
- Key insight: The Federal Reserve Board's policies on handling sensitive information failed to prevent critical data and reports from being shared with Chinese intelligence officers.
- Expert quote: "The Board of Governors of the Federal Reserve System's insider risk management activities do not proactively or effectively identify and manage risks to the agency's information and assets." —Office of the Inspector General for the Federal Reserve Board
- Forward Look: The Fed has committed to making several changes to centralize and beef up its sensitive-information practices.
The Federal Reserve has failed to stop its employees from sharing sensitive information with foreign adversaries at least several times during the past decade, according to a just-released watchdog report.
The Fed's Office of Inspector General, or OIG, released a 40-page report on Thursday detailing the shortcomings of the central bank's efforts to prevent employees and officials from disclosing proprietary information and analysis.
"The Board of Governors of the Federal Reserve System's insider risk management activities do not proactively or effectively identify and manage risks to the agency's information and assets," the report finds. "The Board's IRM activities are not consistent with leading practices for designing and operating IRM programs."
Earlier this year, the OIG flagged concerns about the procedures for handling confidential supervisory information at the Fed and the Consumer Financial Protection Bureau — the two agencies share the same inspector general. The report concluded that the agency's programs were "
The report released Thursday highlights several specific examples of the Fed's shortcomings. These include unauthorized disclosures of "potentially market-moving" information about monetary policy, supervisory stress tests and other key functions at the Fed.
The report notes that a then-Fed employee had been providing sensitive information from the Board of Governors and the Federal Open Market Committee — the Fed's monetary policy-setting arm — to a Chinese security and intelligence operative for years.
The former staffer, John H. Rogers, 64, of Vienna, Virginia, was sentenced to 38 months in prison this week for lying to OIG investigators about his information-sharing activities, according to a
Rogers, who worked as a senior advisor for the Board of Governors from 2010 to 2021, hand-delivered and emailed information about Fed's interest rate decisions to Chinese state actors between 2017 and his retirement from the Fed in 2021.
The report also points to a 2018 episode, when confidential brief books prepared for nominees to the Board of Governors were shared with outsiders, resulting in sensitive forecasts and economic analyses circulating outside the central bank.
The most recent incident cited occurred in 2022. An employee who had recently given notice about intentions to resign triggered more than 8,000 data loss prevention alerts after uploading 45 gigabytes of data — the equivalent of around 15,000 digital photos — to an unsecured cloud server over the course of a month. The Fed's information technology, legal and records management teams opted to take no action against the employee. After the concerns were raised, the employee continued to transmit data outside, including to "various recipients in China."
International travel reporting was another deficiency highlighted in the report. While the Fed monitors the movements of employees with security clearance — about 12% of the overall board staff — it does not do so for employees that handle sensitive FOMC information or those that deal with confidential supervisory information, 39% and 56% of the workforce, respectively.
The report notes that the Fed Board's practices fall short on several fronts. It has not identified its critical assets, it lacks a centralized program for managing insider risk, it fails to share information in a consistent and timely manner, it has no comprehensive policies and procedures for managing insider risks, and it does not have consistent training requirements on counterintelligence and security principles across its existing programs.
Instead, the Fed has taken a balkanized approach to risk management, one that enables each of its various divisions to set their own best practices and procedures. The current risk management is also a result of the various divisions being developed independently to address distinct responsibilities, the report states.
The OIG makes nine recommendations to address these shortcomings. Collectively, they call for a more centralized and more explicitly defined approach to risk management, one that outlines unified objectives and procedures. It also calls for the Fed to train and designate staff members as insider risk analysts and requires all board personnel to go through annual training.
As is typical, the OIG disclosed its findings to the Fed before releasing the report publicly. The central bank concurred on all of the inspector's findings and recommendations. In a letter to the OIG, Winona Varnon, the Fed Board's chief operating officer, said the agency is already working on implementing the changes called for.
"We are proud of the work accomplished by our Intelligence, Insider Risk, and National Security Programs team," Varnon wrote. "We realize we have additional work to enhance the IRM program's ability to more effectively identify and manage risks to the board's information and assets."










