View PDF

The full text on this page is automatically extracted from the file linked above and may contain errors and inconsistencies.

l l★K

Federal Reserve Bank
of Dallas

March 5, 2001

DALLAS, TEXAS
75265-5906

Notice 01-22

TO: The Chief Executive Officer of each
financial institution and others concerned
in the Eleventh Federal Reserve District
SUBJECT
Interagency Guidelines Establishing
Standards for Safeguarding Customer Information
and Rescission of Year 2000 Standards
for Safety and Soundness
DETAILS
The Board of Governors of the Federal Reserve System, the Office of the Comptroller
of the Currency, the Federal Deposit Insurance Corporation, and the Office of Thrift Supervision
(collectively, the agencies) have published final guidelines establishing standards for safeguarding customer information. The guidelines implement sections 501 and 505(b) of the GrammLeach-Bliley Act.
Section 501 requires the agencies to establish appropriate standards for the financial
institutions subject to their respective jurisdictions relating to administrative, technical, and
physical safeguards for customer records and information. These safeguards will:

• Ensure the security and confidentiality of customer records and information;
• Protect against any anticipated threats or hazards to the security or integrity of
such records; and

• Protect against unauthorized access to or use of such records or information that
could result in substantial harm or inconvenience to any customer.
The standards will be implemented in the same manner, to the extent practicable, as standards
prescribed pursuant to section 39(a) of the Federal Deposit Insurance Act.

For additional copies, bankers and others are encouraged to use one of the following toll-free numbers in contacting the Federal
Reserve Bank of Dallas: Dallas Office (800) 333-4460; El Paso Branch Intrastate (800) 592-1631, Interstate (800) 351-1012;
Houston Branch Intrastate (800) 392-4162, Interstate (800) 221-0363; San Antonio Branch Intrastate (800) 292-5810.

-2-

Also, the agencies previously issued guidelines establishing Year 2000 safety and
soundness standards for insured depository institutions. Since the events for which these guidelines were issued have passed, the agencies have concluded that the guidelines are no longer
necessary; and they have been rescinded.
ATTACHMENT
A copy of the agencies’ notice as it appears on pages 8616–41, Vol. 66, No. 22 of the
Federal Register dated February 1, 2001, is attached.
MORE INFORMATION
For more information about standards for safeguarding customer information, please
contact Gary Krumm, Banking Supervision Department, at (214) 922-6218. For more information about rescission of the Year 2000 safety and soundness standards, please contact Ann
Worthy, Banking Supervision Department, at (214) 922-6156.
For additional copies of this Bank’s notice, contact the Public Affairs Department
at (214) 922-5254 or access District Notices on our web site at
http://www.dallasfed.org/banking/notices/index.html.

Thursday,
February 1, 2001

Part II

Department of the
Treasury
Office of the Comptroller of the
Currency
Office of Thrift Supervision

Federal Reserve System
Federal Deposit
Insurance Corporation
12 CFR Part 30, et al.
Interagency Guidelines Establishing
Standards for Safeguarding Customer
Information and Rescission of Year 2000
Standards for Safety and Soundness; Final
Rule

VerDate 11<MAY>2000

18:01 Jan 31, 2001

Jkt 194001

PO 00000

Frm 00001

Fmt 4717

Sfmt 4717

E:\FR\FM\01FER2.SGM

pfrm01

PsN: 01FER2

8616

Federal Register / Vol. 66, No. 22 / Thursday, February 1, 2001 / Rules and Regulations

[Docket No. 2000–112]

such records; and protect against
unauthorized access to or use of such
records or information that could result
in substantial harm or inconvenience to
any customer. The Agencies are to
implement these standards in the same
manner, to the extent practicable, as
standards prescribed pursuant to section
39(a) of the Federal Deposit Insurance
Act (FDI Act). These final Guidelines
implement the requirements described
above.
The Agencies previously issued
guidelines establishing Year 2000 safety
and soundness standards for insured
depository institutions pursuant to
section 39 of the FDI Act. Since the
events for which these guidelines were
issued have passed, the Agencies have
concluded that the guidelines are no
longer necessary and are rescinding
these guidelines.
EFFECTIVE DATE: The joint final rule is
effective July 1, 2001.
Applicability date: The Year 2000
Standards for Safety and Soundness are
no longer applicable as of March 5,
2001.

RIN 1550–AB36

FOR FURTHER INFORMATION CONTACT:

DEPARTMENT OF THE TREASURY
Office of the Comptroller of the
Currency
12 CFR Part 30
[Docket No. 00–35]
RIN 1557–AB84

FEDERAL RESERVE SYSTEM
12 CFR Parts 208, 211, 225, and 263
[Docket No. R–1073]

FEDERAL DEPOSIT INSURANCE
CORPORATION
12 CFR Parts 308 and 364
RIN 3064–AC39

DEPARTMENT OF THE TREASURY
Office of Thrift Supervision
12 CFR Parts 568 and 570

Interagency Guidelines Establishing
Standards for Safeguarding Customer
Information and Rescission of Year
2000 Standards for Safety and
Soundness
AGENCIES: The Office of the Comptroller
of the Currency (OCC), Treasury; Board
of Governors of the Federal Reserve
System (Board); Federal Deposit
Insurance Corporation (FDIC); and
Office of Thrift Supervision (OTS),
Treasury.
ACTION: Joint final rule.
SUMMARY: The Office of the Comptroller
of the Currency, Board of Governors of
the Federal Reserve System, Federal
Deposit Insurance Corporation, and
Office of Thrift Supervision
(collectively, the Agencies) are
publishing final Guidelines establishing
standards for safeguarding customer
information that implement sections
501 and 505(b) of the Gramm-LeachBliley Act (the G–L–B Act or Act).
Section 501 of the G-L-B Act requires
the Agencies to establish appropriate
standards for the financial institutions
subject to their respective jurisdictions
relating to administrative, technical, and
physical safeguards for customer
records and information. As described
in the Act, these safeguards are to:
insure the security and confidentiality
of customer records and information;
protect against any anticipated threats
or hazards to the security or integrity of

VerDate 11<MAY>2000

18:01 Jan 31, 2001

Jkt 194001

OCC
John Carlson, Deputy Director for
Bank Technology, (202) 874–5013; or
Deborah Katz, Senior Attorney,
Legislative and Regulatory Activities
Division, (202) 874–5090.
Board
Heidi Richards, Assistant Director,
Division of Banking Supervision and
Regulation, (202) 452–2598; Stephanie
Martin, Managing Senior Counsel, Legal
Division, (202) 452–3198; or Thomas E.
Scanlon, Senior Attorney, Legal
Division, (202) 452–3594. For the
hearing impaired only, contact Janice
Simms, Telecommunication Device for
the Deaf (TDD) (202) 452–3544, Board of
Governors of the Federal Reserve
System, 20th and C Streets, NW,
Washington, DC 20551.

The
contents of this preamble are listed in
the following outline:

SUPPLEMENTARY INFORMATION:

I. Background
II. Overview of Comments Received
III. Section-by-Section Analysis
IV. Regulatory Analysis
A. Paperwork Reduction Act
B. Regulatory Flexibility Act
C. Executive Order 12866
D. Unfunded Mandates Act of 1995

I. Background
On November 12, 1999, President
Clinton signed the G–L–B Act (Pub. L.
106–102) into law. Section 501, titled
‘‘Protection of Nonpublic Personal
Information’’, requires the Agencies, the
National Credit Union Administration,
the Securities and Exchange
Commission, and the Federal Trade
Commission to establish appropriate
standards for the financial institutions
subject to their respective jurisdictions
relating to the administrative, technical,
and physical safeguards for customer
records and information. As stated in
section 501, these safeguards are to: (1)
Insure the security and confidentiality
of customer records and information; (2)
protect against any anticipated threats
or hazards to the security or integrity of
such records; and (3) protect against
unauthorized access to or use of such
records or information that would result
in substantial harm or inconvenience to
any customer.
Section 505(b) of the G–L–B Act
provides that these standards are to be
implemented by the Agencies in the
same manner, to the extent practicable,
as standards prescribed pursuant to
section 39(a) of the FDI Act.1 Section
39(a) of the FDI Act authorizes the
Agencies to establish operational and
managerial standards for insured
depository institutions relative to,
among other things, internal controls,
information systems, and internal audit
systems, as well as such other
operational and managerial standards as
the Agencies determine to be
appropriate.2

FDIC
Thomas J. Tuzinski, Review
Examiner, Division of Supervision,
(202) 898–6748; Jeffrey M. Kopchik,
Senior Policy Analyst, Division of
Supervision, (202) 898–3872; or Robert
A. Patrick, Counsel, Legal Division,
(202) 898–3757.
OTS
Jennifer Dickerson, Manager,
Information Technology, Examination
Policy, (202) 906–5631; or Christine
Harrington, Counsel, Banking and
Finance, Regulations and Legislation
Division, (202) 906–7957.

PO 00000

Frm 00002

Fmt 4701

Sfmt 4700

1 Section 39 applies only to insure depository
institutions, including insured branches of foreign
banks. The Guidelines, however, will also apply to
certain uninsured institutions, such as bank holding
companies, certain nonbank subsidiaries of bank
holding companies and insured depository
institutions, and uninsured branches and agencies
of foreign banks. See sections 501 and 505(b) of the
G–L–B Act.
2 OTS has placed its information security
guidelines in appendix B to 12 CFR part 570, with
the provisions implementing section 39 of the FDI
Act. At the same time, OTS has adopted a
regulatory requirement that the institutions OTS
regulates comply with the proposed Guidelines.
Because information security guidelines are similar
to physical security procedures, OTS has included
a provision in 12 CFR part 568, which covers
primarily physical security procedures, requiring

E:\FR\FM\01FER2.SGM

pfrm01

PsN: 01FER2

Federal Register / Vol. 66, No. 22 / Thursday, February 1, 2001 / Rules and Regulations
II. Overview of Comments Received
On June 26, 2000, the Agencies
published for comment the proposed
Interagency Guidelines Establishing
Standards for Safeguarding Customer
Information and Rescission of Year 2000
Standards for Safety and Soundness in
the Federal Register (65 FR 39472). The
public comment period closed August
25, 2000. The Agencies collectively
received a total of 206 comments in
response to the proposal, although many
commenters sent copies of the same
letter to each of the Agencies. Those
combined comments included 49 from
banks, 7 from savings associations, 60
from financial institution holding
companies; 50 from financial institution
trade associations; 33 from other
business entities; and four from state
regulators. The Federal Reserve also
received comments from three Federal
Reserve Banks.
The Agencies invited comment on all
aspects of the proposed Guidelines,
including whether the rules should be
issued as guidelines or as regulations.
Commenters overwhelmingly supported
the adoption of guidelines, with many
commenters offering suggestions for
ways to improve the proposed
Guidelines as discussed below. Many
commenters cited the benefits of
flexibility and the drawbacks of
prescriptive requirements that could
become rapidly outdated as a result of
changes in technology.
The Agencies also requested
comments on the impact of the proposal
on community banks, recognizing that
community banks operate with more
limited resources than larger
institutions and may present a different
risk profile. In general, community
banks urged the Agencies to issue
guidelines that are not prescriptive, that
do not require detailed policies or
reporting by banks that share little or no
information outside the bank, and that
provide flexibility in the design of an
information security program. Some
community banks indicated that the
Guidelines are unnecessary because
they already have information security
programs in place. Others requested
clarification of the impact of the
Guidelines on banks that do not share
any information in the absence of a
customer’s consent.
In light of the comments received, the
Agencies have decided to adopt the
Guidelines, with several changes as
discussed below to respond to the
commenters’ suggestions. The
respective texts of the Agencies’
Guidelines are substantively identical.
compliance with the Guidelines in appendix B to
part 570.

VerDate 11<MAY>2000

18:01 Jan 31, 2001

Jkt 194001

In directing the Agencies to issue
standards for the protection of customer
records and information, Congress
provided that the standards apply to all
financial institutions, regardless of the
extent to which they may disclose
information to affiliated or nonaffiliated
third parties, electronically transfer data
with customers or third parties, or
record data electronically. Because the
requirements of the Act apply to a broad
range of financial institutions, the
Agencies believe that the Guidelines
must establish appropriate standards
that allow each institution the
discretion to design an information
security program that suits its particular
size and complexity and the nature and
scope of its activities. In many
instances, financial institutions already
will have information security programs
that are consistent with these
Guidelines, because key components of
the Guidelines were derived from
security-related supervisory guidance
previously issued by the Agencies and
the Federal Financial Institutions
Examination Council (FFIEC). In such
situations, little or no modification to an
institution’s program will be required.
Below is a section-by-section analysis
of the final Guidelines.
III. Section-by-Section Analysis
The discussion that follows applies to
each Agency’s Guidelines.
I. Introduction
Paragraph I. of the proposal set forth
the general purpose of the Guidelines,
which is to provide guidance to each
financial institution in establishing and
implementing administrative, technical,
and physical safeguards to protect the
security, confidentiality, and integrity of
customer information. This paragraph
also set forth the statutory authority for
the Guidelines, including section 39(a)
of the FDI Act (12 U.S.C. 1831p–1) and
sections 501 and 505(b) of the G–L–B
Act (15 U.S.C. 6801 and 6805(b) ). The
Agencies received no comments on this
paragraph, and have adopted it as
proposed.
I.A. Scope
Paragraph I.A. of the proposal
described the scope of the Guidelines.
Each Agency defined specifically those
entities within its particular scope of
coverage in this paragraph of the
Guidelines.
The Agencies received no comments
on the issue of which entities are
covered by the Guidelines, and have
adopted paragraph I.A. as proposed.

PO 00000

Frm 00003

Fmt 4701

Sfmt 4700

8617

I.B. Preservation of Existing Authority
Paragraph I.B. of the proposal made
clear that in issuing these Guidelines
none of the Agencies is, in any way,
limiting its authority to address any
unsafe or unsound practice, violation of
law, unsafe or unsound condition, or
other practice, including any condition
or practice related to safeguarding
customer information. As noted in the
preamble to the proposal, any action
taken by any Agency under section 39(a)
of the FDI Act and these Guidelines may
be taken independently of, in
conjunction with, or in addition to any
other enforcement action available to
the Agency. The Agencies received no
comments on this paragraph, and have
adopted paragraph I.B. as proposed.
I.C.1. Definitions
Paragraph I.C. set forth the definitions
of various terms for purposes of the
Guidelines.3 It also stated that terms
used in the Guidelines have the same
meanings as set forth in sections 3 and
39 of the FDI Act (12 U.S.C. 1813 and
1831p–1).
The Agencies received several
comments on the proposed definitions,
and have made certain changes as
discussed below. The Agencies also
have reordered proposed paragraph I.C.
so that the statement concerning the
reliance on sections 3 and 39(a) of the
FDI Act is now in paragraph I.C.1., with
the definitions appearing in paragraphs
I.C.2.a.-e. The defined terms have been
placed in alphabetical order in the final
Guidelines.
I.C.2.a. Board of Directors
The proposal defined ‘‘board of
directors’’ to mean, in the case of a
branch or agency of a foreign bank, the
managing official in charge of the
branch or agency.4 The Agencies
received no comments on this proposed
definition, and have adopted it without
change.
I.C.2.b. Customer
The proposal defined ‘‘customer’’ in
the same way as that term is defined in
section l.3(h) of the Agencies’ rule
captioned ‘‘Privacy of Consumer
Financial Information’’ (Privacy Rule).5
3 In addition to the definitions discussed below,
the Board’s Guidelines in 12 CFR parts 208 and 225
contain a definition of ‘‘subsidiary’’, which
described the state member bank and bank holding
company subsidiaries that are subject to the
Guidelines.
4 The OTS version of the Guidelines does not
include this definition because OTS does not
regulate foreign institutions. Paragraph I of the OTS
Guidelines has been renumbered accordingly.
6 See 65 FR 35162 (June 1, 2000). Citations to the
interagency Privacy Rule in this preamble are to

E:\FR\FM\01FER2.SGM

Continued

pfrm01

PsN: 01FER2

8618

Federal Register / Vol. 66, No. 22 / Thursday, February 1, 2001 / Rules and Regulations

The Agencies proposed to use this
definition in the Guidelines because
section 501(b) refers to safeguarding the
security and confidentiality of
‘‘customer’’ information. Given that
Congress used the same term for both
the 501(b) standards and for the sections
concerning financial privacy, the
Agencies have concluded that it is
appropriate to use the same definition
in the Guidelines that was adopted in
the Privacy Rule.
Under the Privacy Rule, a customer is
a consumer who has established a
continuing relationship with an
institution under which the institution
provides one or more financial products
or services to the consumer to be used
primarily for personal, family or
household purposes. ‘‘Customer’’ does
not include a business, nor does it
include a consumer who has not
established an ongoing relationship
with a financial institution (e.g., an
individual who merely uses an
institution’s ATM or applies for a loan).
See sectionsl.3(h) and (i) of the Privacy
Rule. The Agencies solicited comment
on whether the definition of ‘‘customer’’
should be broadened to provide a
common information security program
for all types of records under the control
of a financial institution.
The Agencies received many
comments on this definition, almost all
of which agreed with the proposed
definition. Although a few commenters
indicated they would apply the same
security program to both business and
consumer records, the vast majority of
commenters supported the use of the
same definition of ‘‘customer’’ in the
Guidelines as is used in the Privacy
Rule. They observed that the use of the
term ‘‘customer’’ in section 501 of the
G–L–B Act, when read in the context of
the definitions of ‘‘consumer’’ and
‘‘customer relationship’’ in section 509,
reflects the Congressional intent to
distinguish between certain kinds of
consumers for the information security
standards and the other privacy
provisions established under subtitle A
of Title V.
The Agencies have concluded that the
definition of ‘‘customer’’ used in the
Guidelines should be consistent with
the definition established in
sectionl.3(h) of the Privacy Rule. The
Agencies believe, therefore, that the
most reasonable interpretation of the
applicable provisions of subtitle A of
Title V of the Act is that a financial
institution is obligated to protect the
security and confidentiality of the
nonpublic personal information of its
sections only, leaving blank the citations to the part
numbers used by each agency.

VerDate 11<MAY>2000

18:01 Jan 31, 2001

Jkt 194001

consumers with whom it has a customer
relationship. As a practical manner, a
financial institution may also design or
implement its information security
program in a manner that encompasses
the records and information of its other
consumers and its business clients.6
I.C.2.c. Customer Information
The proposal defined ‘‘customer
information’’ as any records containing
nonpublic personal information, as
defined in sectionl.3(n) of the Privacy
Rule, about a customer. This included
records, data, files, or other information
in paper, electronic, or other form that
are maintained by any service provider
on behalf of an institution. Although
section 501(b) of the G–L–B Act refers
to the protection of both customer
‘‘records’’ and ‘‘information’’, for the
sake of simplicity, the proposed
Guidelines used the term ‘‘customer
information’’ to encompass both
information and records.
The Agencies received several
comments on this definition. The
commenters suggested that the proposed
definition was too broad because it
included files ‘‘containing’’ nonpublic
personal information. The Agencies
believe, however, that a financial
institution’s security program must
apply to files that contain nonpublic
personal information in order to
adequately protect the customer’s
information. In deciding what level of
protection is appropriate, a financial
institution may consider the fact that a
given file contains very little nonpublic
personal information, but that fact
would not render the file entirely
beyond the scope of the Guidelines.
Accordingly, the Agencies have adopted
6 The Agencies recognize that ‘‘customer’’ is
defined more broadly under Subtitle B of Title V
of the Act, which, in general, makes it unlawful for
any person to obtain or attempt to obtain customer
information of a financial institution by making
false, fictitious, or fraudulent statements. For the
purpose of that subtitle, the term ‘‘customer’’ means
‘‘any person (or authorized representative of a
person) to whom the financial institution provides
a product or service, including that of acting as a
fiduciary.’’ (See section 527(1) of the Act.) In light
of the statutory mandate to ‘‘prescribe such
revisions to such regulations and guidelines as may
be necessary to ensure that such financial
institutions have policies, procedures, and controls
in place to prevent the unauthorized disclosure of
customer financial information’’ (section 525), the
Agencies considered modifying these Guidelines to
cover other customers, namely, business entities
and individuals who obtain financial products and
services for purposes other than personal, family, or
household purposes. The Agencies have concluded,
however, that defining ‘‘customer’’ to accommodate
the range of objectives set forth in Title V of the Act
is unnecessary. Instead, the Agencies have included
a new paragraph III.C.1.a, described below, and
plan to issue guidance and other revisions to the
applicable regulations, as may be necessary, to
satisfy the requirements of section 525 of the Act.

