Date Issued
Submitting OIG
Federal Reserve Board & CFPB OIG
Agencies Reviewed/Investigated
Consumer Financial Protection Bureau
Report Number
2025-SR-C-005
Report Type
Inspection / Evaluation
Agency Wide
Yes
Number of Recommendations
7
Questioned Costs
$0
Funds for Better Use
$0
Report updated under NDAA 5274
No

Open Recommendations

This report has 7 open recommendations.
Recommendation Number | Significant Recommendation | Recommended Questioned Costs | Recommended Funds for Better Use | Additional Details
1 | No | $0 | $0

Define in policy
a. the process that examiners should use to request access to files in the Supervision Examination System.
b. the criteria that managers and regional analysts should use to assess whether a need to know exists in accordance with the least privilege principle.
c. the requirement that regional analysts document an examiner’s need to know before granting access to supervision files in the Supervision Examination System.
d. consequences for accessing confidential supervisory information without a need to know or providing access to confidential supervisory information when a need to know does not exist.

2 | No | $0 | $0

Update the document handling directive to require supervision staff to share files by emailing Supervision Examination System links.

3 | No | $0 | $0

Develop and require training for CFPB staff involved in the examination process for the policy and guidance resulting from recommendations 1 and 2.

4 | No | $0 | $0

Update the guidance for prioritizing and scheduling examinations to reflect the current link sharing practice and to limit access to the supporting analysis to those with a need to know.

5 | No | $0 | $0

Update the guidance for managing breaches of confidential supervisory information to include expectations for
a. assessing and documenting the level of harm associated with a breach.
b. counseling, training, or taking other measures to hold CFPB staff responsible for breaches accountable, as appropriate, and documenting such actions.
c. analyzing the causes of breaches to identify trends and implement appropriate control adjustments, as necessary.

6 | No | $0 | $0

Develop required training on the updated guidance after it is implemented.

7 | No | $0 | $0

Update the CFPB’s confidential information breach response directive to
a. provide guidance for assessing the risk to institutions affected by breaches of confidential supervisory information and notifying those institutions.
b. define the roles and responsibilities for those involved in the process.
