[House Hearing, 113 Congress]
[From the U.S. Government Publishing Office]
EXAMINING HOW THE CONSUMER FINANCIAL
PROTECTION BUREAU COLLECTS AND
USES CONSUMER DATA
=======================================================================
HEARING
BEFORE THE
SUBCOMMITTEE ON FINANCIAL INSTITUTIONS
AND CONSUMER CREDIT
OF THE
COMMITTEE ON FINANCIAL SERVICES
U.S. HOUSE OF REPRESENTATIVES
ONE HUNDRED THIRTEENTH CONGRESS
FIRST SESSION
__________
JULY 9, 2013
__________
Printed for the use of the Committee on Financial Services
Serial No. 113-36
U.S. GOVERNMENT PRINTING OFFICE
82-858 PDF WASHINGTON : 2014
HOUSE COMMITTEE ON FINANCIAL SERVICES
JEB HENSARLING, Texas, Chairman
GARY G. MILLER, California, Vice Chairman
SPENCER BACHUS, Alabama, Chairman Emeritus
PETER T. KING, New York
EDWARD R. ROYCE, California
FRANK D. LUCAS, Oklahoma
SHELLEY MOORE CAPITO, West Virginia
SCOTT GARRETT, New Jersey
RANDY NEUGEBAUER, Texas
PATRICK T. McHENRY, North Carolina
JOHN CAMPBELL, California
MICHELE BACHMANN, Minnesota
KEVIN McCARTHY, California
STEVAN PEARCE, New Mexico
BILL POSEY, Florida
MICHAEL G. FITZPATRICK, Pennsylvania
LYNN A. WESTMORELAND, Georgia
BLAINE LUETKEMEYER, Missouri
BILL HUIZENGA, Michigan
SEAN P. DUFFY, Wisconsin
ROBERT HURT, Virginia
MICHAEL G. GRIMM, New York
STEVE STIVERS, Ohio
STEPHEN LEE FINCHER, Tennessee
MARLIN A. STUTZMAN, Indiana
MICK MULVANEY, South Carolina
RANDY HULTGREN, Illinois
DENNIS A. ROSS, Florida
ROBERT PITTENGER, North Carolina
ANN WAGNER, Missouri
ANDY BARR, Kentucky
TOM COTTON, Arkansas
KEITH J. ROTHFUS, Pennsylvania

MAXINE WATERS, California, Ranking Member
CAROLYN B. MALONEY, New York
NYDIA M. VELAZQUEZ, New York
MELVIN L. WATT, North Carolina
BRAD SHERMAN, California
GREGORY W. MEEKS, New York
MICHAEL E. CAPUANO, Massachusetts
RUBEN HINOJOSA, Texas
WM. LACY CLAY, Missouri
CAROLYN McCARTHY, New York
STEPHEN F. LYNCH, Massachusetts
DAVID SCOTT, Georgia
AL GREEN, Texas
EMANUEL CLEAVER, Missouri
GWEN MOORE, Wisconsin
KEITH ELLISON, Minnesota
ED PERLMUTTER, Colorado
JAMES A. HIMES, Connecticut
GARY C. PETERS, Michigan
JOHN C. CARNEY, Jr., Delaware
TERRI A. SEWELL, Alabama
BILL FOSTER, Illinois
DANIEL T. KILDEE, Michigan
PATRICK MURPHY, Florida
JOHN K. DELANEY, Maryland
KYRSTEN SINEMA, Arizona
JOYCE BEATTY, Ohio
DENNY HECK, Washington

Shannon McGahn, Staff Director
James H. Clinger, Chief Counsel
Subcommittee on Financial Institutions and Consumer Credit
SHELLEY MOORE CAPITO, West Virginia, Chairman
SEAN P. DUFFY, Wisconsin, Vice Chairman
SPENCER BACHUS, Alabama
GARY G. MILLER, California
PATRICK T. McHENRY, North Carolina
JOHN CAMPBELL, California
KEVIN McCARTHY, California
STEVAN PEARCE, New Mexico
BILL POSEY, Florida
MICHAEL G. FITZPATRICK, Pennsylvania
LYNN A. WESTMORELAND, Georgia
BLAINE LUETKEMEYER, Missouri
MARLIN A. STUTZMAN, Indiana
ROBERT PITTENGER, North Carolina
ANDY BARR, Kentucky
TOM COTTON, Arkansas

GREGORY W. MEEKS, New York, Ranking Member
CAROLYN B. MALONEY, New York
MELVIN L. WATT, North Carolina
RUBEN HINOJOSA, Texas
CAROLYN McCARTHY, New York
DAVID SCOTT, Georgia
AL GREEN, Texas
KEITH ELLISON, Minnesota
NYDIA M. VELAZQUEZ, New York
STEPHEN F. LYNCH, Massachusetts
MICHAEL E. CAPUANO, Massachusetts
PATRICK MURPHY, Florida
JOHN K. DELANEY, Maryland
DENNY HECK, Washington

C O N T E N T S
----------
Hearing held on:
    July 9, 2013
Appendix:
    July 9, 2013
WITNESSES
Tuesday, July 9, 2013
Antonakes, Steven L., Acting Deputy Director, Consumer Financial Protection Bureau (CFPB)
APPENDIX
Prepared statements:
    Antonakes, Steven L.
Additional Material Submitted for the Record
Capito, Hon. Shelley Moore:
    Written statement of the National Association of Federal Credit Unions (NAFCU)
Antonakes, Steven L.:
    Written responses to questions submitted by Representatives Capito, Duffy, Luetkemeyer, and Posey
    Additional information provided for the record in response to questions posed during the hearing by Representatives Capito, Maloney, Duffy, Luetkemeyer, Rothfus, Barr, and Westmoreland
EXAMINING HOW THE CONSUMER FINANCIAL
PROTECTION BUREAU COLLECTS AND
USES CONSUMER DATA
----------
Tuesday, July 9, 2013
U.S. House of Representatives,
Subcommittee on Financial Institutions
and Consumer Credit,
Committee on Financial Services,
Washington, D.C.
The subcommittee met, pursuant to notice, at 10:04 a.m., in
room 2128, Rayburn House Office Building, Hon. Shelley Moore
Capito [chairwoman of the subcommittee] presiding.
Members present: Representatives Capito, Duffy, McHenry,
Pearce, Posey, Fitzpatrick, Westmoreland, Luetkemeyer,
Stutzman, Pittenger, Barr, Cotton, Rothfus; Maloney, Scott,
Velazquez, Lynch, and Heck.
Ex officio present: Representatives Hensarling and Waters.
Chairwoman Capito. The subcommittee will come to order.
Without objection, the Chair is authorized to declare a recess
of the subcommittee at any time. I don't think that is going to
be necessary.
We are here this morning to learn about the Consumer
Financial Protection Bureau's (CFPB's) collection and use of
consumers' personal financial data. Unfortunately, the fact
that we need today's hearing is an important indication of how
little meaningful information the CFPB has been providing to us
and to the public.
The American people have a right to know how a government
agency is collecting and using their personal financial data.
So far, the CFPB has declined to provide, I believe, concrete
answers to these questions, and I hope we get some of those
answers on record today.
This past April, Senator Crapo, the ranking member of the
Senate Banking Committee, highlighted the CFPB's decision to
not provide him with the specific number of consumer accounts
the agency is monitoring. Instead, we were forced to rely on
accounts from news media outlets which indicate that the number
of accounts may be as high as 10 million.
For an agency whose initial leader once touted that, "This
consumer bureau belongs to the public, and we are building it
right out in the open there for anyone to see," the refusal to
answer this simple question is troubling. Without definitive
answers to this and other basic questions, it is difficult for
consumers to determine how much of their financial data is
being aggregated by the CFPB.
It is critical, I believe, for American consumers to know
why a Federal agency is collecting their financial data and how
the CFPB is ensuring that data has the proper safeguards. Last
year, the GAO and the Federal Reserve's Inspector General found
serious deficiencies with the CFPB's systems and controls for
the data they and the outside entities they are contracting
with are collecting.
More recently, in March of this year, the Federal Reserve
IG issued a report with nine recommendations for the CFPB to
improve the consumer response system's security controls. I am
deeply troubled that not only do we not know how many consumer
data files the CFPB has collected, but also that outside
entities have expressed serious concerns about the ability of
the CFPB to safeguard this data.
I am also concerned about the use and storage of personally
identifiable information when collecting consumer data files.
Despite the clear intent of Congress that the CFPB should not
be collecting personally identifiable information, the CFPB did
acknowledge in the fall of 2012, in a system of records notice
that the agency will be collecting personally identifiable
information that will be held indefinitely to match data files
with other records in order to provide the CFPB with more
comprehensive data to analyze. Much like the earlier issues I
have highlighted, we simply do not know the extent to which the
CFPB is collecting, storing, or having outside contractors
collect and store consumers' personally identifiable
information.
American consumers want answers to these questions. It is
my hope that today's hearing will begin a more transparent
discussion of how the CFPB is collecting and using consumer
data. Many of us have feared that the CFPB would eventually
limit the ability of consumers to choose the financial product
that best suits their individual needs. However, the prospects
of the CFPB watching a consumer's every financial decision
could be troubling.
I now yield to Representative Maloney for the purpose of
making an opening statement.
Mrs. Maloney. Thank you, Chairwoman Capito, and welcome to
Mr. Antonakes, the Acting Deputy Director of the CFPB. Thank
you for being here.
I would like to remind my colleagues that it was
insufficient oversight of many financial institutions and the
lack of oversight of others that led to the financial crisis.
By all accounts, the data wasn't there to make good judgments
about what was happening to our economy. Data-driven decisions
are absolutely critical to making informed and intelligent
determinations about the impact of financial products and their
impact on consumers and the broader economy, and to improve the
supervision of financial institutions, including those firms
like debt collection companies and payday lenders that have
gone largely unregulated until now. We know that industry uses
data to make decisions and market products. The CFPB should use
and have access to the same information to protect the overall
economy and to protect consumers.
I would like to note that there have been no objections, to
my knowledge, to the CFPB's work from the privacy groups, those
groups whose goal is to protect the privacy of consumers. In
fact, I ask unanimous consent to place in the record a letter
from privacy and consumer groups in support of the CFPB's use
of data. It came in this morning, and it includes the Center
for Digital Democracy, Consumer Action, the Consumer Federation
of America, the Consumer Watchdog, Privacy Rights Clearinghouse,
Privacy Times, and USPIRG. They are supporting the use of data
and the collection of it.
And may I place this in the record, Madam Chairwoman?
Chairwoman Capito. Without objection, it is so ordered.
Mrs. Maloney. Thank you so much. And I think that it is
important that we are having this hearing, because it allows
the committee to examine how the CFPB is carrying out both its
mandate to protect a data-driven agency and its mandate to
protect the privacy of consumers and the confidentiality of the
information that it collects.
The more data the Bureau has, the better informed it is
when it writes rules. We also, however, have to ensure that the
privacy of consumers is properly protected. The key will be
striking the right balance between the need for sufficient data
and the need to protect consumers' privacy.
The Bureau has done a good job so far in using data
analysis to protect consumers and to inform policymakers. For
example, in April CFPB Director Cordray--the Bureau needed the
authority to collect and analyze data to publish its report on
the effects of the CARD Act, a bill that I authored and that I
am very close to. And I was very, very encouraged when the
Bureau found that the CARD Act has delivered significant
benefits to consumers. That is important. This kind of
information is helpful for policymakers, because now we know
which approaches to regulation work and which approaches don't
work.
Turning to its second mandate, it is important to remember
that when Congress authorized the CFPB to collect data in
Dodd-Frank, it included numerous safeguards designed to protect
consumers' personal privacy and to prevent the misuse of
confidential information. For example, while the Bureau has the
authority to collect data to inform its rule-writing, Congress
specifically prohibited the Bureau from collecting data for the
purpose of analyzing personally identifiable financial
information.
In fact, it is my understanding that the information and
who the person is, is completely divided so that you can't even
get at that kind of information without going to a second step.
Congress required the Bureau to establish and comply with
separate rules regarding the confidential treatment of personal
information that it collects. Even when the Bureau is sharing
information with its fellow bank regulators, Congress specified
that the Bureau can only do this, "subject to the standards
applicable to Federal agencies for protection of the
confidentiality of personally identifiable information."
Not only do other banking regulators often purchase data
from the same outside vendors as the CFPB, but other banking
regulators also collect far more data from financial
institutions than the CFPB does. For instance, in order to
prepare the annual stress tests for the largest banks, the
Federal Reserve requires these banks to hand over significantly
more information than they have to submit to the CFPB.
When the Bureau purchases data from outside vendors or
collects it directly from financial institutions, the Bureau
rigorously follows its privacy and confidentiality mandate. And
that is very important.
Finally, I would like to point out that despite all the
talk about the CFPB allegedly being unaccountable, this is the
38th time that a CFPB official has testified before Congress,
and we welcome him, and I look forward to his testimony.
And I yield back. Thank you.
Chairwoman Capito. Thank you. Mr. Duffy for 2 minutes.
Mr. Duffy. Firstly, I thank the chairwoman for holding this
very important hearing. I think it is important that America
knows the kind of information the CFPB is collecting on them.
Some of my friends across the aisle will say that the more
data that the Bureau has, the more data that our government has
on American citizens, the better off we are, the safer we are.
But if you look at the past several months, Americans have
found out far more information about what their government is
doing in regard to collecting information on them, whether it
is the NSA or the IRS.
Many of my constituents are concerned that our government
has their health records, their phone records, their Internet
records, their e-mails, and now the CFPB is monitoring their
financial records. And we have a concern about our
constituents' right to privacy in regard to the information
that the CFPB or others collect in regard to their very private
financial transactions.
My concern here is that much of the information that we
received about your data collection or your monitoring of
financial information has come from news reports or from
Freedom Watch's requirement for freedom of information. And our
concern is that you have been less than forthright about
saying, "This is what we are collecting, this is who we are
collecting it from, this is how long we are keeping it, and
this is what we are using it for."
Frankly, there has been a veil of secrecy around the
collection of data at a time when the agency, as it is ramping
up, has made a pledge to Congress and to the American people to
be open and transparent. I believe that the agency or the
Bureau should lead by example.
If you want to collect information about Americans'
financial transactions, if you want to monitor their financial
transactions, you should make a request to them, ask for their
permission to collect that data, but you shouldn't collect it
without their permission. I yield back.
Chairwoman Capito. Mr. Scott for 3 minutes.
Mr. Scott. Thank you very much, Madam Chairwoman.
This is a very timely hearing. The Nation's attention is
riveted on this whole issue of monitoring and surveillance. And
I think it is very important that we have a very clear
explanation, a clear understanding from the CFPB, and answer
each of these charges--and they are charges coming from the
other side. And this is healthy. This is what American
democracy is all about.
Let me just remind everyone why we have the CFPB. The CFPB
was put in the Dodd-Frank Act to protect consumers. You cannot
protect consumers without the capacity of gathering
information. If you limit that capacity of the CFPB, it is sort
of like cutting the legs out from under them and then
condemning them for being a cripple.
This is an opportunity for us to let our light shine in
this Financial Services Committee and get down to the truth of
the matter. And I urge my colleagues on the other side to not
use this in scoring political points for one side or the other,
but let's score some points for the American people and let us
shed some light on the fact that this CFPB needs to be able to
gather information and data to protect our public from
unscrupulous lenders, and to help make sure we stabilize our
financial system.
