January 25, 2022

Privacy: Federal Financial Regulators Should Take Additional Actions to Enhance Their Protection of Personal Information

What GAO Found

The five federal financial regulators GAO reviewed have built more than 100 information system applications that regularly collect and use extensive amounts of personally identifiable information (PII)—information that can be used to locate or identify an individual—to fulfill their regulatory missions. These regulators collect and share PII with entities such as banks or service providers, contractors and other third parties, and other federal and state regulators. The regulators also collect PII directly from individuals and from financial institutions. Regulators use the PII to conduct supervisory examinations of financial institutions and to receive and respond to complaints or inquiries from customers (see figure).

Collection, Use, and Sharing of Personally Identifiable Information (PII) at Selected Federal Financial Regulators

All five financial regulators have created privacy programs that generally take steps to protect PII in accordance with key practices in federal guidance. For example, regulators fully addressed key practices for establishing privacy programs, conducting privacy training for staff, and implementing incident response procedures. However, four of the regulators did not fully implement key practices in other privacy protection areas. For example, the Board of Governors of the Federal Reserve System (Federal Reserve) and National Credit Union Administration (NCUA) did not maintain a full PII inventory for all agency-owned applications, and did not document steps they took to minimize the collection and use of PII. Also, the Federal Deposit Insurance Corporation (FDIC) and Federal Reserve did not establish agencywide metrics to monitor privacy controls, and the Federal Reserve and the Office of the Comptroller of the Currency (OCC) had not fully tracked decisions by program officials on the selection and testing of privacy controls. Until these regulators take steps to mitigate these weaknesses, the PII they collect, use, and share could be at increased risk of compromise.

Why GAO Did This Study

Federal financial regulators are agencies that supervise the products provided by financial institutions. As part of their oversight responsibilities, many regulators collect and maintain a large amount of consumers’ PII. Increased collection and use of PII by agencies can pose challenges in ensuring the protection of individuals’ privacy.

GAO was asked to review regulators’ handling of PII. This report examines (1) what mission-related PII selected federal financial regulators collect, use, and share, and (2) the extent to which selected regulators ensure the privacy of the PII they collect, use, and share, in accordance with federal requirements and guidance.

GAO selected for review five regulators based on their authority to enforce consumer protection laws and the amount of PII they collect. For each of these entities, GAO analyzed privacy documentation to determine methods by which regulators handle PII, and compared regulators’ key practices for handling PII to federal guidance. GAO interviewed officials from these regulators on their handling of PII. GAO also reviewed available agency inspector general reports addressing privacy issues.