PO 00000

Frm 00004

Fmt 4701

Sfmt 4700

a definition of ‘‘customer record’’ that is
substantively the same as the proposed
definition. The Agencies have, however,
deleted the reference to ‘‘data, files, or
other information’’ from the final
Guidelines, since each is included in
the term ‘‘records’’ and also is covered
by the reference to ‘‘paper, electronic, or
other form’’.
I.C.2.d. Customer Information System
The proposal defined ‘‘customer
information system’’ to be electronic or
physical methods used to access,
collect, store, use, transmit, or protect
customer information. The Agencies
received a few comments on this
definition, mostly from commenters
who stated that it is too broad. The
Agencies believe that the definition
needs to be sufficiently broad to protect
all customer information, wherever the
information is located within a financial
institution and however it is used.
Nevertheless, the broad scope of the
definition of ‘‘customer information
system’’ should not result in an undue
burden because, in other important
respects, the Guidelines allow a high
degree of flexibility for each institution
to design a security program that suits
its circumstances.
For these reasons, the Agencies have
adopted the definition of ‘‘customer
information system’’ largely as
proposed. However, the phrase
‘‘electronic or physical’’ in the proposal
has been deleted because each is
included in the term ‘‘any methods’’.
The Agencies also have added a specific
reference to records disposal in the
definition of ‘‘customer information
system.’’ This is consistent with the
proposal’s inclusion of access controls
in the list of items a financial institution
is to consider when establishing
security policies and procedures (see
discussion of paragraph III.C.1.a.,
below), given that inadequate disposal
of records may result in identity theft or
other misuse of customer information.
Under the final Guidelines, a financial
institution’s responsibility to safeguard
customer information continues through
the disposal process.
I.C.2.e. Service Provider
The proposal defined a ‘‘service
provider’’ as any person or entity that
maintains or processes customer
information for a financial institution,
or is otherwise granted access to
customer information through its
provision of services to an institution.
One commenter urged the Agencies to
modify this definition so that it would
not include a financial institution’s
attorneys, accountants, and appraisers.
Others suggested deleting the phrase ‘‘or

E:\FR\FM\01FER2.SGM

pfrm01

PsN: 01FER2

Federal Register / Vol. 66, No. 22 / Thursday, February 1, 2001 / Rules and Regulations
is otherwise granted access to customer
information through its provision of
services to an institution’’.
The Agencies believe that the Act
requires each financial institution to
adopt a comprehensive information
security program that is designed to
protect against unauthorized access to
or use of customers’ nonpublic personal
information. Disclosing information to a
person or entity that provides services
to a financial institution creates
additional risks to the security and
confidentiality of the information
disclosed. In order to protect against
these risks, a financial institution must
take appropriate steps to protect
information that it provides to a service
provider, regardless of who the service
provider is or how the service provider
obtains access. The fact that an entity
obtains access to customer information
through, for instance, providing
professional services does not obviate
the need for the financial institution to
take appropriate steps to protect the
information. Accordingly, the Agencies
have determined that, in general, the
term ‘‘service provider’’ should be
broadly defined to encompass a variety
of individuals or companies that
provide services to the institution.
This does not mean, however, that a
financial institution’s methods for
overseeing its service provider
arrangements will be the same for every
provider. As explained in the discussion
of paragraph III.D., a financial
institution’s oversight responsibilities
will be shaped by the institution’s
analysis of the risks posed by a given
service provider. If a service provider is
subject to a code of conduct that
imposes a duty to protect customer
information consistent with the
objectives of these Guidelines, a
financial institution may take that duty
into account when deciding what level
of oversight it should provide.
Moreover, a financial institution will
be responsible under the final
Guidelines for overseeing its service
provider arrangements only when the
service is provided directly to the
financial institution. The Agencies
clarified this point by amending the
definition of ‘‘service provider’’ in the
final Guidelines to state that it applies
only to a person or entity that
maintains, processes, or otherwise is
permitted access to customer
information through its provision of
services directly to the financial
institution. Thus, for instance, a
payment intermediary involved in the
collection of a check but that has no
correspondent relationship with a
financial institution would not be
considered a service provider of that

VerDate 11<MAY>2000

18:01 Jan 31, 2001

Jkt 194001

financial institution under this rule. By
contrast, a financial institution’s
correspondent bank would be
considered its service provider.
Nevertheless, the financial institution
may take into account the fact that the
correspondent bank is itself a financial
institution that is subject to security
standards under section 501(b) when it
determines the appropriate level of
oversight for that service provider.7
In situations where a service provider
hires a subservicer,8 the subservicer
would not be a ‘‘service provider’’ under
the final Guidelines. The Agencies
recognize that it would be inappropriate
to impose obligations on a financial
institution to select and monitor
subservicers in situations where the
financial institution has no contractual
relationship with that person or entity.
When conducting due diligence in
selecting its service providers (see
discussion of paragraph III.D., below),
however, a financial institution must
determine that the service provider has
adequate controls to ensure that the
subservicer will protect the customer
information in a way that meets the
objectives of these Guidelines.
II. Standards for Safeguarding Customer
Information
II.A. Information Security Program
The proposed Guidelines described
the Agencies’ expectations for the
creation, implementation, and
maintenance of a comprehensive
information security program. As noted
in the proposal, this program must
include administrative, technical, and
physical safeguards appropriate to the
size and complexity of the institution
and the nature and scope of its
activities.
Several commenters representing
large and complex organizations were
concerned that the term
‘‘comprehensive information security
program’’ required a single and uniform
document that must apply to all
component parts of the organization. In
response, the Agencies note that a
program that includes administrative,
technical, and physical safeguards will,
in many instances, be composed of more
than one document. Moreover, use of
this term does not require that all parts
7 Similarly, in the case of a service provider that
is not subject to these Guidelines but is subject to
standards adopted by its primary regulator under
section 501(b) of the G–L–B Act, a financial
institution may take that fact into consideration
when deciding what level of oversight is
appropriate for that service provider.
8 The term ‘‘subservicer’’ means any person who
has access to an institution’s customer information
through its provision of services to the service
provider and is not limited to mortgage
subservicers.

PO 00000

Frm 00005

Fmt 4701

Sfmt 4700

8619

of an organization implement a uniform
program. However, the Agencies will
expect an institution to coordinate all
the elements of its information security
program. Where the elements of the
program are dispersed throughout the
institution, management should be
aware of these elements and their
locations. If they are not maintained on
a consolidated basis, management
should have an ability to retrieve the
current documents from those
responsible for the overall coordination
and ongoing evaluation of the program.
The Board received comment on its
proposal to revise the appendix to
Regulation Y regarding the provision
that would require a bank holding
company to ensure that each of its
subsidiaries is subject to a
comprehensive information security
program.9 This comment urged the
Board to eliminate that provision and
argued, in part, that the requirement
assumes that a bank holding company
has the power to impose such controls
upon its subsidiary companies. These
commenters recommended, instead, that
the standards should be limited to
customer information in the possession
or control of the bank holding company.
Under the Bank Holding Company
Act of 1956 and the Board’s Regulation
Y, a subsidiary is presumed to be
controlled directly or indirectly by the
holding company. 12 U.S.C. 1841(d); 12
CFR 225.2(o). Moreover, the Board
believes that a bank holding company is
ultimately responsible for ensuring that
its subsidiaries comply with the
standards set forth under these
Guidelines. The Board recognizes,
however, that a bank holding company
may satisfy its obligations under section
501 of the GLB Act through a variety of
measures, such as by including a
subsidiary within the scope of its
information security program or by
causing the subsidiary to implement a
separate information security program
in accordance with these Guidelines.
II.B. Objectives
Paragraph II.B. of the proposed
Guidelines described the objectives that
each financial institution’s information
security program should be designed to
achieve. These objectives tracked the
objectives as stated in section 501(b)(1)–
(3), adding only that the security
9 The appendix provided that the proposed
Guidelines would be applicable to customer
information maintained by or on behalf of bank
holding companies and their nonbank subsidiaries
or affiliates (except brokers, dealers, persons
providing insurance, investment companies, and
investment advisors) for which the Board has
supervisory authority. See 65 FR 39484 (June 26,
2000).

E:\FR\FM\01FER2.SGM

pfrm01

PsN: 01FER2

8620

Federal Register / Vol. 66, No. 22 / Thursday, February 1, 2001 / Rules and Regulations

program is to protect against
unauthorized access that could risk the
safety and soundness of the institution.
The Agencies requested comment on
whether there are additional or
alternative objectives that should be
included in the Guidelines.
The Agencies received several
comments on this proposed paragraph,
most of which objected to language that,
in the commenters’ view, required
compliance with objectives that were
impossible to meet. Many commenters
stated, for instance, that no information
security program can ensure that there
will be no problems with the security or
confidentiality of customer information.
Others criticized the objective that
required protection against any
anticipated threat or hazard. A few
commenters questioned the objective of
protecting against unauthorized access
that could result in inconvenience to a
customer, while others objected to the
addition of the safety and soundness
standard noted above.
The Agencies do not believe the
statute mandates a standard of absolute
liability for a financial institution that
experiences a security breach. Thus, the
Agencies have clarified these objectives
by stating that each security program is
to be designed to accomplish the
objectives stated. With the one
exception discussed below, the
Agencies have otherwise left unchanged
the statement of the objectives, given
that these objectives are identical to
those set out in the statute.
In response to comments that objected
to the addition of the safety and
soundness standard, the Agencies have
deleted that reference in order to make
the statement of objectives identical to
the objectives identified in the statute.
The Agencies believe that risks to the
safety and soundness of a financial
institution may be addressed through
other supervisory or regulatory means,
making it unnecessary to expand the
statement of objectives in this
rulemaking.
Some commenters asked for
clarification of a financial institution’s
responsibilities when a customer
authorizes a third party to access that
customer’s information. For purposes of
the Guidelines, access to or use of
customer information is not
‘‘unauthorized’’ access if it is done with
the customer’s consent. When a
customer gives consent to a third party
to access or use that customer’s
information, such as by providing the
third party with an account number,
PIN, or password, the Guidelines do not
require the financial institution to
prevent such access or monitor the use
or redisclosure of the customer’s

VerDate 11<MAY>2000

18:01 Jan 31, 2001

Jkt 194001

information by the third party. Finally,
unauthorized access does not mean
disclosure pursuant to one of the
exceptions in the Privacy Rule.
III. Develop and Implement Information
Security Program
III.A. Involve the Board of Directors
Paragraph III.A. of the proposal
described the involvement of the board
and management in the development
and implementation of an information
security program. As explained in the
proposal, the board’s responsibilities are
to: (1) Approve the institution’s written
information security policy and
program; and (2) oversee efforts to
develop, implement, and maintain an
effective information security program,
including reviewing reports from
management. The proposal also laid out
management’s responsibilities for
developing, implementing, and
maintaining the security program.
The Agencies received a number of
comments regarding the requirement of
board approval of the information
security program. Some commenters
stated that each financial institution
should be allowed to decide for itself
whether to obtain board approval of its
program. Others suggested that approval
by either a board committee or at the
holding company level might be
appropriate. Still others suggested
modifying the Guidelines to require
only that the board approve the initial
information security program and
delegate subsequent review and
approval of the program to either a
committee or an individual.
The Agencies believe that a financial
institution’s overall information security
program is critical to the safety and
soundness of the institution. Therefore,
the final Guidelines continue to place
responsibility on an institution’s board
to approve and exercise general
oversight over the program. However,
the Guidelines allow the entire board of
a financial institution, or an appropriate
committee of the board to approve the
institution’s written security program.
In addition, the Guidelines permit the
board to assign specific implementation
responsibilities to a committee or an
individual.
One commenter suggested that the
Guidelines be revised to provide that if
a holding company develops, approves,
and oversees the information security
program that applies to its bank and
nonbank subsidiaries, there should be
no separate requirement for each
subsidiary to do the same thing, as long
as those subsidiaries agree to abide by
the holding company’s security
program. The Agencies agree that

PO 00000

Frm 00006

Fmt 4701

Sfmt 4700

subsidiaries within a holding company
can use the security program developed
at the holding company level. However,
if subsidiary institutions choose to use
a security program developed at the
holding company level, the board of
directors or an appropriate committee at
each subsidiary institution must
conduct an independent review to
ensure that the program is suitable and
complies with the requirements
prescribed by the subsidiary’s primary
regulator. See 12 U.S.C. 505. Once the
subsidiary institution’s board, or a
committee thereof, has approved the
security program, it must oversee the
institution’s efforts to implement and
maintain an effective program.
The Agencies also received comments
suggesting that use of the term
‘‘oversee’’ conveyed the notion that a
board is expected to be involved in dayto-day monitoring of the development,
implementation, and maintenance of an
information security program. The
Agencies’ use of the term ‘‘oversee’’ is
meant to convey a board’s conventional
supervisory responsibilities. Day-to-day
monitoring of any aspect of an
information security program is a
management responsibility. The final
Guidelines reflect this by providing that
the board must oversee the institution’s
information security program but may
assign specific responsibility for its
implementation.
The Agencies invited comment on
whether the Guidelines should require
that the board designate a Corporate
Information Security Officer or other
responsible individual who would have
the authority, subject to the board’s
approval, to develop and administer the
institution’s information security
program. The Agencies received a
number of comments suggesting that the
Agencies should not require the creation
of a new position for this purpose. Some
financial institutions also stated that
hiring one or more additional staff for
this purpose would impose a significant
burden. The Agencies believe that a
financial institution will not need to
create a new position with a specific
title for this purpose, as long as the
institution has adequate staff in light of
the risks to its customer information.
Regardless of whether new staff are
added, the lines of authority and
responsibility for development,
implementation, and administration of a
financial institution’s information
security program need to be well
defined and clearly articulated.10
10 The Agencies note that other regulations
already require a financial institution to designate
a security officer for different purposes. See 12 CFR
21.2; 12 CFR 208.61(b).

E:\FR\FM\01FER2.SGM

pfrm01

PsN: 01FER2

Federal Register / Vol. 66, No. 22 / Thursday, February 1, 2001 / Rules and Regulations
The proposal identified three
responsibilities of management in the
development of an information security
program. They were to: (1) Evaluate the
impact on a financial institution’s
security program of changing business
arrangements and changes to customer
information systems; (2) document
compliance with these Guidelines; and
(3) keep the board informed of the
overall status of the institution’s
information security program. A few
commenters objected to the Agencies
assigning specific tasks to management.
These commenters did not object to the
tasks per se, but suggested that the
Agencies allow an institution’s board
and management to decide who within
the institution is to carry out the tasks.
The Agencies agree that a financial
institution is in the best position to
determine who should be assigned
specific roles in implementing the
institution’s security program.
Accordingly, the Agencies have deleted
the separate provision assigning specific
roles to management. The
responsibilities that were contained in
this provision are now included in other
paragraphs of the Guidelines.
III.B. Assess Risk
Paragraph III.B. of the proposal
described the risk assessment process to
be used in the development of the
information security program. Under the
proposal, a financial institution was to
identify and assess the risks to customer
information. As part of that assessment,
the institution was to determine the
sensitivity of the information and the
threats to the institution’s systems. The
institution also was to assess the
sufficiency of its policies, procedures,
systems, and other arrangements in
place to control risk. Finally, the
institution was to monitor, evaluate, and
adjust its risk assessment in light of
changes in areas identified in the
proposal.
The Agencies received several
comments on these provisions, most of
which focused on the requirement that
financial institutions do a sensitivity
analysis. One commenter noted that
‘‘customer information’’ is defined to
mean ‘‘nonpublic personal information’’
as defined in the G–L–B Act, and that
the G–L–B Act provides the same level
of coverage for all nonpublic personal
information. The commenter stated that
it is therefore unclear how the level of
sensitivity would affect an institution’s
obligations with respect to the security
of this information.
While the Agencies agree that all
customer information requires
protection, the Agencies believe that
requiring all institutions to afford the

VerDate 11<MAY>2000

18:01 Jan 31, 2001

Jkt 194001

same degree of protection to all
customer information may be
unnecessarily burdensome in many
cases. Accordingly, the final Guidelines
continue to state that institutions should
take into consideration the sensitivity of
customer information. Disclosure of
certain information (such as account
numbers or access codes) might be
particularly harmful to customers if the
disclosure is not authorized. Individuals
who try to breach the institution’s
security systems may be likely to target
this type of information. When such
information is housed on systems that
are accessible through public
telecommunications networks, it may
require more and different protections,
such as encryption, than if it were
located in a locked file drawer. To
provide flexibility to respond to these
different security needs in the way most
appropriate, the Guidelines confer upon
institutions the discretion to determine
the levels of protection necessary for
different categories of information.
Institutions may treat all customer
information the same, provided that the
level of protection is adequate for all the
information.
Other commenters suggested that the
risk assessment requirement be tied to
reasonably foreseeable risks. The
Agencies agree that the security program
should be focused on reasonably
foreseeable risks and have amended the
final Guidelines accordingly.
The final Guidelines make several
other changes to this paragraph to
improve the order of the Guidelines and
to eliminate provisions that were
redundant in light of responsibilities
outlined elsewhere. For instance, while
the proposal stated that the risk
assessment function included the need
to monitor for relevant changes to
technology, sensitivity of customer
information, and threats to information
security and make adjustments as
needed, that function has been
incorporated into the discussion of
managing and controlling risk in
paragraphs III.C.3. and III.E.
Thus, under the Guidelines as
adopted, a financial institution should
identify the reasonably foreseeable
internal and external threats that could
result in unauthorized disclosure,
misuse, alteration, or destruction of
customer information or customer
information systems. Next, the risk
assessment should consider the
potential damage that a compromise of
customer information from an identified
threat would have on the customer
information, taking into consideration
the sensitivity of the information to be
protected in assessing the potential
damage. Finally, a financial institution

PO 00000

Frm 00007

Fmt 4701

Sfmt 4700

8621

should conduct an assessment of the
sufficiency of existing policies,
procedures, customer information
systems, and other arrangements
intended to control the risks it has
identified.
III.C. Manage and Control Risk
Paragraph III.C. describes the steps an
institution should take to manage and
the control risks identified in paragraph
III.B.
Establish policies and procedures
(III.C.1.). Paragraph III.C.1 of the
proposal described the elements of a
comprehensive risk management plan
designed to control identified risks and
to achieve the overall objective of
ensuring the security and
confidentiality of customer information.
It identified eleven factors an institution
should consider in evaluating the
adequacy of its policies and procedures
to effectively manage these risks.
The Agencies received a large number
of comments on this paragraph. Most of
the comments were based on a
perception that every institution would
have to adopt every security measure
listed in proposed III.C.1.a.-k. as part of
the institution’s policies and
procedures. In particular, a number of
commenters were concerned that the
proposed Guidelines would require the
encryption of all customer data.
The Agencies did not intend for the
security measures listed in paragraph
III.C.1. to be seen as mandatory for all
financial institutions and for all data.
Rather, the Agencies intended only that
an institution would consider whether
the protections listed were appropriate
for the institution’s particular
circumstances, and, if so, adopt those
identified as appropriate. The Agencies
continue to believe that these elements
may be adapted by institutions of
varying sizes, scope of operations, and
risk management structures. Consistent
with that approach, the manner of
implementing a particular element may
vary from institution to institution. For
example, while a financial institution
that offers Internet-based transaction
accounts may conclude that encryption
is appropriate, a different institution
that processes all data internally and
does not have a transactional web site
may consider other kinds of access
restrictions that are adequate to
maintain the confidentiality of customer
information. To underscore this point,
the final Guidelines have been amended
to state that each financial institution
must consider whether the security
elements discussed in paragraphs
III.C.1.a.-h. are appropriate for the
institution and, if so, adopt those

E:\FR\FM\01FER2.SGM

pfrm01

PsN: 01FER2

8622

Federal Register / Vol. 66, No. 22 / Thursday, February 1, 2001 / Rules and Regulations

elements an institution concludes are
appropriate.
The Agencies invited comment on the
degree of detail that should be included
in the Guidelines regarding the risk
management program, including which
elements should be specified in the
Guidelines, and any other components
of a risk management program that
should be listed. With the exception of
those commenters who thought some or
all of the elements of the risk
management program were intended to
be mandatory for all financial
institutions, the comments supported
the level of detail conveyed in the
proposed Guidelines. The Agencies
have adopted the provision regarding
management and control of risks with
the changes discussed below. Comments
addressing proposed security measures
that have been adopted without change
also are discussed below.
Access rights. The Agencies received
a number of comments suggesting that
the reference to ‘‘access rights to
customer information’’ in paragraph
III.C.1.a. of the proposal could be
interpreted to mean providing
customers with a right of access to
financial information. The reference was
intended to refer to limitations on
employee access to customer financial
information, not to customer access to
financial information. However, this
element has been deleted since
limitations on employee access are
covered adequately in other parts of
paragraph III.C.1. (See discussion of
‘‘access controls’’ in paragraph III.C.1.a.
of the final Guidelines, below.)
Access controls. Paragraph III.C.1.b. of
the proposed Guidelines required a
financial institution to consider
appropriate access controls when
establishing its information security
policies and procedures. These controls
were intended to address unauthorized
access to an institution’s customer
information by anyone, whether or not
employed by the institution.
The Agencies believe that this
element sufficiently addresses the
concept of unauthorized access,
regardless of who is attempting to obtain
access. This would cover, for instance,
attempts through pretext calling to
gather information about a financial
institution’s customers.11 The Agencies
have amended the final Guidelines to
refer specifically to pretext calling in
new III.C.1.a. The Agencies do not
intend for the final Guidelines to require
a financial institution to provide its
customers with access to information
11 Pretext calling is a fraudulent means of
obtaining an individual’s personal information by
persons posing as bank customers.

