Model privacy form, fintechs’ use of alternative data among areas flagged for CFPB action, report shows

A recent report by the federal agency charged with financial consumer protection provides a window into some of the actions currently underway – including a potential update of the model privacy form explaining information-sharing to consumers – as a result of recommendations by its inspector general as well as the congressional watchdog office.

The Consumer Financial Protection Bureau (CFPB) on Feb. 26 released an annual report to Congress under the 2019 Good Accounting Obligation in Government Act, which requires agencies to annually submit a report to Congress on the status of certain open public audit recommendations. The CFPB report includes sections on open Government Accountability Office (GAO) recommendations and open Federal Reserve Board-CFPB inspector general recommendations. Overall, the CFPB report shows 53 recommendations still open, with 44 of those being public.

Among the open recommendations one from 2018 by the Government Accountability Office (GAO) that the bureau, in coordination with the federal banking regulators and with stakeholder input, communicate in writing to fintech lenders on the appropriate use of alternative data in the underwriting process, including issues to consider when selecting types of alternative data to use. This recommendation is slated for completion this year, the report shows.

Also slated this year is action on two recommendations addressing the bureau’s tracking and examination of consumer reporting agencies (CRAs). Regarding CRA examinations, the GAO recommended in 2019 that the bureau director “assess whether its process for prioritizing CRA examinations sufficiently incorporates the data security risks CRAs pose to consumers, and take any needed steps identified by the assessment to more sufficiently incorporate these risks.”

The bureau is also slated to update, in consultation with other federal financial regulators, the model privacy form (used under the Gramm-Leach-Bliley Act) and consider “whether it is feasible to include more comprehensive information about third parties with whom financial institutions share consumer personal information.” The recommendation was from last October. Estimated completion is “to be determined.”

Numerous IG recommendations surrounding information security and privacy related to the bureau’s use of technology (mobile devices, thumb drives, internal processes) are also slated for action in 2021, the report shows.