BANK OF AMERICA
July 23, 2004
Office of the Comptroller of the Currency
250 E Street, S.W.
Public Reference Room, Mail Stop 1-5
Washington, DC 20219
Attention: Docket No. 04-13
Jennifer J. Johnson, Secretary
Board of Governors of the Federal Reserve System
20th Street and Constitution Avenue, N.W.
Washington, D.C. 20551
Attention: Docket No. R-1199
Robert E. Feldman, Executive Secretary
Attention: Comments, Federal Deposit Insurance Corporation
550 17th Street, N.W.
Washington, D.C. 20429
Attention: RIN No. 3064-AC77
Regulation Comments, Chief Counsel's Office
Office of Thrift Supervision
1700 G Street, N.W.
Washington, D.C. 20552
Attention: No. 2004-26
Re: The FACT Act Disposal Rule
Ladies and Gentlemen:
Bank of America Corporation (Bank of America) welcomes the
opportunity to comment on the notice of proposed rulemaking (Proposed
Rule) and request for public comment by the Federal Deposit Insurance
Corporation, the Federal Reserve Board, the Office of the Comptroller
of the Currency, and the Office of Thrift Supervision (the
Agencies), published in the Federal Register on June 8, 2004 in
regard to the appropriate disposal of consumer report information.
Bank of America is one of the world's largest financial institutions,
serving individual consumers, small businesses and large corporations
with a full range of banking, investing, asset management and other
financial and risk-management products and services. The company
provides unmatched convenience in the United States, serving 33
million consumer relationships with 5,700 retail banking offices, more
than 16,000 ATMs and award-winning online banking with more than ten
million active users.
Section 628 of the Fair Credit Reporting Act (FCRA), as added by
section 216 of the Fair and Accurate Credit Transactions Act of 2003,
requires the Federal Trade Commission, the Agencies, the National
Credit Union Administration and the Securities and Exchange Commission
to prescribe regulations that require any person that maintains or
otherwise possesses consumer information, or any compilation of
consumer information, derived from consumer reports for a business
purpose to properly dispose of the information or compilation.1
Section 628 also directs the Agencies to ensure that these regulations
are consistent with the requirements and regulations issued under the Gramm-Leach-Bliley Act (GLBA) and other federal law.
The Proposed Rule would define "consumer information" as "any
record about an individual, whether in paper, electronic, or other
form, that is a consumer report or is derived from a consumer report
and that is maintained or otherwise possessed by or on behalf of
[financial institutions] for a business purpose."2 The Supplementary
Information to the Proposed Rule states that records that are derived
from consumer reports would include any information about a consumer
that is taken from a consumer report, but that records that do not
identify a particular consumer would not qualify as consumer
information.3 We support the proposed definition of consumer
information. This definition will allow financial institutions and
companies providing services to financial institutions to apply
consistent disposal procedures and, therefore, a consistent level of
protection for all consumer information nationwide. We urge the
Agencies to include an express statement that consumer information
only includes information that identifies a specific individual in the
final rule.
In order to implement section 628, the Proposed Rule would amend
the Agencies' FCRA rules and the Interagency Guidelines Establishing
Standards for Safeguarding Customer Information (Guidelines).4 The
Proposed Rule would add a new section to the FCRA rules that would
require financial institutions to "properly dispose of any consumer
information that [financial institutions] maintain or otherwise
possess in accordance with the [Guidelines]." The Guidelines,
promulgated pursuant to sections 501 and 505 of the GLBA, provide that
financial institutions must assess the risks to their customer
information and customer information systems and implement appropriate
security measures to control these risks. The Proposed Rule would
amend the Guidelines to require financial institutions to "[d]evelop,
implement, and maintain as part of [their] information security
program[s], appropriate measures to properly dispose of consumer
information in a manner consistent with the disposal of customer
information."5
We support the Agencies' determination that consumer information
should be disposed of in a manner consistent with disposal of
customer information under the Guidelines. This standard allows
institutions to employ risk assessment techniques and use different
standards and procedures as applicable for that institution. This
approach also meets the statutory mandate that the regulations be
consistent with those issued under the GLBA. Bank of America strongly
supports the Agencies' determination that the requirements for the
disposal of consumer information should be part of financial
institutions' larger information security programs.
Bank of America is concerned, however, about the obligation to once
again go out to all service providers and re-negotiate and amend
existing contracts with those service providers to specifically
address the new obligation to ensure proper disposal of consumer
information. Many institutions' overall information security programs,
and those they impose on their service providers, include elements for
disposal. With many service providers, the obligation to go back and
re-negotiate contracts is very large, time-consuming, and can result
in negative impacts on the institution's ability to obtain good
pricing or requests for give-backs from the service provider. If the
Agencies believe that it is necessary for institutions to include
specific language about disposal of consumer information in contracts
with service providers, we recommend that this obligation be
prospective only. In any event, the time period to complete any such
obligation to amend contracts with existing service providers should
be at least two years rather than the one-year period set forth in the
Proposed Rule.
Bank of America appreciates the opportunity to comment on the
Agencies' proposal. If you have any questions regarding our comments,
please contact Kathryn D. Kohler, Assistant General Counsel, at (704)
386-9644.
Very truly yours,
Kathryn D. Kohler
Assistant General Counsel
Bank of America
Charlotte, NC
1 FCRA §§ 628(a)(1)-(2).
2 69 Fed. Reg. at 31,918, 31,919, & 31,921.
3 Id. at 31,915.
4 Id. at 31,918, 31,919, 31,920 & 31,922.
5 69 Fed. Reg. at 31,918, 31,919, 31,921 & 31,922.