There are many flaws in the Consumer Financial Protection Bureau’s (CFPB) small-dollar loan rule, which will deny millions of Americans access to a vital form of credit. One of the biggest, and one that has become acute lately, is the security of consumers’ personal financial information.
By now, we all know that the credit reporting agency Equifax compromised the personal financial information of at least 145 million people in one of the largest data breaches in U.S. history. However, most people may not know that the CFPB’s small-dollar lending rule could also compromise — or “Equifax” — the sensitive personal financial data of millions of small-dollar loan customers.
Last month, the CFPB released its highly controversial final rule to impose regulations on the small-dollar lending industry. The rule will not only deny people access to small-dollar loans — a vital source of credit that millions of individuals rely on to manage unexpected expenses — but goes a step further. The rule would also create new mechanisms known as “Registered Information Systems” for consumer data collection by requiring small-dollar non-bank lenders to report personal financial data about their customers to credit bureaus like Equifax or to entities less sophisticated than Equifax. Since many lenders in this space do not currently report information to credit bureaus, these new and untested systems could potentially put consumers at risk of yet another data breach, making it even more difficult for them to access credit.
In fact, CFPB officials met with Equifax leaders in May to discuss the bureau’s small-dollar rule and solicit the company’s input on how to best configure these Registered Information Systems to handle all newly acquired consumer data. In the meeting, the CFPB and Equifax discussed topics such as information sharing, data standards and building information systems. The fact that the bureau relied on input from Equifax to craft its final rule is outright dangerous and irresponsible. Following the company’s massive data breach, any input from Equifax is seriously tainted.
Small-dollar loan customers also recognize the dangers of giving away their personal financial information and spoke out against this part of CFPB’s rule. One customer said, “I’m worried about hackers stealing all my information” while another customer explained, “I do not see the point of providing so much information just to get a payday loan. If a hacker takes the information I have provided, I could be in a lot of trouble.” Yet another customer said, “I will be hesitant to get a payday loan if I have to give up so much personal information and this might result in missed payments. This is a better option, though, than getting my identity stolen.”
The CFPB already has serious vulnerabilities of its own when it comes to cybersecurity, which should make the consumer data requirement of the rule particularly concerning to lawmakers and consumer advocates. In May, a Federal Reserve inspector general report found that the CFPB’s website has several control deficiencies that could cause its systems to be compromised. The report specifically noted the “deficiencies have to do with configuration management, system and information integrity, and contingency planning” and “if not addressed, these deficiencies could adversely affect the confidentiality, integrity, and availability of consumerfinance.gov and the information it contains.” Under the small-dollar loan rule, the CFPB would be responsible for disclosing these new Registered Information Systems to the public, but it is unclear how much more oversight the bureau will have with regard to this new consumer financial data. This question must be answered at once considering the CFPB’s severe data security deficiencies.
The CFPB’s own online and data security vulnerabilities are only one example of the federal government’s data and cybersecurity weaknesses. In past years, many government agencies have experienced data breaches — most recently the Securities and Exchange Commission earlier this month. In 2016, the Internal Revenue Service was breached as hackers stole more than 700,000 Social Security numbers and other sensitive information. In 2015, the Office of Personnel Management was hacked and more than 20 million personnel files were stolen. The Department of Defense was also hacked in 2015, which is an especially troubling fact considering the Pentagon employs some of the most advanced security systems in the world. This underscores how dangerous it is to have the government oversee the creation of even more consumer financial databases containing sensitive information — particularly under the auspices of an agency under security scrutiny such as the CFPB.
The recent Equifax debacle has shown that corporate America and the private sector still struggle to properly safeguard personal financial data from nefarious actors like hackers, and the Equifax data breach has likely shattered any remaining trust between consumers and the companies that hold their personal financial data. When it comes to data security, however, the government has proven to be even less effective than the private sector.
In a world where hackers are just the click of a button away from obtaining our personal financial information, we must examine any data collection proposal from a company or the government through the lens of information security and the potential risks to consumers. This should give all parties serious pause and make the bureau rethink its rule, which could end up doing even more financial harm to consumers. Should the CFPB fail to address this issue, Congress must immediately act before any more consumers are harmed. In short, don’t “Equifax” our customers.
• Dennis Shaul is the chief executive of the Community Financial Services Association of America.