Skip to Navigation
Skip to Main content
OIG Home
OIG Home

In This Section

Skip SHARE THIS PAGE section Skip STAY CONNECTED section

September 30, 2014

Major Management Challenges for the Consumer Financial Protection Bureau

  • Full Listing

available formats

  • Full Listing:

    PDF | HTML

September 30, 2014



Richard Cordray
Consumer Financial Protection Bureau


Mark Bialek  /signed/
Inspector General


The OIG's List of Major Management Challenges for the CFPB

We are pleased to provide you with the Office of Inspector General's (OIG) first listing of major management challenges facing the Consumer Financial Protection Bureau (CFPB). These challenges represent what we believe to be the areas that, if not addressed, are most likely to hamper the CFPB's accomplishment of its strategic objectives.

We used audit and evaluation work performed by the OIG and audits performed by the U.S. Government Accountability Office, along with CFPB documents, to identify the CFPB's major management challenges, which are listed in the table below.

Management challenge no. Description Attachment 1 page no.
1 Improving the operational efficiency of supervision 1
2 Building and sustaining a high-performing workforce 3
3 Implementing new management operations 6
4 Providing for space needs 9
5 Ensuring an effective information security program 10

Details on each challenge are in attachment 1 of this memorandum. Attachment 2 maps our ongoing and planned work to the major management challenges that we have identified for the CFPB.

We appreciate the cooperation that we received from the CFPB as we developed this listing of challenges. Please contact me if you would like to discuss any of the challenges.


Steven Antonakes, Deputy Director and Associate Director,
    Division of Supervision, Enforcement, and Fair Lending
Sartaj Alag, Chief Operating Officer and Associate Director,
    Operations Division
Gail Hillebrand, Associate Director, Division of Consumer
    Education and Engagement
David Silberman, Associate Director, Research, Markets, and
    Regulations Division
Zixta Martinez, Associate Director, Division of External Affairs
Meredith Fuchs, General Counsel and Associate Director, Legal
Stephen Agostini, Chief Financial Officer and Assistant Director,
    Office of the Chief Financial Officer

Management Challenge 1: Improving the Operational Efficiency of Supervision

Since it began operations in July 2011, the Consumer Financial Protection Bureau (CFPB) has made significant progress toward developing and implementing a comprehensive supervision program for depository and nondepository institutions. The agency has implemented this program on a nationwide basis across its four regional offices. While we recognize the considerable efforts associated with the initial development and implementation of the program, we believe that the CFPB can improve the efficiency and effectiveness of its supervisory activities. Specifically, our evaluation work indicates that improving this program's operational effectiveness will be a focus of management's attention in the coming year as the agency works to (1) clear a considerable number of draft examination reports that have yet to be issued, (2) improve its reporting timeliness, (3) ensure the timely recording of data in its tracking system, and (4) formalize the process for scheduling and tracking examiner hours.

Timely Issuance of Examination Reports

The results of our evaluation work demonstrated that as of July 31, 2013, the CFPB had not met its goals for the timely issuance of examination reports, and a considerable number of draft examination reports had not been issued. A senior CFPB official explained that management's goal of treating similar supervisory issues consistently slowed the examination report review process. This priority and several novel substantive examination issues were contributing causes of the volume of unissued examination reports. Delays in the issuance of examination reports can leave supervised institutions uncertain about the CFPB's feedback on the effectiveness of the institutions' compliance programs or processes, which could delay the implementation of required corrective actions.

Agency Actions

We understand that management has taken a series of actions to (1) improve its timeliness in issuing reports and (2) reduce the number of examination reports that have not been issued. To improve the timely issuance of reports, the CFPB initiated a project focused on clarifying roles and responsibilities, including clarifying the decision rights and accountabilities related to specific aspects of the examination and report review process for key staff members. The agency also hired a third-party vendor to identify possible efficiency opportunities in the examination report review process. As part of these and other efforts, the agency created standard report templates, created an expedited report review process for low-risk reports, and updated the management dashboard to include forward-looking metrics. The agency has implemented many of these enhancements as part of a pilot program that includes 12 examinations. The agency is now in the process of formally codifying these enhancements and developing associated training.

