GAO Recommends Federal Regulators Act to Increase Protection of PII

On January 13, 2022, the U.S. Government Accountability Office (“GAO”) released a report analyzing the privacy practices of five federal regulators: the Consumer Financial Protection Bureau (“CFPB”), the Federal Deposit Insurance Corporation (“FDIC”), the Federal Reserve Board (“FRB”), the Office of the Comptroller of the Currency (“OCC”) and the National Credit Union Administration (“NCUA”).

According to the report, these regulators were chosen because they collect and maintain consumers’ personally identifiable information (“PII”), received through their examinations of financial institutions and through consumer outreach. The regulators also share this information with relevant third parties, such as banks and service providers.

In its report, the GAO reviewed the regulators’ privacy documentation and interviewed employees who handle PII to best assess how the regulators' policies and practices regarding the management of PII compare against federal guidance.

The GAO made the following recommendations:

  • FDIC

    • The Chair of FDIC should identify and specify metrics to determine whether privacy controls are implemented correctly and operating as intended.

  • FRB

    • The Chair of the Federal Reserve should define a process for documenting the actions the Federal Reserve takes to minimize collection and use of PII.

    • The Chair of the Federal Reserve should include information from systems maintained by Federal Reserve contractors in the Federal Reserve's inventory of information systems that handle PII.

    • The Chair of the Federal Reserve should identify and specify metrics to determine whether privacy controls are implemented correctly and operating as intended.

    • The Chair of the Federal Reserve should establish a timeframe for including information on privacy controls to be tested within the Federal Reserve's written privacy continuous monitoring strategy.

  • NCUA

    • The Executive Director of NCUA should enhance NCUA's ability to query information from an agencywide inventory of information systems containing PII, including contractor-run systems, to facilitate regular reviews of the inventory for accuracy and completion.

    • The Executive Director of NCUA should define a process for documenting the actions NCUA takes to minimize collection and use of PII.

  • OCC

    • The Comptroller of the Currency should require OCC privacy program officials to review intermediate process documentation, such as system privacy plans and security assessment plans.

In response, the FDIC “generally agreed” with the GAO’s recommendations. The other regulators neither agreed nor disagreed with the GAO's recommendations but each shared steps they planned to use to implement the recommendations.
