CFPB Report: 2013-AE-C-021 December 16, 2013
The CFPB has not formally defined its expectations regarding whether enforcement attorneys should be able to obtain direct access to institutions' systems for the purpose of examinations. We found that enforcement attorneys have obtained direct access to examined institutions' systems containing personally identifiable customer information. As a relatively new agency, the CFPB is still developing policies, procedures, and other safeguards around its operations. We believe that the CFPB should clarify its expectations regarding whether the attorneys should be able to access supervised institutions' systems and, if so, establish safeguards around the access. In the absence of clearly defined expectations on systems access and clearly defined roles for enforcement attorneys and examiners, enforcement attorneys accessing institutions' systems may create the appearance that enforcement attorneys participate on CFPB examinations as a pretense to conduct preliminary investigative activities.
The CFPB is authorized to obtain the information necessary to conduct its supervisory activities. Accordingly, on occasion, examiners obtain direct access to institutions' systems for the purpose of conducting examinations. Some interviewees noted that when they obtain access, the supervised institution provides them with read-only access. Other interviewees indicated that institutions sometimes establish electronic repositories, such as SharePoint sites, where they post documentation for the examination team's use, or they may provide documentation to examiners in hard-copy format. We learned that institutions may have differing preferences or capabilities that drive the level of access provided to CFPB staff.
Based on our interviews, we found that enforcement attorneys typically did not obtain direct access to institutions' systems. Interviewees informed us that institutions may provide documentation to examiners who furnish the documents to the assigned enforcement attorney as needed. In some instances, however, we learned that enforcement attorneys have obtained direct access to examined institutions' systems containing personally identifiable customer information.
Interviewees informed us that the CFPB does not have a policy prohibiting enforcement attorneys from obtaining direct access to institutions' systems for the purpose of examinations. Several interviewees opined that enforcement attorneys should not be able to directly access an institution's systems and highlighted the risks associated with affording enforcement attorneys such access. For example, one interviewee noted that it would create trepidation among institutions if enforcement attorneys had access to their systems. Accordingly, we noted that in the absence of formal safeguards, supervision staff within certain examination teams imposed informal limitations on the assigned enforcement attorneys' ability to access systems during their examinations. In addition, an enforcement attorney informed us that he "would not access systems directly, and it is implicitly understood that it is not something that the enforcement attorneys should be doing." A field manager also indicated that there has never been any expectation that enforcement attorneys "would be involved in conducting exam work or have any need for system access." In our opinion, interviewees' concerns regarding enforcement attorneys accessing institutions' systems highlights the need for a policy to formalize CFPB management's expectations on this issue.
Clarifying the agency's expectations regarding whether enforcement attorneys should be able to have direct access to institutions' systems and clarifying the roles of examiners and enforcement attorneys will help to mitigate the reputation risk associated with enforcement attorneys participating on examinations. In our opinion, a policy on system access and additional role clarity could serve as a possible safeguard to mitigate the risk of CFPB enforcement attorneys operating in a manner that is inconsistent with senior officials' expectations.
We recommend that the Deputy Director and Associate Director for SEFL
Regarding recommendation 5, the Deputy Director and Associate Director for SEFL stated the following:
We concur with this recommendation, and the CFPB is addressing the concerns raised in this recommendation through its new policy on enforcement attorney integration into examinations. The new CFPB policy limits the on-site involvement of enforcement attorneys during the course of a supervisory examination. Enforcement attorneys generally will not attend on-site examinations or obtain information directly from institutions as part of the supervisory process. Where CFPB has formally initiated an enforcement investigation, CFPB enforcement attorneys will exercise appropriate investigative authority to conduct the investigation.
Regarding recommendation 6, the Deputy Director and Associate Director for SEFL stated the following:
We concur with this recommendation, and the CFPB is addressing the concerns raised in this recommendation through its policy on enforcement attorney integration into examinations. Under the new CFPB policy, enforcement attorneys generally will not attend on-site examinations or obtain information directly from institutions under examination as part of the supervisory process. As a consequence, enforcement attorneys do not have on-site access to institutions' systems for the purpose of conducting examinations, thus generally eliminating the concerns raised under this recommendation. Where CFPB has formally initiated an enforcement investigation, CFPB enforcement attorneys will exercise appropriate investigative authority to conduct the investigation. As with all CFPB policies, we expect enforcement attorneys and all other CFPB staff to follow the new policy regarding enforcement attorney involvement on examinations, and we will conduct the appropriate level of management oversight to ensure compliance. The CFPB is also currently drafting additional operating procedures to implement the new policy. These operating procedures will contain appropriate monitoring and reporting requirements and other internal controls to facilitate the oversight of the effectiveness of the new policy.
In our opinion, the actions described by the Deputy Director and Associate Director for SEFL appear to be responsive to our recommendations. We plan to follow up on the CFPB's actions to ensure that each recommendation is fully addressed.
