Government Accountability Office (Source: Shutterstock)

Although the five federal financial regulators have processes that meet most recommended key practices to protect vast amounts of consumers' personally identifiable information (PII), four of the regulators, including the NCUA, did not fully follow key practices in certain areas, a new report released by the U.S. Government Accountability Office concluded.

The GAO, a non-partisan arm of the federal government that provides auditing, evaluation and investigative services for Congress, examined how the NCUA, FDIC, OCC, Federal Reserve and CFPB manage consumers' PII.

Specifically, the report said the NCUA and Federal Reserve did not maintain a full PII inventory for all agency-owned applications, and neither agency documented the steps it took to minimize the collection and use of PII.

In addition, the FDIC and Federal Reserve did not establish agency-wide metrics to monitor privacy controls, and the Federal Reserve and OCC had not fully tracked decisions by program officials on the selection and testing of privacy controls.

"Until these regulators take steps to mitigate these weaknesses, the PII they collect, use and share could be at increased risk of compromise," the GAO report said.

The GAO report did not include any findings against the CFPB's management of PII.

Based on the report's findings, the GAO made eight executive recommendations, four of them for the Federal Reserve, two for the NCUA, and one each for the FDIC and OCC.

In response to the GAO report, NCUA Executive Director Larry Fazio acknowledged in a letter last month that the NCUA needs to improve its ability to track consumer PII across its systems, including contractor-run systems, to ensure the accuracy and completeness of the NCUA's inventory reviews. He also wrote that the agency needs to establish a defined process for documenting the NCUA's actions to minimize the collection and use of PII.

"We are confident that our program already meets the requirements associated with the suggested improvement, but we are committed to continuing to enhance our program," Fazio wrote. "As we mentioned during our interviews such efforts are well underway. We expect full implementation of technology-assisted assessment and authorization tools to be completed in 2022. This will address the enhancements you identified."

Sen. Mike Crapo (R-Idaho), the ranking member of the Senate Finance Committee, asked the GAO to examine the handling of PII at the five federal financial regulatory agencies.

The report also examined what PII selected federal financial regulators collect, for what purposes they collect it, and how they use and share it; it also looked at the extent to which selected federal financial regulators ensure the privacy of the PII they collect, use and share for key applications, in accordance with federal requirements and guidance.

According to the GAO report, the five financial regulators maintain more than 100 information system applications that collect and use consumer PII. The five regulators use PII primarily in their roles in overseeing supervisory examinations of financial institutions, but also for other purposes such as enforcement of consumer financial laws and processing consumer complaints. The regulators also share PII with other government agencies, law enforcement, judicial entities, and third parties such as contractors, vendors and service providers.

The most common PII collected and used by regulators includes name, address, email, phone number, Social Security number and information related to individual financial transactions. For example, Social Security numbers are collected by the CFPB to connect data points in better understanding consumer financial decision-making, by the NCUA as part of screening prospective credit union officials, and by the OCC as part of information required to be collected on key management personnel of financial institutions. Other types of PII commonly collected and used by regulators include education information; employment information such as employer name or job status; demographic data, such as gender and ethnicity; and background investigation results.

© Touchpoint Markets, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.

Peter Strozniak

Credit Union Times reporter covering credit union operations, fraud, M&As, leagues, business continuity, and breaking news.