AMERICAN BANKERS ASSOCIATION
July 23, 2004
Jennifer J. Johnson, Secretary Board of Governors of the Federal Reserve System 20th Street and Constitution Avenue, N.W. Washington, DC 20551
Office of the Comptroller of the Currency 250 E Street, S.W. Public Reference Room, Mail Stop 1-5 Washington, DC 20219
Robert E. Feldman, Executive Secretary Attention: Comments Federal Deposit Insurance Corporation 550 17th Street, N.W. Washington, DC 20429
Regulation Comments Chief Counsel’s Office Office of Thrift Supervision 1700 G Street, N.W. Washington, DC 20552 Attention No. 2004-26
Re: Proper Disposal of Consumer Information Under the Fair and Accurate Credit Transactions Act of 2003, OCC Docket No. 04-13; FRB Docket No. R-1199; FDIC RIN 3064-AC77; OTS No. 2004-26; 69 Federal Register 31913 (June 8, 2004)
Dear Sir or Madam:
The American Bankers Association (“ABA”) offers the following comments on the interagency proposal to implement section 216 of the Fair and Accurate Credit Transactions Act of 2003 (“the FACT Act”) by amending the Interagency Guidelines Establishing Standards for Safeguarding Customer Information (“Guidelines”). The proposal would require each financial institution to include as part of its information security program appropriate measures to properly dispose of consumer information derived from consumer reports to address the risks associated with identity theft.
The ABA brings together all elements of the banking community to represent the interests of this rapidly changing industry. Its membership – which includes community, regional, and money center banks and holding companies, as well as savings associations, trust companies, and savings banks – makes ABA the largest banking trade association in the country.
The ABA and its membership have long been active in the battle to prevent identity theft. In June 2000, the ABA Task Force on Responsible Use of Customer Information developed voluntary guidelines that reaffirmed the industry's commitment to maintaining the confidentiality and security of customer data. In the same period, ABA published its Communications Kit for Identity Theft to assist member efforts to promote the sensible and secure handling and disposal of financial information among bank employees and their customers. In 2002, ABA released its Safeguarding Customer Information Toolbox, a member service to guide banks through the process of assessing information security risks and establishing appropriate policies and controls to manage those risks and protect customer information.
The ABA supports this proposal as a flexible and sound method for achieving appropriate disposal of consumer information consistent with the banking industry’s commitment to safeguard an individual’s sensitive financial information and combat the risks of identity theft that threaten both consumers and their banks. We recognize and endorse the agencies’ efforts to integrate the obligations mandated by section 216 of the FACT Act within the established Guidelines that govern the implementation of industry customer information systems. By incorporating the consumer information disposal requirements within the Guidelines, the agencies’ proposal fosters the adoption of a comprehensive and secure information disposal program, while avoiding undue regulatory burden that could otherwise result from imposing separate standards independent from the existing guidance regimen. ABA applauds this integrated approach.
We comment more specifically below on certain features of the proposal.
Personally Identifiable Records
The ABA considers the proposal’s inclusion of the requirement that any record of consumer information be “about an individual” to be vital to properly tailoring the Guidelines to the information security risks relevant to guarding against identity theft. As explained in the preamble, a record is not “about an individual,” if “it does not identify a particular consumer.” This element of the definition of consumer information is essential to drawing the necessary operational lines for staff to follow to distinguish between information whose disposal does or does not contribute to the risk of identity theft. This requirement also ensures parallel treatment by the Guidelines of customer information and consumer information, because both will be predicated on the concept of being personally identifiable.
Accordingly, ABA recommends that the Guidelines’ definition of consumer information explicitly incorporate the requirement of “personally identifiable” in addition to the qualification that a record be “about an individual.” The current definition of customer information contains a similar emphasis by using both the description “nonpublic personal information as defined in [§XXX.3(n)]” and the qualifying phrase “about a customer.” The regulatory definition of “nonpublic personal information” expressly requires such information to be “personally identifiable.” See, e.g., 12 C.F.R. §40.3(n)(1)(i). It is therefore consistent with the existing definition of customer information in the Guidelines to have the parallel definition of consumer information expressly include both modifiers: “personally identifiable” and “about an individual.” Consequently, ABA urges the agencies to change the proposed definition to begin as follows: “Consumer information means any personally identifiable record about an individual, …” Making this insertion in the final rule will clarify the agencies’ intent as expressed in the preamble, underscore the identity theft prevention goals of section 216 of the FACT Act, and realize the statutory direction to ensure that information security requirements under GLBA and the FACT Act are consistent.
