[House Hearing, 113 Congress]
[From the U.S. Government Publishing Office]




                  EXAMINING HOW THE CONSUMER FINANCIAL
                     PROTECTION BUREAU COLLECTS AND
                           USES CONSUMER DATA

=======================================================================

                                HEARING

                               BEFORE THE

                 SUBCOMMITTEE ON FINANCIAL INSTITUTIONS
                          AND CONSUMER CREDIT

                                 OF THE

                    COMMITTEE ON FINANCIAL SERVICES

                     U.S. HOUSE OF REPRESENTATIVES

                    ONE HUNDRED THIRTEENTH CONGRESS

                             FIRST SESSION

                               __________

                              JULY 9, 2013

                               __________

       Printed for the use of the Committee on Financial Services

                           Serial No. 113-36





[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]





                  U.S. GOVERNMENT PRINTING OFFICE

82-858 PDF                WASHINGTON : 2014
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing 
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC 
area (202) 512-1800 Fax: (202) 512-2104  Mail: Stop IDCC, Washington, DC 
20402-0001



                 HOUSE COMMITTEE ON FINANCIAL SERVICES

                    JEB HENSARLING, Texas, Chairman

GARY G. MILLER, California, Vice     MAXINE WATERS, California, Ranking 
    Chairman                             Member
SPENCER BACHUS, Alabama, Chairman    CAROLYN B. MALONEY, New York
    Emeritus                         NYDIA M. VELAZQUEZ, New York
PETER T. KING, New York              MELVIN L. WATT, North Carolina
EDWARD R. ROYCE, California          BRAD SHERMAN, California
FRANK D. LUCAS, Oklahoma             GREGORY W. MEEKS, New York
SHELLEY MOORE CAPITO, West Virginia  MICHAEL E. CAPUANO, Massachusetts
SCOTT GARRETT, New Jersey            RUBEN HINOJOSA, Texas
RANDY NEUGEBAUER, Texas              WM. LACY CLAY, Missouri
PATRICK T. McHENRY, North Carolina   CAROLYN McCARTHY, New York
JOHN CAMPBELL, California            STEPHEN F. LYNCH, Massachusetts
MICHELE BACHMANN, Minnesota          DAVID SCOTT, Georgia
KEVIN McCARTHY, California           AL GREEN, Texas
STEVAN PEARCE, New Mexico            EMANUEL CLEAVER, Missouri
BILL POSEY, Florida                  GWEN MOORE, Wisconsin
MICHAEL G. FITZPATRICK,              KEITH ELLISON, Minnesota
    Pennsylvania                     ED PERLMUTTER, Colorado
LYNN A. WESTMORELAND, Georgia        JAMES A. HIMES, Connecticut
BLAINE LUETKEMEYER, Missouri         GARY C. PETERS, Michigan
BILL HUIZENGA, Michigan              JOHN C. CARNEY, Jr., Delaware
SEAN P. DUFFY, Wisconsin             TERRI A. SEWELL, Alabama
ROBERT HURT, Virginia                BILL FOSTER, Illinois
MICHAEL G. GRIMM, New York           DANIEL T. KILDEE, Michigan
STEVE STIVERS, Ohio                  PATRICK MURPHY, Florida
STEPHEN LEE FINCHER, Tennessee       JOHN K. DELANEY, Maryland
MARLIN A. STUTZMAN, Indiana          KYRSTEN SINEMA, Arizona
MICK MULVANEY, South Carolina        JOYCE BEATTY, Ohio
RANDY HULTGREN, Illinois             DENNY HECK, Washington
DENNIS A. ROSS, Florida
ROBERT PITTENGER, North Carolina
ANN WAGNER, Missouri
ANDY BARR, Kentucky
TOM COTTON, Arkansas
KEITH J. ROTHFUS, Pennsylvania

                     Shannon McGahn, Staff Director
                    James H. Clinger, Chief Counsel
       Subcommittee on Financial Institutions and Consumer Credit

             SHELLEY MOORE CAPITO, West Virginia, Chairman

SEAN P. DUFFY, Wisconsin, Vice       GREGORY W. MEEKS, New York, 
    Chairman                             Ranking Member
SPENCER BACHUS, Alabama              CAROLYN B. MALONEY, New York
GARY G. MILLER, California           MELVIN L. WATT, North Carolina
PATRICK T. McHENRY, North Carolina   RUBEN HINOJOSA, Texas
JOHN CAMPBELL, California            CAROLYN McCARTHY, New York
KEVIN McCARTHY, California           DAVID SCOTT, Georgia
STEVAN PEARCE, New Mexico            AL GREEN, Texas
BILL POSEY, Florida                  KEITH ELLISON, Minnesota
MICHAEL G. FITZPATRICK,              NYDIA M. VELAZQUEZ, New York
    Pennsylvania                     STEPHEN F. LYNCH, Massachusetts
LYNN A. WESTMORELAND, Georgia        MICHAEL E. CAPUANO, Massachusetts
BLAINE LUETKEMEYER, Missouri         PATRICK MURPHY, Florida
MARLIN A. STUTZMAN, Indiana          JOHN K. DELANEY, Maryland
ROBERT PITTENGER, North Carolina     DENNY HECK, Washington
ANDY BARR, Kentucky
TOM COTTON, Arkansas



















                            C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on:
    July 9, 2013.................................................     1
Appendix:
    July 9, 2013.................................................    51

                               WITNESSES
                         Tuesday, July 9, 2013

Antonakes, Steven L., Acting Deputy Director, Consumer Financial 
  Protection Bureau (CFPB).......................................     8

                                APPENDIX

Prepared statements:
    Antonakes, Steven L..........................................    52

              Additional Material Submitted for the Record

Capito, Hon. Shelley Moore:
    Written statement of the National Association of Federal 
      Credit Unions (NAFCU)......................................    57
Antonakes, Steven L.:
    Written responses to questions submitted by Representatives 
      Capito, Duffy, Luetkemeyer, and Posey......................    59
    Additional information provided for the record in response to 
      questions posed during the hearing by Representatives 
      Capito, Maloney, Duffy, Luetkemeyer, Rothfus, Barr, and 
      Westmoreland...............................................   108

 
                  EXAMINING HOW THE CONSUMER FINANCIAL
                     PROTECTION BUREAU COLLECTS AND
                           USES CONSUMER DATA

                              ----------                              


                         Tuesday, July 9, 2013

             U.S. House of Representatives,
             Subcommittee on Financial Institutions
                               and Consumer Credit,
                           Committee on Financial Services,
                                                   Washington, D.C.
    The subcommittee met, pursuant to notice, at 10:04 a.m., in 
room 2128, Rayburn House Office Building, Hon. Shelley Moore 
Capito [chairwoman of the subcommittee] presiding.
    Members present: Representatives Capito, Duffy, McHenry, 
Pearce, Posey, Fitzpatrick, Westmoreland, Luetkemeyer, 
Stutzman, Pittenger, Barr, Cotton, Rothfus; Maloney, Scott, 
Velazquez, Lynch, and Heck.
    Ex officio present: Representatives Hensarling and Waters.
    Chairwoman Capito. The subcommittee will come to order. 
Without objection, the Chair is authorized to declare a recess 
of the subcommittee at any time. I don't think that is going to 
be necessary.
    We are here this morning to learn about the Consumer 
Financial Protection Bureau's (CFPB's) collection and use of 
consumers' personal financial data. Unfortunately, the fact 
that we need today's hearing is an important indication of how 
little meaningful information the CFPB has been providing to us 
and to the public.
    The American people have a right to know how a government 
agency is collecting and using their personal financial data. 
So far, the CFPB has declined to provide, I believe, concrete 
answers to these questions, and I hope we get some of those 
answers on record today.
    This past April, Senator Crapo, the ranking member of the 
Senate Banking Committee, highlighted the CFPB's decision to 
not provide him with the specific number of consumer accounts 
the agency is monitoring. Instead, we were forced to rely on 
accounts from news media outlets which indicate that the number 
of accounts may be as high as 10 million.
    For an agency whose initial leader once touted that, ``This 
consumer bureau belongs to the public, and we are building it 
right out in the open there for anyone to see,'' the refusal to 
answer this simple question is troubling. Without definitive 
answers to this and other basic questions, it is difficult for 
consumers to determine how much of their financial data is 
being aggregated by the CFPB.
    It is critical, I believe, for American consumers to know 
why a Federal agency is collecting their financial data and how 
the CFPB is ensuring that data has the proper safeguards. Last 
year, the GAO and the Federal Reserve's Inspector General found 
serious deficiencies with the CFPB's systems and controls for 
the data they and the outside entities they are contracting 
with are collecting.
    More recently, in March of this year, the Federal Reserve 
IG issued a report with nine recommendations for the CFPB to 
improve the consumer response system's security controls. I am 
deeply troubled that not only do we not know how many consumer 
data files the CFPB has collected, but also that outside 
entities have expressed serious concerns about the ability of 
the CFPB to safeguard this data.
    I am also concerned about the use and storage of personally 
identifiable information when collecting consumer data files. 
Despite the clear intent of Congress that the CFPB should not 
be collecting personally identifiable information, the CFPB did 
acknowledge in the fall of 2012, in a system of records notice 
that the agency will be collecting personally identifiable 
information that will be held indefinitely to match data files 
with other records in order to provide the CFPB with more 
comprehensive data to analyze. Much like the earlier issues I 
have highlighted, we simply do not know the extent to which the 
CFPB is collecting, storing, or having outside contractors 
collect and store consumers' personally identifiable 
information.
    American consumers want answers to these questions. It is 
my hope that today's hearing will begin a more transparent 
discussion of how the CFPB is collecting and using consumer 
data. Many of us have feared that the CFPB would eventually 
limit the ability of consumers to choose the financial product 
that best suits their individual needs. However, the prospects 
of the CFPB watching a consumer's every financial decision 
could be troubling.
    I now yield to Representative Maloney for the purpose of 
making an opening statement.
    Mrs. Maloney. Thank you, Chairwoman Capito, and welcome to 
Mr. Antonakes, the Acting Deputy Director of the CFPB. Thank 
you for being here.
    I would like to remind my colleagues that it was 
insufficient oversight of many financial institutions and the 
lack of oversight of others that led to the financial crisis. 
By all accounts, the data wasn't there to make good judgments 
about what was happening to our economy. Data-driven decisions 
are absolutely critical to making informed and intelligent 
determinations about the impact of financial products and their 
impact on consumers and the broader economy, and to improve the 
supervision of financial institutions, including those firms 
like debt collection companies and payday lenders that have 
gone largely unregulated until now. We know that industry uses 
data to make decisions and market products. The CFPB should use 
and have access to the same information to protect the overall 
economy and to protect consumers.
    I would like to note that there have been no objections, to 
my knowledge, to the CFPB's work from the privacy groups, those 
groups whose goal is to protect the privacy of consumers. In 
fact, I ask unanimous consent to place in the record a letter 
from privacy and consumer groups in support of the CFPB's use 
of data. It came in this morning, and it includes the Center 
for Digital Democracy, Consumer Action, the Consumer Federation 
of America, the Consumer Watchdog Privacy Rights Clearinghouse, 
Privacy Times, and USPIRG. They are supporting the use of data 
and the collection of it.
    And may I place this in the record, Madam Chairwoman?
    Chairwoman Capito. Without objection, it is so ordered.
    Mrs. Maloney. Thank you so much. And I think that it is 
important that we are having this hearing, because it allows 
the committee to examine how the CFPB is carrying out both its 
mandate to protect a data-driven agency and its mandate to 
protect the privacy of consumers and the confidentiality of the 
information that it collects.
    The more data the Bureau has, the better informed it is 
when it writes rules. We also, however, have to ensure that the 
privacy of consumers is properly protected. The key will be 
striking the right balance between the need for sufficient data 
and the need to protect consumers' privacy.
    The Bureau has done a good job so far in using data 
analysis to protect consumers and to inform policymakers. For 
example, in April CFPB Director Cordray--the Bureau needed the 
authority to collect and analyze data to publish its report on 
the effects of the CARD Act, a bill that I authored and that I 
am very close to. And I was very, very encouraged when the 
Bureau found that the CARD Act has delivered significant 
benefits to consumers. That is important. This kind of 
information is helpful for policymakers, because now we know 
which approaches to regulation work and which approaches don't 
work.
    Turning to its second mandate, it is important to remember 
that when Congress authorized the CFPB to collect data in Dodd-
Frank, it included numerous safeguards designed to protect 
consumers' personal privacy and to prevent the misuse of 
confidential information. For example, while the Bureau has the 
authority to collect data to inform its rule-writing, Congress 
specifically prohibited the Bureau from collecting data for the 
purpose of analyzing personally identifiable financial 
information.
    In fact, it is my understanding that the information and 
who the person is, is completely divided so that you can't even 
get at that kind of information without going to a second step. 
Congress required the Bureau to establish and comply with 
separate rules regarding the confidential treatment of personal 
information that it collects. Even when the Bureau is sharing 
information with its fellow bank regulators, Congress specified 
that the Bureau can only do this, ``subject to the standards 
applicable to Federal agencies for protection of the 
confidentiality of personally identifiable information.''
