Recommendations Database
GAO’s recommendations database contains report recommendations that still need to be addressed. GAO’s priority recommendations are those that we believe warrant priority attention. We sent letters to the heads of key departments and agencies, urging them to continue focusing on these issues. Below you can search only priority recommendations, or search all recommendations.
Our recommendations help congressional and agency leaders prepare for appropriations and oversight activities, as well as help improve government operations. Moreover, when implemented, some of our priority recommendations can save large amounts of money, help Congress make decisions on major issues, and substantially improve or transform major government programs or agencies, among other benefits.
As of October 25, 2020, there are 4812 open recommendations, of which 473 are priority recommendations. Recommendations remain open until they are designated as Closed-implemented or Closed-not implemented.
Browse or Search Open Recommendations
Have a Question about a Recommendation?
- For questions about a specific recommendation, contact the person or office listed with the recommendation.
- For general information about recommendations, contact GAO's Audit Policy and Quality Assurance office at (202) 512-6100 or apqa@gao.gov.
Results:
Subject Term: "Financial services"
GAO-20-631, Sep 17, 2020
Phone: (202) 512-9342
Agency: Department of the Treasury
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of the Treasury
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
GAO-20-299, Feb 25, 2020
Phone: (202) 512-6240
Agency: Department of Commerce: National Institute of Standards and Technology: Office of the Director
Status: Open
Comments: In written comments provided in July 2020, the Department of Commerce (Commerce) stated that it agreed with our recommendation. It noted that to further establish its Cybersecurity Measurement program, the National Institute of Standards and Technology (NIST) will document its Cybersecurity Measurement program's scope, objectives, and approach, including an inventory of existing measurement resources. Additionally, to further amplify small business awareness of cybersecurity, and of the Cybersecurity Framework, it noted that NIST will develop and publish two Cybersecurity Framework starter profiles tailored toward risk management of business processes important to small business owners. The expected completion date is September 2020.
Agency: Department of Agriculture
Status: Open
Comments: In written comments provided in April 2020, the United States Department of Agriculture (USDA) stated that it concurred with our recommendation. The department stated that it routinely shared framework guidance provided by the Department of Homeland Security and discussed the framework as part of its monthly Sector conference calls and biannual Sector Meetings. It also added that the department will continue to strengthen its coordination efforts.
Agency: Department of Defense: Office of the Secretary of Defense
Status: Open
Comments: In written comments provided in July 2020, the Department of Defense concurred with our recommendation. The department noted that it had developed processes and resources to help determine the type of framework adoption across the Defense Industrial Base. These include conducting assessments on the implementation of NIST Special Publication (SP) 800-171, "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations," and releasing the Defense Industrial Base Implementation Guide for the NIST Cybersecurity Framework. However, the department has yet to report on sector-wide improvements using these processes and resources. Until it does so, its critical infrastructure sector may not fully understand the value of the framework to better protect its critical infrastructure from cyber threats. The expected completion dates are in September and November 2020.
Agency: Department of Energy: Office of the Secretary
Status: Open
Comments: In written comments provided in February 2020, the Department of Energy (DOE) stated that it partially agreed with our recommendation. It noted that DOE will coordinate with the Energy Sector to develop an understanding of sector-wide improvements from use of the framework. The expected completion date is December 2021.
Agency: Environmental Protection Agency
Status: Open
Comments: In written comments provided in July 2020, the Environmental Protection Agency (EPA) stated that it agreed with our recommendation. It noted that it will consult with the Water Sector Coordinating Council, the Department of Homeland Security, and the National Institute of Standards and Technology, as appropriate, to investigate options to collect and report sector-wide improvements, consistent with statutory requirements and the Sector's willingness to participate. However, the department did not provide a timeframe for completing these actions.
Agency: General Services Administration: Office of the Administrator
Status: Open
Comments: In April 2020, the General Services Administration (GSA), in coordination with its co-SSA, the Department of Homeland Security (DHS), provided documentation demonstrating that it had initiated steps to collect and report on sector-wide improvements from use of the NIST Cybersecurity Framework across its critical infrastructure sector. Specifically, the agencies from the government sector had submitted their risk management reports to DHS and OMB that described agencies' action plans to implement the framework, as required under Executive Order 13800, and evaluated the agencies against the five functions of the NIST Cybersecurity Framework: Identify, Detect, Protect, Respond, and Recover. The risk management reports are included as part of OMB's FISMA Annual Report to Congress. According to OMB's FISMA Annual Report to Congress, OMB and DHS determined that 71 of 96 agencies (74 percent) have cybersecurity programs that are either at risk or high risk. As a result, improvements were identified in the form of four core actions in the Federal Cybersecurity Risk Determination Report and Action Plan, which include: (1) Implement the Cyber Threat Framework to increase cybersecurity threat awareness among Federal agencies, (2) Standardize IT and cybersecurity capabilities, (3) Consolidate agency SOCs to improve incident detection and response capabilities, and (4) Drive accountability across agencies through improved governance processes, recurring risk assessments, and OMB's engagements with agency leadership. We are waiting for additional information from GSA and DHS on the status of the four core actions.
