Things are looking up a bit because I have a new favorite regulatory agency to follow, the Consumer Financial Protection Bureau (CFPB).  And here’s why:  They focus on things that impact my day-to-day life (and yours as well).

I started tracking what the CFPB was doing about five months ago by accident.  Someone I know who used to be an examiner for the FRB switched over to the newer agency right at its infancy and I noticed this courtesy of a LinkedIn update.  Because I consider the Fed to be the Big Kahuna of the regulatory agencies I was surprised (you don’t leave the Yankees to sign with an expansion team unless you have to, or so I thought).  Compelled a bit by the update I started poking around the CFPB website.  For the first few months of this year it seemed to have potential but was little more than brochure-ware.  But last month that all changed.

The first CFPB update that caught my attention was labeled 12 CFR Part 1070 and it was all about the protection of consumer data, only with a slight twist.  Basically it was all about how any information they received as part of their field work would be protected exactly the same way that any third party vendor would be required to.  Despite their being a Federal agency they weren’t going to hide behind that as a means to simplify their lives.  They spearheaded an update to the underlying regulation that frames their charter so that consumers and their institutions can be assured that all PII and NPPI would be protected.  For me it was a rare win-win topic; protection of PII and NPPI combined with a reference to vendor management (these are a few of my favorite things).  And really for me it was that much more significant because I’ve known of a few situations where representatives of Federal and State regulatory agencies were responsible for the outright loss of confidential and/or restricted data.  Beyond a slap on the wrist there wasn’t much else done to the offending examiner or their agency.  And the affected institution couldn’t really complain too loudly because it’s always a bad idea to challenge your regulators, even when you’re in the right.  So I thought this was all at once a compelling and remarkably sensible update by a regulator, not something I’d expect to see.  That was the first points on the board for the CFPB.

The second set of points were scored almost on the same day.  I wanted to check one of the details related to the aforementioned update and noticed this one “Consumer Financial Protection Bureau report finds confusion in reverse mortgage market“.  Because I have a parent who is a senior citizen and who I think might one day soon be open to at least exploring a reverse mortgage I read with great interest.  The report was in plain English, was oriented in such a way that I could share it with my family and have them understand the issues and concerns detailed within and most importantly it made sense.  Reverse mortgages are growing in popularity and its main audience is the senior citizens segment of society.  Seniors tend to be  more easily misled, they’re under greater pressures to find new money sources (courtesy of our recession) at a time in their lives where going back to work is often not an option.  And because a parent would do almost anything rather than turn to their children for financial assistance they see a reverse mortgage as a way out of their predicament.  So for me having this content available was quite the relief.  I can caution and advise all day and night but the risks presented by a reverse mortgage are much more credible coming from an authorized source.  And so I celebrated July 4th this year by declaring the CFPB my new FDIC (the Sheila Bair inspired version, not the current blah one).

Here’s my really bizarro advice to any of you with even the slightest interest in regulatory oversight; if you haven’t already done so visit www.cfpb.gov and take a look around.  It’s oriented towards lay people, not just lawyers and regulators (and practitioners like me) and addresses topics and concerns that affect the majority of our population.  Basically it’s what I would expect from a regulator that still has that new agency smell but nothing like I’ve come to know from those that preceded it.  To those who have had a hand in defining its charter and organizing its content, great job!   Now repay my kind words by going out and getting me some juicy enforcement stories to write about.

So when the FDIC recently issued new guidance titled “Guidance on Mitigating Risk Posed by Information Stored on Photocopiers, Fax Machines and Printers” (FIL-56-2010),” I was reminded once again of this favorite phrase of mine.

It’s important to explain that my first foray into audit allowed me to work with arguably the best auditor I’ve ever met.  I was taught to question everything and assume it was in scope until proven otherwise, and I was encouraged to trust and follow my instincts.  And so fairly early in my regulatory career when I first started to search out the myriad threats to personally identifiable information (PII), all sorts of things landed on my radar screen.  Accordingly, for nearly a decade I’ve been advising clients on the threats posed by what are typically thought of as secondary devices or peripherals.  Financial institutions will spend all sorts of crazy money to protect servers and storage devices but completely ignore multifunction devices that copy, scan, fax and email just about any document imaginable and often retain those images in memory.  They’ll have surprise desktop audits where someone will spot check work spaces to see if PII has been properly secured but will walk past the copier room time and again and ignore what lays in the output trays.  Our practice has long advocated for related control activities to remove this remarkable blind spot but year over year we return to our clients and find that little has changed.

And so the question needs to be asked: Why?

The answer is very likely found in the fact that no known breaches or cases of identify theft have ever been tied back to information gleaned from a peripheral device.  We’ll read about huge PCI-related disasters where millions of credit card numbers were potentially stolen.  We’ll see stories on the news about how a laptop has gone missing with hundreds of thousands of accounts containing Social Security numbers.  We’ll read about how criminals are piggy-backing card reader devices on legitimate ATM’s to grab your credit and bank card data.  But no one can ever recall hearing about any identity thefts cases where the information involved was found to be harvested from just such a device.  And odds are you’re never going to.

The amount of information to be gleaned from peripheral devices is relatively small.  All but a few of them can only retain a modest amount of data and so you’re not going to find much more than a few dozen opportunities per device.  If someone within an office is aware of this treasure trove of information and is skimming it off and either using it or selling it how would you know?  How would you be able to develop the trend (remember that very few people file police reports when they discover that their identify has been stolen or accounts accessed).  So there isn’t a whole lot of investigating going on.  And if someone at either the equipment reseller or company warehouse is collecting the information and using it for illegal purposes how would anyone know?  We’re not talking about thousands of accounts or individuals from any one company or institution; it’s more like a patchwork collection.  You would only be able to find a trend if you went looking for it, and you would only go looking for it if you had a credible reason to do so.

But here’s the thing; I’ve thought about this information being readily available and difficult to trace and I’m an honest man and one of the good guys. Don’t you think the bad guys have this figured out as well?

So it will be interesting to see how or if the banking industry reacts to this bulletin.  It’s been my experience that these things go largely unheeded until an examiner applies a little pressure.  I suppose way too many financial institutions are happy enough to apply the “what you don’t know can’t hurt you” logic. Not me.