10 Million Consumers,” which told of a government entity “gearing up to monitor how millions of Americans use credit cards, take out mortgages and overdraw their checking accounts.” The head of this government entity proudly calls its project “Big Data.”
Does this sound like the NSA, CIA, FBI, or TSA? It’s none of those and not even an agency remotely connected to fighting terrorism. This huge government data-mining program is the product of the Consumer Financial Protect Bureau (CFPB), which was created by the Dodd-Frank “financial reform” law of 2010, supposedly to protect consumers from “predatory” financial products.
The story received little attention, until recently. In a letter to CFPB director Richard Cordray last week, David Hirschmann, head of the U.S. Chamber of Commerce’s Center for Capital Markets Competitiveness, describes the CFPB’s data collection regime bluntly. “We understand that the Bureau is directing at least some credit card issuers to provide — on a real-time, continuous basis — a monthly summary of cardholder transactions on an account-by-account basis,” wrote Hirschmann. “We have heard from companies that the scope may range from dozens to as many as hundreds of pieces of data for each consumer on at least a monthly (and perhaps more frequent) basis.”
President Obama first installed Cordray to head the CFPB on January 4, 2012, in a likely unconstitutional “recess” appointment while the Senate had not adjourned. This was the same day that National Labor Relations Board members were also appointed in this manner in an action that was later declared unconstitutional by federal courts and that the Supreme Court just agreed to review. (My organization, the Competitive Enterprise Institute, has filed a lawsuit challenging the CFPB’s constitutional legitimacy on this and other grounds.)
This year, Obama nominated Cordray to fill the post permanently, and he will soon be up for a confirmation vote. Senators ought to keep the concerns of Hirschmann as well as privacy advocate in mind as they consider Cordray’s nomination. They also ought to demand to see the full report from the Federal Reserve’s inspector general on the flaws in CFPB’s data protection practices.
Some members of the Senate have already raised concerns about the CFPB’s handling of consumer data. “The bureau was founded with a mission to watch out for American consumers, not to watch them,” Senate Banking Committee ranking minority member Mike Crapo (R-Idaho) angrily declared at an April hearing. (Crapo, a consistent champion of privacy rights, called for limits on the USA PATRIOT Act’s surveillance provisions during the Bush administration.)
Cordray responded, “Big data is the cutting edge of analysis and research right now.… It is the way of the world [see just after 19:00 in the video].” So according to Cordray, the CFPB needs to know just about everything about our financial habits in order to protect us.
Last year, just after Cordray was installed illegally as the CFPB’s director, Washington Post consumer finance columnist Michelle Singletary called for the CFPB to become American consumers’ “big brother.” At the time, writing in TAS, I expressed shock that Singletary would use those two words in a favorable light, given that “the pejorative use of this phrase, after all, dates back more than 60 years to George Orwell’s dystopian novel 1984.”
I still don’t know whether Singletary understood the implications of this phrase. But what is clear — and at the same time shocking — is that Cordray does seem to understand Orwellian-style surveillance and embraces many of its concepts. According to the April Bloomberg story, the CFPB is demanding banks to turn over records and buying anonymous data on at least 10 million consumers. Bloomberg reporter Carter Dougherty noted at the time:
Bureau researchers are assembling data from across the financial landscape, according to a review of government records. Credit-card information from nine banks will be stored and analyzed by Argus Information & Advisory Services LLC, a White Plains, New York-based consultancy that won a $15 million contract for the work, procurement documents show. The documents don’t name the nine banks.
As part of a separate industry-wide review, banks are being ordered to provide records of credit-card add-on products including credit monitoring and debt cancellation, according to two people briefed on the matter. And last year, the bureau persuaded banks to submit data on checking-account overdrafts.
How much personal consumer data is the CFPB buying and requiring banks to turn over to it? “Reams and reams and reams of data we’re having to provide to them,” remarked Bank of America Senior Vice President Susan Faulkner at a banking conference in March.
According to Cordray, all of this data gathering is necessary for a government-led innovation in financial services to be masterminded by the CFPB. “The more information there is, the more innovation there can be and the more competition there is among the institutions around customer service,” he told a gathering of consumer groups. “It’s something we want to encourage.”
At the April hearing, Cordray, responding to questions from Sen. Crapo about individual privacy, said that “the data is typically anonymized.” Got that — not anonymous, but “anonymized,” and not all nor even most of the time, but “typically?”
Other CFPB officials have tried to provide a few specifics on Cordray’s weasel words. The CFPB’s assistant director for research told Bloomberg’s Dougherty that it doesn’t collect Social Security numbers and other “personally identifiable data” (Dougherty’s paraphrasing).
Yet because the program, like the CFPB itself, is shrouded in secrecy and a lack of accountability, these reassurances cannot be verified. As Sen. Mike Enzi (R-Wyo.) recently put it, “Congress has less control over this agency than the National Security Agency because authors of the bill that created the consumer bureau gave it funding not through Congress, but through the Federal Reserve.” Indeed, in the name of “financial reform,” Dodd-Frank’s authors put the CFPB outside of Congress’s appropriations process — making it unanswerable to elected representatives — and guaranteed it a stream of funding from the Federal Reserve, an agency with its own issues of lack of transparency and accountability.
Even the Federal Reserve’s Inspector General found in a March report that “improvements are needed” to the security of the CFPB’s consumer data “to ensure that the requirements of FISMA are met.” FISMA is the Federal Information Security Management Act, which requires that agencies have effective safeguards for their databases.
According to the executive summary, the full report “includes nine recommendations… to strengthen security controls for the system.” The Fed IG adds that “we will follow up on the implementation of each recommendation in this report as part of our future auditing activities related to CFPB’s continuing implementation of FISMA.” Yet, in the typical opacity of both the Federal Reserve and the CFPB, the full report is “restricted” and not available to the public.
Very soon, Senate Majority Leader Harry Reid plans to call up Cordray’s nomination for a full Senate vote, and has hinted that he will make radical changes to the filibuster rules to require just 51 votes to cut off debate and proceed to the vote. Senators concerned with privacy for individuals and transparency for government should insist on access to the full report, and making as much of it public as possible without compromising personal data. At the very least, they should not vote to confirm Cordray until the Fed IG’s nine recommendations are implemented.
Richard Cordray has made clear his interest in watching us. Once he is confirmed, Dodd-Frank has made certain we will have no effective way of watching him.