And the other matter is to deal with how we deal with the
reach of the data information overseas. We are no longer just
here in the United States. Our economy is worldwide. How do we
interface the collection of our data and information in that
way?
I think, to Chairwoman Capito's concerns--which are
legitimate, and I am glad that she and a couple of my
colleagues brought it up--about this personal identification of
information, let me make clear that at the very beginning, in
Dodd-Frank, the law which created this, it totally forbids the
collection of any data that can be personally identified by
name, or by Social Security number. All of that is spelled out.
It is there. They only have the same charge that our other
regulators have, the Fed and others. And we are not talking
about that.
So I just want to make sure we understand that we have some
serious, serious questions to ask here. I want to take the
opportunity to do so. And I do understand the concerns of the
other side, and I respect them, and I think there are
legitimate points that we have to make sure we get an answer
to, from you, Mr. Antonakes.
Thank you.
Chairwoman Capito. Mr. Pittenger for 1 1/2 minutes.
Mr. Pittenger. Thank you, Madam Chairwoman. Thank you for
yielding me the time to address this vital issue regarding
methods of data collection of the CFPB.
The privacy of American citizens, whom we all have the
responsibility of representing, is at stake. Over the past
several years, we have learned how the IRS targeted
conservative groups during the last Presidential election. We
have seen the Department of Justice attack reporters for
upholding the First Amendment and how one individual can
inflict immense damage on our national security apparatus with
NSA data. And now we observe how the CFPB is monitoring and
collecting data on millions of Americans with the use of their
credit cards, mortgages, and their checking accounts.
The recent Bloomberg articles from this past April state
how the CFPB has already targeted at least 10 million Americans
in their quest for this private information. The CFPB is
obtaining this information in two different ways: by putting
pressure on banks under certain Dodd-Frank provisions; and by
acquiring it from outside sources. In the wake of what has
happened in the IRS and the Department of Justice, the CFPB
should exercise extreme restraint with their enormous power.
The American people are very hesitant with government
overreach, and these new policies could easily fall into the
same abusive actions as other Federal agencies.
The questions being addressed here today go to the heart of
American liberty and freedom. And I do look forward to the
answers. Thank you.
Chairwoman Capito. Thank you.
I would like to yield 2 1/2 minutes to the ranking member
of the full Financial Services Committee, Ms. Waters from
California.
Ms. Waters. Thank you very much.
The Consumer Financial Protection Bureau fully opened its
doors on July 21, 2011. Today, it is just shy of 2 years old.
In the months before the agency officially opened, members of
the transition team testified before Congress 7 times. As it
was a young agency being built from the ground up, that may
have been necessary. In addition to the 7 times the CFPB has
been called to Congress to testify prior to its opening in July
2011, CFPB officials have been called up to testify in Congress
31 times, more than once a month.
During that time, Director Cordray's nomination has been
held up by a Senate minority who claims they want to improve an
agency whose creation most of them never supported in the first
place. Now, it makes good sense for Congress to perform
oversight of government agencies, but at some point, it may be
appropriate to consider whether oversight has become a disguise
for harassment.
However, in the last 2 years, when the CFPB has not been
sitting in a committee room, they have been hard at work. In
addition to setting up a brand-new agency, the first of its
kind, and issuing regulations that are directed by the
Dodd-Frank Act, they have been tirelessly enforcing the laws
Congress passed to protect consumers. The CFPB has recovered
over $400 million for 6 million American consumers who were the
victims of predatory financial practices.
Today, the committee has gathered to talk about the CFPB's
data collection practices. We share your concern that this data
be treated carefully by regulators, credit-reporting bureaus,
data aggregators, and financial services providers to protect
the privacy of consumers. We would note that Section 1022 of
the Dodd-Frank Act specifically bars the CFPB from gathering or
analyzing personally identifiable financial information of
consumers.
It is clear that the CFPB has a duty to protect not just
the consumers' choices, but also their privacy. It is unclear
to me if any legitimate consumer or privacy advocates have
raised concerns about the CFPB's data collection practices thus
far. However, it is clear that access to this data is vital to
the CFPB's mission of protecting consumers.
If we are going to expect the CFPB to create a level
playing field for consumers, they are going to need to have at
least the same level of access to information about consumers
as the largest banks and financial services providers have.
That same data will also allow them to emulate other
regulators, like the FDIC and the Fed, which provide markets
with important consumer banking data and will be a tool for
identifying bad lending practices before another crisis
happens.
I strongly support the Consumer Financial Protection Bureau
and think they have been doing an excellent job on behalf of
the consumers. And I look forward to the witness' testimony. I
yield back the balance of my time.
Chairwoman Capito. Thank you. Mr. Fitzpatrick for 1 1/2
minutes.
Mr. Fitzpatrick. Thank you, Madam Chairwoman.
Today's hearing is, I think, very timely. Events in the
news have focused the American people's attention on the very
important subject of privacy and government surveillance. Data
collection and research is not a bad thing. In fact, it is the
sort of diligence that we would expect of our regulators.
However, just because a government agency has good
intentions or a benevolent-sounding name doesn't mean Congress
should just look the other way while tens of millions of
Americans are having their financial history gathered up and
stored.
Just as the Dodd-Frank Act gave the CFPB the authority that
it is now exercising to collect this data, the law also put
some very specific constraints on this activity. Recent stories
involving the NSA have demonstrated that the American people
and Members of Congress have every reason to be suspicious of
so-called metadata gathering, and any analysis of that.
We don't just need assurances that there is nothing
potentially harmful or invasive going on. We need maximum
transparency to ensure it beyond any doubt. The CFPB must do
more in this regard.
The right to privacy is not an inconvenient matter that can
just be swept aside when it hinders government investigations.
It is a constitutional right that deserves the highest levels
of protection. Privacy and freedom from unwarranted
surveillance are fundamental to our individual liberties, and
we cannot allow any trespass on these hard-fought principles,
so I appreciate the chairwoman's work on this matter, and I
look forward to the hearing.
Chairwoman Capito. Thank you.
Our final opening statement will be from Mr. Luetkemeyer
for 1 1/2 minutes.
Mr. Luetkemeyer. Thank you, Madam Chairwoman.
For the past several months, American citizens have been
made aware that the IRS has targeted specific organizations
based on political activities. We have witnessed a significant
leak from a private contractor who exposed classified and
protected documentation showing a broad abuse of current law.
We continue to see the potential for personal information to be
misused and compromised by the government.
And now we learn that the CFPB, an agency that has always
touted itself as being transparent, could be collecting and
storing individualized information on potentially millions of
Americans.
Despite the self-professed claims of transparency and
consumer protection, the CFPB has proven to be unwilling to
show how much individual data it is collecting, the level of
detail of the information it is collecting, the number of
people who have access to this data, or which foreign nations
may have access to the information.
The simple fact of the matter is that the CFPB could very
well be jeopardizing consumer protection instead of ensuring
it. It is time for the CFPB to answer questions and allow for
the transparency it claims to value as an organization. I look
forward to learning more about the activities of the CFPB, and
I hope that our witnesses will be forthcoming and affirmative.
With that, Madam Chairwoman, I yield back.
Chairwoman Capito. The gentleman yields back.
I would like to introduce Mr. Lynch for the purpose of
making an introduction.
Mr. Lynch. Thank you, Madam Chairwoman. I appreciate the
courtesy. And I thank the ranking member, as well.
I would like to take this opportunity to welcome--on behalf
of Mr. Capuano and I; Mr. Capuano is the senior Member of the
Massachusetts delegation on this committee, and he is in
another hearing--Mr. Steve Antonakes, who is an over-20-year
employee of the Division of Banking in Massachusetts. He spent
almost 8 years as the head of our banking division in
Massachusetts. As you know, in Massachusetts we have a long and
strong tradition of banking regulation that is vigilant in the
protection of consumers, while fostering competitive financial
markets. So, Steve, thank you for coming to the committee and
helping us with our work. And I look forward to your testimony.
And again, Madam Chairwoman, I thank you for the courtesy.
I yield back.
Chairwoman Capito. Thank you.
I would like to welcome our witness, Mr. Steven L.
Antonakes, who is the Acting Deputy Director of the CFPB. Mr.
Antonakes, you are recognized for a 5-minute statement. Thank
you.
STATEMENT OF STEVEN L. ANTONAKES, ACTING DEPUTY DIRECTOR,
CONSUMER FINANCIAL PROTECTION BUREAU (CFPB)
Mr. Antonakes. Great. Thank you. Good morning.
Chairwoman Capito, Ranking Member Waters, Ranking Member
Maloney, and members of the subcommittee, thank you for the
opportunity to testify today about the fundamental importance
of data analysis to the Consumer Financial Protection Bureau's
mission to protect consumers. My name is Steven Antonakes, and
I serve as the Acting Deputy Director for the Bureau.
The Bureau is a data-driven agency, because Congress
recognized that the Bureau cannot do its job of protecting
consumers and honest businesses unless it understands the
consumer financial markets it oversees. The Dodd-Frank Act
specifically directs the Bureau to gather market information
pursuant to a variety of authorities and through multiple
sources. Like other financial service regulators, the Bureau
only effectively supervises markets which it understands.
As required by Dodd-Frank, data analysis enables the Bureau
to not only better protect and educate consumers, but it also
enables the Bureau to coordinate with other regulators and
craft tailored rules based on a careful examination of costs
and benefits. The Bureau's evaluation of this data also allows
it to provide meaningful reports, as required by Congress, and
to perform its consumer response function.
In Fiscal Year 2012, the Bureau spent $7 million on
obtaining data to support its mission. To place this into
context, that comprised 2.4 percent of the Bureau's total
budget. To date, the Bureau's Fiscal Year 2013 data
procurements total $3 million, or 0.6 percent of the total
budget. The Bureau makes every effort to collect market data in
an efficient manner with an eye towards reducing the burden and
cost on industry. The Bureau also makes every effort to
safeguard and protect information that it does obtain.
The Bureau collects and studies data to protect consumers
throughout the United States in accordance with its statutory
mandate, not to study any particular individuals. In an effort
to minimize cost and burden on financial institutions, the
Bureau relies on information it already has or that other
regulators share. This practice is not only efficient, but also
saves industry from providing the same information on multiple
occasions.
We may also acquire data from third parties and have
already collected and compiled information.
There were also instances where market participants and
individuals voluntarily submit data. For example, the Bureau
has successfully tackled some of the unique problems facing
military consumers based on data submitted to our consumer
response office. The Bureau has helped servicemembers resolve
issues with mortgage servicers about permanent change of
station orders and issued a report detailing the types of
consumer financial hurdles servicemembers and their families
experience.
The Bureau is also committed to ensuring protection for
consumers' personal privacy. In the very limited cases where
the Bureau obtains personally identifiable information, it
stores and protects that information, along with other
confidential information and data, according to information
security requirements that comply with applicable Federal laws
and regulations. The Bureau publishes a privacy policy on its
Web site that sets forth privacy principles and steps that it
takes to protect consumers' personal privacy.
We at the Bureau are committed to delivering tangible value
to American consumers. With that in mind, I would like to share
some Bureau accomplishments where data has impacted our work
and benefited consumers.
$6.5 million: the amount returned to servicemembers who
participated in the Military Installment Loan Educational
Services (MILES) auto loan program and were misled about the
fees they were charged and the true cost of their auto loans.
50,000: the number of servicemembers who will get money
back as a result of the Bureau's supervisory and enforcement
review of the MILES program.
$432 million: the amount of money being refunded through
Bureau enforcement actions to consumers who have been subjected
to deceptive practices.
6 million: the number of consumers receiving refunds
because of 2012 Bureau enforcement actions.
More than 150,000: the number of complaints the Bureau has
handled from consumers in every State across the country since
the Bureau formally opened its doors in July 2011.
28,000: the number of responses from experts and
individuals impacted by student debt. This information enabled
the report on student loan affordability.
And 644: the number of colleges voluntarily adopting the
financial aid shopping sheet developed by the Bureau and the
United States Department of Education.
Chairwoman Capito, Ranking Member Maloney, Ranking Member
Waters, and members of the subcommittee, thank you for the
opportunity to testify before you today. I will be happy to
answer your questions.
[The prepared statement of Mr. Antonakes can be found on
page 52 of the appendix.]
Chairwoman Capito. Thank you, Mr. Antonakes. I will now
recognize myself for 5 minutes for the purpose of beginning the
question-and-answer period.
In my opening statement, I asked for specific numbers on
how much data you are collecting and from how many individual
consumers. Can you give me some specifics on that? You gave me
a lot of numbers, but specifically on how many accounts you are
collecting and monitoring?
Mr. Antonakes. Thank you, Chairwoman Capito. The important
thing for us is the data collection that we conduct serves the
primary mission of the Bureau, and that is to protect
consumers.
Chairwoman Capito. Right, so how many--
Mr. Antonakes. The vast majority of data that we collect is
anonymized and does not include personally identifiable
information. And that goes for all the data that we purchase
and data that--
Chairwoman Capito. And for how many accounts is that? How
many accounts is that? If it doesn't have any personally
identifiable information, what is the number? That is what I am
trying to get.
Mr. Antonakes. I don't have the exact number. We will be
happy to follow up with you on what the number is, but we do
look at a substantial amount of data in order to understand the
markets and determine where risks may lie.
Chairwoman Capito. Right, so--
Mr. Antonakes. The only instances in which we will take in
personally identifiable information would come through one of
two channels. The first would be when consumers affirmatively
reach out to us through our Consumer Response hotline and are
seeking our help in resolving a complaint. The only other
circumstance is when we are using our supervisory tool,
conducting examinations of the banks, the credit unions, and
the nonbanks under our jurisdiction. The Bureau conducts
examinations in the same fashion that all of the prudential
regulators and State regulators do.
And in that instance, that work is what has resulted in our
ability to refund significant amounts of monies to consumers.
We are seeking data to understand markets and to protect
consumers.
Chairwoman Capito. Right.
Mr. Antonakes. We are not seeking data to monitor
individual Americans.
Chairwoman Capito. Okay. So in your strategic plan, you
mentioned that you were going to maintain a credit card
database covering 80 percent of the credit card market,
correct? That is in your statement.
Mr. Antonakes. Correct, yes.
Chairwoman Capito. And so that would be over 900 million
accounts. It seems to me, if you are looking for trend lines,
80 percent--I took statistics when I was in school 150 years
ago--you don't need 80 percent of the market to figure out what
the trend lines are.
Let me ask you this. You mentioned, too, $7 million for
obtaining data. This year, $3 million for obtaining data. Is
that the amount of money that the CFPB has paid to private
contractors for obtaining financial data?
Mr. Antonakes. I believe that to be correct, yes.
Chairwoman Capito. That is correct?
Mr. Antonakes. I believe that to be correct, yes.
Chairwoman Capito. Okay. What kind of proper background
investigations do these private contractors have to be able to
handle--we have already learned about somebody taking a thumb
drive in and exposing national security secrets. What kind of
precautions do you require for your private contractors?
Mr. Antonakes. We do vet the contractors. Moreover, it is
written into our contracts that they have to abide by the
Privacy Act and comply with all of the laws. They also have the
safeguards that we would have if we were collecting that data
on our own behalf.
