NCUA Among 4 FI Regulators Urged by GAO to Do Better on Protecting Personally Identifiable Information

WASHINGTON–NCUA is among four federal financial institution regulators that are being urged by the Government Accountability Office to take actions to better protect the personally identifiable information (PII) they collect, use, and share in carrying out their regulatory mission.

The report issued by GAO, “Privacy: Federal Financial Regulators Should Take Additional Actions to Enhance Their Protection of Personal Information,” states that all five financial regulators have created privacy programs that take steps to protect PII (which they collect from individuals as well as financial institutions) in accordance with key practices in federal guidance.

But the report notes that four of the agencies (NCUA, the FDIC, the Federal Reserve and the Office of the Comptroller of the Currency (OCC)) have not fully implemented key practices in other privacy protection areas.

For example, the report said the Fed and NCUA have not maintained a full PII inventory for all agency-owned applications and did not document steps taken to minimize the collection and use of PII. In addition, the report found the FDIC and Fed did not establish agencywide metrics to monitor privacy controls, and that the Fed and OCC had not fully tracked decisions by program officials on the selection and testing of privacy controls.

“Until these regulators take steps to mitigate these weaknesses, the PII they collect, use, and share could be at increased risk of compromise,” the report’s summary states.

The Recommendations

Recommendations for executive action made in the report include:

NCUA

  • The executive director should enhance the NCUA’s ability to query information from an agencywide inventory of information systems containing PII, including contractor-run systems, to facilitate regular reviews of the inventory for accuracy and completion.
  • The executive director should define a process for documenting the actions the NCUA takes to minimize collection and use of PII.

FDIC

  • The chair should identify and specify metrics to determine whether privacy controls are implemented correctly and operating as intended.

Federal Reserve

  • The chair should define a process for documenting the actions the Fed takes to minimize collection and use of PII.
  • The chair should include information from systems maintained by Fed contractors in the Fed’s inventory of information systems that handle PII.
  • The chair should identify and specify metrics to determine whether privacy controls are implemented correctly and operating as intended.
  • The chair should establish a timeframe for including information on privacy controls to be tested within the Fed’s written privacy continuous monitoring strategy.

OCC

  • The comptroller should require OCC privacy program officials to review intermediate process documentation, such as system privacy plans and security assessment plans.

According to the GAO, the FDIC has generally agreed with the GAO recommendations, but the other three agencies, while not agreeing or disagreeing, each described steps they planned to take to implement the recommendations.

The CFPB was the lone agency not included in the report.

Copyright Holder: CUToday.info
Copyright Year: 2026
URL: https://cuto-admin.flux5.ccplatform.net/Fresh-Today/NCUA-Among-4-FI-Regulators-Urged-by-GAO-to-Do-Better-on-Protecting-Personally-Identifiable-Information