Although the CFPB has taken steps to secure these data collections, the GAO determined that the CFPB:
- Lacks written procedures and comprehensive documentation for a number of processes, including data intake and information security risk assessment;
- Has not yet fully implemented a number of privacy control steps and information security practices, which could hamper the agency's ability to identify and monitor privacy risks and protect consumer financial data; and
- Should consult further with OMB about its credit card collection and data sharing agreement.
Furthermore, the OCC should seek OMB approval for its credit card and mortgage data collection.
GAO makes 11 recommendations to enhance CFPB's privacy and information security and 1 recommendation to OCC to ensure its data collections comply with appropriate disclosure requirements. CFPB and OCC agreed with GAO's recommendations and noted steps they plan to take or have taken to address them.