What GAO Found
The five federal financial regulators GAO reviewed have built more than 100 information system applications that regularly collect and use extensive amounts of personally identifiable information (PII)—information that can be used to locate or identify an individual—to fulfill their regulatory missions. These regulators collect and share PII with entities such as banks or service providers, contractors and other third parties, and other federal and state regulators. The regulators also collect PII directly from individuals and from financial institutions. Regulators use the PII to conduct supervisory examinations of financial institutions and to receive and respond to complaints or inquiries from customers (see figure).
Collection, Use, and Sharing of Personally Identifiable Information (PII) at Selected Federal Financial Regulators
All five financial regulators have created privacy programs that generally take steps to protect PII in accordance with key practices in federal guidance. For example, regulators fully addressed key practices for establishing privacy programs, conducting privacy training for staff, and implementing incident response procedures. However, four of the regulators did not fully implement key practices in other privacy protection areas. For example, the Board of Governors of the Federal Reserve System (Federal Reserve) and National Credit Union Administration (NCUA) did not maintain a full PII inventory for all agency-owned applications, and did not document steps they took to minimize the collection and use of PII. Also, the Federal Deposit Insurance Corporation (FDIC) and Federal Reserve did not establish agencywide metrics to monitor privacy controls, and the Federal Reserve and the Office of the Comptroller of the Currency (OCC) had not fully tracked decisions by program officials on the selection and testing of privacy controls. Until these regulators take steps to mitigate these weaknesses, the PII they collect, use, and share could be at increased risk of compromise.
Why GAO Did This Study
Federal financial regulators are agencies that supervise the products provided by financial institutions. As part of their oversight responsibilities, many regulators collect and maintain a large amount of consumers’ PII. Increased collection and use of PII by agencies can pose challenges in ensuring the protection of individuals’ privacy.
GAO was asked to review regulators’ handling of PII. This report examines (1) what mission-related PII selected federal financial regulators collect, use, and share, and (2) the extent to which selected regulators ensure the privacy of the PII they collect, use, and share, in accordance with federal requirements and guidance.
GAO selected for review five regulators based on their authority to enforce consumer protection laws and the amount of PII they collect. For each of these entities, GAO analyzed privacy documentation to determine methods by which regulators handle PII, and compared regulators’ key practices for handling PII to federal guidance. GAO interviewed officials from these regulators on their handling of PII. GAO also reviewed available agency inspector general reports addressing privacy issues.