CFPB Monitor

News Guidance Perspectives of CFPB | Ballard Spahr Law Firm Blog

Federal appeals court confirms FTC authority to regulate cybersecurity policies and procedures

Posted in Cybersecurity

Banks and other companies subject to the CFPB’s jurisdiction face the possibility that the CFPB could begin using its authority under Sections 1031 and 1036 of the Dodd-Frank Act (which proscribe unfair, deceptive or abusive acts or practices) to regulate cybersecurity policies and procedures.  For companies also subject to the FTC’s jurisdiction, however, the threat of FTC regulation of their cybersecurity policies and procedures is significantly more imminent in view of a recent decision of the U.S. Court of Appeals for the Third Circuit.

In FTC v. Wyndham Worldwide Corporation, a case of first impression, the Third Circuit ruled that the FTC can regulate cybersecurity policies and procedures as “unfair” acts or practices under Section 5 of the FTC Act.  For a discussion of the decision, see our legal alert.

On September 10, 2015, Ballard Spahr attorneys will hold a webinar, “FTC as the de Facto Privacy Regulator: 10 Things You Need To Know” from 12:00-1:00 p.m. ET.   The registration form is available here.


84 House members urge expedited CFPB action on small business lending data collection rules

Posted in Fair Lending

84 House members recently wrote to the CFPB to urge it to expedite rulemaking to implement the small business lending data requirements of Dodd-Frank Section 1071.  Section 1071 amended the ECOA to require financial institutions to collect and maintain certain data in connection with credit applications made by women- or minority-owned businesses and small businesses.  Such data includes the race, sex, and ethnicity of the principal owners of the business.

In their letter to Director Cordray, the House members urge the CFPB “to move forward this year” with Regulation B rulemaking to implement Section 1071.  They assert that “[t]ransparency in small business lending data is the key to understanding the credit needs of women-owned and minority-owned small businesses.  Public and private entities are collecting data on various aspects of small business lending.  However, these groups offer a fragmentary and incomplete picture of lending in the small business marketplace.  Regulation B is essential for facilitating the enforcement of fair lending laws. ”

Last month, a group of 19 Democratic U.S. Senators and a group of 13 Democratic members of the House Financial Services Committee sent similar letters to Director Cordray.  (Nearly all of the 13 House Financial Services Committee members were among the 84 House members signing the new letter.)  In August 2014, the National Community Reinvestment Coalition issued a white paper that urged the CFPB to take an expansive approach in developing regulations to implement Section 1071.

The growing pressure on the CFPB to issue rules implementing Section 1071 is also the subject of a new American Banker article.  The article discussed industry’s concern that rushed action by the CFPB could result in rules that discourage rather than facilitate small business lending.  It also noted the compliance burden the new rules will place on industry, with Alan Kaplinsky, Practice Leader of Ballard Spahr’s Consumer Financial Services Group, commenting that “[t]his is a going to be a major undertaking to be able to collect the data, and there’s always concern about how the data is going to be used.”








No deference for CFPB amicus brief from Ninth Circuit

Posted in Mortgages

Many readers probably remember Edwards v. First American Financial Corp. for its ill-fated journey to the U.S. Supreme Court.  The Supreme Court had granted certiorari to decide the issue of whether a plaintiff who brings a RESPA claim has Article III standing to recover statutory damages in the absence of any actual damages caused by the alleged RESPA violation.  In 2012, seven months after oral argument, the Supreme Court issued a one-sentence per curiam order which stated only that “the writ of certiorari is dismissed as improvidently granted.”  As described below, the case has since found its way back to the Ninth Circuit, which issued an opinion earlier this week in which it refused to give deference to the RESPA interpretation advanced by the CFPB in its amicus brief.

