A review of five U.S. financial regulators responsible for protecting consumers’ personally identifiable information (PII) revealed four have failed to follow key practices, such as documenting how they minimized IT systems’ collection and use of such data.
In the 49-page report “Federal Financial Regulators Should Take Additional Actions to Enhance Their Protection of Personal Information,” the U.S. Government Accountability Office (GAO), the Congressional watchdog, recommended that financial regulators better ensure the protection of PII they collect, use, and share.
The GAO praised the Consumer Financial Protection Bureau (CFPB) for having an internal team that reviews each new piece of PII collected to better ensure the use of such data is minimized.
But a review of practices by the Federal Deposit Insurance Corp., the Federal Reserve, the National Credit Union Administration and the Office of the Comptroller of the Currency found that while these regulators have established practices to protect privacy, conduct staff training and implement incident response procedures, they did not apply essential procedures in other privacy protection areas.
These regulators "did not fully perform key practices such as maintaining a systems inventory that allows it to ensure the accuracy of its PII, documenting steps taken to minimize PII collected and used by applications, identifying and documenting metrics to evaluate the implementation of privacy controls, and documenting key decisions and approvals for the selection and testing of privacy controls," the report found.
As a result, the GAO said, these regulators are less likely to be fully aware of the extent of the PII they handle, or of the controls in place, internally and at external parties, to protect it.
The privacy report comes days after the GAO reported that the use of crypto payments to enable illegal human and drug trafficking is on the rise.
In "Virtual Currencies: Additional Information Could Improve Federal Agency Efforts to Counter Human and Drug Trafficking," the GAO said crypto ATMs were partly responsible for the surge because the machines are subject to fewer requirements than crypto exchanges and their transactions are more difficult to trace.