The CFPB has also significantly reduced its volume of unissued examination reports. Senior officials have expended considerable effort to monitor and track the progress of the Division of Supervision, Enforcement, and Fair Lending in issuing reports at an individual-examination level. As part of these efforts, senior officials receive summary information concerning how many examination reports were issued in the preceding month and projections identifying how many reports are likely to be issued in future months. In addition to summary status updates, the report also contains detailed status information on specific examinations. Senior CFPB officials have also stated that they intend to formalize many of the steps the agency has taken to address the volume of unissued reports.

Ensuring Timely Input of Data in the Supervisory Examination System

Our evaluation work revealed that the CFPB has not established standards for the timely input of data in the Supervisory Examination System (SES). The CFPB uses SES to monitor and track on a weekly basis its examination teams' progress toward completing key milestones. Because the CFPB has not established a requirement for the timely recording of examination data, we used seven days as a standard that would allow consideration for logistical impediments to recording examination data immediately but would still provide managers with up-to-date and reliable information. Using that standard, we found that examination milestones were not entered in a timely manner in at least one-fourth of the instances for each of the seven key examination milestones we reviewed. The lack of timely SES data may hinder management's ability to monitor and track its examination teams' performance against expectations, as well as to forecast staffing availability for planned examination activities. The agency routinely makes updates to the system, and we understand that a comprehensive update to the system is planned. Ensuring timely data input and implementing this comprehensive system update will be management challenges for the agency.

Agency Actions

The CFPB has drafted and circulated for comment a policy that covers the timely input of data into SES. The draft policy establishes time parameters for when data should be entered and holds examiners accountable for adhering to those parameters. Senior management anticipates that the policy will be finalized by October 2014, and training will be provided at headquarters and in the regions.

As part of its overall efforts, the CFPB continues to develop and expand SES in order to maximize the effectiveness of its supervisory work. The upcoming comprehensive update to SES will enable the CFPB to compile information across its regions and supervised institutions. The system upgrade will also address examination scheduling, document management, examination management, report generation, and analysis.

Formalizing the Process for Scheduling and Tracking Examiner Hours

Our evaluation work found that the CFPB does not have a formalized policy for scheduling or tracking staff member hours on examinations. The agency's four regions do not follow a consistent approach for forecasting and scheduling examiner workloads. Currently, the agency relies on a fluid and informal process for planning and staffing examinations in which field managers meet to discuss examiner availability and experience. Having a policy for scheduling and tracking examination hours will bolster the CFPB's ability to hold staff members and regions accountable for the staff resources allocated and time expended on examinations and to forecast future staffing needs. 

Agency Actions

The agency is currently conducting an internal analysis to evaluate the current processes for coordinating examination staff scheduling across regions and to identify areas of potential inconsistency regarding regional staff scheduling. After completing this analysis, an examiner workgroup will be convened to review the results of the analysis and to propose needed enhancements to those processes for managing staff members' workloads and identifying future staffing requirements. Further, the agency has begun tracking actual staff member hours worked on examinations and plans to develop an associated policy. As it collects more of this type of data, management can establish benchmarks for resources allocated and time spent on examinations. Management also intends for the SES upgrade to address consistency in examination scheduling across the agency's regions.

Management Challenge 2: Building and Sustaining a High-Performing Workforce

Attracting, engaging, and deploying a workforce is a key outcome within the CFPB's strategic goal to advance the agency's performance by maximizing its resource productivity and enhancing its impact. In 2012, the Office of Human Capital issued its Human Capital Strategic Plan FY2013-FY2015, which aligns with the CFPB's goals and outcomes. This plan includes the goal of attracting, engaging, and deploying a workforce to meet dynamic challenges and to provide effective oversight of the consumer financial marketplace. The CFPB faces challenges in meeting this goal due to competition for highly qualified staff with the unique skill sets needed to fulfill its mission. Further, as the agency seeks to build and sustain a high-performing workforce, it will need to strengthen workforce planning, establish appropriate training and development programs, implement an effective performance management system, and put in place a comprehensive diversity and inclusion program. In addition, the Office of Human Capital will need to continue to focus on developing an effective overall human capital infrastructure, a critical step to ensuring alignment with the CFPB's outcomes and its goals of recruiting and retaining a diverse workforce.