Chairwoman Capito. And then you mentioned, too, that you
data share with the other regulators so you are not duplicating
this. Can you tell me, from an institutional standpoint, we
have heard anecdotally about a lot of institutions which are
having to data dump to everybody and they are wondering what
happens with all this data. So you are telling me that all the
repetitiveness and redundancy is out of the system? That is not
what we are hearing anecdotally from the institutions which are
regulated by you and others.
Mr. Antonakes. That is a great question. I think, in many
respects, it gets to the kind of new relationships we continue
to furnish with our sister regulatory agencies. We certainly
want to ensure that, to the extent we are both seeking
information, we are coordinating together. It is far better for
us to share that information directly with the Federal agencies
than to make a repetitive data request of a financial
institution.
Moreover, our examiners are instructed that if the
institution tells our examiners that they have already provided
very similar data to another agency, they should accept that
data in lieu of a second data request. If there is other data
that the institution has run for its own purposes, that would
essentially provide what we need, they should accept that.
Chairwoman Capito. So would you say that is more of a work
in progress, where the coordination--
Mr. Antonakes. I would say it is a transitional issue that
has gotten better over time and will continue to do so.
Chairwoman Capito. Okay. How long do you store data for
when you collect it, say, in 2013? How long does it stay a part
of the system? Is it in the cloud? Or where is this data?
Mr. Antonakes. We are in the process of developing and
getting approved, through the National Archives, our data
destruction schedules. They have not been approved as of yet.
We want to make sure that the data is appropriately safeguarded
and that we are taking it off our systems in appropriate
periods of time.
Chairwoman Capito. So basically what you are saying is that
you are still holding the data that you have originally
collected, because you don't have a data destruction plan,
correct?
Mr. Antonakes. That is correct.
Chairwoman Capito. Correct. All right.
Mrs. Maloney?
Mrs. Maloney. I thank the chairwoman. And I believe the
chairwoman raised some important points about, really,
coordinating with other agencies on what data is collected. In
preparing for this hearing, I was reading documents which said
that other agencies collect far more data than the CFPB does.
It would be interesting to see a breakdown of who is collecting
what, how it is being coordinated, and I would like to join the
gentlelady in the request to the GAO to do such a report. I
think it could be helpful in policy and going forward to see
who is collecting what data, how could they share it better,
streamline it, and I think that is something we could work on.
My colleague, Mr. Lynch, pointed out that you served under
Governor Romney as the superintendent of banks, and you also
served during the financial crisis of 2008. Could you comment
on your experiences? Did the State of Massachusetts have
sufficient data to help with this crisis, to help the
consumers, help the economy, help the State?
Mr. Antonakes. Thank you, Ranking Member Maloney. We did
have the advantage, as Congressman Lynch pointed out, of having
very strong consumer protection laws in Massachusetts. However,
we were significantly disadvantaged, in my mind, by the lack of
data that we had at our disposal. I think the financial crisis
somewhat brings that to light.
We were busy during that period of time implementing
previous State legislation on predatory lending, and adopting
regulations to deal with abuses that occurred in the refinance
market.
Mrs. Maloney. So I see that basically you could have
protected taxpayers' monies more if you had more data. Is that
a fair statement?
Mr. Antonakes. Yes, I think we were responding to the
earlier issue without the data to see that the abuses had
shifted to the purchased money markets.
Mrs. Maloney. Also in your testimony, you said that you
supervised--or your Bureau did--the return of $6.5 million to
servicemembers who had been harmed by unscrupulous lenders. Can
you talk a little bit more about this case and how the
collection of data enabled the Bureau to help nearly 50,000 men
and women in the armed services and the distinction of what you
said, farming data to come up with policies for credit cards
and overdraft, and how that is different from how you helped
these 50,000 servicemembers?
Mr. Antonakes. Certainly. So this case really stemmed from
two sources for us, complaints filed with our Consumer Response
division, as well as examination activity that we did: digging
into their records; digging into the files; and digging into
information that led us to conclude that unfair and deceptive
acts and practices had occurred. A number of servicemembers
were being charged more than was disclosed to them in their
automobile loans. Data also allowed us to identify those
servicemembers who would be reimbursed.
Mrs. Maloney. I believe that my colleagues on both sides of
the aisle have raised the importance of privacy. Not only do
you need the data, but we need to protect the privacy of
consumers. And, again, I refer to the letter that came in from
seven consumer groups saying that they applaud the efforts of
the Bureau in collecting this data and that these safeguards
are in place.
Because this is such an important issue, I would like to
request if we could do an on-site visit to the CFPB and see how
the data is secured, how it is done; seeing is believing. And I
think no matter how much that you tell us that it is secure and
the consumer is protected, I feel that this would be something
that could be helpful.
Do you think that would be beneficial? Could we do such a
visit, off-site visit?
Mr. Antonakes. We would be honored to welcome any members
of the committee or the Congress to come to our facilities.
Mrs. Maloney. I have no further questions. I yield back.
Chairwoman Capito. Thank you.
Mr. Duffy for 5 minutes.
Mr. Duffy. Thank you, Madam Chairwoman.
I want to follow up on a question from Chairwoman Capito in
regard to, how many Americans are you collecting data on? How
many Americans are you monitoring? You said you would get back
to the committee, but can you give us a range? Because we have
read reports that it is 10 million Americans who are being
monitored or have data being collected on them. What is the
range?
Mr. Antonakes. Congressman, we are not monitoring any
individual Americans. We are collecting broad data on markets
to understand how varied markets work.
The PII is constrained to the extent that we are fulfilling
our consumer response mandate, as well as our examination
mandate.
Mr. Duffy. I am asking you a question about a range, then,
of how many Americans have their data collected by the CFPB.
How many?
Mr. Antonakes. I can get back to you with precise numbers,
but, again, I feel--
Mr. Duffy. I am not asking you--
Mr. Antonakes. --the need to point out that we are
collecting broad data that is desensitized, does not include
specific information about Americans.
Mr. Duffy. I know. Reclaiming my time, I know that. But I
want a range of how many Americans have their data sampled or
collected by the CFPB. What is the range? Is it 10 million? Is
it more than 10 million, less than 10 million? What is it?
Mr. Antonakes. I can--
Mr. Duffy. You have to know a range.
Mr. Antonakes. I can--Congressman, I am happy to provide
you a granular breakdown of what that looks like. I don't have
that information in front of me at this moment. But, again, I
do think it bears repeating--
Mr. Duffy. But you don't--reclaiming my time--know a range
of the number of how many people have their data collected by
the CFPB? You don't know that range today?
Mr. Antonakes. I couldn't give you an accurate range.
Mr. Duffy. You couldn't. Okay. And what is your position,
again, at the CFPB?
Mr. Antonakes. I serve as both the Acting Deputy Director,
as well as the Associate Director for Supervision, Enforcement,
and Fair Lending.
Mr. Duffy. Don't you think that Americans would expect you
to know at least the range of how many citizens are having
their data collected by your agency? And you can't even give us
a range. Is it more than 10 million? Less than 10 million?
Mr. Antonakes. Congressman, the data collection activities
that occur at the Bureau virtually mirror the data collection
activities that occur at other prudential regulators. And,
again, our sole purpose here is not to study Americans--
Mr. Duffy. I will reclaim my time. I appreciate that you
can't give us a range.
In regard to the length of time in which you store the
data, you are working with the National Archives Records
Administration. Have you made a request for a length of time to
keep this financial data on Americans?
Mr. Antonakes. I believe there are a number of different
ranges based upon the types of information that we are
gathering.
Mr. Duffy. How long can you keep the data or is the request
to keep the data?
Mr. Antonakes. I will have to confirm this with you,
Congressman. I believe the request is 10 years.
Mr. Duffy. Ten years.
Mr. Antonakes. I believe so.
Mr. Duffy. A lot of us are involved in politics. And we see
a lot of polling, whether it is with regard to our own races,
other races, the President. It is sampling of data. Why can't
you sample data? Why are you collecting massive amounts of
financial data on Americans and potentially keeping it for
years, up to 10 years? Why don't you just sample data to
extract the information that you need to make good rules and
regulations?
Mr. Antonakes. I believe it is important for us to have
wholesome data to truly understand these financial
marketplaces. I also believe it is important to have the data
for a number of years so that you can do market analysis and
look at trends over a period of time. We are still learning, I
would say, in many respects, the impact on Americans of the
financial crisis.
Mr. Duffy. And I know that the Bureau has made a pledge to
be transparent and open. Will you commit to sending us all the
contracts that you engage in with third-party vendors? Will you
send those to us?
Mr. Antonakes. We are happy to provide the contract
information to you.
Mr. Duffy. Thank you. And I know that you send a request to
financial institutions to collect data from them, as well. Will
you share those letters with the committee that you send to
financial institutions requesting data from them?
Mr. Antonakes. To the extent that we are requesting data
from financial institutions, it is under our confidential
supervisory examination program.
Mr. Duffy. Let me read a quote to you, and tell me if you
know who said this: ``Transparency is at the core of our
agenda, and it is a key part of how we operate. You deserve to
know what the new Bureau is doing for the American public and
how we are doing it.'' Do you know who said that?
Mr. Antonakes. I am guessing perhaps it was either Director
Cordray or--
Mr. Duffy. Senator Warren.
Mr. Antonakes. --Senator Warren.
Mr. Duffy. Yes. So in that vein, why don't you share that
information with the American people? If you are taking data
from Americans, why don't you share the request for the data?
Mr. Antonakes. We don't share the request for the data to
the extent that we are doing it through our confidential
supervisory program because our mission there is solely to
protect consumers, and no other agency has to make that
request. To request that information during the course of an
examination--
Mr. Duffy. So reclaiming my time, in regard to protecting
Americans, I know you are not dealing with terrorists, like the
NSA. You are dealing with financial data. Don't you think it is
appropriate that you ask for permission and consent of
Americans before you take their data? Shouldn't you ask them
and get their permission?
Mr. Antonakes. I think, in the course of an examination,
which happens on a routine basis, if we were to ask, it could
conceivably cause reputational damage to the institutions that
we are examining.
Mr. Duffy. I yield back.
Chairwoman Capito. The gentleman's time has expired.
Ms. Waters for 5 minutes.
Ms. Waters. Thank you very much.
Congresswoman Maloney asked about your past experiences in
Massachusetts and whether or not you had been involved in data
collection and was it helpful to you as a State banking
regulator, I believe. Let me just ask, do banks and credit card
companies have access to this data?
Mr. Antonakes. Yes, they do.
Ms. Waters. What do they do with it?
Mr. Antonakes. They collect it on a regular basis. They use
it for marketing purposes, for benchmarking, and other internal
reviews of the efficiency and effectiveness of the products and
services that they offer.
Ms. Waters. And so if banks and credit card companies have
access to this data, is the suggestion here that the consumer
protection regulator should not have it? Is that what you are
being asked?
Mr. Antonakes. I am not sure what the motivation of the
question is, Ranking Member Waters. We believe we are seeking
only the information that industry has that will allow us to
conduct our job, to understand these markets, and understand
where risks lie for consumers.
Ms. Waters. Let me just ask, we have gone through a
financial crisis, starting in 2008, and this crisis, of course,
was created in the financial services community by many of the
initiators of mortgages, et cetera. Would it have been helpful
to have more data to be able to address this problem that we
were confronted with?
Mr. Antonakes. It certainly would have been helpful, yes.
Ms. Waters. And so, again, if the very agencies or
financial services agencies or companies--whatever you want to
call them--if they had access to this data and we don't, and
they created the problems that we face with the subprime
meltdown, doesn't that put us at a great disadvantage of trying
to do oversight and regulation?
Mr. Antonakes. Ranking Member, I believe regulators are at
a substantial disadvantage if they don't have the information
that regulated entities have, yes.
Ms. Waters. Thank you very much. I yield back the balance
of my time.
Chairwoman Capito. Thank you.
I would like to recognize Mr. McHenry for 5 minutes.
Mr. McHenry. Thank you, Madam Chairwoman.
The term, ``personally identifiable financial
information,'' has the CFPB defined the meaning of that?
Mr. Antonakes. So, Congressman, we would use the term that
I think is more broadly defined, in terms of information that
would allow you to identify the particular consumer.
Mr. McHenry. Is there--
Mr. Antonakes. We haven't created our own separate and
distinct definition, no.
Mr. McHenry. Okay, because in Dodd-Frank, there are two
provisions that limit the CFPB's authority to collect
personally identifiable financial information. So is it the
intent of the CFPB to perhaps have a rule defining that?
Mr. Antonakes. There are several provisions in Dodd-Frank
whereby we can collect information. There is one specific rule
relative to market monitoring that we have not utilized as of
yet. We also obtain data through the purchase of commercially
available information, through voluntary data, through publicly
available data such as the Census Bureau, through our
supervisory program, as well as through our consumer complaint
intake. Those are the means that we have used thus far to
collect this data.
Mr. McHenry. Yes, but, okay, so the PII, what is that? Can
you define that again? What does that stand for?
Mr. Antonakes. Personally identifying information.
Mr. McHenry. So that is very different than personally
identifiable financial information. Is it different than--
Mr. Antonakes. I don't believe it is, Congressman.
Mr. McHenry. Okay. You don't think it is different. So in
your contract here, you have--we have this document. Judicial
Watch got this from a Freedom of Information Act request that
some of the data will contain sensitive personally identifiable
information. So is the PII different than what is banned in
Dodd-Frank, which says the CFPB cannot get individual
Americans' data?
Mr. Antonakes. We don't believe that Dodd-Frank says we
can't collect PII.
Mr. McHenry. Okay, well, I will follow up on that. So you
don't have a rule. Do you have any intention of writing a rule
to define personally identifiable financial information?
Mr. Antonakes. We don't at this time, no.
Mr. McHenry. So you wouldn't have, perhaps, public input on
the meaning of that, to give some assurances that you are not
collecting individual data. So the personally identifiable
information, would that include a person's name?
Mr. Antonakes. Again, I would say, Congressman, it would
include a person's name.
Mr. McHenry. It would? Okay. Would it include a person's
identification number, like a Social Security number, maybe?
Mr. Antonakes. Again, it would depend on the context in
which the information was being collected. The definition of
PII would certainly include those things. It doesn't mean we
are necessarily collecting that type of information.
Mr. McHenry. Okay. What about an address? Would an address
be a part of that?
Mr. Antonakes. Would an address be considered PII?
Mr. McHenry. Yes.
Mr. Antonakes. Yes, sir.
Mr. McHenry. Okay. So you have a person's name, you have
the person's Social Security number, and address. What about
ZIP Code? Not to be redundant, but would that be a part of the
address?
Mr. Antonakes. It could be.
Mr. McHenry. Okay. So what about personal characteristics,
like fingerprints or pictures? Is that prevented or is that
included in the data?
Mr. Antonakes. That would be considered PII. We don't
collect that type of information.
Mr. McHenry. Okay, okay, so no pictures. That is good. No
fingerprints. What about property they own?
Mr. Antonakes. Again, Congressman, if we were doing an
examination and we were looking at compliance with mortgage
rules, during the course of an examination--
Mr. McHenry. So, yes, like--
Mr. Antonakes. --see the property during the course of an
exam.
Mr. McHenry. Yes, you would see the property, okay. What
about employment information?
Mr. Antonakes. Employment information? Again, perhaps
during the course of reviewing a mortgage loan, conceivably.
Mr. McHenry. Okay. What about medical information?
Mr. Antonakes. No, sir.
Mr. McHenry. No, sir?
