- Key insight: Audits of both the Federal Reserve Board and the Consumer Financial Protection Bureau found each agency's security systems had declined.
- What's at stake: The findings come at a time when banks face an unprecedented wave of sophisticated cyber threats, raising questions about data protection.
- Forward look: The OIG also found lag times and operational inefficiencies in the Fed's processing times for bank applications.
The Federal Reserve Board and Consumer Financial Protection Bureau both have information security programs that are no longer effective, a government watchdog has found.
On Monday, the Office of the Inspector General released its
The OIG said that it completed its annual information security audits for both the board and the CFPB and "found that each agency's program is no longer effective." The OIG issued "multiple recommendations to each agency to strengthen" their respective programs.
The Federal Reserve Board's information security program dropped from a level-4 rating in 2024 that signified "managed and measurable" status, to a level-3 rating in 2025, according to the OIG. Inspectors highlighted critical vulnerabilities within the central bank's framework, specifically pointing to inadequate security controls for mobile phones and systemic gaps in safeguarding confidential supervisory information — the highly sensitive data gathered during bank examinations.
The loss or misuse of confidential supervisory information "could result in significant legal, reputational, or financial risk to the Fed, the Reserve Banks, financial institutions, and individuals," the OIG said. "Users have more access to sensitive information than appears to be warranted based on their specific financial institution examination assignments, which is inconsistent with board policy and a key information security principle."
While the Fed's downgrade raised immediate concerns, the situation at the CFPB was described as far more severe. The bureau's information security "maturity" rating dropped two levels, from a level-4 to a level-2 due to numerous issues. The OIG report was signed by Inspector General Michael E. Horowitz.
The OIG's audit flagged glaring compliance and security omissions, including unmaintained system authorizations, a lack of structured risk analysis within cybersecurity memorandums, and the continued operation of outdated software that leaves the agency vulnerable to external attacks.
The OIG's findings should raise questions in Congress over how both agencies manage their internal operations and
The House Financial Services Committee and banking leaders are increasingly questioning regulators specifically about how the central bank plans to mitigate the
Beyond the immediate cybersecurity threats, the OIG report also exposed deep operational inefficiencies at the Federal Reserve Board regarding a core regulatory duty: processing times for all banking application types, including critical requests for bank mergers and acquisitions.
The operational slowdown occurred despite the Fed's 2022 rollout of the so-called "FedEZFile," a cloud-based technology platform explicitly designed to streamline the filing and processing of banking applications. FedEZFile, launched in 2022, serves as the central electronic system for submitting filings related to mergers, acquisitions and changes in bank control.
Compounding the problem, the OIG revealed that the Fed currently suffers from severe data-tracking deficiencies. The Fed does not capture or analyze sufficient metrics to isolate why delays are happening. Without granular tracking data, officials are unable to pinpoint the root causes of the bottlenecks, rendering them effectively unequipped to implement meaningful internal reforms or resolve the ongoing bureaucratic gridlock, the OIG report stated.
"Processing times across all [bank] application types increased between 2021 and 2024," the OIG said in the report. "We believe that tracking and documenting key internal milestones in FedEZFile and enhancing monitoring capabilities can help the Board develop solutions that result in a more efficient and timely applications process."
