Skip to Navigation
Skip to Main content
OIG Home
OIG Home

IN THIS SECTION

Skip SHARE THIS PAGE section Skip STAY CONNECTED section

CFPB Report: 2025-SR-C-005 May 5, 2025

The CFPB Can Improve Its Safeguards for Protecting Confidential Supervisory Information

available formats

In 2023, the CFPB declared a major breach that affected about 256,000 consumers and 46 institutions after an employee sent confidential supervisory information to a personal email account.

We found that the CFPB’s guidance does not sufficiently limit access to confidential supervisory information. Its guidance also lacks expectations for assessing the severity of confidential supervisory information breaches and enforcing consequences for responsible employees. Finally, the CFPB does not have a defined process to notify affected supervised institutions of breaches.

We are making seven recommendations to address these issues and improve the agency’s protection of confidential supervisory information.