Mr. Antonakes. No.
Mr. McHenry. Okay. So the fact that somebody is paying a
bill to the hospital or has substantial debt owed to a hospital
would not be included in this?
Mr. Antonakes. During the course of an exam, conceivably.
Mr. McHenry. So conceivably medical information, as well.
Mr. Antonakes. But--
Mr. McHenry. What about credit score?
Mr. Antonakes. Credit score conceivably, as well.
Mr. McHenry. Okay. So this sounds to me like personally
identifiable financial information. And this is a great concern
at a time when people are worried about their privacy. So it
seems to me you have no definition, no limitation on the type
of data you can collect, or for how long you are going to
collect it.
Mr. Antonakes. Congressman, I would say only that to the
extent we are reviewing this type of information, it is through
our supervisory process, through our consumer complaint
process, and we are following the same process that has been
run for years by other Federal and State regulatory agencies. I
don't believe we are plowing any new ground here.
Mr. McHenry. You are not?
Mr. Antonakes. No, sir.
Mr. McHenry. This is no new ground?
Mr. Antonakes. In terms of our supervisory program? I would
say no.
Mr. McHenry. So the fact that you want to hold nearly a
billion credit cards and update them on a monthly basis and the
people's transactions--this sounds like dramatically new ground
that your agency is taking.
Mr. Antonakes. Other agencies--
Mr. McHenry. With that, I yield back.
Mr. Antonakes. --have collected credit card data before,
sir.
Mr. McHenry. On a monthly basis?
Mr. Antonakes. Yes.
Mr. McHenry. Updated monthly?
Chairwoman Capito. The gentleman's time has expired.
Mr. Scott?
Mr. Scott. Yes, thank you.
I think it is very important for us to follow up on Mr.
McHenry's line of questioning, because I really believe he is
getting to the heart of the matter. This information of which
you get names, you could get their Social Security number, you
can get their addresses, you can, in fact, get this personal
identification information. Now, it is very important for you
to very quickly explain to the--if Mr. or Mrs. America is
watching this program, under what circumstances is this done?
How is it protected and insured against someone else getting
it?
And this is particularly true, because, yes, according to
my information, you can get medical debt data. And I am
interested to know how far that would go. Does it go all the
way to the type of procedure, the type of treatment? Was it
cancer? Was it--so how much of this personal data information
are you collecting and why? And do you have the authority to do
it now?
And then, secondly, in order to make sure we have America's
confidence that none of this will leak out--because I will tell
you, this is what I am concerned about. I am concerned about
things like this little fellow who is rolling around from
airport to airport trying to find a place to land, this--all of
these leakers. And there are many of them out there and with
the advanced technology of hacking.
So I want you to kind of defend this position a little bit
more, because we don't want the American people to go away
misinformed that you are collecting all this personal data when
you say you don't.
Mr. Antonakes. Thank you, Congressman. Our statutory
mandate, as you know, is to protect consumers. And to the
extent we collect and analyze data, it is for the purpose of
fulfilling our statutory mandate. We collect, investigate, and
respond to consumer complaints. We conduct examinations to
determine whether or not violations of consumer financial
protection laws exist.
Mr. Scott. Let me ask you, though, I am trying to get my
hands around the quantity of this personal identification. How
many have you gotten that fit this category? And how do you
protect that personal identification? We have to get an answer
to that in order to maintain the credibility of the CFPB to
know that it is going to be protected. I am not--I am just
saying, there has to be a reason.
Dodd-Frank outlaws it up to what the other Federal
regulators do, like the Fed. Can they do the same thing? I am
trying to give you a chance here to get out from under this
accusation that I think Mr. McHenry very eloquently articulated
here. I think this is a legitimate question that we have to get
answered.
Mr. Antonakes. Congressman, to the extent we collect PII,
it is exceptionally limited, generally through the consumer
response process, as well as our supervisory process. This is
very consistent with the way other regulators collect this
information.
Mr. Scott. Nothing you do is beyond what other regulators
do in collection of that personal data?
Mr. Antonakes. That is correct. And then we secure it, to
the extent we have to collect it to do our jobs, we secure it
on our systems. There is very limited access to those systems.
They meet FISMA standards, the Federal standards, and have
received clean audits from GAO and the Fed and the CFPB
Inspector General, in terms of those systems.
Mr. Scott. So far, has the data security system you have
been collecting, has it been breached? Have there been attempts
to hack it? Do we have a fail-safe there?
Mr. Antonakes. Congressman, to my knowledge, it has not.
And I would say, again, we have standards in place that meet
the requirements of existing Federal law.
Mr. Scott. On the medical debt issue, I wanted to go back
to that. On that information, do you also have information
contain what that treatment was? This is very private. This is
very personal information.
Mr. Antonakes. No, we don't.
Mr. Scott. So there is no diligence into what kind of
procedure he had, what kind of disease, or anything else? That
is totally unacceptable?
Mr. Antonakes. Correct.
Mr. Scott. All right. Thank you, sir.
Chairwoman Capito. Thank you.
Mr. Luetkemeyer for 5 minutes.
Mr. Luetkemeyer. Thank you, Madam Chairwoman.
I guess I will follow up on Mr. McHenry's questioning, as
well. What are you trying to do whenever you monitor 80 percent
of the credit card market?
Mr. Antonakes. We have a statutory mandate to understand
the credit card market, as well as other financial
marketplaces. We also have a congressional mandate to do a
study on the effectiveness of the CARD Act. So to the extent
that we are looking at this data--and, again, I need to
emphasize that other agencies have similar processes in place
whereby they look at credit card data--it is to fulfill those
requirements, to understand the credit card market, understand
where there may be inherent risk to consumers in that market,
and also to inform the work we have to do as part of the CARD
Act.
Mr. Luetkemeyer. You are a former examiner, right?
Mr. Antonakes. Yes.
Mr. Luetkemeyer. I am also a former examiner. If we went
into a bank or financial institution, you always cut on the
loans to get a certain percentage, and you wouldn't look at the
lower loans. You would look at only the big loans, because that
is where most of the risk was.
Mr. Antonakes. Correct.
Mr. Luetkemeyer. Why are you not doing that with credit
cards? There is no--you are not looking at the risk situation
there. You are monitoring habits. And I am not sure that the
CFPB needs to be looking at the habits of consumers. They need
to be looking for the risks that they are taking or some sort
of risk that is inherent within the system of the credit card
company or within the system of the credit card industry.
Mr. Antonakes. Congressman, I think it is important to
point out a couple of things. In terms of the credit card data
collection, we do not receive data about individual purchase
transactions. Moreover, we cannot identify specific
cardholders. We can't identify specific purchases. We don't
know the items they purchase, who purchased them, when they
were purchased. We don't look for that type of information.
In terms of your questions on where you cut the line, you
are absolutely correct. From an examination point of view, you
are taking a sample, you are looking at a certain line, the
higher risks. But to understand this on a more macro level,
which is really our other function, the market monitoring
function, to understand where risks may appear more broadly,
that is where the more wholesome--
Mr. Luetkemeyer. Okay. So why do you need the personal
information, then, if you are just looking at macro prints?
Mr. Antonakes. We aren't collecting personal information on
the credit card data collection. We are not looking--
Mr. Luetkemeyer. What about the rest of the information?
Mr. Antonakes. In terms of the exams, we could look for it
conceivably in those circumstances to ensure that if consumers
are being overcharged, they are being refunded. But the broader
data collection that you are speaking of--
Mr. Luetkemeyer. Okay, with regards to exams--
Mr. Antonakes. --there is no PII required.
Mr. Luetkemeyer. With regards to the exams--
Mr. Antonakes. Yes.
Mr. Luetkemeyer. --you know what I am talking about when I
talk about the pink pages or the informational--
Mr. Antonakes. Yes, I do.
Mr. Luetkemeyer. --the information that is there on the
stockholders, major owners, as well as employees. Is that
information taken by the CFPB?
Mr. Antonakes. We don't include pink pages in our
examination.
Mr. Luetkemeyer. You don't accumulate that information at
all?
Mr. Antonakes. We do not.
Mr. Luetkemeyer. Okay. So, therefore, it is not given out
to anybody else, either?
Mr. Antonakes. We are not a safety and soundness regulator,
so we don't see the need to collect that type of information.
Mr. Luetkemeyer. Okay. Well, that is good news.
Mr. Antonakes. Okay.
Mr. Luetkemeyer. But we do have concerns with regards to
the rest of the information that you are giving out, because
according to some information I have here, you are giving it
out to, like, 500--do you have contracts with like 500
different groups to be able to give the information out to some
folks through the FTC's arrangement with their Sentinel
Network?
Mr. Antonakes. I believe you are referring to the extent to
which we provide access to our consumer database to other State
agencies. I would say that our consumer response database and
the manner in which we share with other regulators really
mirrors the FTC Sentinel program.
So if there are other agencies--be it a State agency--that
has comparable jurisdiction over one of the State-licensed
non-bank entities that we may supervise or has supervision over a
State-chartered bank that we may supervise, then we believe
they have the right to have this complaint information and
perhaps--
Mr. Luetkemeyer. Will they have the right to access your
files, as well?
Mr. Antonakes. They would access the complaint information
that we have. That is what they have access to, the complaint,
and they have to go through a diligence process and sign
agreements with us before they can access that type of
information.
Mr. Luetkemeyer. Okay. So how many agreements do you have
at this point?
Mr. Antonakes. I would have to verify that for you,
Congressman, but, again, it is for other agencies with similar
supervisory responsibilities.
Mr. Luetkemeyer. Do you have agreements with other
countries?
Mr. Antonakes. Not that I am aware of.
Mr. Luetkemeyer. According to the data here with regards to
the Sentinel Network, now you are--has that information been
absorbed by you or you have agreement with them?
Mr. Antonakes. With the FTC?
Mr. Luetkemeyer. Yes.
Mr. Antonakes. I believe we have an agreement with the FTC.
Mr. Luetkemeyer. Therefore, you have access to that
information?
Mr. Antonakes. I believe so, yes.
Mr. Luetkemeyer. So, therefore, any other entity that has
access to you has access to that information, as well?
Mr. Antonakes. I believe they would have to have their own.
I don't believe we are a pass-through. I don't believe another
agency can make an agreement with us and, therefore, get an
agreement with the FTC. I believe they would have to do their
own agreement with the--
Mr. Luetkemeyer. Do you have any agreements with any
foreign countries to have access to your information?
Mr. Antonakes. I will verify that for you, Congressman. I
am not aware of any.
Mr. Luetkemeyer. Okay. Thank you very much. I will yield
back.
Chairwoman Capito. Thank you.
Ms. Velazquez for 5 minutes.
Ms. Velazquez. Thank you.
Mr. Antonakes, there is still, I guess, by the line of
questions that you have heard here--understand there are a lot
of critics who continue to argue that the Bureau's collection
procedures are too broad and burdensome. I just would like to
hear from you what percentage of the data you collect must be
obtained from market participants. And how would you counter
the argument that businesses are negatively impacted by this
data request?
Mr. Antonakes. Congresswoman, we receive information from a
variety of sources. To the extent we can reduce burden on the
industry and collect it through third parties that already have
that information, information that is already provided by the
financial service companies, we try to use that information. To
the extent it is in the public domain, we try to use that
information, as well. And then in terms of our supervisory
responsibilities, ensuring that Federal financial consumer laws
are being followed, that is when we would make specific data
requests of the banks, the credit unions, and the nonbanks that
are specifically under our jurisdiction.
Ms. Velazquez. And also, you have heard how much we care
about the--securing the--and providing identity protection, and
that issue would be one of the Bureau's top priorities. One
breach will erode public trust, and it will set back your
research significantly. And I heard you saying that you are
complying with Federal laws and regulations in order to protect
personally identifiable data.
But beyond that, what additional steps are you taking to
protect consumer privacy throughout the process, from
collection to publication?
Mr. Antonakes. Yes, so we certainly do share this concern.
And really, the best way we can ensure that we protect this
information is to collect as little PII as possible. And that
is our first fundamental goal.
To the extent we do have to collect it, we store it
accordingly. We significantly limit, to a need-to-know basis,
who in the Bureau has access to that information, and we have
significant security protocols built into our system, as well.
Once our destruction schedules are approved, we will have the
means of flushing this data out of our system as well, on a
regular basis.
Ms. Velazquez. Recently, Mr. Raj Date, the CFPB's former
Deputy Director, stated that the Bureau's data analysis could
lead lenders to innovate in ways that cut consumer costs and
help regulators create more efficient rules. Will you be able
to elaborate on how data collection may lead to better
regulation and more innovation in the financial markets?
Mr. Antonakes. Well, certainly. Certainly, industry has
collected this information for a number of years, and
technology has enhanced their ability to collect it, and it has
led to a lot of innovation in the financial service
marketplace, which ultimately has been good for consumers.
Our use of this data collection is to understand these
markets, to monitor these markets, and prioritize our limited
resources accordingly. That essentially is what we are trying
to do with this information.
Ms. Velazquez. And you stated in your testimony that
information is essential to protecting consumers from
unscrupulous activity, supervising the financial markets, and
maintaining the stability of the economy. Can you highlight
some instances where your current data collection and analysis
efforts have successfully protected consumers?
Mr. Antonakes. Sure. There are a number of circumstances in
which the data collection we have done has resulted in us
prioritizing resources in certain areas. To the extent that we
have secured significant reimbursement orders against some of
the large credit card providers because of unfair and deceptive
acts and practices related to add-on services, some of our most
significant reimbursements thus far have been the result of
information coming in through our complaint channel, our
understanding of the consumer credit card markets, and the
actual examination of those physical consumer files at the
credit card institutions.
Ms. Velazquez. Thank you.
Thank you, Madam Chairwoman.
Chairwoman Capito. Mr. Pittenger for 5 minutes.
Mr. Pittenger. Thank you, Madam Chairwoman.
Dr. Antonakes, you have a very impressive resume.
Mr. Antonakes. Thank you.
Mr. Pittenger. You have served as commissioner of banks.
You have been a voting member of the Federal Financial
Institutions Examination Council, vice chairman of the
Conference of State Bank Supervisors, governing boards of
Nationwide Mortgage Licensing System. You have graduated from
very esteemed universities. And I applaud you for that.
You now are the number-two man in a very important agency,
perhaps the most powerful ever in the history of this country.
This agency now assumes all the responsibilities previously
held by the Federal Reserve, the Office of the Comptroller of
the Currency, the now-defunct Office of Thrift Supervision, the
Federal Deposit Insurance Corporation, the FTC, the National
Credit Union Administration, and the Department of Housing and
Urban Development. That is pretty impressive.
In many ways, you could say that your board manages the
entire financial system of this country. You could be likened
in ways to Joseph under the Pharaoh in Egypt. You are a
powerful man. And you know that. It is a powerful agency.
Wouldn't you agree?
Mr. Antonakes. I thank you, Congressman. I am not sure I am
quite as powerful as you described. We have--
Mr. Pittenger. But let's just set the stage that it is
correct.
Mr. Antonakes. We have inherited some of the
responsibilities of those other regulatory agencies--
Mr. Pittenger. But never have we had an agency that has had
the power that is unchecked of--you are accountable basically
to no one. You don't go through appropriations. Isn't this a
very powerful agency? And yet the core of what we have been
told is your transparency is going to be imprimatur of your
agency. And right now, we have reports on the lack of that.