The underlying lawsuit was a class action complaint filed in 2007 by a consumer who alleged that two First American entities violated RESPA by paying unlawful kickbacks to title agencies in exchange for agreements from such agencies to refer all of their title insurance business to First American.  The complaint alleged that the referral arrangements were part of agreements pursuant to which First American purchased ownership interests in such agencies to give the kickbacks “the appearance of legitimacy.”  The certiorari petition followed a decision by the Ninth Circuit affirming the district court’s ruling that the plaintiff had Article III standing and its denial of class certification but remanding the case to allow the plaintiff to conduct nationwide discovery and renew her class certification motion.

After the Supreme Court’s dismissal of the certiorari petition, the case returned to the district court.  The district court again denied the plaintiff’s motion to certify a nationwide class, ruling that to prove a RESPA violation, the plaintiff had to show that the defendants overpaid for their interests in the title agencies.  According to the district court, such proof was necessary for the plaintiff to show that the defendants gave the title agencies a “thing of value” in exchange for the referrals as required by RESPA.  In addition, because the district court read RESPA’s definition of a “referral” to require action “that has the effect of affirmatively influencing the selection” of a settlement service provider, it found that evidence on an individualized basis would be needed to show who precisely influenced class members to choose First American as their title insurer.

In its amicus brief filed in the Ninth Circuit, the CFPB argued that, when a referral agreement is entered into as part of a transaction involving the sale of ownership interests, a plaintiff can prove that the defendant paid for the referral without necessarily showing that the defendant overpaid for those ownership interests.  According to the CFPB, the safe harbor that permits “payments for goods or facilities actually furnished or services actually performed” only applies when good, services or facilities are “actually provided-typically in the context of particular real estate settlements.”  The CFPB therefore took the position that the safe harbor does not extend to every transfer of “things of value,” such as ownership interests in title agencies.  It contended that the sale and purchase of such ownership interests can be considered “things of value” paid in exchange for referrals without regard to whether the price paid for the interests was fair.  Thus, according to the CFPB, RESPA’s kickback prohibition is violated if the referral agreements between First American and the title agencies were a condition to First American’s purchase of ownership interests in the agencies.

On August 24, 2015, the Ninth Circuit issued an opinion vacating the district court’s denial of class certification except with respect to First American’s transactions with certain newly-formed agencies (i.e. agencies formed by First American with third party investors rather than agencies already existing at the time First American purchased its ownership interest).  In the opinion, the Ninth Circuit agreed with the CFPB’s position that the safe harbor did not apply to First American’s ownership interests.  However, the Ninth Circuit stated explicitly that it agreed with the CFPB’s interpretation not as a matter of deference (which the “CFPB urges us to give”) but because the CFPB’s interpretation was consistent with RESPA’s language.  The Ninth Circuit stated:

Here, CFPB is interpreting the statute, not the regulation.  An agency’s interpretation of the statute-when presented in an amicus brief-is not promulgated in the exercise of its forma rule-making authority, so no Chevron deference is warranted.

Since the beginning of the CFPB’s amicus brief program, we have voiced our concerns about the program’s lack of transparency and the CFPB’s use of the program to make law.  We are glad to see that the Ninth Circuit appears to have recognized our concerns by not deferring to the CFPB’s attempt to make RESPA law through an amicus brief.

CFPB issues second monthly complaint report

Posted in CFPB General, Credit Reports

The CFPB has issued its August 2015 complaint report, the second in its new series of monthly complaint reports.  When it announced the launch of the new reports last month, the CFPB stated that each report would spotlight a particular product and geographic location.  The August 2015 spotlights credit reporting complaints and complaints from consumers in the Los Angeles, California metro area.