Information from Consumer Reports
The agencies solicit comment on the definition’s use of the statutorily required phrase “derived from [a] consumer report[s]” as applied by examples in the preamble. ABA understands that the point of the examples and commentary is to capture as consumer information personally identifiable records that (i) contain information extracted from a consumer report, (ii) combine information from a consumer report with information from other sources, and (iii) have lost their legal status as consumer reports by operation of affiliate sharing after opt-out under FCRA. ABA considers this scope to be a reasonable application of the statute’s intent in using “derived from consumer reports.”
ABA is concerned that the concept of “derived from consumer reports” could be applied to information that is so manipulated and removed from the sensitive information contained in the reports themselves as to have no relation to the legislation’s underlying purpose to prevent the compromise and misuse of a consumer’s identity. Exactly where this boundary may be is difficult to ascertain. As long as the revised Guidelines continue to couple consumer information with the risk assessment and control process for the disposal of customer information, ABA expects that agency examination for compliance with the Guidelines will be predicated on a prudent risk-based judgment of the scope of information considered “derived from consumer reports.”
Proper Disposal
The proposal seeks comment on whether the use of “proper disposal” is sufficiently clear. ABA supports the proposed use of the term “proper disposal” in the revised Guidelines without further specification. The existing Guidelines have operated effectively without greater specification of the term “disposal.” There is no demonstrated reason to devise a more detailed definition that could spawn interpretive confusion and the regulatory burden that often results from additional verbiage. Indeed, the Federal Trade Commission’s proposed disposal rule illustrates the hazard. By including within its definition of disposal “the sale, donation, or transfer of any medium … upon which computer information is stored,” the FTC opened the door to comments seeking to dispel the notion that “disposal” included the sale, donation or transfer of consumer information itself, as opposed to the sale or transfer of the hardware that effectuated a disposal of the electronic records previously contained on such hardware. Accordingly, ABA supports the proposed simple reference to “proper disposal” as being adequate for the affected parties to understand the intended application.
Effective Date
ABA agrees with the agencies’ assumption that banks are already disposing of consumer information appropriately. Nevertheless, procedures that are formally described to comply with the existing Guidelines may require changes that expressly include the controls designed to cover consumer information as well as customer information. Updates to the formal systems, controls and audit protocols to incorporate the scope of “consumer information” must compete for implementation resources with other operational changes. Mandating satisfaction of the revised Guidelines within 90 days of Federal Register publication may defy the ability of some institutions that need to make requisite formal changes to their programs, even when their current disposal practices are sufficiently protective. In addition, under the proposed amendment to paragraph III of the existing Guidelines, an institution is required (as described in the preamble) to “broaden the scope of its risk assessment to include the assessment of the reasonably foreseeable internal and external threats associated with the methods it uses to dispose of ‘consumer information,’ and adjust its risk assessment in light of the relevant changes relating to such threats.” Such an evaluation does not occur overnight, even when the existing practices for information disposal are in reality broad enough to properly dispose of both consumer and customer information. Accordingly, ABA urges the agencies to allow 180 days for achieving compliance with the revised Guidelines. This modest extension of the compliance deadline will not undermine or impede the disposal practices that are already in place to protect consumer information throughout the banking industry.
Exemption Authority
ABA strongly urges all agencies to coordinate their exercise of jurisdiction under section 216 of the FACT Act to eliminate any discrepancy in disposal requirements, duplicative oversight, or enforcement redundancy with respect to the application of their respective final rules. Redundant regulation imposes undue compliance burdens on institutions by exposing them to conflicting oversight processes. For example, there is no reason for the FTC to apply its disposal rule to financial institutions that are subject to the banking agencies’ Guidelines. The banking industry is closely supervised for its information security systems through periodic examinations, while there are whole industries subject to FTC jurisdiction alone that have no similar comprehensive oversight. It is a misapplication of limited regulatory resources for the banking industry to be subject to unnecessary concurrent regulation. Despite well-intended efforts by the responsible agencies to coordinate regulatory text, the need for compliance officers to monitor another agency’s rule or interpretive guidance for consistency with the bank’s or savings association’s primary supervisor is an undue burden and a waste of valuable time when there are so many rules and regulations that deserve attention. Banks or savings associations whose subsidiaries or affiliates are subject to the Guidelines should be exempt from any overlapping regulatory jurisdiction under the authority provided in section 216(a)(3) of the FACT Act. Accordingly, ABA asks that the Federal banking agencies work with their sister financial regulators to implement corresponding exemptions to eliminate redundant regulatory regimes.
Conclusion
In conclusion, ABA supports the agencies’ proposal to integrate the FACT Act protections for disposal of consumer information into the established Guidelines for Safeguarding Customer Information and encourages them to adopt the improvements to their proposal recommended by these comments.
We believe that the track record of the ABA, its members, and the banking industry at large demonstrates the commitment of America’s bankers to protect the confidentiality of consumer credit information and to guard against the real threat of identity theft.
Respectfully submitted,
Richard R. Riese
Senior Compliance Counsel