Published: February 2011

CFPB complaint system must resolve complaints and meet public expectations

Coalition: Financial reform

Consumer Action joined a coalition of organizations in asking the Consumer Financial Protection Bureau (CFPB) to design a complaint and inquiry database that effectively gives consumers the information they need, increases regulatory resources, and provides government agencies with early warning signs of problems in the financial sector.

Below is the full text of the letter:

First, we appreciate that the Treasury Department’s CFPB implementation team is moving promptly to set up the complaints and inquiries database. Consumer complaints and inquiries, if accessible in a well-organized database, have the potential to provide valuable information both to the government and to the public about the problems affecting consumers in the marketplace for financial products and services. This data may yield early warning signs of emerging problems, increase efficiency in the use of regulatory resources, and give consumers valuable information as they decide who to do business with in the financial sector.

Second, we continue to believe that in order for the complaints and inquiries database to become an effective and reliable tool for monitoring the marketplace, the CFPB must handle complaints using a process geared toward resolving complaints and meeting public expectations. A successful record of resolving complaints will create good word of mouth for the agency and ultimately provide the CFPB with information about the marketplace which is essential to its job as a regulator, supervisor, and enforcement agency.

Consumers will only come to the CFPB and provide information about their experiences in the marketplace if consumers generally are satisfied with the results of the complaints process - that is, if their problems are resolved. Hence, the more effectively the complaint system resolves problems, the more useful information the CFPB will receive. We recognize that the current comment opportunity concerns the announcement of the existence and purposes of the database rather than the larger purpose of the CFPB’s complaints function, and we look forward to working with the implementation team to design and implement an effective complaint handling process and system.

Third, we offer three specific concerns raised by the description of the database and its uses. These concern the scope of public access, the collection and use of Social Security numbers, and the scope of notice to individuals in the event of a compromise or breach of security.

Summary of issues

1) Need for easy public access to user-defined requested non-private data.
There must be easy access for the public to create user-defined reports for extracts of all information in the database which is not personally identifying information, or sensitive personal information, about individual complainants. We suggest a change in paragraph 15 of the description of routine uses of the records system to clarify this access.

2) No non-essential collection, use, or retention of SSNs; and complaints not tracked by SSN.
The CFPB should not collect Social Security numbers of persons filing complaints unless that number is specifically needed for the type of complaint filed, and the SSN should never be used to tag, retrieve, sort or otherwise track complaint information. This may require a change in the description of retrievability.

3) Need for a strong policy to notify consumers in the event of a security breach.
The database notice contains standard language about the uses of the database in the event of a suspected or confirmed security breach. This language would be too narrow to form the basis for the CFPB’s development of its notice of security breach policy. The CFPB should adopt a policy favoring strong notice to individual consumers in the event it has a future security breach of its complaints and inquiries database. It should follow the best practice of giving notice of a security breach whenever there is a breach of the security of specific types of personally identifiable information.

1. Provide easy public access to non-private data
We are pleased to see that the description of the purposes of the database includes public access, but we suggest a clarification to ensure that public access is sufficiently broad to allow the public, media, academics, and others to engage in their own analysis of the data, not merely to receive trend analysis or extracts chosen by the CFPB for disclosure.

The Federal Register description would allow the public access to information from the complaints and inquiries database in the form of “analytic and statistical reports, summaries, or extracts in which individual identities are not revealed, in order to provide information about trends and patterns derived from information contained in complaint records.” We strongly agree that the identities and other sensitive information about individuals filing complaints must be protected from disclosure. We are concerned, however, that the “or” could mean that the public would receive extracts only if the CFPB decides to release extracts of complaints in addition to its own analytic reports. In addition, we wish to ensure that the user can identify the trends or patterns he or she is looking for, rather than only those pre-identified by the agency. For these reasons, we recommend that the public have full access to extracts of all records minus the sensitive and identifying data.

The user should be able to define a request to query the system with user-defined parameters including the type of complaint, entity complained about, geographic region of complainant, and a temporal component. Members of the public who make such a request should receive the information in a format in which they can read, use, and further analyze it.

To accomplish this, extracts of complaints should be made available which include the full non-private portion of all complaints. These extracts should be provided by the database with support for user-defined requests for data. The requested data should be provided to the requestor in a flat file or similar format in which the user may analyze it further; along with adequate documentation of the meaning of any codes or categories used in the data; and it should be usable with standard application programming (API) protocols.