Findings regarding complaints generally include the following:

  • As of August 1, 2015, the CFPB has handled approximately 677,200 complaints, including 26,700 complaints in July 2015.  Credit reporting complaints showed the greatest month-over-month increase, with the number of such complaints submitted by consumers in July 2015 up 56 percent from the number submitted in June 2015.  Mortgage complaints showed the greatest month-over-month decrease, with the number of complaints submitted by consumers in July 2015 down 4 percent from the number submitted in June 2015.
  • For July 2015, debt collection was the most-complained-about financial product or service, representing about 31 percent of complaints submitted (approximately 8,224 of the 26,704 complaints handled in July).  The second and third most-complained-about products were, respectively, credit reporting and mortgages.
  • Consumer loan complaints, which include pawn, title, and installment loans, increased 61 percent from the same time last year, up from a monthly average of  718 complaints from May to July 2014 to a monthly average of 1,154 complaints from May to July 2015.  This was the greatest percentage increase by product.  Bank account or services complaints showed the greatest percentage decrease (4 percent) by product over the same time period, decreasing from a monthly average of 1,976 complaints to 1,895 complaints.
  • Hawaii, Maine, Georgia, and North Carolina experienced the greatest average monthly complaint volume increases from the same time last year (May to July 2014 as compared with May to July 2015), with Hawaii up 37 percent, Maine up 36 percent, and both Georgia and North Carolina up 33 percent.  South Dakota, New Mexico, and Alaska experienced the greatest complaint volume decrease from the same time last year, with South Dakota down 31 percent, New Mexico down 16 percent, and Arkansas down 11 percent.

Findings regarding credit reporting complaints include the following:

  • The majority of credit reporting complaints (77 percent) submitted to the CFPB involved incorrect information on reports.  Among the claims frequently involved in such complaints were claims that a debt appearing on the report had already been paid, or was no longer due because it was beyond the applicable statute of limitations for bringing a lawsuit, belonged to another person, or was not recognized by the complainant.
  • Consumers consistently reported issues related to accessing their credit reports as a result of online identity authentication questions.
  • Public records appearing on credit reports were a source of concern, with consumers frequently mentioning delays in updating public records, problems correcting inaccurate records and public records being incorrectly matched to credit reports.
  • Hawaii, Iowa and Ohio experienced the greatest percentage increase in the monthly average number of credit reporting complaints submitted between May to July 2015 as compared with May to July 2014 while Utah, South Dakota and Wyoming experienced the greatest percentage decrease in the monthly average of such complaints over the same period.

Findings regarding complaints from consumers in Los Angeles include the following:

  • As of August 1, 2015, of the 94,000 complaints submitted by California consumers, 33,700 were submitted by consumers in the Los Angeles metro area.
  • Mortgages were the product most-complained-about product, with mortgage complaints submitted by Los Angeles consumers constituting 35 percent of total complaints as compared to 28 percent of total complaints nationally.
  • Credit reporting complaints and debt collection complaints constituted a smaller percentage of the total complaints submitted by Los Angeles consumers than those submitted by consumers nationally.

The August 2015 report, like the July 2015 report, identifies the top “most-complained-about companies.”  As we have previously commented, until the CFPB adequately addresses the need for normalization of the complaint data, its lists of top “most-complained-about companies” will only serve to mislead consumers.  And even if the CFPB addresses the normalization issue, we remain concerned that the monthly reports can still mislead consumers by failing to disclose that the CFPB has not vetted any of the complaints, let alone excluded complaints that have no basis in fact.

Noted Scholars Critique the CFPB’s Arbitration Study and Find It Lacking

Posted in Arbitration

We have previously blogged about the comment letter concerning the CFPB’s March 10, 2015 Study on consumer arbitration that we submitted to the CFPB on behalf of the American Bankers Association, the Consumer Bankers Association and The Financial Services Roundtable. That comment letter was highly critical of the conclusions drawn by the CFPB from its own data.

Earlier this month, Professor Jason Scott Johnston of the University of Virginia School of Law and Professor Todd Zywicki of the George Mason University School of Law published a lengthy and important Critique of the CFPB’s Study. The authors conclude that “the CFPB’s findings actually undermine several key arguments that are often asserted to justify restrictions on arbitration, such as the supposed unfairness of arbitration procedures.” For example, they observe, “the CFPB found that arbitration is such a simple and cheap process (now only requiring a $200 filing fee) that consumers achieve good outcomes even when they are not represented by counsel.” Indeed, “arbitration may be the only way for consumers to successfully seek outside redress without resort to hiring costly legal counsel.” According to the Critique, the CFPB’s findings also show that consumer arbitrations are resolved “very quickly.”