    Not only do other banking regulators often purchase data 
from the same outside vendors as the CFPB, but other banking 
regulators also collect far more data from financial 
institutions than the CFPB does. For instance, in order to 
prepare the annual stress tests for the largest banks, the 
Federal Reserve requires these banks to hand over significantly 
more information than they have to submit to the CFPB.
    When the Bureau purchases data from outside vendors or 
collects it directly from financial institutions, the Bureau 
rigorously follows its privacy and confidentiality mandate. And 
that is very important.
    Finally, I would like to point out that despite all the 
talk about the CFPB allegedly being unaccountable, this is the 
38th time that a CFPB official has testified before Congress, 
and we welcome him, and I look forward to his testimony.
    And I yield back. Thank you.
    Chairwoman Capito. Thank you. Mr. Duffy for 2 minutes.
    Mr. Duffy. Firstly, I thank the chairwoman for holding this 
very important hearing. I think it is important that America 
knows the kind of information the CFPB is collecting on them.
    Some of my friends across the aisle will say that the more 
data that the Bureau has, the more data that our government has 
on American citizens, the better off we are, the safer we are. 
But if you look at the past several months, Americans have 
found out far more information about what their government is 
doing in regard to collecting information on them, whether it 
is the NSA or the IRS.
    Many of my constituents are concerned that our government 
has their health records, their phone records, their Internet 
records, their e-mails, and now the CFPB is monitoring their 
financial records. And we have a concern about our 
constituents' right to privacy in regard to the information 
that the CFPB or others collect in regard to their very private 
financial transactions.
    My concern here is that much of the information that we 
received about your data collection or your monitoring of 
financial information has come from news reports or from 
Freedom Watch's requirement for freedom of information. And our 
concern is that you have been less than forthright about 
saying, ``This is what we are collecting, this is who we are 
collecting it from, this is how long we are keeping it, and 
this is what we are using it for.''
    Frankly, there has been a veil of secrecy around the 
collection of data at a time when the agency, as it is ramping 
up, has made a pledge to Congress and to the American people to 
be open and transparent. I believe that the agency or the 
Bureau should lead by example.
    If you want to collect information about Americans' 
financial transactions, if you want to monitor their financial 
transactions, you should make a request to them, ask for their 
permission to collect that data, but you shouldn't collect it 
without their permission. I yield back.
    Chairwoman Capito. Mr. Scott for 3 minutes.
    Mr. Scott. Thank you very much, Madam Chairwoman.
    This is a very timely hearing. The Nation's attention is 
riveted on this whole issue of monitoring and surveillance. And 
I think it is very important that we have a very clear 
explanation, a clear understanding from the CFPB, and answer 
each of these charges--and they are charges coming from the 
other side. And this is healthy. This is what American 
democracy is all about.
    Let me just remind everyone why we have the CFPB. The CFPB 
was put in the Dodd-Frank Act to protect consumers. You cannot 
protect consumers without the capacity of gathering 
information. If you limit that capacity of the CFPB, it is sort 
of like cutting the legs out from under them and then 
condemning them for being a cripple.
    This is an opportunity for us to let our light shine in 
this Financial Services Committee and get down to the truth of 
the matter. And I urge my colleagues on the other side to not 
use this in scoring political points for one side or the other, 
but let's score some points for the American people and let us 
shed some light on the fact that this CFPB needs to be able to 
gather information and data to protect our public from 
unscrupulous lenders, and to help make sure we stabilize our 
financial system.
    And the other matter is to deal with how we deal with the 
reach of the data information overseas. We are no longer just 
here in the United States. Our economy is worldwide. How do we 
interface the collection of our data and information in that 
way?
    I think, to Chairwoman Capito's concerns--which are 
legitimate, and I am glad that she and a couple of my 
colleagues brought it up--about this personal identification of 
information, let me make clear that at the very beginning, in 
Dodd-Frank, the law which created this, it totally forbids the 
collection of any data that can be personally identified by 
name, or by Social Security number. All of that is spelled out. 
It is there. They only have the same charge that our other 
regulators have, the Fed and others. And we are not talking 
about that.
    So I just want to make sure we understand that we have some 
serious, serious questions to ask here. I want to take the 
opportunity to do so. And I do understand the concerns of the 
other side, and I respect them, and I think there are 
legitimate points that we have to make sure we get an answer 
to, from you, Mr. Antonakes.
    Thank you.
    Chairwoman Capito. Mr. Pittenger for 1\1/2\ minutes.
    Mr. Pittenger. Thank you, Madam Chairwoman. Thank you for 
yielding me the time to address this vital issue regarding 
methods of data collection of the CFPB.
    The privacy of American citizens, whom we all have the 
responsibility of representing, is at stake. Over the past 
several years, we have learned how the IRS targeted 
conservative groups during the last Presidential election. We 
have seen the Department of Justice attack reporters for 
upholding the First Amendment and how one individual can 
inflict immense damage on our national security apparatus with 
NSA data. And now we observe how the CFPB is monitoring and 
collecting data on millions of Americans with the use of their 
credit cards, mortgages, and their checking accounts.
    The recent Bloomberg articles from this past April state 
how the CFPB has already targeted at least 10 million Americans 
in their quest for this private information. The CFPB is 
obtaining this information in two different ways: by putting 
pressure on banks under certain Dodd-Frank provisions; and by 
acquiring it from outside sources. In the wake of what has 
happened in the IRS and the Department of Justice, the CFPB 
should exercise extreme restraint with their enormous power. 
The American people are very hesitant with government 
overreach, and these new policies could easily fall into the 
same abusive actions as other Federal agencies.
    The questions being addressed here today go to the heart of 
American liberty and freedom. And I do look forward to the 
answers. Thank you.
    Chairwoman Capito. Thank you.
    I would like to yield 2\1/2\ minutes to the ranking member 
of the full Financial Services Committee, Ms. Waters from 
California.
    Ms. Waters. Thank you very much.
    The Consumer Financial Protection Bureau fully opened its 
doors on July 21, 2011. Today, it is just shy of 2 years old. 
In the months before the agency officially opened, members of 
the transition team testified before Congress 7 times. As it 
was a young agency being built from the ground up, that may 
have been necessary. In addition to the 7 times the CFPB has 
been called to Congress to testify prior to its opening in July 
2011, CFPB officials have been called up to testify in Congress 
31 times, more than once a month.
    During that time, Director Cordray's nomination has been 
held up by a Senate minority who claims they want to improve an 
agency whose creation most of them never supported in the first 
place. Now, it makes good sense for Congress to perform 
oversight of government agencies, but at some point, it may be 
appropriate to consider whether oversight has become a disguise 
for harassment.
    However, in the last 2 years, when the CFPB has not been 
sitting in a committee room, they have been hard at work. In 
addition to setting up a brand-new agency, the first of its 
kind, and issuing regulations that are directed by the Dodd-
Frank Act, they have been tirelessly enforcing the laws 
Congress passed to protect consumers. The CFPB has recovered 
over $400 million for 6 million American consumers who were the 
victims of predatory financial practices.
    Today, the committee has gathered to talk about the CFPB's 
data collection practices. We share your concern that this data 
be treated carefully by regulators, credit-reporting bureaus, 
data aggregators, and financial services providers to protect 
the privacy of consumers. We would note that Section 1022 of 
the Dodd-Frank Act specifically bars the CFPB from gathering or 
analyzing personally identifiable financial information of 
consumers.
    It is clear that the CFPB has a duty to protect not just 
the consumers' choices, but also their privacy. It is unclear 
to me if any legitimate consumer or privacy advocates have 
raised concerns about the CFPB's data collection practices thus 
far. However, it is clear that access to this data is vital to 
the CFPB's mission of protecting consumers.
    If we are going to expect the CFPB to create a level 
playing field for consumers, they are going to need to have at 
least the same level of access to information about consumers 
as the largest banks and financial services providers have. 
That same data will also allow them to emulate other 
regulators, like the FDIC and the Fed, which provide markets 
with important consumer banking data and will be a tool for 
identifying bad lending practices before another crisis 
happens.
    I strongly support the Consumer Financial Protection Bureau 
and think they have been doing an excellent job on behalf of 
the consumers. And I look forward to the witness' testimony. I 
yield back the balance of my time.
    Chairwoman Capito. Thank you. Mr. Fitzpatrick for 1\1/2\ 
minutes.
    Mr. Fitzpatrick. Thank you, Madam Chairwoman.
    Today's hearing is, I think, very timely. Events in the 
news have focused the American people's attention on the very 
important subject of privacy and government surveillance. Data 
collection and research is not a bad thing. In fact, it is the 
sort of diligence that we would expect of our regulators.
    However, just because a government agency has good 
intentions or a benevolent-sounding name doesn't mean Congress 
should just look the other way while tens of millions of 
Americans are having their financial history gathered up and 
stored.
    Just as the Dodd-Frank Act gave the CFPB the authority that 
it is now exercising to collect this data, the law also put 
some very specific constraints on this activity. Recent stories 
involving the NSA have demonstrated that the American people 
and Members of Congress have every reason to be suspicious of 
so-called metadata gathering, and any analysis of that.
    We don't just need assurances that there is nothing 
potentially harmful or invasive going on. We need maximum 
transparency to ensure it beyond any doubt. The CFPB must do 
more in this regard.
    The right to privacy is not an inconvenient matter that can 
just be swept aside when it hinders government investigations. 
It is a constitutional right that deserves the highest levels 
of protection. Privacy and freedom from unwarranted 
surveillance are fundamental to our individual liberties, and 
we cannot allow any trespass on these hard-fought principles, 
so I appreciate the chairwoman's work on this matter, and I 
look forward to the hearing.
    Chairwoman Capito. Thank you.
    Our final opening statement will be from Mr. Luetkemeyer 
for 1\1/2\ minutes.
    Mr. Luetkemeyer. Thank you, Madam Chairwoman.
    For the past several months, American citizens have been 
made aware that the IRS has targeted specific organizations 
based on political activities. We have witnessed a significant 
leak from a private contractor who exposed classified and 
protected documentation showing a broad abuse of current law. 
We continue to see the potential for personal information to be 
misused and compromised by the government.
    And now we learn that the CFPB, an agency that has always 
touted itself as being transparent, could be collecting and 
storing individualized information on potentially millions of 
Americans.
    Despite the self-professed claims of transparency and 
consumer protection, the CFPB has proven to be unwilling to 
show how much individual data it is collecting, the level of 
detail of the information it is collecting, the number of 
people who have access to this data, or which foreign nations 
may have access to the information.
    The simple fact of the matter is that the CFPB could very 
well be jeopardizing consumer protection instead of ensuring 
it. It is time for the CFPB to answer questions and allow for 
the transparency it claims to value as an organization. I look 
forward to learning more about the activities of the CFPB, and 
I hope that our witnesses will be forthcoming and affirmative.
    With that, Madam Chairwoman, I yield back.
    Chairwoman Capito. The gentleman yield backs.
    I would like to introduce Mr. Lynch for the purpose of 
making an introduction.
    Mr. Lynch. Thank you, Madam Chairwoman. I appreciate the 
courtesy. And I thank the ranking member, as well.
    I would like to take this opportunity to welcome--on behalf 
of Mr. Capuano and I; Mr. Capuano is the senior Member of the 
Massachusetts delegation on this committee, and he is in 
another hearing--Mr. Steve Antonakes, who is an over-20-year 
employee of the Division of Banking in Massachusetts. He spent 
almost 8 years as the head of our banking division in 
Massachusetts. As you know, in Massachusetts we have a long and 
strong tradition of banking regulation that is vigilant in the 
protection of consumers, while fostering competitive financial 
markets. So, Steve, thank you for coming to the committee and 
helping us with our work. And I look forward to your testimony.
    And again, Madam Chairwoman, I thank you for the courtesy. 
I yield back.
    Chairwoman Capito. Thank you.
    I would like to welcome our witness, Mr. Steven L. 
Antonakes, who is the Acting Deputy Director of the CFPB. Mr. 
Antonakes, you are recognized for a 5-minute statement. Thank 
you.

