Testimony

Examining the Consumer Financial Protection Bureau’s Mass Data Collection Program

Committee on Financial Services
Subcommittee on Oversight and Investigations
United States House of Representatives

Chairman Duffy, Ranking Member Green, and distinguished members of the Subcommittee, I thank you for the invitation to appear at today’s important hearing. I am Mark Calabria, Director of Financial Regulation Studies at the Cato Institute, a non-profit, non-partisan public policy research institute located here in Washington, D.C. Before I begin my testimony, I would like to make clear that my comments are solely my own and do not represent any official positions of the Cato Institute. In addition, outside of my interest as a citizen, consumer and taxpayer, I have no direct financial interest in the subject matter before the Committee today, nor do I represent any entities that do.

I will also note that my service at HUD included supervising and managing HUD’s enforcement of the Real Estate Settlement Procedures Act (RESPA). These responsibilities, along with the relevant HUD staff, were transferred to the CFPB. Accordingly the views I will offer today are not simply those of an analyst but also of one who has attempted to make our financial consumer protection laws more effective.

Is CFPB’s Massive Data Collection Required?
I believe it would be unfair to criticize any agency for simply following mandates imposed upon it by Congress. If such mandates are problematic, then the blame rests with Congress. Agencies should, however, be held responsible for their implementation and whatever discretionary policies and actions they pursue beyond Congressional mandates. I submit to the Subcommittee that the manner and extent of CFPB’s data collection program goes far beyond what required under the Dodd-Frank Act. The objectives and requirements of Title X of Dodd-Frank can easily be achieved with more narrow and targeted methods.

Let us review the CFPB’s data mandates:
Section 1013 establishes the administrative structure of the CFPB. More precisely as it relates to data collection, 1013(b) established specific function areas, including research:
1013(b)(1) Research.—The Director shall establish a unit whose functions shall include researching, analyzing, and reporting
on-
(A) developments in markets for consumer financial products or services, including market areas of alternative consumer financial products or services with high growth rates and areas of risk to consumers;
(B) access to fair and affordable credit for traditionally underserved communities;
(C) consumer awareness, understanding, and use of disclosures and communications regarding consumer financial products or services;
(D) consumer awareness and understanding of costs, risks, and benefits of consumer financial products or services;
(E) consumer behavior with respect to consumer financial products or services, including performance on mortgage loans; and
(F) experiences of traditionally underserved consumers, including un-banked and under-banked consumers.

None of the preceding activities requires micro-level transactional data. Nowhere in the above are the current data collection efforts mandated or even suggested. As an economist I certainly understand the desire for researchers to have extensive transaction level data. Agencies, however, are not constructed for the enjoyment of researchers, but to achieve a specific public purpose. All of the above areas can be addressed with aggregate level data, most of which is already publicly available.

While 1013(b)(3) establishes collecting and tracking consumer complaints, such is an activity entirely separate from overall market monitoring. And while I believe consumers could be given more disclosure on what is done with the information they submit as part of the complaint process, the fact remains that complaints are submitted voluntarily. Nowhere in 1013(b)(3) is there a requirement for massive non-complaint data collection. Nor will one find such data efforts listed under 1013(c) which establishes CFPB’s Office of Fair Lending and Equal Opportunity.

One might wonder if such a mandate is found elsewhere in Title X. The functions of the CFPB do mention under Section 1021(c) the “collecting, researching, monitoring, and publishing information relevant to the functioning of markets for consumer financial products and services to identify risks to consumers and the proper functioning of such markets”. While the term “information” is indeed broad, I find it difficult to believe that such could be read to mandate the large scale collection of transactional data. In fact individual transactions tell you almost nothing about the overall functioning of specific markets. 1021(c) is easily fulfilled by collecting aggregate data and information published by private and other government sources.

Nor do the monitoring responsibilities under 1022(c) require the collection of massive amounts of transactional data. In fact the monitoring under 1022(c) can be achieved by any competent regulator with the use of aggregate data. There is zero need for transaction level data to fulfill the purposes and objectives of 1022(c).

I was certainly able, when managing HUD’s RESPA activities, to aggressively enforce RESPA and even undertake a major revision of the rules under RESPA, without engaging in the collection of massive amounts of transactional data. It can be done. What difficulties I ran into were almost always a result of the statute, not a lack of data.