Identifying Mission-Critical Technical, Managerial, and Leadership Skills Through Workforce Planning

A key first step in ensuring that the CFPB has a workforce that can effectively carry out its mission is identifying the critical technical, managerial, and leadership skills through workforce planning. In its 2003 report Human Capital: Key Principles for Effective Strategic Workforce Planning, the U.S. Government Accountability Office (GAO) highlights successful principles for workforce planning that include determining the critical skills and competencies needed to achieve an agency's mission, along with strategies to address skill and competency gaps. The CFPB has established a workforce planning process, but the CFPB has acknowledged the need to broaden its workforce planning to include identifying mission-critical occupations and related competency models, emerging needs, and potential skills gaps. In determining the appropriate strategy to narrow any skill gaps, the CFPB will need to consider the means to obtain the right sets of skills, including the proportion of contracted versus federal employees, and permanent versus term employees.

As a new agency, the CFPB had to quickly build its workforce while simultaneously identifying and recruiting the best-qualified people to meet immediate and long-term staffing needs. Managing a current workforce of more than 1,300 employees requires appropriate management and leadership skills. In its most recent human capital annual report to Congress, the CFPB reported skill development initiatives for managers and supervisors; however, the agency needs to further cultivate management and leadership competencies and develop a long-term approach to workforce planning.

Agency Actions

In the CFPB's Human Capital Strategic Plan FY2013-FY2015, workforce planning is a component of the first human capital strategy. The plan outlines several initiatives related to workforce planning, including continually assessing workforce planning needs. The CFPB reports on its workforce planning efforts in its annual reports to Congress. In the December 2013 report, the CFPB states that its workforce planning process aligns with the annual budget process and identifies workforce requirements proactively. The CFPB has identified four categories of mission-critical occupations and has begun revising its competency model framework. The CFPB plans to use the competency models for career development and training, as well as for clarifying career paths across job families. Additionally, the agency has conducted a structured organizational design analysis of each division.

Recruiting and Retaining a Highly Skilled, Diverse Workforce

The CFPB has identified as one of its key human capital strategies recruiting and retaining a highly skilled, diverse staff through effective workforce planning and talent acquisition methods, as well as through diversity and inclusion programs. The agency has acknowledged that supervising consumer compliance at financial institutions and nondepository entities can be highly complex and specialized, and that without appropriately skilled staff, it will be challenged in meeting its statutory requirements and accomplishing its mission. Our work on the CFPB's supervision program shows the challenges that the CFPB faces in meeting its need for unique skill sets and establishing appropriate staff training and development programs. We found that as of June 2013, 55 percent of the examination staff members were below the minimum grade level for commissioning, indicating that most staff members had not completed the series of supervisory training courses and proficiency examinations required to become a commissioned examiner. While the CFPB works to roll out a finalized commissioning program by the end of 2014, it is commissioning examiners through an interim program.

An additional challenge to retaining a qualified and diverse workforce relates to the CFPB's performance management system. In a March 2003 report, GAO reported that a performance management system can benefit the day-to-day management of an organization, thereby helping it achieve results. The report also notes the need for such a system to have safeguards to ensure the transparency or fairness of evaluations of an employee's performance. In early 2014, the CFPB acknowledged that disparities were identified in employee performance evaluations based on race, age, office location, and length of employment. As a result, the performance management system that was implemented in fiscal year 2013 is being replaced.

Further, the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act) requires federal financial agencies, including the CFPB, to develop standards for equal employment opportunity and the racial, ethnic, and gender diversity of the agency's workforce, and to report annually on the recruitment and retention of minorities and women and on other diversity practices. In March 2014, the CFPB reported in its Office of Minority and Women Inclusion annual report that agency officials acknowledged the need to continue strengthening the agency's efforts to hire a diverse workforce. In addition, the CFPB acknowledges that in the aggregate, the agency is diverse; however, its workforce could better reflect the nation's multicultural composition. Retention of a diverse workforce is also a challenge, and the CFPB plans to assist managers and leaders in developing diversity and inclusion strategies to strengthen employee retention efforts. As the CFPB continues to create a high-performing workforce, such challenges should continue to be an area of focus.