VerDate 11<MAY>2000

18:01 Jan 31, 2001

Jkt 194001

the institution has gathered. Instead, the
provision in the final Guidelines
addressing access is limited solely to the
issue of preventing unauthorized access
to customer information.
The Agencies have deleted the
reference in the proposed paragraph
III.C.1.b. to providing access to
authorized companies. This change was
made partly in response to commenters
who objected to what they perceived to
be an inappropriate expansion of the
scope of the Guidelines to include
company records and partly in
recognition of the fact that access to
records would be obtained, in any case,
only through requests by individuals.
The final Guidelines require an
institution to consider the need for
access controls in light of the
institution’s various customer
information systems and adopt such
controls as appropriate.
Dual control procedures. Paragraph
III.C.1.f. of the proposed Guidelines
stated that financial institutions should
consider dual control procedures,
segregation of duties, and employee
background checks for employees with
responsibility for, or access to, customer
information. Most of the comments on
this paragraph focused on dual control
procedures, which refers to a security
technique that uses two or more
separate persons, operating together to
protect sensitive information. Both
persons are equally responsible for
protecting the information and neither
can access the information alone.
According to one commenter, dual
controls are part of normal audit
procedures and did not need to be
restated. Other commenters suggested
that dual control procedures are not
always necessary, implying that these
procedures are not the norm. The
Agencies recognize that dual-control
procedures are not necessary for all
activities, but might be appropriate for
higher-risk activities. Given that the
Guidelines state only that dual control
procedures should be considered by a
financial institution and adopted only if
appropriate for the institution, the
Agencies have retained a reference to
dual control procedures in the items to
be considered (paragraph III.C.1.e).
Oversight of servicers. Paragraph
III.C.1.g. of the proposal was deleted.
Instead, the final Guidelines consolidate
the provisions related to service
providers in paragraph III.D.
Physical hazards and technical
failures. The paragraphs of the proposed
Guidelines addressing protection
against destruction due to physical
hazards and technological failures
(paragraphs III.C.1.j. and k.,
respectively, of the proposal) have been

PO 00000

Frm 00008

Fmt 4701

Sfmt 4700

consolidated in paragraph III.C.1.h. of
the final Guidelines. The Agencies
believe that this change improves clarity
and recognizes that disaster recovery
from environmental and technological
failures often involve the same
considerations.
Training (III.C.2.). Paragraph III.C.2. of
the proposed Guidelines provided that
an institution’s information security
program should include a training
component designed to train employees
to recognize, respond to, and report
unauthorized attempts to obtain
customer information. The Agencies
received several comments suggesting
that this provision directed staff of
financial institutions to report suspected
attempts to obtain customer information
to law enforcement agencies rather than
to the management of the financial
institution. The Agencies did not intend
that result, and note that nothing in the
Guidelines alters other applicable
requirements and procedures for
reporting suspicious activities. For
purposes of these Guidelines, the
Agencies believe that, as part of a
training program, staff should be made
aware both of federal reporting
requirements and an institution’s
procedures for reporting suspicious
activities, including attempts to obtain
access to customer information without
proper authority.
The final Guidelines amend the
provision governing training to state
that a financial institution’s information
security program should include a
training component designed to
implement the institution’s information
security policies and procedures. The
Agencies believe that the appropriate
focus for the training should be on
compliance with the institution’s
security program generally and not just
on the limited aspects identified in
proposed III.C.2. The provisions
governing reporting have been moved to
paragraph III.C.1.g., which addresses
response programs in general.
Testing (III.C.3.). Paragraph III.C.3. of
the proposed Guidelines provided that
an information security program should
include regular testing of key controls,
systems, and procedures. The proposal
provided that the frequency and nature
of the testing should be determined by
the risk assessment and adjusted as
necessary to reflect changes in both
internal and external conditions. The
proposal also provided that the tests are
to be conducted, where appropriate, by
independent third parties or staff
independent of those that develop or
maintain the security program. Finally,
the proposal stated that test results are
to be reviewed by independent third
parties or staff independent of those that

E:\FR\FM\01FER2.SGM

pfrm01

PsN: 01FER2

Federal Register / Vol. 66, No. 22 / Thursday, February 1, 2001 / Rules and Regulations
conducted the test. The Agencies
requested comment on whether specific
types of security tests, such as
penetration tests or intrusion detection
tests, should be required.
The most frequent comment regarding
testing of key controls was that the
Agencies should not require specific
tests. Commenters noted that because
technology changes rapidly, the tests
specified in the Guidelines will become
obsolete and other tests will become the
standard. Consequently, according to
these commenters, the Guidelines
should identify areas where testing may
be appropriate without requiring a
financial institution to implement a
specific test or testing procedure.
Several commenters noted that periodic
testing of information security controls
is a sound idea and is an appropriate
standard for inclusion in these
Guidelines.
The Agencies believe that a variety of
tests may be used to ensure the controls,
systems, and procedures of the
information security program work
properly and also recognize that such
tests will progressively change over
time. The Agencies believe that the
particular tests that may be applied
should be left to the discretion of
management rather than specified in
advance in these Guidelines.
Accordingly, the final Guidelines do not
require a financial institution to apply
specific tests to evaluate the key control
systems of its information security
program.
The Agencies also invited comment
regarding the appropriate degree of
independence that should be specified
in the Guidelines in connection with the
testing of information security systems
and the review of test results. The
proposal asked whether the tests or
reviews of tests be conducted by
persons who are not employees of the
financial institution. The proposal also
asked whether employees may conduct
the testing or may review test results,
and what measures, if any, are
appropriate to assure their
independence.
Some commenters interpreted the
proposal as requiring three separate
teams of people to provide sufficient
independence to control testing: one
team to operate the system; a second
team to test the system; and a third team
to review test results. This approach,
they argued, would be too burdensome
and expensive to implement. The
Agencies believe that the critical need
for independence is between those who
operate the systems and those who
either test them or review the test
results. Therefore, the final Guidelines
now require that tests should be

VerDate 11<MAY>2000

18:01 Jan 31, 2001

Jkt 194001

conducted or reviewed by persons who
are independent of those who operate
the systems, including the management
of those systems.
Whether a financial institution should
use third parties to either conduct tests
or review their results depends upon a
number of factors. Some financial
institutions may have the capability to
thoroughly test certain systems in-house
and review the test results but will need
the assistance of third party testers to
assess other systems. For example, an
institution’s internal audit department
may be sufficiently trained and
independent for the purposes of testing
certain key controls and providing test
results to decision makers independent
of system managers. Some testing may
be conducted by third parties in
connection with the actual installation
or modification of a particular program.
In each instance, management needs to
weigh the benefits of testing and test
review by third parties against its own
resources in this area, both in terms of
expense and reliability.
Ongoing adjustment of program.
Paragraph III.C.4. of the proposal
required an institution to monitor,
evaluate and adjust, as appropriate, the
information security program in light of
any relevant changes in technology, the
sensitivity of its customer information,
and internal or external threats to
information security. This provision
was previously located in the paragraph
titled ‘‘Manage and Control Risk’’.
While there were no comments on this
provision, the Agencies wanted to
highlight this concept and clarify that
this provision is applicable to an
institutions’ entire information security
program. Therefore, this provision is
now separately identified as new
paragraph III.E. of the final Guidelines,
discussed below.
III.D. Oversee Service Provider
Arrangements
The Agencies’ proposal addressed
service providers in two provisions. The
Agencies provided that an institution
should consider contract provisions and
oversight mechanisms to protect the
security of customer information
maintained or processed by service
providers as one of the proposed
elements to be considered in
establishing risk management policies
and procedures (proposed paragraph
III.C.1.g.). Additionally, proposed
paragraph III.D. provided that, when an
institution uses an outsourcing
arrangement, the institution would
continue to be responsible for
safeguarding customer information that
it gives to the service provider. That
proposed paragraph also provided that

PO 00000

Frm 00009

Fmt 4701

Sfmt 4700

8623

the institution must use due diligence in
managing and monitoring the
outsourcing arrangement to confirm that
its service providers would protect
customer information consistent with
the Guidelines.
The Agencies requested comment on
the appropriate treatment of outsourcing
arrangements, such as whether industry
best practices are available regarding
effective monitoring of service provider
security precautions, whether service
providers accommodate requests for
specific contract provisions regarding
information security, and, to the extent
that service providers do not
accommodate these requests, whether
financial institutions implement
effective information security programs.
The Agencies also requested comment
on whether institutions would find it
helpful if the Guidelines contained
specific contract provisions requiring
service provider performance standards
in connection with the security of
customer information.
The Agencies received one example of
best practices, but the commenter did
not recommend that they be included in
the Guidelines. While some commenters
suggested that the Guidelines include
best practices, other commenters stated
that, given the various types of financial
institutions, there could be a variety of
best industry practices. Another
commenter stated that best practices
could become minimum requirements
that result in inappropriate burdens.
The Agencies recognize that information
security practices are likely to evolve
rapidly, and thus believe that it is
inappropriate to include best practices
in the final Guidelines.
Commenters were mixed as to
whether service providers are receptive
to contract modifications to protect
customer information. Commenters
were uniform, however, in stating that
an institution’s obligation to monitor
service providers should not include onsite audits by the institution or its agent.
The commenters stated that, in addition
to the expense for financial institutions,
the procedure would place an
inordinate burden on many service
providers that process customer
information for multiple institutions.
Several commenters noted that the
service providers often contract for
audits of their systems and that
institutions should be able to rely upon
those testing procedures. Some
commenters recommended that an
institution’s responsibility for
information given to service providers
require only that the institution enter
into appropriate contractual
arrangements. However, commenters
also indicated that requiring specific

E:\FR\FM\01FER2.SGM

pfrm01

PsN: 01FER2

8624

Federal Register / Vol. 66, No. 22 / Thursday, February 1, 2001 / Rules and Regulations

contract provisions would not be
consistent with the development of
flexible Guidelines and recommended
against the inclusion of specific
provisions.
The Agencies believe that financial
institutions should enter into
appropriate contracts, but also believe
that these contracts, alone, are not
sufficient. Therefore, the final
Guidelines, in paragraph III.D., include
provisions relating to selecting,
contracting with, and monitoring
service providers.
The final Guidelines require that an
institution exercise appropriate due
diligence in the selection of service
providers. Due diligence should include
a review of the measures taken by a
service provider to protect customer
information. As previously noted in the
discussion of ‘‘service provider’’, it also
should include a review of the controls
the service provider has in place to
ensure that any subservicer used by the
service provider will be able to meet the
objectives of these Guidelines.
The final Guidelines also require that
a financial institution have a contract
with each of its service providers that
requires each provider to implement
appropriate measures designed to meet
the objectives of these Guidelines (as
stated in paragraph II.B.). This provision
does not require a service provider to
have a security program in place that
complies with each paragraph of these
Guidelines. Instead, by stating that a
service provider’s security measures
need only achieve the objectives of these
Guidelines, the Guidelines provide
flexibility for a service provider’s
information security measures to differ
from the program that a financial
institution implements. The Agencies
have provided a two-year transition
period during which institutions may
bring their outsourcing contracts into
compliance. (See discussion of
paragraph III.F.) The Agencies have not
included model contract language, given
our belief that the precise terms of
service contracts are best left to the
parties involved.
Each financial institution must also
exercise an appropriate level of
oversight over each of its service
providers to confirm that the service
provider is implementing the provider’s
security measures. The Agencies have
amended the Guidelines as proposed to
include greater flexibility with regard to
the monitoring of service providers. A
financial institution need only monitor
its outsourcing arrangements if such
oversight is indicated by an institution’s
own risk assessment. The Agencies
recognize that not all outsourcing
arrangements will need to be monitored

VerDate 11<MAY>2000

18:01 Jan 31, 2001

Jkt 194001

or monitored in the same fashion. Some
service providers will be financial
institutions that are directly subject to
these Guidelines or other standards
promulgated by their primary regulator
under section 501(b). Other service
providers may already be subject to
legal and professional standards that
require them to safeguard the
institution’s customer information.
Therefore, the final Guidelines permit
an institution to do a risk assessment
taking these factors into account and
determine for themselves which service
providers will need to be monitored.
Even where monitoring is warranted,
the Guidelines do not require on-site
inspections. Instead, the Guidelines
state that this monitoring can be
accomplished, for example, through the
periodic review of the service provider’s
associated audits, summaries of test
results, or equivalent measures of the
service provider. The Agencies expect
that institutions will arrange, when
appropriate, through contracts or
otherwise, to receive copies of audits
and test result information sufficient to
assure the institution that the service
provider implements information
security measures that are consistent
with its contract provisions regarding
the security of customer information.
The American Institute of Certified
Public Accountants Statement of
Auditing Standards No. 70, captioned
‘‘Reports on the Processing of
Transactions by Service Organizations’’
(SAS 70 report), is one commonly used
external audit tool for service providers.
Information contained in an SAS 70
report may enable an institution to
assess whether its service provider has
information security measures that are
consistent with representations made to
the institution during the service
provider selection process.
III.E. Adjust the Program
Paragraphs III.B.3 and III.C.4. of the
proposed Guidelines both addressed a
financial institution’s obligations when
circumstances change. Both paragraph
III.B.3. (which set forth management’s
responsibilities with respect to its risk
assessment) and paragraph III.C.4.
(which focused on the adequacy of an
institution’s information security
program) identified the possible need
for changes to an institution’s program
in light of relevant changes to
technology, the sensitivity of customer
information, and internal or external
threats to the information security.
The Agencies received no comments
objecting to the statements in these
paragraphs of the need to adjust a
financial institution’s program as
circumstances change. While the

PO 00000

Frm 00010

Fmt 4701

Sfmt 4700

Agencies have not changed the
substance of these provisions in the
final Guidelines, we have, however,
made a stylistic change to simplify the
Guidelines. The final Guidelines
combine, in paragraph III.E., the
provisions previously stated separately.
Consistent with the proposal, this
paragraph provides that each financial
institution must monitor, evaluate, and
adjust its information security program
in light of relevant changes in
technology, the sensitivity of its
customer information, internal or
external threats to information, and the
institution’s own changing business
arrangements. This would include an
analysis of risks to customer
information posed by new technology
(and any needed program adjustments)
before a financial institution adopts the
technology in order to determine
whether a security program remains
adequate in light of the new risks
presented.12
III.F. Report to the Board
Paragraph III.A.2.c. of the proposal set
out management’s responsibilities for
reporting to its board of directors. As
previously discussed, the final
Guidelines have removed specific
requirements for management, but
instead allow a financial institution to
determine who within the organization
should carry out a given responsibility.
The board reporting requirement thus
has been amended to require that a
financial institution report to its board,
and that this report be at least annual.
Paragraph III.F. of the final Guidelines
sets out this requirement.
The Agencies invited comment
regarding the appropriate frequency of
reports to the board, including whether
reports should be monthly, quarterly, or
annually. The Agencies received a
number of comments recommending
that no specific frequency be mandated
by the Guidelines and that each
financial institution be permitted to
establish its own reporting period.
12 For additional information concerning how a
financial institution should identify, measure,
monitor, and control risks associated with the use
of technology, see OCC Bulletin 98–3 concerning
technology risk management, which may be
obtained on the Internet at http://
www.occ.treas.gov/ftp/bulletin/98–3.txt.; Federal
Reserve SR Letter 98–9 on Assessment of
Information Technology in the Risk-Focused
Frameworks for the Supervision of Community
Banks and Large Complex Banking Organizations,
April 20, 1998, http://www.federalreserve.gov/
boarddocs/SRLETTERS/1998/SR9809.HTM; FDIC
FIL 99–68 concerning risk assessment tools and
practices for information security systems at http:/
/www.fdic.gov/news/news/financial/1999/
fil9968.html.; OTS’s CEO Letter 70, Statement on
Retail On-Line Personal Computer Banking, (June
23, 1997), available at http://www.ots.treas.gov/
docs/25070.pdf.

