OIG Audit Reveals NCUA Lacks Proper FSOC Confidentiality Procedures
The NCUA has limited comprehensive policies or procedures that would help it adequately control and protect from disclosure confidential Financial Stability Oversight Council information, analyses or information, according to a June 27 Office of Inspector General audit review.
The OIG document, posted on the NCUA’s website, said that while the credit union regulator generally has a culture of protecting information, its current policies and procedures do not adequately address the following items:
- Protecting oral communication of confidential non-public FSOC information;
- Inventorying or tracking FSOC information requests/responses;
- Controlling access to and authorizing release of confidential non-public information to FSOC, FSOC member agencies or other external parties (e.g., Congress);
- Placing appropriate markings on FSOC information to identify it as containing confidential information;
- A central person/group to coordinate all FSOC communications;
- Membership on FSOC committees, including authorized alternate representatives and corresponding duties and responsibilities of the NCUA representatives;
- Identifying, controlling and monitoring who within NCUA will have access to and who has accessed specific FSOC information and systems;
- Handling, controlling, and protecting FSOC information during teleconferences and telework sessions; and
- Consequences for the breach/unauthorized disclosure of FSOC information.
In a June 12 response letter to Inspector General William DeSarno, NCUA Executive Director David Marquis said he believes the regulator’s existing policies, procedures and training are effective.
“While existing policies do not specifically address FSOC information, we take great care in protecting confidential, non-public information in all forms,” Marquis wrote. Credit Union Times recently reported that the NCUA had failed to completely redact a report that questions the safety and soundness of SECU (N.C.).
However, Marquis said the NCUA agreed to continue coordinating with FSOC to implement improved policies, procedures and practices as suggested by FSOC to ensure the protection of confidential, non-public FSOC-related information. The OIG concurred with the NCUA’s response.
Created in 2010 as a requirement of the Dodd-Frank Act, the FSOC facilitates information and data sharing among financial regulators to remove “blind spots in the financial system” so they will “be better equipped to identify systemic risks and other emerging threats.”