GAO Report Calls for Increased Credit Bureau Oversight

The Government Accountability Office (GAO) has released a new report on the credit reporting agencies (CRAs) that recommends improving federal enforcement of data safeguards and oversight of the companies' security practices. CUNA and the state leagues believe credit bureaus should be examined for compliance with Gramm-Leach-Bliley Act (GLBA) data security standards.

In its report, the GAO highlights that the Federal Trade Commission (FTC) can bring civil penalties against the credit bureaus related to consumer reporting violations of the Fair Credit Reporting Act (FCRA); however, the FTC does not have the same authority to do so under the GLBA.

In addition, the report notes that consumers "generally cannot exercise choice in the consumer reporting market" and have limited actions they can take against a credit bureau if it experiences a data breach.

"This limited control by consumers, coupled with the large amount and sensitive nature of the information CRAs possess, underscores the importance of appropriate federal oversight of CRAs' data security."

The GAO recommends that:

  • Congress consider giving FTC civil penalty authority to enforce GLBA's safeguarding provisions;
  • CFPB identify additional sources of information on larger CRAs; and
  • CFPB reassess its prioritization of examinations to address CRA data security.

CUNA and the state leagues have been advocating for a national data security standard that applies to businesses and other entities that collect and store consumer financial data.