To summarize, outside of the consumer complaint database, which has problems of its own1, the large scale collection of transactions data by the CFPB is not mandated by statute or necessary to carry out its statutory responsibilities.

CFPB - Data protection, privacy and the Fourth Amendment
Passed in the aftermath of the terrorist attacks of 9/11, the Patriot Act vastly expanded the data collection efforts of the U.S. government. The public was told that only if we had had more data, the attacks could have been avoided. Yet the intelligence failures were not from lack of data, but from an inability (or unwillingness) to “connect the dots”. Similarly the financial crisis was met with demands for “more data” as if the overheated housing and mortgage markets were not obvious enough from the generally available aggregate data.

Before turning to the CFPB, let me clearly state that the privacy and Fourth Amendment issues raised are not unique to the CFPB. I believe the “third party doctrine” upon which this data collection rests is fundamentally flawed and simply inconsistent with the Forth Amendment. My colleagues at the Cato Institute and I have regularly and consistently expressed concerns as to collection of consumer data by government officials. We have done so regardless of the politics or whether we supported the objectives of the agency in question. The Cato Institute has submitted a number of legal briefs on the issue, most recently in City of Los Angeles v. Patel,2 decided last term before the Supreme Court. I would also point you to our submissions in Riley v. California,3Heien v. North Carolina,4 and Nelson v. City of Rochester.5

We have also repeatedly seen the harm from both the regulatory burden and over-collection of data by other financial regulators. I applaud, for instance, Congressman Ellison’s efforts on last year’s Money Remittances Improvement Act (H.R. 4386). Such reduced data collection burdens in remittance market and did so without sacrificing consumer or national security protections. I believe it can serve as a model for the efforts of the CFPB.

Turning back to the CFPB, the GAO has reported that the CFPB has engaged in at least 12 large scale data collection efforts.6 At least 3 include information that directly identifies individual consumers. Combining this information with other sources allows most of the remaining data collections to also identify individual consumers.7

While some of these collections are relatively small, such as the 11,204 arbitration case records, the Bureau’s collection of mortgages, credit report and credit card data is quite extensive. Combined with the CFPB’s information sharing agreement with the Office of the Comptroller of the Currency, the CFPB has access to almost 90 percent of outstanding credit card balances.

As a former federal employee and one subject to the recent Office of Personnel Management breach, let me clearly say I do not trust the CFPB with protecting my personal financial data from hackers. As both GAO and the Federal Reserve Inspector General (OIG)8 have recognized, the CFPB’s data collect poses significant privacy risk to consumers and remains in need of improvement. In consolidating all this financial information in one place, the CFPB has left consumers extremely vulnerable to identity theft and even extortion from hackers.

A particular vulnerability is the heavy reliance of the CFPB on outside contractors or contractor-controlled systems. A noted by the OIG, the CFPB continues to “face challenges in ensuring that contractors implement information security controls that meet agency requirements.”9 These risks are compounded by the CFPB’s heavy reliance on “cloud” based computing systems, which are especially vulnerable to hacking. To the extent that the CFPB continues to engage in mass data collection, such should be brought “in-house” and not entrusted to private contractors.

The risk of hacking is a threat from outside the Bureau. Unfortunately the CFPB’s data collection, particularly in the area of credit cards, poses significant threats to our fourth amendment protections. As Justice Douglas observed in his dissent to California Bankers Assn v. Shultz, “A checking account…may well record a citizen’s activities, opinions, and beliefs as fully as transcripts of his telephone records.” Credit cards are today’s checks. As GAO noted, the CFPB is not simply collecting account information, which would be bad enough, but also transaction level information. In its brief to California Bankers Assn, the American Civil Liberties Union (ACLU) noted that accessing financial records could allow its membership to be identified, eroding the protections recognized in NAACP v. Alabama. As an employee of an institute that also receives donations transmitted via checks and credit cards, I too fear that allowing government access to such records poses a significant threat to our political freedoms. As Justice Marshall observed in his dissent to California Bankers Assn., “The technique of examining bank accounts to investigate political organizations is, unfortunately, not rare.”