Agency Actions

The CFPB noted in its most recent human capital annual report to Congress that it continues to develop its human capital practices, including several ongoing initiatives related to workforce planning, recruitment, and retention. Initiatives include the implementation of a new process for position management and position approval to ensure a consistent approach to recruitment. Additionally, as reported in its human capital annual report to Congress, the CFPB has partnered with diversity and professional groups as part of its recruitment efforts. The CFPB's No Fear Act Annual Report FY 2013 states that the agency continues to build its equal employment opportunity program and has identified goals for the next two years to establish and administer plans to ensure that the CFPB has a demographically diverse workforce. In response to developments in early 2014, the CFPB conducted its own internal analysis of the performance management system results for 2013. Based on the findings of this analysis, the CFPB is collaborating with the collective bargaining unit that was established in May 2013 to develop a new performance management system and is taking additional steps to promote fairness and inclusion in the workplace.

Developing an Effective Human Capital Infrastructure

As the CFPB continues to evolve, the agency is further developing its human capital infrastructure. As part of this effort, the CFPB has been establishing human capital policies and working on allocating and prioritizing its resources. The CFPB acknowledges that employees were hired at a rapid pace over the past three years to meet statutory requirements under the Dodd-Frank Act. This rapid growth, coupled with a workforce that is geographically dispersed, enhances the importance of having the appropriate policies and procedures in place and engaging all staff members in a consistent manner. The dispersed nature of the CFPB's workforce calls for a targeted communication strategy to reach staff members who are working remotely. Other components of the agency's human capital infrastructure, such as career maps and additional managerial development programs, will take time to implement.

Additional areas for improvement include streamlining the application process and continuing to develop targeted outreach programs and communications to champion the benefits of careers at the CFPB. As noted previously, the need to recruit and retain a diverse workforce is critical, and improving the CFPB's compensation and benefits policies and practices will contribute to achieving that goal. In addition, establishing a new performance management system that is fair and contributes to developing its workforce will be a challenge for the CFPB and will likely require improvements in components of its human capital infrastructure. Underlying many of these outstanding challenges is the need for the CFPB to implement a comprehensive human resources information system strategy.

Agency Actions

As stated earlier, the CFPB identified several ongoing initiatives in its most recent human capital annual report to Congress that will aid in developing its human capital infrastructure. The CFPB has developed many policies and procedures, implemented a new position management process, and created a workforce planning handbook for leadership and hiring managers. For employee development, an individual development planning process has been instituted, and the CFPB has core competency courses and new learning projects underway to enhance technical expertise for all employees. In addition, CFPB employees are provided many workplace flexibilities in an effort to promote employee engagement and productivity. The CFPB is also collaborating with the collective bargaining unit on many aspects of its human capital infrastructure, including compensation, benefits, and a new performance management system.

Management Challenge 3: Implementing New Management Operations

The CFPB continues to establish and implement its internal management operations as it seeks to provide effective oversight of the consumer financial marketplace. Establishing appropriate internal controls--including policies and procedures that clearly define roles and responsibilities--and effectiveness measures should continue to be an area of focus for the CFPB as the organization grows and the consumer financial products and services that the agency regulates evolve. In addition, the CFPB has acquired staff members from several federal agencies as well as from the private sector, resulting in different sets of practices and expectations across the organization. Key program areas that the agency should focus on include the Civil Penalty Fund and the Consumer Complaint Database.

Strengthening Controls

As mentioned earlier, the CFPB must continue its effort to establish and implement appropriate operational controls related to its supervision program and develop an effective human capital infrastructure. Further, our work related to the Government Performance and Results Act of 1993, as amended (GPRA), determined that the CFPB needs to establish more outcome-based measures. CFPB officials noted during this audit that while the agency was focused on establishing operations, the measures it had in place addressed the CFPB's initial operational activities and some GPRA requirements were unmet. Identifying outcome-based measures that can be quantified using a balanced set of organizational performance indicators and that can be effectively monitored will be a challenge going forward, requiring additional time and outreach efforts to CFPB stakeholders.

