While Republicans have argued that the Consumer Financial Protection Bureau's oversight is too broad and needs to be dialed back, Director Richard Cordray is using the Equifax data breach to float the idea of expanded agency authority over the credit reporting bureaus.
The CFPB is the only regulator with supervisory examination authority over Equifax, Experian and TransUnion, which were designated in 2012 as "larger participants" in the credit reporting market. But the primary regulator in charge of enforcing cybersecurity standards of nonbanks is the Federal Trade Commission, which lacks direct supervisory authority.
Cordray has suggested that Congress needs to address that regulatory gap.
"We are going to have to work with Congress to put in place a better framework on data security," Cordray told CNBC in a recent interview "It's not enough to have enforcement come after the fact. There has to be preventive supervision authority in place and there has to be more robust standards to be met by these companies."
That could be done two ways, either giving the CFPB the power to examine the credit reporting agencies for cyber and data security or giving such authority to the FTC, which currently lacks any infrastructure to conduct supervisory exams. In the interview, Cordray signaled that his agency should handle it.
When asked about having CFPB examiners embedded inside the credit bureaus, Cordray said, "That is exactly what I'm suggesting has to be the case, and the companies should welcome it."
"We are going to have to have monitoring in place that's preventive," Cordray said. "It's going to have to be a different regime than they're used to. If they are going to restore public confidence in this marketplace, and if they're going to create the kind of reforms necessary, they are going to have to recognize that the old days of just doing what they want, and being subject to a lawsuit now and then, are over."
That part of the interview has received little attention, but Cordray's suggestion raises the prospect that one day the CFPB could dive into cyber issues. For now, however, getting a Republican Congress to expand the authority of the CFPB is highly unlikely, experts said. The industry is already pushing back.
"For the bureau to seek to get involved in cybersecurity is unacceptable mission creep," said Andrew Sandler, chairman and executive partner at the law firm Buckley Sandler. "The last thing they should be doing in the current environment is to seek broader jurisdiction. Cybersecurity is not a core consumer protection issue. It belongs with the prudential bank regulators, and the Federal Trade Commission at the federal level. Where disclosure issues result in consumer harm, it is a matter of state law for state attorneys general to deal with."
The issue highlights how the Equifax data breach presents several problems for policymakers because the regulatory issues involved are spread among federal and state regulators. It is not always clear where an issue such as cybersecurity, the FTC's domain, ends and harm to consumers, the CFPB's domain, begins.
The Gramm-Leach-Bliley Act of 1999 gave the FTC authority over the protection and storing of consumer data. The FTC's Safeguards Rule requires that nonbank financial institutions develop, implement and maintain a comprehensive security program for handling customer information.
Despite holding four hearings last week in Congress on the Equifax breach, however, lawmakers on both sides of the aisle have mostly ignored any gaps in the regulatory net. The ten or so bills introduced in response have focused on consumers' rights to freeze credit or the use of the IRS for consumer data verification.
There does not appear to be much momentum to expand either the CFPB's or the FTC's powers. That has left states to fill the vacuum.
"The appetite in Washington for more extensive federal authority is not great, so you're seeing various states taking various initiatives that they know will go beyond their borders," said Bob Cattanach, a partner at Dorsey & Whitney. "Some states with aggressive regulatory programs may feel that they have to do something because the current federal standard is not adequate."
Massachusetts Attorney General Maura filed a lawsuit against Equifax for violating state consumer protection laws. Other states such as New York are looking into what authority states have to require that consumers be notified about data breaches, including when personally identifiable information is stolen.
"The focus is really on the disclosure to consumers of what information is collected and why, and what are they going to do with the information," Cattanach said.
To that end, lawmakers questioned Equifax's former CEO Richard Smith about the business practices of the credit bureaus, including how they are able to collect massive amounts of data on consumers without paying or getting permission for it. Meanwhile, consumers have to jump through hoops to get inaccurate information expunged from their credit files by filing complaints with the CFPB under the Fair Credit Reporting Act.
"Consumers have no opportunity to choose the data security protocols that will safeguard their consumer report information or visibility into how those protocols work," said Jenny Lee, a partner at Dorsey & Whitney and a former CFPB enforcement attorney.
There also is concern that data breaches are an evolving area of law, and that absent a single federal standard for data breach prevention that establishes a legal right for consumers, it is unclear if a consumer has standing to sue a company for the potential harm of a hack, particularly if they cannot prove they were part of the data breach.
The CFPB is working with other regulators to address some of the issues, Cordray said.
"I think there's are a lot of things we can do … now that we have this problem at Equifax and we are going to be working to put solutions in place," Cordray said. "We are working with the Federal Trade Commission and with the New York State Department of Financial Services. But I think it's also important that we look at the other big credit reporting companies, Experian and TransUnion."