Johnston and Zywicki further conclude that the CFPB’s Study “provides no foundation for imposing new restrictions or prohibitions on mandatory arbitration clauses in consumer contracts.” Among other things, the authors address the Study’s finding that few of the arbitrations examined involved small-dollar claims of $1,000 or less, from which the CFPB “implies that the absence of these small-dollar claims from the dataset suggests that arbitration is not a feasible dispute resolution for many consumers,” especially when compared to class actions. They observe that the CFPB failed to consider that many if not most consumer disputes are resolved “without arbitration or litigation” through informal dispute resolution procedures. As an example, Johnston and Zywicki cite “data provided by one financial institution indicat[ing] that it grants refunds to 68% of customers who complain, suggesting that the bank has a well-established internal system for resolving meritorious small-dollar consumer claims, pretermitting either arbitration or litigation.” The refunds for just this one institution totaled more than $2.275 million in 2014 alone. (It is interesting that the CFPB, which had the authority under Dodd-Frank to obtain such information under 12 U.S.C.§ 5512(c), failed to do so). The authors link this data to the CFPB’s own data obtained from its consumer telephone survey:

When consumers were asked what they would do if a credit card company failed to remove a fee that the consumer complained had been wrongly assessed, very few said that they would resort to calling a lawyer. Instead, the vast majority of consumers said that they would simply cancel their accounts and take their business elsewhere. Our data indicate that this consumer market response is credible and real: as economic theory predicts, financial institutions seem to respond to the threat of losing a consumer’s business by waiving various fees and charges on a case-by-case basis. For the vast majority of consumer disputes involving small claims, the market creates incentives for firms to resolve such disputes internally.

Thus, they conclude, “[t]ogether with the CFPB’s survey evidence showing that consumers … punish firms that try to attach unreasonable charges and fees by taking their business elsewhere, it may well be that truly small-dollar claims are increasingly being eliminated by the market itself.”

Johnston and Zywicki fault the CFPB for using the relatively low number of small-dollar consumer arbitrations as a proxy for whether arbitration benefits consumers. Under the CFPB’s logic, they contend, consumers would be better off if companies resolved fewer claims using internal complaint-resolution processes and thereby forced more consumers to bring arbitrations.   Such a result would end up burdening consumers, not helping them. The Study is deficient, the authors assert, because while it notes the relative absence of small-dollar arbitrations, it does not attempt to rule out other potential explanations, such as companies resolving such disputes pursuant to internal dispute resolution processes. (Your authors add that most consumer arbitration agreements are required to permit consumers to go to small claims court to resolve small-dollar claims, which obviates the need for the consumer to commence an arbitration).

Another significant observation made by Johnston and Zywicki is that the CFPB Study “makes no attempt to assess the merit of consumer class actions that end in the class action settlements it reports.” They call this a “glaring omission” since the Study “sheds no light on what is perhaps the key public policy question: whether class action settlements often represent a deal struck by defendants to avoid massive discovery costs threatened in lawsuits of questionable substantive merit, whereas arbitration may resolve individual claims more accurately in terms of the substantive merits of the dispute.”

