October 21, 2021


Consumer Privacy: Better Disclosures Needed on Information Sharing by Banks and Credit Unions


What GAO Found

Banks and credit unions collect, use, and share consumers’ personal information—such as income level and credit card transactions—to conduct everyday business and market products and services. They share this information with a variety of third parties, such as service providers and retailers.

The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to provide consumers with a privacy notice describing their information-sharing practices. Many banks and credit unions elect to use a model form—issued by regulators in 2009—which provides a safe harbor for complying with the law (see figure). GAO found the form gives a limited view of what information is collected and with whom it is shared. Consumer and privacy groups GAO interviewed cited similar limitations. The model form was issued over 10 years ago. The proliferation of data-sharing since then suggests a reassessment of the form is warranted. Federal guidance states that notices about information collection and usage are central to providing privacy protections and transparency. Since Congress transferred authority to the Consumer Financial Protection Bureau (CFPB) for implementing GLBA privacy provisions, the agency has not reassessed if the form meets consumer expectations for disclosures of information-sharing. CFPB officials said they had not considered a reevaluation because they had not heard concerns from industry or consumer groups about privacy notices. Improvements to the model form could help ensure that consumers are better informed about all the ways banks and credit unions collect and share personal information.

Figure: Excerpts of the Gramm-Leach-Bliley Act Model Privacy Form Showing Reasons Institutions Share Personal Information

Federal regulators examine institutions for compliance with GLBA privacy requirements, but did not do so routinely in 2014–2018 because they found most institutions did not have an elevated privacy risk. Before examinations, regulators assess noncompliance risks in areas such as relationships with third parties and sharing practices to help determine if compliance with privacy requirements needs to be examined. The violations of privacy provisions that the examinations identified were mostly minor, such as technical errors, and regulators reported relatively few consumer complaints.

Why GAO Did This Study

Banks and credit unions maintain a large amount of personal information about consumers. Federal law requires that they have processes to protect this information, including data shared with certain third parties. GAO was asked to review how banks and credit unions collect, use, and share such information and federal oversight of these activities. This report examines, among other things, (1) what personal information banks and credit unions collect, and how they use and share the information; (2) the extent to which they make consumers aware of the personal information they collect and share; and (3) how regulatory agencies oversee such collection, use, and sharing.

GAO reviewed privacy notices from a nongeneralizable sample of 60 banks and credit unions with a mix of institutions with asset sizes above and below $10 billion. GAO also reviewed federal privacy laws and regulations, regulators’ examinations in 2014–2018 (the last 5 years available), procedures for assessing compliance with federal privacy requirements, and data on violations. GAO interviewed officials from banks, industry and consumer groups, academia, and federal regulators.

What GAO Recommends

GAO recommends that CFPB update the model privacy form and consider including more information about third-party sharing. CFPB did not agree or disagree with the recommendation but said they would consider it, noting that it would require a joint rulemaking with other agencies.

For more information, contact Alicia Puente Cackley at (202) 512-8678 or CackleyA@gao.gov or Nick Marinos at (202) 512-9342 or MarinosN@gao.gov.
