Right after one of the debates I found myself knee deep in a debate about Dodd-Frank.  A close personal friend of mine, a very bright bulb who I’ve never found a reason to disagree with brought up Dodd-Frank as an example of horrible legislation that’s crippling banks and contributing to our horrible economic conditions.  Whoa, whoa, whoa…. rail against taxes, complain about government spending, assail the current administration for the dramatic escalation of our national debt.  But leave Dodd-Frank out of it because that’s not one of our bigger problems.  I can offer a five thousand word defense of the best parts of Dodd-Frank without even pausing to organize my thoughts but I don’t need to go that far.  I can sell it’s virtues in a single, simple sentence:  Any legislation that created the Consumer Financial Protection Bureau is instantly more effective than anything that’s come before it in my lifetime.

No, seriously… in my lifetime.

I’ve already screamed from the rooftops about how much I like the CFPB.  In my own geeky, nerdy way I’m proud to admit that I look forward to getting their regular updates and announcements because they always seem either ridiculously relevent or illuminate how they’re hot on the heels of yet another predatory business practice.  In barely a years time they’ve pushed deeper into the heart of the issues that crashed Wall Street in 2008 than anyone could have hoped (that’s my opinion but one I’m willing to defend).  And their examiners appear to be freaky efficient.  I’ve been hearing from our banking clients that they’re drilling in on details and covering more territory than was expected and that they’re discussing issues much closer to protecting customers (and members).   Our practice recently issued a bulletin to our clients alerting them to the fact that CFPB examiners are expecting related oversight to be pushed down to external business parters and vendors.  This is not a new consideration, it’s exactly the same as what’s supposed to happen with regards to GLBA (and one of the reasons we developed our related software and services for same) but still, we anticipated this would take several exam cycles to surface.  CFPB cut right to that chase in a heartbeat, which is stunning for such things.  It’s almost like someone told them where to look and what to look for which to a certain extent is true.

The CFPB didn’t start as most new agencies do.  They didn’t recruit green examiners and place them under the management of a few practiced hands.  What they apparently have done is to hire well seasoned examiners from related regulatory agencies (e.g. FDIC, FRB, OCC) have them contribute to creating the necessary procedures and then send them out to bring it all to life.  So on Day One they already know where the bodies are likely to be buried and what to do about it.  It’s brilliant, it’s efficient and it’s the very best example of  your government doing its job.

Here are some snippets from my in-box:

• Regarding the three main credit reporting agencies, the CFPB released a report that said “Among the key takeaways in the report, which is one of the most comprehensive studies of credit reporting to date, are that credit card history dominates the information in credit reports and that debt collection items  generate the highest rate of disputes”.  This becomes important for consumers who are trying to either establish or repair respectable credit ratings.  The news release further explained about the report that it “will help educate regulators and consumers about how this important industry works,” said CFPB Director Richard Cordray. “If consumers know how these companies handle their credit histories, they can make better decisions on how to handle their financial lives.”
• This was another headline “CONSUMER FINANCIAL PROTECTION BUREAU HALTS ALLEGED NATIONWIDE MORTGAGE LOAN MODIFICATION SCAMS”.  The news release explained that the CFPB is  “taking on schemes that prey on consumers who are struggling to pay their mortgages or facing foreclosure,” said CFPB Director Richard Cordray. “We are especially concerned with those who misrepresent government programs or websites to divert distressed homeowners from needed assistance.”
• And even still, another headline “CONSUMER FINANCIAL PROTECTION BUREAU PROPOSES ALLOWING COMPANIES TO RUN TRIAL DISCLOSURE PROGRAMS”.  And while this may seem dry to so many not close to the related issue this is signficant because right now most of us ignore all the small print.  The CFPB is trying to figure out better ways to present disclousre information so that us consumers both think to read it and, more importantly, understand what it’s telling us.  Rather than try and stuff a once-sized-fits-all solution down the industries throat they’re opening it up and authorizing institutions and lenders to explore different approaches.

And the kicker about these three items?  This was all issued this month (December 2012) and we’re not even quite halfway through it.

Things are looking up a bit because I have a new favorite regulatory agency to follow, the Consumer Financial Protection Bureau (CFPB).  And here’s why:  They focus on things that impact my day-to-day life (and yours as well).

I started tracking what the CFPB was doing about five months ago by accident.  Someone I know who used to be an examiner for the FRB switched over to the newer agency right at its infancy and I noticed this courtesy of a LinkedIn update.  Because I consider the Fed to be the Big Kahuna of the regulatory agencies I was surprised (you don’t leave the Yankees to sign with an expansion team unless you have to, or so I thought).  Compelled a bit by the update I started poking around the CFPB website.  For the first few months of this year it seemed to have potential but was little more than brochure-ware.  But last month that all changed.