In addition, our audits and evaluations of procurement, travel, supervision, and enforcement found areas in which the CFPB needed to clarify roles and responsibilities. We also noted that the CFPB needed to timely develop and deploy sound policies and procedures in these key areas, as well as for conferences.

Agency Actions

The CFPB has established a team within the Chief Financial Officer's organization to review, monitor, and improve internal control. The CFPB has made progress in establishing new agency operations and will continue to define division-level performance goals and measures. By implementing GPRA, the CFPB is ensuring that its operations align with its strategic plan. In addition, many of our audits and evaluations have noted progress in assigning roles and responsibilities, as well as in establishing policies and procedures.

Civil Penalty Fund

The Dodd-Frank Act requires the CFPB to deposit any civil penalty it obtains in any judicial or administrative action under federal consumer financial law into the Civil Penalty Fund (CPF). The CFPB is to use the funds collected to compensate consumers who were harmed by activities for which civil penalties have been imposed. Under the CPF rule, to the extent that victims have already been compensated, cannot be located, or payment is otherwise not practicable, the CFPB may use the funds for consumer education and financial literacy programs. As of June 30, 2014, the CFPB had collected and deposited approximately $144 million of civil penalties into the CPF and distributed approximately $1 million to victims. The CFPB identified vendors and awarded a multiyear contract to distribute funds to victims. The agency has also identified and approved two consumer education and financial literacy program proposals totaling $28 million to be funded through the CPF. As the fund continues to grow, the CFPB may face challenges in distributing funds to victims in a timely manner.

Agency Actions

The CFPB has issued a final CPF rule and implemented internal controls by developing internal procedures. The CFPB has also contracted with third-party administrators to identify, locate, and notify victims and has begun distributing payments from the CPF to victims. The CFPB established a policy that describes procedures for identifying and developing consumer education and financial literacy programs under the CPF and defines the roles of the Consumer Education and Financial Literacy Officer and the Division of Consumer Education and Engagement Associate Director in selecting those programs.

Consumer Complaint Database

In June 2012, the CFPB became the first federal regulator to publicly share individual-level consumer financial complaint data. While the Consumer Complaint Database initially contained only credit card complaints, the CFPB has extended the database to other consumer financial products and services covered by the CFPB. As the types of products and services expand, the agency will be challenged to manage complaints, improve data quality, and maintain the effectiveness of the complaint process. Further, the CFPB will face additional challenges in ensuring that personally identifiable information is properly protected given the agency's recent decision to publish narratives in its public complaint database.

Agency Actions

The CFPB has taken steps to improve the reliability and timeliness of data in the Consumer Complaint Database, as well as to protect sensitive personal information. The agency's Office of Consumer Response developed written procedures for reviewing and editing complaint data and for the daily refresh process of the public complaint database. In addition, the CFPB has enhanced the efficiency and timeliness of the daily refresh process by fully automating the steps to update the data. In its proposed policy statement dated July 14, 2014, regarding the agency's intent to disclose narratives in the public complaint database, the CFPB stated that a robust scrubbing standard and methodology would be applied to remove personal information and reduce the risk of re-identification.

Management Challenge 4: Providing for Space Needs

The CFPB is undertaking a major capital improvement project to fully renovate its headquarters building. The headquarters renovation project is a multiyear project that involves significant resources and poses several challenges. In addition to the challenges related to the renovation, space planning during and after the renovation may also pose a challenge to the CFPB.

Headquarters Renovation

The headquarters building that CFPB is leasing has not undergone significant renovation since it was constructed in 1976. The CFPB plans to make workplace and energy-efficiency improvements, including upgrades to the building infrastructure, and it plans to replace aging mechanical and electrical systems that have reached the end of their life cycle. An architectural and engineering firm has been selected, and publicly disclosed renovation cost estimates have reached as high as $145 million. This estimate is exclusive of costs for architectural and engineering services, rent for swing space, costs associated with moving, and additional renovation-related expenses. This multiyear project poses several challenges for the CFPB, including managing and mitigating risks such as potential scope changes, schedule delays, unanticipated expenses, and cost overruns. 

Agency Actions

To help mitigate risks during the renovation, the CFPB entered into a memorandum of understanding and obligated funds on a reimbursable work agreement with the U.S. General Services Administration (GSA). GSA is currently managing the procurement of the construction management contract and the construction contract.

