Privacy: Federal Financial Regulators Should Take Additional Actions to Enhance Their Protection of Personal Information
Fast Facts
Federal financial regulatory agencies collect and maintain a large amount of consumers' personally identifiable information (PII) for the oversight of banks and credit unions. Protecting PII—which is often shared with other agencies, law enforcement, and contractors—is critical.
The 5 financial regulators we reviewed have processes to protect PII that meet most recommended key practices. But 4 of the regulators didn't fully follow key practices in certain areas, such as documenting how they minimized IT systems' collection and use of PII.
We recommended that financial regulators better ensure the protection of PII they collect, use, and share.
Highlights
What GAO Found
The five federal financial regulators GAO reviewed have built more than 100 information system applications that regularly collect and use extensive amounts of personally identifiable information (PII)—information that can be used to locate or identify an individual—to fulfill their regulatory missions. These regulators collect and share PII with entities such as banks or service providers, contractors and other third parties, and other federal and state regulators. The regulators also collect PII directly from individuals and from financial institutions. Regulators use the PII to conduct supervisory examinations of financial institutions and to receive and respond to complaints or inquiries from customers (see figure).
Figure: Collection, Use, and Sharing of Personally Identifiable Information (PII) at Selected Federal Financial Regulators
All five financial regulators have created privacy programs that generally take steps to protect PII in accordance with key practices in federal guidance. For example, regulators fully addressed key practices for establishing privacy programs, conducting privacy training for staff, and implementing incident response procedures. However, four of the regulators did not fully implement key practices in other privacy protection areas. For example, the Board of Governors of the Federal Reserve System (Federal Reserve) and National Credit Union Administration (NCUA) did not maintain a full PII inventory for all agency-owned applications, and did not document steps they took to minimize the collection and use of PII. Also, the Federal Deposit Insurance Corporation (FDIC) and Federal Reserve did not establish agencywide metrics to monitor privacy controls, and the Federal Reserve and the Office of the Comptroller of the Currency (OCC) had not fully tracked decisions by program officials on the selection and testing of privacy controls. Until these regulators take steps to mitigate these weaknesses, the PII they collect, use, and share could be at increased risk of compromise.
Why GAO Did This Study
Federal financial regulators are agencies that supervise the products provided by financial institutions. As part of their oversight responsibilities, many regulators collect and maintain a large amount of consumers' PII. Increased collection and use of PII by agencies can pose challenges in ensuring the protection of individuals' privacy.
GAO was asked to review regulators' handling of PII. This report examines (1) what mission-related PII selected federal financial regulators collect, use, and share, and (2) the extent to which selected regulators ensure the privacy of the PII they collect, use, and share, in accordance with federal requirements and guidance.
GAO selected for review five regulators based on their authority to enforce consumer protection laws and the amount of PII they collect. For each of these entities, GAO analyzed privacy documentation to determine methods by which regulators handle PII, and compared regulators' key practices for handling PII to federal guidance. GAO interviewed officials from these regulators on their handling of PII. GAO also reviewed available agency inspector general reports addressing privacy issues.
Recommendations
GAO is making eight recommendations to federal financial regulators to better ensure the privacy of the PII they collect, use, and share. FDIC generally agreed with the recommendation it received. Federal Reserve, NCUA, and OCC did not agree or disagree with the recommendations they received, but each described steps they planned to take to implement them.
Recommendations for Executive Action
| Agency Affected | Recommendation | Status |
|---|---|---|
| Federal Deposit Insurance Corporation | The Chair of FDIC should identify and specify metrics to determine whether privacy controls are implemented correctly and operating as intended. (Recommendation 1) | In fiscal year 2023, in response to our recommendation, we verified that FDIC created a new version of its information security continuous monitoring strategy. It specified privacy metrics, such as the completion rate of privacy threshold analyses and privacy impact assessments for FDIC and contractor systems, and the extent to which employees conducted privacy awareness training. FDIC provided a privacy metric report showing that it is tracking these metrics. FDIC also provided a revised privacy program plan to document that its privacy controls are evaluated as part of a combined security and privacy control assessment, as documented in the information security continuous monitoring strategy. By performing these actions, FDIC has improved its ability to monitor and report on the extent to which its controls are sufficient to manage privacy risks. Therefore, we consider this recommendation to be implemented. |
| Federal Reserve System | The Chair of the Federal Reserve should define a process for documenting the actions the Federal Reserve takes to minimize collection and use of PII. (Recommendation 2) | In September 2023, the Board of Governors of the Federal Reserve System detailed actions it planned to take to address this recommendation. We will continue to be in contact with the Board to gain further information on these actions and progress toward their completion. |
| Federal Reserve System | The Chair of the Federal Reserve should include information from systems maintained by Federal Reserve contractors in the Federal Reserve's inventory of information systems that handle PII. (Recommendation 3) | In September 2023, the Board of Governors of the Federal Reserve System detailed actions it planned to take to address this recommendation. We will continue to be in contact with the Board to gain further information on these actions and progress toward their completion. |
| Federal Reserve System | The Chair of the Federal Reserve should identify and specify metrics to determine whether privacy controls are implemented correctly and operating as intended. (Recommendation 4) | In September 2023, the Board of Governors of the Federal Reserve System detailed actions it planned to take to address this recommendation. We will continue to be in contact with the Board to gain further information on these actions and progress toward their completion. |
| Federal Reserve System | The Chair of the Federal Reserve should establish a timeframe for including information on privacy controls to be tested within the Federal Reserve's written privacy continuous monitoring strategy. (Recommendation 5) | In September 2023, the Board of Governors of the Federal Reserve System detailed actions it planned to take to address this recommendation. We will continue to be in contact with the Board to gain further information on these actions and progress toward their completion. |
| National Credit Union Administration | The Executive Director of NCUA should enhance NCUA's ability to query information from an agencywide inventory of information systems containing PII, including contractor-run systems, to facilitate regular reviews of the inventory for accuracy and completion. (Recommendation 6) | In September 2022, NCUA updated its policies to require each of its privacy impact assessments, which document handling of PII, to be entered into an automated system with a querying capability for streamlined review. NCUA specified in policy that use of this system is required for contractor-run systems owned by NCUA. NCUA also demonstrated use of the querying capability for this automated system. |
| National Credit Union Administration | The Executive Director of NCUA should define a process for documenting the actions NCUA takes to minimize collection and use of PII. (Recommendation 7) | In September 2022, NCUA updated its privacy program plan with further details on how to appropriately consider whether collection of personally identifiable information (PII) was necessary when conducting a privacy impact assessment. In September 2023, NCUA provided artifacts, including completed privacy impact assessments, demonstrating that it had taken specific steps to minimize the collection of PII in selected systems. By doing this, NCUA has demonstrated a more consistent process for minimizing the amount of PII it collects, thus decreasing users' privacy risks. |
| Office of the Comptroller of the Currency | The Comptroller of the Currency should require OCC privacy program officials to review intermediate process documentation, such as system privacy plans and security assessment plans. (Recommendation 8) | In March and July 2022, OCC revised its assessment and authorization operating procedures to require its Chief Privacy Officer to review and approve all system security plans prior to the testing of controls, and provided an example of this type of approval. OCC also clarified in its procedure document and its risk management framework workflow that decisions related to the final selection of privacy controls and detailed control test procedures are delegated to a cyber assessment team. In August 2022, OCC provided an official delegation memo from the Chief Privacy Officer to the cyber assessment team, information on the privacy expertise and certifications for officials on this team, and an example assessment plan approval by a member of this team. |