   STATEMENT OF STEVEN L. ANTONAKES, ACTING DEPUTY DIRECTOR, 
          CONSUMER FINANCIAL PROTECTION BUREAU (CFPB)

    Mr. Antonakes. Great. Thank you. Good morning.
    Chairwoman Capito, Ranking Member Waters, Ranking Member 
Maloney, and members of the subcommittee, thank you for the 
opportunity to testify today about the fundamental importance 
of data analysis to the Consumer Financial Protection Bureau's 
mission to protect consumers. My name is Steven Antonakes, and 
I serve as the Acting Deputy Director for the Bureau.
    The Bureau is a data-driven agency, because Congress 
recognized that the Bureau cannot do its job of protecting 
consumers and honest businesses unless it understands the 
consumer financial markets it oversees. The Dodd-Frank Act 
specifically directs the Bureau to gather market information 
pursuant to a variety of authorities and through multiple 
sources. Like other financial service regulators, the Bureau 
only effectively supervises markets which it understands.
    As required by Dodd-Frank, data analysis enables the Bureau 
to not only better protect and educate consumers, but it also 
enables the Bureau to coordinate with other regulators and 
craft tailored rules based on a careful examination of costs 
and benefits. The Bureau's evaluation of this data also allows 
it to provide meaningful reports, as required by Congress, and 
to perform its consumer response function.
    In Fiscal Year 2012, the Bureau spent $7 million on 
obtaining data to support its mission. To place this into 
context, that comprised 2.4 percent of the Bureau's total 
budget. To date, the Bureau's Fiscal Year 2013 data 
procurements total $3 million, or 0.6 percent of the total 
budget. The Bureau makes every effort to collect market data in 
an efficient manner with an eye towards reducing the burden and 
cost on industry. The Bureau also makes every effort to 
safeguard and protect information that it does obtain.
    The Bureau collects and studies data to protect consumers 
throughout the United States in accordance with its statutory 
mandate, not to study any particular individuals. In an effort 
to minimize cost and burden on financial institutions, the 
Bureau relies on information it already has or that other 
regulators share. This practice is not only efficient, but also 
saves industry from providing the same information on multiple 
occasions.
    We may also acquire data from third parties and have 
already collected and compiled information.
    There were also instances where market participants and 
individuals voluntarily submit data. For example, the Bureau 
has successfully tackled some of the unique problems facing 
military consumers based on data submitted to our consumer 
response office. The Bureau has helped servicemembers resolve 
issues with mortgage servicers about permanent change of 
station orders and issued a report detailing the types of 
consumer financial hurdles servicemembers and their families 
experience.
    The Bureau is also committed to ensuring protection for 
consumers' personal privacy. In the very limited cases where 
the Bureau obtains personally identifiable information, it 
stores and protects that information, along with other 
confidential information and data, according to information 
security requirements that comply with applicable Federal laws 
and regulations. The Bureau publishes a privacy policy on its 
Web site that sets forth privacy principles and steps that it 
takes to protect consumers' personal privacy.
    We at the Bureau are committed to delivering tangible value 
to American consumers. With that in mind, I would like to share 
some Bureau accomplishments where data has impacted our work 
and benefited consumers.
    $6.5 million: the amount returned to servicemembers who 
participated in the Military Installment Loan Educational 
Services (MILES) auto loan program and were misled about the 
fees they were charged and the true cost of their auto loans.
    50,000: the number of servicemembers who will get money 
back as a result of the Bureau's supervisory and enforcement 
review of the MILES program.
    $432 million: the amount of money being refunded through 
Bureau enforcement actions to consumers who have been subjected 
to deceptive practices.
    6 million: the number of consumers receiving refunds 
because of 2012 Bureau enforcement actions.
    More than 150,000: the number of complaints the Bureau has 
handled from consumers in every State across the country since 
the Bureau formally opened its doors in July 2011.
    28,000: the number of responses from experts and 
individuals impacted by student debt. This information enabled 
the report on student loan affordability.
    And 644: the number of colleges voluntarily adopting the 
financial aid shopping sheet developed by the Bureau and the 
United States Department of Education.
    Chairwoman Capito, Ranking Member Maloney, Ranking Member 
Waters, and members of the subcommittee, thank you for the 
opportunity to testify before you today. I will be happy to 
answer your questions.
    [The prepared statement of Mr. Antonakes can be found on 
page 52 of the appendix.]
    Chairwoman Capito. Thank you, Mr. Antonakes. I will now 
recognize myself for 5 minutes for the purpose of beginning the 
question-and-answer period.
    In my opening statement, I asked for specific numbers on 
how much data you are collecting and from how many individual 
consumers. Can you give me some specifics on that? You gave me 
a lot of numbers, but specifically on how many accounts you are 
collecting and monitoring?
    Mr. Antonakes. Thank you, Chairwoman Capito. The important 
thing for us is the data collection that we conduct serves the 
primary mission of the Bureau, and that is to protect 
consumers.
    Chairwoman Capito. Right, so how many--
    Mr. Antonakes. The vast majority of data that we collect is 
anonymized and does not include personally identifiable 
information. And that goes for all the data that we purchase 
and data that--
    Chairwoman Capito. And for how many accounts is that? How 
many accounts is that? If it doesn't have any personally 
identifiable information, what is the number? That is what I am 
trying to get.
    Mr. Antonakes. I don't have the exact number. We will be 
happy to follow up with you on what the number is, but we do 
look at a substantial amount of data in order to understand the 
markets and determine where risks may lie.
    Chairwoman Capito. Right, so--
    Mr. Antonakes. The only instances in which we will take in 
personally identifiable information would come through one of 
two channels. The first would be when consumers affirmatively 
reach out to us through our Consumer Response hotline and are 
seeking our help in resolving a complaint. The only other 
circumstance is when we are using our supervisory tool, 
conducting examinations of the banks, the credit unions, and 
the nonbanks under our jurisdiction. The Bureau conducts 
examinations in the same fashion that all of the prudential 
regulators and State regulators do.
    And in that instance, that work is what has resulted in our 
ability to refund significant amounts of monies to consumers. 
We are seeking data to understand markets and to protect 
consumers.
    Chairwoman Capito. Right.
    Mr. Antonakes. We are not seeking data to monitor 
individual Americans.
    Chairwoman Capito. Okay. So in your strategic plan, you 
mentioned that you were going to maintain a credit card 
database covering 80 percent of the credit card market, 
correct? That is in your statement.
    Mr. Antonakes. Correct, yes.
    Chairwoman Capito. And so that would be over 900 million 
accounts. It seems to me, if you are looking for trend lines, 
80 percent--I took statistics when I was in school 150 years 
ago--you don't need 80 percent of the market to figure out what 
the trend lines are.
    Let me ask you this. You mentioned, too, $7 million for 
obtaining data. This year, $3 million for obtaining data. Is 
that the amount of money that the CFPB has paid to private 
contractors for obtaining financial data?
    Mr. Antonakes. I believe that to be correct, yes.
    Chairwoman Capito. That is correct?
    Mr. Antonakes. I believe that to be correct, yes.
    Chairwoman Capito. Okay. What kind of proper background 
investigations do these private contractors have to be able to 
handle--we have already learned about somebody taking a thumb 
drive in and exposing national security secrets. What kind of 
precautions do you require for your private contractors?
    Mr. Antonakes. We do vet the contractors. Moreover, it is 
written into our contracts that they have to abide by the 
Privacy Act and comply with all of the laws. They also have the 
safeguards that we would have if we were collecting that data 
on our own behalf.
    Chairwoman Capito. And then you mentioned, too, that you 
data share with the other regulators so you are not duplicating 
this. Can you tell me, from an institutional standpoint, we 
have heard anecdotally about a lot of institutions which are 
having to data dump to everybody and they are wondering what 
happens with all this data. So you are telling me that all the 
repetitiveness and redundancy is out of the system? That is not 
what we are hearing anecdotally from the institutions which are 
regulated by you and others.
    Mr. Antonakes. That is a great question. I think, in many 
respects, it gets to the kind of new relationships we continue 
to furnish with our sister regulatory agencies. We certainly 
want to ensure that, to the extent we are both seeking 
information, we are coordinating together. It is far better for 
us to share that information directly with the Federal agencies 
than to make a repetitive data request of a financial 
institution.
    Moreover, our examiners are instructed that if the 
institution tells our examiners that they have already provided 
very similar data to another agency, they should accept that 
data in lieu of a second data request. If there is other data 
that the institution has run for its own purposes, that would 
essentially provide what we need, they should accept that.
    Chairwoman Capito. So would you say that is more of a work 
in progress, where the coordination--
    Mr. Antonakes. I would say it is a transitional issue that 
has gotten better over time and will continue to do so.
    Chairwoman Capito. Okay. How long do you store data for 
when you collect it, say, in 2013? How long does it stay a part 
of the system? Is it in the cloud? Or where is this data?
    Mr. Antonakes. We are in the process of developing and 
getting approved, through the National Archives, our data 
destruction schedules. They have not been approved as of yet. 
We want to make sure that the data is appropriately safeguarded 
and that we are taking it off our systems in appropriate 
periods of time.
    Chairwoman Capito. So basically what you are saying is that 
you are still holding the data that you have originally 
collected, because you don't have a data destruction plan, 
correct?
    Mr. Antonakes. That is correct.
    Chairwoman Capito. Correct. All right.
    Mrs. Maloney?
    Mrs. Maloney. I thank the chairwoman. And I believe the 
chairwoman raised some important points about, really, 
coordinating with other agencies on what data is collected. In 
preparing for this hearing, I was reading documents which said 
that other agencies collect far more data than the CFPB does. 
It would be interesting to see a breakdown of who is collecting 
what, how it is being coordinated, and I would like to join the 
gentlelady in the request to the GAO to do such a report. I 
think it could be helpful in policy and going forward to see 
who is collecting what data, how could they share it better, 
streamline it, and I think that is something we could work on.
    My colleague, Mr. Lynch, pointed out that you served under 
Governor Romney as the superintendent of banks, and you also 
served during the financial crisis of 2008. Could you comment 
on your experiences? Did the State of Massachusetts have 
sufficient data to help with this crisis, to help the 
consumers, help the economy, help the State?
    Mr. Antonakes. Thank you, Ranking Member Maloney. We did 
have the advantage, as Congressman Lynch pointed out, of having 
very strong consumer protection laws in Massachusetts. However, 
we were significantly disadvantaged, in my mind, by the lack of 
data that we had at our disposal. I think the financial crisis 
somewhat brings that to light.
    We were busy during that period of time implementing 
previous State legislation on predatory lending, and adopting 
regulations to deal with abuses that occurred in the refinance 
market.
    Mrs. Maloney. So I see that basically you could have 
protected taxpayers' monies more if you had more data. Is that 
a fair statement?
    Mr. Antonakes. Yes, I think we were responding to the 
earlier issue without the data to see that the abuses had 
shifted to the purchased money markets.
    Mrs. Maloney. Also in your testimony, you said that you 
supervised--or your Bureau did--the return of $6.5 million to 
servicemembers who had been harmed by unscrupulous lenders. Can 
you talk a little bit more about this case and how the 
collection of data enabled the Bureau to help nearly 50,000 men 
and women in the armed services and the distinction of what you 
said, farming data to come up with policies for credit cards 
and overdraft, and how that is different from how you helped 
these 50,000 servicemembers?
    Mr. Antonakes. Certainly. So this case really stemmed from 
two sources for us, complaints filed with our Consumer Response 
division, as well as examination activity that we did: digging 
into their records; digging into the files; and digging into 
information that led us to conclude that unfair and deceptive 
acts and practices had occurred. A number of servicemembers 
were being charged more than was disclosed to them in their 
automobile loans. Data also allowed us to identify those 
servicemembers who would be reimbursed.
    Mrs. Maloney. I believe that my colleagues on both sides of 
the aisle have raised the importance of privacy. Not only do 
you need the data, but we need to protect the privacy of 
consumers. And, again, I refer to the letter that came in from 
seven consumer groups saying that they applaud the efforts of 
the Bureau in collecting this data and that these safeguards 
are in place.
    Because this is such an important issue, I would like to 
request if we could do an on-site visit to the CFPB and see how 
the data is secured, how it is done; seeing is believing. And I 
think no matter how much that you tell us that it is secure and 
the consumer is protected, I feel that this would be something 
that could be helpful.
    Do you think that would be beneficial? Could we do such a 
visit, off-site visit?
    Mr. Antonakes. We would be honored to welcome any members 
of the committee or the Congress to come to our facilities.
    Mrs. Maloney. I have no further questions. I yield back.
    Chairwoman Capito. Thank you.
    Mr. Duffy for 5 minutes.
    Mr. Duffy. Thank you, Madam Chairwoman.
    I want to follow up on a question from Chairwoman Capito in 
regard to, how many Americans are you collecting data on? How 
many Americans are you monitoring? You said you would get back 
to the committee, but can you give us a range? Because we have 
read reports that it is 10 million Americans who are being 
monitored or have data being collected on them. What is the 
range?
    Mr. Antonakes. Congressman, we are not monitoring any 
individual Americans. We are collecting broad data on markets 
to understand how varied markets work.
    The PII is constrained to the extent that we are fulfilling 
our consumer response mandate, as well as our examination 
mandate.
    Mr. Duffy. I am asking you a question about a range, then, 
of how many Americans have their data collected by the CFPB. 
How many?
    Mr. Antonakes. I can get back to you with precise numbers, 
but, again, I feel--
    Mr. Duffy. I am not asking you--
    Mr. Antonakes. --the need to point out that we are 
collecting broad data that is desensitized, does not include 
specific information about Americans.
    Mr. Duffy. I know. Reclaiming my time, I know that. But I 
want a range of how many Americans have their data sampled or 
collected by the CFPB. What is the range? Is it 10 million? Is 
it more than 10 million, less than 10 million? What is it?
    Mr. Antonakes. I can--
    Mr. Duffy. You have to know a range.
    Mr. Antonakes. I can--Congressman, I am happy to provide 
you a granular breakdown of what that looks like. I don't have 
that information in front of me at this moment. But, again, I 
do think it bears repeating--
    Mr. Duffy. But you don't--reclaiming my time--know a range 
of the number of how many people have their data collected by 
the CFPB? You don't know that range today?
    Mr. Antonakes. I couldn't give you an accurate range.
    Mr. Duffy. You couldn't. Okay. And what is your position, 
again, at the CFPB?
    Mr. Antonakes. I serve as both the Acting Deputy Director, 
as well as the Associate Director for Supervision, Enforcement, 
and Fair Lending.
    Mr. Duffy. Don't you think that Americans would expect you 
to know at least the range of how many citizens are having 
their data collected by your agency? And you can't even give us 
a range. Is it more than 10 million? Less than 10 million?
    Mr. Antonakes. Congressman, the data collection activities 
that occur at the Bureau virtually mirror the data collection 
activities that occur at other prudential regulators. And, 
again, our sole purpose here is not to study Americans--
    Mr. Duffy. I will reclaim my time. I appreciate that you 
can't give us a range.
    In regard to the length of time in which you store the 
data, you are working with the National Archives Records 
Administration. Have you made a request for a length of time to 
keep this financial data on Americans?
    Mr. Antonakes. I believe there are a number of different 
ranges based upon the types of information that we are 
gathering.
    Mr. Duffy. How long can you keep the data or is the request 
to keep the data?
    Mr. Antonakes. I will have to confirm this with you, 
Congressman. I believe the request is 10 years.
    Mr. Duffy. Ten years.
    Mr. Antonakes. I believe so.
    Mr. Duffy. A lot of us are involved in politics. And we see 
a lot of polling, whether it is with regard to our own races, 
other races, the President. It is sampling of data. Why can't 
you sample data? Why are you collecting massive amounts of 
financial data on Americans and potentially keeping it for 
years, up to 10 years? Why don't you just sample data to 
extract the information that you need to make good rules and 
regulations?
    Mr. Antonakes. I believe it is important for us to have 
wholesome data to truly understand these financial 
marketplaces. I also believe it is important to have the data 
for a number of years so that you can do market analysis and 
look at trends over a period of time. We are still learning, I 
would say, in many respects, the impact on Americans of the 
financial crisis.
    Mr. Duffy. And I know that the Bureau has made a pledge to 
be transparent and open. Will you commit to sending us all the 
contracts that you engage in with third-party vendors? Will you 
send those to us?
    Mr. Antonakes. We are happy to provide the contract 
information to you.
    Mr. Duffy. Thank you. And I know that you send a request to 
financial institutions to collect data from them, as well. Will 
you share those letters with the committee that you send to 
financial institutions requesting data from them?
    Mr. Antonakes. To the extent that we are requesting data 
from financial institutions, it is under our confidential 
supervisory examination program.
    Mr. Duffy. Let me read a quote to you, and tell me if you 
know who said this: ``Transparency is at the core of our 
agenda, and it is a key part of how we operate. You deserve to 
know what the new Bureau is doing for the American public and 
how we are doing it.'' Do you know who said that?
    Mr. Antonakes. I am guessing perhaps it was either Director 
Cordray or--
    Mr. Duffy. Senator Warren.
    Mr. Antonakes. --Senator Warren.
    Mr. Duffy. Yes. So in that vein, why don't you share that 
information with the American people? If you are taking data 
from Americans, why don't you share the request for the data?
    Mr. Antonakes. We don't share the request for the data to 
the extent that we are doing it through our confidential 