Space Planning

Space planning will be required during and after the headquarters renovation. In May 2014, the CFPB began moving into swing space needed to accommodate staff members displaced by the renovation. In addition to the swing space, the CFPB currently occupies space in one other building. Once the renovation is complete, not all headquarters personnel will fit into the renovated building and additional space will still be required. To address this issue, the CFPB is planning to consolidate personnel currently located in the other two buildings into one permanent space. Any delays in the renovation schedule could affect the CFPB's planning for both the swing space and the permanent space.

Agency Actions

The CFPB is coordinating with GSA to perform space-planning analysis.

Management Challenge 5: Ensuring an Effective Information Security Program

GAO continues to include protecting the federal government's information systems and the nation's cybercritical infrastructure as a priority for federal agencies. The Office of Inspector General has likewise identified information security as a major management challenge for the CFPB due to the advanced, persistent threat to government information technology (IT) infrastructure. CFPB management needs to continue improving its information security program, overseeing the security of contractor-operated information systems, transitioning IT resources from the U.S. Department of the Treasury (Treasury), and ensuring that personally identifiable information is properly protected.

Improving the Information Security Program

As the CFPB evolves, it continues to mature and improve its information security program to align to the new guidance provided by the National Institute of Standards and Technology. The CFPB has taken steps over the past year to develop, document, and implement an information security program; however, we have identified opportunities to improve this program through automation, centralization, and other enhancements to ensure that the Federal Information Security Management Act of 2002 (FISMA) requirements are met. Improvements are needed in four high-priority security risk areas: continuous monitoring, configuration management, security training, and incident response and reporting.

CFPB management faces challenges in implementing a continuous monitoring process for all CFPB systems, establishing metrics to gauge the effectiveness of its continuous monitoring program, and implementing automated tools to more comprehensively assess security controls and system configurations. Challenges also exist in developing and implementing an agency-wide configuration management plan. Further, it is difficult for the CFPB to correlate information on incident activity because it does not yet have the capability to analyze security incident information from all relevant sources. Finally, the agency needs to develop and implement a role-based security training program to ensure that individuals with significant security responsibilities for CFPB systems are effectively and efficiently implementing the agency's information security program.

Agency Actions

The CFPB has taken steps to develop, document, and implement an information security program. The agency has finalized its information security policy, developed information security procedures and standards in several areas, and developed an information security strategy. The CFPB has also implemented processes that are generally consistent with federal requirements for identity and access management, incident response and reporting, risk management, plans of action and milestones, remote access management, and contractor systems. Further, the CFPB is developing an enterprise architecture that will include security architecture to help guide agency investments in information security.

Ensuring the Security of Contractor-Operated Information Systems

FISMA requires agencies to develop, document, and implement an agency-wide information security program for the information and information systems that support the operations and assets of the agency, including those provided by another agency, a contractor, or another source. The CFPB relies on a variety of contractor-operated and contractor-maintained systems to meet its mission, including several cloud computing–based systems in which computing resources may be shared with other federal or commercial entities. The agency faces challenges in ensuring that contractors implement the required information security controls.

The risk associated with contractors can be heightened in cloud computing–based environments because the agency may have limited insight or knowledge of the security processes of contractors. The CFPB needs to ensure that cloud providers are implementing requirements for records management, electronic discovery, privacy, and information security. Our audits of CFPB contractor-operated systems have identified several areas for improvement to ensure that the CFPB's information security requirements are met. These areas include incident response and reporting, configuration management, and personnel security.

Agency Actions

The CFPB has taken several steps to strengthen its oversight processes to ensure that contractor-operated systems meet FISMA and agency information security requirements. The CFPB has implemented a change control process whereby the security impact of changes to all systems, including contractor-operated systems, is analyzed and approved. The CFPB also has begun implementing a continuous monitoring process whereby security controls for contractor-operated systems are assessed on an ongoing basis.