The first CFPB update that caught my attention was labeled 12 CFR Part 1070 and it was all about the protection of consumer data, only with a slight twist.  Basically it was all about how any information they received as part of their field work would be protected exactly the same way that any third party vendor would be required to.  Despite their being a Federal agency they weren’t going to hide behind that as a means to simplify their lives.  They spearheaded an update to the underlying regulation that frames their charter so that consumers and their institutions can be assured that all PII and NPPI would be protected.  For me it was a rare win-win topic; protection of PII and NPPI combined with a reference to vendor management (these are a few of my favorite things).  And really for me it was that much more significant because I’ve known of a few situations where representatives of Federal and State regulatory agencies were responsible for the outright loss of confidential and/or restricted data.  Beyond a slap on the wrist there wasn’t much else done to the offending examiner or their agency.  And the affected institution couldn’t really complain too loudly because it’s always a bad idea to challenge your regulators, even when you’re in the right.  So I thought this was all at once a compelling and remarkably sensible update by a regulator, not something I’d expect to see.  That was the first points on the board for the CFPB.

The second set of points were scored almost on the same day.  I wanted to check one of the details related to the aforementioned update and noticed this one “Consumer Financial Protection Bureau report finds confusion in reverse mortgage market“.  Because I have a parent who is a senior citizen and who I think might one day soon be open to at least exploring a reverse mortgage I read with great interest.  The report was in plain English, was oriented in such a way that I could share it with my family and have them understand the issues and concerns detailed within and most importantly it made sense.  Reverse mortgages are growing in popularity and its main audience is the senior citizens segment of society.  Seniors tend to be  more easily misled, they’re under greater pressures to find new money sources (courtesy of our recession) at a time in their lives where going back to work is often not an option.  And because a parent would do almost anything rather than turn to their children for financial assistance they see a reverse mortgage as a way out of their predicament.  So for me having this content available was quite the relief.  I can caution and advise all day and night but the risks presented by a reverse mortgage are much more credible coming from an authorized source.  And so I celebrated July 4th this year by declaring the CFPB my new FDIC (the Sheila Bair inspired version, not the current blah one).

Here’s my really bizarro advice to any of you with even the slightest interest in regulatory oversight; if you haven’t already done so visit www.cfpb.gov and take a look around.  It’s oriented towards lay people, not just lawyers and regulators (and practitioners like me) and addresses topics and concerns that affect the majority of our population.  Basically it’s what I would expect from a regulator that still has that new agency smell but nothing like I’ve come to know from those that preceded it.  To those who have had a hand in defining its charter and organizing its content, great job!   Now repay my kind words by going out and getting me some juicy enforcement stories to write about.

So when the FDIC recently issued new guidance titled “Guidance on Mitigating Risk Posed by Information Stored on Photocopiers, Fax Machines and Printers” (FIL-56-2010),” I was reminded once again of this favorite phrase of mine.

It’s important to explain that my first foray into audit allowed me to work with arguably the best auditor I’ve ever met.  I was taught to question everything and assume it was in scope until proven otherwise, and I was encouraged to trust and follow my instincts.  And so fairly early in my regulatory career when I first started to search out the myriad threats to personally identifiable information (PII), all sorts of things landed on my radar screen.  Accordingly, for nearly a decade I’ve been advising clients on the threats posed by what are typically thought of as secondary devices or peripherals.  Financial institutions will spend all sorts of crazy money to protect servers and storage devices but completely ignore multifunction devices that copy, scan, fax and email just about any document imaginable and often retain those images in memory.  They’ll have surprise desktop audits where someone will spot check work spaces to see if PII has been properly secured but will walk past the copier room time and again and ignore what lays in the output trays.  Our practice has long advocated for related control activities to remove this remarkable blind spot but year over year we return to our clients and find that little has changed.

And so the question needs to be asked: Why?

The answer is very likely found in the fact that no known breaches or cases of identify theft have ever been tied back to information gleaned from a peripheral device.  We’ll read about huge PCI-related disasters where millions of credit card numbers were potentially stolen.  We’ll see stories on the news about how a laptop has gone missing with hundreds of thousands of accounts containing Social Security numbers.  We’ll read about how criminals are piggy-backing card reader devices on legitimate ATM’s to grab your credit and bank card data.  But no one can ever recall hearing about any identity thefts cases where the information involved was found to be harvested from just such a device.  And odds are you’re never going to.

The amount of information to be gleaned from peripheral devices is relatively small.  All but a few of them can only retain a modest amount of data and so you’re not going to find much more than a few dozen opportunities per device.  If someone within an office is aware of this treasure trove of information and is skimming it off and either using it or selling it how would you know?  How would you be able to develop the trend (remember that very few people file police reports when they discover that their identify has been stolen or accounts accessed).  So there isn’t a whole lot of investigating going on.  And if someone at either the equipment reseller or company warehouse is collecting the information and using it for illegal purposes how would anyone know?  We’re not talking about thousands of accounts or individuals from any one company or institution; it’s more like a patchwork collection.  You would only be able to find a trend if you went looking for it, and you would only go looking for it if you had a credible reason to do so.

But here’s the thing; I’ve thought about this information being readily available and difficult to trace and I’m an honest man and one of the good guys. Don’t you think the bad guys have this figured out as well?

So it will be interesting to see how or if the banking industry reacts to this bulletin.  It’s been my experience that these things go largely unheeded until an examiner applies a little pressure.  I suppose way too many financial institutions are happy enough to apply the “what you don’t know can’t hurt you” logic. Not me.