E:\FR\FM\01FER2.SGM

pfrm01

PsN: 01FER2

Federal Register / Vol. 66, No. 22 / Thursday, February 1, 2001 / Rules and Regulations
Several commenters stated that if a
reporting period is required, then it
should be not less than annually unless
some material event triggers the need for
an interim report.
The Agencies expect that in all cases,
management will provide its board (or
the appropriate board committee) a
written report on the information
security program consistent with the
Guidelines at least annually.
Management of financial institutions
with more complex information systems
may find it necessary to provide
information to the board (or a
committee) on a more frequent basis.
Similarly, more frequent reporting will
be appropriate whenever a material
event affecting the system occurs or a
material modification is made to the
system. The Agencies expect that the
content of these reports will vary for
each financial institution, depending
upon the nature and scope of its
activities as well as the different
circumstances that it will confront as it
implements and maintains its program.
III.G. Implement the Standards
Paragraph III.E. of the proposal
described the timing requirements for
the implementation of these standards.
It provided that each financial
institution is to take appropriate steps to
fully implement an information security
program pursuant to these Guidelines
by July 1, 2001.
The Agencies received several
comments suggesting that the proposed
effective date be extended for a period
of 12 to 18 months because financial
institutions are currently involved in
efforts to meet the requirements of the
final Privacy Rule by the compliance
deadline, July 1, 2001. The Agencies
believe that the dates for full
compliance with these Guidelines and
the Privacy Rule should coincide.
Financial institutions are required, as
part of their initial privacy notices, to
disclose their policies and practices
with respect to protecting the
confidentiality and security of
nonpublic personal information. See
§ l.6(a)(8). Each Agency has provided
in the appendix to its Privacy Rule that
a financial institution may satisfy this
disclosure requirement by advising its
customers that the institution maintains
physical, electronic, and procedural
safeguards that comply with federal
standards to guard customers’
nonpublic personal information. See
appendix A–7. The Agencies believe
that this disclosure will be meaningful
only if the final Guidelines are effective
when the disclosure is made. If the
effective date of these Guidelines is
extended beyond July 1, 2001, then a

VerDate 11<MAY>2000

18:01 Jan 31, 2001

Jkt 194001

financial institution may be placed in
the position of providing an initial
notice regarding confidentiality and
security and thereafter amending the
privacy policy to accurately refer to the
federal standards once they became
effective. For these reasons, the
Agencies have retained July 1, 2001, as
the effective date for these Guidelines.
However, the Agencies have included
a transition rule for contracts with
service providers. The transition rule,
which parallels a similar provision in
the Privacy Rule, provides a two-year
period for grandfathering existing
contracts. Thus a contract entered into
on or before the date that is 30 days after
publication of the final Guidelines in
the Federal Register satisfies the
provisions of this part until July 1, 2003,
even if the contract does not include
provisions delineating the servicer’s
duties and responsibilities to protect
customer information described in
paragraph III.D.
Location of Guidelines: These
guidelines have been published as an
appendix to each Agency’s Standards
for Safety and Soundness. For the OCC,
those regulations appear at 12 CFR part
30; for the Board, at 12 CFR part 208;
for the FDIC, at 12 CFR part 364; and for
the OTS, at 12 CFR part 570. The Board
also is amending 12 CFR parts 211 and
225 to apply the Guidelines to other
institutions that it supervises.
The Agencies will apply the rules
already in place to require the
submission of a compliance plan in
appropriate circumstances. For the OCC,
those regulations appear at 12 CFR part
30; for the Board at 12 CFR part 263; for
the FDIC at 12 CFR part 308, subpart R;
and for the OTS at 12 CFR part 570. The
final rules make conforming changes to
the regulatory text of these parts.
Rescission of Year 2000 Standards for
Safety and Soundness: The Agencies
previously issued guidelines
establishing Year 2000 safety and
soundness standards for insured
depository institutions pursuant to
section 39 of the FDI Act. Because the
events for which these standards were
issued have passed, the Agencies have
concluded that the guidelines are no
longer necessary and proposed to
rescind the standards as part of this
rulemaking. The Agencies requested
comment on whether rescission of these
standards is appropriate. Those
commenters responding to this request
were unanimous in recommending the
rescission of the Year 2000 Standards,
and the Agencies have rescinded these
standards. These standards appeared for
the OCC at 12 CFR part 30, appendix B
and C; for the Board at 12 CFR part 208,
appendix D–2; for the FDIC at 12 CFR

PO 00000

Frm 00011

Fmt 4701

Sfmt 4700

8625

part 364, appendix B; and for the OTS
at 12 CFR part 570, appendix B.
Accordingly, the Agencies hereby
rescind the Year 2000 Standards for
Safety and Soundness, effective thirty
(30) days after the publication date of
this notice of the joint final rule.
IV. Regulatory Analysis
A. Paperwork Reduction Act
The Agencies have determined that
this rule does not involve a collection of
information pursuant to the provisions
of the Paperwork Reduction Act (44
U.S.C. 3501 et seq.).
B. Regulatory Flexibility Act
OCC: Under the Regulatory Flexibility
Act (RFA), the OCC must either provide
a Final Regulatory Flexibility Analysis
(FRFA) with these final Guidelines or
certify that the final Guidelines ‘‘will
not, if promulgated’’, have a significant
economic impact on a substantial
number of small entities.13 The OCC has
evaluated the effects of these Guidelines
on small entities and is providing the
following FRFA.
Although the OCC specifically sought
comment on the costs to small entities
of establishing and operating
information security programs, no
commenters provided specific cost
information. Instead, commenters
confirmed the OCC’s conclusion that
most if not all institutions already have
information security programs in place,
because the standards reflect good
business practices and existing OCC and
FFIEC guidance. Some comments
indicated, however, that institutions
will have to formalize or enhance their
information security programs.
Accordingly, the OCC considered
certifying, under section 605(b) of the
RFA, that these Guidelines will not have
a significant economic impact on a
substantial number of small entities.
However, given that the guidance
previously issued by the OCC and the
FFIEC is not completely identical to the
Guidelines being adopted in this
rulemaking, the Guidelines are likely to
have some impact on all affected
institutions. While the OCC believes
that this impact will not be substantial
in the case of most small entities, we
nevertheless have prepared the
following FRFA.
13 The RFA defines the term ‘‘small entity’’ in 5
U.S.C. 601 by reference to a definition published by
the Small Business Administration (SBA). The SBA
has defined a ‘‘small entity’’ for banking purposes
as a national or commercial bank, or savings
institution with less than $100 million in assets.
See 13 CFR 121.201.

E:\FR\FM\01FER2.SGM

pfrm01

PsN: 01FER2

8626

Federal Register / Vol. 66, No. 22 / Thursday, February 1, 2001 / Rules and Regulations

1. Reasons for Final Action
The OCC is issuing these Guidelines
under section 501(b) of the G–L–B Act.
Section 501(b) requires the OCC to
publish standards for financial
institutions subject to its jurisdiction
relating to administrative, technical and
physical standards to: (1) insure the
security and confidentiality of customer
records and information; (2) protect
against any anticipated threats or
hazards to the security or integrity of
such records; and (3) protect against
unauthorized access to or use of such
records or information which could
result in substantial harm or
inconvenience to any customer.
2. Objectives of and Legal Basis for Final
Action
The objectives of the Guidelines are
described in the Supplementary
Information section above. The legal
bases for the Guidelines are: 12 U.S.C.
93a, 1818, 1831p–1, and 3102(b) and 15
USC 6801 and 6805(b)(1).
3. Small Entities to Which the Rule Will
Apply
The OCC’s final Guidelines will apply
to approximately 2300 institutions,
including national banks, federal
branches and federal agencies of foreign
banks, and certain subsidiaries of such
entities. The OCC estimates that
approximately 1125 of these institutions
are small institutions with assets less
than $100 million.
4. Projected Reporting, Recordkeeping,
and Other Compliance Requirements;
Skills Required
The Guidelines do not require any
reports to the OCC, however, they
require all covered institutions to
develop and implement a written
information security program comprised
of several elements. Institutions must
assess the risks to their customer
information and adopt appropriate
measures to control those risks.
Institutions must then test these security
measures and adjust their information
security programs in light of any
relevant changes. In addition,
institutions must use appropriate due
diligence in selecting service providers,
and require service providers, by
contract, to implement appropriate
security measures. The Guidelines also
require institutions to monitor their
service providers, where appropriate, to
confirm they have met their contractual
obligations. Finally, the Guidelines
require the board of directors or an
appropriate committee of the board of
each institution to approve the
institution’s information security
program and to oversee its

VerDate 11<MAY>2000

18:01 Jan 31, 2001

Jkt 194001

implementation. To facilitate board
oversight, the institution must provide
to the board or to the board committee
a report, at least annually, describing
the overall status of the institution’s
information security program and the
institution’s compliance with the
Guidelines.
Because the information security
program described above reflects
existing supervisory guidance, the OCC
believes that most institutions already
have the expertise to develop,
implement, and maintain the program.
However, if they have not already done
so, institutions will have to retain the
services of someone capable of assessing
threats to the institution’s customer
information. Institutions that lack an
adequate information security program
also will have to have personnel capable
of developing, implementing and testing
security measures to address these
threats. Institutions that use service
providers may require legal skills to
draft appropriate language for contracts
with service providers.
5. Public Comment and Significant
Alternatives
The OCC did not receive any public
comment on its initial regulatory
flexibility analysis, although it did
receive comments on the proposed
Guidelines, and on the impact of the
Guidelines on small entities in
particular. The comments received by
the OCC and the other Agencies are
discussed at length in the
supplementary information above.
While some commenters suggested that
the OCC exempt small institutions
altogether, the OCC has no authority
under the statute to do so. The
discussion below reviews the changes
adopted in the final Guidelines that will
minimize the economic impact of the
Guidelines on all businesses.
The OCC carefully considered
comments from small entities that
encouraged the Agencies to issue
guidelines that are not overly
prescriptive, that provide flexibility in
the design of an information security
program, but that still provide small
entities with some guidance. After
considering these comments, the OCC
determined that it is appropriate to
issue the standards as Guidelines that
allow each institution the discretion to
design an information security program
that suits its particular size and
complexity and the nature and scope of
its activities. The OCC considered
issuing broader Guidelines that would
only identify objectives to be achieved
while leaving it up to each institution to
decide what steps it should take to
ensure that it meets these objectives.

PO 00000

Frm 00012

Fmt 4701

Sfmt 4700

However, the OCC concluded that such
broad guidance ultimately would be less
helpful than would be guidelines that
combine the flexibility sought by
commenters with meaningful guidance
on factors that an institution should
consider and steps that the institution
should take. The OCC also considered
the utility of more prescriptive
guidelines, but rejected that approach
out of concern that it likely would be
more burdensome, could interfere with
innovation, and could impose
requirements that would be
inappropriate in a given situation.
While the Guidelines are not overly
detailed, they provide guidance by
establishing the process an institution
will need to follow in order to protect
its customer information and by
identifying security measures that are
likely to have the greatest applicability
to national banks in general.
Most commenters supported the use
of the more narrow definition of
‘‘customer’’ in the Guidelines as is used
in the Privacy Rule rather than a broad
definition that would apply to all
records under the control of a financial
institution. Commenters maintained
that two different definitions would be
confusing and also inconsistent with the
use of the term ‘‘customer’’ in section
501 of the G–L–B Act. The OCC
considered using the broader definition,
but determined that information
security could be addressed more
broadly through other vehicles. For the
sake of consistency, the final Guidelines
adopt the narrower definition and apply
only to records of consumers who have
established a continuing relationship
with an institution under which the
institution provides one or more
financial products or services to the
consumer to be used primarily for
personal, family or household purposes,
the definition used in the Privacy Rule.
Many commenters criticized the list
of proposed objectives for each financial
institution’s information security
program which generally reflected the
statutory objectives in section 501(b).
According to these comments, the
objectives were stated in a manner that
made them absolute, unachievable, and
therefore burdensome. The final
Guidelines have been drafted to clarify
these objectives by stating that each
security program is to be ‘‘designed’’ to
accomplish the objectives stated.
Commenters wanted board
involvement in the development and
implementation of an information
security program left to the discretion of
the financial institution. Commenters
also asked the OCC to clarify that the
board may delegate to a committee
responsibility for involvement in the

E:\FR\FM\01FER2.SGM

pfrm01

PsN: 01FER2

Federal Register / Vol. 66, No. 22 / Thursday, February 1, 2001 / Rules and Regulations
institution’s security program. While the
final Guidelines as drafted continue to
place responsibility on an institution’s
board to approve and exercise general
oversight over the program, they now
clarify that a committee of the board
may approve the institution’s written
security program. In addition, the
Guidelines permit the board to assign
specific implementation responsibilities
to a committee or an individual.
The OCC considered requiring an
institution to designate a Corporate
Security Officer. However, the agency
agreed with commenters that a financial
institution is in the best position to
determine who should be assigned
specific roles in implementing the
institution’s security program.
Therefore, the Guidelines do not
include this requirement.
The proposal identifying various
security measures that an institution
should consider in evaluating the
adequacy of its policies and procedures
was criticized by many commenters.
These commenters misinterpreted the
list of measures and believed each
measure to be mandatory. Small entities
commented that these measures were
overly comprehensive and burdensome.
As discussed previously in the
preamble, the OCC did not intend to
suggest that every institution must
adopt every one of the measures. To
highlight the OCC’s intention that an
institution must determine for itself
which measures will be appropriate for
its own risk profile, the final Guidelines
now clearly state that each financial
institution must consider whether the
security elements listed are appropriate
for the institution and, if so, adopt those
elements an institution concludes are
appropriate.
Commenters noted that testing could
be burdensome and costly, especially
for small entities. The OCC considered
mandating specific tests, but determined
that with changes in technology, such
tests could become obsolete. Therefore,
the final Guidelines permit management
to exercise its discretion to determine
the frequency and types of tests that
need to be conducted. The OCC
considered required testing or the
review of tests to be conducted by
outside auditors. The OCC determined
that these duties could be performed
effectively by an institution’s own staff,
if staff selected is sufficiently
independent. Therefore, the Guidelines
permit financial institutions to
determine for themselves whether to use
third parties to either conduct tests or
review their results or to use staff
independent of those that develop or
maintain the institution’s security
program.

VerDate 11<MAY>2000

18:01 Jan 31, 2001

Jkt 194001

Many commenters objected to
provisions in the proposal requiring
institutions to monitor their service
providers. Commenters asserted that it
would be burdensome to require them
to monitor the activities of their service
providers and that information security
of service providers should be handled
through contractual arrangements. The
final Guidelines include greater
flexibility with regard to the monitoring
of service providers than was provided
in the proposal. The final Guidelines
recognize that some service providers
will be financial institutions that are
directly subject to these Guidelines or
other standards promulgated under
section 501(b) and that other service
providers may already be subject to
legal and professional standards that
require them to safeguard the
institution’s customer information.
Therefore, the final Guidelines permit
an institution to do a risk assessment
taking these factors into account and to
determine for themselves which service
providers will need to be monitored.
Where monitoring is warranted, the
Guidelines now specify that monitoring
can be accomplished, for example,
through the periodic review of the
service provider’s associated audits,
summaries of test results, or equivalent
measures of the service provider.
In addition, after considering the
comments about contracts with service
providers and the effective date of the
Guidelines, the OCC also adopted a
transition rule, similar to a provision in
the Privacy Rule, that grandfathers
existing contracts for a two-year period.
One commenter requested that
smaller community banks be given
additional time to comply with the
Guidelines because having to comply
with the new Privacy Rule and these
Guidelines will put a strain on the
resources of smaller banks. The OCC
considered this request but did not
change the effective date of the
Guidelines given the importance of
safeguarding customer information. In
addition, most institutions already have
information security programs in place,
and the OCC has addressed this concern
by adding flexibility to the final
Guidelines in a variety of other areas as
described above.
Board: The Regulatory Flexibility Act
(5 U.S.C. 604) requires an agency to
publish a final regulatory flexibility
analysis when promulgating a final rule
that was subject to notice and comment.
Need for and objectives of Guidelines:
As discussed above, these Guidelines
implement section 501 of the GLB Act.
The objective of the Guidelines is to
establish standards for financial
institutions that are subject to the

PO 00000

Frm 00013

Fmt 4701

Sfmt 4700

8627

Board’s jurisdiction to protect the
security and confidentiality of their
customers’ information. In particular,
the Guidelines require those financial
institutions to implement a
comprehensive written information
security program that includes:
(1) Assessing the reasonably
foreseeable internal and external threats
that could result in unauthorized
disclosure, misuse, alteration, or
destruction of customer information;
(2) Adopting security measures that
the financial institution concludes are
appropriate for it; and
(3) Overseeing its arrangements with
its service provider(s).
Comments on the initial regulatory
flexibility analysis: Although few
commenters addressed the initial
regulatory flexibility analysis
specifically, many commenters
addressed the regulatory burdens that
were discussed in that analysis. Several
commenters noted that certain aspects
of the proposal may tax the
comparatively limited resources of
small institutions, yet few commenters
quantified the potential costs of
compliance. The comments received by
the Board and the other Agencies were
discussed in the supplementary
information above. Those comments
that are closely related to regulatory
burden are highlighted below:
The Board requested comment on the
scope of the term ‘‘customer’’ for
purposes of the Guidelines. Many
commenters opposed expanding the
proposed scope of the Guidelines to
apply to information about business
customers and consumers who have not
established continuing relationships
with the financial institution. The
commenters stated that an expanded
scope would impose higher costs of
developing an information security
program and would be inconsistent with
the use of the term ‘‘customer’’ in
section 501 of the GLB Act and the
Agencies’ Privacy Rule. As explained in
the supplementary information above,
the Board has defined ‘‘customer’’ in the
final Guidelines in the same way as that
term is defined in section l.3(h) of the
Agencies’ Privacy Rule.
Many commenters urged the Board to
reduce the level of detail about the
kinds of measures that would be
required to implement an information
security program under the proposed
Guidelines. Commenters argued, for
instance, that requiring particular
testing procedures of security systems
would make the standards too onerous
for those institutions for which other
kinds of tests and audits would be more
suitable. In a similar vein, some
commenters proposed that the Board

E:\FR\FM\01FER2.SGM

pfrm01

PsN: 01FER2

8628

Federal Register / Vol. 66, No. 22 / Thursday, February 1, 2001 / Rules and Regulations

should issue examples that would
illustrate the kinds of security measures
that, if adopted, would constitute
compliance with the Guidelines.
The Board believes that many
commenters may have misinterpreted
the intent of the original proposal
regarding the particular safeguards that
would be expected. The provision that
requires each financial institution to
consider a variety of security measures
has been redrafted in an effort to clarify
that the institution must determine for
itself which measures will be
appropriate to its own risk profile.
Although an institution is required to
consider each of the security measures
listed in paragraph III.C.1., it is not
obligated to incorporate any particular
security measures or particular testing
procedures into its information security
program. Rather, the institution may
adopt those measures and use those
tests that it concludes are appropriate.
The Board is mindful that institutions’
operations will vary in their complexity
and scope of activities and present
different risk profiles to their customer
information. Accordingly, the Board has
not established definitive security
measures that, if adopted, would
constitute compliance with the
Guidelines.
The Board asked for comments on
several issues related to the appropriate
security standards pertaining to an
institution’s arrangements with its
service providers. As discussed above,
many comments addressed these issues
and, notably, objected to a provision
that would require an institution to
monitor its service providers through
on-site audits. Several commenters
noted that the service providers often
contract for audits of their systems and
argued that an institution should be able
to rely upon those testing procedures.
Commenters also recommended that an
institution’s responsibility for
information given to service providers
require only that the institution enter
into appropriate contractual
arrangements. The Board has modified
the Guidelines to clarify an institution’s
responsibilities with respect to service
providers. The Board has not designed
a standard that would require a
financial institution to conduct an onsite audit of its service provider’s
security program. Instead, the Board
adopted a standard that requires an
institution to monitor its service
provider to confirm that it has satisfied
its contractual obligations, depending
upon the institution’s risk assessment.
In the course of conducting its risk
assessment and determining which
service providers will need to be
monitored, an institution may take into

VerDate 11<MAY>2000

18:01 Jan 31, 2001

Jkt 194001

account the fact that some of its service
providers may be financial institutions
that are directly subject to these
Guidelines or other standards
promulgated by their primary regulator
under section 501(b). Furthermore, after
considering the comments about
contracts with service providers and the
effective date of the Guidelines, the
Board also adopted a transition rule,
which parallels a similar provision in
the Privacy Rule, that provides a twoyear period for grandfathering existing
contracts.
Many commenters addressed the
burdens that would be imposed by the
proposal due to the effective date and
urged the Board to extend the proposed
July 1, 2001, effective date for period
ranging from one to two years. Most of
these commenters argued that
complying with the proposed
Guidelines by July 1, 2001, would place
a considerable burden on their
businesses, particularly because the
Guidelines would mandate changes to
computer software, employee training,
and compliance systems. As discussed
above, the Board believes that the dates
for full compliance with these
Guidelines and the Privacy Rule should
coincide. Financial institutions are
required, as part of their initial privacy
notices, to describe their policies and
practices with respect to protecting the
confidentiality and security of
nonpublic personal information (12 CFR
216.6). The Board believes that if the
effective date of these Guidelines is
extended beyond July 1, 2001, then a
financial institution may be placed in
the position of providing an initial
notice regarding confidentiality and
security and thereafter amending the
privacy policy to accurately refer to the
federal standards once they became
effective. Accordingly, the Board has
adopted the proposed effective date of
July 1, 2001.
Institutions covered. The Board’s final
Guidelines will apply to approximately
9,500 institutions, including state
member banks, bank holding companies
and certain of their nonbank
subsidiaries or affiliates, state uninsured
branches and agencies of foreign banks,
commercial lending companies owned
or controlled by foreign banks, and Edge
and Agreement corporations. The Board
estimates that over 4,500 of the
institutions are small institutions with
assets less than $100 million.
New compliance requirements. The
final Guidelines contain new
compliance requirements for all covered
institutions, many of which are
contained in existing supervisory
guidance and examination procedures.
Nonetheless, each must develop and