Such concerns are not simply reflections of the Watergate era. As recently as 2012, Justice Sotomayor in her concurrence to United States, Petitioner v. Antoine Jones, correctly observed that “Awareness that the Government may be watching chills associational and expressive freedoms. And the Government’s unrestrained power to assemble data that reveal private aspects of identity is susceptible to abuse.” Justice Sotomayor offers the example of medications purchased by online retailers as an example. Such a purchase could potentially be identified within the CFPB’s database of credit card accounts.

For a variety of reasons, the CFPB has become a highly partisan issue. Were it to use the financial records of its critics in an attempt to silence or intimidate these critics, it would not be the first agency to do so.

While today’s hearing is not about the overall structure of the CFPB, we should recognize that its current structure, that of a single director, leaves it especially vulnerable to the cognitive biases that contribute to civil liberties abuses.10 A large body of research on group decision-making suggests that a lack of mechanisms for mandated dissent can result in tunnel vision.11 While of course speculative, I would suggest that the worst abuses of, for instance, J. Edgar Hoover, would have been avoided or minimized had the FBI operated as a board and/or been subject to additional checks and balances.12 Just as we now know recognize that a single-minded focus on fighting communists, terrorists, the mafia or drug dealers (or whoever the villain of the day is) can result in the abuse of civil liberties, so can a single-minded focus on fighting “financial abuse”. Siding with the Constitution is no more siding with “abusive lenders” than it is siding with terrorists or drug dealers.

Unlike many other law enforcement agencies, the CFPB lacks some basic safeguards. For instance no subpoena or warrant has been issued for its massive data collection efforts. As Justice Douglas has explained, a neutral third party, such as magistrate, is needed to balance the pressures of law enforcement with protection of our constitutional freedoms. In McDonald v. United States, Justice Douglas expressed this view of the Founders’ intent: “The right of privacy was too precious to entrust to the discretion of those whose job is the detection of crime and the arrest of criminals. Power is a heady thing; and history shows that the police acting on their own cannot be trusted.” The CFPB has repeatedly characterized itself as a “cop on the beat”. It is long past time that it is subjected to the same constraints and oversight as a “cop on the beat”. The abuses witnessed in law enforcement should remind us all what happens when government is driven by a single-minded, unrestrained, focus on eliminating legal violations.

While other financial regulators also collect large amounts of data, and we should be concerned about those efforts as well, GAO has observed the efforts of other financial regulators are “less extensive than CFPB’s data collections.” For instance neither the Securities and Exchange Commission nor the Commodity Futures Trading Commission engages in the collection of massive amounts of individual investor data.

The Federal Trade Commission (FTC) and the Consumer Product Safety Commission (CPSC), to which the CFPB is often compared, also lack the extensive data collection efforts of the CFPB. The FTC and CPSC do build databases of complaints they receive from consumers, as does the CFPB. Such databases are more than sufficient for regulators to identify trends in misconduct. Would the CFPB have us believe that there are so few consumer complaints that it needs to actively monitor consumers and companies where there have not been any problems found?

As Law Professor Daniel Solove has noted, the “Framers included the warrant clause” of the fourth amendment, “because of their experience with general warrants and writs of assistance.13 One objective of the fourth amendment is to limit the government’s ability to engage in “fishing expeditions”. Yet such is the very nature of the CFPB’s data collection. Is the CFPB’s data collection limited to following up on suspected violations of the law? No, it covers the extensive surveillance of consumers and companies that have neither been convicted of a crime nor suspected of such. The CFPB, unfortunately, is another brick in the foundation of what ProPublica reporter Julia Angwin has called the “Dragnet Nation”.14

In reflecting on the Bank Secrecy Act of 1970, from which the third party doctrine flows, Justice Douglas expressed in dissenting from California Bankers Assn that he was “not yet ready to agree that America is so possessed with evil that we must level all constitutional barriers to give our civil authorities the tools to catch criminals.” I am not yet ready to agree that our financial markets are so possessed with evil as to merit the CFPB’s broad presumption of guilt on the part of all financial market participants. The manner of CFPB’s data collections are the result of a mindset that treats financial services providers not as citizens but as suspects.

