A report Monday indicating that the Consumer Financial Protection Bureau is pulling back from a "full-scale probe" of Equifax led to wide-ranging Democratic criticism of the CFPB and revived scrutiny of the credit bureaus.

But it is unclear whether the CFPB is abandoning its supervisory oversight of Equifax or just taking a back seat to the Federal Trade Commission as the latter investigates the credit bureau over its massive data breach last year.

On Monday, Reuters reported that acting CFPB Director Mick Mulvaney has not ordered subpoenas against Equifax or taken any sworn testimony from its executives. Reuters cited unnamed sources who said the CFPB rebuffed prudential banking regulators that had offered to help with on-site supervisory exams.

A monitor displays Equifax signage on the floor of the New York Stock Exchange.
Last year, the Federal Trade Commission took the unusual step of announcing that it was taking the lead in investigating Equifax. Bloomberg News

Yet the story appears more complicated than that. Last year, the FTC took the unusual step of announcing that it was taking the lead in investigating Equifax. Per a prior agreement between the two agencies, to avoid overlapping roles, only one of them is tasked with probing any of the credit reporting giants when it is suspected of potential potential wrongdoing.

"Equifax is a company that falls into a weird regulatory space," said Kirk Nahra, a partner at the law firm Wiley Rein. "There is no particular need for two agencies to do an investigation. Equifax right now is not in the supervisory space, where you are checking on weaknesses."

While a pullback by the CFPB plays into the current narrative that Mulvaney will not push the envelope on enforcement actions, lawyers cautioned that the CFPB likely is coordinating with the FTC and that regulatory oversight of cybersecurity issues is far more nuanced.

Lawyers said the FTC issued a civil investigative demand to Equifax last year in coordination with the CFPB, which is why the bureau did not issue its own, separate subpoena.

If Equifax ultimately enters into a settlement with the FTC, it would have a 20-year audit provision, Nahra said, which would cover much of the supervisory work that the CFPB would be doing.

In addition, the CFPB is conducting supervisory exams of TransUnion and Experian, lawyers told American Banker.

Regulators do not conduct investigations and exams concurrently, because investigators would be able to get privileged information that supervisors could not, creating problems, lawyers said. As a result, the CFPB's examination of Equifax likely was put on hold while the FTC's investigation moved forward, lawyers said.

Consumer groups denounced Mulvaney, noting that the CFPB is far more likely to seek penalties for wrongdoing, while the FTC's ability to levy fines is limited.

"There is no one supervising the credit bureaus for data security," said Chi Chi Wu, a staff attorney at the National Consumer Law Center. "We're disturbed by these reports and think the CFPB should step up its efforts, not roll them back."

Democratic lawmakers, meanwhile, sharply criticized Mulvaney, and pointed to the report as furthering the case for legislation to reform oversight of the credit bureaus.

In a tweet, Sen. Elizabeth Warren, D-Mass., said the report of a CFPB pullback was "another middle finger from @MickMulvaneyOMB to consumers: he’s killed the @CFPB’s probe into the #EquifaxBreach that affected more than 145 million Americans."

Sen. Sherrod Brown, D-Ohio, the ranking member of the Senate Banking Committee, said Mulvaney had turned his back on consumers.

“Refusing to investigate a data breach that put 145 million Americans at risk is malpractice,” Brown said in a press release. “Once again, Mr. Mulvaney has made clear he will always side with special interests over the consumers who count on CFPB for help. The administration needs to swiftly nominate a CFPB director who will protect consumers instead of letting well-connected corporations walk away scot-free.”

The CFPB said it is authorized to take supervisory and enforcement action against certain institutions engaged in unfair, deceptive, or abusive acts or practices, or that otherwise violate federal consumer financial laws.

"This includes acting in response to the failure of institutions to engage in reasonable data security practices in connection with the collection and maintenance of consumer report information," the CFPB said in an emailed statement. "As noted previously, the bureau is looking into Equifax’s data breach and response. Reports to the contrary are incorrect. The Bureau cannot comment further at this time."

The CFPB has supervisory examination authority over Equifax, Experian and TransUnion because the three credit bureaus were designated in 2012 as "larger participants" in the credit reporting market.

The FTC, meanwhile, has authority over data breaches under the Gramm-Leach-Bliley Act of 1999, and created a Safeguards Rule that requires that nonbank financial institutions to maintain a security program for handling customer information.

The prudential financial regulators, including the Federal Deposit Insurance Corp., the Federal Reserve Board and the Office of the Comptroller of the Currency, have taken the unusual position of saying that they have no jurisdiction over the credit bureaus under the Bank Services Company Act, lawyers said.

The jurisdiction for credit bureaus is "a regulatory dead zone," said Amanda Werner, a campaign strategist at Public Justice, a legal advocacy group.

Jeremy Dalpiaz, the Independent Community Bankers of America's assistant vice president for cyber and data security policy, called on prudential banking regulators to subject the three main credit bureaus to exams and supervision.

"The current regulatory regime for the credit rating agencies is too fragmented," Dalpiaz said. "Given the criticality and amount of personally identifiable information the credit rating agencies hold, ensuring that data is appropriately safeguarded is critical for not only consumers but also for the banks that use that data for loan underwriting.

In November, the ICBA sued Equifax in a district court in Georgia asking for compensation for banks that were harmed by the data breach. The complaint cited damages such as the cost of customer credit freezes, the need for protective measures to prevent fraud and canceling replacement payment cards.

The ICBA also has asked the court to require Equifax to improve its security infrastructure to prevent future data breaches.

In a statement, Equifax said it is "cooperating with agencies that are investigating or otherwise seeking information about the cybersecurity incident, including the CFPB." Marisa Salcines, an Equifax spokeswoman, said the credit bureau would not otherwise comment on an ongoing process.

Other observers said that, with the FTC taking the lead, it would make sense for the bureau not to want to get in another agency's way.

"Given where we are with the current administration, it would make sense for Mulvaney to take a step back and simplify the regulatory landscape," said Al Pascual, a senior vice president and research director at Javelin Strategy & Research. "The FTC is going to have more experience in handling these types of cases, for sure, so why not let the agency that has experienced counsel and processes in place be the lead."

Kate Berry

Kate Berry

Kate Berry covers the Consumer Financial Protection Bureau for American Banker.