[Federal Register: June 8, 2004 (Volume 69, Number 110)]
[Proposed Rules]
[Page 31913-31922]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr08jn04-23]
========================================================================
Proposed Rules
Federal Register
________________________________________________________________________
This section of the FEDERAL REGISTER contains notices to the public of
the proposed issuance of rules and regulations. The purpose of these
notices is to give interested persons an opportunity to participate in
the rule making prior to the adoption of the final rules.
========================================================================
[[Page 31913]]
DEPARTMENT OF THE TREASURY
Office of the Comptroller of the Currency
12 CFR Parts 30 and 41
[Docket No. 04-13]
RIN 1557-AC84
FEDERAL RESERVE SYSTEM
12 CFR Parts 208, 211, 222, and 225
[Docket No. R-1199]
FEDERAL DEPOSIT INSURANCE CORPORATION
12 CFR Parts 334 and 364
RIN 3064-AC77
DEPARTMENT OF THE TREASURY
Office of Thrift Supervision
12 CFR Parts 568, 570, and 571
[No. 2004-26]
RIN 1550-AB87
Proper Disposal of Consumer Information Under the Fair and
Accurate Credit Transactions Act of 2003
AGENCIES: Office of the Comptroller of the Currency, Treasury (OCC);
Board of Governors of the Federal Reserve System (Board); Federal
Deposit Insurance Corporation (FDIC); and Office of Thrift Supervision,
Treasury (OTS).
ACTION: Notice of proposed rulemaking.
-----------------------------------------------------------------------
SUMMARY: The OCC, Board, FDIC, and OTS (the Agencies) are requesting
comment on a proposal to implement section 216 of the Fair and Accurate
Credit Transactions Act of 2003 by amending the Interagency Guidelines
Establishing Standards for Safeguarding Customer Information. The
proposal would require each financial institution to develop,
implement, and maintain appropriate measures to properly dispose of
consumer information derived from consumer reports to address the risks
associated with identity theft. Each institution would be required to
implement these measures as part of its information security program.
DATES: Comments must be submitted on or before July 23, 2004.
ADDRESSES: Because the Agencies will jointly review all of the comments
submitted, you may comment to any of the Agencies and you need not send
comments (or copies) to all of the Agencies. Because paper mail in the
Washington area and at the Agencies is subject to delay, please submit
your comments by e-mail whenever possible.\1\ Commenters are encouraged
to use the title ``FACT Act Disposal Rule'' in addition to the docket
or RIN number to facilitate the organization and distribution of
comments among the Agencies. Interested parties are invited to submit
comments in accordance with the following instructions:
---------------------------------------------------------------------------
\1\ The Agencies do not edit personal, identifying information
such as names or e-mail addresses from electronic submissions.
Submit only information you wish to make publicly available.
---------------------------------------------------------------------------
OCC: You should designate OCC in your comment and include Docket
Number 04-13. You may submit comments by any of the following methods:
Federal eRulemaking Portal: http://www.regulations.gov.
Follow the instructions for submitting comments.
OCC Web site: http://www.occ.treas.gov. Click on ``Contact
the OCC,'' scroll down and click on ``Comments on Proposed
Regulations.''
E-mail address: regs.comments@occ.treas.gov.
Fax: (202) 874-4448.
Mail: Office of the Comptroller of the Currency, 250 E
Street, SW., Public Reference Room, Mail Stop 1-5, Washington, DC
20219.
Hand Delivery/Courier: 250 E Street, SW., Attn: Public
Reference Room, Mail Stop 1-5, Washington, DC 20219.
Instructions: All submissions received must include the agency name
(OCC) and docket number or Regulatory Information Number (RIN) for this
notice of proposed rulemaking. In general, the OCC will enter all
comments received into the docket without change, including any
business or personal information that you provide. You may review the
comments received by the OCC and other related materials by any of the
following methods:
Viewing Comments Personally: You may personally inspect
and photocopy comments received at the OCC's Public Reference Room, 250
E Street, SW., Washington, DC. You can make an appointment to inspect
comments by calling (202) 874-5043.
Viewing Comments Electronically: You may request e-mail or
CD-ROM copies of comments that the OCC has received by contacting the
OCC's Public Reference Room at regs.comments@occ.treas.gov.
Docket: You may also request available background
documents using the methods described earlier.
Board: You may submit comments, identified by Docket No. R-1199, by
any of the following methods:
Agency Web site: http://www.federalreserve.gov. Follow the instructions for
submitting comments at http://www.federalreserve.gov/generalinfo/foia/ProposedRegs.cfm.
Federal eRulemaking Portal: http://www.regulations.gov.
Follow the instructions for submitting comments.
E-mail: regs.comments@federalreserve.gov. Include docket
number in the subject line of the message.
FAX: 202/452-3819 or 202/452-3102.
Mail: Jennifer J. Johnson, Secretary, Board of Governors
of the Federal Reserve System, 20th Street and Constitution Avenue,
NW., Washington, DC 20551.
All public comments are available from the Board's Web site at
http://www.federalreserve.gov/generalinfo/foia/ProposedRegs.cfm as
submitted, except as necessary for technical reasons. Accordingly, your
comments will not be edited to remove any identifying or contact
information.
Public comments may also be viewed electronically or in paper in Room
MP-500 of the Board's Martin Building (20th and C Streets, NW.) between
9 a.m. and 5 p.m. on weekdays.
FDIC: You may submit comments, identified by RIN number by any of
the following methods:
Agency Web site: http://www.fdic.gov/regulations/laws/federal/propose.html.
Follow instructions for submitting comments on the Agency Web site.
E-mail: Comments@FDIC.gov. Include the RIN number in the
subject line of the message.
Mail: Robert E. Feldman, Executive Secretary, Attention:
Comments, Federal Deposit Insurance Corporation, 550 17th Street, NW.,
Washington, DC 20429.
Hand Delivery/Courier: Guard station at the rear of the
550 17th Street Building (located on F Street) on business days between
7 a.m. and 5 p.m.
Instructions: All submissions received must include the
agency name and RIN for this rulemaking. All comments received will be
posted without change to http://www.fdic.gov/regulations/laws/federal/propose.html
including any personal information provided.
Office of Thrift Supervision: You may submit comments, identified
by No. 2004-26, by any of the following methods:
Federal eRulemaking Portal: http://www.regulations.gov.
Follow the instructions for submitting comments.
E-mail: regs.comments@ots.treas.gov. Please include No.
2004-26 in the subject line of the message and include your name and
telephone number in the message.
Fax: (202) 906-6518.
Mail: Regulation Comments, Chief Counsel's Office, Office
of Thrift Supervision, 1700 G Street, NW., Washington, DC 20552,
Attention: No. 2004-26.
Hand Delivery/Courier: Guard's Desk, East Lobby Entrance,
1700 G Street, NW., from 9 a.m. to 4 p.m. on business days, Attention:
Regulation Comments, Chief Counsel's Office, Attention: No. 2004-26.
Instructions: All submissions received must include the agency name
and number or Regulatory Information Number (RIN) for this rulemaking.
All comments received will be posted without change to
http://www.ots.treas.gov/pagehtml.cfm?catNumber=67&an=1, including any
personal information provided.
Docket: For access to the docket to read background documents or
comments received, go to http://www.ots.treas.gov/pagehtml.cfm?catNumber=67&an=1.
In addition, you may inspect comments
at the Public Reading Room, 1700 G Street, NW., by appointment. To make
an appointment for access, call (202) 906-5922, send an e-mail to
public.info@ots.treas.gov, or send a facsimile transmission to (202)
906-7755. (Prior notice identifying the materials you will be
requesting will assist us in serving you.) We schedule appointments on
business days between 10 a.m. and 4 p.m. In most cases, appointments
will be available the next business day following the date we receive a
request.
FOR FURTHER INFORMATION CONTACT: OCC: Aida Plaza Carter, Director, Bank
Information Technology, (202) 874-4740; Amy Friend, Assistant Chief
Counsel, (202) 874-5200; or Deborah Katz, Senior Counsel, Legislative
and Regulatory Activities Division, (202) 874-5090.
Board: Donna L. Parker, Supervisory Financial Analyst, Division of
Supervision & Regulation, (202) 452-2614; Thomas E. Scanlon, Counsel,
Legal Division, (202) 452-3594; Minh-Duc T. Le or Ky Tran-Trong, Senior
Attorneys, Division of Consumer and Community Affairs, (202) 452-3667.
FDIC: Jeffrey M. Kopchik, Senior Policy Analyst, Division of
Supervision and Consumer Protection, (202) 898-3872; Kathryn M.
Weatherby, Examination Specialist, Division of Supervision and Consumer
Protection, (202) 898-6793; Robert A. Patrick, Counsel, Legal Division,
(202) 898-3757; Janet V. Norcom, Counsel, Legal Division, (202) 898-
8886.
OTS: Lewis C. Angel, Senior Project Manager, Technology Risk
Management, (202) 906-5645; Richard Bennett, Counsel (Banking and
Finance), Regulations and Legislation Division, (202) 906-7409; Paul
Robin, Special Counsel, Regulations and Legislation Division, (202)
906-6648.
SUPPLEMENTARY INFORMATION:
I. Introduction
Section 216 of the Fair and Accurate Credit Transactions Act of
2003 (FACT Act or the Act) adds a new section 628 to the Fair Credit
Reporting Act (FCRA), at 15 U.S.C. 1681w, that, in general, is designed
to protect a consumer against the risks associated with unauthorized
access to information about the consumer contained in a consumer
report, such as fraud and related crimes including identity theft.
Section 216 of the Act requires each of the Agencies to adopt a
regulation with respect to the entities that are subject to its
enforcement authority ``requiring any person that maintains or
otherwise possesses consumer information, or any compilation of
consumer information, derived from consumer reports for a business
purpose to properly dispose of any such information or compilation.''
Public Law 108-159, 117 Stat. 1985-86. The FACT Act mandates that the
Agencies ensure that their respective regulations are consistent with
the requirements issued pursuant to the Gramm-Leach-Bliley Act (GLB
Act) (Pub. L. 106-102), as well as other provisions of Federal law.
The Agencies propose amendments to the Interagency Guidelines
Establishing Standards for Safeguarding Customer Information
(Guidelines)\2\ to require financial institutions to implement controls
designed to ensure the proper disposal of ``consumer information''
within the meaning of section 216. In accordance with section 216 of
the Act, the Agencies have consulted with the Federal Trade Commission,
the National Credit Union Administration, and the Securities and
Exchange Commission to ensure that, to the extent possible, the rules
proposed by the respective agencies are consistent and comparable.
---------------------------------------------------------------------------
\2\ 12 CFR Parts 30, app. B (OCC); 208, app. D-2 and 225, app. F
(Board); 364, app. B (FDIC); 570, app. B (OTS). See 66 FR 8616 Feb.
1, 2001. Citations to the Guidelines omit references to titles and
publications and give only the appropriate paragraph or section
number.
---------------------------------------------------------------------------
II. Background
On February 1, 2001, the Agencies issued the Guidelines pursuant to
sections 501 and 505 of the GLB Act (15 U.S.C. 6801 and 6805). The
Guidelines establish standards relating to the development and
implementation of administrative, technical, and physical safeguards to
protect the security, confidentiality, and integrity of customer
information. The Guidelines apply to the financial institutions subject
to the Agencies' respective jurisdictions. As mandated by section
501(b) of the GLB Act, the Guidelines require each financial
institution to develop a written information security program that is
designed to: (1) Ensure the security and confidentiality of customer
information; (2) protect against any anticipated threats or hazards to
the security or integrity of such information; and (3) protect against
unauthorized access to or use of such information that could result in
substantial harm or inconvenience to any customer.\3\ The Guidelines
direct financial institutions to assess the risks to their customer
information and customer information systems and, in turn, implement
appropriate security measures to control those risks.\4\ For example,
under the risk-assessment framework currently imposed by the
Guidelines, each financial institution must evaluate whether the
controls the institution has developed sufficiently protect its
customer information from unauthorized access, misuse, or
alteration when the institution disposes of the information.\5\
---------------------------------------------------------------------------
\3\ Guidelines, II.B.
\4\ See generally III.B and III.C.
\5\ See 66 FR 8618 (``Under the final Guidelines, a financial
institution's responsibility to safeguard customer information
continues through the disposal process.'').
---------------------------------------------------------------------------
III. Proper Disposal of Consumer Information and Customer Information
The Agencies are proposing to amend the Guidelines to require each
financial institution to develop and maintain, as part of its
information security program, appropriate controls designed to ensure
that the institution properly disposes of ``consumer information.'' The
proposed amendments to the Guidelines generally would require a
financial institution to dispose of ``consumer information'' derived
from a consumer report in a manner consistent with the existing
requirements that apply to the disposal of ``customer information.''
The Agencies propose to incorporate this new requirement into the
Guidelines by: (1) Adding a definition of ``consumer information''; (2)
adding an objective (in paragraph II) regarding the proper disposal of
consumer information; and (3) adding a provision (in paragraph III)
that would require a financial institution to implement appropriate
measures to properly dispose of consumer information in a manner
consistent with the disposal of customer information.
The Agencies propose to require each financial institution to
implement the appropriate measures to properly dispose of ``consumer
information'' within three months after the final regulations are
published in the Federal Register. The Agencies believe that any
changes to an institution's existing information security program to
properly dispose of ``consumer information'' likely will be minimal.
Accordingly, the Agencies consider a three-month period sufficient to
enable financial institutions to adjust their systems and controls.
The Agencies invite comment on all aspects of the proposal. A
discussion of each proposed amendment to the Guidelines and to the
addition of cross-references to the Guidelines in the Agencies' FCRA
regulations follows.
Consumer Information
The proposal defines ``consumer information'' to mean ``any record
about an individual, whether in paper, electronic, or other form, that
is a consumer report or is derived from a consumer report and that is
maintained or otherwise possessed by or on behalf of the [institution]
for a business purpose.'' ``Consumer information'' also is defined to
mean ``a compilation of such records.''
The scope of information covered by the terms ``consumer
information'' and ``customer information'' as defined under the
Guidelines will sometimes overlap, but will not always coincide. The
Agencies note that the proposed definition of ``consumer information''
is drawn from the term ``consumer'' in section 603(c) of the FCRA,
which defines a ``consumer'' as an individual. 15 U.S.C. 1681a(c). By
contrast, ``customer information'' under the Guidelines only covers
nonpublic personal information about a ``customer,'' namely, an
individual who obtains a financial product or service to be used
primarily for personal, family, or household purposes and who has a
continuing relationship with the financial institution.\6\ The
relationship between ``consumer information'' and ``customer
information'' can be illustrated through the following examples.
Payment history information from a consumer report about an individual,
who is a financial institution's customer, will be both ``consumer
information'' because it comes from a consumer report and ``customer
information'' because it is nonpublic personal information about a
customer. In some circumstances, ``customer information'' will be
broader than ``consumer information.'' For instance, information about
a financial institution's transactions with its customer would be only
``customer information'' because it does not come from a consumer
report. In other circumstances, ``consumer information'' will be
broader than ``customer information.'' ``Consumer information'' would
include information from a consumer report that an institution obtains
about an individual who applies for but does not receive a loan, an
individual who guarantees a loan for a business entity, an employee or
a prospective employee, or an individual in connection with a loan to
the individual's sole proprietorship. In each of these instances, the
consumer reports would not be ``customer information'' because the
information would not be about a ``customer'' within the meaning of the
Guidelines.
---------------------------------------------------------------------------
\6\ I.C.2.b.
---------------------------------------------------------------------------
The Agencies propose to define ``consumer information'' as ``any
record about an individual * * * that is a consumer report or is
derived from a consumer report.'' Under this definition, information
that may be ``derived from consumer reports'' but does not identify a
particular consumer would not be covered under the proposal. For
example, a financial institution must implement measures to properly
dispose of ``consumer information'' that identifies a consumer, such as
the consumer's name and the credit score derived from a consumer
report. However, this requirement would not apply to the mean credit
score that is derived from a group of consumer reports. The Agencies
believe that limiting ``consumer information'' to information that
identifies a consumer is consistent with the current law relating to
the scope of the term ``consumer report'' under the FCRA and the
purposes of section 216 of the FACT Act.
The Agencies request suggestions for clarifying the scope of
information covered under the term ``consumer information.'' Among
other issues, the Agencies believe that the phrase ``derived from
consumer reports'' covers all of the information about a consumer that
is taken from a consumer report, including information that results in
whole or in part from manipulation of information from a consumer
report or information from a consumer report that has been combined
with other types of information. Consequently, a financial institution
that possesses any of this information must properly dispose of it.
For example, any record about a consumer derived from a consumer
report, such as the consumer's name and credit score, that is shared
among affiliates must be disposed of properly by each affiliate that
possesses that information. Similarly, a consumer report that is shared
among affiliated companies after the consumer has been given a notice
and has elected not to opt out of that sharing, and therefore is no
longer a ``consumer report'' under the FCRA,\7\ would still be
``consumer information'' under this proposal. Accordingly, a financial
institution that receives ``consumer information'' under these
circumstances must properly dispose of the information. The Agencies
seek comment on whether the definition of ``consumer information''
should be revised to further clarify this interpretation of the
statutory phrase ``derived from consumer reports,'' such as by example
or otherwise.
---------------------------------------------------------------------------
\7\ 15 U.S.C. 1681a(d)(2)(A)(iii).
---------------------------------------------------------------------------
The Agencies note that the proposed definition of ``consumer
information'' includes the qualification ``for a business purpose,'' as
set forth in section 216 of the Act. The Agencies believe that the
phrase ``for a business purpose'' encompasses any commercial purpose
for which a financial institution might maintain or possess ``consumer
information'' and request comment on that interpretation.
New Objective for an Information Security Program
The Agencies are proposing to add a new objective regarding the
proper disposal of consumer information in paragraph II.B. of the
Guidelines. The proposal would require a financial institution to
design its information security program to ``[e]nsure the proper
disposal of consumer information in a manner consistent with the
disposal of customer information.''
The Agencies believe that imposing this additional objective in
paragraph II.B is important to ensure that the requirement to properly
dispose of ``consumer information'' applies to a financial
institution's service providers. The Guidelines require, in part, that
a financial institution ``[r]equire its service providers by contract
to implement appropriate measures designed to meet the objectives of
these Guidelines.'' \8\
---------------------------------------------------------------------------
\8\ III.D.2. This requirement applies to both domestic and
foreign-based service providers.
---------------------------------------------------------------------------
By expressly incorporating a provision in paragraph II.B., the
Agencies' proposal requires each financial institution to contractually
require its service providers to develop appropriate measures for the
proper disposal of consumer information and, where warranted, to
monitor its service providers to confirm that they have satisfied their
contractual obligations.
The Agencies also propose to amend paragraph III.G.2. to allow a
financial institution a reasonable period of time, after the final
regulations are issued, to amend its contracts with its service
providers to incorporate the necessary requirements in connection with
the proper disposal of consumer information. The Agencies propose
allowing one year after publication of the final regulations for
financial institutions to modify the contracts that will be affected by
the Guidelines.
The Agencies seek comment on whether a one-year period for
modification of agreements with service providers is appropriate.
New Provision To Implement Measures To Properly Dispose of Consumer
Information
The Agencies propose to amend paragraph III.C. (Manage and Control
Risk) by adding a new provision to require a financial institution to
develop, implement, and maintain, as part of its information security
program, appropriate measures to properly dispose of consumer
information. This new provision requires an institution to implement
these measures ``in a manner consistent with the disposal of customer
information'' and ``in accordance with each of the requirements in this
paragraph III.'' of the Guidelines.
Paragraph III. of the Guidelines presently requires a financial
institution to undertake measures to design, implement, and maintain
its information security program to protect customer information and
customer information systems, including the methods it uses to dispose
of customer information. Under the proposal, an institution must adopt
a comparable set of procedures and controls to properly dispose of
``consumer information.'' For example, a financial institution must
broaden the scope of its risk assessment to include an assessment of
the reasonably foreseeable internal and external threats associated
with the methods it uses to dispose of ``consumer information,'' and
adjust its risk assessment in light of the relevant changes relating to
such threats. The Agencies, by expressly adding this new provision, are
requiring a financial institution to integrate into its information
security program each of those risk-based measures in connection with
the disposal of ``consumer information,'' as set forth in paragraph
III. of the Guidelines.
The Agencies believe that it is not necessary to propose a
prescriptive rule describing proper methods of disposal. Nonetheless,
consistent with interagency guidance previously issued through the
Federal Financial Institutions Examination Council (FFIEC),\9\ the
Agencies expect institutions to have appropriate disposal procedures
for records maintained in paper-based or electronic form. The Agencies
note that an institution's information security program should ensure
that paper records containing either customer or consumer information
are rendered unreadable as indicated by the institution's risk
assessment, such as by shredding or any other means. Institutions also
should recognize that computer-based records present unique disposal
problems. Residual data frequently remains on media after erasure.
Since that data can be recovered, additional disposal techniques should
be applied to sensitive electronic data.\10\
---------------------------------------------------------------------------
\9\ See FFIEC Information Security Booklet, page 63 at: http://www.ffiec.gov/ffiecinfobase.html_pages/it_01.html#infosec.
\10\ See footnote 9, supra.
---------------------------------------------------------------------------
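The point above, that erasure commonly leaves recoverable residual data on electronic media, is illustrated by the following added example, which is not part of the proposed rule or the FFIEC guidance. It models a storage device as a constructed byte array with a minimal directory, contrasts ordinary deletion (directory entry removed, bytes left in place) with an overwrite-then-verify disposal, and runs a residual-data scan of the raw medium for constructed identifiers; the record contents, identifier patterns and class names are all assumptions for the demonstration.

```python
"""Model of why deleting a record is not disposing of it.

Storage is modelled as a flat byte array (a constructed stand-in for a
disk); a tiny "file system" keeps only a directory of name -> (offset,
length). Deleting a record removes its directory entry, as most file
systems do, and leaves the bytes in place; sanitising overwrites the
extent and verifies it before the entry is removed. A residual-data
scan searches the raw medium for identifiers the way a carving tool
would, ignoring the directory entirely.
"""
import re
import secrets

MEDIUM_SIZE = 4096


class Medium:
    """Constructed stand-in for a storage device with a minimal directory."""

    def __init__(self, size=MEDIUM_SIZE):
        self.blocks = bytearray(size)
        self.directory = {}          # name -> (offset, length)
        self._next_free = 0

    def write(self, name, data: bytes):
        """Store a record contiguously and register it in the directory."""
        off = self._next_free
        if off + len(data) > len(self.blocks):
            raise OSError("medium full")
        self.blocks[off:off + len(data)] = data
        self.directory[name] = (off, len(data))
        self._next_free = off + len(data)

    def unlink(self, name):
        """Ordinary deletion: drops the directory entry, bytes untouched."""
        del self.directory[name]

    def sanitize(self, name, passes=3):
        """Overwrite the record's extent, verify the overwrite, then unlink.

        Caveat (a general fact, not from the rule text): on flash media
        with wear levelling an in-place overwrite may not reach the
        physical cells, so device-level secure erase, cryptographic
        erase or physical destruction is the appropriate measure there.
        """
        off, length = self.directory[name]
        for _ in range(passes - 1):
            self.blocks[off:off + length] = secrets.token_bytes(length)
        self.blocks[off:off + length] = bytes(length)   # final pass: zeros
        if any(self.blocks[off:off + length]):
            raise RuntimeError("overwrite verification failed")
        self.unlink(name)


# Identifying elements a consumer record might carry (constructed: an
# SSN-shaped token and a labelled credit score derived from a report).
IDENTIFIER_PATTERNS = [
    re.compile(rb"\b\d{3}-\d{2}-\d{4}\b"),
    re.compile(rb"score=\d{3}"),
]


def scan_residual(medium: Medium):
    """Carve the raw medium for identifiers regardless of the directory."""
    raw = bytes(medium.blocks)
    hits = []
    for pat in IDENTIFIER_PATTERNS:
        hits.extend(m.group(0).decode() for m in pat.finditer(raw))
    return hits


def demo_delete_vs_sanitize():
    """Return residual hits after plain deletion and after sanitising."""
    # Constructed sample record; no real person is described.
    record = b"name=Jane Doe;ssn=123-45-6789;score=712;source=consumer report"

    naive = Medium()
    naive.write("applicant-1", record)
    naive.unlink("applicant-1")            # "deleted" as far as the directory knows
    after_delete = scan_residual(naive)    # identifiers still on the medium

    proper = Medium()
    proper.write("applicant-1", record)
    proper.sanitize("applicant-1")         # overwritten, verified, then unlinked
    after_sanitize = scan_residual(proper)
    return after_delete, after_sanitize


if __name__ == "__main__":
    deleted, sanitized = demo_delete_vs_sanitize()
    print("residual after unlink only:", deleted)
    print("residual after sanitize   :", sanitized)
```

The residual scan is the control a program can actually verify: run it against the disposed extent, not the directory, and treat any hit as a disposal failure.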
The Agencies seek comment on whether the proposed amendment to
paragraph III.C. of the Guidelines sufficiently explains the nature and
scope of the obligations on each financial institution to modify its
information security program to include measures that must be
implemented and adjusted, as appropriate, to properly dispose of
``consumer information.''
The Agencies request comment on whether the use in the Guidelines
of the statutory phrase ``proper disposal'' is sufficiently clear.
Would a more specific standard provide better guidance to financial
institutions, better protect consumers, or both?
Proposed Amendments to the Agencies' FCRA Regulations
The Agencies propose to amend their respective regulations that
implement the FCRA \11\ by adding a new provision setting forth the
duties of users of consumer reports regarding identity theft. As
proposed, the new provision requires a financial institution to
properly dispose of consumer information in accordance with the
standards set forth in the Guidelines. The proposed provision also
incorporates a rule of construction that closely tracks the terms of
section 628(b) of the FCRA, as added by section 216 of the FACT Act.
---------------------------------------------------------------------------
\11\ 12 CFR part 41 (OCC); 12 CFR part 222 (Board); 12 CFR part
334 (FDIC); and 12 CFR part 571 (OTS).
---------------------------------------------------------------------------
The Agencies request comment on the proposed amendments to their
respective FCRA rules.
IV. Regulatory Analysis
Paperwork Reduction Act
In accordance with the Paperwork Reduction Act of 1995 (44 U.S.C.
3506; 5 CFR 1320 appendix A.1), the Agencies have reviewed the proposed
rules. (The Board has done so under authority delegated to the Board by
the Office of Management and Budget.) The proposed rules contain no
collections of information pursuant to the Paperwork Reduction Act.
Regulatory Flexibility Act
In accordance with the Regulatory Flexibility Act, each agency must
publish an initial regulatory flexibility analysis with its proposed
rule, unless the agency certifies that the rule will not have a
significant economic impact on a substantial number of small entities.
(5 U.S.C. 601-612). Each of the Agencies hereby certifies that its
rule, if adopted as proposed, would not have a significant economic
impact on a substantial number of small entities.
The proposed rules require a financial institution subject to the
jurisdiction of the appropriate agency to implement
appropriate controls designed to ensure the proper disposal of
``consumer information.'' A financial institution must develop and
maintain these controls as part of implementing its existing
information security program for ``customer information,'' as required
under the Guidelines.\12\
---------------------------------------------------------------------------
\12\ In 2001, the Agencies issued final Guidelines requiring
financial institutions to develop and maintain an information
security program, including procedures to dispose of customer
information, and each agency provided a final regulatory flexibility
analysis at that time. See 66 FR 8625-32 Feb. 1, 2001.
---------------------------------------------------------------------------
Any modifications to a financial institution's information security
program needed to address the proper disposal of ``consumer
information'' could be incorporated through the process the institution
presently uses to adjust its program under paragraph III.E. of the
Guidelines, particularly because of the similarities between the
consumer and customer information and the measures commonly used to
properly dispose of both types of information. To the extent that these
proposed rules impose new requirements for certain types of ``consumer
information,'' developing appropriate measures to properly dispose of
that information likely would require only a minor modification of an
institution's existing information security program.
Because some ``consumer information'' will be ``customer
information'' and because segregating particular records for special
treatment may entail considerable costs, the Agencies believe that many
banks and savings associations, including small institutions, already
are likely to have implemented measures to properly dispose of both
``customer'' and ``consumer'' information. In addition, the Agencies,
through the Federal Financial Institutions Examination Council (FFIEC),
already have issued guidance regarding their expectations concerning
the proper disposal of all of an institution's paper and electronic
records. See FFIEC Information Security Booklet, December 2002, p.
63.\13\ Therefore, the proposed rules do not require any significant
changes for institutions that currently have procedures and systems
designed to comply with this guidance.
---------------------------------------------------------------------------
\13\ See FFIEC Information Security Booklet, page 63 at: http://www.ffiec.gov/ffiecinfobase/html_pages/it_01.html#infosec.
---------------------------------------------------------------------------
The Agencies anticipate that, in light of current practices
relating to the disposal of information in accordance with the
Guidelines and the guidance issued by the FFIEC, the proposed rules
would not impose undue costs on financial institutions. Therefore, the
Agencies believe that the controls that small financial institutions
would develop and implement, if any, to comply with the proposed rules
likely pose a minimal economic impact on those entities. Nonetheless,
the Agencies specifically request comment on the burden the proposed
rules would have on small financial institutions, and how the Agencies'
proposed rules might minimize this burden, to the extent consistent
with the requirements of the FACT Act.
Solicitation of Comments on Use of Plain Language
Section 722(a) of the GLB Act requires the Federal banking agencies
to use plain language in all proposed and final rules.\14\ In light of
this requirement, the Agencies have sought to present the proposed
rules in a simple and straightforward manner. The Agencies invite your
comments on how to make the rules easier to understand. For example:
---------------------------------------------------------------------------
\14\ Pub. L. 106-102, 113 Stat. 1338 (1999), codified at 12
U.S.C. 4809.
---------------------------------------------------------------------------
Have we organized the material to suit your needs? If not,
how could this material be better organized?
Do the regulations contain technical language or jargon
that is not clear? If so, which language requires clarification?
Would a different format (grouping and order of sections,
use of headings, paragraphing) make the regulations easier to
understand? If so, what changes to the format would make the
regulations easier to understand?
What else could we do to make the regulations easier to
understand?
OCC and OTS Executive Order 12866 Determination
The OCC and OTS each have determined that this proposal is not a
``significant regulatory action'' under Executive Order 12866.
OCC and OTS Unfunded Mandates Reform Act of 1995 Determination
Under section 202 of the Unfunded Mandates Reform Act of 1995,
Public Law 104-4 (2 U.S.C. 1532) (Unfunded Mandates Act), the OCC and
OTS must prepare budgetary impact statements before promulgating any
rule likely to result in a federal mandate that may result in the
expenditure by state, local, and tribal governments, in the aggregate,
or by the private sector of $100 million or more in any one year. If a
budgetary impact statement is required, under section 205 of the
Unfunded Mandates Act, the OCC and OTS must identify and consider a
reasonable number of regulatory alternatives before promulgating a
rule.
For the reasons outlined earlier, the OCC and OTS have determined
that this proposal will not result in expenditures by state, local, and
tribal governments, or by the private sector, of $100 million or more,
in any one year. Accordingly, a budgetary impact statement is not
required under section 202 of the Unfunded Mandates Reform Act of 1995
and this rulemaking requires no further analysis under the Unfunded
Mandates Act.
OCC Community Bank Comment Request
The OCC invites your comments on the impact of this proposal on
community banks. The OCC recognizes that community banks operate with
more limited resources than larger institutions and may present a
different risk profile. Thus, the OCC specifically requests comments on
the impact of this proposal on community banks' current resources and
available personnel with the requisite expertise, and whether the goals
of the proposed regulations could be achieved, for community banks,
through an alternative approach.
List of Subjects
12 CFR Part 30
Banks, banking, Consumer protection, National banks, Privacy,
Reporting and recordkeeping requirements.
12 CFR Part 41
Banks, banking, Consumer protection, National banks, Reporting and
recordkeeping requirements.
12 CFR Part 208
Banks, banking, Consumer protection, Information, Privacy,
Reporting and recordkeeping requirements.
12 CFR Part 211
Exports, Foreign banking, Holding companies, Reporting and
recordkeeping requirements.
12 CFR Part 222
Banks, banking, Holding companies, State member banks.
12 CFR Part 225
Banks, banking, Holding companies, Reporting and recordkeeping
requirements.
12 CFR Part 334
Administrative practice and procedure, Bank deposit insurance,
Banks, Banking, Reporting and recordkeeping requirements, Safety and
soundness.
12 CFR Part 364
Administrative practice and procedure, Bank deposit insurance,
Banks, Banking, Reporting and recordkeeping requirements, Safety and
soundness.
12 CFR Part 568
Consumer protection, Privacy, Reporting and recordkeeping
requirements, Savings associations, Security measures.
12 CFR Part 570
Accounting, Administrative practice and procedure, Bank deposit
insurance, Consumer protection, Holding companies, Privacy, Reporting
and recordkeeping requirements, Safety and soundness, Savings
associations.
12 CFR Part 571
Consumer protection, Credit, Fair Credit Reporting Act, Privacy,
Reporting and recordkeeping requirements, Savings associations.
Department of the Treasury
Office of the Comptroller of the Currency
12 CFR Chapter I
Authority and Issuance
For the reasons discussed in the joint preamble, 12 CFR part 30 and
12 CFR part 41 (as proposed to be added at 69 FR 23394, April 28,
2004), are proposed to be amended as follows:
PART 30--SAFETY AND SOUNDNESS STANDARDS
1. The authority citation for part 30 is revised to read as
follows:
Authority: 12 U.S.C. 93a, 1818, 1831-p and 3102(b); 15 U.S.C.
1681s, 1681w, 6801, and 6805(b)(1).
2. Appendix B to Part 30 is amended by:
a. Amending paragraph I. INTRODUCTION by adding a new sentence at
the end of the paragraph;
b. Amending paragraph I.A. by adding a new sentence at the end of
the paragraph;
c. Redesignating paragraphs I.C.2.b. through e. as paragraphs
I.C.2.d. through g., respectively;
d. Adding new paragraphs I.C.2.b. and c.;
e. Adding a new paragraph II.B.4.;
f. Adding a new paragraph III.C.4.; and
g. Adding new paragraphs III.G.3. and 4. to read as follows:
Appendix B to Part 30--Interagency Guidelines Establishing Standards
for Safeguarding Customer Information
* * * * *
I. * * *
* * * These Guidelines also address standards with respect to
the proper disposal of consumer information, pursuant to sections
621(b) and 628 of the Fair Credit Reporting Act (15 U.S.C. 1681s(b)
and 1681w).
A. Scope. * * * The Guidelines also apply to the proper disposal
of consumer information by such entities.
* * * * *
C. * * *
2. * * *
b. Consumer information means any record about an individual,
whether in paper, electronic, or other form, that is a consumer
report or is derived from a consumer report and that is maintained
or otherwise possessed by or on behalf of the bank for a business
purpose. Consumer information also means a compilation of such
records.
c. Consumer report has the same meaning as set forth in 15
U.S.C. 1681a(d).
* * * * *
II. * * *
B. * * *
4. Ensure the proper disposal of consumer information in a
manner consistent with the disposal of customer information.
III. * * *
C. * * *
4. Develop, implement, and maintain, as part of its information
security program, appropriate measures to properly dispose of
consumer information in a manner consistent with the disposal of
customer information, in accordance with each of the requirements of
this paragraph III.
* * * * *
G. Implement the Standards. * * *
3. Effective date for measures relating to the disposal of
consumer information. Each bank must satisfy these Guidelines with
respect to the proper disposal of consumer information by [This date
will be 90 days after the date of publication in the Federal
Register of a final rule].
4. Exception for existing agreements with service providers
relating to the disposal of consumer information. Notwithstanding
the requirement in paragraph III.G.3., a bank's existing contracts
with its service providers with regard to any service involving the
disposal of consumer information must comply with these Guidelines
by [This date will be one year after the date of publication in the
Federal Register of a final rule].
PART 41--FAIR CREDIT REPORTING
3. The authority citation for part 41 is revised to read as
follows:
Authority: 12 U.S.C. 1 et seq., 24 (Seventh), 93a, 481, 484, and
1818; 15 U.S.C. 1681a, 1681b, 1681s, 1681w, 6801 and 6805.
4. Subparts E through H are added and reserved.
5. A new subpart I, consisting of Sec. 41.83, is added to read as
follows:
Subpart I--Duties of Users of Consumer Reports Regarding Identity
Theft
Sec. 41.83 Disposal of consumer information.
(a) In general. Each bank must properly dispose of any consumer
information that it maintains or otherwise possesses in accordance with
the Interagency Guidelines Establishing Standards for Safeguarding
Customer Information, as set forth in appendix B to 12 CFR part 30.
(b) Rule of construction. Nothing in this section shall be
construed to:
(1) Require a bank to maintain or destroy any record pertaining to
a consumer that is not imposed under any other law; or
(2) Alter or affect any requirement imposed under any other
provision of law to maintain or destroy such a record.
Dated: May 14, 2004.
John D. Hawke, Jr.,
Comptroller of the Currency.
Federal Reserve System
12 CFR Chapter II
Authority and Issuance
For the reasons set forth in the joint preamble, parts 208, 211,
222, and 225 of chapter II of title 12 of the Code of Federal
regulations are proposed to be amended as follows:
PART 208--MEMBERSHIP OF STATE BANKING INSTITUTIONS IN THE FEDERAL
RESERVE SYSTEM (REGULATION H)
1. The authority citation for 12 CFR Part 208 is revised to read as
follows:
Authority: 12 U.S.C. 24, 36, 92a, 93a, 248(a), 248(c), 321-338a,
371d, 461, 481-486, 601, 611, 1814, 1816, 1820(d)(9), 1823(j),
1828(o), 1831, 1831o, 1831p-1, 1831r-1, 1831w, 1831x, 1835a, 1882,
2901-2907, 3105, 3310, 3331-3351, and 3906-3909, 15 U.S.C. 78b,
78l(b), 78l(g), 78l(i), 78o-4(c)(5), 78q, 78q-1, 78w, 1681s, 1681w,
6801 and 6805; 31 U.S.C. 5318, 42 U.S.C. 4012a, 4104a, 4104b, 4106,
and 4128.
2. In Sec. 208.3 revise paragraph (d)(1) to read as follows:
Sec. 208.3 Application and conditions for membership in the Federal
Reserve System.
* * * * *
(d) Conditions of membership. (1) Safety and soundness. Each member
bank shall at all times conduct its business and exercise its powers
with due regard to safety and soundness. Each member bank shall comply
with the Interagency Guidelines Establishing
Standards for Safety and Soundness prescribed pursuant to section 39 of
the FDI Act (12 U.S.C. 1831p-1), set forth in appendix D-1 to this
part, and the Interagency Guidelines Establishing Standards for
Safeguarding Customer Information prescribed pursuant to sections 501
and 505 of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 and 6805) and,
with respect to the proper disposal of consumer information, section
216 of the Fair and Accurate Credit Transactions Act of 2003 (15 U.S.C.
1681w), set forth in appendix D-2 to this part.
* * * * *
3. Amend Appendix D-2 to part 208, as follows:
a. In section I., Introduction, a new sentence is added at the end
of the introductory paragraph.
b. In section I.A., Scope, a new sentence is added at the end of
the paragraph.
c. In section I.C.2, paragraphs b. through f. are redesignated as
paragraphs d. through h., respectively, and new paragraphs b. and c.
are added.
d. In section II.B., Objectives, a new paragraph 4 is added.
e. In section III.C., Manage and Control Risk, a new paragraph 4 is
added.
f. In section III.G., Implement the Standards, new paragraphs 3 and
4 are added.
Appendix D-2 to Part 208--Interagency Guidelines Establishing Standards
for Safeguarding Customer Information
* * * * *
I. * * *
* * * These Guidelines also address standards with respect to
the proper disposal of consumer information, pursuant to sections
621(b) and 628 of the Fair Credit Reporting Act (15 U.S.C. 1681s(b)
and 1681w).
A. Scope. * * * These Guidelines also apply to the proper
disposal of consumer information by such entities.
* * * * *
C. * * *
2. * * *
b. Consumer information means any record about an individual,
whether in paper, electronic, or other form, that is a consumer
report or is derived from a consumer report and that is maintained
or otherwise possessed by or on behalf of the bank for a business
purpose. Consumer information also means a compilation of such
records.
c. Consumer report has the same meaning as set forth in the Fair
Credit Reporting Act, 15 U.S.C. 1681a(d), and as defined in subpart
A of part 222 (Regulation V) of this chapter.
* * * * *
II. * * *
B. * * *
4. Ensure the proper disposal of consumer information in a
manner consistent with the disposal of customer information.
* * * * *
III. * * *
C. * * *
4. Develop, implement, and maintain, as part of its information
security program, appropriate measures to properly dispose of
consumer information in a manner consistent with the disposal of
customer information, in accordance with each of the requirements in
this paragraph III.
* * * * *
G. * * *
3. Effective date for measures relating to the disposal of
consumer information. Each bank must satisfy these Guidelines with
respect to the proper disposal of consumer information by [This date
will be 90 days after the date of publication in the Federal
Register of a final rule].
4. Exception for existing agreements with service providers
relating to the disposal of consumer information. Notwithstanding
the requirement in paragraph III.G.3., a bank's existing contracts
with its service providers with regard to any service involving the
disposal of consumer information must comply with these Guidelines
by [This date will be one year after the date of publication in the
Federal Register of a final rule].
PART 211--INTERNATIONAL BANKING OPERATIONS (REGULATION K)
4. The authority citation for part 211 is revised to read as
follows:
Authority: 12 U.S.C. 221 et seq., 1818, 1835a, 1841 et seq.,
3101 et seq., and 3901 et seq.; 15 U.S.C. 1681s, 1681w, 6801 and
6805.
5. In Sec. 211.5, revise paragraph (l) to read as follows:
Sec. 211.5 Edge and agreement corporations.
* * * * *
(l) Protection of customer information and consumer information. An
Edge or agreement corporation shall comply with the Interagency
Guidelines Establishing Standards for Safeguarding Customer Information
prescribed pursuant to sections 501 and 505 of the Gramm-Leach-Bliley
Act (15 U.S.C. 6801 and 6805) and, with respect to the proper disposal
of consumer information, section 216 of the Fair and Accurate Credit
Transactions Act of 2003 (15 U.S.C. 1681w), set forth in appendix D-2
to part 208 of this chapter.
* * * * *
6. In Sec. 211.24, revise paragraph (i) to read as follows:
Sec. 211.24 Approval of offices of foreign banks; procedures for
applications; standards for approval; representative-office activities
and standards for approval; preservation of existing authority.
* * * * *
(i) Protection of customer and consumer information. An uninsured
state-licensed branch or agency of a foreign bank shall comply with the
Interagency Guidelines Establishing Standards for Safeguarding Customer
Information prescribed pursuant to sections 501 and 505 of the Gramm-
Leach-Bliley Act (15 U.S.C. 6801 and 6805) and, with respect to the
proper disposal of consumer information, section 216 of the Fair and
Accurate Credit Transactions Act of 2003 (15 U.S.C. 1681w), set forth
in appendix D-2 to part 208 of this chapter.
* * * * *
PART 222--FAIR CREDIT REPORTING (REGULATION V)
7. The authority citation for part 222 is revised to read as
follows:
Authority: 15 U.S.C. 1681b, 1681s, and 1681w; Secs. 3 and 217,
Pub. L. 108-159, 117 Stat. 1952.
8. Add a new subpart I to read as follows:
Subpart I--Duties of Users of Consumer Reports Regarding Identity Theft
Sec.
222.80-222.82 [Reserved]
222.83 Disposal of consumer information.
Subpart I--Duties of Users of Consumer Reports Regarding Identity
Theft
Sec. 222.80-222.82 [Reserved]
Sec. 222.83 Disposal of consumer information.
(a) In general. You must properly dispose of any consumer
information that you maintain or otherwise possess in accordance with
the Interagency Guidelines Establishing Standards for Safeguarding
Customer Information, as required under Sec. Sec. 208.3(d) (Regulation
H), 211.5(l) and 211.24(i) (Regulation K), or 225.4(h) (Regulation Y)
of this chapter, as applicable.
(b) Rule of construction. Nothing in this section shall be
construed to:
(1) Require you to maintain or destroy any record pertaining to a
consumer that is not imposed under any other law; or
(2) Alter or affect any requirement imposed under any other
provision of law to maintain or destroy such a record.
PART 225--BANK HOLDING COMPANIES AND CHANGE IN BANK CONTROL
(Regulation Y)
9. The authority citation for part 225 is revised to read as
follows:
Authority: 12 U.S.C. 1817(j)(13), 1818, 1828(o), 1831i, 1831p-1,
1843(c)(8), 1844(b), 1972(1), 3106, 3310, 3331-3351, 3906, and 3909;
15 U.S.C. 1681(b)(1), 1681s, 1681w, 6801 and 6805.
10. In Sec. 225.4, revise paragraph (h) to read as follows:
Sec. 225.4 Corporate practices.
* * * * *
(h) Protection of customer information and consumer information. A
bank holding company, including a bank holding company that is a
financial holding company, shall comply with the Interagency Guidelines
Establishing Standards for Safeguarding Customer Information, as set
forth in appendix F of this part, prescribed pursuant to sections 501
and 505 of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 and 6805) and,
with respect to the proper disposal of consumer information, section
216 of the Fair and Accurate Credit Transactions Act of 2003 (15 U.S.C.
1681w).
11. In Appendix F to part 225, the following amendments are made:
a. In section I., Introduction, a new sentence is added at the end
of the introductory paragraph.
b. In section I.A., Scope, a new sentence is added at the end of
the paragraph.
c. In section I.C.2., paragraphs 2.b. through 2.f. are redesignated
as paragraphs 2.d. through 2.h., respectively, and new paragraphs 2.b
and 2.c are added.
d. In section II.B., Objectives, a new paragraph 4 is added.
e. In section III.C., Manage and Control Risk, a new paragraph 4 is
added.
f. In section III.G., Implement the Standards, new paragraphs 3 and
4 are added.
Appendix F To Part 225--Interagency Guidelines Establishing Standards
For Safeguarding Customer Information
* * * * *
I. * * *
* * * These Guidelines also address standards with respect to
the proper disposal of consumer information, pursuant to sections
621(b) and 628 of the Fair Credit Reporting Act (15 U.S.C. 1681s(b)
and 1681w).
A. Scope. * * * These Guidelines also apply to the proper
disposal of consumer information by such entities.
* * * * *
C. Definitions. * * *
2. * * *
b. Consumer information means any record about an individual,
whether in paper, electronic, or other form, that is a consumer
report or is derived from a consumer report and that is maintained
or otherwise possessed by you or on your behalf for a business
purpose. Consumer information also means a compilation of such
records.
c. Consumer report has the same meaning as set forth in the Fair
Credit Reporting Act, 15 U.S.C. 1681a(d), and as defined in subpart
A of part 222 (Regulation V) of this chapter.
* * * * *
II. * * *
B. Objectives. * * *
* * * * *
4. Ensure the proper disposal of consumer information in a
manner consistent with the disposal of customer information.
III. * * *
C. Manage and Control Risk. * * *
4. Develop, implement, and maintain, as part of your information
security program, appropriate measures to properly dispose of
consumer information in a manner consistent with the disposal of
customer information, in accordance with each of the requirements in
this paragraph III.
* * * * *
G. Implement the Standards. * * *
3. Effective date for measures relating to the disposal of
consumer information. You must satisfy these Guidelines with respect
to the proper disposal of consumer information by [This date will be
90 days after the date of publication in the Federal Register of a
final rule].
4. Exception for existing agreements with service providers
relating to the disposal of consumer information. Notwithstanding
the requirement in paragraph III.G.3., your existing contracts with
your service providers with regard to any service involving the
disposal of consumer information must comply with these Guidelines
by [This date will be one year after the date of publication in the
Federal Register of a final rule].
By order of the Board of Governors of the Federal Reserve
System, May 25, 2004.
Jennifer J. Johnson,
Secretary of the Board.
Federal Deposit Insurance Corporation
12 CFR Chapter III
Authority and Issuance
For the reasons set forth in the joint preamble, the Federal
Deposit Insurance Corporation proposes to amend 12 CFR part 334 (as
proposed to be added at 69 FR 2339, April 28, 2004), and 12 CFR part
364 as follows:
PART 334--FAIR CREDIT REPORTING
1. The authority citation for part 334 is revised to read as
follows:
Authority: 12 U.S.C. 1818 and 1819 (Tenth); 15 U.S.C. 1681b,
1681s, and 1681w.
2. Add a new subpart I to read as follows:
Subpart I--Duties of Users of Consumer Reports Regarding Identity Theft
Sec.
334.80-334.82 [Reserved]
334.83 Disposal of consumer information.
Subpart I--Duties of Users of Consumer Reports Regarding Identity
Theft
Sec. 334.80-334.82 [Reserved]
Sec. 334.83 Disposal of consumer information.
(a) In general. You must properly dispose of any consumer
information that you maintain or otherwise possess in accordance with
the Interagency Guidelines Establishing Standards for Safeguarding
Customer Information, as set forth in appendix B to part 364 of this
chapter, prescribed pursuant to section 216 of the Fair and Accurate
Credit Transactions Act of 2003 (15 U.S.C. 1681w).
(b) Rule of construction. Nothing in this section shall be
construed to:
(1) Require you to maintain or destroy any record pertaining to a
consumer that is not imposed under any other law; or
(2) Alter or affect any requirement imposed under any other
provision of law to maintain or destroy such a record.
PART 364--STANDARDS FOR SAFETY AND SOUNDNESS
3. The authority citation for part 364 is revised to read as
follows:
Authority: 12 U.S.C. 1819 (Tenth), 1831p-1; 15 U.S.C. 1681s,
1681w, 6801(b), 6805(b)(1).
4. Revise Sec. 364.101(b) to read as follows:
Sec. 364.101 Standards for safety and soundness.
* * * * *
(b) Interagency Guidelines Establishing Standards for Safeguarding
Customer Information. The Interagency Guidelines Establishing Standards
for Safeguarding Customer Information prescribed pursuant to section 39
of the Federal Deposit Insurance Act (12 U.S.C. 1831p-1), and sections
501 and 505(b) of the Gramm-Leach-Bliley Act (15 U.S.C. 6801, 6805(b)),
and with respect to the proper disposal of consumer information,
requirements pursuant to sections 621(b) and 628 of the Fair Credit
Reporting Act (15 U.S.C. 1681s(b) and 1681w), as set forth in appendix
B to this part, apply to all insured state nonmember banks, insured
state licensed branches of foreign banks, and any subsidiaries of such
entities
(except brokers, dealers, persons providing insurance, investment
companies, and investment advisers).
5. In Appendix B to part 364, the following amendments are made:
a. In the Introduction, a new sentence is added at the end of the
introductory paragraph.
b. In section I.A., Scope, the first sentence is revised.
c. In section I.C.2., Definitions, paragraphs 2.b. through 2.e. are
redesignated as paragraphs 2.d. through 2.g., respectively, and new
paragraphs 2.b. and 2.c. are added.
d. In section II.B., Objectives, a new paragraph 4. is added.
e. In section III.C., Manage and Control Risk, a new paragraph 4.
is added.
f. In section III.G, new paragraphs 3. and 4. are added.
Appendix B to Part 364--Interagency Guidelines Establishing Standards
for Safeguarding Customer Information
* * * * *
I. Introduction
* * * These Guidelines also address standards with respect to
the proper disposal of consumer information pursuant to sections
621(b) and 628 of the Fair Credit Reporting Act (15 U.S.C. 1681s(b)
and 1681w).
A. Scope. The Guidelines apply to customer information
maintained by or on behalf of, and to the disposal of consumer
information by, entities over which the Federal Deposit Insurance
Corporation (FDIC) has authority. * * *
* * * * *
C. * * *
2. * * *
b. Consumer information means any record about an individual,
whether in paper, electronic, or other form, that is a consumer
report or is derived from a consumer report and that is maintained
or otherwise possessed by or on behalf of the bank for a business
purpose. Consumer information also means a compilation of such
records.
c. Consumer report has the same meaning as set forth in the Fair
Credit Reporting Act, 15 U.S.C. 1681a(d).
* * * * *
II. * * *
B. * * *
4. Ensure the proper disposal of consumer information in a
manner consistent with the disposal of customer information.
III. * * *
C. * * *
4. Develop, implement, and maintain, as part of its information
security program, appropriate measures to properly dispose of
consumer information in a manner consistent with the disposal of
customer information, in accordance with each of the requirements in
this paragraph III.
* * * * *
G. * * *
3. Effective date. Each bank must satisfy these Guidelines with
respect to the proper disposal of consumer information by [This date
will be 90 days after the publication in the Federal Register of a
final rule.]
4. Exception for existing agreements with service providers
relating to the disposal of consumer information. Notwithstanding
the requirement in paragraph III.G.3., a bank's existing contracts
with its service providers with regard to any service involving the
disposal of consumer information must comply with these Guidelines
by [This date will be one year after the date of publication in the
Federal Register of a final rule.]
Dated at Washington, DC, this 21st day of May, 2004.
By order of the Board of Directors.
Federal Deposit Insurance Corporation.
Robert E. Feldman,
Executive Secretary.
Office of Thrift Supervision
12 CFR Chapter V
Authority and Issuance
For the reasons set forth in the joint preamble, the Office of
Thrift Supervision proposes to amend chapter V of title 12 of the Code
of Federal Regulations by amending parts 568 and 570, and amending part
571 (as proposed to be added at 69 FR 23402, April 28, 2004), as
follows:
PART 568--SECURITY PROCEDURES
1. The authority citation for part 568 is revised to read as
follows:
Authority: 12 U.S.C. 1462a, 1463, 1464, 1467a, 1828, 1831p-1,
1881-1884; 15 U.S.C. 1681s and 1681w; 15 U.S.C. 6801 and 6805(b)(1).
2. Revise the part heading for part 568 to read as shown above.
3. Revise the first sentence of Sec. 568.1(a) to read as follows:
Sec. 568.1 Authority, purpose, and scope.
(a) This part is issued by the Office of Thrift Supervision (OTS)
under section 3 of the Bank Protection Act of 1968 (12 U.S.C. 1882),
sections 501 and 505(b)(1) of the Gramm-Leach-Bliley Act (15 U.S.C.
6801 and 6805(b)(1)), and sections 621 and 628 of the Fair Credit
Reporting Act (15 U.S.C. 1681s and 1681w). * * *
* * * * *
4. Revise Sec. 568.5 to read as follows:
Sec. 568.5 Protection of customer information.
Savings associations and their subsidiaries (except brokers,
dealers, persons providing insurance, investment companies, and
investment advisers) must comply with the Interagency Guidelines
Establishing Standards for Safeguarding Customer Information set forth
in appendix B to part 570 of this chapter.
PART 570--SAFETY AND SOUNDNESS GUIDELINES AND COMPLIANCE PROCEDURES
5. The authority citation for part 570 is revised to read as
follows:
Authority: 12 U.S.C. 1462a, 1463, 1464, 1467a, 1828, 1831p-1,
1881-1884; 15 U.S.C. 1681s and 1681w; 15 U.S.C. 6801 and 6805(b)(1).
6. Amend Appendix B of part 570 by:
a. Revising the first sentence of the introductory paragraph of
section I. Introduction;
b. Adding a new sentence to the end of paragraph I.A. Scope;
c. Redesignating paragraphs 2.a. through 2.d. of paragraph I.C.2.
Definitions as paragraphs 2.c. through 2.f., respectively, and adding
new paragraphs 2.a. and 2.b.;
d. Adding a new paragraph 4. to paragraph II.B. Objectives;
e. Adding a new paragraph 4. to paragraph III.C. Manage and Control
Risk; and
f. Adding new paragraphs 3. and 4. to paragraph III.G. Implement
the Standards.
Appendix B to Part 570--Interagency Guidelines Establishing Standards
for Safeguarding Customer Information
* * * * *
I. Introduction
The Interagency Guidelines Establishing Standards for
Safeguarding Customer Information (Guidelines) set forth standards
pursuant to section 39(a) of the Federal Deposit Insurance Act (12
U.S.C. 1831p-1), and sections 501 and 505(b) of the Gramm-Leach-
Bliley Act (15 U.S.C. 6801 and 6805(b)). These Guidelines also
address standards with respect to the proper disposal of consumer
information, pursuant to sections 621 and 628 of the Fair Credit
Reporting Act (15 U.S.C. 1681s and 1681w). * * *
A. Scope. * * * These Guidelines also apply to the proper
disposal of consumer information by such entities.
* * * * *
C. Definitions. * * *
2. * * *
a. Consumer information means any record about an individual,
whether in paper, electronic, or other form, that is a consumer
report or is derived from a consumer report and that is maintained
or otherwise possessed by you or on your behalf for a business
purpose. Consumer information also means a compilation of such
records.
b. Consumer report has the same meaning as set forth in the Fair
Credit Reporting Act, 15 U.S.C. 1681a(d), and as defined in part 571
of this chapter.
* * * * *
II. * * *
B. Objectives. * * *
4. Ensure the proper disposal of consumer information in a
manner consistent with the disposal of customer information.
III. * * *
C. Manage and Control Risk. * * *
4. Develop, implement, and maintain, as part of your information
security program, appropriate measures to properly dispose of
consumer information in a manner consistent with the disposal of
customer information, in accordance with each of the requirements in
this paragraph III.
* * * * *
G. Implement the Standards. * * *
3. Effective date for measures relating to the disposal of
consumer information. You must satisfy these Guidelines with respect
to the proper disposal of consumer information by [This date will be
90 days after the date of publication in the Federal Register of a
final rule].
4. Exception for existing agreements with service providers
relating to the disposal of consumer information. Notwithstanding
the requirement in paragraph III.G.3., your existing contracts with
your service providers with regard to any service involving the
disposal of consumer information must comply with these Guidelines
by [This date will be one year after the date of publication in the
Federal Register of a final rule].
PART 571--FAIR CREDIT REPORTING
7. The authority citation for part 571 continues to read as
follows:
Authority: 12 U.S.C. 1462a, 1463, 1464, 1467a, 1828, 1831p-1,
1881-1884; 15 U.S.C. 1681s and 1681w; 15 U.S.C. 6801 and 6805(b)(1).
8. Add a new subpart I to read as follows:
Subpart I--Duties of Users of Consumer Reports Regarding Identity Theft
Sec.
571.80-571.82 [Reserved]
571.83 Disposal of consumer information.
Subpart I--Duties of Users of Consumer Reports Regarding Identity
Theft
Sec. 571.80-571.82 [Reserved]
Sec. 571.83 Disposal of consumer information.
(a) In general. You must properly dispose of any consumer
information that you maintain or otherwise possess in accordance with
the Interagency Guidelines Establishing Standards for Safeguarding
Customer Information, as set forth in appendix B to part 570 of this
chapter.
(b) Rule of construction. Nothing in this section shall be
construed to:
(i) Require you to maintain or destroy any record pertaining to a
consumer that is not imposed under any other law; or
(ii) Alter or affect any requirement imposed under any other
provision of law to maintain or destroy such a record.
Dated: April 27, 2004.
By the Office of Thrift Supervision.
James E. Gilleran,
Director.
[FR Doc. 04-12317 Filed 6-7-04; 8:45 am]
BILLING CODE 4810-33-P; 6210-01-P; 6714-01-P; 6720-01-P