Johnston and Zywicki also examine the CFPB’s conclusion, based upon its telephone survey, that most consumers do not pay attention to whether their credit card contract contains a mandatory arbitration clause. They note that the CFPB seems to imply that for arbitration to benefit consumers, consumers must observe and shop among contract clauses that specify the method by which ex post disputes with the firm will be resolved. Such an implication would be mistaken, the authors state, because the CFPB found that consumers do consider terms such as what interest rate is offered and whether companies fairly resolve consumer complaints. The authors continue:

A firm’s required method of ex post dispute resolution is not something that consumers specifically consider while shopping, but the matters that consumers do consider—prices and how firms resolve complaints—are likely directly influenced by whether a firm can require arbitration. If by requiring arbitration a firm reduces its expected costs of ex post dispute resolution and increases the benefits of accuracy in internal dispute resolution (meaning, it grants consumers a refund when the firm really has made a mistake and denies refunds when no mistake has been made), then arbitration reduces the firm’s costs while increasing its payoff to investing in internal dispute resolution. Arbitration’s likely influence is under the hood, as it were, but potentially it is just as great as if consumers did shop directly considering arbitration clauses.

Johnston and Zywicki also criticize the Study for “not provid[ing] much of the key information necessary to fully evaluate the relative roles of arbitration and class actions as ex post dispute resolution mechanisms for consumer cases.” They explain: “Substantially more and different evidence would be necessary to conclude that consumers are harmed by arbitration or that they would benefit from unleashing class action litigation more routinely. The propriety of caution in moving to restrict arbitration agreements on the basis of the CFPB’s findings is especially appropriate in light of the well-established public policy favoring the use of alternative dispute resolution techniques.”

Professors Johnston and Zywicki have provided valuable information for the CFPB to consider as it begins rulemaking on consumer arbitration agreements.

CFPB lawsuit against pension advance companies could have broader implications

Posted in CFPB Enforcement

A new lawsuit, filed by the CFPB and the New York Department of Financial Services
(NY DFS) in a California federal court against two pension advance companies and three of the companies’ individual managers, again demonstrates the aggressive approach taken by both agencies.  The lawsuit follows a consumer advisory issued by the CFPB in March 2015 regarding “pension advance traps to avoid.”

The complaint alleges that the defendants offered consumers pension advances in the form of  “lump-sum payments that consumers could receive in return for agreeing to redirect all or part of their pension payments, over eight years, to repay the funds.”  The CFPB and NY DFS allege that the defendants engaged in unfair, deceptive and abusive practices in violation of the Consumer Protection Act by, among other things:

  • Failing to disclose or misrepresenting the interest rate and fees for the loans.  The complaint alleges that the defendants represented that the transactions did not involve the payment of interest when they had an average effective annual interest rate of 28.56%.  It also alleges that the defendants failed to disclose associated fees and represented that the transactions had a cost comparable to loans with interest rates substantially lower than the alleged effective rate.
  • Misrepresenting that the transactions were asset purchases and not loans.  The complaint alleges that the companies represented to consumers that the transactions were not loans and instead that the defendants were purchasing consumers’ future pension income.

The complaint also includes various state law claims asserted only by the NY DFS.  The NY DFS alleges that the defendants violated New York usury laws, engaged in false and misleading loan advertising in violation of the New York Banking Law, and intentionally misrepresented a material fact (i.e. that they purchased pension income and there was no interest rate) in violation of the New York Financial Services Law.

The complaint includes allegations that the defendants solicited investors to invest in the transactions and paid investors from pension payments deposited into checking accounts of consumers who entered into transactions with the defendants.  In the complaint, the NY DFS alleges that by transmitting money from consumers’ accounts to investors, the defendants were engaged in the business of money transmitting.  New York Banking Law requires a person engaged in money transmitting to be licensed as a money transmitter unless such person is acting as the agent of a licensee or a payee.  The NY DFS claimed that the defendants were in violation of such law because they were not licensed as a money transmitter or appointed agents of a licensee or the investors.

While the complaint charges that the transactions in question were loans rather than asset purchases, it does not specify that the pensioners had any liability to the pension advance companies in the event the pension payments were smaller than anticipated.  Indeed, the complaint recites that the defendant companies purchased insurance against the risk of premature death (and cessation of pensions) of the pensioners.

The action clearly raises questions about whether the CFPB, NY DFS, or other regulators might bring similar claims against providers of merchant cash advances, litigation funding companies and other firms that purchase uncertain future revenue streams at a discount.  Structured properly, the products offered by these companies are not loans or absolutely repayable obligations.