supervisory program because our mission there is solely to 
protect consumers, and no other agency has to make that 
request. To request that information during the course of an 
examination--
    Mr. Duffy. So reclaiming my time, in regard to protecting 
Americans, I know you are not dealing with terrorists, like the 
NSA. You are dealing with financial data. Don't you think it is 
appropriate that you ask for permission and consent of 
Americans before you take their data? Shouldn't you ask them 
and get their permission?
    Mr. Antonakes. I think, in the course of an examination, 
which happens on a routine basis, if we were to ask, it could 
conceivably cause reputational damage to the institutions that 
we are examining.
    Mr. Duffy. I yield back.
    Chairwoman Capito. The gentleman's time has expired.
    Ms. Waters for 5 minutes.
    Ms. Waters. Thank you very much.
    Congresswoman Maloney asked about your past experiences in 
Massachusetts and whether or not you had been involved in data 
collection and was it helpful to you as a State banking 
regulator, I believe. Let me just ask, do banks and credit card 
companies have access to this data?
    Mr. Antonakes. Yes, they do.
    Ms. Waters. What do they do with it?
    Mr. Antonakes. They collect it on a regular basis. They use 
it for marketing purposes, for benchmarking, and other internal 
reviews of the efficiency and effectiveness of the products and 
services that they offer.
    Ms. Waters. And so if banks and credit card companies have 
access to this data, is the suggestion here that the consumer 
protection regulator should not have it? Is that what you are 
being asked?
    Mr. Antonakes. I am not sure what the motivation of the 
question is, Ranking Member Waters. We believe we are seeking 
only the information that industry has that will allow us to 
conduct our job, to understand these markets, and understand 
where risks lie for consumers.
    Ms. Waters. Let me just ask, we have gone through a 
financial crisis, starting in 2008, and this crisis, of course, 
was created in the financial services community by many of the 
initiators of mortgages, et cetera. Would it have been helpful 
to have more data to be able to address this problem that we 
were confronted with?
    Mr. Antonakes. It certainly would have been helpful, yes.
    Ms. Waters. And so, again, if the very agencies or 
financial services agencies or companies--whatever you want to 
call them--if they had access to this data and we don't, and 
they created the problems that we face with the subprime 
meltdown, doesn't that put us at a great disadvantage of trying 
to do oversight and regulation?
    Mr. Antonakes. Ranking Member, I believe regulators are at 
a substantial disadvantage if they don't have the information 
that regulated entities have, yes.
    Ms. Waters. Thank you very much. I yield back the balance 
of my time.
    Chairwoman Capito. Thank you.
    I would like to recognize Mr. McHenry for 5 minutes.
    Mr. McHenry. Thank you, Madam Chairwoman.
    The term, ``personally identifiable financial 
information,'' has the CFPB defined the meaning of that?
    Mr. Antonakes. So, Congressman, we would use the term that 
I think is more broadly defined, in terms of information that 
would allow you to identify the particular consumer.
    Mr. McHenry. Is there--
    Mr. Antonakes. We haven't created our own separate and 
distinct definition, no.
    Mr. McHenry. Okay, because in Dodd-Frank, there are two 
provisions that limit the CFPB's authority to collect 
personally identifiable financial information. So is it the 
intent of the CFPB to perhaps have a rule defining that?
    Mr. Antonakes. There are several provisions in Dodd-Frank 
whereby we can collect information. There is one specific rule 
relative to market monitoring that we have not utilized as of 
yet. We also obtain data through the purchase of commercially 
available information, through voluntary data, through publicly 
available data such as the Census Bureau, through our 
supervisory program, as well as through our consumer complaint 
intake. Those are the means that we have used thus far to 
collect this data.
    Mr. McHenry. Yes, but, okay, so the PII, what is that? Can 
you define that again? What does that stand for?
    Mr. Antonakes. Personally identifying information.
    Mr. McHenry. So that is very different than personally 
identifiable financial information. Is it different than--
    Mr. Antonakes. I don't believe it is, Congressman.
    Mr. McHenry. Okay. You don't think it is different. So in 
your contract here, you have--we have this document. Judicial 
Watch got this from a Freedom of Information Act request that 
some of the data will contain sensitive personally identifiable 
information. So is the PII different than what is banned in 
Dodd-Frank, which says the CFPB cannot get individual 
Americans' data?
    Mr. Antonakes. We don't believe that Dodd-Frank says we 
can't collect PII.
    Mr. McHenry. Okay, well, I will follow up on that. So you 
don't have a rule. Do you have any intention of writing a rule 
to define personally identifiable financial information?
    Mr. Antonakes. We don't at this time, no.
    Mr. McHenry. So you wouldn't have, perhaps, public input on 
the meaning of that, to give some assurances that you are not 
collecting individual data. So the personally identifiable 
information, would that include a person's name?
    Mr. Antonakes. Again, I would say, Congressman, it would 
include a person's name.
    Mr. McHenry. It would? Okay. Would it include a person's 
identification number, like a Social Security number, maybe?
    Mr. Antonakes. Again, it would depend on the context in 
which the information was being collected. The definition of 
PII would certainly include those things. It doesn't mean we 
are necessarily collecting that type of information.
    Mr. McHenry. Okay. What about an address? Would an address 
be a part of that?
    Mr. Antonakes. Would an address be considered PII?
    Mr. McHenry. Yes.
    Mr. Antonakes. Yes, sir.
    Mr. McHenry. Okay. So you have a person's name, you have 
the person's Social Security number, and address. What about 
ZIP Code? Not to be redundant, but would that be a part of the 
address?
    Mr. Antonakes. It could be.
    Mr. McHenry. Okay. So what about personal characteristics, 
like fingerprints or pictures? Is that prevented or is that 
included in the data?
    Mr. Antonakes. That would be considered PII. We don't 
collect that type of information.
    Mr. McHenry. Okay, okay, so no pictures. That is good. No 
fingerprints. What about property they own?
    Mr. Antonakes. Again, Congressman, if we were doing an 
examination and we were looking at compliance with mortgage 
rules, during the course of an examination--
    Mr. McHenry. So, yes, like--
    Mr. Antonakes. --see the property during the course of an 
exam.
    Mr. McHenry. Yes, you would see the property, okay. What 
about employment information?
    Mr. Antonakes. Employment information? Again, perhaps 
during the course of reviewing a mortgage loan, conceivably.
    Mr. McHenry. Okay. What about medical information?
    Mr. Antonakes. No, sir.
    Mr. McHenry. No, sir?
    Mr. Antonakes. No.
    Mr. McHenry. Okay. So the fact that somebody is paying a 
bill to the hospital or has substantial debt owed to a hospital 
would not be included in this?
    Mr. Antonakes. During the course of an exam, conceivably.
    Mr. McHenry. So conceivably medical information, as well.
    Mr. Antonakes. But--
    Mr. McHenry. What about credit score?
    Mr. Antonakes. Credit score conceivably, as well.
    Mr. McHenry. Okay. So this sounds to me like personally 
identifiable financial information. And this is a great concern 
at a time when people are worried about their privacy. So it 
seems to me you have no definition, no limitation on the type 
of data you can collect, or for how long you are going to 
collect it.
    Mr. Antonakes. Congressman, I would say only that to the 
extent we are reviewing this type of information, it is through 
our supervisory process, through our consumer complaint 
process, and we are following the same process that has been 
run for years by other Federal and State regulatory agencies. I 
don't believe we are plowing any new ground here.
    Mr. McHenry. You are not?
    Mr. Antonakes. No, sir.
    Mr. McHenry. This is no new ground?
    Mr. Antonakes. In terms of our supervisory program? I would 
say no.
    Mr. McHenry. So the fact that you want to hold nearly a 
billion credit cards and update them on a monthly basis and the 
people's transactions--this sounds like dramatically new ground 
that your agency is taking.
    Mr. Antonakes. Other agencies--
    Mr. McHenry. With that, I yield back.
    Mr. Antonakes. --have collected credit card data before, 
sir.
    Mr. McHenry. On a monthly basis?
    Mr. Antonakes. Yes.
    Mr. McHenry. Updated monthly?
    Chairwoman Capito. The gentleman's time has expired.
    Mr. Scott?
    Mr. Scott. Yes, thank you.
    I think it is very important for us to follow up on Mr. 
McHenry's line of questioning, because I really believe he is 
getting to the heart of the matter. This information of which 
you get names, you could get their Social Security number, you 
can get their addresses, you can, in fact, get this personal 
identification information. Now, it is very important for you 
to very quickly explain to the--if Mr. or Mrs. America is 
watching this program, under what circumstances is this done? 
How is it protected and insured against someone else getting 
it?
    And this is particularly true, because, yes, according to 
my information, you can get medical debt data. And I am 
interested to know how far that would go. Does it go all the 
way to the type of procedure, the type of treatment? Was it 
cancer? Was it--so how much of this personal data information 
are you collecting and why? And do you have the authority to do 
it now?
    And then, secondly, in order to make sure we have America's 
confidence that none of this will leak out--because I will tell 
you, this is what I am concerned about. I am concerned about 
things like this little fellow who is rolling around from 
airport to airport trying to find a place to land, this--all of 
these leakers. And there are many of them out there and with 
the advanced technology of hacking.
    So I want you to kind of defend this position a little bit 
more, because we don't want the American people to go away 
misinformed that you are collecting all this personal data when 
you say you don't.
    Mr. Antonakes. Thank you, Congressman. Our statutory 
mandate, as you know, is to protect consumers. And to the 
extent we collect and analyze data, it is for the purpose of 
fulfilling our statutory mandate. We collect, investigate, and 
respond to consumer complaints. We conduct examinations to 
determine whether or not violations of consumer financial 
protection laws exist.
    Mr. Scott. Let me ask you, though, I am trying to get my 
hands around the quantity of this personal identification. How 
many have you gotten that fit this category? And how do you 
protect that personal identification? We have to get an answer 
to that in order to maintain the credibility of the CFPB to 
know that it is going to be protected. I am not--I am just 
saying, there has to be a reason.
    Dodd-Frank outlaws it up to what the other Federal 
regulators do, like the Fed. Can they do the same thing? I am 
trying to give you a chance here to get out from under this 
accusation that I think Mr. McHenry very eloquently articulated 
here. I think this is a legitimate question that we have to get 
answered.
    Mr. Antonakes. Congressman, to the extent we collect PII, 
it is exceptionally limited, generally through the consumer 
response process, as well as our supervisory process. This is 
very consistent with the way other regulators collect this 
information.
    Mr. Scott. Nothing you do is beyond what other regulators 
do in collection of that personal data?
    Mr. Antonakes. That is correct. And then we secure it, to 
the extent we have to collect it to do our jobs, we secure it 
on our systems. There is very limited access to those systems. 
They meet FISMA standards, the Federal standards, and have 
received clean audits from GAO and the Fed and the CFPB 
Inspector General, in terms of those systems.
    Mr. Scott. So far, has the data security system you have 
been collecting, has it been breached? Have there been attempts 
to hack it? Do we have a fail-safe there?
    Mr. Antonakes. Congressman, to my knowledge, it has not. 
And I would say, again, we have standards in place that meet 
the requirements of existing Federal law.
    Mr. Scott. On the medical debt issue, I wanted to go back 
to that. On that information, do you also have information 
contain what that treatment was? This is very private. This is 
very personal information.
    Mr. Antonakes. No, we don't.
    Mr. Scott. So there is no diligence into what kind of 
procedure he had, what kind of disease, or anything else? That 
is totally unacceptable?
    Mr. Antonakes. Correct.
    Mr. Scott. All right. Thank you, sir.
    Chairwoman Capito. Thank you.
    Mr. Luetkemeyer for 5 minutes.
    Mr. Luetkemeyer. Thank you, Madam Chairwoman.
    I guess I will follow up on Mr. McHenry's questioning, as 
well. What are you trying to do whenever you monitor 80 percent 
of the credit card market?
    Mr. Antonakes. We have a statutory mandate to understand 
the credit card market, as well as other financial 
marketplaces. We also have a congressional mandate to do a 
study on the effectiveness of the CARD Act. So to the extent 
that we are looking at this data--and, again, I need to 
emphasize that other agencies have similar processes in place 
whereby they look at credit card data--it is to fulfill those 
requirements, to understand the credit card market, understand 
where there may be inherent risk to consumers in that market, 
and also to inform the work we have to do as part of the CARD 
Act.
    Mr. Luetkemeyer. You are a former examiner, right?
    Mr. Antonakes. Yes.
    Mr. Luetkemeyer. I am also a former examiner. If we went 
into a bank or financial institution, you always cut on the 
loans to get a certain percentage, and you wouldn't look at the 
lower loans. You would look at only the big loans, because that 
is where most of the risk was.
    Mr. Antonakes. Correct.
    Mr. Luetkemeyer. Why are you not doing that with credit 
cards? There is no--you are not looking at the risk situation 
there. You are monitoring habits. And I am not sure that the 
CFPB needs to be looking at the habits of consumers. They need 
to be looking for the risks that they are taking or some sort 
of risk that is inherent within the system of the credit card 
company or within the system of the credit card industry.
    Mr. Antonakes. Congressman, I think it is important to 
point out a couple of things. In terms of the credit card data 
collection, we do not receive data about individual purchase 
transactions. Moreover, we cannot identify specific 
cardholders. We can't identify specific purchases. We don't 
know the items they purchase, who purchased them, when they 
were purchased. We don't look for that type of information.
    In terms of your questions on where you cut the line, you 
are absolutely correct. From an examination point of view, you 
are taking a sample, you are looking at a certain line, the 
higher risks. But to understand this on a more macro level, 
which is really our other function, the market monitoring 
function, to understand where risks may appear more broadly, 
that is where the more wholesome--
    Mr. Luetkemeyer. Okay. So why do you need the personal 
information, then, if you are just looking at macro prints?
    Mr. Antonakes. We aren't collecting personal information on 
the credit card data collection. We are not looking--
    Mr. Luetkemeyer. What about the rest of the information?
    Mr. Antonakes. In terms of the exams, we could look for it 
conceivably in those circumstances to ensure that if consumers 
are being overcharged, they are being refunded. But the broader 
data collection that you are speaking of--
    Mr. Luetkemeyer. Okay, with regards to exams--
    Mr. Antonakes. --there is no PII required.
    Mr. Luetkemeyer. With regards to the exams--
    Mr. Antonakes. Yes.
    Mr. Luetkemeyer. --you know what I am talking about when I 
talk about the pink pages or the informational--
    Mr. Antonakes. Yes, I do.
    Mr. Luetkemeyer. --the information that is there on the 
stockholders, major owners, as well as employees. Is that 
information taken by the CFPB?
    Mr. Antonakes. We don't include pink pages in our 
examination.
    Mr. Luetkemeyer. You don't accumulate that information at 
all?
    Mr. Antonakes. We do not.
    Mr. Luetkemeyer. Okay. So, therefore, it is not given out 
to anybody else, either?
    Mr. Antonakes. We are not a safety and soundness regulator, 
so we don't see the need to collect that type of information.
    Mr. Luetkemeyer. Okay. Well, that is good news.
    Mr. Antonakes. Okay.
    Mr. Luetkemeyer. But we do have concerns with regards to 
the rest of the information that you are giving out, because 
according to some information I have here, you are giving it 
out to, like, 500--do you have contracts with like 500 
different groups to be able to give the information out to some 
folks through the FTC's arrangement with their Sentinel 
Network?
    Mr. Antonakes. I believe you are referring to the extent to 
which we provide access to our consumer database to other State 
agencies. I would say that our consumer response database and 
the manner in which we share with other regulators really 
mirrors the FTC Sentinel program.
    So if there are other agencies--be it a State agency--that 
has comparable jurisdiction over one of the State-licensed non-
bank entities that we may supervise or has supervision over a 
State-chartered bank that we may supervise, then we believe 
they have the right to have this complaint information and 
perhaps--
    Mr. Luetkemeyer. Will they have the right to access your 
files, as well?
    Mr. Antonakes. They would access the complaint information 
that we have. That is what they have access to, the complaint, 
and they have to go through a diligence process and sign 
agreements with us before they can access that type of 
information.
    Mr. Luetkemeyer. Okay. So how many agreements do you have 
at this point?
    Mr. Antonakes. I would have to verify that for you, 
Congressman, but, again, it is for other agencies with similar 
supervisory responsibilities.
    Mr. Luetkemeyer. Do you have agreements with other 
countries?
    Mr. Antonakes. Not that I am aware of.
    Mr. Luetkemeyer. According to the data here with regards to 
the Sentinel Network, now you are--has that information been 
absorbed by you or you have agreement with them?
    Mr. Antonakes. With the FTC?
    Mr. Luetkemeyer. Yes.
    Mr. Antonakes. I believe we have an agreement with the FTC.
    Mr. Luetkemeyer. Therefore, you have access to that 
information?
    Mr. Antonakes. I believe so, yes.
    Mr. Luetkemeyer. So, therefore, any other entity that has 
access to you has access to that information, as well?
    Mr. Antonakes. I believe they would have to have their own. 
I don't believe we are a pass-through. I don't believe another 
agency can make an agreement with us and, therefore, get an 
agreement with the FTC. I believe they would have to do their 
own agreement with the--
    Mr. Luetkemeyer. Do you have any agreements with any 
foreign countries to have access to your information?
    Mr. Antonakes. I will verify that for you, Congressman. I 
am not aware of any.
    Mr. Luetkemeyer. Okay. Thank you very much. I will yield 
back.
    Chairwoman Capito. Thank you.
    Ms. Velazquez for 5 minutes.
    Ms. Velazquez. Thank you.
    Mr. Antonakes, there is still, I guess, by the line of 
questions that you have heard here--understand there are a lot 
of critics who continue to argue that the Bureau's collection 
procedures are too broad and burdensome. I just would like to 
hear from you what percentage of the data you collect must be 
obtained from market participants. And how would you counter 
the argument that businesses are negatively impacted by this 
data request?
    Mr. Antonakes. Congresswoman, we receive information from a 
variety of sources. To the extent we can reduce burden on the 
industry and collect it through third parties that already have 
