The Consumer Financial Protection Bureau (CFPB) should improve its privacy protections for the data it collects on hundreds of millions of mortgages, student loans and credit cards, the Government Accountability Office says.  

The nonpartisan GAO’s investigation found three major information management issues at the CFPB: written procedures and documentation, implementation of privacy and security steps, and not complying with the Paperwork Reduction Act.

The GAO report said that while the amount of data collected was extensive, it was in line with the data collection activities of other regulators like the Office of the Comptroller of the Currency.

In a statement appended to the report, the CFPB said it “concurred” with the recommendations to beef up its privacy safeguards.

Republican lawmakers say the CFPB is overstepping its authority. Senate Banking Committee Ranking Member Mike Crapo, R-Idaho, requested the report, and he believes the demand for data could be a budding threat to consumer protection and privacy.

“The CFPB’s massive data collection effort is an unwarranted, unwelcome intrusion into the private financial lives of millions of Americans,” Crapo said in a statement. “This GAO report confirms what the Bureau would not — that it has been collecting information on up to 600 million American financial accounts, and it does not have the proper safeguards in place to protect the information it is collecting. At a time when data and identity-related crimes are at an all-time high, the last thing the American people need is one more federal agency collecting their private financial information.”

In its research, the GAO looked into the data collection methods of the CFPB for 12 different projects. Of those accounts, three had information that identified individual consumers.

In May, Crapo requested legal justification for the CFPB’s data collection programs, a request he said was not answered.

“There are many outstanding questions and concerns following this report,” Crapo continued.  “For example, it is still unclear exactly what information the CFPB is collecting, how they are using it, and whether it can be easily reverse-engineered to identify an individual.  I consider these to be very serious concerns at the very agency that was supposed to watch out for consumers, not watch them.”

The CFPB said in its statement that the Dodd-Frank Act authorized it to collect and analyze consumer data and that the bureau was forthright with legislators and the public about the data it collects and how it is used. The bureau has pointed out previously that much of the data it uses, such as mortgage data, is public information. At a time when identity theft is rampant, Americans are concerned about their cyber safety. “The American people are rightfully worried about the massive amounts of private information government collects on their personal lives, especially in this age of criminal hackers, data breaches and identity theft,” House Financial Services Committee Chairman Jeb Hensarling, R-Texas, said in a statement.

According 2012 data (the most recent) from the Bureau of Justice Statistics, 7% of people 16 or older were victims of identity theft. A majority of the thefts — 85% — involved the fraudulent use of credit card or bank account information. The GAO report demonstrates the need for stricter protections for data privacy.   

Officials at the CFPB say that the “data is essential for effective financial regulation,” according to a statement shared with the website Housing Wire. Sam Gilford, spokesperson for CFPB, says he stands behind the efforts of his organization because he believes that necessary information is being provided. “Prior to and during the 2007-2009 financial crisis, [GAO] and others noted that the lack of data on consumer financial products and services hindered federal oversight in areas such as mortgages and fair lending,” he said in the statement. 

Check out What Elizabeth Warren Fails to Understand About Finance on ThinkAdvisor.