PO 00000

Frm 00014

Fmt 4701

Sfmt 4700

implement a written information
security program. As part of that
program, institutions will be required to
assess the reasonably foreseeable risks,
taking into account the sensitivity of
customer information, and assess the
sufficiency of policies and procedures
in place to control those risks.
Institutions that use third party service
providers to process customer
information must exercise appropriate
due diligence in selecting them, require
them by contract to implement
appropriate measures designed to meet
the objectives of these Guidelines, and
depending upon the institution’s risk
assessment, monitor them to confirm
that they have satisfied their contractual
obligations. As part of its compliance
measures, an institution may need to
train its employees or hire individuals
with professional skills suitable to
implementing the policies and
procedures of its information security
program, such as those skills necessary
to test or review tests of its security
measures. Some institutions may
already have programs that meet these
requirements, but others may not.
Minimizing impact on small
institutions. The Board believes the
requirements of the Act and these
Guidelines may create additional
burden for some small institutions. The
Guidelines apply to all covered
institutions, regardless of size. The Act
does not provide the Board with the
authority to exempt a small institution
from the requirement of implementing
administrative, technical, and physical
safeguards to protect the security and
confidentiality of customer information.
Although the Board could develop
different guidelines depending on the
size and complexity of a financial
institution, the Board believes that
differing treatment would not be
appropriate, given that one of the stated
purposes of the Act is to protect the
confidentiality and security of
customers’ nonpublic personal
information.
The Board believes that the
compliance burden is minimized for
small institutions because the
Guidelines expressly allow institutions
to develop security measures that are
‘‘appropriate to the size and complexity
of the [institution]’’. The Guidelines do
not mandate any particular policies,
procedures, or security measures for any
institution other than general
requirements, such as to ‘‘train staff’’ or
‘‘monitor its service providers to
confirm that they have satisfied their
[contractual] obligations’’. The Board
believes that the final Guidelines vest a
small institution with a broad degree of
discretion to design and implement an

E:\FR\FM\01FER2.SGM

pfrm01

PsN: 01FER2

Federal Register / Vol. 66, No. 22 / Thursday, February 1, 2001 / Rules and Regulations
information security program that suits
its own organizational structure and risk
profile.
FDIC: The Regulatory Flexibility Act
(5 U.S.C. 601–612) (RFA) requires,
subject to certain exceptions, that
federal agencies prepare an initial
regulatory flexibility analysis (IRFA)
with a proposed rule and a final
regulatory flexibility analysis (FRFA)
with a final rule, unless the agency
certifies that the rule will not have a
significant economic impact on a
substantial number of small entities.14
At the time of issuance of the proposed
Guidelines, the FDIC could not make
such a determination for certification.
Therefore, the FDIC issued an IRFA
pursuant to section 603 of the RFA.
After reviewing the comments
submitted in response to the proposed
Guidelines, the FDIC believes that it
does not have sufficient information to
determine whether the final Guidelines
would have a significant economic
impact on a substantial number of small
entities. Hence, pursuant to section 604
of the RFA, the FDIC provides the
following FRFA.
This FRFA incorporates the FDIC’s
initial findings, as set forth in the IRFA;
addresses the comments submitted in
response to the IRFA; and describes the
steps the FDIC has taken in the final
rule to minimize the impact on small
entities, consistent with the objectives
of the Gramm-Leach-Bliley Act (G–L–B
Act). Also, in accordance with section
212 of the Small Business Regulatory
Enforcement Fairness Act of 1996
(Public Law 104–121), in the near future
the FDIC will issue a compliance guide
to assist small entities in complying
with these Guidelines.
Small Entities to Which the Guidelines
Will Apply
The final Guidelines will apply to all
FDIC-insured state-nonmember banks,
regardless of size, including those with
assets of under $100 million. As of
September 2000, there were 3,331 small
banks out of a total of 5,130 FDICinsured state-nonmember banks with
assets of under $100 million. Title V,
Subtitle A, of the GLBA does not
provide either an exception for small
banks or statutory authority upon which
the FDIC could provide such an
exception in the Guidelines.
14 The RFA defines the term ‘‘small entity’’ in 5
U.S.C. 601 by reference to definitions published by
the Small Business Administration (SBA). The SBA
has defined a ‘‘small entity’’ for banking purposes
as a national or commercial bank, or savings
institution with less than $100 million in assets.
See 13 CFR 121.201.

VerDate 11<MAY>2000

18:01 Jan 31, 2001

Jkt 194001

Statement of the Need and Objectives of
the Rule
The final Guidelines implement the
provisions of Title V, Subtitle A, Section
501 of the GLBA addressing standards
for safeguarding customer information.
Section 501 requires the Agencies to
publish standards for financial
institutions relating to administrative,
technical, and physical standards to:
Insure the security and confidentiality of
customer records and information.
Protect against any anticipated threats or
hazards to the security or integrity of such
records.
Protect against unauthorized access to or
use of such records or information, which
could result in substantial harm or
inconvenience to any customer.

The final Guidelines do not represent
any change in the policies of the FDIC;
rather they implement the G–L–B Act
requirement to provide appropriate
standards relating to the security and
confidentiality of customer records.
Summary of Significant Issues Raised
by the Public Comments; Description of
Steps the Agency Has Taken in
Response to the Comments to Minimize
the Significant Economic Impact on
Small Entities.
In the IRFA, the FDIC specifically
requested information on whether small
entities would be required to amend
their operations in order to comply with
the final Guidelines and the costs for
such compliance. The FDIC also
requested comment or information on
the costs of establishing information
security programs. The FDIC also sought
comment on any significant alternatives,
consistent with the G–L–B Act that
would minimize the impact on small
entities. The FDIC received a total of 63
comment letters. However, none of the
comment letters specifically addressed
the initial regulatory flexibility act
section of the proposed Guidelines.
Instead, many commenters, representing
banks of various sizes, addressed the
regulatory burdens in connection with
their discussion of specific Guideline
provisions.
The FDIC has sought to minimize the
burden on all businesses, including
small entities, in promulgating this final
Guidelines. The statute does not
authorize the FDIC to create exemptions
from the G–L–B Act based on an
institution’s asset size. However, the
FDIC carefully considered comments
regarding alternatives designed to
minimize the economic and overall
burden of complying with the final
Guidelines. The discussion below
reviews some of the significant changes
adopted in the final Guidelines to
accomplish this purpose.

PO 00000

Frm 00015

Fmt 4701

Sfmt 4700

8629

1. Issue the Rule as Guidelines or
Regulations. The FDIC sought comment
on whether to issue the rule as
Guidelines or as regulations. All the
comment letters stated that the rule
should be issued in the form of
Guidelines. Some community banks
stated that the Guidelines were
unnecessary because they already have
information security programs in place
but would prefer Guidelines to
regulations. The commentary supported
the use of Guidelines because guidelines
typically provide more flexibility than
regulations. Since technology changes
rapidly, Guidelines would allow
institutions to adapt to a changing
environment more quickly than
regulations, which may become
outdated. The FDIC has issued these
standards as Guidelines. The final
Guidelines establish standards that will
allow each institution the flexibility to
design an information security program
to accommodate its particular level of
complexity and scope of activities.
2. Definition of Customer. In the
proposed Guidelines, the FDIC defined
‘‘customer’’ in the same manner as in
the Privacy Rule. A ‘‘customer’’ is
defined as a consumer who has
established a continuing relationship
with an institution under which the
institution provides one or more
financial products or services to the
consumer to be used primarily for
personal, family, or household
purposes. This definition does not
include a business or a consumer who
does not have an ongoing relationship
with a financial institution. Almost all
of the comments received by the FDIC
agreed with the proposed definition and
agreed that the definition should not be
expanded to provide a common
information security program for all
types of records under the control of a
financial institution. The Guidelines
will apply only to consumer records as
defined by the Privacy Rule, not
business records. This will allow for a
consistent interpretation of the term
‘‘customer’’ between the Guidelines and
the Privacy Rule.
3. Involvement of the Bank’s Board of
Directors. The FDIC sought comment on
how frequently management should
report to the board of directors
concerning the bank’s information
security program. Most of the comment
letters stated that the final Guidelines
should not dictate how frequently the
bank reports to the board of directors
and that the bank should have
discretion in this regard. The comment
letters clearly conveyed a preference to
not have a reporting requirement.
However, if there was to be one,
commenters suggested that it be annual.

E:\FR\FM\01FER2.SGM

pfrm01

PsN: 01FER2

8630

Federal Register / Vol. 66, No. 22 / Thursday, February 1, 2001 / Rules and Regulations

The Agencies have amended the
Guidelines to require that a bank report
at least annually to its board of
directors. However, more frequent
reporting will be necessary if a material
event affecting the information security
system occurs or if material
modifications are made to the system.
4. Designation of Corporate
Information Security Officer. The
Agencies considered whether the
Guidelines should require that the
bank’s board of directors designate a
‘‘Corporate Information Security
Officer’’ with the responsibility to
develop and administer the bank’s
information security program. Most of
the comment letters requested that this
requirement not be adopted because
adding a new personnel position would
be financially burdensome. The FDIC
agrees that a new position with a
specific title is not necessary. The final
Guidelines do, however, require that the
authority for the development,
implementation, and administration of
the bank’s information security program
be clearly expressed although not
assigned to a particular individual.
5. Managing and Controlling Risk.
Many comments focused on the eleven
factors in the proposed Guidelines that
banks should consider when evaluating
the adequacy of their information
security programs. The Agencies did not
intend to mandate the security measures
listed in section III.C. of the proposed
Guidelines for all banks and all data.
Instead the Agencies believe the
security measures should be followed as
appropriate for each bank’s particular
circumstances. Some concern was
expressed that the proposed Guidelines
required encryption of all customer
information. The FDIC believes that a
bank that has Internet-based transaction
accounts or a transactional Web site
may decide that encryption is
appropriate, but a bank that processes
all data internally may need different
access restrictions. While a bank is to
consider each element in section III.C.
in the design of its information security
program, this is less burdensome than a
requirement to include each element
listed that section.
The proposed Guidelines provided
that institutions train employees to
recognize, respond to, and report
suspicious attempts to obtain customer
information directly to law enforcement
agencies and regulatory agencies. Some
comment letters stated that suspicious
activity should be reported to
management, not directly to law
enforcement agencies and regulatory
agencies. The FDIC believes employees
should be made aware of federal
reporting requirements and an

VerDate 11<MAY>2000

18:01 Jan 31, 2001

Jkt 194001

institution’s procedures for reporting
suspicious activity. However, the
Guidelines have been amended to allow
financial institutions to decide who is to
file a report to law enforcement
agencies, consistent with other
applicable regulations.
A significant number of comments
stated that the FDIC should not require
specific tests to ensure the security and
confidentiality of customer information.
Some comments stated that periodic
testing is appropriate. The final
Guidelines do not specify particular
tests but provide that management
should decide on the appropriate
testing. Also, the final Guidelines
require tests to be conducted or
reviewed by people independent of
those who operate the systems. Further,
banks must review their service
provider’s security program to
determine that it is consistent with the
Guidelines. However, the final
Guidelines do not require on-site
inspections.
6. Effective Date. The effective date
for the final Guidelines is July 1, 2001.
As discussed in the section-by-section
analysis, many of the comment letters
urged the FDIC to extend the effective
date of the Guidelines, particularly
since this is the effective date for
complying with the Privacy Rule.
Several of the comments suggested the
proposed effective date be extended for
12 to 18 months. However, the FDIC
believes that the effective date for the
Guidelines and the Privacy Rule should
coincide. The Privacy Rule requires a
financial institution to disclose to its
customers that the bank maintains
physical, electronic, and procedural
safeguards to protect customers’
nonpublic personal information.
Appendix A of the Privacy Rule
provides that this disclosure may refer
to these federal guidelines. This is only
meaningful if the final Guidelines for
safeguarding customer information are
effective when the disclosure is made.
The Guidelines do provide a transition
rule for contracts with service
providers—essentially allowing a twoyear compliance period for service
provider contracts. A contract entered
into on or before March 5, 2001, satisfies
the provisions of this part until July 1,
2003, even if the contract does not
include provisions delineating the
servicer’s duties and responsibilities to
protect customer information described
in section III.D. This additional time
will allow financial institutions to make
all necessary changes to service
provider contracts and to comply with
this segment of the Guidelines.

PO 00000

Frm 00016

Fmt 4701

Sfmt 4700

Summary of the Agency Assessment of
Issues Raised in Public Comments
Most of the comment letters did not
discuss actual compliance costs for
implementing the provisions of the
Guidelines. Some commenters stated
that their bank has an established
information security program and that
information security is a customary
business practice. The new compliance
and reporting requirements will create
additional costs for some institutions.
These costs include: (1) Training staff;
(2) monitoring outsourcing agreements;
(3) performing due diligence before
contracting with a service provider; (4)
testing security systems; and (5)
adjusting security programs due to
technology changes. The comments did
not provide data from which the FDIC
could quantify the cost of implementing
the requirements of the GLBA. The
compliance costs will vary among
institutions.
Description/Estimate of Small Entities
To Which the Guidelines Will Apply
The Guidelines will apply to
approximately 3,300 FDIC insured State
nonmember banks that are small entities
(assets less than $100 million) as
defined in the RFA.
Description of Projected Reporting,
Record-Keeping, and Other Compliance
Requirements
The final Guidelines contain
standards for the protection of customer
records and information that apply to all
FDIC-insured state-nonmember banks.
Institutions will be required to report
annually to the bank’s board of directors
concerning the bank’s information
security program. Institutions will need
to develop a training program that is
designed to implement the institution’s
information security policies and
procedures. An institution’s information
security system will be tested to ensure
the controls and procedures of the
program work properly. However, the
final Guidelines do not specify what
particular tests the bank should
undertake. The final Guidelines state
that the tests are to be conducted or
reviewed by persons who are
independent of those who operate the
systems. Institutions will have to
exercise due diligence in the selection
of service providers to ensure that the
bank’s customer information will be
protected consistent with these
Guidelines. And institutions will have
to monitor these service provider
arrangements to confirm that the
institution’s customer information is
protected, which may be accomplished
by reviewing service provider audits

E:\FR\FM\01FER2.SGM

pfrm01

PsN: 01FER2

Federal Register / Vol. 66, No. 22 / Thursday, February 1, 2001 / Rules and Regulations
and summaries of test results. Also,
institutions will need to adjust their
security program as technology changes.
The types of professional skills within
the institution necessary to prepare the
report to the board would include an
understanding of the institution’s
information security program, a level of
technical knowledge of the hardware
and software systems to evaluate test
results recommending substantial
modifications; and the ability to
evaluate and report on the institution’s
steps to oversee service provider
arrangements.
OTS: The Regulatory Flexibility Act
(RFA),15 requires OTS to prepare a final
regulatory flexibility analysis with these
final Guidelines unless the agency
certifies that the rule will not have a
significant economic impact on a
substantial number of small entities.
OTS has evaluated the effects these
Guidelines will have on small entities.
In issuing proposed Guidelines, OTS
specifically sought comment on the
costs of establishing and operating
information security programs, but no
commenters provided specific cost
information. Institutions cannot yet
know how they will implement their
information security programs and
therefore have difficulty quantifying the
associated costs. The Director of OTS
considered certifying, under section
605(b) of the RFA, that these guidelines
will not have a significant economic
impact on a substantial number of small
entities. However, because OTS cannot
quantify the impact the Guidelines will
have on small entities, and in the
interests of thoroughness, OTS does not
certify that the Guidelines will not have
a significant economic impact on a
substantial number of small entities.
Instead, OTS has prepared the following
final regulatory flexibility analysis.
A. Reasons for Final Action
OTS issues these Guidelines pursuant
to section 501 of the G-L-B Act. As
described in this preamble and in the
notice of proposed action, section 501
requires OTS to publish standards for
the thrift industry relating to
administrative, technical, and physical
safeguards to: (1) Insure the security and
confidentiality of customer records and
information; (2) protect against any
anticipated threats or hazards to the
security or integrity of such records, and
(3) protect against unauthorized access
to or use of such records or information
which could result in the substantial
harm or inconvenience to any customer.
15 U.S.C.

604(a).

VerDate 11<MAY>2000

18:01 Jan 31, 2001

Jkt 194001

B. Objectives of and Legal Basis for
Final Action
The objectives of the Guidelines are
described in the Supplementary
Information section above. The legal
bases for the final action are: section 501
of the G-L-B Act; section 39 of the FDI
Act; and sections 2, 4, and 5 of the
Home Owners’ Loan Act (12 U.S.C.
1462, 1463, and 1464).
C. Description of Entities To Which
Final Action Will Apply
These Guidelines will apply to all
savings associations whose deposits are
FDIC insured, and subsidiaries of such
savings associations, except subsidiaries
that are brokers, dealers, persons
providing insurance, investment
companies, and investment advisers.16
D. Projected Reporting, Recordkeeping,
and Other Compliance Requirements;
Skills Required
The Guidelines do not require any
reports to OTS. As discussed more fully
above, they do require institutions to
have a written information security
program, and to make an appropriate
report to the board of directors, or a
board committee, at least annually. The
Guidelines require institutions to
establish an information security
program, if they do not already have
one. The Guidelines require institutions
to assess the risks to their customer
security and to adopt appropriate
measures to control those risks.
Institutions must also test the key
controls, commensurate with the risks.
Institutions must use appropriate due
diligence in selecting outside service
providers, and require service providers,
by contract, to implement appropriate
security measures. Finally, where
appropriate, the Guidelines require
institutions to monitor their service
providers.
Professional skills, such as skills of
computer hardware and software, will
be necessary to assess information
security needs, and to design and
implement an information security
program. The particular skills needed
will be commensurate with the nature of
each institution’s system, i.e. more skills
will be needed in institutions with
sophisticated and extensive
computerization. As a result, small
entities with less extensive
computerization are likely to have less
burdensome compliance needs than
large entities. Institutions that use
16 For purposes of the Regulatory Flexibility Act,
a small savings association is one with less than
$100 million in assets. 13 CFR 121.201 (Division H).
There are approximately 487 such small savings
associations, approximately 97 of which have
subsidiaries.

PO 00000

Frm 00017

Fmt 4701

Sfmt 4700

8631

outside service providers may require
legal skills to draft appropriate language
for contracts with service providers.
E. Public Comment and Significant
Alternatives
OTS did not receive any public
comment on its initial regulatory
flexibility analysis, although it did
receive comments on the proposal in
general, and on the Guidelines’ impact
on small entities in particular. OTS
addresses these below.
OTS has considered publishing
standards using only the broad language
in section 501(b) of the G–L–B Act, as
supported by one commenter. The
Agencies rejected this alternative in
favor of more comprehensive
Guidelines. Using only the general
statutory language would permit
institutions maximum flexibility in
implementing information security
protections and would not put
institutions at a competitive
disadvantage with respect to institutions
not subject to the same security
standards. However, using the statutory
language alone would not provide
enough guidance to institutions about
what risks need to be addressed or what
types of protections are appropriate.
Small institutions in particular may
need guidance in this area. One trade
association that represents community
banks commented that institutions need
guidance to determine what level of
information security the Agencies will
look for, and that community banks in
particular need guidance in this area.
OTS believes that the alternative it
chose, more comprehensive standards,
provides helpful guidance without
sacrificing flexibility.
OTS has also considered the
alternative of defining ‘‘service
provider’’ more narrowly than in the
proposed Guidelines to reduce
regulatory burden. The Guidelines
require a financial institution to take
appropriate steps to protect customer
information provided to a service
provider. Due to limited resources,
small institutions may need to
outsource a disproportionately larger
number of functions than large
institutions outsource, and accordingly
have a greater need for service
providers. Thus, the burdens associated
with service providers may fall more
heavily on small institutions than on
large institutions. But the risks to
information security do not necessarily
vary depending on a service provider’s
identity. Rather, they vary depending on
the type and volume of information to
which a service provider has access, the
safeguards it has in place, and what the
service provider does with the

E:\FR\FM\01FER2.SGM

pfrm01

PsN: 01FER2

8632

Federal Register / Vol. 66, No. 22 / Thursday, February 1, 2001 / Rules and Regulations

information. Basing the requirements as
to service providers on a service
provider’s identity would not
necessarily focus protections on areas of
risk. For this reason, the final
Guidelines focus the protections
regarding service providers on the risks
involved rather than on the service
provider’s identity. This approach
should provide the necessary
protections without unnecessary burden
on small institutions.
OTS reviewed the alternative of
requiring an institution’s board of
directors to designate a Corporate
Information Security Officer who would
have authority, with approval by the
board, to develop and administer the
institution’s information security
program. However, ultimately, the
agencies rejected the idea of having
financial institutions create a new
position to fulfill this purpose. Instead,
the Guidelines allow financial
institutions the flexibility to determine
who should be assigned specific roles in
implementing the institution’s security
program. As a result, small institutions
will be relieved of a potential burden.
The final Guidelines incorporate new
provisions not in the proposed
Guidelines designed to add flexibility to
assist all institutions, large and small.
For example, the final Guidelines,
unlike the proposal, do not specify
particular tasks for management.
Instead, the final Guidelines allow each
institution the flexibility to decide for
itself the most efficient allocation of its
personnel. Similarly, the final
Guidelines allow institutions to delegate
board duties to board committees.
Additionally, in the final guidelines the
Agencies removed the requirement that
information security programs ‘‘shall
* * * ensure’’ the security and
confidentiality of customer information.
Instead, the guidelines say the program
‘‘shall be designed to * * * ensure’’ the
security and confidentiality of customer
information. The final Guidelines
further incorporate more flexibility than
the proposal concerning testing systems.
The proposal required third parties of
staff independent of those who maintain
the program to test it, and required third
parties or staff independent of the
testers to review test results. To add
flexibility, the final Guidelines more
simply require staff or third parties
independent of those who develop or
maintain the programs to conduct or
review the tests. These changes should
serve to reduce the burden of the
Guidelines.
C. Executive Order 12866
The Comptroller of the Currency and
the Office of Thrift Supervision have

VerDate 11<MAY>2000

18:01 Jan 31, 2001

Jkt 194001

determined that this rule does not
constitute a ‘‘significant regulatory
action’’ for the purposes of Executive
Order 12866. The OCC and OTS are
issuing the Guidelines in accordance
with the requirements of Sections 501
and 505(b) of the G–L–B Act and not
under their own authority. Even absent
the requirements of the G–L–B Act, if
the OCC and OTS had issued the rule
under their own authority, the rule
would not constitute a ‘‘significant
regulatory action’’ for purposes of
Executive Order 12866.
The standards established by the
Guidelines are very flexible and allow
each institution the discretion to have
an information security program that
suits its particular size , complexity and
the nature and scope of its activities.
Further, the standards reflect good
business practices and guidance
previously issued by the OCC, OTS, and
the FFIEC. Accordingly, most if not all
institutions already have information
security programs in place that are
consistent with the Guidelines. In such
cases, little or no modification to an
institution’s program will be required.

