You gotta love government agencies. They lash out when private businesses hurt consumers and yet evidence always seems to surface that they do the exact same thing, sometimes even worse.

Take the Consumer Financial Protection Bureau (CFPB), an agency not many know about. Dodd-Frank birthed this agency as a way to protect consumers from another financial crisis. Its webpage claims that it “makes sure banks, lenders, and other financial companies treat you fairly.”

Officials at the CFPB are upset over the Equifax breach that exposed the personal information of almost 150 million Americans. But, the CFPB has been collecting American’s personal information without takings steps to secure said information for years.

History

The CFPB came about in July 2011 in response to the financial crisis in 2007-2008. Then-Harvard Law School professor Elizabeth Warren, now senator for Massachusetts, suggested the formation of the CFPB in 2007. President Barack Obama did not nominate her as director, but appointed her as Assistant to the President and Special Advisor to the Secretary of Treasury on the CFPB.

The main purpose of the CFPB is to protect consumers in the financial sector, which includes banks, credit unions, mortgages, and debt collectors. The website states:

We aim to make consumer financial markets work for consumers, responsible providers, and the economy as a whole. We protect consumers from unfair, deceptive, or abusive practices and take action against companies that break the law. We arm people with the information, steps, and tools that they need to make smart financial decisions.

In a market that works, the prices, risks, and terms of the deal are clear upfront so that consumers can understand their options and comparison shop. Companies all play by the same consumer protection rules and compete fairly on providing quality and service.

Important note: This agency acts on its own and has no authorization from Congress.

Equifax Leak

In early September, major national credit-reporting company Equifax revealed that a cyberattack from July exposed the personal information of half of America’s population. The company has information on 821 million consumers and 91 million businesses, making it popular for hackers.

Starting in mid-May, cyber terrorists targeted a weak spot in Equifax’s website software. This allowed them to access birth names, birthdays, addresses, credit card numbers, and Social Security numbers. The breach also took “documents with personal information used in disputes for 182,000 people.”

With this information, the criminals “can impersonate people with lenders, creditors and service providers.”

The breach has led to an investigation into possible insider trading. Equifax learned of the breach on July 29 and three top executives sold off shares for a total of $1.8 million. The company did not reveal the leak until September. Since the revelation, Equifax stocks have fallen over 30% and the CEO resigned.

CFPB Response

Equifax has apologized, but CFBP Director Richard Cordray told CNBC that these companies have to welcome in a “new regime” and regulators to make sure this won’t happen again:

“If they’re going to restore public confidence in this marketplace, and if they’re going to create the kind of reforms necessary, they’re going to have to recognize the old days of just doing what they want, being subject to lawsuits now and then, are over,” he said. “There has to be a scheme of preventive monitoring in place. They’re going to have to accept that, they’re going to welcome that, they’re going to have to be very forthcoming.”

He continued:

“We’re going to have monitoring in place that’s preventive. It’s going to be a different regime than we’re used to,” he said. “In the past they dealt with these problems on their own. They did the best they could. … That’s not good enough.”

He said the CFPB will be working with Congress on measures to shore up the way data is handled and how companies react to breaches.

THE HYPOCRISY

That all sounds fine and dandy, right? But someone needs to hand the CFPB a mirror when the company speaks about data collection and privacy.

Back in 2014, the Financial Services Oversight and Investigations Subcommittee held a hearing over CFPB practices that gather American consumers information and is not all that secure:

“Not a day goes by that Americans are not made aware of yet another breach of sensitive information. Whether it’s the public or private sector, vast collections of personal consumer data are a prime target for cyberattacks. Aside from the fact that the CFPB does not need to be collecting this vast amount of information to carry out its regulatory mission, it’s troubling that it has not taken more appropriate steps to secure this data. In fact, before this Committee just last year, CFPB Director Cordray said that he could not rule out the potential for a data breach at the Bureau,” said Subcommittee Chairman Sean Duffy (R-WI).

“We don’t know – and the American people don’t know – how much personally identifiable information the CFPB retains, how that data is protected and what the Bureau plans to do with all that data,” Chairman Duffy added.

Fast forward three years and the CFPB has not improved its practices. Iain Murray at the Competitive Enterprise Institute (CEI), a non-profit organization that promotes economic freedom, released a report this week for the case against the CFPB.

The CFPB has criticized Equifax for not protecting consumer information, but Murray’s report found that the agency has continued to gather private and sensitive information about Americans. The report found that the CFPB “gathers information on virtually every aspect of Americans’ financial affairs.” Murray continued:

By claiming it needs this voluminous data to research patterns of behavior in consumer financial transactions, the agency is putting Americans’ financial information at risk. The Government Accountability Office (GAO) has criticized the CFPB’s security practices in relation to this data because it had not “fully implemented a number of privacy control steps and information security practices.” The GAO noted that “CFPB lacks written procedures and comprehensive documentation for a number of processes, including data intake and information security risk assessments,” and that the Office of Management and Budget had concerns about the Bureau’s compliance with Paperwork Reduction Act requirements in relation to the millions of credit card accounts on which it collects data. The GAO concluded these difficulties “could hamper the agency’s ability to identify and monitor privacy risks and protect consumer financial data.”

Here is the table from Murray’s report:

https://cei.org/sites/default/files/Iain%20Murray%20-%20The%20Case%20against%20the%20Consumer%20Financial%20Protection%20Bureau.pdf

Get this. The CFPB has developed more rules to collect MORE information on people. From KQED:

Banks could be forced to collect and report data on the small-business loans they approve and reject — including the ethnicity and gender of the business owners — under new rules being crafted by a federal consumer protection agency. Economists and regulators say the data could help identify whether lenders discriminate against minority- or women-owned businesses.

The American Bankers Association and other organizations representing lenders oppose the CFPB’s steps. The ABA has asked Congress to repeal this provision of Dodd-Frank, arguing the data collection is misguided and could end up reducing access to small-business loans.

“The considerable burdens associated with this data collection and reporting regime would add significant costs and unnecessary red tape to small-business lending, discouraging a primary engine for economic growth,” said one letter the ABA recently submitted to Congress.

Carrie Lukas at National Review Online noted that this new rule means that the federal government will possess “a huge database of financial information on this class of borrowers – who are disproportionally minority and lower-income.” With more information, hackers will be enticed to take this information.

It’s awful for these private companies to store a consumer’s private and sensitive information in an insecure way. But the federal government? They can do what they want.