More Enforcement Tools for Consumer Reporting Agencies Needed, Says Government Report

The Government Accountability Office (GAO) released a report yesterday arguing that the Federal Trade Commission (FTC) and the Consumer Financial Protection Bureau (CFPB) need more enforcement tools to adequately protect consumer financial data.

Since 2008, the FTC has settled 34 enforcement actions – half of which were with consumer reporting agencies (CRA) – related to potential violations of the Fair Credit Reporting Act (FCRA). Several of these settlements included civil penalties, which are “fines for wrongdoing that do not require proof of harm.”

The FTC also enforces the Gramm-Leach-Bliley Act (GLBA), which requires all financial institutions to maintain safeguards to protect consumer information. Unlike the FCRA however, GLBA does not grant the FTC civil penalty authority for violations of the law. Thus, a financial institution may be in violation of GLBA by not having safeguards in place to protect consumer data, but the FTC might be unable to obtain monetary redress since measuring “harm resulting from privacy and security violations can be difficult to measure and can occur years in the future, making it difficult to trace a particular harm to a specific breach.”

As a result, “the FTC lacks a practical enforcement tool for imposing civil money penalties that could help to deter companies, including CRAs, from violating data security provisions of GLBA and its implementing regulations.” GAO recommends that Congress amend GLBA by giving the FTC civil penalty authority.

The CFPB also monitors enforcement with the FCRA. Since 2015, the CFPB has settled four enforcement actions with CRAs related to violations of FCRA. The CFPB oversees CRAs with more than $7 million in annual receipts, but the agency “lacks the data needed to ensure identification of all CRAs that meet this threshold.” GAO recommends the CFPB issue a rulemaking that would require CRAs to register with the federal agency if they obtain more than $7 million in annual receipts.

GAO also recommended the CFPB enhance its prioritization of examinations on CRAs. “CFPB’s process for prioritizing which CRAs to examine does not routinely include an assessment of companies’ data security risks, but doing so could help CFPB better detect such risks and prevent the further exposure or compromise of consumer information.”

The report stated that the CFPB neither agreed nor disagreed with GAO’s recommendations.