Board Report: March 3, 2008

Inspection of Controls for Safeguarding Confidential and Personally Identifiable Information Collected During Bank Examinations

We completed an inspection of Reserve Bank controls for safeguarding confidential and sensitive information that includes PII collected during bank examinations. PII is information that identifies or describes a particular individual and may include an individual's name, birth date, account numbers, place of birth, driver's license number, passwords or security codes, or any other personal information that can be linked to an individual. Federal Reserve Banks conduct safety-and-soundness and consumer compliance examinations at state-chartered member banks under delegated authority from the Board. During financial institution examinations, Reserve Bank staff access and analyze information that is confidential, sensitive, and may include PII. Reducing the risk of inappropriate or inadvertent disclosure of confidential and sensitive information, including PII, is vital because security breaches could have serious impacts on supervised institutions, their customers, and the Federal Reserve System. The objective of this inspection was to evaluate policies, procedures, practices, and controls to safeguard confidential supervisory information, including PII, collected during bank examinations (hereinafter referred to as confidential information).

Government-wide measures to safeguard PII were included in recent Office of Management and Budget (OMB) guidance that requires agencies to train employees and establish administrative, technical, and physical safeguards to protect the security and integrity of confidential records. OMB also requires agencies to apply safeguards to protect sensitive agency information that is processed on computers and related hardware, and to meet certain security incident reporting requirements. In January 2007, BS&R and the Division of Consumer and Community Affairs (C&CA) issued procedures for safeguarding and reporting a loss of confidential information and assets (hereinafter, the procedures). To accomplish our inspection objective, we visited five Federal Reserve Banks and performed specific tests to verify that supervision and regulation staff members were complying with the procedures.

In general, our inspection-related testing and observations revealed that the Reserve Banks we visited are complying with the procedures. In addition, we found that all of the Reserve Banks are providing training for safeguarding confidential information, and that staff were generally aware of requirements to ensure the security of confidential information contained in documents and equipment. Further, our inspections of document storage and other facilities indicated that Reserve Banks were securing, archiving, and disposing of documents and equipment in accordance with the procedures. While conducting our inspection fieldwork, we noted that several Reserve Banks initiated actions to protect computer equipment and confidential information that supplemented provisions included in the procedures. We listed these additional procedures in our restricted report because other Reserve Banks may find these initiatives useful for strengthening procedures in their respective districts.

During the course of our inspection, the Staff Director for Management expressed interest in other agencies' practices for reducing the risk of theft or loss of laptops and confidential information while employees are traveling or working outside of their offices. Because we also saw value in obtaining insights into other agencies' practices for safeguarding electronic devices and confidential information, we expanded the scope of our inspection and included visits to nine other agencies, four of which are federal financial regulators. We analyzed the materials obtained during our visits to derive the core requirements that other agencies have implemented to safeguard laptops and confidential information while employees are traveling or working outside of their offices, and compared these core requirements to the procedures. We found that the procedures cover almost all of the other agencies' core requirements. However, we noted two core requirements that the procedures do not address, and requested that the Directors of BS&R and C&CA review these requirements and consider adding them to the procedures. We also compared the other agencies' core requirements to the Board's policies and procedures for safeguarding laptops and confidential information, and plan to communicate the results of this analysis in a separate briefing to the Staff Director for Management.