Agency: Department of Health and Human Services: Office of the Secretary
Status: Open
Comments: In written comments provided in January 2020, the Department of Health and Human Services (HHS) stated that it concurred with our recommendation. The department noted that it would work with the appropriate entities to refine and communicate best practices to the sector.
Agency: Department of Homeland Security: Office of the Secretary
Status: Open
Comments: In written comments provided in February 2020, the Department of Homeland Security (DHS) stated that it agreed with our recommendation. It noted that in coordination with the IT Sector Coordinating Council, the department recently issued a survey to small and mid-sized IT sector partners to better understand framework adoption and use within the IT sector. Once the results of the survey are received, DHS's Cybersecurity and Infrastructure Security Agency will determine the feasibility of issuing similar surveys to other sectors, and the potential timelines for completing sector-specific survey modifications, issuing surveys, compiling responses, and developing white papers on the status of framework adoption for each sector. The department expects completion of this work by December 31, 2021.
Agency: Department of Transportation: Office of the Secretary
Status: Open
Comments: In written comments provided in April 2020, the Department of Transportation (DOT) stated that it concurred with our recommendation. It noted that the department (through the Office of the Secretary, Office of Intelligence, Security, and Emergency Response) and the Department of Homeland Security (through the Transportation Security Administration and United States Coast Guard) will coordinate as Co-Sector-Specific Agencies for the Transportation Systems Sector to finalize the development and distribution of a survey instrument to determine the level and type of framework adoption in the Sector. The department expects completion of this work by December 31, 2021.
Agency: Department of the Treasury: Office of the Secretary
Status: Open
Comments: In written comments provided in January 2020, the Department of the Treasury (Treasury) stated that it agreed with our recommendation. The department noted that it will assess using the identified initiatives and their viability for collecting and reporting sector-wide improvements from the use of the NIST Framework. The department did not provide a timeframe for completing these actions.
GAO-20-115, Dec 19, 2019
Phone: (202) 512-8678
Agency: United States Securities and Exchange Commission
Status: Open
Comments: As of May 2020, SEC updated its Reference Guide for Compliance with Section 961 of the Dodd-Frank Act to require the Division of Corporation Finance, Division of Enforcement, Office of Compliance Inspections and Examinations, and Office of Credit Ratings to develop and maintain written policies and processes for conducting systematic assessments of the effectiveness of procedures applicable to the staff who perform examinations of registered entities, enforcement investigations, and reviews of corporate financial securities filings. The added requirement for each division and office to develop policies and processes is a positive step toward addressing this recommendation. However, until the divisions and offices establish such policies and processes, this recommendation remains open. SEC staff stated that the divisions and offices are currently working on developing their individual frameworks for assessing staff procedures and will likely be done by the end of fiscal year 2020. We will continue to monitor these efforts.
Agency: United States Securities and Exchange Commission: Division of Corporation Finance
Status: Open
Comments: As of May 2020, SEC staff said that the Division of Corporation Finance is working to address this recommendation through its normal Risk and Control Matrix review process. Staff said that SEC would have an update for GAO in the fall of 2020. We will update the status of the recommendation when the Division of Corporation Finance provides documentation showing the implementation of responsive actions.
Agency: United States Securities and Exchange Commission: Division of Enforcement
Status: Open
Comments: As of May 2020, SEC staff said that the Division of Enforcement is working to address this recommendation through its normal Risk and Control Matrix review process. Staff said that SEC would have an update for GAO in the fall of 2020. We will update the status of the recommendation when the Division of Enforcement provides documentation showing the implementation of responsive actions.
Agency: United States Securities and Exchange Commission: Office of Compliance Inspections and Examinations
Status: Open
Comments: As of May 2020, SEC staff said that the Office of Compliance Inspections and Examinations is working to address this recommendation through its normal Risk and Control Matrix review process. Staff said that SEC would have an update for GAO in the fall of 2020. We will update the status of the recommendation when the Office of Compliance Inspections and Examinations provides documentation showing the implementation of responsive actions.
