WASHINGTON (8/19/15)--A look at the Consumer Financial Protection Bureau’s (CFPB) storage of personally identifiable information is part of the Federal Reserve’s Office of the Inspector General’s work plan. The plan was recently updated to include CFPB data security audit, as well as a number of other additions.

The CFPB, as part of its mission, collects, handles and stores several types of consumer information and personally identifiable information, defined as data that could potentially be used to identify a specific individual, or to distinguish one individual from another.

The Fed’s Office of the Inspector General intends to review the extent to which the CFPB has assessed the risks that come with collection, maintenance, storage and disposal of this data.

The review will focus on: bureau systems that house the information; access to the information; disposal and destruction mechanisms; how privacy incidents are handled; how CFPB staff are trained on privacy matters; and the use of National Institute of Standards and Technology privacy controls.

CUNA has raised a number of concerns about the CFPB's storage of information in the CFPB's database, particularly if the personal information collected by the bureau is inadvertently disclosed whenc consumer complaints are filed with the bureau. CUNA has urged the CFPB to take steps to minimize privacy risks. 

Other items added to the latest work plan include:

• An audit of the Federal Financial Institutions Examination Council’s financial statements for years ending Dec. 31, 2015 and Dec. 31, 2014;
   
• An audit of the Federal Reserve board of governors’ oversight of cybersecurity threats to financial institutions. The review will focus on whether the Fed’s examination process is providing adequate oversight;
   
• A security control review of the CFPB’s information server operating environment. Specifically, control techniques used to protect data within the system from unauthorized access will be examined;
   
• An evaluation of the CFPB’s risk assessment framework used to prioritize examination activities; and
   
• A risk assessment of the CFPB’s purchase card program, which will identify and analyze the risks of illegal, improper, or erroneous purchases and payments.