IG Urges CFPB to Strengthen Controls on Sensitive Data

The Federal Reserve’s Office of Inspector General (OIG) has issued a report urging the Consumer Financial Protection Bureau (CFPB) to strengthen its controls on confidential supervisory information (CSI), following multiple security breaches and a 2023 incident involving mishandling of sensitive data. The OIG emphasized the need for clearer guidelines and protocols to prevent unauthorized access and ensure better protection of consumer and financial institution data.

The OIG’s report, released Thursday, found that the CFPB lacks a defined “need-to-know” approach to controlling access to CSI. The watchdog also identified gaps in the agency’s practices for responding to breaches and notifying affected firms, calling for more robust, detailed policies to safeguard this sensitive information.

“The CFPB can reduce the risk of unauthorized access to CSI by updating its guidance to limit access to such information on a need-to-know basis and clearly defining when that need to know exists,” the report stated. “Consistently enforcing appropriate consequences when necessary and analyzing the causes of breaches can help the CFPB reduce the risk of recurrence or more severe breaches.”

Confidential supervisory information, which includes examiner findings, private communications, and personal consumer data, is generated through the CFPB’s regular oversight of financial institutions. This material is protected by law and is critical to the integrity of the agency’s work.

The OIG’s investigation highlights a 2023 incident where a CFPB examiner mishandled sensitive data, including information on more than 250,000 consumers. The examiner forwarded confidential documents to a personal email account, resulting in what the CFPB classified as a “major” security breach. While no evidence of further exposure was found, the incident raised significant concerns about the agency’s ability to secure such critical information.

The report further revealed that the CFPB experienced 16 breaches of confidential material between January 2022 and April 2024, nearly half of which were classified as “inadvertent.” The OIG emphasized that the lack of a formal process for accessing documents from other exams contributed to the 2023 breach and recommended that the agency adopt a more formalized, permission-based system for sharing sensitive information.

The OIG also pointed out weaknesses in the CFPB’s handling of breach incidents, including the lack of a defined process for assessing the severity of breaches and notifying affected financial institutions. The OIG stressed the importance of transparency and timely communication with affected institutions to mitigate potential legal and reputational risks.

In response to the report, the CFPB expressed its agreement with the OIG’s recommendations and committed to making improvements. However, the agency noted that progress would be contingent on available resources, and no specific time frames were provided for implementing the changes.

The OIG pledged to follow up on the CFPB’s progress in addressing these issues and ensuring the security of sensitive supervisory data in the future.