Office of Inspector General

OIG Reports

Inspection of Controls for Safeguarding Confidential and Personally Identifiable Information Collected During Bank Examinations

In March 2008, we completed an inspection of Reserve Bank controls for safeguarding confidential and sensitive information, including personally identifiable information (PII), collected during bank examinations. PII is information that identifies or describes a particular individual and may include a name, birth date, account numbers, place of birth, driver’s license number, passwords or security codes, or any other personal information that can be linked to an individual. Federal Reserve Banks conduct safety-and-soundness and consumer compliance examinations at state-chartered member banks under delegated authority from the Board. During financial institution examinations, Reserve Bank staff access and analyze information that is confidential and sensitive and that may include PII. Reducing the risk of inappropriate or inadvertent disclosure of confidential and sensitive information, including PII, is vital because security breaches could have serious impacts on supervised institutions, their customers, and the Federal Reserve System. The objective of this inspection was to evaluate the policies, procedures, practices, and controls used to safeguard confidential supervisory information, including PII, collected during bank examinations (hereinafter referred to as confidential information).

Government-wide measures to safeguard PII were included in recent Office of Management and Budget (OMB) guidance that requires agencies to train employees and to establish administrative, technical, and physical safeguards to protect the security and integrity of confidential records. OMB also requires agencies to apply safeguards to sensitive agency information that is processed on computers and related hardware, and to meet certain security incident reporting requirements. In January 2007, the Division of Banking Supervision and Regulation and the Division of Consumer and Community Affairs issued procedures for safeguarding confidential information and assets and for reporting their loss (hereinafter, the procedures). To accomplish our inspection objective, we visited five Federal Reserve Banks and performed specific tests on a judgmentally selected sample to verify that supervision and regulation staff members were complying with the procedures.

In general, our inspection testing and observations revealed that the Reserve Banks we visited were complying with the procedures. In addition, we found that all of the Reserve Banks were providing training on safeguarding confidential information, and that staff were generally aware of the requirements for securing confidential information contained in documents and equipment. Further, our inspections of document storage and other facilities indicated that the Reserve Banks were securing, archiving, and disposing of documents and equipment in accordance with the procedures. While conducting our inspection fieldwork, we noted that several Reserve Banks had initiated actions to protect computer equipment and confidential information that went beyond the provisions of the procedures. We listed these additional measures in our restricted report because other Reserve Banks may find them useful for strengthening the procedures in their respective districts.