OIG Audit Report – FAA Civil Aviation Registry Lacks Information Needed for Aviation Safety and Security Measures
Due to congressional concerns over aviation safety and the security of sensitive information, the Office of Inspector General released an Audit Report (the “Report”) of the Federal Aviation Administration’s Civil Aviation Registry (the “Registry”) on June 27, 2013. Located in Oklahoma City, Oklahoma, the Registry is responsible for maintaining two databases, one for registration and the recording of qualifying documents relating to civil aircraft registered in the U.S., and a second database used for maintaining information relating to airmen and the licensing of pilots. In evaluating whether (1) aircraft registrations and pilot certifications include the necessary information for the FAA to ensure aviation safety, (2) security controls exist to protect sensitive information from unauthorized access, and (3) sufficient contingency plans are in place to recover the Registry after an emergency, the Report is highly critical of current Registry procedure.
Incomplete registration information is a major concern of the Report. Specifically, the Report found incomplete information on beneficial owners and operators in fifty-four percent of registrations made in the name of non-U.S. citizen trusts, a device by which an aircraft is owned by a U.S. citizen entity for the benefit of a non-citizen. Under the Chicago Convention, the FAA has a duty to provide information relating to the owners and operators of aircraft to foreign aviation authorities upon request. While the Report refers to the identity of beneficial owners and operators as “registration information,” it should be noted that the Registry is an owner registry rather than an operator registry. Under current FAA regulations, all documents establishing and effecting trusts must be submitted, but no document is required to identify the operator of an aircraft. In this regard, the Report is requesting a significant change in the Registry’s procedure.
Outdated servers, unencrypted personally identifiable information (“PII”), and a lack of quality control requirements leave information contained in the Registry vulnerable to unauthorized access. This is particularly problematic for the airmen registry, as it contains addresses, social security numbers and medical information of each licensed pilot. The Report also finds troubling the lack of an offsite contingency plan that would allow the Registry to resume operations after a shut-down. While the FAA is required by Department of Transportation policy to establish an alternative processing site, the Report notes that currently the FAA only makes phone calls to ensure key personnel may be reached during an emergency shut-down of the Registry.
To better fulfill the DOT’s primary mission of safety, the Report provides eight specific recommendations for the Registry to improve the collection and protection of necessary and sensitive information. While the FAA concurs, or partially concurs, with each recommendation, the OIG has left four recommendations open based on the FAA’s responses. Of particular note, the Report disagrees that the FAA’s recent policy clarification on registration in the name of non-citizen trusts ensures the FAA has the information needed to comply with international law. The FAA’s policy clarification states that trustees, upon the FAA’s request, should provide information regarding operators and beneficial owners within a set timeline. The OIG, however, believes this information should be gathered at the time of registration. At this time, all corrective action of the Registry is subject to follow up by the OIG.