List of Subjects

D. Unfunded Mandates Act of 1995
Section 202 of the Unfunded
Mandates Reform Act of 1995, 2 U.S.C.
1532 (Unfunded Mandates Act),
requires that an agency prepare a
budgetary impact statement before
promulgating any rule likely to result in
a federal mandate that may result in the
expenditure by state, local, and tribal
governments, in the aggregate, or by the
private sector, of $100 million or more
in any one year. If a budgetary impact
statement is required, section 205 of the
Unfunded Mandates Act also requires
the agency to identify and consider a
reasonable number of regulatory
alternatives before promulgating the
rule. However, an agency is not required
to assess the effects of its regulatory
actions on the private sector to the
extent that such regulations incorporate
requirements specifically set forth in
law. 2 U.S.C. 1531.
The OCC and OTS believe that most
institutions already have established an
information security program because it
is a sound business practice that also
has been addressed in existing
supervisory guidance. Therefore, the
OCC and OTS have determined that the
Guidelines will not result in
expenditures by state, local, and tribal
governments, in the aggregate, or by the
private sector, of $100 million or more
in any one year. Accordingly, the OCC
and OTS have not prepared a budgetary
impact statement or specifically
addressed the regulatory alternatives
considered.

Administrative practice and
procedure, Claims, Crime, Equal access
in justice, Federal Reserve System,
Lawyers, Penalties.

PO 00000

Frm 00018

Fmt 4701

Sfmt 4700

12 CFR Part 30
Banks, banking, Consumer protection,
National banks, Privacy, Reporting and
recordkeeping requirements.
12 CFR Part 208
Banks, banking, Consumer protection,
Federal Reserve System, Foreign
banking, Holding companies,
Information, Privacy, Reporting and
recordkeeping requirements.
12 CFR Part 211
Exports, Federal Reserve System,
Foreign banking, Holding companies,
Investments, Privacy, Reporting and
recordkeeping requirements.
12 CFR Part 225
Administrative practice and
procedure, Banks, banking, Federal
Reserve System, Holding companies,
Privacy, Reporting and recordkeeping
requirements, Securities.
12 CFR Part 263

12 CFR Part 308
Administrative practice and
procedure, Banks, banking, Claims,
Crime, Equal access of justice, Lawyers,
Penalties, State nonmember banks.
12 CFR Part 364
Administrative practice and
procedure, Bank deposit insurance,
Banks, banking, Reporting and
recordkeeping requirements, Safety and
soundness.
12 CFR Part 568
Reporting and recordkeeping
requirements, Savings associations,
Security measures. Consumer
protection, Privacy, Savings
associations.
12 CFR Part 570
Consumer protection, Privacy,
Savings associations.
Office of the Comptroller of the
Currency
12 CFR Chapter I
Authority and Issuance
For the reasons set forth in the joint
preamble, part 30 of the chapter I of title
12 of the Code of Federal Regulations is
amended as follows:

E:\FR\FM\01FER2.SGM

pfrm01

PsN: 01FER2

Federal Register / Vol. 66, No. 22 / Thursday, February 1, 2001 / Rules and Regulations
PART 30—SAFETY AND SOUNDNESS
STANDARDS
1. The authority citation for part 30 is
revised to read as follows:
Authority: 12 U.S.C. 93a, 1818, 1831–p,
3102(b); 15 U.S.C. 6801, 6805(b)(1).

2. Revise § 30.1 to read as follows:
§ 30.1

Scope.

(a) The rules set forth in this part and
the standards set forth in appendices A
and B to this part apply to national
banks and federal branches of foreign
banks, that are subject to the provisions
of section 39 of the Federal Deposit
Insurance Act (section 39)(12 U.S.C.
1831p–1).
(b) The standards set forth in
appendix B to this part also apply to
uninsured national banks, federal
branches and federal agencies of foreign
banks, and the subsidiaries of any
national bank, federal branch or federal
agency of a foreign bank (except brokers,
dealers, persons providing insurance,
investment companies and investment
advisers). Violation of these standards
may be an unsafe and unsound practice
within the meaning of 12 U.S.C. 1818.
3. In § 30.2, revise the last sentence to
read as follows:
§ 30.2

Purpose.

* * * The Interagency Guidelines
Establishing Standards for Safety and
Soundness are set forth in appendix A
to this part, and the Interagency
Guidelines Establishing Standards for
Safeguarding Customer Information are
set forth in appendix B to this part.
4. In § 30.3, revise paragraph (a) to
read as follows:
§ 30.3 Determination and notification of
failure to meet safety and soundness
standard and request for compliance plan.

(a) Determination. The OCC may,
based upon an examination, inspection,
or any other information that becomes
available to the OCC, determine that a
bank has failed to satisfy the safety and
soundness standards contained in the
Interagency Guidelines Establishing
Standards for Safety and Soundness set
forth in appendix A to this part, and the
Interagency Guidelines Establishing
Standards for Safeguarding Customer
Information set forth in appendix B to
this part.
*
*
*
*
*
5. Revise appendix B to part 30 to
read as follows:
Appendix B to Part 30—Interagency
Guidelines Establishing Standards For
Safeguarding Customer Information
Table of Contents
I. Introduction

VerDate 11<MAY>2000

18:01 Jan 31, 2001

Jkt 194001

A. Scope
B. Preservation of Existing Authority
C. Definitions
II. Standards for Safeguarding Customer
Information
A. Information Security Program
B. Objectives
III. Development and Implementation of
Customer Information Security Program
A. Involve the Board of Directors
B. Assess Risk
C. Manage and Control Risk
D. Oversee Service Provider Arrangements
E. Adjust the Program
F. Report to the Board
G. Implement the Standards
I. Introduction
The Interagency Guidelines Establishing
Standards for Safeguarding Customer
Information (Guidelines) set forth standards
pursuant to section 39 of the Federal Deposit
Insurance Act (section 39, codified at 12
U.S.C. 1831p–1), and sections 501 and
505(b), codified at 15 U.S.C. 6801 and
6805(b), of the Gramm-Leach-Bliley Act.
These Guidelines address standards for
developing and implementing
administrative, technical, and physical
safeguards to protect the security,
confidentiality, and integrity of customer
information.
A. Scope. The Guidelines apply to
customer information maintained by or on
behalf of entities over which the OCC has
authority. Such entities, referred to as ‘‘the
bank,’’ are national banks, federal branches
and federal agencies of foreign banks, and
any subsidiaries of such entities (except
brokers, dealers, persons providing
insurance, investment companies, and
investment advisers).
B. Preservation of Existing Authority.
Neither section 39 nor these Guidelines in
any way limit the authority of the OCC to
address unsafe or unsound practices,
violations of law, unsafe or unsound
conditions, or other practices. The OCC may
take action under section 39 and these
Guidelines independently of, in conjunction
with, or in addition to, any other
enforcement action available to the OCC.
C. Definitions. 1. Except as modified in the
Guidelines, or unless the context otherwise
requires, the terms used in these Guidelines
have the same meanings as set forth in
sections 3 and 39 of the Federal Deposit
Insurance Act (12 U.S.C. 1813 and 1831p–1).
2. For purposes of the Guidelines, the
following definitions apply:
a. Board of directors, in the case of a
branch or agency of a foreign bank, means the
managing official in charge of the branch or
agency.
b. Customer means any customer of the
bank as defined in § 40.3(h) of this chapter.
c. Customer information means any record
containing nonpublic personal information,
as defined in § 40.3(n) of this chapter, about
a customer, whether in paper, electronic, or
other form, that is maintained by or on behalf
of the bank.
d. Customer information systems means
any methods used to access, collect, store,
use, transmit, protect, or dispose of customer
information.

PO 00000

Frm 00019

Fmt 4701

Sfmt 4700

8633

e. Service provider means any person or
entity that maintains, processes, or otherwise
is permitted access to customer information
through its provision of services directly to
the bank.
II. Standards for Safeguarding Customer
Information
A. Information Security Program. Each
bank shall implement a comprehensive
written information security program that
includes administrative, technical, and
physical safeguards appropriate to the size
and complexity of the bank and the nature
and scope of its activities. While all parts of
the bank are not required to implement a
uniform set of policies, all elements of the
information security program must be
coordinated.
B. Objectives. A bank’s information
security program shall be designed to:
1. Ensure the security and confidentiality
of customer information;
2. Protect against any anticipated threats or
hazards to the security or integrity of such
information; and
3. Protect against unauthorized access to or
use of such information that could result in
substantial harm or inconvenience to any
customer.
III. Development and Implementation of
Information Security Program
A. Involve the Board of Directors. The
board of directors or an appropriate
committee of the board of each bank shall:
1. Approve the bank’s written information
security program; and
2. Oversee the development,
implementation, and maintenance of the
bank’s information security program,
including assigning specific responsibility for
its implementation and reviewing reports
from management.
B. Assess Risk. Each bank shall:
1. Identify reasonably foreseeable internal
and external threats that could result in
unauthorized disclosure, misuse, alteration,
or destruction of customer information or
customer information systems.
2. Assess the likelihood and potential
damage of these threats, taking into
consideration the sensitivity of customer
information.
3. Assess the sufficiency of policies,
procedures, customer information systems,
and other arrangements in place to control
risks.
C. Manage and Control Risk. Each bank
shall:
1. Design its information security program
to control the identified risks, commensurate
with the sensitivity of the information as well
as the complexity and scope of the bank’s
activities. Each bank must consider whether
the following security measures are
appropriate for the bank and, if so, adopt
those measures the bank concludes are
appropriate:
a. Access controls on customer information
systems, including controls to authenticate
and permit access only to authorized
individuals and controls to prevent
employees from providing customer
information to unauthorized individuals who
may seek to obtain this information through
fraudulent means.

E:\FR\FM\01FER2.SGM

pfrm01

PsN: 01FER2

8634

Federal Register / Vol. 66, No. 22 / Thursday, February 1, 2001 / Rules and Regulations

b. Access restrictions at physical locations
containing customer information, such as
buildings, computer facilities, and records
storage facilities to permit access only to
authorized individuals;
c. Encryption of electronic customer
information, including while in transit or in
storage on networks or systems to which
unauthorized individuals may have access;
d. Procedures designed to ensure that
customer information system modifications
are consistent with the bank’s information
security program;
e. Dual control procedures, segregation of
duties, and employee background checks for
employees with responsibilities for or access
to customer information;
f. Monitoring systems and procedures to
detect actual and attempted attacks on or
intrusions into customer information
systems;
g. Response programs that specify actions
to be taken when the bank suspects or detects
that unauthorized individuals have gained
access to customer information systems,
including appropriate reports to regulatory
and law enforcement agencies; and
h. Measures to protect against destruction,
loss, or damage of customer information due
to potential environmental hazards, such as
fire and water damage or technological
failures.
2. Train staff to implement the bank’s
information security program.
3. Regularly test the key controls, systems
and procedures of the information security
program. The frequency and nature of such
tests should be determined by the bank’s risk
assessment. Tests should be conducted or
reviewed by independent third parties or
staff independent of those that develop or
maintain the security programs.
D. Oversee Service Provider Arrangements.
Each bank shall:
1. Exercise appropriate due diligence in
selecting its service providers;
2. Require its service providers by contract
to implement appropriate measures designed
to meet the objectives of these Guidelines;
and
3. Where indicated by the bank’s risk
assessment, monitor its service providers to
confirm that they have satisfied their
obligations as required by section D.2. As
part of this monitoring, a bank should review
audits, summaries of test results, or other
equivalent evaluations of its service
providers.
E. Adjust the Program. Each bank shall
monitor, evaluate, and adjust, as appropriate,
the information security program in light of
any relevant changes in technology, the
sensitivity of its customer information,
internal or external threats to information,
and the bank’s own changing business
arrangements, such as mergers and
acquisitions, alliances and joint ventures,
outsourcing arrangements, and changes to
customer information systems.
F. Report to the Board. Each bank shall
report to its board or an appropriate
committee of the board at least annually.
This report should describe the overall status
of the information security program and the
bank’s compliance with these Guidelines.
The reports should discuss material matters

VerDate 11<MAY>2000

18:01 Jan 31, 2001

Jkt 194001

related to its program, addressing issues such
as: risk assessment; risk management and
control decisions; service provider
arrangements; results of testing; security
breaches or violations and management’s
responses; and recommendations for changes
in the information security program.
G. Implement the Standards. 1. Effective
date. Each bank must implement an
information security program pursuant to
these Guidelines by July 1, 2001.
2. Two-year grandfathering of agreements
with service providers. Until July 1, 2003, a
contract that a bank has entered into with a
service provider to perform services for it or
functions on its behalf satisfies the
provisions of section III.D., even if the
contract does not include a requirement that
the servicer maintain the security and
confidentiality of customer information, as
long as the bank entered into the contract on
or before March 5, 2001.

6. Appendix C to part 30 is removed.
Dated: December 21, 2000.
John D. Hawke, Jr.,
Comptroller of the Currency.

Federal Reserve System
12 CFR Chapter II
Authority and Issuance
For the reasons set forth in the joint
preamble, parts 208, 211, 225, and 263
of chapter II of title 12 of the Code of
Federal Regulations are amended as
follows:
PART 208—MEMBERSHIP OF STATE
BANKING INSTITUTIONS IN THE
FEDERAL RESERVE SYSTEM
(REGULATION H)
1. The authority citation for 12 CFR
part 208 is revised to read as follows:
Authority: 12 U.S.C. 24, 36, 92a, 93a,
248(a), 248(c), 321–338a, 371d, 461, 481–486,
601, 611, 1814, 1816, 1818, 1820(d)(9),
1823(j), 1828(o), 1831, 1831o, 1831p–1,
1831r–1, 1835a, 1882, 2901–2907, 3105,
3310, 3331–3351, and 3906–3909; 15 U.S.C.
78b, 78l(b), 78l(g), 78l(i), 78o–4(c)(5), 78q,
78q–1, 78w, 6801, and 6805; 31 U.S.C. 5318;
42 U.S.C. 4012a, 4104a, 4104b, 4106, and
4128.

2. Amend § 208.3 to revise paragraph
(d)(1) to read as follows:
§ 208.3 Application and conditions for
membership in the Federal Reserve System.

*

*
*
*
*
(d) Conditions of membership. (1)
Safety and soundness. Each member
bank shall at all times conduct its
business and exercise its powers with
due regard to safety and soundness.
Each member bank shall comply with
the Interagency Guidelines Establishing
Standards for Safety and Soundness
prescribed pursuant to section 39 of the
FDI Act (12 U.S.C. 1831p–1), set forth in
appendix D–1 to this part, and the
Interagency Guidelines Establishing

PO 00000

Frm 00020

Fmt 4701

Sfmt 4700

Standards for Safeguarding Customer
Information prescribed pursuant to
sections 501 and 505 of the GrammLeach-Bliley Act (15 U.S.C. 6801 and
6805), set forth in appendix D–2 to this
part.
*
*
*
*
*
3. Revise appendix D–2 to read as
follows:
Appendix D–2 To Part 208—
Interagency Guidelines Establishing
Standards For Safeguarding Customer
Information
Table of Contents
I. Introduction
A. Scope
B. Preservation of Existing Authority
C. Definitions
II. Standards for Safeguarding Customer
Information
A. Information Security Program
B. Objectives
III. Development and Implementation of
Customer Information Security Program
A. Involve the Board of Directors
B. Assess Risk
C. Manage and Control Risk
D. Oversee Service Provider Arrangements
E. Adjust the Program
F. Report to the Board
G. Implement the Standards

I. Introduction
These Interagency Guidelines
Establishing Standards for Safeguarding
Customer Information (Guidelines) set
forth standards pursuant to sections 501
and 505 of the Gramm-Leach-Bliley Act
(15 U.S.C. 6801 and 6805), in the same
manner, to the extent practicable, as
standards prescribed pursuant to section
39 of the Federal Deposit Insurance Act
(12 U.S.C. 1831p–1). These Guidelines
address standards for developing and
implementing administrative, technical,
and physical safeguards to protect the
security, confidentiality, and integrity of
customer information.
A. Scope. The Guidelines apply to
customer information maintained by or
on behalf of state member banks (banks)
and their nonbank subsidiaries, except
for brokers, dealers, persons providing
insurance, investment companies, and
investment advisors. Pursuant to
§§ 211.9 and 211.24 of this chapter,
these guidelines also apply to customer
information maintained by or on behalf
of Edge corporations, agreement
corporations, and uninsured statelicensed branches or agencies of a
foreign bank.
B. Preservation of Existing Authority.
Neither section 39 nor these Guidelines
in any way limit the authority of the
Board to address unsafe or unsound
practices, violations of law, unsafe or
unsound conditions, or other practices.
The Board may take action under

E:\FR\FM\01FER2.SGM

pfrm01

PsN: 01FER2

Federal Register / Vol. 66, No. 22 / Thursday, February 1, 2001 / Rules and Regulations
section 39 and these Guidelines
independently of, in conjunction with,
or in addition to, any other enforcement
action available to the Board.
C. Definitions.
1. Except as modified in the
Guidelines, or unless the context
otherwise requires, the terms used in
these Guidelines have the same
meanings as set forth in sections 3 and
39 of the Federal Deposit Insurance Act
(12 U.S.C. 1813 and 1831p–1).
2. For purposes of the Guidelines, the
following definitions apply:
a. Board of directors, in the case of a
branch or agency of a foreign bank,
means the managing official in charge of
the branch or agency.
b. Customer means any customer of
the bank as defined in § 216.3(h) of this
chapter.
c. Customer information means any
record containing nonpublic personal
information, as defined in § 216.3(n) of
this chapter, about a customer, whether
in paper, electronic, or other form, that
is maintained by or on behalf of the
bank.
d. Customer information systems
means any methods used to access,
collect, store, use, transmit, protect, or
dispose of customer information.
e. Service provider means any person
or entity that maintains, processes, or
otherwise is permitted access to
customer information through its
provision of services directly to the
bank.
f. Subsidiary means any company
controlled by a bank, except a broker,
dealer, person providing insurance,
investment company, investment
advisor, insured depository institution,
or subsidiary of an insured depository
institution.
II. Standards for Safeguarding
Customer Information
A. Information Security Program.
Each bank shall implement a
comprehensive written information
security program that includes
administrative, technical, and physical
safeguards appropriate to the size and
complexity of the bank and the nature
and scope of its activities. While all
parts of the bank are not required to
implement a uniform set of policies, all
elements of the information security
program must be coordinated. A bank
also shall ensure that each of its
subsidiaries is subject to a
comprehensive information security
program. The bank may fulfill this
requirement either by including a
subsidiary within the scope of the
bank’s comprehensive information
security program or by causing the
subsidiary to implement a separate