Here is one memo that went out to keep your calendar
entries brief in general. If possible, avoid annotating entries
with agendas, detailed discussions, et cetera. The flyer also
instructs employees to minimize attachments to your calendar
appointments, consider using e-mail to send related
attachments.
You know the power you have. Is there a disconnect to you
between the power of this agency, its accountability to the
American people, the transparency that it claims to have, and
yet these kinds of e-mails that have been conveyed to its
employees?
Mr. Antonakes. Congressman, I don't believe our agency is
entirely different than in many other agencies. Several other
agencies have a single director structure and none of the bank
regulatory agencies that you referenced are subject to the
appropriations process.
We, in fact, are the only bank regulatory agency that
actually has a hard cap on the ceiling of its budget. We have
authority in the consumer protection laws that were transferred
to us by Dodd-Frank. We also have significant responsibility to
the American people and to the other regulatory agencies. We
have to, by statute, coordinate our examination activities with
those other regulatory agencies. We have to provide copies of
our reports of examination--
Mr. Pittenger. Yes, sir. I hear that.
Mr. Antonakes. --for comment to those other regulatory
agencies.
Mr. Pittenger. My concern is, sir--
Mr. Antonakes. So I do believe there are significant checks
and balances--
Mr. Pittenger. --that the power you have enables you to
exercise it in any way that you feel is right for you. And the
rights of the American people really are the foremost, aren't
they, and their privacy, and their consideration? You are
collecting lots of data. And I think it is just a concern to
this body, the accountability that you have to the American
people and, frankly, back to the Congress of what you are doing
with the data that you are obtaining and what role that you are
going to play in ensuring that you are really transparent and
that you are doing what is really in the best interest and what
is really needed for the American people and not abuse the
power, as we have seen in other agencies in this government.
There is a no-confidence vote right now in government. You
probably are aware of that. And I would implore you to use the
power that you have with full discretion. I yield back my time.
Chairwoman Capito. The gentleman yields back.
Mr. Lynch for 5 minutes.
Mr. Lynch. Thank you, Madam Chairwoman.
And, again, I thank the witness for his willingness to help
the committee. I do want to--just at the outset--point out some
contradictions here. All of the parade of horribles, the evils
that have been described by my friends on the other side of the
aisle that might lurk within this agency that is charged with
the mission of protecting consumers is now in the possession of
private banks. And even more so, private banks, credit card
companies, payday loan operators, you name it, they all go on
these social network sites and they actually get the data that
you are concerned that this agency might get.
You have massive data-mining companies, data brokers like
Acxiom and others. They actually sell this information that you
are worried that this agency that protects consumers might
have. The paradox there is that those banks are completely
unregulated with respect to the conduct that they are
undertaking and there are no checks and balances.
In fact, a couple of weeks ago, we passed legislation that
would allow those same banks that take that information without
concern for privacy to work with affiliates and other countries
that have that information, but that are outside the regulatory
jurisdiction of the United States, that our consumers would be
totally unprotected by your legislation. That is one paradox or
one contradiction here today I want to point out.
The second one is that, as each and every regulatory agency
comes before this committee and others, there has been a debate
here in Congress, driven by my colleagues in the Majority, that
have required each and every regulatory agency to make sure
that every regulation that they adopt, every rule that they
adopt is supported by data-driven, fact-based analysis of how
they operate.
So you have told these regulators that everything they do
must be data-driven, everything they do must be fact-based,
everything they do must be analyzed to prove that the costs do
not exceed the benefits of that regulation. So you are
requiring them on the one hand, last week, to get as much data
as they possibly can, to make sure that their regulations are
fact-based and in real time. And today, you are wringing your
hands, saying, ``Oh, my God, they are going after data.'' Well,
you can't have it both ways.
You are asking these regulators to base their decisions and
regulations on data, data-driven analysis. And now, you are
wringing your hands and saying, ``Oh, we can't do this.''
I do want to mention that the Patriot Act, which was
heavily supported by your side and some on our side, requires a
lot of this information right off the top. And one of the
principal premises of that legislation is to know your
customer, for the banks to know their customer and to make sure
that they aren't allowing bad actors to capitalize on the
legitimate banking industry.
Mr. Antonakes, I happen to work very closely with the
Massachusetts regulators and the Boston office of the Fed. And
during the housing crisis, I thought it was very helpful that
the Fed could actually tell me how many homeowners--and they
could give me the data by town, by county, by my congressional
district--how many people were in arrears on their mortgages.
They could tell me how many people were in default. They told
me how many--they could tell me how many people were in the
foreclosure process and how many were going to be evicted, so
we could target resources.
And it was very different. I have 3 cities, 18 towns, and
720,000 people in my district, and they were very helpful. That
is a lot of data that they are getting already. How are you
working with some of these other agencies? Some of these
concerns are legitimate about making sure we don't let this
personal information get out there and be abused.
But how are you coordinating with these other agencies that
are actually scooping up this data, as well? And can we
minimize the exposure and minimize the cost of doing what I
would describe as due diligence, in terms of protecting
consumers?
Mr. Antonakes. Congressman, we do have information-sharing
agreements with the other regulators, and we are not seeking to
collect information which they already have. So to the extent
that we can share it, we welcome that opportunity. It would
reduce cost and burden on the industry.
Mr. Lynch. Thank you. My time has expired.
Chairwoman Capito. The gentleman's time has expired.
Mr. Lynch. I yield back.
Chairwoman Capito. Thank you.
Mr. Fitzpatrick for 5 minutes.
Mr. Fitzpatrick. I thank the Chair.
And I also want to say to the witness that we all
appreciate your testimony here today. This subject matter is
very sensitive to everybody I know, everybody I represent back
home in Pennsylvania, which is why this hearing is so
important.
News reports indicate that the CFPB is assigning an
identifier to each individual and requiring that all data
providers use that same identifier for each individual when
submitting their data. Sir, is that true?
Mr. Antonakes. I believe it is true, in terms of the credit
card collection data.
Mr. Fitzpatrick. For what purpose would the Federal
Government need to track the financial habits of an individual
consumer?
Mr. Antonakes. We are not seeking to identify who the
consumer is. We are not seeking to monitor individual
purchases. But it does allow us to see trends over a period of
time, in terms of balances, in terms of interest rate, and in
terms of impact. And that is really all we are seeking to do.
We are not interested in individual American behavior. We
are not interested in where they purchased their goods, what
they are buying. We are simply interested in knowing over a
period of time what happens with credit card balances. Do they
go up? Do they go down? How are fees associated? How is the
broader economy impacting those balances, as well? And this
allows us to track that type of information. We have no
interest whatsoever in identifying the specific individual who
owns that card.
Mr. Fitzpatrick. But if you are using identifier numbers on
this data that is being collected, the amount of which you
haven't been able to really tell us today how much--and I
certainly hope, sir, that you will follow up the questions
where you had no specific answers and provide that information
to the committee--but if your Bureau is using identifying
numbers to link data together, how is that not creating a
consumer data file on individual Americans? Even if you don't
know who that American is, theoretically, you are linking data
sets together through an identification number and you are
building a consumer file on an individual. Is that not true?
Mr. Antonakes. We are looking at individual loan level
account information. That is correct, sir. But we are not
seeking to determine who that particular consumer is. That is
the way that we can understand how these marketplaces are
working. That is how we can basically determine where risks may
lie and look at trends over a period of time, but we have no
interest whatsoever in trying to determine or reverse engineer
who that specific individual is.
Mr. Fitzpatrick. Does that not mean, though, that the
Bureau has a picture of the financial transactions at an
individual level?
Mr. Antonakes. The only information that we are collecting,
to my understanding, is the interest rate, fees, previous
balance, and new balance.
Mr. Fitzpatrick. Madam Chairwoman, I will yield the balance
of my time to Mr. Duffy.
Chairwoman Capito. Mr. Duffy?
Mr. Duffy. Thank you. Just quickly, I want to go back to
some of the other questions that I have asked. What
institutions, again, are you monitoring? You have nine of them,
right, for financial data?
Mr. Antonakes. In what respect, Congressman?
Mr. Duffy. What institutions are you getting financial data
from?
Mr. Antonakes. We are looking and, through a variety of
contacts, we take data from the institutions that are under our
primary jurisdiction, banks and credit unions, over $10 billion
in assets, as well as nonbank--
Mr. Duffy. So from all of them, you are collecting
financial data?
Mr. Antonakes. The extent of the data may vary based upon
their business model and the type of operations they have.
Mr. Duffy. Okay. And, again, you are not willing to provide
the letters of request for that financial data to this
committee, is that correct?
Mr. Antonakes. The letters themselves are confidential
supervisory information. We can perhaps discuss what--we could
give you--
Mr. Duffy. But don't--
Mr. Antonakes. --we could give you--
Mr. Duffy. Don't you think Americans have a right to know
which financial institutions are providing you their financial
data? Don't you think that is an American's right to say,
listen, I know the government is collecting my data if I bank
with X bank, and I know they give my credit card transactions
to the CFPB? Don't they have a right to know that? And why
won't you share that with us?
Mr. Antonakes. So to the extent that is done, Congressman,
it is done through our supervisory process, just as it is done
with the Federal Reserve, the FDIC, the OCC--
Mr. Duffy. That is not my question.
Mr. Antonakes. --bank regulators, as well.
Mr. Duffy. But you are the Consumer Financial Protection
Bureau.
Mr. Antonakes. Right.
Mr. Duffy. And you protect consumers. Do you think
consumers would be more apt to bank with the institutions that
you collect data on or less likely to bank with those
institutions?
Mr. Antonakes. I believe it is problematic. It would impact
our ability to efficiently supervise institutions.
Mr. Duffy. That is right. Because--
Mr. Antonakes. And I also believe that it could have
unintended consequences for institutions, as well.
Mr. Duffy. That is right. Because Americans don't want you
to have their financial data. That is exactly right. That is
the point. And so if they don't want you to have their
financial data, don't take it. Or ask their permission. But you
make the point for us. They don't want you to have the data,
and you are taking it anyway, under the auspices of the
Consumer Financial Protection Bureau. You take their data, they
don't want you to have it, and you don't care.
I yield back.
Chairwoman Capito. Mr. Heck?
Mr. Heck. Thank you, Madam Chairwoman. I yield 2 minutes to
the gentleman from Georgia, Mr. Scott.
Chairwoman Capito. Mr. Scott?
Mr. Scott. Yes, I have two points to make. First of all, in
response to Mr. Duffy, for whom I certainly have great respect,
but at the one point, he is trying to point out how we want to
make sure information is secure and, on another point, we want
to share it. You can't do both.
And I think what we are trying to get here is a delicate
balance, where you get the information. And, again, I think it
is very important to repeat that many of these requests for
this personal data come from that individual reaching out to
you. Is that not correct?
Mr. Antonakes. Much of it does. Certainly, anything coming
in through our consumer complaint hotline, 150,000 requests for
help from every State in the country has affirmatively come to
us from consumers.
Mr. Scott. Right, no different from--you have the banking
operations, you have other operations, financial operations,
get the same information. But my point is--there is one area we
missed here that I think we need to clear up. There are third
parties involved here. You have vendors, investigators going
out and collecting this information.
Can you tell us how our information is protected through
these third parties? Where does that line come down? How do we
protect information that these third parties are getting, that
have contracts and were paid millions of dollars and are
helping get the money to get back to the consumers? When do we
wash their hands of this information so it doesn't get out
through third-party vendors?
Mr. Antonakes. So, Congressman, any laws that we have to
follow to protect consumer information they have to follow, as
well, if we are engaging them specifically.
Mr. Scott. All right. Well, thank you. I want to take the
time to thank the gentleman, Mr. Heck, for allowing me those 2
minutes. Thank you.
Mr. Heck. Thank you, sir. Thank you for your presence, your
testimony, and your service to our country.
I have the honor and privilege to represent a congressional
district that includes Joint Base Lewis-McChord, the
third-largest military installation in America. And as a consequence,
I ask the following question: The proposal to require an opt-in
on the part of individuals, would that affect the Bureau's
servicemembers' office's ability to protect members of the
military and their families? Would it materially affect your
ability to protect those members? And if so, can you describe
briefly what that would look like?
Mr. Antonakes. Congressman, thank you. It is something that
I haven't considered thus far, but I would say my initial
reaction is it conceivably could impact our ability to protect
servicemembers, as it would other consumers, as well.
To the extent servicemembers are serving abroad, they may
not have ready access to mail, and an opt-in could conceivably
be difficult in certain circumstances. It also--and this is
really the broader concern, and I believe the other regulators
would share this concern--the ability to efficiently examine
institutions would be significantly impacted, and our ability
to identify risks, our ability to identify violations of law,
and most importantly, our ability to identify who should be
receiving refunds.
In the case of the MILES program, which servicemembers
should be receiving $6.5 million in refunds, in the case of our
other activity, over $425 million in additional refunds last
year alone, as a result of our ability to look at individual
transactions in supporting information and data.
Mr. Heck. So it would hurt your ability to protect members
of the military?
Mr. Antonakes. Yes, sir.
Mr. Heck. Part of our frustration with this discussion is
that it seems to offer a false choice between treasured and
cherished values of privacy and that of consumer protection. I
am acutely sensitive to this as it relates to members of the
military. And I just don't think these--this is a zero-sum game
and that these values are mutually exclusive.
And I have to say, if I can get this out, yesterday I had
the privilege to visit Walter Reed Hospital. I spent quite a
bit of time in the amputation wing. And I observed a young man
who had a double amputation up to and including his hips. And I
observed him walking on prosthetic devices.
I have no idea what the technology behind that is, which
enabled him to do it, but I will tell you, I have never, ever
observed the level of courage that I did in those young
servicemembers. And I don't want to do anything that sacrifices
our ability for you to protect those servicemembers and those
who put themselves in harm's way. And I don't believe for one
second that we have to sacrifice the value of privacy in order
to do that.
Thank you for the job you have done, sir.
Chairwoman Capito. Thank you.
Mr. Rothfus for 5 minutes.
Mr. Rothfus. Thank you, Madam Chairwoman.
Welcome, Mr. Antonakes. I am glad to see a Penn State grad
here. A point has been made about banks having this information
already, but isn't it true that private financial institutions
are subject under Gramm-Leach-Bliley to maintain the privacy of
consumer data?
Mr. Antonakes. Yes, sir.
Mr. Rothfus. Now, the CFPB is not subject to
Gramm-Leach-Bliley. Is that correct?
Mr. Antonakes. We have other data standards that we have to
follow.
Mr. Rothfus. If we could go a little bit to the credit card
collection program that you have and get a little more specific
types of data that you are collecting under there, it has been
reported that there have been 100 data fields per account that
you are collecting. Is that true?
Mr. Antonakes. I would have to verify that for you,
Congressman.
Mr. Rothfus. Can you, again, tell me the types of data
fields that would be collected: interest rate; balances; month
to month? I think you testified to that, correct?
Mr. Antonakes. Yes.
Mr. Rothfus. Other information? Would the ZIP Code of an
account be collected?
Mr. Antonakes. I don't believe we are collecting any PII on
the credit card information.
Mr. Rothfus. Okay, so you are--among the hundred data
fields or so, you are not including the ZIP Code?
Mr. Antonakes. I don't believe so, but we can verify that
for you, Congressman.
Mr. Rothfus. And you would not include date of birth?
Mr. Antonakes. That is correct.
Mr. Rothfus. When are you collecting personally
identifiable information?