Public access to the full data, minus sensitive and identifying personal information, will give consumers a powerful tool to make choices in the marketplace. It will augment the resources of the CFPB by encouraging independent academic analysis of trends and will provide many more eyes to potentially identify emerging trouble spots. The knowledge that complaint information will be public will also create a powerful incentive for financial services firms to treat customers fairly from the outset.

2. No non-essential collection, use, or retention of SSNs; and no use of SSNs for complaint retrieval
Second, the proposed regulations create a field for Social Security number and would allow, without requiring, that complaints be retrieved by SSN. We caution against any future choice to require the SSN on the complaint form. We recommend that the Consumer Financial Protection Bureau never request the SSN for inquiries, and that it not collect SSNs of individuals who file complaints unless the SSN is essential to the type of issue complained about. Putting the SSN on the complaint form would deter some consumers from filing a complaint, in part due to security concerns about the channel for submitting the complaint, whether online or by mail.

Asking for Social Security numbers when it is not essential may pose a security risk to the individual and the agency. In 2007, the Office of Management and Budget advised federal executive branch agencies to remove unnecessary Social Security numbers from their information systems, citing security concerns.

The section of the Federal Register notice describing retrievability of records states that “records are retrievable by a variety of fields including, but not limited to, the individual’s name, Social Security number, ...” We recommend eliminating retrievability by SSN. Making the complaint retrievable by SSN will encourage the collection of SSNs and will expose the SSN to more routine use within the agency, which increases the risk of a security breach.

On a related issue, we also recommend that account numbers for financial accounts should only be requested from consumers when necessary based on the type of complaint, and that access to those numbers should be limited to the company involved and to those who are working to resolve the complaint.

3. The CFPB should lead by example with a strong policy to notify consumers in the event of a security breach
The Treasury Department’s description of uses for the database refers at paragraph (13) under “routine uses of records” to the disclosure of information from the database to persons when the Treasury suspects or has confirmed a compromise of data security, the Treasury “has determined” that as a result of the security breach “there is a risk of harm...” with some specific types of harms mentioned, and the disclosure is reasonably necessary to assist in connection with the Treasury’s efforts to respond to the suspected or confirmed security breach. This appears to be the standard, OMB-approved language for routine uses so that the agency can communicate with experts about the data in the database to stop or prevent security breaches.

However, we caution that this routine use language is too narrow to form the basis for the CFPB’s future notice of security breach policy. The CFPB should have the best standards for notifying individuals in the unfortunate event of a security breach. That will require more than notice when there has been a determination of a “risk of harm” from a suspected or confirmed compromise of security or confidentiality. We recommend that the Treasury Department, and subsequently the CFPB after the July 2011 start date, adopt a policy to give notice to individuals whenever specific types of sensitive information become the subject of a security breach.

Many states require mandatory notice of a security breach without reference to a risk of harm trigger or exemption from the obligation to give notice. For example, California requires notice to consumers of any breach in the security, confidentiality, or integrity of defined types of unencrypted computerized personal information held by a business or a government agency without reference to a determination of, or the existence of, a risk of harm from the breach (Civil Code Sec. 1798.80-1798.82). Similarly, Texas has a mandatory notice requirement applying to any holder of information who conducts business in the state and incurs a breach of defined types of personal information (Tex. Bus. & Com. Code Ann. 4-48-103). New York requires notice by both private and public entities without reference to a perceived risk of harm (NY Bus. Law Sec. 899-aa). Illinois law also requires notice without applying any trigger, screen, or defense related to the risk of harm (815 ILCS 530). These state laws illustrate best practices in notice of breach.

Because the Consumer Financial Protection Bureau should be a leader in consumer protection, the CFPB should not offer less notice of a security breach than consumers in many states get when a business has a security breach. The database notice appears to be boilerplate language not intended to resolve this question, but it does highlight the need for the CFPB to adopt a notice of breach policy. We suggest that the CFPB should adopt a notice policy at least as strong as the “no harm standard” approach to notice of breach provided by the laws of California, Texas, Illinois, and New York.

We look forward to working with the CFPB Implementation Team on these and other key issues of concern to consumers.

Lead Organization

Consumers Union

Other Organizations

Americans for Financial Reform | Consumers Union | Consumer Federation of America | California Reinvestment Coalition | Center for Media and Democracy | Center for Digital Democracy | National Association of Consumer Advocates | National Consumer Law Center | National Fair Housing Alliance


Tags/Keywords

consumer protection, congress, cfpb
