Federal Deposit Insurance Corporation
Office of Inspector General

The FDIC’s Privacy Program

Wednesday, December 18, 2019

The Federal Deposit Insurance Corporation (FDIC) Office of Inspector General (OIG) issued an audit report that highlights weaknesses in the controls and practices of the FDIC’s Privacy Program. 

The FDIC collects and maintains significant quantities of Personally Identifiable Information (PII) on bankers, financial institution customers, FDIC employees, and contractors.  As of June 2018, the FDIC reported that it maintained 338 information systems containing PII.  The significant amount of PII held by the FDIC underscores the importance of implementing an effective Privacy Program that ensures proper handling of this information and compliance with privacy laws, policies, and guidelines. 

The objective of the audit was to assess the effectiveness of the FDIC’s Privacy Program and practices.  The audit focused on the FDIC’s compliance in eight of the nine privacy control areas established within Office of Management and Budget (OMB) Circular A-130, Managing Information as a Strategic Resource.  

We found that the Privacy Program controls and practices we assessed were effective in four of eight areas examined.  However, privacy controls and practices with respect to the Risk Management Framework; Privacy Roles and Responsibilities; Managing PII; and Privacy Impact Assessments were either partially effective or not effective.  The FDIC’s Privacy Program in these areas did not comply with all relevant privacy laws and/or OMB policy and guidance.

Specifically, we found that the FDIC did not: 

  • Fully integrate privacy considerations into its risk management framework designed to identify and address privacy risks;
  • Adequately define or implement certain privacy responsibilities; or
  • Effectively manage or secure PII stored in network shared drives and in hard copy. 

During our audit, we alerted FDIC management to instances of both electronic and hard copy records containing sensitive PII that lacked appropriate access restrictions, prompting urgent action.

Further, we found that the FDIC did not dispose of PII within established timeframes, and it did not ensure that the Agency always completed, monitored, and retired Privacy Impact Assessments (PIAs) in a timely manner.

Our report contains 14 recommendations intended to strengthen the effectiveness of the FDIC's Privacy Program and records management practices.  FDIC management concurred with all of the recommendations.
