The Fed and CFPB’s OIG recently released its semiannual report to Congress, covering the period from October 1, 2025, to March 31, 2026. The OIG found that the information security programs at both agencies are “no longer effective.” According to the report, the Fed’s program dropped from a level-4 maturity rating (“managed and measurable”) to level-3 (“consistently implemented”), due in part to purported issues with mobile device security and the protection of confidential supervisory information. The CFPB’s program fell two levels to a level-2 maturity rating (“defined”), with the OIG citing problems related to authorizations, continuous monitoring, and outdated software. The OIG issued multiple recommendations to each agency to address these deficiencies.

The report also found that processing times for banking applications at the Fed increased across all application types between 2021 and 2024, rising approximately 11 percent overall and roughly 40 percent for small community bank mergers and acquisitions, despite the launch of “FedEZFile” in 2022 as a filing and tracking tool to streamline the applications process. The report recommended that the Fed document key internal milestones and strengthen its monitoring capabilities to improve efficiency. The OIG also identified concerns regarding access to confidential supervisory information in the Fed’s “OASIS” platform, finding that users have broader access to sensitive data than warranted by their examination assignments. Finally, the OIG reported that its investigative office produced 6 arrests, 13 indictments, 20 convictions, and approximately $171.6 million in “civil judgments, forfeiture, criminal fines, restitution, and special assessments” during the reporting period.