AMERICAN BANKERS ASSOCIATION
July 23, 2004
Jennifer J. Johnson, Secretary
Board of Governors of the Federal Reserve System
20th Street and Constitution Avenue, N.W.
Washington, DC 20551
Office of the Comptroller of the Currency
250 E Street, S.W.
Public Reference Room, Mail Stop 1-5
Washington, DC 20219
Robert E. Feldman, Executive Secretary
Attention: Comments
Federal Deposit Insurance Corporation
550 17th Street, N.W.
Washington, DC 20429
Regulation Comments
Chief Counsel’s Office
Office of Thrift Supervision
1700 G Street, N.W.
Washington, DC 20552
Attention No. 2004-26
Re: Proper Disposal of Consumer Information Under the Fair and Accurate Credit Transactions Act of 2003, OCC Docket No. 04-13; FRB Docket No. R-1199; FDIC RIN 3064-AC77; OTS No. 2004-26; 69 Federal Register 31913 (June 8, 2004)
Dear Sir or Madam:
The American Bankers Association (“ABA”) offers the following comments on the interagency proposal to implement section 216 of the Fair and Accurate Credit Transactions Act of 2003 (“the FACT Act”) by amending the Interagency Guidelines Establishing Standards for Safeguarding Customer Information (“Guidelines”). The proposal would require each financial institution to include, as part of its information security program, appropriate measures to properly dispose of consumer information derived from consumer reports in order to address the risks associated with identity theft.
The ABA brings together all elements of the banking community to represent the interests of this rapidly changing industry. Its membership – which includes community, regional, and money center banks and holding companies, as well as savings associations, trust companies, and savings banks – makes ABA the largest banking trade association in the country.
The ABA and its membership have long been active in the battle to prevent identity theft. In June 2000, the ABA Task Force on Responsible Use of Customer Information developed voluntary guidelines that reaffirmed the industry’s commitment to maintaining the confidentiality and security of customer data. In the same period, ABA published its Communications Kit for Identity Theft to assist member efforts to promote the sensible and secure handling and disposal of financial information among bank employees and their customers. In 2002, ABA released its Safeguarding Customer Information Toolbox, a member service to guide banks through the process of assessing information security risks and establishing appropriate policies and controls to manage those risks and protect customer information.
The ABA supports this proposal as a flexible and sound method for achieving appropriate disposal of consumer information, consistent with the banking industry’s commitment to safeguard an individual’s sensitive financial information and combat the risks of identity theft that threaten both consumers and their banks. We recognize and endorse the agencies’ efforts to integrate the obligations mandated by section 216 of the FACT Act within the established Guidelines that govern the implementation of industry customer information systems. By incorporating the consumer information disposal requirements within the Guidelines, the agencies’ proposal fosters the adoption of a comprehensive and secure information disposal program, while avoiding the undue regulatory burden that could otherwise result from imposing separate standards independent of the existing guidance regimen. ABA applauds this integrated approach.

We comment more specifically below on certain features of the proposal.
Personally Identifiable Records
The ABA considers the proposal’s inclusion of the requirement that any record of consumer information be “about an individual” to be vital to properly tailoring the Guidelines to the information security risks relevant to guarding against identity theft. As explained in the preamble, a record is not “about an individual” if “it does not identify a particular consumer.” This element of the definition of consumer information is essential to drawing the necessary operational lines for staff to follow in distinguishing between information whose disposal does or does not contribute to the risk of identity theft. This requirement also ensures parallel treatment by the Guidelines of customer information and consumer information, because both will be predicated on the concept of being personally identifiable.

Accordingly, ABA recommends that the Guidelines’ definition of consumer information explicitly incorporate the requirement of “personally identifiable” in addition to the qualification that a record be “about an individual.” The current definition of customer information contains a similar emphasis by using both the description “nonpublic personal information as defined in [§XXX.3(n)]” and the qualifying phrase “about a customer.” The regulatory definition of “nonpublic personal information” expressly requires such information to be “personally identifiable.” See, e.g., 12 C.F.R. §40.3(n)(1)(i). It is therefore consistent with the existing definition of customer information in the Guidelines to have the parallel definition of consumer information expressly include both modifiers: “personally identifiable” and “about an individual.” Consequently, ABA urges the agencies to change the proposed definition to begin as follows: “Consumer information means any personally identifiable record about an individual, …” Making this insertion in the final rule will clarify the agencies’ intent as expressed in the preamble, underscore the identity theft prevention goals of section 216 of the FACT Act, and realize the statutory direction to ensure that information security requirements under GLBA and the FACT Act are consistent.
Information from Consumer Reports
The agencies solicit comment on the definition’s use of the statutorily required phrase “derived from [a] consumer report[s]” as applied by examples in the preamble. ABA understands that the point of the examples and commentary is to capture as consumer information those personally identifiable records that (i) contain information extracted from a consumer report, (ii) combine information from a consumer report with information from other sources, and (iii) have lost their legal status as consumer reports by operation of affiliate sharing after opt-out under FCRA. ABA considers this scope to be a reasonable application of the statute’s intent in using “derived from consumer reports.”