Agency: United States Securities and Exchange Commission: Office of Credit Ratings
Status: Open
Comments: As of May 2020, SEC staff said that the Office of Credit Ratings is working to address this recommendation through its normal Risk and Control Matrix review process. Staff said that SEC would have an update for GAO in the fall of 2020. We will update the status of the recommendation when the Office of Credit Ratings provides documentation showing the implementation of responsive actions.
GAO-20-85, Nov 13, 2019
Phone: (202) 512-2834
Agency: Department of Transportation
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Homeland Security
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
GAO-18-254, Mar 22, 2018
Phone: (202) 512-8678
including 2 priority recommendations
Agency: Consumer Financial Protection Bureau
Status: Open
Comments: In a May 2018 letter, the Acting Director of the Bureau stated that the Bureau has previously issued principles that include reasonable and practical means for consumers to dispute and resolve instances of unauthorized payments conducted in connection with or as a result of authorized or unauthorized data sharing access. The letter notes that the Bureau is committed to monitoring developments in data aggregation markets and will continue to assess how the Bureau's consumer protection principles may be best realized, including engaging in discussions with other relevant federal and state financial regulators. In October 2018, Bureau staff advised us that they made a presentation on existing consumer protections that would appear to be applicable to consumers using data aggregators at the June 28, 2018 meeting of the Fintech Interagency Discussion Group, which includes OCC, the Federal Reserve, the Federal Deposit Insurance Corporation, and the National Credit Union Administration. They noted they are monitoring private sector efforts related to resolving data aggregation issues and that additional discussions among the regulators about these issues will be held in the future. We will recontact the agency in the future to obtain information on additional actions it has taken. In January 2020, GAO met with CFPB to discuss the recommendation and potential outcomes that could close the recommendation. CFPB officials stated that they will be hosting a public forum on data aggregation in February 2020. They noted that results from the public forum could include action related to the data aggregation recommendation.
Agency: Federal Reserve System: Board of Governors
Status: Open
Priority recommendation
Comments: In a May 2018 letter, the Chair of the Federal Reserve Board noted that the Federal Reserve recognizes the importance of working together to determine how best to encourage socially beneficial innovation in the marketplace, while ensuring that consumers' interests are protected. The letter noted that the Federal Reserve staff have been meeting with other regulators and industry participants. The Chair states that the Federal Reserve will continue to facilitate and engage in collaborative discussions with other relevant financial regulators in these and other settings to help market participants address the important issues surrounding reimbursement for consumers who use financial account aggregators and experience unauthorized transactions. In October 2018, Federal Reserve staff advised us that issues related to data aggregation were discussed at a June 28, 2018 meeting of the Fintech Interagency Discussion Group, which includes OCC, the Federal Reserve, the Federal Deposit Insurance Corporation, the National Credit Union Administration, and the Consumer Financial Protection Bureau. They noted that they are monitoring private sector efforts related to resolving data aggregation issues and expect to hold additional discussions among the regulators about these issues in the future. In March 2019, the agency noted that it continues to collaborate on this issue. As of February 2020, the agency had no further updates on this recommendation. We plan to follow up with Federal Reserve staff to obtain updates on these efforts in the future.
Agency: Federal Deposit Insurance Corporation
Status: Open
Priority recommendation
Comments: In November 2018, FDIC staff confirmed that they have engaged in collaborative discussions with other relevant financial regulators regarding issues related to consumers' use of account aggregation services and associated liability issues. We followed up in April 2019 and they confirmed that their collaboration had yet to produce outcomes that would satisfy the recommendation.
Agency: National Credit Union Administration
Status: Open
Comments: In July 2018, NCUA staff indicated that staff from their agency had recently participated in a discussion forum with other federal regulators and other stakeholders on fintech, and, in particular, account aggregation challenges. They stated that they intend to continue to engage other regulators and related industry stakeholders on fintech topics and emerging technology that can have an impact on credit unions and their consumers. In October 2018, NCUA staff advised us that they have been discussing issues related to data aggregation at meetings of the Fintech Interagency Discussion Group, which includes OCC, the Federal Reserve, the Federal Deposit Insurance Corporation, the National Credit Union Administration, and the Bureau of Consumer Financial Protection. In November 2019, NCUA staff said that the agency continues to participate in meetings through the Fintech Interagency Discussion Group and had taken part in a Data Symposium held by the San Francisco Federal Reserve. We plan to follow up with NCUA staff to obtain updates on these efforts and resulting outcomes in the future.
