I don's recall that the interagency guidelines say anythign specific about this, but it is good policy to keep all sensitive information locked when employees aren;t around to guard it. At a bank I formerly worked at, it was required to lock everything, including our rolodex! Mainly, it is to prevent service providers who come in nightly after business hours from gettign information or even spying. I know these vendors must sign privacy contracts, but you would not want to temp them either.