Mr. Antonakes. When we do collect PII, it is generally
through our consumer response function, in which American
consumers are reaching out directly to us to help them in their
financial transactions with institutions that we supervise. And
it is also--
Mr. Rothfus. You are collecting that data directly from the
consumer in that case?
Mr. Antonakes. That is correct. They provide it to us
voluntarily, subject to our privacy disclosure, so that we can
then reach out to their financial institution to determine
whether or not a violation of consumer protection law did, in
fact--
Mr. Rothfus. Now, are you ever collecting data from an
institution that has not been alleged to have committed any
wrongdoing?
Mr. Antonakes. We would review certain data during the
course of our examination function. We examine--
Mr. Rothfus. Would you ever ask such an institution that
has not been accused of any wrongdoing? Have you ever asked
them for personally identifiable information about any
consumer?
Mr. Antonakes. So, Congressman, during the course of an
examination, we don't presume someone is guilty before we
conduct an examination, but we have to do certain transaction
testing, we have to look at certain information to, in fact,
verify that there haven't been violations of law.
Mr. Rothfus. Now, you are going to try to collect
information, for example, 80 percent of the credit card
accounts in the country?
Mr. Antonakes. I believe that is the type of data we are
trying to collect--
Mr. Rothfus. Do you have any idea of the cost of complying
with a request like that for a private institution?
Mr. Antonakes. My understanding is this is information that
they collect and provide already.
Mr. Rothfus. That they are already--so up to 80 percent of
the accounts are already being provided information to a
government--
Mr. Antonakes. No, they collect 100 percent of this data
already. They provide some of this data to other Federal
regulators.
Mr. Rothfus. Do you have any idea how much the cost would
be for them to put together--having this data sent over to the
CFPB?
Mr. Antonakes. I don't know the specific costs,
Congressman, but I need to point out that they collect this
data and they review this information already.
Mr. Rothfus. Are you aware that consumers are seeing
increases in fees and costs being passed onto them by financial
institutions?
Mr. Antonakes. I don't believe the fees that may be passed
on to consumers is the result of our data collection
activities.
Mr. Rothfus. What about the loss of free checking that we
are seeing out there in the marketplace? You are aware of that?
Mr. Antonakes. I am also aware of other market trends and
laws that have resulted in shifts in how checking accounts are
charged.
Mr. Rothfus. There is no right for a consumer to opt out of
having a private institution that they have an agreement with
to have that institution opt out from giving you their data. Is
that correct?
Mr. Antonakes. To the extent we are collecting data through
our supervisory process, no, there is not. And there isn't for
all of the other prudential regulators and State regulators
that conduct similar activities.
Mr. Rothfus. Now, with respect to collect--being able to
process claims for people who have made complaints--I think we
talked about 50,000 individuals, servicemembers--that you have
the data both from complaints and from examination activity. Do
you have any idea the breakdown--for example, of the 50,000 who
were due refunds, how many do you get from complaints versus
the examination activity?
Mr. Antonakes. I believe in that case the activity was
brought to our attention through a consumer complaint, and then
the--
Mr. Rothfus. Do you have any idea how many consumer
complaints there were?
Mr. Antonakes. I can verify that for you. I don't believe
there was a significant number of consumer complaints. And I
believe the more wholesome impact on servicemembers was borne
out during the course of our examination and investigation.
Mr. Rothfus. Wouldn't it be possible, though, to target in
that case--if you hear complaints coming from consumers, and
you see that there might be an actor out there that is not
doing what they should be doing, then you can target and go
directly at that particular bad actor. Isn't that right?
Chairwoman Capito. The gentleman can answer.
Mr. Antonakes. Certainly, consumer response serves two
purposes for us in many respects, the first of which is an
immediate means of providing responsiveness and potential
relief to consumers who reach out directly to us. It is as you
appropriately point out, also a means by which our priorities
for supervision and investigations can be impacted, if we see
certain trends developing through that channel.
Mr. Rothfus. Thank you.
Chairwoman Capito. The gentleman's time has expired.
Mr. Posey?
Mr. Posey. Thank you, Madam Chairwoman.
The Consumer Financial Protection Bureau is a great
sounding name. But there seems to be some reason to question
whether the title actually reflects the mission, or if in
reality it is an oxymoron. On December 21st, I sent you a
letter and listed 19 separate questions regarding the loan
level data collection project. You--and when I say ``you,'' I
mean your agency; I sent it to Mr. Cordray's attention--
responded 2 months later with a three-paragraph letter that
didn't answer a single doggone question in any detail at all,
the same kind of gibberish that you gave the vice chair a
little while ago when he asked you one of the 19 questions that
I asked you.
It is inconceivable to me, unless you are from the most
dysfunctional agency in the entire world, that you would come
here before this committee today unprepared to answer the very
simple questions that you have been asked. It is inconceivable
to me that your agency cannot answer the 19 questions that I
asked you 6 months ago. And yet you call yourselves the most
transparent agency--your hallmark is supposed to be
transparency.
I know more about your agency from Bloomberg than I do from
any communications you or anybody from your agency have had
with my office or with me. You have transparency as a core of
your agenda. Why is it your agency has a flyer instructing
employees to keep calendar entries brief and general and avoid
entertaining entries with agenda detail discussions? How can
you claim to be transparent when you can't provide a single e-
mail in response to the Freedom of Information request from
Judicial Watch?
It has been alluded to that the financial crisis was caused
because we didn't have a CFPB, when I think most people with a
brain know we already have enough agencies, we have enough
rules, we have enough bureaus, we have enough employees. We
just don't have enough of them doing their jobs. And that is
why we had a financial crisis.
I don't think that, if we had a dozen CFPBs before and they
didn't perform any better than any of the other agencies, it
would have changed anything. And I haven't heard any way yet
you would stop--anything your agency is authorized to do that
would stop the same thing from happening again. You are going
to have all the financial records of 80 percent of Americans.
And then the next obvious question is, well, why not 100
percent? Who are you exempting? Why would you exempt them? It
is going to be like the people who wrote Obamacare. Are they
going to exempt themselves?
These are natural questions my constituents have, and I
don't blame them for being suspicious. Americans like their
privacy. They enjoy the Fourth Amendment, and they don't like
it violated. And the more I hear from you, the more I hear that
you are intentionally violating their Fourth Amendment. You are
violating their privacy.
People haven't asked you to--you go to most businesses in
America and say, ``Hey, I am from the government. How can I
help you?'' Those are the most feared words they can hear. You
want to help them? Stay the heck away from them.
I think we definitely need to have an opt-in to this thing.
I just think that the fact that you are so ill-prepared to
answer any questions here today speaks volumes about what is
already wrong with that agency.
When Mr. Cordray was here the first time, he appeared
before us, and we asked a bunch of questions he couldn't
answer. He said, ``I will come back and answer them.'' Instead,
he sent ``secretary somebody'' who had the same answer to all
the questions he did: ``I don't know.''
I think Mr. Capuano asked her how much she was being paid
not to know anything. And several other Members also asked her.
She refused to tell her salary. That is how transparent they
are. I heard Mr. Lynch from Massachusetts talk about all this
detailed mortgage information that he has about his district. I
have asked for that information, and I have never gotten one
ounce of that information before.
So I am very suspicious, and I would just like for you to
tell me why you can't answer any questions that we have asked
here that have already been asked of your agency and you should
have been well-prepared to answer today.
Mr. Antonakes. So, Congressman, I appreciate your comments
very much. And to the extent--
Mr. Posey. I bet you do.
Mr. Antonakes. --our response was not satisfactory to you,
I am happy to try to follow up and provide you more
information, as well. We, I believe, have tried to answer that
in the vast majority of cases, we do not collect personally
identifying information--
Mr. Posey. Listen--
Mr. Antonakes. We have--it has resulted--
Mr. Posey. Reclaiming my time, that is the same baloney
that you gave Mr. Duffy. And that is basically the only answer
he gave me. I asked you 19 specific questions. We all know you
claim not to have detailed personal information, just like the
NSA and just like the IRS don't abuse that power. We are not
even going there yet.
We asked you very simple, easy-to-answer questions that you
should be able to respond to honestly.
Chairwoman Capito. The gentleman's time has expired.
Mr. Pearce?
Mr. Pearce. Thank you, Madam Chairwoman.
Thank you, Mr. Director. And trying to put things into
context, why the questions come up, I hear of your and I read
in your statement that empirical analysis is necessary for good
policy, so you collect more of it. Probably no one collects
more information than the IRS, yet in 2009, they had 100,000
people, employees of the Federal Government, who were not
paying their taxes. And, of course, that was led by Treasury
Secretary Geithner, who didn't think it was his duty to pay
taxes.
And now within the last 2 years, that number has gone to
312,000 and $3.5 billion now owed by Federal Government
employees. The government has the information. They just choose
to check on conservative groups rather than check on the people
who are not paying their taxes.
So if there is a little concern about what you are
collecting--and I was a little bit confused. I thought you said
to Mr. McHenry that part of the PII is name, address, Social
Security number, ZIP, property they have, credit score, and
balances. And then I heard a different answer, I thought, to
Mr. Rothfus. Is this PII? So--name, address, Social Security,
ZIP, property they have, credit score, I thought you had
affirmed to Mr. McHenry. Was I hearing backwards? That is not
stuff you collect and as part of PII?
Mr. Antonakes. No, sir. So--
Mr. Pearce. So it is not part of it?
Mr. Antonakes. We collect PII through our consumer
response--
Mr. Pearce. So that--PII includes--
Mr. Antonakes. --supervisory--
Mr. Pearce. If I could reclaim my time, PII includes name,
address, Social Security number, ZIP, property, credit score? I
thought Mr. McHenry walked through that, so is that part of PII
or is it not? Yes or no?
Mr. Antonakes. The answer is it is part of PII. It may not
be--
Mr. Pearce. Okay. So if it is part of PII, maybe we should
invoke the Geneva Convention for consumers. Under the Geneva
Convention, when I went to Vietnam there were a lot of pilots
being shot down. We only had to give our name, rank, and Social
Security number. Here, you collect all the other jazz. You have
the potential to misuse it, exactly like the IRS is misusing
it.
So I was interested in your response to Ms. Velazquez. She
noted properly that one breach will erode the confidence. And
she asked, what steps have you taken to see that you don't have
a breach? You said that the answer was to collect as little
information as possible. Are there any other things that you do
to stop a breach?
Mr. Antonakes. Sure. Congressman, our systems are compliant
with the Federal--
Mr. Pearce. No, I didn't ask what you are compliant with.
What other steps do you take to ensure there is no breach?
Mr. Antonakes. We have robust security systems, IT systems
that are constantly being reviewed and audited. We have limited
significantly which personnel have access to this information,
and we are trying to ensure that we have the procedures in
place to discard this information when it is no longer
necessary.
Mr. Pearce. So you have contractors that have access to
information?
Mr. Antonakes. We have limited contractors that have
access--
Mr. Pearce. But some contractors do. I am sure Mr. Snowden
was one of a very limited number. Have you gone and done case
studies on agencies or consumer groups, credit card companies
where information has been distributed, where people have
leaked or shared or hacked in? Have you studied those? Has your
agency--as someone said, you are a very powerful agency. You
are probably going to have more information than even the IRS.
Have you done any case studies on the people who have
leaked Mr. Snowden or any of the others? Did you stop--as a
manager, did you stop everyone and say, ``Hey, this is a wake-
up call. If it can happen in the most secret of our agencies,
it might happen to us.'' Did you, as Deputy Director, number-
two guy, stop everybody and say, ``Wait, we need to sit down
and have a discussion on our ethics internally. If it could
happen over there, it could happen here?''
Mr. Antonakes. So we do take data security--
Mr. Pearce. No, I did not--did you have any case studies
looking at specific things where people have leaked or stolen
information? That is a fairly simple question.
Mr. Antonakes. We do--
Mr. Pearce. You are the number-two guy in the company or
the--
Mr. Antonakes. --do not have any specific case studies
where other agencies have leaked information, Congressman.
Mr. Pearce. That is incredible to me that you would not
look at what happened. The breakdowns have happened in some of
the credit card companies where massive information has been
received. It is incredible that you as the number-two guy have
not done that.
Do any of the people, when you make these awards, have any
bonuses been given to employees or investigators or people who
are collection agencies? Have any awards been given to people
who help you get the information?
Mr. Antonakes. I am not sure I understand the question,
Congressman.
Mr. Pearce. Okay. You said that you found 28,000--or
employees are--Defense Department people. You got awards back
to them. Did anybody get finder's fees? Because I am finding
that in many agencies.
Mr. Antonakes. No, sir.
Mr. Pearce. No finder's fees?
Mr. Antonakes. No.
Mr. Pearce. No bonuses, no nothing?
Mr. Antonakes. Not--no.
Mr. Pearce. Okay.
Mr. Antonakes. Not to--
Mr. Pearce. I yield back. Thank you, Madam Chairwoman.
Chairwoman Capito. Mr. Barr for 5 minutes.
Mr. Barr. Mr. Antonakes, I am just seeking a little
clarification here. Under what circumstances does the Consumer
Financial Protection Bureau obtain in its data collection
efforts personally identifiable information?
Mr. Antonakes. We will collect it through our consumer
response portal, if consumers reach out directly to us for
assistance--
Mr. Barr. I understand that. And what is the second
category?
Mr. Antonakes. And also during our supervisory process.
When we conduct examinations of the banks, credit unions, and
nonbanks that are under our jurisdiction, we may have access to
that information to report for exams.
Mr. Barr. Okay. So Section 1022 of Dodd-Frank specifically
prohibits your agency from collecting data ``for the purposes
of gathering or analyzing the personally identifiable financial
information of consumers.'' How do your data collection efforts
that contain personally identifiable information comport with
that statutory prohibition?
Mr. Antonakes. That statutory prohibition lends itself to
broader market monitoring data collection activities. It does
not go specifically toward data collection activities through
our supervisory process.
Mr. Barr. Okay, are you--
Mr. Antonakes. There are other provisions in Dodd-Frank
that allow us to do it.
Mr. Barr. --familiar with the system of records notice that
was published in the Federal Register by your agency in
November of last year?
Mr. Antonakes. Generally.
Mr. Barr. Okay. Are you aware that the system of records
notice, which is required under the Privacy Act of 1971, that
requirement is triggered by the collection of information that
is actually retrieved by a personal identifier and that these
SORN notices are used to provide notice to members of the
public that their information is being used by an agency? Are
you aware of that?
Mr. Antonakes. Yes, sir.
Mr. Barr. And so you are admitting that your agency has
issued one of these system of records notices to alert the
public that you are collecting personally identifiable
information. Is that correct?
Mr. Antonakes. Yes, sir, as we are allowed under other
provisions of Dodd-Frank to fulfill our other mandates to
protect consumers.
Mr. Barr. Okay. And so is the information--the PII that you
are collecting pursuant to this systems of records notice, is
that personally identifiable information, is that searchable by
personally identifiable information in your database or your
contractors' database?
Mr. Antonakes. We would collect information for our
consumer response portal, as well as through our supervisory
process, for the--
Mr. Barr. I understand you collect it. Is it searchable by
personally identifiable information?
Mr. Antonakes. I would have to get back--
Mr. Barr. Could you get back with us on that?
Mr. Antonakes. Yes, I would be happy to.