Nor is this level of data collection even needed to monitor our financial markets. The CFPB, like the general public, has access to a variety of public reports that detail, in an aggregate manner, trends in consumer finance. Again I would submit that the aggregate trends in housing and mortgage data before the crisis, while incomplete, were more than sufficient to arouse concern. Such trends certainly concerned me at the time. But even if the CFPB continues to believe that micro data is needed, it is collecting amounts far in excess of required sample sizes. As George Mason University Economics Professor Thomas Stratman has noted, the CFPB plans to collect data samples that are 70,000 times the size needed.15 Such an expansive collection of data reveals that the CFPB is indeed engaged in “fishing expeditions” rather than simply market monitoring.

Setting aside that I believe both California Bankers Assn v Shultz and United States v. Miller to be wrongly decided, it should be noted that Miller, in finding no “expectation of privacy”, relies upon an analysis that “checks are not confidential communications but negotiable instruments to be used in commercial transactions.” True enough. Checks are negotiable and can be widely circulated. Yet what the CFPB collects is not limited to checks. Credit card transactions, for example, are not negotiable. There is no expectation that such will be passed along like currency. Consumers may well prefer credit (and debit) cards due to their relative anonymity. The data collection efforts of the CFPB (under sections 1022, 1024 and 1025 of Dodd-Frank) go far beyond those envisioned or approved in either California Bankers Assn or Miller.

Conclusions
Chairman Duffy, Ranking Member Green, the Consumer Financial Protection Bureau’s data collection activities run afoul of our Fourth Amendment protections. These extensive data collections are in no way necessary for the CFPB to achieve its statutory mission. Such could be accomplished in a manner that does not offend the Fourth Amendment, while also allowing the CFPB to fulfill its consumer protection responsibilities. As Courts have too often been slow to protect our Fourth Amendment rights, it did take almost 30 years for Olmstead to be reversed; Congress should move quickly to protect American consumers from harm of CFPB’s data collection efforts. I would also remind the Subcommittee that the risks deriving from the CFPB’s data collection efforts are also present at other financial regulators as well.

Notes
1 See Rachel Witkowski “Errors Abound in CFPB’s Complaint Portal” American Banker November 17, 2015. http://www.americanbanker.com/news/law-regulation/errors-abound-in-cfpbs-complaint-portal-1077878-1.html
2 See Cato Institute. City of Los Angeles v. Patel Legal Brief https://www.cato.org/publications/legal-briefs/city-los-angeles-v-patel
3 https://www.cato.org/publications/legal-briefs/riley-v-california
4 https://www.cato.org/publications/legal-briefs/heien-v-north-carolina
5 https://www.cato.org/publications/legal-briefs/nelson-v-city-rochester
6 Government Accountability Office. 2014. Consumer Financial Protection Bureau: Some Privacy and Security Procedures for Data Collection Should Continue Being Enhanced. Report to Congressional Addresses GAO-14-758
7 See Yves-Alexandre de Montjoye, Laura Radaelli, Vivek Kumar Singh and Alex Pentland. 2015. “Unique in the Shopping Mall: On the Reidentifiability of Credit Card Metadata,” Science #6221.
8 See Office of the Inspector General, Federal Reserve, Major Management Challenges for the Consumer Financial Protection Bureau September 30, 2015. http://oig.federalreserve.gov/reports/cfpb-management-challenges.htm
9 See Office of the Inspector General, Federal Reserve, Major Management Challenges for the Consumer Financial Protection Bureau September 30, 2015.
10 See generally, Rachlinski, Jeffrey J. and Farina, Cynthia R., “Cognitive Psychology and Optimal Government Design” Cornell Law Review, vol. 87, no. 2 (January 2002).
11 See Cass R. Sunstein, “Conformity and Dissent” (University of Chicago Public Law & Legal Theory Working Paper No. 34, 2002).
12 For examples of some of these well-know abuses, see Curt Gentry, J. Edgar Hoover: The Man and the Secrets. Norton 2001; or Tim Weiner. Enemies: A History of the FBI. Random House 2013.
13 Daniel Solove. 2002. “Digital Dossiers and the Dissipation of Fourth Amendment Privacy,” Southern California Law Review 75:1083.
14 Julia Angwin. 2015. Dragnet Nation: A Quest for Privacy, Security, and Freedom in a World of Relentless Surveillance. St. Martin’s Griffin.
15 See http://mercatus.org/sites/default/files/StratmannCFPBStatisticMethods.pdf