Transitioning Information Security and IT Resources From Treasury to the CFPB's Infrastructure

Transitioning information security and IT resources from Treasury and building the CFPB's IT infrastructure poses challenges for the CFPB. When the CFPB began operations in July 2011, it relied on the IT systems, the IT infrastructure, and the information security program of Treasury. Since then, the CFPB has made progress in transitioning from Treasury; however, the CFPB must address management and technical challenges in its transition to ensure the implementation of a robust IT infrastructure.

The CFPB has encountered scheduling delays in transitioning IT from Treasury and in establishing certain components of its own IT infrastructure. The CFPB continues to rely on Treasury for certain information security program services and systems, including remote access, security awareness training, and incident reporting. The transition will require significant resources and a concerted effort over several years. The CFPB should analyze the costs and benefits of various approaches to developing its IT infrastructure and completing the development and implementation of its enterprise architecture. Further, the agency must ensure that its IT infrastructure is built with appropriate security and privacy controls to protect sensitive information.

Agency Actions

The CFPB has developed a phased approach to transitioning IT services from Treasury and developing its IT infrastructure. Having transitioned e-mail, file shares, mobile devices, and other enterprise services to CFPB-managed infrastructure, the agency is making progress toward full technology independence. The CFPB is also in the process of defining its enterprise architecture, which includes the IT technologies, standards, and processes the agency will use to accomplish its mission.

Ensuring Protection of Personally Identifiable Information

Protecting personally identifiable information in federal systems is critical because its loss or unauthorized disclosure can lead to serious consequences for individuals. The CFPB must continue to ensure that sensitive privacy information is adequately protected within the systems it owns and maintains and within those maintained on its behalf by contractors and other entities.

To accomplish its mission, the CFPB collects, processes, stores, and shares privacy-related information on consumer financial products and services. The CFPB has stated that it does not monitor the accounts of particular consumers and does not track the financial habits or activities of any individual consumer. In the normal course of carrying out its statutory mandate to protect consumers, ensure regulatory compliance, and monitor the consumer financial marketplace for risks to consumers, the CFPB receives information about accounts from consumers who seek the CFPB's help through the Consumer Response function and from the institutions involved in the complaints. In addition, the CFPB performs market monitoring activities, which involve the analysis of market trends and risks to consumers based on aggregated account information.

Agency Actions

The CFPB has designated a Chief Privacy Officer, who is responsible for the agency's privacy compliance and operational activities. The CFPB has also developed privacy and breach notification policies, systems of records notices, and privacy impact assessments of various systems that collect or store personal information. Further, the agency has implemented a number of management, operational, and technical controls to ensure that privacy information is adequately protected.

CFPB Management Challenges: Crosswalk to Ongoing and Planned OIG Work

Management Challenge 1: Improving the Operational Efficiency of Supervision

Ongoing work

  • Joint Evaluation of Coordination Between the CFPB and Other Regulatory Agencies

Planned work for 2014

  • Evaluation of the Effectiveness of the CFPB's Examination Workpaper Documentation
Management Challenge 2: Building and Sustaining a High-Performing Workforce

Ongoing work

  • Evaluation of CFPB's Hiring Process
  • Audit of the CFPB's Diversity and Inclusion Processes
Planned work for 2014
  • Audit of the CFPB's Pay and Compensation Program
Management Challenge 3: Implementing New Management Operations

Ongoing work

  • Audit of the CFPB's Distribution of Civil Penalty Funds
  • Audit of the CFPB's Contract Management Process
  • Audit of the CFPB's Public Consumer Complaint Database
  • Evaluation of the CFPB's Hiring Process
  • Risk Assessment of the CFPB's Travel Card Program



Management Challenge 4: Providing for Space Needs

Ongoing work

  • Audit of the CFPB's Space-Planning Activities
  • Audit of the CFPB's Headquarters Renovation Costs
Planned work for 2014
  • Additional audit work will be planned based on the results of our ongoing projects.
Management Challenge 5: Ensuring an Effective Information Security Program

Ongoing work

  • Audit of the CFPB's Cloud Computing Environment
  • Security Control Review of the CFPB's DT Complaints Database
  • 2014 Audit of the CFPB's Information Security Program
  • Audit of the CFPB's Tableau System
Source: Office of Inspector General, Work Plan, updated September 5, 2014. The OIG's current Work Plan is available at

archived reports