
Fair and Accurate Credit Transactions Act of 2003 Guidelines Requiring the Proper Disposal of Consumer Information

Summary: The federal bank and thrift regulatory agencies have jointly issued final guidelines to implement section 216 of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act). Section 216 is designed to protect consumers against the risks associated with identity theft and other types of fraud. The guidelines require the proper disposal of consumer information. 

Highlights: 

  • The FACT Act requires any financial institution that maintains or otherwise possesses consumer information derived from consumer reports to properly dispose of it.
  • To implement section 216 of the FACT Act, the banking and thrift regulatory agencies have amended their "Guidelines Establishing Standards for Safeguarding Customer Information," and renamed them "Interagency Guidelines Establishing Information Security Standards," to require the proper disposal of consumer information.
  • The new guidelines will take effect on July 1, 2005.

Continuation of FIL-7-2005 

Distribution: 
FDIC-Supervised Banks (Commercial and Savings) 

Suggested Routing: 
Chief Executive Officer 
Chief Information Officer 
Compliance Officer 
Legal Counsel 

Federal Register, December 28, 2004, pages 77610-77621

 

Note: 
FDIC Financial Institution Letters (FILs) may be accessed from the FDIC's Web site at www.fdic.gov/news/financial-institution-letters/2005/index.html

To receive FILs electronically, please visit http://www.fdic.gov/about/subscriptions/fil.html

Paper copies of FDIC FILs may be obtained through the FDIC's Public Information Center, 801 17th Street, NW, Room 100, Washington, DC 20434 (1-877-275-3342 or (703) 562-2200). 
 



 

Financial Institution Letters 
FIL-7-2005 
February 2, 2005 

Fair and Accurate Credit Transactions Act of 2003 
Guidelines Requiring the Proper Disposal of Consumer Information 

The Federal Deposit Insurance Corporation, the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision (agencies) have adopted the attached final rule to implement section 216 of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act). Section 216 of the FACT Act is designed to protect a consumer against the risks associated with identity theft and other types of fraud.

Under the final rule, the agencies have amended their "Guidelines Establishing Standards for Safeguarding Customer Information," as mandated by the Gramm-Leach-Bliley Act, to require the proper disposal of consumer information. The guidelines have been renamed "Interagency Guidelines Establishing Information Security Standards."

The amendments to the guidelines require each financial institution to develop and maintain, as part of its information security program, appropriate controls designed to ensure that it properly disposes of "consumer information" derived from a consumer report in a manner consistent with the financial institution’s existing obligation under the guidelines to properly dispose of customer information. The guidelines direct financial institutions to assess the risks to their consumer information as well as customer information by evaluating security measures to control these risks. Therefore, financial institutions must design their information security programs to dispose properly of customer information and consumer information.

Each bank must satisfy these guidelines with respect to the proper disposal of consumer information by July 1, 2005. Financial institutions must modify any affected contracts with service providers no later than July 1, 2006.

Definition of Consumer Information 

"Consumer information" is defined as "any record about an individual, whether in paper, electronic, or other form that is a consumer report or is derived from a consumer report and that is maintained or otherwise possessed by or on behalf of the institution for a business purpose." "Consumer information" is also defined to mean "a compilation of such records." The term, however, excludes from the definition any record that does not identify the individual. Therefore, the requirement concerning consumer information does not apply to aggregate information that does not identify the subjects of the consumer reports.

Definition of Service Provider 

"Service provider" is defined as any person or entity that maintains, processes or otherwise is permitted access to customer information or consumer information through its provision of services directly to the bank. The guidelines direct financial institutions to require service providers by contract to implement appropriate measures designed to meet the obligations of the guidelines regarding the proper disposal of consumer information.

Michael J. Zamorski

Director

Division of Supervision and Consumer Protection


Additional Related Topics:

  • Interagency Guidelines Establishing Standards for Safeguarding of Customer Information
  • FFIEC Information Security Handbook issued January 2003

Last Updated: February 2, 2005