Trump Administration’s Attacks on the CFPB Threaten Privacy, Data Security, and the Stability of the Financial Industry

Since its founding in 2011, the Consumer Financial Protection Bureau has been a champion for consumers by ensuring that financial services companies follow the law. The Bureau has returned over $21 billion to consumers in its 14 years of operation. Yet the Trump Administration has launched a full-scale attack on the CFPB over the past month, putting the Project 2025 goal of eliminating the CFPB into action. CFPB staff has been ordered to stop work, and many staff members have been terminated. Elon Musk’s so-called “Department of Government Efficiency” (DOGE) barged into the CFPB’s headquarters to rifle through sensitive data, both about consumers and the financial institutions regulated by the CFPB. DOGE has ignored the laws and rules that restrict access to the data held by the CFPB, which puts consumers at risk and threatens to destabilize the financial services marketplace. Meanwhile Elon Musk, the richest man in the world and head of DOGE, stands to make immense financial gains from the CFPB’s downfall. 

Trump Administration Attacks on CFPB Staff 

Just two weeks after Donald Trump’s inauguration, the President fired CFPB Director Rohit Chopra and appointed Treasury Secretary Scott Bessent to serve as acting director. Bessent sent an email directing CFPB staff to halt work on issuing or approving final rules, conducting investigation work for ongoing enforcement actions, initiating new enforcement actions, and issuing any public communications, including research papers. Bessent also suspended the effective dates of previously finalized but not yet effective rules. 

The following week, the newly appointed Office of Management and Budget Director Russell Vought replaced Scott Bessent as the CFPB’s Acting Director. Vought was appointed Acting Director on Friday, February 7. The next day, Vought sent an email directing CFPB staff to stop performing most of their work functions, including supervision and pending investigations. On Monday, February 10, Vought sent an email to all CFPB staff and contractors directing them not to perform any work tasks or come into the office for the week. Vought also posted on X that he has notified the Federal Reserve that the CFPB will not take its next draw of funding. 

Bessent and Vought’s stop work orders are dangerous for consumers. The CFPB conducts regular supervision and examination of financial institutions to ensure they are in compliance with consumer financial protection laws. If the CFPB discovers any potential violations, the Bureau is responsible for investigating and enforcing the law to hold financial institutions accountable for harm to consumers. The CFPB is also responsible for promulgating rules pursuant to consumer financial protection laws. For example, the CFPB has recently finalized rules that enhance privacy and security protections for consumers’ financial data and prohibit the inclusion of medical debt on credit reports. If CFPB staff cannot do their vital work to protect consumers in the financial services industry, consumers will suffer while financial institutions are not held accountable for the harm they cause. 

In addition to the stop work orders, a significant portion of CFPB staff were terminated. First, about 70 probationary employees (those who had worked less than one or two years in their positions at the CFPB) were terminated. Next, 70-100 term employees (career staff with positions lasting a specific length of time), were terminated. CFPB contracts with companies that provide additional staff and infrastructure were also cancelled.  

These terminations and contract cancellations have real consequences for consumers. Erie Meyer, the former CFPB Chief Technologist, explained in a recent affidavit that all contracts with companies who support the Bureau’s Office of Consumer Response were cancelled. This office fields emergency complaints from consumers. For example, when a consumer applying for a mortgage or interviewing for a new job realizes that an error on their credit report might get in the way of that opportunity, the consumer response team can help consumers coordinate with credit bureaus. With the office’s help, consumers can quickly resolve the problem before their offer on a home or an employment offer falls through.  

Cutting CFPB staff and gutting entire departments has dire consequences for consumers. CFPB employees work to protect consumers from harm caused by massive financial institutions by resolving complaints, ensuring the institutions follow the law, and making sure that there are clear, up-to-date rules and guidance for regulated companies. 

DOGE Access to CFPB Data 

While Bessent and Vought worked to gut the CFPB’s ability to protect consumers, Elon Musk’s DOGE infiltrated the CFPB and accessed sensitive financial data pertaining to consumers and financial institutions. On Friday, February 7, the day that Russell Vought was appointed Acting Director of the CFPB, DOGE employees entered the CFPB’s headquarters and began to “review” the agency. The White House ordered the CFPB to grant DOGE employees full access to all unclassified agency records, software, and IT systems.  

Granting DOGE employees access to so much CFPB data violates laws like the Federal Information Security Modernization Act (FISMA) and the Bureau’s strict data access rules, which previously ensured that staff and contractors only had access to data that they needed to perform their job functions. In another affidavit, Erie Meyer described the data access controls previously in effect at CFPB. Employees were required to request access to specific systems; the requests had to be approved by a supervisor; and requests were only approved if the employee had a specific business need to access that system and appropriate controls were in place. Meyer stated that no CFPB employee has ever been granted blanket access to all unclassified CFPB data.  

