At a Senate Banking Committee hearing last week, Richard Cordray - the director of the Bureau of Consumer Financial Protection - was on the defensive with respect to the bureau's collection of information about Americans' spending habits. His unpersuasive defense of the CFPB's data collection practices was not surprising in light of the agency's flawed design.
First, Mr. Cordray explained that the industry and other regulators also collect credit card information. It is difficult to understand how he reached that conclusion since he did not seem certain about the scope of the bureau's data collection efforts. Mr. Cordray did not directly answer repeated questions from ranking member Sen. Mike Crapo about whether the CFPB is demanding from credit card companies monthly reports with approximately 100 data fields about 900 million different credit card accounts.
Even if Mr. Cordray's but-everyone-is-doing-it assertion is accurate, the fact that other regulators are collecting the same information does not make it acceptable. Nor is industry's collection of information relevant, since consumers consent to credit card providers retaining their usage information; and there are limits on how industry can use the data it collects. History has taught us to worry about massive government data collection efforts-even those undergirded with good intentions-about private citizens.
Mr. Cordray's second line of defense was that the CFPB is only interested in learning about financial institutions, not about individuals. As Mr. Cordray put it: "I don't care about any individual, and we're not tracking anybody's credit card spending of any sort." Data about consumers is transmitted to a third party service provider that converts names to numbers. It would not be too difficult to get the names added back on, and, elsewhere the agency has said that it may maintain consumers' names and other personally identifiable information and transactional histories.
There have been suggestions that the bureau is planning to consolidate the information it receives from different companies about the same individual under a single identifying number, which would suggest the regulator is, in fact, interested in what individuals are doing. The notion that a government agency may be watching Americans' financial lives unfold transaction-by-transaction is unsettling, even if the agency only knows those Americans by their assigned numbers, not their names.
Finally, Mr. Cordray insisted that the CFPB needs the information it is collecting to oversee the financial institutions, bring enforcement actions, and make reports to Congress. It is difficult to believe that the agency needs to collect granular, individualized information about millions of credit card users to do its job. The Bureau routinely examines financial institutions and receives complaints directly from consumers. It also has a whistleblower program. These are more targeted ways of obtaining the information that it needs, without compromising the privacy of the consumers it is supposed to be protecting.
Unfortunately, there are incentives for regulators not to take a consumer's desire for privacy into account. For regulators, collecting lots of data is an easy, tangible way to look as if they are doing something. Moreover, there is a reason that the CFPB seems insensitive to privacy concerns; it's viewed as irrelevant to the bureau's sole mission of regulating the offering and provision of consumer financial products and services.
The CFPB's tunnel focus is attributable in large part to flaws in its institutional design. Oft-repeated, heartfelt assurances of the bureau's good intentions cannot mitigate those flaws. A more substantive way to allay concerns about the CFPB's practices-including its data collection practices-would be for Congress to accede to very practical suggestions for building into the bureau's statutory framework more transparency, accountability, and oversight.