that information, information that is already provided by the 
financial service companies, we try to use that information. To 
the extent it is in the public domain, we try to use that 
information, as well. And then in terms of our supervisory 
responsibilities, ensuring that Federal financial consumer laws 
are being followed, that is when we would make specific data 
requests of the banks, the credit unions, and the nonbanks that 
are specifically under our jurisdiction.
    Ms. Velazquez. And also, you have heard how much we care 
about the--securing the--and providing identity protection, and 
that issue would be one of the Bureau's top priorities. One 
breach will erode public trust, and it will set back your 
research significantly. And I heard you saying that you are 
complying with Federal laws and regulations in order to protect 
personally identifiable data.
    But beyond that, what additional steps are you taking to 
protect consumer privacy throughout the process, from 
collection to publication?
    Mr. Antonakes. Yes, so we certainly do share this concern. 
And really, the best way we can ensure that we protect this 
information is to collect as little PII as possible. And that 
is our first fundamental goal.
    To the extent we do have to collect it, we store it 
accordingly. We significantly limit, to a need-to-know basis, 
who in the Bureau has access to that information, and we have 
significant security protocols built into our system, as well. 
Once our destruction schedules are approved, we will have the 
means of flushing this data out of our system as well, on a 
regular basis.
    Ms. Velazquez. Recently, Mr. Raj Date, the CFPB's former 
Deputy Director, stated that the Bureau's data analysis could 
lead lenders to innovate in ways that cut consumer costs and 
help regulators create more efficient rules. Will you be able 
to elaborate on how data collection may lead to better 
regulation and more innovation in the financial markets?
    Mr. Antonakes. Well, certainly. Certainly, industry has 
collected this information for a number of years, and 
technology has enhanced their ability to collect it, and it has 
led to a lot of innovation in the financial service 
marketplace, which ultimately has been good for consumers.
    Our use of this data collection is to understand these 
markets, to monitor these markets, and prioritize our limited 
resources accordingly. That essentially is what we are trying 
to do with this information.
    Ms. Velazquez. And you stated in your testimony that 
information is essential to protecting consumers from 
unscrupulous activity, supervising the financial markets, and 
maintaining the stability of the economy. Can you highlight 
some instances where your current data collection and analysis 
efforts have successfully protected consumers?
    Mr. Antonakes. Sure. There are a number of circumstances in 
which the data collection we have done has resulted in us 
prioritizing resources in certain areas. To the extent that we 
have secured significant reimbursement orders against some of 
the large credit card providers because of unfair and deceptive 
acts and practices related to add-on services, some of our most 
significant reimbursements thus far have been the result of 
information coming in through our complaint channel, our 
understanding of the consumer credit card markets, and the 
actual examination of those physical consumer files at the 
credit card institutions.
    Ms. Velazquez. Thank you.
    Thank you, Madam Chairwoman.
    Chairwoman Capito. Mr. Pittenger for 5 minutes.
    Mr. Pittenger. Thank you, Madam Chairwoman.
    Dr. Antonakes, you have a very impressive resume.
    Mr. Antonakes. Thank you.
    Mr. Pittenger. You have served as commissioner of banks. 
You have been a voting member of the Federal Financial 
Institutions Examination Council, vice chairman of the 
Conference of State Bank Supervisors, governing boards of 
Nationwide Mortgage Licensing System. You have graduated from 
very esteemed universities. And I applaud you for that.
    You now are the number-two man in a very important agency, 
perhaps the most powerful ever in the history of this country. 
This agency now assumes all the responsibilities previously 
held by the Federal Reserve, the Office of the Comptroller of 
the Currency, the now-defunct Office of Thrift Supervision, the 
Federal Deposit Insurance Corporation, the FTC, the National 
Credit Union Administration, and the Department of Housing and 
Urban Development. That is pretty impressive.
    In many ways, you could say that your board manages the 
entire financial system of this country. You could be likened 
in ways to Joseph under the Pharaoh in Egypt. You are a 
powerful man. And you know that. It is a powerful agency. 
Wouldn't you agree?
    Mr. Antonakes. I thank you, Congressman. I am not sure I am 
quite as powerful as you described. We have--
    Mr. Pittenger. But let's just set the stage that it is 
correct.
    Mr. Antonakes. We have inherited some of the 
responsibilities of those other regulatory agencies--
    Mr. Pittenger. But never have we had an agency that has had 
the power that is unchecked of--you are accountable basically 
to no one. You don't go through appropriations. Isn't this a 
very powerful agency? And yet the core of what we have been 
told is your transparency is going to be imprimatur of your 
agency. And right now, we have reports on the lack of that.
    Here is one memo that went out to keep your calendar 
entries brief in general. If possible, avoid annotating entries 
with agendas, detailed discussions, et cetera. The flyer also 
instructs employees to minimize attachments to your calendar 
appointments, consider using e-mail to send related 
attachments.
    You know the power you have. Is there a disconnect to you 
between the power of this agency, its accountability to the 
American people, the transparency that it claims to have, and 
yet these kinds of e-mails that have been conveyed to its 
employees?
    Mr. Antonakes. Congressman, I don't believe our agency is 
entirely different than in many other agencies. Several other 
agencies have a single director structure and none of the bank 
regulatory agencies that you referenced are subject to the 
appropriations process.
    We, in fact, are the only bank regulatory agency that 
actually has a hard cap on the ceiling of its budget. We have 
authority in the consumer protection laws that were transferred 
to us by Dodd-Frank. We also have significant responsibility to 
the American people and to the other regulatory agencies. We 
have to, by statute, coordinate our examination activities with 
those other regulatory agencies. We have to provide copies of 
our reports of examination--
    Mr. Pittenger. Yes, sir. I hear that.
    Mr. Antonakes. --for comment to those other regulatory 
agencies.
    Mr. Pittenger. My concern is, sir--
    Mr. Antonakes. So I do believe there are significant checks 
and balances--
    Mr. Pittenger. --that the power you have enables you to 
exercise it in any way that you feel is right for you. And the 
rights of the American people really are the foremost, aren't 
they, and their privacy, and their consideration? You are 
collecting lots of data. And I think it is just a concern to 
this body, the accountability that you have to the American 
people and, frankly, back to the Congress of what you are doing 
with the data that you are obtaining and what role that you are 
going to play in ensuring that you are really transparent and 
that you are doing what is really in the best interest and what 
is really needed for the American people and not abuse the 
power, as we have seen in other agencies in this government.
    There is a no-confidence vote right now in government. You 
probably are aware of that. And I would implore you to use the 
power that you have with full discretion. I yield back my time.
    Chairwoman Capito. The gentleman yields back.
    Mr. Lynch for 5 minutes.
    Mr. Lynch. Thank you, Madam Chairwoman.
    And, again, I thank the witness for his willingness to help 
the committee. I do want to--just at the outset--point out some 
contradictions here. All of the parade of horribles, the evils 
that have been described by my friends on the other side of the 
aisle that might lurk within this agency that is charged with 
the mission of protecting consumers is now in the possession of 
private banks. And even more so, private banks, credit card 
companies, payday loan operators, you name it, they all go on 
these social network sites and they actually get the data that 
you are concerned that this agency might get.
    You have massive data-mining companies, data brokers like 
Acxiom and others. They actually sell this information that you 
are worried that this agency that protects consumers might 
have. The paradox there is that those banks are completely 
unregulated with respect to the conduct that they are 
undertaking and there are no checks and balances.
    In fact, a couple of weeks ago, we passed legislation that 
would allow those same banks that take that information without 
concern for privacy to work with affiliates and other countries 
that have that information, but that are outside the regulatory 
jurisdiction of the United States, that our consumers would be 
totally unprotected by your legislation. That is one paradox or 
one contradiction here today I want to point out.
    The second one is that, as each and every regulatory agency 
comes before this committee and others, there has been a debate 
here in Congress, driven by my colleagues in the Majority, that 
have required each and every regulatory agency to make sure 
that every regulation that they adopt, every rule that they 
adopt is supported by data-driven, fact-based analysis of how 
they operate.
    So you have told these regulators that everything they do 
must be data-driven, everything they do must be fact-based, 
everything they do must be analyzed to prove that the costs do 
not exceed the benefits of that regulation. So you are 
requiring them on the one hand, last week, to get as much data 
as they possibly can, to make sure that their regulations are 
fact-based and in real time. And today, you are wringing your 
hands, saying, ``Oh, my God, they are going after data.'' Well, 
you can't have it both ways.
    You are asking these regulators to base their decisions and 
regulations on data, data-driven analysis. And now, you are 
wringing your hands and saying, ``Oh, we can't do this.''
    I do want to mention that the Patriot Act, which was 
heavily supported by your side and some on our side, requires a 
lot of this information right off the top. And one of the 
principal premises of that legislation is to know your 
customer, for the banks to know their customer and to make sure 
that they aren't allowing bad actors to capitalize on the 
legitimate banking industry.
    Mr. Antonakes, I happen to work very closely with the 
Massachusetts regulators and the Boston office of the Fed. And 
during the housing crisis, I thought it was very helpful that 
the Fed could actually tell me how many homeowners--and they 
could give me the data by town, by county, by my congressional 
district--how many people were in arrears on their mortgages. 
They could tell me how many people were in default. They told 
me how many--they could tell me how many people were in the 
foreclosure process and how many were going to be evicted, so 
we could target resources.
    And it was very different. I have 3 cities, 18 towns, and 
720,000 people in my district, and they were very helpful. That 
is a lot of data that they are getting already. How are you 
working with some of these other agencies? Some of these 
concerns are legitimate about making sure we don't let this 
personal information get out there and be abused.
    But how are you coordinating with these other agencies that 
are actually scooping up this data, as well? And can we 
minimize the exposure and minimize the cost of doing what I 
would describe as due diligence, in terms of protecting 
consumers?
    Mr. Antonakes. Congressman, we do have information-sharing 
agreements with the other regulators, and we are not seeking to 
collect information which they already have. So to the extent 
that we can share it, we welcome that opportunity. It would 
reduce cost and burden on the industry.
    Mr. Lynch. Thank you. My time has expired.
    Chairwoman Capito. The gentleman's time has expired.
    Mr. Lynch. I yield back.
    Chairwoman Capito. Thank you.
    Mr. Fitzpatrick for 5 minutes.
    Mr. Fitzpatrick. I thank the Chair.
    And I also want to say to the witness that we all 
appreciate your testimony here today. This subject matter is 
very sensitive to everybody I know, everybody I represent back 
home in Pennsylvania, which is why this hearing is so 
important.
    News reports indicate that the CFPB is assigning an 
identifier to each individual and requiring that all data 
providers use that same identifier for each individual when 
submitting their data. Sir, is that true?
    Mr. Antonakes. I believe it is true, in terms of the credit 
card collection data.
    Mr. Fitzpatrick. For what purpose would the Federal 
Government need to track the financial habits of an individual 
consumer?
    Mr. Antonakes. We are not seeking to identify who the 
consumer is. We are not seeking to monitor individual 
purchases. But it does allow us to see trends over a period of 
time, in terms of balances, in terms of interest rate, and in 
terms of impact. And that is really all we are seeking to do.
    We are not interested in individual American behavior. We 
are not interested in where they purchased their goods, what 
they are buying. We are simply interested in knowing over a 
period of time what happens with credit card balances. Do they 
go up? Do they go down? How are fees associated? How is the 
broader economy impacting those balances, as well? And this 
allows us to track that type of information. We have no 
interest whatsoever in identifying the specific individual who 
owns that card.
    Mr. Fitzpatrick. But if you are using identifier numbers on 
this data that is being collected, the amount of which you 
haven't been able to really tell us today how much--and I 
certainly hope, sir, that you will follow up the questions 
where you had no specific answers and provide that information 
to the committee--but if your Bureau is using identifying 
numbers to link data together, how is that not creating a 
consumer data file on individual Americans? Even if you don't 
know who that American is, theoretically, you are linking data 
sets together through an identification number and you are 
building a consumer file on an individual. Is that not true?
    Mr. Antonakes. We are looking at individual loan level 
account information. That is correct, sir. But we are not 
seeking to determine who that particular consumer is. That is 
the way that we can understand how these marketplaces are 
working. That is how we can basically determine where risks may 
lie and look at trends over a period of time, but we have no 
interest whatsoever in trying to determine or reverse engineer 
who that specific individual is.
    Mr. Fitzpatrick. Does that not mean, though, that the 
Bureau has a picture of the financial transactions at an 
individual level?
    Mr. Antonakes. The only information that we are collecting, 
to my understanding, is the interest rate, fees, previous 
balance, and new balance.
    Mr. Fitzpatrick. Madam Chairwoman, I will yield the balance 
of my time to Mr. Duffy.
    Chairwoman Capito. Mr. Duffy?
    Mr. Duffy. Thank you. Just quickly, I want to go back to 
some of the other questions that I have asked. What 
institutions, again, are you monitoring? You have nine of them, 
right, for financial data?
    Mr. Antonakes. In what respect, Congressman?
    Mr. Duffy. What institutions are you getting financial data 
from?
    Mr. Antonakes. We are looking and, through a variety of 
contacts, we take data from the institutions that are under our 
primary jurisdiction, banks and credit unions, over $10 billion 
in assets, as well as nonbank--
    Mr. Duffy. So from all of them, you are collecting 
financial data?
    Mr. Antonakes. The extent of the data may vary based upon 
their business model and the type of operations they have.
    Mr. Duffy. Okay. And, again, you are not willing to provide 
the letters of request for that financial data to this 
committee, is that correct?
    Mr. Antonakes. The letters themselves are confidential 
supervisory information. We can perhaps discuss what--we could 
give you--
    Mr. Duffy. But don't--
    Mr. Antonakes. --we could give you--
    Mr. Duffy. Don't you think Americans have a right to know 
which financial institutions are providing you their financial 
data? Don't you think that is an American's right to say, 
listen, I know the government is collecting my data if I bank 
with X bank, and I know they give my credit card transactions 
to the CFPB? Don't they have a right to know that? And why 
won't you share that with us?
    Mr. Antonakes. So to the extent that is done, Congressman, 
it is done through our supervisory process, just as it is done 
with the Federal Reserve, the FDIC, the OCC--
    Mr. Duffy. That is not my question.
    Mr. Antonakes. --bank regulators, as well.
    Mr. Duffy. But you are the Consumer Financial Protection 
Bureau.
    Mr. Antonakes. Right.
    Mr. Duffy. And you protect consumers. Do you think 
consumers would be more apt to bank with the institutions that 
you collect data on or less likely to bank with those 
institutions?
    Mr. Antonakes. I believe it is problematic. It would impact 
our ability to efficiently supervise institutions.
    Mr. Duffy. That is right. Because--
    Mr. Antonakes. And I also believe that it could have 
unintended consequences for institutions, as well.
    Mr. Duffy. That is right. Because Americans don't want you 
to have their financial data. That is exactly right. That is 
the point. And so if they don't want you to have their 
financial data, don't take it. Or ask their permission. But you 
make the point for us. They don't want you to have the data, 
and you are taking it anyway, under the auspices of the 
Consumer Financial Protection Bureau. You take their data, they 
don't want you to have it, and you don't care.
    I yield back.
    Chairwoman Capito. Mr. Heck?
    Mr. Heck. Thank you, Madam Chairwoman. I yield 2 minutes to 
the gentleman from Georgia, Mr. Scott.
    Chairwoman Capito. Mr. Scott?
    Mr. Scott. Yes, I have two points to make. First of all, in 
response to Mr. Duffy, for whom I certainly have great respect, 
but at the one point, he is trying to point out how we want to 
make sure information is secure and, on another point, we want 
to share it. You can't do both.
    And I think what we are trying to get here is a delicate 
balance, where you get the information. And, again, I think it 
is very important to repeat that many of these requests for 
this personal data come from that individual reaching out to 
you. Is that not correct?
    Mr. Antonakes. Much of it does. Certainly, anything coming 
in through our consumer complaint hotline, 150,000 requests for 
help from every State in the country has affirmatively come to 
us from consumers.
    Mr. Scott. Right, no different from--you have the banking 
operations, you have other operations, financial operations, 
get the same information. But my point is--there is one area we 
missed here that I think we need to clear up. There are third 
parties involved here. You have vendors, investigators going 
out and collecting this information.
    Can you tell us how our information is protected through 
these third parties? Where does that line come down? How do we 
protect information that these third parties are getting, that 
have contracts and were paid millions of dollars and are 
helping get the money to get back to the consumers? When do we 
wash their hands of this information so it doesn't get out 
through third-party vendors?
    Mr. Antonakes. So, Congressman, any laws that we have to 
follow to protect consumer information they have to follow, as 
well, if we are engaging them specifically.
    Mr. Scott. All right. Well, thank you. I want to take the 
time to thank the gentleman, Mr. Heck, for allowing me those 2 
minutes. Thank you.
    Mr. Heck. Thank you, sir. Thank you for your presence, your 
testimony, and your service to our country.
    I have the honor and privilege to represent a congressional 
district that includes Joint Base Lewis-McChord, the third-