Meyer also described the training process that CFPB requires staff to complete before accessing any of the systems. Staff must complete trainings focusing on privacy, cyber security, and ethics. DOGE employees began examining CFPB systems on the same day that they entered CFPB headquarters for the first time, making it impossible that DOGE staff completed these required trainings. Further, CFPB staff are typically required to be trained on each system before beginning to access the records housed in that system, and DOGE staff do not appear to have completed any of these trainings, Meyer explained.  

The CFPB has developed careful data access protocols to ensure that sensitive financial information remains secure. DOGE infiltrated the CFPB and the sensitive data the Bureau safeguards with no regard for the CFPB’s rules on data access.  

Data Security and Competition Risks 

The CFPB holds extensive sensitive records about consumers, CFPB staff, and financial institutions. To name just a few of the systems maintained by the CFPB: 

• The Bureau collects information about consumers and financial institutions during routine supervision examinations. The CFPB conducts routine supervision of all depository institutions with assets over $10 billion, which includes most major banks, thrifts, and credit unions. The CFPB also supervises some larger non-depository institutions, including digital payment platforms. During supervision examinations, the CFPB collects data about consumers, including name, contact information, and account information.  
• The Bureau also collects detailed records about banks, credit reporting agencies, online payment platforms, auto lenders, and other financial institutions during routine supervision examinations, enforcement investigations, and litigation between the CFPB and financial institutions. 
• When consumers submit a complaint to the CFPB, the Bureau collects records related to the complaint and identifying information about the consumer. 
• The CFPB also holds sensitive information about its own employees, including data like social security numbers, address, information about employees’ disability accommodations, performance records, and more. 

In short: the Bureau collects extensive data about consumers, financial institutions, employees of financial institutions, CFPB staff, and others. As discussed above, the Bureau has strict rules for system access. When DOGE accessed CFPB data without following the CFPB’s rules—not to mention the Privacy Act and FISMA—they put consumers, CFPB staff, and financial institutions at risk. 

DOGE accessing CFPB data without following CFPB data access protocols increases the risk of a breach of consumer data. Data breaches have serious consequences for consumers. People victimized by a data breach face an increased risk of being the victim of identity theft and fraud. Scammers often use data obtained through breaches to legitimize their scams—if a scammer contacts an individual using accurate information about their bank account, for example, then the individual is more likely to fall for the scam, believing that it is a legitimate message from their bank. Data breaches can also cause embarrassment and reputational damage if compromising private information is made public. Even if a consumer’s data is not immediately used in a harmful way after the breach, knowing that their personal data has been breached often causes the consumer to feel anxious about how the data may be used in the future.  

Even setting aside the DOGE’s intentional incursions into protected CFPB systems, the administration’s large-scale terminations of employees and routine activities at the Bureau will make it that much harder for the CFPB to protect the security of the sensitive data it maintains. Consumers should be able to trust that government agencies will carefully safeguard their information. The DOGE’s intrusion on CFPB data violates that trust.  

Beyond the serious harm the DOGE has inflicted on consumers and CFPB staff by improperly accessing personal data, DOGE’s actions also threaten competition in financial markets. As noted, the CFPB collects detailed information about financial institutions, including online payment platforms and auto lenders, during supervision examinations, enforcement actions, and litigation. Elon Musk’s ownership of Twitter/X presents a towering conflict of interest because of DOGE’s access to CFPB data. Twitter/X, the social media platform owned by Elon Musk, has announced plans to enter the consumer financial market by partnering with Visa to offer a digital payment platform for its users. The CFPB holds sensitive business information about other companies in the digital payment market. As the head of DOGE, Musk may be able to access sensitive data about his competitors as he prepares to roll out Twitter/X’s digital payment system. Beyond the conflicts of interest related to Musk, DOGE’s access to CFPB data also increases the risk that sensitive business information could be breached. Such a breach could destabilize the financial services industry by unduly advantaging competitors and malicious third-party actors. 

The attacks on the CFPB also personally benefit Musk and his companies because they help him to avoid regulation by the CFPB. Last year, the CFPB finalized a rule to supervise large digital payment platforms and digital wallet apps. However, the rule requires the CFPB to individually designate which companies are subject to supervision. The stop-work orders issued by Bessent and Vought prohibit CFPB staff from designating any additional digital payment platforms for supervision. Twitter/X plans to roll out its payment platform later this year, and the attacks waged on the CFPB will likely prevent it from designating Musk’s company for supervision. 

Conclusion 

Through its attacks on the CFPB, the Trump administration has waged war on consumers and competition in the financial market. Moreover, the administration has refused to ensure that Musk will not use data accessed by DOGE for his own corrupt benefit. The CFPB provides essential oversight over financial institutions, and its destruction will have dire consequences for the country.