In the instant case, the CFPB and NY DFS allege a number of troubling facts about the representations made by the defendant companies.  And bad facts often make bad law.  However, even if the CFPB and/or NY DFS prevail in their contention that the pension purchases in these cases were disguised loans, there are several important distinctions between the pension advance products at issue here and other products offered outside of lending laws.

First, the pension advances in this case are consumer transactions, not commercial transactions over which the CFPB and other regulators have limited jurisdiction.  Second, because they involve pensions, they trigger the “hot button” issue of elder abuse which draws significantly greater regulatory scrutiny than business transactions.  Third, as the complaint acknowledges, pension payments are not assignable, so the transactions did not include an actual assignment of the future revenue stream at the time the advance was made, which clearly would make the future revenue stream the property of the advance company.  Instead, they imposed a contractual obligation for the consumer to forward future payments to the pension advance company when received, making the transaction look more like a loan.  Finally, the pension advances had a defined time period during which pension payments had to be remitted, substantially impairing the finance company’s ability to argue that the product has no interest rate, no payment schedule, and no absolute repayment requirement, as is the case of a properly designed merchant cash advance.

Since opening its doors for business, the CFPB has been aggressively testing the limits of its jurisdiction. Earlier this month, we conducted a webinar: “Pushing the Envelope: Are There Limits to the CFPB’s Jurisdiction?” in which we discussed the CFPB’s continuing “jurisdiction creep” and explored the limits of the CFPB’s jurisdiction.


CFPB enters into consent order with company charged with deceptive health care credit enrollment practices

Posted in CFPB Enforcement, UDAAP

The CFPB has entered into a consent order with Springstone Financial, LLC to settle charges that the company was responsible for alleged deceptive and misleading acts and practices in connection with enrolling consumers in a financing program to pay for dental work.  The consent order requires the company to provide $700,000 in redress to consumers who paid deferred interest under the program but does not impose a civil money penalty.

According to the consent order, Springstone administered a financing program offered through partner banks that allowed a consumer to obtain a no-interest loan to pay for health care services if the loan balance was paid during the promotional period.  Consumers could apply for a loan in the office of a health care provider participating in the program (the “Provider-Assisted Channel).  Staff members in the provider’s office would give application materials to consumers, convey information about the program, and submit completed applications to Springstone.

The CFPB claimed that in some instances, staff members in offices of dental care providers told consumers that the product was a no-interest loan rather than a deferred interest loan and failed to inform consumers that a 22.98% APR would apply from the date of purchase if the loan balance was not paid before the promotional period ended.  According to the CFPB, even if a consumer enrolling in the program received appropriate written disclosures, the contradictory or misleading information provided by staff members caused consumers to misunderstand the loan product.  The CFPB claimed that such alleged deceptive and misleading acts and practices were the result of Springstone’s operation of the Provider-Assisted Channel and its failure to adequately train and monitor participating health care providers.  The program was discontinued in 2014.

The consent order requires Springstone to work with its partner banks to issue a credit or send a reimbursement check to those consumers with an open account and mail a reimbursement check to consumers with a closed or inactive account.

In February 2014, the CFPB published a blog post that provided advice to consumers on deferred interest credit cards offered by health care providers, including how to avoid paying interest and what happens if the balance is not paid by the end of the promotional period.


CFPB issues state-specific guides for financial caregivers

Posted in Elder Financial Abuse

In October 2013, the CFPB released four “Managing Someone Else’s Money” guides for financial caregivers, particularly those who handle the finances of older Americans.  The booklets were designed for four different categories of financial caregivers: agents under powers of attorney, court-appointed guardians, trustees, and government fiduciaries, such as someone serving as a Social Security representative payee or Veterans Affairs fiduciary.

