Federal Deposit
Insurance Corporation






FDIC Federal Register Citations

BANK OF AMERICA

July 23, 2004

Office of the Comptroller of the Currency
250 E Street, S.W.
Public Reference Room, Mail Stop 1-5
Washington, DC 20219
Attention: Docket No. 04-13

Jennifer J. Johnson, Secretary
Board of Governors of the Federal Reserve System
20th Street and Constitution Avenue, N.W.
Washington, D.C. 20551
Attention: Docket No. R-1199

Robert E. Feldman, Executive Secretary
Attention: Comments, Federal Deposit Insurance Corporation
550 17th Street, N.W.
Washington, D.C. 20429
Attention: RIN No. 3064-AC77

Regulation Comments, Chief Counsel's Office
Office of Thrift Supervision
1700 G Street, N.W.
Washington, D.C. 20552
Attention: No. 2004-26

Re: The FACT Act Disposal Rule

Ladies and Gentlemen:

Bank of America Corporation (“Bank of America”) welcomes the opportunity to comment on the notice of proposed rulemaking (“Proposed Rule”) and request for public comment by the Federal Deposit Insurance Corporation, the Federal Reserve Board, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision (the “Agencies”), published in the Federal Register on June 8, 2004 in regard to the appropriate disposal of consumer report information. Bank of America is one of the world's largest financial institutions, serving individual consumers, small businesses and large corporations with a full range of banking, investing, asset management and other financial and risk-management products and services. The company provides unmatched convenience in the United States, serving 33 million consumer relationships with 5,700 retail banking offices, more than 16,000 ATMs and award-winning online banking with more than ten million active users.

Section 628 of the Fair Credit Reporting Act (“FCRA”), as added by section 216 of the Fair and Accurate Credit Transactions Act of 2003, requires the Federal Trade Commission, the Agencies, the National Credit Union Administration and the Securities and Exchange Commission to prescribe regulations that require “any person that maintains or otherwise possesses consumer information, or any compilation of consumer information, derived from consumer reports for a business purpose” to properly dispose of the information or compilation.1 Section 628 also directs the Agencies to ensure that these regulations are consistent with the requirements and regulations issued under the Gramm-Leach-Bliley Act (“GLBA”) and other federal law.

The Proposed Rule would define “consumer information” as “any record about an individual, whether in paper, electronic, or other form, that is a consumer report or is derived from a consumer report and that is maintained or otherwise possessed by or on behalf of [financial institutions] for a business purpose.”2 The Supplementary Information to the Proposed Rule states that records that are “derived from consumer reports” would include any “information about a consumer that is taken from a consumer report,” but that records that do “not identify a particular consumer” would not qualify as “consumer information.”3 We support the proposed definition of “consumer information.” This definition will allow financial institutions and companies providing services to financial institutions to apply consistent disposal procedures and, therefore, a consistent level of protection for all consumer information nationwide. We urge the Agencies to include an express statement that “consumer information” only includes information that identifies a specific individual in the final rule.

In order to implement section 628, the Proposed Rule would amend the Agencies’ FCRA rules and the Interagency Guidelines Establishing Standards for Safeguarding Customer Information (“Guidelines”).4 The Proposed Rule would add a new section to the FCRA rules that would require financial institutions to “properly dispose of any consumer information that [financial institutions] maintain or otherwise possess in accordance with the [Guidelines].” The Guidelines, promulgated pursuant to sections 501 and 505 of the GLBA, provide that financial institutions must assess the risks to their customer information and customer information systems and implement appropriate security measures to control these risks. The Proposed Rule would amend the Guidelines to require financial institutions to “[d]evelop, implement, and maintain as part of [their] information security program[s], appropriate measures to properly dispose of consumer information in a manner consistent with the disposal of customer information.”5

We support the Agencies’ determination that “consumer information” should be disposed of in a manner consistent with disposal of “customer information” under the Guidelines. This standard allows institutions to employ risk assessment techniques and use different standards and procedures as applicable for that institution. This approach also meets the statutory mandate that the regulations be consistent with those issued under the GLBA. Bank of America strongly supports the Agencies’ determination that the requirements for the disposal of consumer information should be part of financial institutions’ larger information security programs.

Bank of America is concerned, however, about the obligation to once again go out to all service providers and re-negotiate and amend existing contracts with those service providers to specifically address the new obligation to ensure proper disposal of consumer information. Many institutions’ overall information security programs, and those they impose on their service providers, include elements for disposal. With many service providers, the obligation to go back and re-negotiate contracts is very large, time-consuming, and can result in negative impacts on the institutions’ ability to obtain good pricing or requests for “give-backs” from the service provider. If the Agencies believe that it is necessary for institutions to include specific language about disposal of consumer information in contracts with service providers, we recommend that this obligation be prospective only. In any event, the time period to complete any such obligation to amend contracts with existing service providers should be at least two years rather than the one-year period set forth in the Proposed Rule.

Bank of America appreciates the opportunity to comment on the Agencies’ proposal. If you have any questions regarding our comments, please contact Kathryn D. Kohler, Assistant General Counsel, at (704) 386-9644.

Very truly yours,

Kathryn D. Kohler
Assistant General Counsel
Bank of America
Charlotte, NC


1  FCRA §§ 628(a)(1)-(2).
2  69 Fed. Reg. at 31,918, 31,919, & 31,921.
3  Id. at 31,915.
4  Id. at 31,918, 31,919, 31,920 & 31,922.
5  69 Fed. Reg. at 31,918, 31,919, 31,921 & 31,922.
    

Last Updated 07/26/2004 regs@fdic.gov
