Four of the five federal financial institution regulators have been urged to take actions – ranging in number from one to five – to better protect the personally identifiable information (PII) they collect use, and share in carrying out their regulatory mission.
A report Thursday by the Government Accountability Office (GAO), “Privacy:Federal Financial Regulators Should Take Additional Actions to Enhance Their Protection of Personal Information,” states that all five financial regulators have created privacy programs that generally take steps to protect PII (which they collect from individuals as well as financial institutions) in accordance with key practices in federal guidance. However, it also notes that four of the agencies – the Federal Reserve Board (Fed), National Credit Union Administration (NCUA), Federal Deposit Insurance Corp. (FDIC), and Office of the Comptroller of the Currency (OCC) – did not fully implement key practices in other privacy protection areas.
It notes, for example, that the Fed and NCUA did not maintain a full PII inventory for all agency-owned applications and did not document steps they took to minimize the collection and use of PII; that the FDIC and Fed did not establish agencywide metrics to monitor privacy controls; and that the Fed and OCC had not fully tracked decisions by program officials on the selection and testing of privacy controls.
“Until these regulators take steps to mitigate these weaknesses, the PII they collect, use, and share could be at increased risk of compromise,” the summary states.
Recommendations for executive action – none were listed for the Consumer Financial Protection Bureau (CFPB), also reviewed for this report – include the following:
FDIC
- Recommendation 1: The chair should identify and specify metrics to determine whether privacy controls are implemented correctly and operating as intended.
Federal Reserve
- Recommendation 2: The chair should define a process for documenting the actions the Fed takes to minimize collection and use of PII.
- Recommendation 3: The chair should include information from systems maintained by Fed contractors in the Fed’s inventory of information systems that handle PII.
- Recommendation 4: The chair should identify and specify metrics to determine whether privacy controls are implemented correctly and operating as intended.
- Recommendation 5: The chair should establish a timeframe for including information on privacy controls to be tested within the Fed’s written privacy continuous monitoring strategy.
NCUA
- Recommendation 6: The executive director should enhance the NCUA’s ability to query information from an agencywide inventory of information systems containing PII, including contractor-run systems, to facilitate regular reviews of the inventory for accuracy and completion.
- Recommendation 7: The executive director should should define a process for documenting the actions the NCUA takes to minimize collection and use of PII.
OCC
- Recommendation 8: The comptroller should require OCC privacy program officials to review intermediate process documentation, such as system privacy plans and security assessment plans.
The GAO said the FDIC generally agreed with the GAO recommendation. It said the other three agencies, while not agreeing or disagreeing, each described steps they planned to take to implement the recommendations.
The watchdog office said its review was undertaken at the request of Sen. Mike Crapo (R-Idaho), currently the top Republican on the Senate Finance Committee.