Mr. Barr. We would be interested to know that. And
specifically, we want to know if the data can be retrieved by
personal identifiers. So that would be something of interest to
this committee, if you could get back to us on that.
How long is the data that includes personally identifiable
information retained? What policies or procedures do you have
in place for records retention of that PII?
Mr. Antonakes. We have policies that we have submitted to
the National Archives Center and we are waiting for their
approval of our destruction schedules.
Mr. Barr. So, you don't have a policy in place right now?
Mr. Antonakes. We don't have an approved policy in place by
the National Archives Center.
Mr. Barr. So at this point, the PII that you all have
obtained is not subject to any kind of records retention
schedule as of yet?
Mr. Antonakes. As of yet, but we have significant hopes
that we will have those schedules approved shortly.
Mr. Barr. Okay, under the system of records notice
regarding your data collection activities, has the CFPB also
conducted a privacy impact assessment of that?
Mr. Antonakes. I would have to confirm that for you,
Congressman.
Mr. Barr. Okay. If you could get back to us on that. And
if--and in addition to whether or not you have conducted the
privacy impact assessment, if you have not, we would like to
know why you have not yet subjected the agency to a privacy
impact assessment.
And then a third follow up, please, which would be why
would the CFPB not have made public the privacy impact
assessment, if, in fact, you have conducted one? So, again, if
you are unaware of the answer to those questions, if you could
follow up with my office or the committee, that would be
appreciated.
Mr. Antonakes. I will be happy to do so.
Mr. Barr. Okay. Are any individuals--since you are
conceding that you--and you have issued this notice in the
Federal Register that you are collecting personally
identifiable information--are any of the individuals whose
personally identifiable information that has been collected,
are any of these individuals--have any of these individuals
been given notice prior to that collection?
Mr. Antonakes. No, sir, because it is not required under
our supervisory authority.
Mr. Barr. Okay. I yield back.
Chairwoman Capito. The gentleman's time has expired.
Mr. Westmoreland?
Mr. Westmoreland. Thank you, Madam Chairwoman.
You are the Associate Director of Supervision and
Enforcement, correct?
Mr. Antonakes. That is correct.
Mr. Westmoreland. Do your enforcement officers carry
firearms?
Mr. Antonakes. No, they don't, sir.
Mr. Westmoreland. So they do not carry firearms?
Mr. Antonakes. No.
Mr. Westmoreland. Do they wear uniforms?
Mr. Antonakes. No, sir.
Mr. Westmoreland. Okay. Do the PII, do the individuals know
that you are storing their data?
Mr. Antonakes. To the extent information is coming into our
consumer response channel, there is a privacy notice for them,
and I would say, yes, they know that we are storing their
information. If it is coming through the examination process,
then not necessarily.
Mr. Westmoreland. How many questions do you ask these folks
if they call in with a problem?
Mr. Antonakes. We are basically trying to ask the minimum
questions that will allow us to remedy the situation, if, in
fact, there has been a violation of consumer law.
Mr. Westmoreland. And so then you tell them you are storing
their information for later use?
Mr. Antonakes. I'm sorry, sir?
Mr. Westmoreland. You are getting this information, and
they know you are getting it to store the data.
Mr. Antonakes. That is correct.
Mr. Westmoreland. So you tell them--
Mr. Antonakes. Yes--
Mr. Westmoreland. --we are storing your data?
Mr. Antonakes. There is a notice that indicates that.
Mr. Westmoreland. Okay. How many people have access to
this?
Mr. Antonakes. It is limited to those who are responding
directly to the complaints, as well as some other folks in the
Bureau that--
Mr. Westmoreland. I know that, but how many people is that?
Mr. Antonakes. I would have to get back to you with a
precise number.
Mr. Westmoreland. You don't know?
Mr. Antonakes. I don't know the precise number. It would
depend on--it is--
Mr. Westmoreland. Would the Director know the precise
number? Who would know the number?
Mr. Antonakes. We could provide that information to you. I
just don't know it off the top of my head.
Mr. Westmoreland. Sure.
Mr. Antonakes. It is focused on a need-to-know basis, for
those who either are directly responding to--
Mr. Westmoreland. I think it is pretty unusual that you
wouldn't know how many people had access to this, but what type
of security clearance do these CFPB employees have, who have
access to this information?
Mr. Antonakes. They all go through significant background
checks, as well. I think we have the security clearance that is
akin to agencies of--
Mr. Westmoreland. Is it--what kind of security clearance is
it?
Mr. Antonakes. It is not top-secret clearance.
Mr. Westmoreland. Okay, so they have information to all
these personal names, Social Security numbers, addresses, birth
dates, and whatever. And they don't have any type of level of
security clearance?
Mr. Antonakes. We do attempt affirmatively to limit the PII
that we need to collect--
Mr. Westmoreland. Do you do it yourself?
Mr. Antonakes. Do I do it myself?
Mr. Westmoreland. No.
Mr. Antonakes. No.
Mr. Westmoreland. Does the CFPB do it within its own
agency?
Mr. Antonakes. We attempt through our consumer response
portal to limit the type of PII. We collect just enough to be
able to go back to the company so that they can actually
identify the account and the complaint and then verify that, in
fact, it is an actual complaint.
And the security background checks that everyone would have
to go through are exhaustive and extensive, and we have certain
policies and procedures in place, as well, that will--
Mr. Westmoreland. I guess what I want you to answer is, who
does the background checks?
Mr. Antonakes. The Office of Personnel Management, and they
use their sources that they do for personnel background checks.
Mr. Westmoreland. So you really don't know who does the
background checks?
Mr. Antonakes. The degree of, I think, background checks
depends on their rank and the positions of the--
Mr. Westmoreland. So you don't know how many people have
access to these files? And you don't know really what type of
background check they have had?
Mr. Antonakes. I know they have substantial background
checks. I know the number of people is significantly limited to
those who work in our consumer response area and those who work
in our supervision and enforcement areas.
Mr. Westmoreland. But you don't know the number?
Mr. Antonakes. I can provide you with the number. I don't
know the number offhand.
Mr. Westmoreland. Sure. Okay. Let's say one of my
constituents calls you up and says, ``Can I see my data? Can I
see my file that you have on me? First of all, do you have a
file on me?'' And if the answer would be yes, can they request
the information that you have?
Mr. Antonakes. The only information that we would have
would be the information that they have provided us--
Mr. Westmoreland. No. No, no, no, no. You are getting
information from these outside groups, the banks. So can you
give them that?
Mr. Antonakes. The information that we would have on a
consumer that came in through our consumer response portal
would be the information they provided us, and then we would
have a summary of--
Mr. Westmoreland. I am not talking--I am talking about the
PII.
Mr. Antonakes. So we are not collecting PII for consumers
who respond to our consumer response--
Mr. Westmoreland. Well, no, but you do have this personally
identification information, right?
Mr. Antonakes. If they have provided it to us.
Mr. Westmoreland. So if they find out that you have stored
this and they don't realize it or don't remember it, can they
ask to opt out?
Mr. Antonakes. They are affirmatively reaching out to us
and voluntarily providing us this information. There is a
privacy notice which is provided to them at the moment that
they are filling out that information.
Mr. Westmoreland. I look forward to some of these answers
that you said you are going to respond to from these questions.
And I appreciate you coming, and I appreciate your service. But
I find it really hard to believe that you didn't realize some
of the questions you were going to be asked today. So thank you
for coming.
Mr. Antonakes. Thank you.
Chairwoman Capito. Thank you, Mr. Westmoreland.
That concludes our first round, but I am going to go to a
second round, because we have a few more interested folks who
have additional questions, one of whom is me. And the thing I
am concerned about is, because I think we have a difficulty
understanding exactly--because in my--in your first response to
my question, you said you do not collect PII. But in your
subsequent testimony, you have said that on two occasions you
would, when a consumer would opt in from a consumer complaint,
and the other might be from other institutions or other
information.
That is the part, I think, that we are having the issue
with, is not that the consumer is opting in to ask you to help
them with the consumer complaint, but in the rhetoric, you are
saying, no--or in your first statements, you said no. But in
subsequent testimony, you are really saying, yes, we do, in
certain instances. Maybe not the $800 million credit card
cases, but in other cases, we do have this PII.
As clearly as possible, please explain that part and when
that would come into play.
Mr. Antonakes. Madam Chairwoman, I am sorry if I was not
clear on this point in particular, trying to distinguish
between some of the data that we are purchasing versus the data
that we have access to through our supervisory program. So to
the extent that we are conducting examinations which are
mandated by Dodd-Frank, we are required to examine the large
banks over $10 billion in assets--
Chairwoman Capito. Right.
Mr. Antonakes. --the large credit unions over $10 billion
in assets--
Chairwoman Capito. Right.
Mr. Antonakes. --and certain non-bank entities, we have to
examine them on a regular basis to determine whether there are
violations of consumer protection laws. During the course of
our examinations, our examiners go on-site to these
institutions and they conduct transaction testing, in which
they are sitting down and looking at actual loans and loan-
level data to determine whether there are violations of law.
We are not maintaining or collecting this data
unnecessarily. If it is a clean--
Chairwoman Capito. Okay.
Mr. Antonakes. --exam, we move on and we don't collect it.
Chairwoman Capito. Okay. Let me stop you right there, so I
understand. So if you have--on your supervisory job, you are
collecting a transaction on a person, which then would have
this--you have already said what PII might be, Social Security
number, mortgage, whatever name, address, all those things.
So are you saying, then, that because you are conducting
this in the supervisory, that you then don't bring that
information back into the CFPB and hold it for 10 years in the
cloud? Or do you leave it at the financial institution in the
course of an exam?
Mr. Antonakes. If there are violations found and it
requires some form of corrective action, be it an informal
action, be it a formal enforcement action, be it the
requirements at reimbursement, then some of that information
may be stored.
Chairwoman Capito. So you bring that and store it?
Mr. Antonakes. In certain circumstances, yes.
Chairwoman Capito. Okay. In terms of the--what the
gentleman from Georgia was asking about, whether you could opt
out, I guess I am reading here in the Federal Register where
individuals seeking notification and access to any record
contained in this system of records or seeking to contest its
comments may inquire in writing, according with instructions?
Mr. Antonakes. That is correct.
Chairwoman Capito. Okay. I didn't hear you say that.
Mr. Antonakes. I'm sorry. Anyone can ask at any point in
time if we have any records or information on them, and we
would be obligated to respond.
Chairwoman Capito. Right. That doesn't mean they get to see
their records, though.
Mr. Antonakes. That is correct.
Chairwoman Capito. It just means that they can respond
about their records. Would that be clarification?
Mr. Antonakes. Right. Yes.
Chairwoman Capito. Yes? Okay. And I think you understand
the concern on the privacy issue and the concern on what
Americans are now finding out is being collected at all levels,
whether it is financial information, concern, obviously, about
health records, concern about national security records,
concern about tax records. All of these things, I think it begs
to have a great national discussion on where the fine lines
between your own personal privacy is, whether it is in your
financial institutions or not.
Again, I am going to go back to the PII information,
because I think you have given a little bit of conflicting
testimony, not intentionally, but more in terms of what your
actual mission is, not to collect PII, but in the course of
moving forward in your supervision and in your examination
procedures, PII is part of what you do collect and keep. So
would that be a true statement?
Mr. Antonakes. Madam Chairwoman, for the market monitoring,
we don't see the need to collect PII. We are not studying
individual Americans. We are trying to protect Americans.
So to the extent there is PII that is collected, it is in
response to consumer complaints or through our supervisory
work, which, as I testified earlier, has resulted in
significant reimbursements for American consumers already.
Chairwoman Capito. Right. That would be mostly through your
consumer complaint center--
Mr. Antonakes. And--no. Primarily through our supervision
program and enforcement program. That is where the 430 million-
plus has come.
Chairwoman Capito. And my last--I don't even have a last--
but I do thank you for your service and your testimony, for
which I will thank you again at the end of the hearing. We will
go to--Mr. Scott, did you have an additional question?
Oh, I'm sorry. Mrs. Maloney?
Mrs. Maloney. I think privacy is incredibly important. And
everyone keeps going back to the PII. So I would like you to
put your policy on the PII on your Web site that for broad
areas, looking at interest rates, no one looks at anything
private. But if an individual calls and says, they
retroactively raised my interest rate on my credit card by 30
percent, then you look into that particular situation. So I
would like to request that you put this information up on your
Web site so it is very clear.
I would like to remind my colleagues why we created the
CFPB in the first place. We had a financial crisis that
economists tell us was the first financial crisis in the
history of our country that was caused by policies that hurt
consumers. This country lost anywhere from $12 trillion to $16
trillion because of a financial crisis that could have been
prevented.
That is why they were created, because consumer protection,
the subprime crisis, was totally abusive and unfair prices--or
policies that were put out there by some bad actors, some--not
the full industry. There are many honest, good financial
institutions. But some bad actors, some of whom were not
regulated, put this out there and brought this country to its
knees. And our citizens are still suffering.
No agency was looking at consumer protection. It was a
secondary thought, a third thought, or not thought about at
all. So we believed--many of us--to have an agency that looked
at protecting our veterans as they were overseas fighting, that
looked at protecting our students that we need to educate for
our future, from high interest card rates, to protect our
citizens. The credit card bill of rights that many of us worked
on, according to the Pew Foundation, saved consumers $10
billion last year. That is a lot of money that goes into the
hands of working men and women who need it.
So the financial board came in place, and I would like to
ask unanimous consent to place in the record a series of areas
where they have saved consumers money, kept the money in the
consumer's pocket, which has helped the working men and women
of this country.
So they have been tasked and are mandated to look at
policies in a broad way so that they can prevent abusive
policies in the future, that new products that are created,
that they look to see if they are fair to consumers, that
consumers can understand them.
Their success rate has been phenomenal, and their reports--
granted, they take a long time to do, because they are data-
driven--have helped us with better policies. In overdraft, an
area that I work in, in credit card, an area that I work in, in
student loans, it has helped us make better policy decisions.
They are basically collecting data. We have to make sure
that it is secure and private, but one aspect that you answered
earlier, you testified that other financial agencies such as
the Federal Reserve are collecting more data than the CFPB is
collecting. So what I don't want this to be is a witch hunt
after the CFPB, which is trying to protect consumers.
The other regulators--and they do a very important job--are
protecting institutions to make sure that they don't go under
or hopefully will protect them from going under. But could you
elaborate on what other financial institutions by law are
collecting?
And I believe you testified that they are collecting more
information than the CFPB is. Is that correct?
Mr. Antonakes. Ranking Member, I don't know precisely how
much information the other Federal regulators are collecting.
Mrs. Maloney. The chairwoman and I are going to do a GAO
report and find out--
Mr. Antonakes. Right.
Mrs. Maloney. --so that we can understand and also
streamline it so that agencies aren't collecting the same
information.
Mr. Antonakes. But my understanding is they do collect
substantial amounts of information. The credit card information
we are collecting has been collected by other Federal agencies
for several years.
Mrs. Maloney. And what about stress tests that the Fed
does? What kind of information do they collect?
Mr. Antonakes. Certainly, the Fed has very broad authority,
both in terms of monetary policy and bank regulation, and they
are collecting very different data in many respects than the
type of information that we are collecting.
Mrs. Maloney. What type of information--are they doing
interest rates? Are they doing--
Mr. Antonakes. Well, certainly, unemployment information--
Mrs. Maloney. So that is what you are collecting?
