An audit of the CFPB’s Consumer Response System (CRS) by the Federal Reserve’s Office of Inspector General (OIG) found that improvements are needed to ensure that the requirements of the Federal Information Security Management Act of 2002 are met. The system allows consumers to submit complaints through the CFPB’s website. The OIG’s Executive Summary of its findings indicates that its report includes nine recommendations to CRS management to strengthen security controls for the system.
The existence of any deficiencies in the complaint system that could threaten the security of data is obviously a matter of concern to both industry and consumers. The summary indicates that “given the sensitivity of information security work,” the full audit report is restricted. As a result, neither industry or consumers have the information needed to assess the seriousness of the deficiencies found by the OIG. Under these circumstances, the CFPB might consider issuing a public response to the audit to provide assurance that the complaint system is sufficiently secure despite such deficiencies.
The CFPB recently announced that it has expanded its public Customer Complaint Database beyond complaints about credit cards. The database will now also include complaints related to mortgages, bank deposit products and services, student loans, and other consumer loans (a category that includes complaints about auto loans and leases).