Agency: Department of the Treasury: Office of the Comptroller of the Currency
Status: Open
Comments: In a May 2018 letter, OCC noted that its staff have met with the other banking regulators and with market participants about account aggregation issues in the past. In October 2018, OCC staff advised us that issues related to data aggregation were discussed at a June 28, 2018 meeting of the Fintech Interagency Discussion Group, which includes OCC, the Federal Reserve, the Federal Deposit Insurance Corporation, the National Credit Union Administration, and the Bureau of Consumer Financial Protection. We followed up in January 2020 and they confirmed that their collaboration had yet to produce outcomes that would satisfy the recommendation. We plan to follow up with OCC staff to obtain updates on these efforts in the future.
Agency: National Credit Union Administration
Status: Open
Comments: NCUA officials told us that in August 2018 the agency established a working group to formally evaluate the feasibility of establishing a dedicated work unit to oversee and lead fintech and innovation efforts, including creating a website and monitoring a dedicated e-mail account. NCUA officials indicated that as of November 2019 the working group was deliberating key considerations related to establishing a dedicated work unit. We plan to follow up with NCUA staff to obtain updates on these efforts in the future.
Agency: Federal Reserve System: Board of Governors
Status: Open
Comments: In a May 2018 letter, the Chair of the Federal Reserve Board noted that the Federal Reserve recognizes the importance of formally increasing its knowledge base related to financial innovation. The letter noted that the Federal Reserve has recently organized two nationwide teams of experts tasked with monitoring fintech and related emerging technology trends as they relate to its supervisory and payment system mandates, respectively. These new teams include representation from all of the Federal Reserve System's Reserve Banks and have leadership from Board staff. These teams' critical objectives include ensuring that fintech-related information is shared across the Federal Reserve System and is used to inform relevant supervisory, policy, and outreach strategies. As of February 2020, the agency had no updates on this recommendation. We plan to follow up with Federal Reserve staff to obtain updates on these efforts in the future.
Agency: Commodity Futures Trading Commission
Status: Open
Comments: We followed up in January 2020 and CFTC described its efforts to address this recommendation, which were encouraging. We are awaiting documentation of these efforts and when we confirm the agency's actions, we will provide updated information.
Agency: National Credit Union Administration
Status: Open
Comments: NCUA officials told us that, as of November 2019, the internal working group that the agency established in August 2018 was evaluating the feasibility and benefits of adopting certain knowledge-building initiatives related to financial innovation. Specifically, the working group was assessing initiatives such as stakeholder outreach, research and collaboration opportunities, grants and other technical assistance, and existing supervisory tools. We plan to follow up with NCUA staff to obtain updates on these efforts in the future.
GAO-18-256, Jan 30, 2018
Phone: (202) 512-8678
Agency: Federal Reserve System
Status: Open
Comments: In June 2019, Federal Reserve staff told us that they continue to review their policies and procedures to ensure compliance with RFA requirements. While Federal Reserve staff said that they use an RFA handbook developed by the SBA Office of Advocacy to support their analyses, the Federal Reserve has not made changes to its policies and procedures based on our recommendations. Until the Federal Reserve develops and implements RFA policies and procedures consistent with the recommendation, it remains open.
Agency: Commodity Futures Trading Commission
Status: Open
Comments: In June 2019, CFTC staff told us that they formed a working group to enhance the agency's implementation of RFA requirements. While this working group has begun drafting compliance procedures for RFA reviews, the procedures are incomplete and CFTC staff said the agency will have to finish updating the "small entity" definition before it can complete these procedures. CFTC staff told us that the working group has focused much of its work on updating the agency's definition of "small entity" because the definition was outdated. The identification of "small entity" is an important preliminary step for RFA analysis. CFTC staff do not expect to publish a proposal to amend the "small entity" definition until summer 2020. Until CFTC finalizes and implements the new procedures for RFA reviews, this recommendation remains open.
Agency: United States Securities and Exchange Commission
Status: Open
Comments: In March 2019, SEC provided us with supplemental policies and procedures it developed for compliance with the Regulatory Flexibility Act (RFA), including section 610 reviews. The procedures require staff to publish on SEC's website a notice that section 610 reviews have been completed and, if the agency plans any further actions, a published RFA agenda would so indicate. Although these notices communicate with interested entities about the status of ongoing as well as completed section 610 reviews, they will not include any details about the basis for SEC's conclusions during the review. Therefore, they do not fully implement GAO's recommendation, which remains open.