Mr. Antonakes. --a wide variety of information, but I would
not be the best person to ask what particular information the
Federal Reserve is collecting.
Mrs. Maloney. I think we need to really review--
Chairwoman Capito. The gentlelady's time has expired.
Mrs. Maloney. --all of the agencies. What are they
collecting? And how are they protecting the consumer and
financial institutions?
I yield back.
Chairwoman Capito. Mr. Duffy?
Mr. Duffy. I would agree with the gentlelady from New York.
We should know what other agencies are collecting, as well. But
I would disagree with her in the sense that she mentions that
obviously the more data that you have, the better you are able
to protect consumers.
I actually would agree with that component of it. But we
always have a balance with the private sector and our
government in privacy and our civil liberties. And, yes, more
data might mean more protection, but it also means less privacy
for Americans. And I think you are tipping the scales into the
privacy component, as opposed to the protection component.
In regard to data collection, what other agency collects
nearly a--because you have 1.2 billion credit cards out there.
You are collecting 73 percent, going to 80 percent. That is
almost a billion credit card accounts. What other agency is
collecting that kind of data out there? A billion accounts.
Mr. Antonakes. I believe the data collection activities
that we have under way in the card space is very similar to
other data that has been collected by the Federal Reserve, as
well as the Office of the Comptroller of the Currency.
Mr. Duffy. I do want you to answer my question. Is there
another agency that collects about 80 percent--a billion
accounts? Does the Fed do that?
Mr. Antonakes. I don't know what percentage of the accounts
that the other agencies collect, but I do know that they
collect substantial amounts of credit card data.
Mrs. Maloney. Point of personal privilege, because my name
was mentioned?
Chairwoman Capito. Will the gentlelady suspend?
Mrs. Maloney. Pardon me?
Chairwoman Capito. Hold just a minute, please--time to ask
you a question--
Mr. Duffy. Yes, I would yield to the gentlelady from New
York.
Mrs. Maloney. I agree completely with Congressman Duffy
that we need to have the right balance. We need to protect the
consumers overall and have fair and honest banking practices,
but we also have to protect privacy. And, again, I placed in
the record a letter from five different consumer privacy
groups--
Mr. Duffy. Reclaiming my time--
Mrs. Maloney. --who believe that the right balance was
achieved--
Mr. Duffy. --gentlelady from New York--
Mrs. Maloney. --in the CFPB.
Mr. Duffy. --with me in regard to the privacy balance. I
just want to mention that--I believe that Senator Crapo had
asked 3 times that the CFPB provide him information in
regard to how many accounts and how many Americans have their
financial data collected by your agency. And the CFPB has
refused to provide that information to the Senate.
Today, you have agreed to provide that information to us.
Now, I am disappointed that you don't have that number for this
committee. You knew the question was going to come up, and you
were ill-prepared to answer it. But to that point, can we
expect that information within 2 weeks?
Mr. Antonakes. Congressman, we have to be, I think,
entirely precise, just so we can answer you correctly, in terms
of what particular information you are seeking--
Mr. Duffy. How long--
Mr. Antonakes. There is a lot of information.
Mr. Duffy. How many accounts? How long will it take to get
that information?
Mr. Antonakes. Congressman, are you speaking to the
instances in which we collect PII or more broad information
that does not include PII?
Mr. Duffy. All accounts.
Mr. Antonakes. Again, it is not accounts in some cases. It
is loan-level data. It is other types of information, as well.
We can seek to provide that information to you. We will do it
in as timely a fashion as possible.
Mr. Duffy. Okay. I want to move to another issue. In regard
to how you store financial data, do you silo your supervisory
role, data that you collect in your supervisory role? Do you
silo that information from the information you collect in your
market monitoring? That information and data is siloed? They
are separated? They are not merged? Is that correct?
Mr. Antonakes. We don't merge different data sets.
Conceivably, market monitoring personnel would have access to
some of the information, because we are allowed to collect data
for multiple purposes and sources, but we are not mixing and
matching data sets.
Mr. Duffy. So through the supervisory process, the data
that you collect can be merged with the market monitoring. Is
that correct?
Mr. Antonakes. That is not what I said. I said that they
would have access and the ability to look at that information,
but we are not mixing and matching data sets. We are not trying
to re-identify consumers from whom we have not collected PII.
Mr. Duffy. Okay. We received a contract that the CFPB had
with Experian through Judicial Watch. And that contract would
have been used in the market monitoring function. Is that
correct?
Mr. Antonakes. That is correct.
Mr. Duffy. And you have also testified today that in a
market monitoring function, you don't obtain personally
identifiable information. Is that also correct?
Mr. Antonakes. I am saying that if it is coming through
purchases, voluntary information requests, we are not
collecting PII.
Mr. Duffy. Okay.
Mr. Antonakes. If it is coming through the supervisory
channel, it could conceivably--
Mr. Duffy. That is right. But through market monitoring,
you are not collecting it. In regard to Mr. McHenry's
question--and you also said that addresses, as well as ZIP
Codes, plus four, are personally identifiable information,
correct?
Mr. Antonakes. Correct.
Mr. Duffy. Now, I have a contract here provided from
Judicial Watch, your contract with Experian, which requests
that the contractor shall provide ZIP plus four or other
geographic location information, such as census block
identifiers. So I have a contract right here that shows that
you are actually collecting that information, and so your
testimony today is actually incorrect, per your contract with
Experian. Is that right?
Mr. Antonakes. I would have to verify the contract with
Experian to see exactly what type of information we are--
Mr. Duffy. So you are obtaining personally identifiable
information in the market monitoring function, contrary to the
testimony here today. I yield back.
Mr. Antonakes. I don't believe we are, sir.
Chairwoman Capito. The gentleman's time has expired.
Mr. Scott?
Mr. Scott. Yes, thank you, Madam Chairwoman.
Let me just mention--and again, let me just commend the
ranking member, with whom I very much agree on the need for
this, and let me commend the chairwoman of the committee for
this extraordinarily important hearing.
And, again, let me go to one point that needs
clarification, which Mr. Duffy raised. First of all, we raise
this huge number of $80 million on the credit card issue. But
isn't it true that there probably is no other area of great
complaint and concern for consumer protection than the credit
cards? We are almost a credit card society. We have stolen
credit cards. We have misplaced credit cards.
And I think it is very important to clarify that this PII
information that you have to request comes from the personal
request of the individual coming to you to get you to look into
this matter. Are those points correct?
Mr. Antonakes. I would say credit cards is one significant
area of complaints for us. There are others, but it is a
significant area of complaints.
And I would say, to the extent that a consumer is reaching
out to us directly through our consumer response channel, in
that instance, we are collecting PII because they are asking us
to intervene on their own behalf.
Mr. Scott. And while Dodd-Frank, as we mentioned, outlaws
PII information and so forth, it does so within the context
that you fit in with the same parameters as the FDIC, the
Federal Reserve, and other regulatory agencies. Is that
correct?
Mr. Antonakes. That is correct.
Mr. Scott. All right. Now, with that information, the other
request that comes from the other side--and on this request for
numbers and how many and so forth--might have something to do
with the aspect of confidentiality and--we love C-SPAN, and it
is all across the Nation, and the good people hear it, as well
as bad people hear it, and so forth, so there is a reason for
some method of confidentiality.
But you have agreed to find a way individually to make that
known to those various members of the committee who have been
asking for it, correct?
Mr. Antonakes. Correct.
Mr. Scott. All right. Now, let me just ask you this
question again. I don't know if I matched it before, but I
think it is very important. Has there been any breach in the
CFPB's data system concerning this information? Has there been
any breach in that information getting out?
Mr. Antonakes. There has been no breach that we are aware
of, Congressman.
Mr. Scott. No breach that you are aware of. Which means,
are there any--
Mr. Antonakes. I don't--
Mr. Scott. --that you may be unaware of? I need a clear--
Mr. Antonakes. Congressman, I don't believe we have had a
breach.
Mr. Scott. I don't believe, but--is there anybody else in
there where information is brought that there may be a breach?
Mr. Antonakes. We have no reason to believe there has been
a breach.
Mr. Scott. All right. Now, are there firewalls, internal
firewalls that you have involved for storing and using any of
this data so that we can give the public additional assurance
that you have some system in place for various probabilities,
that you have people there whose job it is to just sit all day
and all day and their job is to figure out, how can anything
happen to get this information out to protect it? And do we
have firewalls there?
Mr. Antonakes. Yes, Congressman, we have firewalls, we have
data security personnel, folks whose sole responsibility is to
make sure that any data we collect is being maintained in a
secure fashion.
Mr. Scott. Okay. All right. And finally, I have one other
very, very important point I would like to make, which is that
we are working to try to get something right here to protect
the American people who were grossly taken advantage of in so
many areas.
And I would say, of all that we have done in this lawsuit
reform, the primary role of the CFPB is as the enforcer. And
you can't do that without getting the information. Is there
anything you would recommend to this committee that you need to
be able to do a better job? And especially responding to some
of the concerns that we have had.
Mr. Antonakes. Congressman, I believe we have the tools
necessary to protect American consumers, which is our mandate
and all that we focus upon and why we collect and analyze this
data.
Mr. Scott. Thank you, sir.
Chairwoman Capito. Mr. Barr?
Mr. Barr. Mr. Antonakes, thank you for your testimony
today. I appreciate you providing this committee and the
Congress with more information about the handling of American
citizens' personally identifiable information by the Consumer
Financial Protection Bureau.
But I wanted to follow up on a line of questions, which,
with all respect, I don't think we have the answer that I think
some of my colleagues were seeking, and that has to do with the
categories of information that you are collecting, the
categories of PII that you are collecting.
One category is a category of PII that you get from
consumers who voluntarily disclose it to your agency, correct?
Mr. Antonakes. Correct.
Mr. Barr. The second and--there are only two, as I
understand it, from your testimony--the second is personally
identifiable information that the Bureau obtains in the course
of exercising its supervisory function. Is that correct?
Mr. Antonakes. That is correct.
Mr. Barr. Okay, I am interested in this second category,
where you are obtaining PII from third parties, okay? In those
cases, would an individual be able to, through a FOIA request
or some other mechanism, obtain a file in the possession or
custody of the Bureau with their PII that was obtained from a
third party?
Mr. Antonakes. So my understanding--and I want to answer
this carefully, Congressman, to make sure it is completely
accurate and responsive to your question--my understanding is,
under the Privacy Act, an individual consumer could request to
know whether or not we had collected information on that
person. And I believe--I have to verify--that we would then
provide that information to the individual consumer. They
couldn't ask about other consumers; they could just ask about
their own personally identifiable information.
Mr. Barr. Right, but to follow up Mr. Westmoreland's line
of questioning, for that category of information, PII--
Mr. Antonakes. Yes.
Mr. Barr. --that is obtained by your agency from a third
party, in the course of your supervisory functions--
Mr. Antonakes. Right.
Mr. Barr. --could the individual to which that confidential
information or personal information applies--could that person
obtain the file that you are keeping?
Mr. Antonakes. I want to verify this, but I believe they
have the right to ask, and then we will provide that
information to them.
Mr. Barr. Okay. Let me ask you another question about the
disclosure and the rules and the regulations that govern the
Bureau's disclosure of this personally identifiable
information. One of the regulations, 12 CFR 1070.41(b),
provides the Bureau with authority to make disclosures to your
contractors and your agents. How many contractors, agents, and
third parties have been granted access by the Bureau to this
database of information?
Mr. Antonakes. I would say we have different folks in a
contractual arrangement serving different roles at the Bureau.
Mr. Barr. Yes, how many, approximately?
Mr. Antonakes. I would have to provide that information for
you. I want to be accurate. I would have to get that
information for you.
Mr. Barr. Are we talking a dozen or are we talking--
approximately how many contracts do you all have with third
parties with whom you share this information?
Mr. Antonakes. We have certain areas that we contract with
to do certain services for certain work for us, so it varies.
But those contractors would have access only to the information
that is fundamental to the job that they are doing. They
wouldn't have broad access to all of the information--
Mr. Barr. When you disclose this information to the
contractor or third party, who decides whether or not the
information contains the PII?
Mr. Antonakes. It would be germane to the particular area.
Mr. Barr. Okay, so--
Mr. Antonakes. So if we had contractors, for example,
supporting our consumer response function, then they may have
access to some of the information coming in from complainants.
They wouldn't have information coming in through our
supervisory channel.
Mr. Barr. But the bottom line is, both your systems of
records notice and your regulatory framework contemplate
sharing PII with third parties?
Mr. Antonakes. With people who are working for us and who
are operating under Federal privacy laws.
Mr. Barr. One final question about the data that you
collect from your supervisory role and then the purchase data
sets. Do you match up the data that you obtain from purchased
information, from Experian or CoreLogic or some of these other
organizations--do you match at the individual level that data
with the PII that you obtain under your supervisory functions?
Mr. Antonakes. No, sir, we do not.
Mr. Barr. Okay, my time has expired.
Chairwoman Capito. Mr. Heck?
Mr. Heck. Thank you, Madam Chairwoman.
Hopefully, to close this maybe on a little bit of a
positive note, and to use but one tiny but important example of
how working with the CFPB has helped people, according to
current law--I hope I say this accurately in its entirety--if
you are a member of the service and you produce your orders
with a stipulated end date, you are exempt from your student
loan rate rising above a certain level while you are on active-
duty service.
Because of a peculiarity in the law, if you are an officer,
your orders don't carry a stipulated end date. And as a
consequence, we have all manner of 22-year-old ROTC graduates
about to get hammered by high student loan interest rates.
Our office, working with the Bureau, through their efforts,
identified this as a problem, and there was an amendment added
to the National Defense Authorization Act which corrected this,
and that could not have occurred, sir, without the work of your
agency ferreting that out, identifying it, working it with the
lenders, and with our office to amend the bill so that we can
correct this going forward. Just a tiny example of where people
have been helped and protected because of the work of your
Servicemember Affairs Office. And I thank you for that, as
well.
Mr. Antonakes. Thank you, Congressman. Holly Petraeus and
our entire Office of Servicemember Affairs do a tremendous job.
Congress really appropriately identified in Dodd-Frank the
special needs of servicemembers and how they have, on occasion
in the past, been taken advantage of. So the work they do is
critically important. Thank you.
Mr. Heck. Thank you.
I yield back the balance of my time.
Chairwoman Capito. Thank you. I would like to thank the
witness. I would also like to just review that we have a
request for information from follow up from the CFPB,
specifically, I think, on the numbers of records more specific.
Also, I would like to add to that, if you could, the
categories of PII that you have been collecting in the
supervisory--I am not sure we got that definitively answered,
and I think that would help the committee.
So I would like to thank--
Mrs. Maloney. What categories in general are they
collecting?
Chairwoman Capito. Yes, what categories in general of the
PII. And if you could submit that to me, too, I know some of
the other Members, like Mr. Duffy and others, had asked for
specific information. And thank you for indulging us a second
round. I appreciate that.
The Chair notes that some Members may have additional
questions for this witness, which they may wish to submit in
writing. Without objection, the hearing record will remain open
for 5 legislative days for Members to submit written questions
to this witness and to place his responses in the record. Also,
without objection, Members will have 5 legislative days to
submit extraneous materials to the Chair for inclusion in the
record.
And without objection, the hearing is adjourned. Thank you
very much.
[Whereupon, at 12:27 p.m., the hearing was adjourned.]
A P P E N D I X
July 9, 2013