GAO makes 8 recommendations to FI regulators to better safeguard personally identifiable info

Four of the five federal financial institution regulators have been urged to take actions – ranging in number from one to five – to better protect the personally identifiable information (PII) they collect, use, and share in carrying out their regulatory mission.

A report Thursday by the Government Accountability Office (GAO), “Privacy: Federal Financial Regulators Should Take Additional Actions to Enhance Their Protection of Personal Information,” states that all five financial regulators have created privacy programs that generally take steps to protect PII (which they collect from individuals as well as from financial institutions) in accordance with key practices in federal guidance. However, it also notes that four of the agencies – the Federal Reserve Board (Fed), National Credit Union Administration (NCUA), Federal Deposit Insurance Corp. (FDIC), and Office of the Comptroller of the Currency (OCC) – did not fully implement key practices in other privacy protection areas.

It notes, for example, that the Fed and NCUA did not maintain a full PII inventory for all agency-owned applications and did not document steps they took to minimize the collection and use of PII; that the FDIC and Fed did not establish agencywide metrics to monitor privacy controls; and that the Fed and OCC had not fully tracked decisions by program officials on the selection and testing of privacy controls.

“Until these regulators take steps to mitigate these weaknesses, the PII they collect, use, and share could be at increased risk of compromise,” the summary states.

Recommendations for executive action – none were listed for the Consumer Financial Protection Bureau (CFPB), also reviewed for this report – include the following:

FDIC

  • Recommendation 1: The chair should identify and specify metrics to determine whether privacy controls are implemented correctly and operating as intended.

Federal Reserve

  • Recommendation 2: The chair should define a process for documenting the actions the Fed takes to minimize collection and use of PII.
  • Recommendation 3: The chair should include information from systems maintained by Fed contractors in the Fed’s inventory of information systems that handle PII.
  • Recommendation 4: The chair should identify and specify metrics to determine whether privacy controls are implemented correctly and operating as intended.
  • Recommendation 5: The chair should establish a timeframe for including information on privacy controls to be tested within the Fed’s written privacy continuous monitoring strategy.

NCUA

  • Recommendation 6: The executive director should enhance the NCUA’s ability to query information from an agencywide inventory of information systems containing PII, including contractor-run systems, to facilitate regular reviews of the inventory for accuracy and completion.
  • Recommendation 7: The executive director should define a process for documenting the actions the NCUA takes to minimize collection and use of PII.

OCC

  • Recommendation 8: The comptroller should require OCC privacy program officials to review intermediate process documentation, such as system privacy plans and security assessment plans.

The GAO said the FDIC generally agreed with the GAO’s recommendation. It said the other three agencies, while neither agreeing nor disagreeing, each described steps they planned to take to implement the recommendations.

The watchdog office said its review was undertaken at the request of Sen. Mike Crapo (R-Idaho), currently the top Republican on the Senate Finance Committee.

GAO-22-104551