largest military installation in America. And as a consequence, 
I ask the following question: The proposal to require an opt-in 
on the part of individuals, would that affect the Bureau's 
servicemembers' office's ability to protect members of the 
military and their families? Would it materially affect your 
ability to protect those members? And if so, can you describe 
briefly what that would look like?
    Mr. Antonakes. Congressman, thank you. It is something that 
I haven't considered thus far, but I would say my initial 
reaction is it conceivably could impact our ability to protect 
servicemembers, as it would other consumers, as well.
    To the extent servicemembers are serving abroad, they may 
not have ready access to mail, and an opt-in could conceivably 
be difficult in certain circumstances. It also--and this is 
really the broader concern, and I believe the other regulators 
would share this concern--the ability to efficiently examine 
institutions would be significantly impacted, and our ability 
to identify risks, our ability to identify violations of law, 
and most importantly, our ability to identify who should be 
receiving refunds.
    In the case of the MILES program, which servicemembers 
should be receiving $6.5 million in refunds, in the case of our 
other activity, over $425 million in additional refunds last 
year alone, as a result of our ability to look at individual 
transactions in supporting information and data.
    Mr. Heck. So it would hurt your ability to protect members 
of the military?
    Mr. Antonakes. Yes, sir.
    Mr. Heck. Part of our frustration with this discussion is 
that it seems to offer a false choice between treasured and 
cherished values of privacy and that of consumer protection. I 
am acutely sensitive to this as it relates to members of the 
military. And I just don't think these--this is a zero-sum game 
and that these values are mutually exclusive.
    And I have to say, if I can get this out, yesterday I had 
the privilege to visit Walter Reed Hospital. I spent quite a 
bit of time in the amputation wing. And I observed a young man 
who had a double amputation up to and including his hips. And I 
observed him walking on prosthetic devices.
    I have no idea what the technology behind that is, which 
enabled him to do it, but I will tell you, I have never, ever 
observed the level of courage that I did in those young 
servicemembers. And I don't want to do anything that sacrifices 
our ability for you to protect those servicemembers and those 
who put themselves in harm's way. And I don't believe for one 
second that we have to sacrifice the value of privacy in order 
to do that.
    Thank you for the job you have done, sir.
    Chairwoman Capito. Thank you.
    Mr. Rothfus for 5 minutes.
    Mr. Rothfus. Thank you, Madam Chairwoman.
    Welcome, Mr. Antonakes. I am glad to see a Penn State grad 
here. A point has been made about banks having this information 
already, but isn't it true that private financial institutions 
are subject under Gramm-Leach-Bliley to maintain the privacy of 
consumer data?
    Mr. Antonakes. Yes, sir.
    Mr. Rothfus. Now, the CFPB is not subject to Gramm-Leach-
Bliley. Is that correct?
    Mr. Antonakes. We have other data standards that we have to 
follow.
    Mr. Rothfus. If we could go a little bit to the credit card 
collection program that you have and get a little more specific 
types of data that you are collecting under there, it has been 
reported that there have been 100 data fields per account that 
you are collecting. Is that true?
    Mr. Antonakes. I would have to verify that for you, 
Congressman.
    Mr. Rothfus. Can you, again, tell me the types of data 
fields that would be collected: interest rate; balances; month 
to month? I think you testified to that, correct?
    Mr. Antonakes. Yes.
    Mr. Rothfus. Other information? Would the ZIP Code of an 
account be collected?
    Mr. Antonakes. I don't believe we are collecting any PII on 
the credit card information.
    Mr. Rothfus. Okay, so you are--among the hundred data 
fields or so, you are not including the ZIP Code?
    Mr. Antonakes. I don't believe so, but we can verify that 
for you, Congressman.
    Mr. Rothfus. And you would not include date of birth?
    Mr. Antonakes. That is correct.
    Mr. Rothfus. When are you collecting personally 
identifiable information?
    Mr. Antonakes. When we do collect PII, it is generally 
through our consumer response function, in which American 
consumers are reaching out directly to us to help them in their 
financial transactions with institutions that we supervise. And 
it is also--
    Mr. Rothfus. You are collecting that data directly from the 
consumer in that case?
    Mr. Antonakes. That is correct. They provide it to us 
voluntarily, subject to our privacy disclosure, so that we can 
then reach out to their financial institution to determine 
whether or not a violation of consumer protection law did, in 
fact--
    Mr. Rothfus. Now, are you ever collecting data from an 
institution that has not been alleged to have committed any 
wrongdoing?
    Mr. Antonakes. We would review certain data during the 
course of our examination function. We examine--
    Mr. Rothfus. Would you ever ask such an institution that 
has not been accused of any wrongdoing? Have you ever asked 
them for personally identifiable information about any 
consumer?
    Mr. Antonakes. So, Congressman, during the course of an 
examination, we don't presume someone is guilty before we 
conduct an examination, but we have to do certain transaction 
testing, we have to look at certain information to, in fact, 
verify that there haven't been violations of law.
    Mr. Rothfus. Now, you are going to try to collect 
information, for example, 80 percent of the credit card 
accounts in the country?
    Mr. Antonakes. I believe that is the type of data we are 
trying to collect--
    Mr. Rothfus. Do you have any idea of the cost of complying 
with a request like that for a private institution?
    Mr. Antonakes. My understanding is this is information that 
they collect and provide already.
    Mr. Rothfus. That they are already--so up to 80 percent of 
the accounts are already being provided information to a 
government--
    Mr. Antonakes. No, they collect 100 percent of this data 
already. They provide some of this data to other Federal 
regulators.
    Mr. Rothfus. Do you have any idea how much the cost would 
be for them to put together--having this data sent over to the 
CFPB?
    Mr. Antonakes. I don't know the specific costs, 
Congressman, but I need to point out that they collect this 
data and they review this information already.
    Mr. Rothfus. Are you aware that consumers are seeing 
increases in fees and costs being passed onto them by financial 
institutions?
    Mr. Antonakes. I don't believe the fees that may be passed 
on to consumers is the result of our data collection 
activities.
    Mr. Rothfus. What about the loss of free checking that we 
are seeing out there in the marketplace? You are aware of that?
    Mr. Antonakes. I am also aware of other market trends and 
laws that have resulted in shifts in how checking accounts are 
charged.
    Mr. Rothfus. There is no right for a consumer to opt out of 
having a private institution that they have an agreement with 
to have that institution opt out from giving you their data. Is 
that correct?
    Mr. Antonakes. To the extent we are collecting data through 
our supervisory process, no, there is not. And there isn't for 
all of the other prudential regulators and State regulators 
that conduct similar activities.
    Mr. Rothfus. Now, with respect to collect--being able to 
process claims for people who have made complaints--I think we 
talked about 50,000 individuals, servicemembers--that you have 
the data both from complaints and from examination activity. Do 
you have any idea the breakdown--for example, of the 50,000 who 
were due refunds, how many do you get from complaints versus 
the examination activity?
    Mr. Antonakes. I believe in that case the activity was 
brought to our attention through a consumer complaint, and then 
the--
    Mr. Rothfus. Do you have any idea how many consumer 
complaints there were?
    Mr. Antonakes. I can verify that for you. I don't believe 
there was a significant number of consumer complaints. And I 
believe the more wholesome impact on servicemembers was borne 
out during the course of our examination and investigation.
    Mr. Rothfus. Wouldn't it be possible, though, to target in 
that case--if you hear complaints coming from consumers, and 
you see that there might be an actor out there that is not 
doing what they should be doing, then you can target and go 
directly at that particular bad actor. Isn't that right?
    Chairwoman Capito. The gentleman can answer.
    Mr. Antonakes. Certainly, consumer response serves two 
purposes for us in many respects, the first of which is an 
immediate means of providing responsiveness and potential 
relief to consumers who reach out directly to us. It is as you 
appropriately point out, also a means by which our priorities 
for supervision and investigations can be impacted, if we see 
certain trends developing through that channel.
    Mr. Rothfus. Thank you.
    Chairwoman Capito. The gentleman's time has expired.
    Mr. Posey?
    Mr. Posey. Thank you, Madam Chairwoman.
    The Consumer Financial Protection Bureau is a great 
sounding name. But there seems to be some reason to question 
whether the title actually reflects the mission, or if in 
reality it is an oxymoron. On December 21st, I sent you a 
letter and listed 19 separate questions regarding the loan 
level data collection project. You--and when I say ``you,'' I 
mean your agency; I sent it to Mr. Cordray's attention--
responded 2 months later with a three-paragraph letter that 
didn't answer a single doggone question in any detail at all, 
the same kind of gibberish that you gave the vice chair a 
little while ago when he asked you one of the 19 questions that 
I asked you.
    It is inconceivable to me, unless you are from the most 
dysfunctional agency in the entire world, that you would come 
here before this committee today unprepared to answer the very 
simple questions that you have been asked. It is inconceivable 
to me that your agency cannot answer the 19 questions that I 
asked you 6 months ago. And yet you call yourselves the most 
transparent agency--your hallmark is supposed to be 
transparency.
    I know more about your agency from Bloomberg than I do from 
any communications you or anybody from your agency have had 
with my office or with me. You have transparency as a core of 
your agenda. Why is it your agency has a flyer instructing 
employees to keep calendar entries brief and general and avoid 
entertaining entries with agenda detail discussions? How can 
you claim to be transparent when you can't provide a single e-
mail in response to the Freedom of Information request from 
Judicial Watch?
    It has been alluded to that the financial crisis was caused 
because we didn't have a CFPB, when I think most people with a 
brain know we already have enough agencies, we have enough 
rules, we have enough bureaus, we have enough employees. We 
just don't have enough of them doing their jobs. And that is 
why we had a financial crisis.
    I don't think that, if we had a dozen CFPBs before and they 
didn't perform any better than any of the other agencies, it 
would have changed anything. And I haven't heard any way yet 
you would stop--anything your agency is authorized to do that 
would stop the same thing from happening again. You are going 
to have all the financial records of 80 percent of Americans. 
And then the next obvious question is, well, why not 100 
percent? Who are you exempting? Why would you exempt them? It 
is going to be like the people who wrote Obamacare. Are they 
going to exempt themselves?
    These are natural questions my constituents have, and I 
don't blame them for being suspicious. Americans like their 
privacy. They enjoy the Fourth Amendment, and they don't like 
it violated. And the more I hear from you, the more I hear that 
you are intentionally violating their Fourth Amendment. You are 
violating their privacy.
    People haven't asked you to--you go to most businesses in 
America and say, ``Hey, I am from the government. How can I 
help you?'' Those are the most feared words they can hear. You 
want to help them? Stay the heck away from them.
    I think we definitely need to have an opt-in to this thing. 
I just think that the fact that you are so ill-prepared to 
answer any questions here today speaks volumes about what is 
already wrong with that agency.
    When Mr. Cordray was here the first time, he appeared 
before us, and we asked a bunch of questions he couldn't 
answer. He said, ``I will come back and answer them.'' Instead, 
he sent ``secretary somebody'' who had the same answer to all 
the questions he did: ``I don't know.''
    I think Mr. Capuano asked her how much she wsa being paid 
not to know anything. And several other Members also asked her. 
She refused to tell her salary. That is how transparent they 
are. I heard Mr. Lynch from Massachusetts talk about all this 
detailed mortgage information that he has about his district. I 
have asked for that information, and I have never gotten one 
ounce of that information before.
    So I am very suspicious, and I would just like for you to 
tell me why you can't answer any questions that we have asked 
here that have already been asked of your agency and you should 
have been well-prepared to answer today.
    Mr. Antonakes. So, Congressman, I appreciate your comments 
very much. And to the extent--
    Mr. Posey. I bet you do.
    Mr. Antonakes. --our response was not satisfactory to you, 
I am happy to try to follow up and provide you more 
information, as well. We, I believe, have tried to answer that 
in the vast majority of cases, we do not collect personally 
identifying information--
    Mr. Posey. Listen--
    Mr. Antonakes. We have--it has resulted--
    Mr. Posey. Reclaiming my time, that is the same baloney 
that you gave Mr. Duffy. And that is basically the only answer 
he gave me. I asked you 19 specific questions. We all know you 
claim not to have detailed personal information, just like the 
NSA and just like the IRS don't abuse that power. We are not 
even going there yet.
    We asked you very simple, easy-to-answer questions that you 
should be able to respond to honesty.
    Chairwoman Capito. The gentleman's time has expired.
    Mr. Pearce?
    Mr. Pearce. Thank you, Madam Chairwoman.
    Thank you, Mr. Director. And trying to put things into 
context, why the questions come up, I hear of your and I read 
in your statement that empirical analysis is necessary for good 
policy, so you collect more of it. Probably no one collects 
more information than the IRS, yet in 2009, they had 100,000 
people, employees of the Federal Government, who were not 
paying their taxes. And, of course, that was led by Treasury 
Secretary Geithner, who didn't think it was his duty to pay 
taxes.
    And now within the last 2 years, that number has gone to 
312,000 and $3.5 billion now owed by Federal Government 
employees. The government has the information. They just choose 
to check on conservative groups rather than check on the people 
who are not paying their taxes.
    So if there is a little concern about what you are 
collecting--and I was a little bit confused. I thought you said 
to Mr. McHenry that part of the PII is name, address, Social 
Security number, ZIP, property they have, credit score, and 
balances. And then I heard a different answer, I thought, to 
Mr. Rothfus. Is this PII? So--name, address, Social Security, 
ZIP, property they have, credit score, I thought you had 
affirmed to Mr. McHenry. Was I hearing backwards? That is not 
stuff you collect and as part of PII?
    Mr. Antonakes. No, sir. So--
    Mr. Pearce. So it is not part of it?
    Mr. Antonakes. We collect PII through our consumer 
response--
    Mr. Pearce. So that--PII includes--
    Mr. Antonakes. --supervisory--
    Mr. Pearce. If I could reclaim my time, PII includes name, 
address, Social Security number, ZIP, property, credit score? I 
thought Mr. McHenry walked through that, so is that part of PII 
or is it not? Yes or no?
    Mr. Antonakes. The answer is it is part of PII. It may not 
be--
    Mr. Pearce. Okay. So if it is part of PII, maybe we should 
invoke the Geneva Convention for consumers. Under the Geneva 
Convention, when I went to Vietnam there were a lot of pilots 
being shot down. We only had to give our name, rank, and Social 
Security number. Here, you collect all the other jazz. You have 
the potential to misuse it, exactly like the IRS is misusing 
it.
    So I was interested in your response to Ms. Velazquez. She 
noted properly that one breach will erode the confidence. And 
she asked, what steps have you taken to see that you don't have 
a breach? You said that the answer was to collect as little 
information as possible. Are there any other things that you do 
to stop a breach?
    Mr. Antonakes. Sure. Congressman, our systems are compliant 
with the Federal--
    Mr. Pearce. No, I didn't ask what you are compliant with. 
What other steps do you take to ensure there is no breach?
    Mr. Antonakes. We have robust security systems, IT systems 
that are constantly being reviewed and audited. We have limited 
significantly which personnel have access to this information, 
and we are trying to ensure that we have the procedures in 
place to discard this information when it is no longer 
necessary.
    Mr. Pearce. So you have contractors that have access to 
information?
    Mr. Antonakes. We have limited contractors that have 
access--
    Mr. Pearce. But some contractors do. I am sure Mr. Snowden 
was one of a very limited number. Have you gone and done case 
studies on agencies or consumer groups, credit card companies 
where information has been distributed, where people have 
leaked or shared or hacked in? Have you studied those? Has your 
agency--as someone said, you are a very powerful agency. You 
are probably going to have more information than even the IRS.
    Have you done any case studies on the people who have 
leaked Mr. Snowden or any of the others? Did you stop--as a 
manager, did you stop everyone and say, ``Hey, this is a wake-
up call. If it can happen in the most secret of our agencies, 
it might happen to us.'' Did you, as Deputy Director, number-
two guy, stop everybody and say, ``Wait, we need to sit down 
and have a discussion on our ethics internally. If it could 
happen over there, it could happen here?''
    Mr. Antonakes. So we do take data security--
    Mr. Pearce. No, I did not--did you have any case studies 
looking at specific things where people have leaked or stolen 
information? That is a fairly simple question.
    Mr. Antonakes. We do--
    Mr. Pearce. You are the number-two guy in the company or 
the--
    Mr. Antonakes. --do not have any specific case studies 
where other agencies have leaked information, Congressman.
    Mr. Pearce. That is incredible to me that you would not 
look at what happened. The breakdowns have happened in some of 
the credit card companies where massive information has been 
received. It is incredible that you as the number-two guy have 
not done that.
    Do any of the people, when you make these awards, have any 
bonuses been given to employees or investigators or people who 
are collection agencies? Have any awards been given to people 
who help you get the information?
    Mr. Antonakes. I am not sure I understand the question, 
Congressman.
    Mr. Pearce. Okay. You said that you found 28,000--or 
employees are--Defense Department people. You got awards back 
to them. Did anybody get finder's fees? Because I am finding 
that in many agencies.
    Mr. Antonakes. No, sir.
    Mr. Pearce. No finder's fees?
    Mr. Antonakes. No.
    Mr. Pearce. No bonuses, no nothing?
    Mr. Antonakes. Not--no.
    Mr. Pearce. Okay.
    Mr. Antonakes. Not to--
    Mr. Pearce. I yield back. Thank you, Madam Chairwoman.
    Chairwoman Capito. Mr. Barr for 5 minutes.
    Mr. Barr. Mr. Antonakes, I am just seeking a little 
clarification here. Under what circumstances does the Consumer 
Financial Protection Bureau obtain in its data collection 
efforts personally identifiable information?
    Mr. Antonakes. We will collect it through our consumer 
response portal, if consumers reach out directly to us for 
assistance--
    Mr. Barr. I understand that. And what is the second 
