by Jeff Sovern
There's been a steady drumbeat of criticism for the CFPB from certain members of Congress for not moving sooner on the Wells Fargo unauthorized account scandal. These critics also tend to support legislation, like the Financial Choice Act, which would take away the power the CFPB used to fine Wells Fargo for its misconduct. Somehow, they overlook the fact that the OCC received hundreds of whistleblower complaints in 2010, before the CFPB existed, and dropped the matter until years later after discussing it with Wells leadership. Now the critics are slamming the Bureau for not doing more about Equifax. Here's Iain Murray of the Competitive Enterprise Institute, no friend to the CFPB, in the National Review:
When CFPB powers were extended over credit reporting bureaus in 2012, the CFPB announced the “companies will be subject to review of compliance systems and procedures, on-site examinations, discussions with relevant personnel, and they will be required to produce relevant reports.” None of this seems to have helped the Bureau stop the Equifax security breach. The Bureau was also supervising Wells Fargo during its upselling excesses, yet it was the Los Angeles Times and California regulators who actually noticed what was going on.
I haven't checked to verify that the Bureau has authority over data breaches at financial institutions, though others have argued that it does. Assuming that it does, it is asking a lot for the Bureau to prevent every data breach. Do the Bureau's critics also argue that the FBI should be weakened because we still have bank robberies after centuries of trying to stop them? The Bureau is still a young institution, and it is entitled to some time to find its way. Even after it matures, some malefactors will slip through the cracks; some always do. But we are much better off with cops on the beat than without them. It is fair to ask the Bureau why it didn't discover the Equifax breach and whether there are steps it could take to prevent future such breaches. But isn't it funny how the people who want the Bureau to do more also complain it does too much?
Dodd-Frank Section 1093 explicitly left data security for non-bank financial institutions with FTC. Credit bureaus are non-bank FIs under Gramm-Leach-Bliley Title V and the subsequent privacy “Safeguards Rule” issued by FTC.