VerDate 11<MAY>2000

18:01 Jan 31, 2001

Jkt 194001

comprehensive information security
program in accordance with the
standards and procedures in sections II
and III of this appendix that apply to
banks.
B. Objectives. A bank’s information
security program shall be designed to:
1. Ensure the security and
confidentiality of customer information;
2. Protect against any anticipated
threats or hazards to the security or
integrity of such information; and
3. Protect against unauthorized access
to or use of such information that could
result in substantial harm or
inconvenience to any customer.
III. Development and Implementation
of Information Security Program
A. Involve the Board of Directors. The
board of directors or an appropriate
committee of the board of each bank
shall:
1. Approve the bank’s written
information security program; and
2. Oversee the development,
implementation, and maintenance of the
bank’s information security program,
including assigning specific
responsibility for its implementation
and reviewing reports from
management.
B. Assess Risk. Each bank shall:
1. Identify reasonably foreseeable
internal and external threats that could
result in unauthorized disclosure,
misuse, alteration, or destruction of
customer information or customer
information systems.
2. Assess the likelihood and potential
damage of these threats, taking into
consideration the sensitivity of
customer information.
3. Assess the sufficiency of policies,
procedures, customer information
systems, and other arrangements in
place to control risks.
C. Manage and Control Risk. Each
bank shall:
1. Design its information security
program to control the identified risks,
commensurate with the sensitivity of
the information as well as the
complexity and scope of the bank’s
activities. Each bank must consider
whether the following security measures
are appropriate for the bank and, if so,
adopt those measures the bank
concludes are appropriate:
a. Access controls on customer
information systems, including controls
to authenticate and permit access only
to authorized individuals and controls
to prevent employees from providing
customer information to unauthorized
individuals who may seek to obtain this
information through fraudulent means.
b. Access restrictions at physical
locations containing customer

PO 00000

Frm 00021

Fmt 4701

Sfmt 4700

8635

information, such as buildings,
computer facilities, and records storage
facilities to permit access only to
authorized individuals;
c. Encryption of electronic customer
information, including while in transit
or in storage on networks or systems to
which unauthorized individuals may
have access;
d. Procedures designed to ensure that
customer information system
modifications are consistent with the
bank’s information security program;
e. Dual control procedures,
segregation of duties, and employee
background checks for employees with
responsibilities for or access to customer
information;
f. Monitoring systems and procedures
to detect actual and attempted attacks
on or intrusions into customer
information systems;
g. Response programs that specify
actions to be taken when the bank
suspects or detects that unauthorized
individuals have gained access to
customer information systems,
including appropriate reports to
regulatory and law enforcement
agencies; and
h. Measures to protect against
destruction, loss, or damage of customer
information due to potential
environmental hazards, such as fire and
water damage or technological failures.
2. Train staff to implement the bank’s
information security program.
3. Regularly test the key controls,
systems and procedures of the
information security program. The
frequency and nature of such tests
should be determined by the bank’s risk
assessment. Tests should be conducted
or reviewed by independent third
parties or staff independent of those that
develop or maintain the security
programs.
D. Oversee Service Provider
Arrangements. Each bank shall:
1. Exercise appropriate due diligence
in selecting its service providers;
2. Require its service providers by
contract to implement appropriate
measures designed to meet the
objectives of these Guidelines; and
3. Where indicated by the bank’s risk
assessment, monitor its service
providers to confirm that they have
satisfied their obligations as required by
paragraph D.2. As part of this
monitoring, a bank should review
audits, summaries of test results, or
other equivalent evaluations of its
service providers.
E. Adjust the Program. Each bank
shall monitor, evaluate, and adjust, as
appropriate, the information security
program in light of any relevant changes
in technology, the sensitivity of its

E:\FR\FM\01FER2.SGM

pfrm01

PsN: 01FER2

8636

Federal Register / Vol. 66, No. 22 / Thursday, February 1, 2001 / Rules and Regulations

customer information, internal or
external threats to information, and the
bank’s own changing business
arrangements, such as mergers and
acquisitions, alliances and joint
ventures, outsourcing arrangements, and
changes to customer information
systems.
F. Report to the Board. Each bank
shall report to its board or an
appropriate committee of the board at
least annually. This report should
describe the overall status of the
information security program and the
bank’s compliance with these
Guidelines. The reports should discuss
material matters related to its program,
addressing issues such as: risk
assessment; risk management and
control decisions; service provider
arrangements; results of testing; security
breaches or violations and
management’s responses; and
recommendations for changes in the
information security program.
G. Implement the Standards.
1. Effective date. Each bank must
implement an information security
program pursuant to these Guidelines
by July 1, 2001.
2. Two-year grandfathering of
agreements with service providers. Until
July 1, 2003, a contract that a bank has
entered into with a service provider to
perform services for it or functions on
its behalf satisfies the provisions of
section III.D., even if the contract does
not include a requirement that the
servicer maintain the security and
confidentiality of customer information,
as long as the bank entered into the
contract on or before March 5, 2001.
PART 211—INTERNATIONAL
BANKING OPERATIONS
(REGULATION K)
4. The authority citation for part 211
is revised to read as follows:
Authority: 12 U.S.C. 221 et seq., 1818,
1835a, 1841 et seq., 3101 et seq., and 3901
et seq.; 15 U.S.C. 6801 and 6805.

5. Add new § 211.9 to read as follows:
§ 211.9 Protection of customer
information.

An Edge or agreement corporation
shall comply with the Interagency
Guidelines Establishing Standards for
Safeguarding Customer Information
prescribed pursuant to sections 501 and
505 of the Gramm-Leach-Bliley Act (15
U.S.C. 6801 and 6805), set forth in
appendix D–2 to part 208 of this
chapter.
6. In § 211.24, add new paragraph (i)
to read as follows:

VerDate 11<MAY>2000

18:01 Jan 31, 2001

Jkt 194001

§ 211.24 Approval of offices of foreign
banks; procedures for applications;
standards for approval; representativeoffice activities and standards for approval;
preservation of existing authority; reports
of crimes and suspected crimes;
government securities sales practices.

*

*
*
*
*
(i) Protection of customer information.
An uninsured state-licensed branch or
agency of a foreign bank shall comply
with the Interagency Guidelines
Establishing Standards for Safeguarding
Customer Information prescribed
pursuant to sections 501 and 505 of the
Gramm-Leach-Bliley Act (15 U.S.C.
6801 and 6805), set forth in appendix
D–2 to part 208 of this chapter.
PART 225—BANK HOLDING
COMPANIES AND CHANGE IN BANK
CONTROL (REGULATION Y)
7. The authority citation for part 225
is revised to read as follows:
Authority: 12 U.S.C. 1817(j)(13), 1818,
1828(o), 1831i, 1831p–1, 1843(c)(8), 1844(b),
1972(1), 3106, 3108, 3310, 3331–3351, 3907,
and 3909; 15 U.S.C. 6801 and 6805.

8. In § 225.1, add new paragraph
(c)(16) to read as follows:
§ 225.1

Authority, purpose, and scope.

*

*
*
*
*
(c) * * *
(16) Appendix F contains the
Interagency Guidelines Establishing
Standards for Safeguarding Customer
Information.
9. In § 225.4, add new paragraph (h)
to read as follows:
§ 225.4

Corporate practices.

*

*
*
*
*
(h) Protection of nonpublic personal
information. A bank holding company,
including a bank holding company that
is a financial holding company, shall
comply with the Interagency Guidelines
Establishing Standards for Safeguarding
Customer Information, as set forth in
appendix F of this part, prescribed
pursuant to sections 501 and 505 of the
Gramm-Leach-Bliley Act (15 U.S.C.
6801 and 6805).
10. Add new appendix F to read as
follows:
Appendix F To Part 225—Interagency
Guidelines Establishing Standards For
Safeguarding Customer Information
Table of Contents
I. Introduction
A. Scope
B. Preservation of Existing Authority
C. Definitions
II. Standards for Safeguarding Customer
Information
A. Information Security Program
B. Objectives

PO 00000

Frm 00022

Fmt 4701

Sfmt 4700

III. Development and Implementation of
Customer Information Security Program
A. Involve the Board of Directors
B. Assess Risk
C. Manage and Control Risk
D. Oversee Service Provider Arrangements
E. Adjust the Program
F. Report to the Board
G. Implement the Standards
I. Introduction
These Interagency Guidelines Establishing
Standards for Safeguarding Customer
Information (Guidelines) set forth standards
pursuant to sections 501 and 505 of the
Gramm-Leach-Bliley Act (15 U.S.C. 6801 and
6805) . These Guidelines address standards
for developing and implementing
administrative, technical, and physical
safeguards to protect the security,
confidentiality, and integrity of customer
information.
A. Scope. The Guidelines apply to
customer information maintained by or on
behalf of bank holding companies and their
nonbank subsidiaries or affiliates (except
brokers, dealers, persons providing
insurance, investment companies, and
investment advisors), for which the Board
has supervisory authority.
B. Preservation of Existing Authority.
These Guidelines do not in any way limit the
authority of the Board to address unsafe or
unsound practices, violations of law, unsafe
or unsound conditions, or other practices.
The Board may take action under these
Guidelines independently of, in conjunction
with, or in addition to, any other
enforcement action available to the Board.
C. Definitions. 1. Except as modified in the
Guidelines, or unless the context otherwise
requires, the terms used in these Guidelines
have the same meanings as set forth in
sections 3 and 39 of the Federal Deposit
Insurance Act (12 U.S.C. 1813 and 1831p–1).
2. For purposes of the Guidelines, the
following definitions apply:
a. Board of directors, in the case of a
branch or agency of a foreign bank, means the
managing official in charge of the branch or
agency.
b. Customer means any customer of the
bank holding company as defined in
§ 216.3(h) of this chapter.
c. Customer information means any record
containing nonpublic personal information,
as defined in § 216.3(n) of this chapter, about
a customer, whether in paper, electronic, or
other form, that is maintained by or on behalf
of the bank holding company.
d. Customer information systems means
any methods used to access, collect, store,
use, transmit, protect, or dispose of customer
information.
e. Service provider means any person or
entity that maintains, processes, or otherwise
is permitted access to customer information
through its provision of services directly to
the bank holding company.
f. Subsidiary means any company
controlled by a bank holding company,
except a broker, dealer, person providing
insurance, investment company, investment
advisor, insured depository institution, or
subsidiary of an insured depository
institution.

E:\FR\FM\01FER2.SGM

pfrm01

PsN: 01FER2

Federal Register / Vol. 66, No. 22 / Thursday, February 1, 2001 / Rules and Regulations
II. Standards for Safeguarding Customer
Information
A. Information Security Program. Each
bank holding company shall implement a
comprehensive written information security
program that includes administrative,
technical, and physical safeguards
appropriate to the size and complexity of the
bank holding company and the nature and
scope of its activities. While all parts of the
bank holding company are not required to
implement a uniform set of policies, all
elements of the information security program
must be coordinated. A bank holding
company also shall ensure that each of its
subsidiaries is subject to a comprehensive
information security program. The bank
holding company may fulfill this
requirement either by including a subsidiary
within the scope of the bank holding
company’s comprehensive information
security program or by causing the subsidiary
to implement a separate comprehensive
information security program in accordance
with the standards and procedures in
sections II and III of this appendix that apply
to bank holding companies.
B. Objectives. A bank holding company’s
information security program shall be
designed to:
1. Ensure the security and confidentiality
of customer information;
2. Protect against any anticipated threats or
hazards to the security or integrity of such
information; and
3. Protect against unauthorized access to or
use of such information that could result in
substantial harm or inconvenience to any
customer.
III. Development and Implementation of
Information Security Program
A. Involve the Board of Directors. The
board of directors or an appropriate
committee of the board of each bank holding
company shall:
1. Approve the bank holding company’s
written information security program; and
2. Oversee the development,
implementation, and maintenance of the
bank holding company’s information security
program, including assigning specific
responsibility for its implementation and
reviewing reports from management.
B. Assess Risk. Each bank holding
company shall:
1. Identify reasonably foreseeable internal
and external threats that could result in
unauthorized disclosure, misuse, alteration,
or destruction of customer information or
customer information systems.
2. Assess the likelihood and potential
damage of these threats, taking into
consideration the sensitivity of customer
information.
3. Assess the sufficiency of policies,
procedures, customer information systems,
and other arrangements in place to control
risks.
C. Manage and Control Risk. Each bank
holding company shall:
1. Design its information security program
to control the identified risks, commensurate
with the sensitivity of the information as well
as the complexity and scope of the bank
holding company’s activities. Each bank

VerDate 11<MAY>2000

18:01 Jan 31, 2001

Jkt 194001

holding company must consider whether the
following security measures are appropriate
for the bank holding company and, if so,
adopt those measures the bank holding
company concludes are appropriate:
a. Access controls on customer information
systems, including controls to authenticate
and permit access only to authorized
individuals and controls to prevent
employees from providing customer
information to unauthorized individuals who
may seek to obtain this information through
fraudulent means.
b. Access restrictions at physical locations
containing customer information, such as
buildings, computer facilities, and records
storage facilities to permit access only to
authorized individuals;
c. Encryption of electronic customer
information, including while in transit or in
storage on networks or systems to which
unauthorized individuals may have access;
d. Procedures designed to ensure that
customer information system modifications
are consistent with the bank holding
company’s information security program;
e. Dual control procedures, segregation of
duties, and employee background checks for
employees with responsibilities for or access
to customer information;
f. Monitoring systems and procedures to
detect actual and attempted attacks on or
intrusions into customer information
systems;
g. Response programs that specify actions
to be taken when the bank holding company
suspects or detects that unauthorized
individuals have gained access to customer
information systems, including appropriate
reports to regulatory and law enforcement
agencies; and
h. Measures to protect against destruction,
loss, or damage of customer information due
to potential environmental hazards, such as
fire and water damage or technological
failures.
2. Train staff to implement the bank
holding company’s information security
program.
3. Regularly test the key controls, systems
and procedures of the information security
program. The frequency and nature of such
tests should be determined by the bank
holding company’s risk assessment. Tests
should be conducted or reviewed by
independent third parties or staff
independent of those that develop or
maintain the security programs.
D. Oversee Service Provider Arrangements.
Each bank holding company shall:
1. Exercise appropriate due diligence in
selecting its service providers;
2. Require its service providers by contract
to implement appropriate measures designed
to meet the objectives of these Guidelines;
and
3. Where indicated by the bank holding
company’s risk assessment, monitor its
service providers to confirm that they have
satisfied their obligations as required by
paragraph D.2. As part of this monitoring, a
bank holding company should review audits,
summaries of test results, or other equivalent
evaluations of its service providers.
E. Adjust the Program. Each bank holding
company shall monitor, evaluate, and adjust,

PO 00000

Frm 00023

Fmt 4701

Sfmt 4700

8637

as appropriate, the information security
program in light of any relevant changes in
technology, the sensitivity of its customer
information, internal or external threats to
information, and the bank holding company’s
own changing business arrangements, such
as mergers and acquisitions, alliances and
joint ventures, outsourcing arrangements,
and changes to customer information
systems.
F. Report to the Board. Each bank holding
company shall report to its board or an
appropriate committee of the board at least
annually. This report should describe the
overall status of the information security
program and the bank holding company’s
compliance with these Guidelines. The
reports should discuss material matters
related to its program, addressing issues such
as: risk assessment; risk management and
control decisions; service provider
arrangements; results of testing; security
breaches or violations and management’s
responses; and recommendations for changes
in the information security program.
G. Implement the Standards.
1. Effective date. Each bank holding
company must implement an information
security program pursuant to these
Guidelines by July 1, 2001.
2. Two-year grandfathering of agreements
with service providers. Until July 1, 2003, a
contract that a bank holding company has
entered into with a service provider to
perform services for it or functions on its
behalf satisfies the provisions of section
III.D., even if the contract does not include
a requirement that the servicer maintain the
security and confidentiality of customer
information, as long as the bank holding
company entered into the contract on or
before March 5, 2001.

PART 263—RULES OF PRACTICE FOR
HEARINGS
11. The authority citation for part 263
is revised to read as follows:
Authority: 5 U.S.C. 504; 12 U.S.C. 248,
324, 504, 505, 1817(j), 1818, 1828(c), 1831o,
1831p–1, 1847(b), 1847(d), 1884(b),
1972(2)(F), 3105, 3107, 3108, 3907, 3909; 15
U.S.C. 21, 78o–4, 78o–5, 78u–2, 6801, 6805;
and 28 U.S.C. 2461 note.

12. Amend § 263.302 to revise
paragraph (a) to read as follows:
§ 263.302 Determination and notification of
failure to meet safety and soundness
standard and request for compliance plan.

(a) Determination. The Board may,
based upon an examination, inspection,
or any other information that becomes
available to the Board, determine that a
bank has failed to satisfy the safety and
soundness standards contained in the
Interagency Guidelines Establishing
Standards for Safety and Soundness or
the Interagency Guidelines Establishing
Standards for Safeguarding Customer
Information, set forth in appendices D–
1 and D–2 to part 208 of this chapter,
respectively.
*
*
*
*
*

E:\FR\FM\01FER2.SGM

pfrm01

PsN: 01FER2

8638

Federal Register / Vol. 66, No. 22 / Thursday, February 1, 2001 / Rules and Regulations

By order of the Board of Governors of the
Federal Reserve System, January 4, 2001.
Jennifer J. Johnson,
Secretary of the Board.

Federal Deposit Insurance Corporation
12 CFR Chapter III
Authority and Issuance
For the reasons set forth in the joint
preamble, parts 308 and 364 of chapter
III of title 12 of the Code of Federal
Regulations are amended as follows:
PART 308—RULES OF PRACTICE AND
PROCEDURE
1. The authority citation for part 308
is revised to read as follows:
Authority: 5 U.S.C. 504, 554–557; 12
U.S.C. 93(b), 164, 505, 1815(e), 1817, 1818,
1820, 1828, 1829, 1829b, 1831i, 1831o,
1831p–1, 1832(c), 1884(b), 1972, 3102,
3108(a), 3349, 3909, 4717; 15 U.S.C. 78(h)
and (i), 78o–4(c), 78o–5, 78q–1, 78s, 78u,
78u–2, 78u–3 and 78w; 6801(b), 6805(b)(1),
28 U.S.C. 2461 note; 31 U.S.C. 330, 5321; 42
U.S.C. 4012a; Sec. 3100(s), Pub. L. 104–134,
110 Stat. 1321–358.

1. Amend § 308.302 to revise
paragraph (a) to read as follows:
§ 308.302 Determination and notification of
failure to meet a safety and soundness
standard and request for compliance plan.

(a) Determination. The FDIC may,
based upon an examination, inspection
or any other information that becomes
available to the FDIC, determine that a
bank has failed to satisfy the safety and
soundness standards set out in part 364
of this chapter and in the Interagency
Guidelines Establishing Standards for
Safety and Soundness in appendix A
and the Interagency Guidelines
Establishing Standards for Safeguarding
Customer Information in appendix B to
part 364 of this chapter.
*
*
*
*
*
PART 364—STANDARDS FOR SAFETY
AND SOUNDNESS
2. The authority citation for part 364
is revised to read as follows:
Authority: 12 U.S.C. 1819(Tenth), 1831p–
1; 15 U.S.C. 6801(b), 6805(b)(1).

