In 2016, the Federal Reserve Board's internal watchdog said the organization lacks a sufficient approach for protecting
Released Monday, the report highlights the corrective action recommendations made to the board of governors that have not been fully addressed. It also identified 18 open recommendations
The OIG report noted that many of the issues identified can take a long time to address. As such, it only discloses information about recommendations that are at least six months old.
The agencies are in the process of addressing all but one of the open issues — a 2023 recommendation that the CFPB develop a testing regime for its information security contingency plans. The CFPB has acknowledged the shortcoming and plans to address it, according to the report.
Representatives from the Fed and CFPB declined to comment on the OIG findings. A spokesperson for the CFPB confirmed the agency is working to implement all the outstanding recommendations.
The 2016 recommendation to the Fed about internal security threats is the oldest outstanding issue. It was one of nine remedies called for by an audit of the Fed's information security program in November of that year. The report directed the Fed's chief operating officer to look across its security protocols and determine which measures might be appropriate for information that is sensitive but classified.
The board has said it has begun taking steps to implement the recommendation.
The report notes that separate recommendations are still open from similar information security audits conducted in 2017, 2018, 2019, 2020, 2022 and 2023. Similarly, all 11 open recommendations for the CFPB were also related to information and data security.
Four open recommendations with the Fed stem from a 2023 audit of the Federal Open Market Committee's trading and investment rules. These include calls for more uniform disclosure policies across the Federal Reserve System, processes for better authenticating financial disclosures and a system for determining and enforcing consequences on individuals who violate the policies.
FOMC trading and investments have been a topic of interest for
Last year, during a
"This is not strong oversight. In fact, it is not even competent oversight," Warren said. "It looks like, to anyone in the public, that you gave your boss a free pass and that's just not going to cut it here."
Supervision was another area with several open recommendations. These touch upon the Fed's approach to third-party risk management and cybersecurity concerns at the institutions it oversees, as well as its governance process around reviewing and approving supervisory proposals.
Two recent audits, the 2023 reviews of the material loss related to Silicon Valley Bank's failure and the supervision of Silvergate Bank — which elected to