Earlier this week, in conjunction with an event about financial management for seniors and their caregivers held in Springfield, Virginia, the CFPB issued a set of the four guides specific to the state of Virginia.  The guides can be accessed on the CFPB’s website and free print copies (including bulk orders) can be ordered online.

The CFPB also plans to issue state-specific guides for Arizona, Florida, Georgia, Illinois, and Oregon.  (It seems likely that the states selected by the CFPB for state-specific guides are the states with the largest populations of older individuals.)  In addition, the CFPB will be providing tips and templates for legal and aging experts in other states to adapt the guides for their states.

CFPB seeks information on income-driven student loan repayment plans

Posted in Student Loans

In a new blog post, the CFPB tells borrowers, that in response to its solicitation of borrower “stories” about problems with student loans, it has heard “about problems related to enrolling in income-driven repayment plans that ended up costing you hundreds of dollars in unexpected payments.”  The blog post includes “some helpful advice and information” for borrowers enrolled in such plans which details the potential consequences a borrower can experience if the borrower’s recertification under such a plan “is not processed on time.”  (The CFPB references information about recertification rates released by the Department of Education noting that 57 percent of all borrowers in its sample missed their deadline to recertify.)

The blog post also indicates that the CFPB is sending a letter “to student loan companies asking for more information about how they make sure student loan borrowers have the information they need to stay on track.”  In the letter, the CFPB states that its preliminary analysis of input received in response to its May 2015 request for information about student loan servicing “has identified a number of consumer comments reporting issues related to seeking to obtain affordable monthly payments.”  The letter seeks information about income-driven repayment plans from companies that “hold or service a portfolio of privately-held legacy federally-guaranteed (commercial FFEL) loans or federal Direct Loans.”

More specifically, the CFPB requests information related to Income Based Repayment (IBR) utilization in a company’s FFEL portfolio and both IBR and Pay As You Earn utilization in a company’s Direct Loan portfolio.  The CFPB asks companies to provide information on:

  • Policies and procedures related to recertification for income-driven repayment plans
  • Enrollment in income-drive repayment plans
  • Recertification for income-drive repayment plans
  • Late recertification for income-drive repayment plans
  • Outcomes for borrowers enrolled in automatic payments and who do not complete a timely recertification
  • Utilization of forbearance when borrowers fail to recertify

The letter indicates that responses are voluntary and that the CFPB “may make public certain information we gather in response to this request, but we will not identify any specific market participants.”

OIG adds four new projects to work plan

Posted in CFPB General

Since our last blog post about the OIG’s work plan, the work plan has been updated as of August 7, 2015 to add four new projects.  A newly added ongoing project is a “Security Control Review of the CFPB’s SQL Environment.”  (An SQL environment is a database management system.)  The OIG’s specific audit objective is to evaluate the adequacy of certain control techniques designed to protect data within the system from unauthorized access, modification, destruction, or disclosure.  The audit has a first quarter 2016 estimated completion date.

New planned projects are:

  • Evaluation of the CFPB’s Risk Assessment Framework for Prioritizing Examination Activities.  The evaluation will assess the CFPB Division of Supervision, Enforcement, and Fair Lending’s risk assessment framework and methodology for prioritizing its examination activities at its supervised institutions.
  • Risk Assessment of the CFPB’s Purchase Card Program. The assessment will identify and analyze the risks of illegal, improper, or erroneous purchases and payments.
  • Audit of the CFPB’s Privacy Data and Personally Identifiable Information (PII) Program.  The OIG  will review the extent to which the CFPB has assessed the risks associated with the collection, maintenance, storage, and disposal of privacy data and PII and applied appropriate information security controls and protection over the data to mitigate those risks.  The audit will focus on (1) CFPB systems that house PII, (2) access to PII,
    (3) disposal and destruction mechanisms, (4) the handling of privacy incidents, (5) privacy training, and (6) National Institute of Standards and Technology privacy controls.

Missing from the updated work plan is an audit of the CFPB’s pay and compensation program which had previously been listed as a planned project.