Federal financial regulatory agencies collect and maintain a large amount of consumers' personally identifiable information (PII) for the oversight of banks and credit unions. Protecting PII—which is often shared with other agencies, law enforcement, and contractors—is critical.
The 5 financial regulators we reviewed have processes to protect PII that meet most recommended key practices. But 4 of the regulators didn't fully follow key practices in certain areas, such as documenting how they minimized IT systems' collection and use of PII.
We recommended that financial regulators better ensure the protection of PII they collect, use, and share.
What GAO Found
The five federal financial regulators GAO reviewed have built more than 100 information system applications that regularly collect and use extensive amounts of personally identifiable information (PII)—information that can be used to locate or identify an individual—to fulfill their regulatory missions. These regulators collect and share PII with entities such as banks or service providers, contractors and other third parties, and other federal and state regulators. The regulators also collect PII directly from individuals and from financial institutions. Regulators use the PII to conduct supervisory examinations of financial institutions and to receive and respond to complaints or inquiries from customers (see figure).
Figure: Collection, Use, and Sharing of Personally Identifiable Information (PII) at Selected Federal Financial Regulators
All five financial regulators have created privacy programs that generally take steps to protect PII in accordance with key practices in federal guidance. For example, regulators fully addressed key practices for establishing privacy programs, conducting privacy training for staff, and implementing incident response procedures. However, four of the regulators did not fully implement key practices in other privacy protection areas. For example, the Board of Governors of the Federal Reserve System (Federal Reserve) and National Credit Union Administration (NCUA) did not maintain a full PII inventory for all agency-owned applications, and did not document steps they took to minimize the collection and use of PII. Also, the Federal Deposit Insurance Corporation (FDIC) and Federal Reserve did not establish agencywide metrics to monitor privacy controls, and the Federal Reserve and the Office of the Comptroller of the Currency (OCC) had not fully tracked decisions by program officials on the selection and testing of privacy controls. Until these regulators take steps to mitigate these weaknesses, the PII they collect, use, and share could be at increased risk of compromise.
Why GAO Did This Study
Federal financial regulators are agencies that supervise the products provided by financial institutions. As part of their oversight responsibilities, many regulators collect and maintain a large amount of consumers' PII. Increased collection and use of PII by agencies can pose challenges in ensuring the protection of individuals' privacy.
GAO was asked to review regulators' handling of PII. This report examines (1) what mission-related PII selected federal financial regulators collect, use, and share, and (2) the extent to which selected regulators ensure the privacy of the PII they collect, use, and share, in accordance with federal requirements and guidance.
GAO selected for review five regulators based on their authority to enforce consumer protection laws and the amount of PII they collect. For each of these entities, GAO analyzed privacy documentation to determine methods by which regulators handle PII, and compared regulators' key practices for handling PII to federal guidance. GAO interviewed officials from these regulators on their handling of PII. GAO also reviewed available agency inspector general reports addressing privacy issues.
GAO is making eight recommendations to federal financial regulators to better ensure the privacy of the PII they collect, use, and share. FDIC generally agreed with the recommendation it received. Federal Reserve, NCUA, and OCC did not agree or disagree with the recommendations they received, but each described steps they planned to take to implement them.
Recommendations for Executive Action
| Agency | Recommendation |
|---|---|
| Federal Deposit Insurance Corporation | The Chair of FDIC should identify and specify metrics to determine whether privacy controls are implemented correctly and operating as intended. (Recommendation 1) |
| Federal Reserve System | The Chair of the Federal Reserve should define a process for documenting the actions the Federal Reserve takes to minimize collection and use of PII. (Recommendation 2) |
| Federal Reserve System | The Chair of the Federal Reserve should include information from systems maintained by Federal Reserve contractors in the Federal Reserve's inventory of information systems that handle PII. (Recommendation 3) |
| Federal Reserve System | The Chair of the Federal Reserve should identify and specify metrics to determine whether privacy controls are implemented correctly and operating as intended. (Recommendation 4) |
| Federal Reserve System | The Chair of the Federal Reserve should establish a timeframe for including information on privacy controls to be tested within the Federal Reserve's written privacy continuous monitoring strategy. (Recommendation 5) |
| National Credit Union Administration | The Executive Director of NCUA should enhance NCUA's ability to query information from an agencywide inventory of information systems containing PII, including contractor-run systems, to facilitate regular reviews of the inventory for accuracy and completeness. (Recommendation 6) |
| National Credit Union Administration | The Executive Director of NCUA should define a process for documenting the actions NCUA takes to minimize collection and use of PII. (Recommendation 7) |
| Office of the Comptroller of the Currency | The Comptroller of the Currency should require OCC privacy program officials to review intermediate process documentation, such as system privacy plans and security assessment plans. (Recommendation 8) |