ABA is concerned that the concept of “derived from consumer reports” could be applied to information that is so manipulated and removed from the sensitive information contained in the reports themselves as to have no relation to the legislation’s underlying purpose of preventing the compromise and misuse of a consumer’s identity. Exactly where this boundary lies is difficult to ascertain. As long as the revised Guidelines continue to couple consumer information with the risk assessment and control process for the disposal of customer information, ABA expects that agency examination for compliance with the Guidelines will be predicated on a prudent, risk-based judgment of the scope of information considered “derived from consumer reports.”
Proper Disposal
The proposal seeks comment on whether the use of “proper disposal” is sufficiently clear. ABA supports the proposed use of the term “proper disposal” in the revised Guidelines without further specification. The existing Guidelines have operated effectively without greater specification of the term “disposal.” There is no demonstrated reason to devise a more detailed definition that could spawn interpretive confusion and the regulatory burden that often results from additional verbiage. Indeed, the Federal Trade Commission’s proposed disposal rule illustrates the hazard. By including within its definition of disposal “the sale, donation, or transfer of any medium … upon which computer information is stored,” the FTC opened the door to comments seeking to dispel the notion that “disposal” included the sale, donation or transfer of consumer information itself—as opposed to the sale or transfer of the hardware that effectuated a disposal of the electronic records previously contained on such hardware. Accordingly, ABA supports the proposed simple reference to “proper disposal” as being adequate for the affected parties to understand the intended application.
Effective Date
ABA agrees with the agencies’ assumption that banks are already disposing of consumer information appropriately. Nevertheless, procedures that are formally described to comply with the existing Guidelines may require changes that expressly include the controls designed to cover consumer information as well as customer information. Updates to the formal systems, controls and audit protocols to incorporate the scope of “consumer information” must compete for implementation resources with other operational changes. Mandating satisfaction of the revised Guidelines within 90 days of Federal Register publication may defy the ability of some institutions that need to make the requisite formal changes to their programs, even when their current disposal practices are sufficiently protective.

In addition, under the proposed amendment to paragraph III of the existing Guidelines, an institution is required (as described in the preamble) to “broaden the scope of its risk assessment to include the assessment of the reasonably foreseeable internal and external threats associated with the methods it uses to dispose of ‘consumer information,’ and adjust its risk assessment in light of the relevant changes relating to such threats.” Such an evaluation does not occur overnight, even when the existing practices for information disposal are in reality broad enough to properly dispose of both consumer and customer information. Accordingly, ABA urges the agencies to allow 180 days for achieving compliance with the revised Guidelines. This modest extension of the compliance deadline will not undermine or impede the disposal practices that are already in place to protect consumer information throughout the banking industry.
Exemption Authority
ABA strongly urges all agencies to coordinate their exercise of jurisdiction under section 216 of the FACT Act to eliminate any discrepancy in disposal requirements, duplicative oversight, or enforcement redundancy with respect to the application of their respective final rules. Redundant regulation imposes undue compliance burdens on institutions by exposing them to conflicting oversight processes. For example, there is no reason for the FTC to apply its disposal rule to financial institutions that are subject to the banking agencies’ Guidelines. The banking industry is closely supervised for its information security systems through periodic examinations, while there are whole industries subject to FTC jurisdiction alone that have no similar comprehensive oversight. It is a misapplication of limited regulatory resources for the banking industry to be subject to unnecessary concurrent regulation. Despite well-intended efforts by the responsible agencies to coordinate regulatory text, the need for compliance officers to monitor another agency’s rule or interpretive guidance for consistency with that of the bank’s or savings association’s primary supervisor is an undue burden and a waste of valuable time when there are so many rules and regulations that deserve attention. Banks or savings associations whose subsidiaries or affiliates are subject to the Guidelines should be exempt from any overlapping regulatory jurisdiction under the authority provided in section 216(a)(3) of the FACT Act. Accordingly, ABA asks that the Federal banking agencies work with their sister financial regulators to implement corresponding exemptions to eliminate redundant regulatory regimes.
In conclusion, ABA supports the agencies’ proposal to integrate the FACT Act protections for disposal of consumer information into the established Guidelines for Safeguarding Customer Information and encourages them to adopt the improvements to their proposal recommended by these comments. We believe that the track record of the ABA, its members, and the banking industry at large demonstrates the commitment of America’s bankers to protect the confidentiality of consumer credit information and to guard against the real threat of identity theft.
Respectfully submitted,
Richard R. Riese
Senior Compliance Counsel