category?
    Mr. Antonakes. And also during our supervisory process. 
When we conduct examinations of the banks, credit unions, and 
nonbanks that are under our jurisdiction, we may have access to 
that information to report for exams.
    Mr. Barr. Okay. So Section 1022 of Dodd-Frank specifically 
prohibits your agency from collecting data ``for the purposes 
of gathering or analyzing the personally identifiable financial 
information of consumers.'' How do your data collection efforts 
that contain personally identifiable information comport with 
that statutory prohibition?
    Mr. Antonakes. That statutory prohibition lends itself to 
broader market monitoring data collection activities. It does 
not go specifically toward data collection activities through 
our supervisory process.
    Mr. Barr. Okay, are you--
    Mr. Antonakes. There are other provisions in Dodd-Frank 
that allow us to do it.
    Mr. Barr. --familiar with the system of records notice that 
was published in the Federal Register by your agency in 
November of last year?
    Mr. Antonakes. Generally.
    Mr. Barr. Okay. Are you aware that the system of records 
notice, which is required under the Privacy Act of 1971, that 
requirement is triggered by the collection of information that 
is actually retrieved by a personal identifier and that these 
SORN notices are used to provide notice to members of the 
public that their information is being used by an agency? Are 
you aware of that?
    Mr. Antonakes. Yes, sir.
    Mr. Barr. And so you are admitting that your agency has 
issued one of these system of records notices to alert the 
public that you are collecting personally identifiable 
information. Is that correct?
    Mr. Antonakes. Yes, sir, as we are allowed under other 
provisions of Dodd-Frank to fulfill our other mandates to 
protect consumers.
    Mr. Barr. Okay. And so is the information--the PII that you 
are collecting pursuant to this systems of records notice, is 
that personally identifiable information, is that searchable by 
personally identifiable information in your database or your 
contractors' database?
    Mr. Antonakes. We would collect information for our 
consumer response portal, as well as through our supervisory 
process, for the--
    Mr. Barr. I understand you collect it. Is it searchable by 
personally identifiable information?
    Mr. Antonakes. I would have to get back--
    Mr. Barr. Could you get back with us on that?
    Mr. Antonakes. Yes, I would be happy to.
    Mr. Barr. We would be interested to know that. And 
specifically, we want to know if the data can be retrieved by 
personal identifiers. So that would be something of interest to 
this committee, if you could get back to us on that.
    How long is the data that includes personally identifiable 
information retained? What policies or procedures do you have 
in place for records retention of that PII?
    Mr. Antonakes. We have policies that we have submitted to 
the National Archives Center and we are waiting for their 
approval of our destruction schedules.
    Mr. Barr. So, you don't have a policy in place right now?
    Mr. Antonakes. We don't have an approved policy in place by 
the National Archives Center.
    Mr. Barr. So at this point, the PII that you all have 
obtained is not subject to any kind of records retention 
schedule as of yet?
    Mr. Antonakes. As of yet, but we have significant hopes 
that we will have those schedules approved shortly.
    Mr. Barr. Okay, under the system of records notice 
regarding your data collection activities, has the CFPB also 
conducted a privacy impact assessment of that?
    Mr. Antonakes. I would have to confirm that for you, 
Congressman.
    Mr. Barr. Okay. If you could get back to us on that. And 
if--and in addition to whether or not you have conducted the 
privacy impact assessment, if you have not, we would like to 
know why you have not yet subjected the agency to a privacy 
impact assessment.
    And then a third follow up, please, which would be why 
would the CFPB not have made public the privacy impact 
assessment, if, in fact, you have conducted one? So, again, if 
you are unaware of the answer to those questions, if you could 
follow up with my office or the committee, that would be 
appreciated.
    Mr. Antonakes. I will be happy to do so.
    Mr. Barr. Okay. Are any individuals--since you are 
conceding that you--and you have issued this notice in the 
Federal register that you are collecting personally 
identifiable information--are any of the individuals whose 
personally identifiable information that has been collected, 
are any of these individuals--have any of these individuals 
been given notice prior to that collection?
    Mr. Antonakes. No, sir, because it is not required under 
our supervisory authority.
    Mr. Barr. Okay. I yield back.
    Chairwoman Capito. The gentleman's time has expired.
    Mr. Westmoreland?
    Mr. Westmoreland. Thank you, Madam Chairwoman.
    You are the Associate Director of Supervision and 
Enforcement, correct?
    Mr. Antonakes. That is correct.
    Mr. Westmoreland. Do your enforcement officers carry 
firearms?
    Mr. Antonakes. No, they don't, sir.
    Mr. Westmoreland. So they do not carry firearms?
    Mr. Antonakes. No.
    Mr. Westmoreland. Do they wear uniforms?
    Mr. Antonakes. No, sir.
    Mr. Westmoreland. Okay. Do the PII, do the individuals know 
that you are storing their data?
    Mr. Antonakes. To the extent information is coming into our 
consumer response channel, there is a privacy notice for them, 
and I would say, yes, they know that we are storing their 
information. If it is coming through the examination process, 
then not necessarily.
    Mr. Westmoreland. How many questions do you ask these folks 
if they call in with a problem?
    Mr. Antonakes. We are basically trying to ask the minimum 
questions that will allow us to remedy the situation, if, in 
fact, there has been a violation of consumer law.
    Mr. Westmoreland. And so then you tell them you are storing 
their information for later use?
    Mr. Antonakes. I'm sorry, sir?
    Mr. Westmoreland. You are getting this information, and 
they know you are getting it to store the data.
    Mr. Antonakes. That is correct.
    Mr. Westmoreland. So you tell them--
    Mr. Antonakes. Yes--
    Mr. Westmoreland. --we are storing your data?
    Mr. Antonakes. There is a notice that indicates that.
    Mr. Westmoreland. Okay. How many people have access to 
this?
    Mr. Antonakes. It is limited to those who are responding 
directly to the complaints, as well as some other folks in the 
Bureau that--
    Mr. Westmoreland. I know that, but how many people is that?
    Mr. Antonakes. I would have to get back to you with a 
precise number.
    Mr. Westmoreland. You don't know?
    Mr. Antonakes. I don't know the precise number. It would 
depend on--it is--
    Mr. Westmoreland. Would the Director know the precise 
number? Who would know the number?
    Mr. Antonakes. We could provide that information to you. I 
just don't know it off the top of my head.
    Mr. Westmoreland. Sure.
    Mr. Antonakes. It is focused on a need-to-know basis, for 
those who either are directly responding to--
    Mr. Westmoreland. I think it is pretty unusual that you 
wouldn't know how many people had access to this, but what type 
of security clearance do these CFPB employees have, who have 
access to this information?
    Mr. Antonakes. They all go through significant background 
checks, as well. I think we have the security clearance that is 
akin to agencies of--
    Mr. Westmoreland. Is it--what kind of security clearance is 
it?
    Mr. Antonakes. It is not top-secret clearance.
    Mr. Westmoreland. Okay, so they have information to all 
these personal names, Social Security numbers, addresses, birth 
dates, and whatever. And they don't have any type of level of 
security clearance?
    Mr. Antonakes. We do attempt affirmatively to limit the PII 
that we need to collect--
    Mr. Westmoreland. Do you do it yourself?
    Mr. Antonakes. Do I do it myself?
    Mr. Westmoreland. No.
    Mr. Antonakes. No.
    Mr. Westmoreland. Does the CFPB do it within its own 
agency?
    Mr. Antonakes. We attempt through our consumer response 
portal to limit the type of PII. We collect just enough to be 
able to go back to the company so that they can actually 
identify the account and the complaint and then verify that, in 
fact, it is an actual complaint.
    And the security background checks that everyone would have 
to go through are exhaustive and extensive, and we have certain 
policies and procedures in place, as well, that will--
    Mr. Westmoreland. I guess what I want you to answer is, who 
does the background checks?
    Mr. Antonakes. The Office of Personnel Management, and they 
use their sources that they do for personnel background checks.
    Mr. Westmoreland. So you really don't know who does the 
background checks?
    Mr. Antonakes. The degree of, I think, background checks 
depends on their rank and the positions of the--
    Mr. Westmoreland. So you don't know how many people have 
access to these files? And you don't know really what type of 
background check they have had?
    Mr. Antonakes. I know they have substantial background 
checks. I know the number of people is significantly limited to 
those who work in our consumer response area and those who work 
in our supervision and enforcement areas.
    Mr. Westmoreland. But you don't know the number?
    Mr. Antonakes. I can provide you with the number. I don't 
know the number offhand.
    Mr. Westmoreland. Sure. Okay. Let's say one of my 
constituents calls you up and says, ``Can I see my data? Can I 
see my file that you have on me? First of all, do you have a 
file on me?'' And if the answer would be yes, can they request 
the information that you have?
    Mr. Antonakes. The only information that we would have 
would be the information that they have provided us--
    Mr. Westmoreland. No. No, no, no, no. You are getting 
information from these outside groups, the banks. So can you 
give them that?
    Mr. Antonakes. The information that we would have on a 
consumer that came in through our consumer response portal 
would be the information they provided us, and then we would 
have a summary of--
    Mr. Westmoreland. I am not talking--I am talking about the 
PII.
    Mr. Antonakes. So we are not collecting PII for consumers 
who respond to our consumer response--
    Mr. Westmoreland. Well, no, but you do have this personally 
identification information, right?
    Mr. Antonakes. If they have provided it to us.
    Mr. Westmoreland. So if they find out that you have stored 
this and they don't realize it or don't remember it, can they 
ask to opt out?
    Mr. Antonakes. They are affirmatively reaching out to us 
and voluntarily providing us this information. There is a 
privacy notice which is provided to them at the moment that 
they are filling out that information.
    Mr. Westmoreland. I look forward to some of these answers 
that you said you are going to respond to from these questions. 
And I appreciate you coming, and I appreciate your service. But 
I find it really hard to believe that you didn't realize some 
of the questions you were going to be asked today. So thank you 
for coming.
    Mr. Antonakes. Thank you.
    Chairwoman Capito. Thank you, Mr. Westmoreland.
    That concludes our first round, but I am going to go to a 
second round, because we have a few more interested folks who 
have additional questions, one of whom is me. And the thing I 
am concerned about is, because I think we have a difficulty 
understanding exactly--because in my--in your first response to 
my question, you said you do not collect PII. But in your 
subsequent testimony, you have said that on two occasions you 
would, when a consumer would opt in from a consumer complaint, 
and the other might be from other institutions or other 
information.
    That is the part, I think, that we are having the issue 
with, is not that the consumer is opting in to ask you to help 
them with the consumer complaint, but in the rhetoric, you are 
saying, no--or in your first statements, you said no. But in 
subsequent testimony, you are really saying, yes, we do, in 
certain instances. Maybe not the $800 million credit card 
cases, but in other cases, we do have this PII.
    As clearly as possible, please explain that part and when 
that would come into play.
    Mr. Antonakes. Madam Chairwoman, I am sorry if I was not 
clear on this point in particular, trying to distinguish 
between some of the data that we are purchasing versus the data 
that we have access to through our supervisory program. So to 
the extent that we are conducting examinations which are 
mandated by Dodd-Frank, we are required to examine the large 
banks over $10 billion in assets--
    Chairwoman Capito. Right.
    Mr. Antonakes. --the large credit unions over $10 billion 
in assets--
    Chairwoman Capito. Right.
    Mr. Antonakes. --and certain non-bank entities, we have to 
examine them on a regular basis to determine whether there are 
violations of consumer protection laws. During the course of 
our examinations, our examiners go on-site to these 
institutions and they conduct transaction testing, in which 
they are sitting down and looking at actual loans and loan-
level data to determine whether there are violations of law.
    We are not maintaining or collecting this data 
unnecessarily. If it is a clean--
    Chairwoman Capito. Okay.
    Mr. Antonakes. --exam, we move on and we don't collect it.
    Chairwoman Capito. Okay. Let me stop you right there, so I 
understand. So if you have--on your supervisory job, you are 
collecting a transaction on a person, which then would have 
this--you have already said what PII might be, Social Security 
number, mortgage, whatever name, address, all those things.
    So are you saying, then, that because you are conducting 
this in the supervisory, that you then don't bring that 
information back into the CFPB and hold it for 10 years in the 
cloud? Or do you leave it at the financial institution in the 
course of an exam?
    Mr. Antonakes. If there are violations found and it 
requires some form of corrective action, be it an informal 
action, be it a formal enforcement action, be it the 
requirements at reimbursement, then some of that information 
may be stored.
    Chairwoman Capito. So you bring that and store it?
    Mr. Antonakes. In certain circumstances, yes.
    Chairwoman Capito. Okay. In terms of the--what the 
gentleman from Georgia was asking about, whether you could opt 
out, I guess I am reading here in the Federal Register where 
individuals seeking notification and access to any record 
contained in this system of records or seeking to contest its 
comments may inquire in writing, according with instructions?
    Mr. Antonakes. That is correct.
    Chairwoman Capito. Okay. I didn't hear you say that.
    Mr. Antonakes. I'm sorry. Anyone can ask at any point in 
time if we have any records or information on them, and we 
would be obligated to respond.
    Chairwoman Capito. Right. That doesn't mean they get to see 
their records, though.
    Mr. Antonakes. That is correct.
    Chairwoman Capito. It just means that they can respond 
about their records. Would that be clarification?
    Mr. Antonakes. Right. Yes.
    Chairwoman Capito. Yes? Okay. And I think you understand 
the concern on the privacy issue and the concern on what 
Americans are now finding out is being collected at all levels, 
whether it is financial information, concern, obviously, about 
health records, concern about national security records, 
concern about tax records. All of these things, I think it begs 
to have a great national discussion on where the fine lines 
between your own personal privacy is, whether it is in your 
financial institutions or not.
    Again, I am going to go back to the PII information, 
because I think you have given a little bit of conflicting 
testimony, not intentionally, but more in terms of what your 
actual mission is, not to collect PII, but in the course of 
moving forward in your supervision and in your examination 
procedures, PII is part of what you do collect and keep. So 
would that be a true statement?
    Mr. Antonakes. Madam Chairwoman, for the market monitoring, 
we don't see the need to collect PII. We are not studying 
individual Americans. We are trying to protect Americans.
    So to the extent there is PII that is collected, it is in 
response to consumer complaints or through our supervisory 
work, which, as I testified earlier, has resulted in 
significant reimbursements for American consumers already.
    Chairwoman Capito. Right. That would be mostly through your 
consumer complaint center--
    Mr. Antonakes. And--no. Primarily through our supervision 
program and enforcement program. That is where the 430 million-
plus has come.
    Chairwoman Capito. And my last--I don't even have a last--
but I do thank you for your service and your testimony, for 
which I will thank you again at the end of the hearing. We will 
go to--Mr. Scott, did you have an additional question?
    Oh, I'm sorry. Mrs. Maloney?
    Mrs. Maloney. I think privacy is incredibly important. And 
everyone keeps going back to the PII. So I would like you to 
put your policy on the PII on your Web site that for broad 
areas, looking at interest rates, no one looks at anything 
private. But if an individual calls and says, they 
retroactively raised my interest rate on my credit card by 30 
percent, then you look into that particular situation. So I 
would like to request that you put this information up on your 
Web site so it is very clear.
    I would like to remind my colleagues why we created the 
CFPB in the first place. We had a financial crisis that 
economists tell us was the first financial crisis in the 
history of our country that was caused by policies that hurt 
consumers. This country lost anywhere from $12 trillion to $16 
trillion because of a financial crisis that could have been 
prevented.
    That is why they were created, because consumer protection, 
the subprime crisis, was totally abusive and unfair prices--or 
policies that were put out there by some bad actors, some--not 
the full industry. There are many honest, good financial 
institutions. But some bad actors, some of whom were not 
regulated, put this out there and brought this country to its 
knees. And our citizens are still suffering.
    No agency was looking at consumer protection. It was a 
secondary thought, a third thought, or not thought about at 
all. So we believed--many of us--to have an agency that looked 
at protecting our veterans as they were overseas fighting, that 
looked at protecting our students that we need to educate for 
our future, from high interest card rates, to protect our 
citizens. The credit card bill of rights that many of us worked 
on, according to the Pew Foundation, saved consumers $10 
billion last year. That is a lot of money that goes into the 
hands of working men and women who need it.
    So the financial board came in place, and I would like to 
ask unanimous consent to place in the record a series of areas 
where they have saved consumers money, kept the money in the 
consumer's pocket, which has helped the working men and women 
of this country.
    So they have been tasked and are mandated to look at 
policies in a broad way so that they can prevent abusive 
policies in the future, that new products that are created, 
that they look to see if they are fair to consumers, that 
consumers can understand them.
    Their success rate has been phenomenal, and their reports--
granted, they take a long time to do, because they are data-
driven--have helped us with better policies. In overdraft, an 
area that I work in, in credit card, an area that I work in, in 
student loans, it has helped us make better policy decisions.
    They are basically collecting data. We have to make sure 
that it is secure and private, but one aspect that you answered 
earlier, you testified that other financial agencies such as 
the Federal Reserve are collecting more data than the CFPB is 
collecting. So what I don't want this to be is a witch hunt 
after the CFPB, which is trying to protect consumers.
    The other regulators--and they do a very important job--are 
protecting institutions to make sure that they don't go under 
or hopefully will protect them from going under. But could you 
elaborate on what other financial institutions by law are 
collecting?
    And I believe you testified that they are collecting more 