3. Amend § 364.101 to revise
paragraph (b) to read as follows:
§ 364.101 Standards for safety and
soundness.

*

*
*
*
*
(b) Interagency Guidelines
Establishing Standards for Safeguarding
Customer Information. The Interagency
Guidelines Establishing Standards for
Safeguarding Customer Information
prescribed pursuant to section 39 of the
Federal Deposit Insurance Act (12

VerDate 11<MAY>2000

18:01 Jan 31, 2001

Jkt 194001

U.S.C. 1831p–1) and sections 501 and
505(b) of the Gramm-Leach-Bliley Act
(15 U.S.C. 6801, 6805(b)), as set forth in
appendix B to this part, apply to all
insured state nonmember banks, insured
state licensed branches of foreign banks,
and any subsidiaries of such entities
(except brokers, dealers, persons
providing insurance, investment
companies, and investment advisers).
4. Revise appendix B to part 364 to
read as follows:
Appendix B to Part 364—Interagency
Guidelines Establishing Standards for
Safeguarding Customer Information
Table of Contents
I. Introduction
A. Scope
B. Preservation of Existing Authority
C. Definitions
II. Standards for Safeguarding Customer
Information
A. Information Security Program
B. Objectives
III. Development and Implementation of
Customer Information Security Program
A. Involve the Board of Directors
B. Assess Risk
C. Manage and Control Risk
D. Oversee Service Provider Arrangements
E. Adjust the Program
F. Report to the Board
G. Implement the Standards
I. Introduction
The Interagency Guidelines Establishing
Standards for Safeguarding Customer
Information (Guidelines) set forth standards
pursuant to section 39 of the Federal Deposit
Insurance Act (section 39, codified at 12
U.S.C. 1831p–1), and sections 501 and
505(b), codified at 15 U.S.C. 6801 and
6805(b), of the Gramm-Leach-Bliley Act.
These Guidelines address standards for
developing and implementing
administrative, technical, and physical
safeguards to protect the security,
confidentiality, and integrity of customer
information.
A. Scope. The Guidelines apply to
customer information maintained by or on
behalf of entities over which the Federal
Deposit Insurance Corporation (FDIC) has
authority. Such entities, referred to as ‘‘the
bank’’ are banks insured by the FDIC (other
than members of the Federal Reserve
System), insured state branches of foreign
banks, and any subsidiaries of such entities
(except brokers, dealers, persons providing
insurance, investment companies, and
investment advisers).
B. Preservation of Existing Authority.
Neither section 39 nor these Guidelines in
any way limit the authority of the FDIC to
address unsafe or unsound practices,
violations of law, unsafe or unsound
conditions, or other practices. The FDIC may
take action under section 39 and these
Guidelines independently of, in conjunction
with, or in addition to, any other
enforcement action available to the FDIC.
C. Definitions. 1. Except as modified in the
Guidelines, or unless the context otherwise

PO 00000

Frm 00024

Fmt 4701

Sfmt 4700

requires, the terms used in these Guidelines
have the same meanings as set forth in
sections 3 and 39 of the Federal Deposit
Insurance Act (12 U.S.C. 1813 and 1831p–1).
2. For purposes of the Guidelines, the
following definitions apply:
a. Board of directors, in the case of a
branch or agency of a foreign bank, means the
managing official in charge of the branch or
agency.
b. Customer means any customer of the
bank as defined in § 332.3(h) of this chapter.
c. Customer information means any record
containing nonpublic personal information,
as defined in § 332.3(n) of this chapter, about
a customer, whether in paper, electronic, or
other form, that is maintained by or on behalf
of the bank.
d. Customer information systems means
any methods used to access, collect, store,
use, transmit, protect, or dispose of customer
information.
e. Service provider means any person or
entity that maintains, processes, or otherwise
is permitted access to customer information
through its provision of services directly to
the bank.
II. Standards for Safeguarding Customer
Information
A. Information Security Program. Each
bank shall implement a comprehensive
written information security program that
includes administrative, technical, and
physical safeguards appropriate to the size
and complexity of the bank and the nature
and scope of its activities. While all parts of
the bank are not required to implement a
uniform set of policies, all elements of the
information security program must be
coordinated.
B. Objectives. A bank’s information
security program shall be designed to:
1. Ensure the security and confidentiality
of customer information;
2. Protect against any anticipated threats or
hazards to the security or integrity of such
information; and
3. Protect against unauthorized access to or
use of such information that could result in
substantial harm or inconvenience to any
customer.
III. Development and Implementation of
Information Security Program
A. Involve the Board of Directors. The
board of directors or an appropriate
committee of the board of each bank shall:
1. Approve the bank’s written information
security program; and
2. Oversee the development,
implementation, and maintenance of the
bank’s information security program,
including assigning specific responsibility for
its implementation and reviewing reports
from management.
B. Assess Risk.
Each bank shall:
1. Identify reasonably foreseeable internal
and external threats that could result in
unauthorized disclosure, misuse, alteration,
or destruction of customer information or
customer information systems.
2. Assess the likelihood and potential
damage of these threats, taking into
consideration the sensitivity of customer
information.

E:\FR\FM\01FER2.SGM

pfrm01

PsN: 01FER2

Federal Register / Vol. 66, No. 22 / Thursday, February 1, 2001 / Rules and Regulations
3. Assess the sufficiency of policies,
procedures, customer information systems,
and other arrangements in place to control
risks.
C. Manage and Control Risk. Each bank
shall:
1. Design its information security program
to control the identified risks, commensurate
with the sensitivity of the information as well
as the complexity and scope of the bank’s
activities. Each bank must consider whether
the following security measures are
appropriate for the bank and, if so, adopt
those measures the bank concludes are
appropriate:
a. Access controls on customer information
systems, including controls to authenticate
and permit access only to authorized
individuals and controls to prevent
employees from providing customer
information to unauthorized individuals who
may seek to obtain this information through
fraudulent means.
b. Access restrictions at physical locations
containing customer information, such as
buildings, computer facilities, and records
storage facilities to permit access only to
authorized individuals;
c. Encryption of electronic customer
information, including while in transit or in
storage on networks or systems to which
unauthorized individuals may have access;
d. Procedures designed to ensure that
customer information system modifications
are consistent with the bank’s information
security program;
e. Dual control procedures, segregation of
duties, and employee background checks for
employees with responsibilities for or access
to customer information;
f. Monitoring systems and procedures to
detect actual and attempted attacks on or
intrusions into customer information
systems;
g. Response programs that specify actions
to be taken when the bank suspects or detects
that unauthorized individuals have gained
access to customer information systems,
including appropriate reports to regulatory
and law enforcement agencies; and
h. Measures to protect against destruction,
loss, or damage of customer information due
to potential environmental hazards, such as
fire and water damage or technological
failures.
2. Train staff to implement the bank’s
information security program.
3. Regularly test the key controls, systems
and procedures of the information security
program. The frequency and nature of such
tests should be determined by the bank’s risk
assessment. Tests should be conducted or
reviewed by independent third parties or
staff independent of those that develop or
maintain the security programs.
D. Oversee Service Provider Arrangements.
Each bank shall:
1. Exercise appropriate due diligence in
selecting its service providers;
2. Require its service providers by contract
to implement appropriate measures designed
to meet the objectives of these Guidelines;
and
3. Where indicated by the bank’s risk
assessment, monitor its service providers to
confirm that they have satisfied their

VerDate 11<MAY>2000

18:01 Jan 31, 2001

Jkt 194001

obligations as required by paragraph D.2. As
part of this monitoring, a bank should review
audits, summaries of test results, or other
equivalent evaluations of its service
providers.
E. Adjust the Program. Each bank shall
monitor, evaluate, and adjust, as appropriate,
the information security program in light of
any relevant changes in technology, the
sensitivity of its customer information,
internal or external threats to information,
and the bank’s own changing business
arrangements, such as mergers and
acquisitions, alliances and joint ventures,
outsourcing arrangements, and changes to
customer information systems.
F. Report to the Board. Each bank shall
report to its board or an appropriate
committee of the board at least annually.
This report should describe the overall status
of the information security program and the
bank’s compliance with these Guidelines.
The report, which will vary depending upon
the complexity of each bank’s program
should discuss material matters related to its
program, addressing issues such as: risk
assessment; risk management and control
decisions; service provider arrangements;
results of testing; security breaches or
violations, and management’s responses; and
recommendations for changes in the
information security program.
G. Implement the Standards. 1. Effective
date. Each bank must implement an
information security program pursuant to
these Guidelines by July 1, 2001.
2. Two-year grandfathering of agreements
with service providers. Until July 1, 2003, a
contract that a bank has entered into with a
service provider to perform services for it or
functions on its behalf, satisfies the
provisions of paragraph III.D., even if the
contract does not include a requirement that
the servicer maintain the security and
confidentiality of customer information as
long as the bank entered into the contract on
or before March 5, 2001.
By order of the Board of Directors.
Dated at Washington, D.C., this 21st day of
December, 2000.
Federal Deposit Insurance Corporation.
Robert E. Feldman,
Executive Secretary.

Office of Thrift Supervision
Authority and Issuance
For the reasons set forth in the joint
preamble, parts 568 and 570 of chapter
V of title 12 of the Code of Federal
regulations are amended as follows:
PART 568—SECURITY PROCEDURES
1. The authority citation of part 568
is revised to read as follows:
Authority: Secs. 2–5, 82 Stat. 294–295 (12
U.S.C. 1881–1984); 12 U.S.C. 1831p-1; 15
U.S.C. 6801, 6805(b)(1).

2. Amend § 568.1 by revising
paragraph (a) to read as follows:

Frm 00025

Fmt 4701

Sfmt 4700

Authority, purpose, and scope.

(a) This part is issued by the Office of
Thrift Supervision (OTS) pursuant to
section 3 of the Bank Protection Act of
1968 (12 U.S.C. 1882), and sections 501
and 505(b)(1) of the Gramm-LeachBliley Act (12 U.S.C. 6801, 6805(b)(1)).
This part is applicable to savings
associations. It requires each savings
association to adopt appropriate
security procedures to discourage
robberies, burglaries, and larcenies and
to assist in the identification and
prosecution of persons who commit
such acts. Section 568.5 of this part is
applicable to savings associations and
their subsidiaries (except brokers,
dealers, persons providing insurance,
investment companies, and investment
advisers). Section 568.5 of this part
requires covered institutions to establish
and implement appropriate
administrative, technical, and physical
safeguards to protect the security,
confidentiality, and integrity of
customer information.
*
*
*
*
*
3. Add new § 568.5 to read as follows:
§ 568.5 Protection of customer
information.

Savings associations and their
subsidiaries (except brokers, dealers,
persons providing insurance,
investment companies, and investment
advisers) must comply with the
Interagency Guidelines Establishing
Standards for Safeguarding Customer
Information prescribed pursuant to
sections 501 and 505 of the GrammLeach-Bliley Act (15 U.S.C. 6801 and
6805), set forth in appendix B to part
570 of this chapter.
PART 570—SUBMISSION AND REVIEW
OF SAFETY AND SOUNDNESS
COMPLIANCE PLANS AND ISSUANCE
OF ORDERS TO CORRECT SAFETY
AND SOUNDNESS DEFICIENCIES
4. Amend § 570.1 by adding a
sentence at the end of paragraph (a) and
revising the last sentence of paragraph
(b) to read as follows:

12 CFR Chapter V

PO 00000

§ 568.1

8639

§ 570.1 Authority, purpose, scope and
preservation of existing authority.

(a) * * *Appendix B to this part is
further issued under sections 501(b) and
505 of the Gramm-Leach-Bliley Act
(Pub. L. 106–102, 113 Stat. 1338 (1999)).
(b)* * *Interagency Guidelines
Establishing Standards for Safeguarding
Customer Information are set forth in
appendix B to this part.
*
*
*
*
*
5. Amend § 570.2 by revising
paragraph (a) to read as follows:

E:\FR\FM\01FER2.SGM

pfrm01

PsN: 01FER2

8640

Federal Register / Vol. 66, No. 22 / Thursday, February 1, 2001 / Rules and Regulations

§ 570.2 Determination and notification of
failure to meet safety and soundness
standards and request for compliance plan.

(a) Determination. OTS may, based
upon an examination, inspection, or any
other information that becomes
available to OTS, determine that a
savings association has failed to satisfy
the safety and soundness standards
contained in the Interagency Guidelines
Establishing Standards for Safety and
Soundness as set forth in appendix A to
this part or the Interagency Guidelines
Establishing Standards for Safeguarding
Customer Information as set forth in
appendix B to this part.
*
*
*
*
*
6. Revise appendix B to part 570 to
read as follows:
Appendix B to Part 570—Interagency
Guidelines Establishing Standards for
Safeguarding Customer Information
Table of Contents
I. Introduction
A. Scope
B. Preservation of Existing Authority
C. Definitions
II. Standards for Safeguarding Customer
Information
A. Information Security Program
B. Objectives
III. Development and Implementation of
Customer Information Security Program
A. Involve the Board of Directors
B. Assess Risk
C. Manage and Control Risk
D. Oversee Service Provider Arrangements
E. Adjust the Program
F. Report to the Board
G. Implement the Standards
I. Introduction
The Interagency Guidelines Establishing
Standards for Safeguarding Customer
Information (Guidelines) set forth standards
pursuant to section 39 of the Federal Deposit
Insurance Act (section 39, codified at 12
U.S.C. 1831p–1), and sections 501 and
505(b), codified at 15 U.S.C. 6801 and
6805(b), of the Gramm-Leach-Bliley Act.
These Guidelines address standards for
developing and implementing
administrative, technical, and physical
safeguards to protect the security,
confidentiality, and integrity of customer
information.
A. Scope. The Guidelines apply to
customer information maintained by or on
behalf of entities over which OTS has
authority. For purposes of this appendix,
these entities are savings associations whose
deposits are FDIC-insured and any
subsidiaries of such savings associations,
except brokers, dealers, persons providing
insurance, investment companies, and
investment advisers. This appendix refers to
such entities as ‘‘you’.
B. Preservation of Existing Authority.
Neither section 39 nor these Guidelines in
any way limit OTS’s authority to address
unsafe or unsound practices, violations of
law, unsafe or unsound conditions, or other

VerDate 11<MAY>2000

18:01 Jan 31, 2001

Jkt 194001

practices. OTS may take action under section
39 and these Guidelines independently of, in
conjunction with, or in addition to, any other
enforcement action available to OTS.
C. Definitions. 1. Except as modified in the
Guidelines, or unless the context otherwise
requires, the terms used in these Guidelines
have the same meanings as set forth in
sections 3 and 39 of the Federal Deposit
Insurance Act (12 U.S.C. 1813 and 1831p–1).
2. For purposes of the Guidelines, the
following definitions apply:
a. Customer means any of your customers
as defined in § 573.3(h) of this chapter.
b. Customer information means any record
containing nonpublic personal information,
as defined in § 573.3(n) of this chapter, about
a customer, whether in paper, electronic, or
other form, that you maintain or that is
maintained on your behalf.
c. Customer information systems means
any methods used to access, collect, store,
use, transmit, protect, or dispose of customer
information.
d. Service provider means any person or
entity that maintains, processes, or otherwise
is permitted access to customer information
through its provision of services directly to
you.
II. Standards for Safeguarding Customer
Information
A. Information Security Program. You shall
implement a comprehensive written
information security program that includes
administrative, technical, and physical
safeguards appropriate to your size and
complexity and the nature and scope of your
activities. While all parts of your
organization are not required to implement a
uniform set of policies, all elements of your
information security program must be
coordinated.
B. Objectives. Your information security
program shall be designed to:
1. Ensure the security and confidentiality
of customer information;
2. Protect against any anticipated threats or
hazards to the security or integrity of such
information; and
3. Protect against unauthorized access to or
use of such information that could result in
substantial harm or inconvenience to any
customer.
III. Development and Implementation of
Information Security Program
A. Involve the Board of Directors. Your
board of directors or an appropriate
committee of the board shall:
1. Approve your written information
security program; and
2. Oversee the development,
implementation, and maintenance of your
information security program, including
assigning specific responsibility for its
implementation and reviewing reports from
management.
B. Assess Risk. You shall:
1. Identify reasonably foreseeable internal
and external threats that could result in
unauthorized disclosure, misuse, alteration,
or destruction of customer information or
customer information systems.
2. Assess the likelihood and potential
damage of these threats, taking into

PO 00000

Frm 00026

Fmt 4701

Sfmt 4700

consideration the sensitivity of customer
information.
3. Assess the sufficiency of policies,
procedures, customer information systems,
and other arrangements in place to control
risks.
C. Manage and Control Risk. You shall:
1. Design your information security
program to control the identified risks,
commensurate with the sensitivity of the
information as well as the complexity and
scope of your activities. You must consider
whether the following security measures are
appropriate for you and, if so, adopt those
measures you conclude are appropriate:
a. Access controls on customer information
systems, including controls to authenticate
and permit access only to authorized
individuals and controls to prevent
employees from providing customer
information to unauthorized individuals who
may seek to obtain this information through
fraudulent means.
b. Access restrictions at physical locations
containing customer information, such as
buildings, computer facilities, and records
storage facilities to permit access only to
authorized individuals;
c. Encryption of electronic customer
information, including while in transit or in
storage on networks or systems to which
unauthorized individuals may have access;
d. Procedures designed to ensure that
customer information system modifications
are consistent with your information security
program;
e. Dual control procedures, segregation of
duties, and employee background checks for
employees with responsibilities for or access
to customer information;
f. Monitoring systems and procedures to
detect actual and attempted attacks on or
intrusions into customer information
systems;
g. Response programs that specify actions
for you to take when you suspect or detect
that unauthorized individuals have gained
access to customer information systems,
including appropriate reports to regulatory
and law enforcement agencies; and
h. Measures to protect against destruction,
loss, or damage of customer information due
to potential environmental hazards, such as
fire and water damage or technological
failures.
2. Train staff to implement your
information security program.
3. Regularly test the key controls, systems
and procedures of the information security
program. The frequency and nature of such
tests should be determined by your risk
assessment. Tests should be conducted or
reviewed by independent third parties or
staff independent of those that develop or
maintain the security programs.
D. Oversee Service Provider Arrangements.
You shall:
1. Exercise appropriate due diligence in
selecting your service providers;
2. Require your service providers by
contract to implement appropriate measures
designed to meet the objectives of these
Guidelines; and
3. Where indicated by your risk
assessment, monitor your service providers
to confirm that they have satisfied their

E:\FR\FM\01FER2.SGM

pfrm01

PsN: 01FER2

Federal Register / Vol. 66, No. 22 / Thursday, February 1, 2001 / Rules and Regulations
obligations as required by paragraph D.2. As
part of this monitoring, you should review
audits, summaries of test results, or other
equivalent evaluations of your service
providers.
E. Adjust the Program. You shall monitor,
evaluate, and adjust, as appropriate, the
information security program in light of any
relevant changes in technology, the
sensitivity of your customer information,
internal or external threats to information,
and your own changing business
arrangements, such as mergers and
acquisitions, alliances and joint ventures,
outsourcing arrangements, and changes to
customer information systems.
F. Report to the Board. You shall report to
your board or an appropriate committee of

VerDate 11<MAY>2000

18:01 Jan 31, 2001

Jkt 194001

the board at least annually. This report
should describe the overall status of the
information security program and your
compliance with these Guidelines. The
reports should discuss material matters
related to your program, addressing issues
such as: risk assessment; risk management
and control decisions; service provider
arrangements; results of testing; security
breaches or violations and management’s
responses; and recommendations for changes
in the information security program.
G. Implement the Standards. 1. Effective
date. You must implement an information
security program pursuant to these
Guidelines by July 1, 2001.
2. Two-year grandfathering of agreements
with service providers. Until July 1, 2003, a

PO 00000

Frm 00027

Fmt 4701

Sfmt 4700

8641

contract that you have entered into with a
service provider to perform services for you
or functions on your behalf satisfies the
provisions of paragraph III.D., even if the
contract does not include a requirement that
the servicer maintain the security and
confidentiality of customer information, as
long as you entered into the contract on or
before March 5, 2001.
Dated: December 19, 2000.
By the Office of Thrift Supervision.
Ellen Seidman,
Director.
[FR Doc. 01–1114 Filed 1–31–01; 8:45 am]
BILLING CODE 4810–33–P; 6210–01–P; 6714–01–P;
6720–01–P

E:\FR\FM\01FER2.SGM

pfrm01

PsN: 01FER2


Federal Reserve Bank of St. Louis, One Federal Reserve Bank Plaza, St. Louis, MO 63102