information than the CFPB is. Is that correct?
    Mr. Antonakes. Ranking Member, I don't know precisely how 
much information the other Federal regulators are collecting.
    Mrs. Maloney. The chairwoman and I are going to do a GAO 
report and find out--
    Mr. Antonakes. Right.
    Mrs. Maloney. --so that we can understand and also 
streamline it so that agencies aren't collecting the same 
information.
    Mr. Antonakes. But my understanding is they do collect 
substantial amounts of information. The credit card information 
we are collecting has been collected by other Federal agencies 
for several years.
    Mrs. Maloney. And what about stress tests that the Fed 
does? What kind of information do they collect?
    Mr. Antonakes. Certainly, the Fed has very broad authority, 
both in terms of monetary policy and bank regulation, and they 
are collecting very different data in many respects than the 
type of information that we are collecting.
    Mrs. Maloney. What type of information--are they doing 
interest rates? Are they doing--
    Mr. Antonakes. Well, certainly, unemployment information--
    Mrs. Maloney. So that is what you are collecting?
    Mr. Antonakes. --a wide variety of information, but I would 
not be the best person to ask what particular information the 
Federal Reserve is collecting.
    Mrs. Maloney. I think we need to really review--
    Chairwoman Capito. The gentlelady's time has expired.
    Mrs. Maloney. --all of the agencies. What are they 
collecting? And how are they protecting the consumer and 
financial institutions?
    I yield back.
    Chairwoman Capito. Mr. Duffy?
    Mr. Duffy. I would agree with the gentlelady from New York. 
We should know what other agencies are collecting, as well. But 
I would disagree with her in the sense that she mentions that 
obviously the more data that you have, the better you are able 
to protect consumers.
    I actually would agree with that component of it. But we 
always have a balance with the private sector and our 
government in privacy and our civil liberties. And, yes, more 
data might mean more protection, but it also means less privacy 
for Americans. And I think you are tipping the scales into the 
privacy component, as opposed to the protection component.
    In regard to data collection, what other agency collects 
nearly a--because you have 1.2 billion credit cards out there. 
You are collecting 73 percent, going to 80 percent. That is 
almost a billion credit card accounts. What other agency is 
collecting that kind of data out there? A billion accounts.
    Mr. Antonakes. I believe the data collection activities 
that we have under way in the card space is very similar to 
other data that has been collected by the Federal Reserve, as 
well as the Office of the Comptroller of the Currency.
    Mr. Duffy. I do want you to answer my question. Is there 
another agency that collects about 80 percent--a billion 
accounts? Does the Fed do that?
    Mr. Antonakes. I don't know what percentage of the accounts 
that the other agencies collect, but I do know that they 
collect substantial amounts of credit card data.
    Mrs. Maloney. Point of personal privilege, because my name 
was mentioned?
    Chairwoman Capito. Will the gentlelady suspend?
    Mrs. Maloney. Pardon me?
    Chairwoman Capito. Hold just a minute, please--time to ask 
you a question--
    Mr. Duffy. Yes, I would yield to the gentlelady from New 
York.
    Mrs. Maloney. I agree completely with Congressman Duffy 
that we need to have the right balance. We need to protect the 
consumers overall and have fair and honest banking practices, 
but we also have to protect privacy. And, again, I placed in 
the record a letter from five different consumer privacy 
groups--
    Mr. Duffy. Reclaiming my time--
    Mrs. Maloney. --who believe that the right balance was 
achieved--
    Mr. Duffy. --gentlelady from New York--
    Mrs. Maloney. --in the CFPB.
    Mr. Duffy. --with me in regard to the privacy balance. I 
just want to mention that--I believe that Senator Crapo had 
asked 3 times that the CFPB to provide him information in 
regard to how many accounts and how many Americans have their 
financial data collected by your agency. And the CFPB has 
refused to provide that information to the Senate.
    Today, you have agreed to provide that information to us. 
Now, I am disappointed that you don't have that number for this 
committee. You knew the question was going to come up, and you 
were ill-prepared to answer it. But to that point, can we 
expect that information within 2 weeks?
    Mr. Antonakes. Congressman, we have to be, I think, 
entirely precise, just so we can answer you correctly, in terms 
of what particular information you are seeking--
    Mr. Duffy. How long--
    Mr. Antonakes. There is a lot of information.
    Mr. Duffy. How many accounts? How long will it take to get 
that information?
    Mr. Antonakes. Congressman, are you speaking to the 
instances in which we collect PII or more broad information 
that does not include PII?
    Mr. Duffy. All accounts.
    Mr. Antonakes. Again, it is not accounts in some cases. It 
is loan-level data. It is other types of information, as well. 
We can seek to provide that information to you. We will do it 
in as timely a fashion as possible.
    Mr. Duffy. Okay. I want to move to another issue. In regard 
to how you store financial data, do you silo your supervisory 
role, data that you collect in your supervisory role? Do you 
silo that information from the information you collect in your 
market monitoring? That information and data is siloed? They 
are separated? They are not merged? Is that correct?
    Mr. Antonakes. We don't merge different data sets. 
Conceivably, market monitoring personnel would have access to 
some of the information, because we are allowed to collect data 
for multiple purposes and sources, but we are not mixing and 
matching data sets.
    Mr. Duffy. So through the supervisory process, the data 
that you collect can be merged with the market monitoring. Is 
that correct?
    Mr. Antonakes. That is not what I said. I said that they 
would have access and the ability to look at that information, 
but we are not mixing and matching data sets. We are not trying 
to re-identify consumers, from which we have not collected PII 
on.
    Mr. Duffy. Okay. We received a contract that the CFPB had 
with Experian through Judicial Watch. And that contract would 
have been used in the market monitoring function. Is that 
correct?
    Mr. Antonakes. That is correct.
    Mr. Duffy. And you have also testified today that in a 
market monitoring function, you don't obtain personally 
identifiable information. Is that also correct?
    Mr. Antonakes. I am saying that if it is coming through 
purchases, voluntary information requests, we are not 
collecting PII.
    Mr. Duffy. Okay.
    Mr. Antonakes. If it is coming through the supervisory 
channel, it could conceivably--
    Mr. Duffy. That is right. But through market monitoring, 
you are not collecting it. In regard to Mr. McHenry's 
question--and you also said that addresses, as well as ZIP 
Codes, plus four, are personally identifiable information, 
correct?
    Mr. Antonakes. Correct.
    Mr. Duffy. Now, I have a contract here provided from 
Judicial Watch, your contract with Experian, which requests 
that the contractor shall provide ZIP plus four or other 
geographic location information, such as census block 
identifiers. So I have a contract right here that shows that 
you are actually collecting that information, and so your 
testimony today is actually incorrect, per your contract with 
Experian. Is that right?
    Mr. Antonakes. I would have to verify the contract with 
Experian to see exactly what type of information we are--
    Mr. Duffy. So you are obtaining personally identifiable 
information in the market monitoring function, contrary to the 
testimony here today. I yield back.
    Mr. Antonakes. I don't believe we are, sir.
    Chairwoman Capito. The gentleman's time has expired.
    Mr. Scott?
    Mr. Scott. Yes, thank you, Madam Chairwoman.
    Let me just mention--and again, let me just commend the 
ranking member, with whom I very much agree on the need for 
this, and let me commend the chairwoman of the committee for 
this extraordinarily important hearing.
    And, again, let me go to one point that needs 
clarification, which Mr. Duffy raised. First of all, we raise 
this huge number of $80 million on the credit card issue. But 
isn't it true that there probably is no other area of great 
complaint and concern for consumer protection than the credit 
cards? We are almost a credit card society. We have stolen 
credit cards. We have misplaced credit cards.
    And I think it is very important to clarify that this PII 
information that you have to request comes from the personal 
request of the individual coming to you to get you to look into 
this matter. Are those points correct?
    Mr. Antonakes. I would say credit cards is one significant 
area of complaints for us. There are others, but it is a 
significant area of complaints.
    And I would say, to the extent that a consumer is reaching 
out to us directly through our consumer response channel, in 
that instance, we are collecting PII because they are asking us 
to intervene on their own behalf.
    Mr. Scott. And while Dodd-Frank, as we mentioned, outlaws 
PII information and so forth, it does so within the context 
that you fit in with the same parameters as the FDIC, the 
Federal Reserve, and other regulatory agencies. Is that 
correct?
    Mr. Antonakes. That is correct.
    Mr. Scott. All right. Now, with that information, the other 
request that comes from the other side--and on this request for 
numbers and how many and so forth--might have something to do 
with the aspect of confidentiality and--we love C-SPAN, and it 
is all across the Nation, and the good people hear it, as well 
as bad people hear it, and so forth, so there is a reason for 
some method of confidentiality.
    But you have agreed to find a way individually to make that 
known to those various members of the committee who have been 
asking for it, correct?
    Mr. Antonakes. Correct.
    Mr. Scott. All right. Now, let me just ask you this 
question again. I don't know if I matched it before, but I 
think it is very important. Has there been any breach in the 
CFPB's data system concerning this information? Has there been 
any breach in that information getting out?
    Mr. Antonakes. There has been no breach that we are aware 
of, Congressman.
    Mr. Scott. No breach that you are aware of. Which means, 
are there any--
    Mr. Antonakes. I don't--
    Mr. Scott. --that you may be unaware of? I need a clear--
    Mr. Antonakes. Congressman, I don't believe we have had a 
breach.
    Mr. Scott. I don't believe, but--is there anybody else in 
there where information is brought that there may be a breach?
    Mr. Antonakes. We have no reason to believe there has been 
a breach.
    Mr. Scott. All right. Now, are there firewalls, internal 
firewalls that you have involved for storing and using any of 
this data so that we can give the public additional assurance 
that you have some system in place for various probabilities, 
that you have people there whose job it is to just sit all day 
and all day and their job is to figure out, how can anything 
happen to get this information out to protect it? And do we 
have firewalls there?
    Mr. Antonakes. Yes, Congressman, we have firewalls, we have 
data security personnel, folks whose sole responsibility is to 
make sure that any data we collect is being maintained in a 
secure fashion.
    Mr. Scott. Okay. All right. And finally, I have one other 
very, very important point I would like to make, which is that 
we are working to try to get something right here to protect 
the American people who were grossly taken advantage of in so 
many areas.
    And I would say, of all that we have done in this lawsuit 
reform, the primary role of the CFPB is as the enforcer. And 
you can't do that without getting the information. Is there 
anything you would recommend to this committee that you need to 
be able to do a better job? And especially responding to some 
of the concerns that we have had.
    Mr. Antonakes. Congressman, I believe we have the tools 
necessary to protect American consumers, which is our mandate 
and all that we focus upon and why we collect and analyze this 
data.
    Mr. Scott. Thank you, sir.
    Chairwoman Capito. Mr. Barr?
    Mr. Barr. Mr. Antonakes, thank you for your testimony 
today. I appreciate you providing this committee and the 
Congress with more information about the handling of American 
citizens' personally identifiable information by the Consumer 
Financial Protection Bureau.
    But I wanted to follow up on a line of questions, which, 
with all respect, I don't think we have the answer that I think 
some of my colleagues were seeking, and that has to do with the 
categories of information that you are collecting, the 
categories of PII that you are collecting.
    One category is a category of PII that you get from 
consumers who voluntarily disclose it to your agency, correct?
    Mr. Antonakes. Correct.
    Mr. Barr. The second and--there are only two, as I 
understand it, from your testimony--the second is personally 
identifiable information that the Bureau obtains in the course 
of exercising its supervisory function. Is that correct?
    Mr. Antonakes. That is correct.
    Mr. Barr. Okay, I am interested in this second category, 
where you are obtaining PII from third parties, okay? In those 
cases, would an individual be able to, through a FOIA request 
or some other mechanism, obtain a file in the possession or 
custody of the Bureau with their PII that was obtained from a 
third party?
    Mr. Antonakes. So my understanding--and I want to answer 
this carefully, Congressman, to make sure it is completely 
accurate and responsive to your question--my understanding is, 
under the Privacy Act, an individual consumer could request to 
know whether or not we had collected information on that 
person. And I believe--I have to verify--that we would then 
provide that information to the individual consumer. They 
couldn't ask about other consumers; they could just ask about 
their own personally identifiable information.
    Mr. Barr. Right, but to follow up Mr. Westmoreland's line 
of questioning, for that category of information, PII--
    Mr. Antonakes. Yes.
    Mr. Barr. --that is obtained by your agency from a third 
party, in the course of your supervisory functions--
    Mr. Antonakes. Right.
    Mr. Barr. --could the individual to which that confidential 
information or personal information applies--could that person 
obtain the file that you are keeping?
    Mr. Antonakes. I want to verify this, but I believe they 
have the right to ask, and then we will provide that 
information to them.
    Mr. Barr. Okay. Let me ask you another question about the 
disclosure and the rules and the regulations that govern the 
Bureau's disclosure of this personally identifiable 
information. One of the regulations, 12 CFR 1070.41(b), 
provides the Bureau with authority to make disclosures to your 
contractors and your agents. How many contractors, agents, and 
third parties have been granted access by the Bureau to this 
database of information?
    Mr. Antonakes. I would say we have different folks in a 
contractual arrangement serving different roles at the Bureau.
    Mr. Barr. Yes, how many, approximately?
    Mr. Antonakes. I would have to provide that information for 
you. I want to be accurate. I would have to get that 
information for you.
    Mr. Barr. Are we talking a dozen or are we talking--
approximately how many contracts do you all have with third 
parties with whom you share this information?
    Mr. Antonakes. We have certain areas that we contract with 
to do certain services for certain work for us, so it varies. 
But those contractors would have access only to the information 
that is fundamental to the job that they are doing. They 
wouldn't have broad access to all of the information--
    Mr. Barr. When you disclose this information to the 
contractor or third party, who decides whether or not the 
information contains the PII?
    Mr. Antonakes. It would be germane to the particular area.
    Mr. Barr. Okay, so--
    Mr. Antonakes. So if we had contractors, for example, 
supporting our consumer response function, then they may have 
access to some of the information coming in from complainants. 
They wouldn't have information coming in through our 
supervisory channel.
    Mr. Barr. But the bottom line is, is both your systems of 
records notice and your regulatory framework contemplates 
sharing PII with third parties?
    Mr. Antonakes. With people who are working for us and who 
are operating under Federal privacy laws.
    Mr. Barr. One final question about the data that you 
collect from your supervisory role and then the purchase data 
sets. Do you match up the data that you obtain from purchased 
information, from Experian or CoreLogic or some of these other 
organizations--do you match at the individual level that data 
with the PII that you obtain under your supervisory functions?
    Mr. Antonakes. No, sir, we do not.
    Mr. Barr. Okay, my time has expired.
    Chairwoman Capito. Mr. Heck?
    Mr. Heck. Thank you, Madam Chairwoman.
    Hopefully, to close this maybe on a little bit of a 
positive note, and to use but one tiny but important example of 
how working with the CFPB has helped people, according to 
current law--I hope I say this accurately in its entirety--if 
you are a member of the service and you produce your orders 
with a stipulated end date, you are exempt from your student 
loan rate rising above a certain level while you are on active-
duty service.
    Because of a peculiarity in the law, if you are an officer, 
your orders don't carry a stipulated end date. And as a 
consequence, we have all manner of 22-year-old ROTC graduates 
about to get hammered by high student loan interest rates.
    Our office, working with the Bureau, through their efforts, 
identified this as a problem, and there was an amendment added 
to the National Defense Authorization Act which corrected this, 
and that could not have occurred, sir, without the work of your 
agency ferreting that out, identifying it, working it with the 
lenders, and with our office to amend the bill so that we can 
correct this going forward. Just a tiny example of where people 
have been helped and protected because of the work of your 
Servicemember Affairs Office. And I thank you for that, as 
well.
    Mr. Antonakes. Thank you, Congressman. Holly Petraeus and 
our entire Office of Servicemember Affairs do a tremendous job. 
Congress really appropriately identified in Dodd-Frank the 
special needs of servicemembers and how they have, on occasion 
in the past, been taken advantage of. So the work they do is 
critically important. Thank you.
    Mr. Heck. Thank you.
    I yield back the balance of my time.
    Chairwoman Capito. Thank you. I would like to thank the 
witness. I would also like to just review that we have a 
request for information from follow up from the CFPB, 
specifically, I think, on the numbers of records more specific.
    Also, I would like to add to that, if you could, the 
categories of PII that you have been collecting in the 
supervisory--I am not sure we got that definitively answered, 
and I think that would help the committee.
    So I would like to thank--
    Mrs. Maloney. What categories in general are they 
collecting?
    Chairwoman Capito. Yes, what categories in general of the 
PII. And if you could submit that to me, too, I know some of 
the other Members, like Mr. Duffy and others, had asked for 
specific information. And thank you for indulging us a second 
round. I appreciate that.
    The Chair notes that some Members may have additional 
questions for this witness, which they may wish to submit in 
writing. Without objection, the hearing record will remain open 
for 5 legislative days for Members to submit written questions 
to this witness and to place his responses in the record. Also, 
without objection, Members will have 5 legislative days to 
submit extraneous materials to the Chair for inclusion in the 
record.
    And without objection, the hearing is adjourned. Thank you 
very much.
    [Whereupon, at 12:27 p.m., the hearing was adjourned.]





                            A P P E N D I X



                              July 9, 2013


[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


