Federal Reserve Bank of Dallas
2200 N. PEARL ST. DALLAS, TX 75201-2272

January 11, 2005
Notice 05-04

TO: The Chief Executive Officer of each financial institution and others concerned in the Eleventh Federal Reserve District

SUBJECT
Proper Disposal of Consumer Information Under the Fair and Accurate Credit Transactions Act of 2003

DETAILS
The Board, OCC, FDIC, and OTS have adopted a final rule to implement Section 216 of the Fair and Accurate Credit Transactions Act of 2003 by amending the Interagency Guidelines Establishing Standards for Safeguarding Customer Information. The final rule generally requires each financial institution to develop, implement, and maintain, as part of its existing information security program, appropriate measures to properly dispose of consumer information derived from consumer reports to address the risks associated with identity theft. The final rule becomes effective on July 1, 2005.

ATTACHMENT
A copy of the agencies’ notice as it appears on pages 77610–21, Vol. 69, No. 248 of the Federal Register dated December 28, 2004, is attached.

MORE INFORMATION
For more information, please contact Diane van Gelder, Banking Supervision Department, at (214) 922-6282. Paper copies of this notice or previous Federal Reserve Bank notices can be printed from our web site at www.dallasfed.org/banking/notices/index.html. For additional copies, bankers and others are encouraged to use one of the following toll-free numbers in contacting the Federal Reserve Bank of Dallas: Dallas Office (800) 333-4460; El Paso Branch Intrastate (800) 592-1631, Interstate (800) 351-1012; Houston Branch Intrastate (800) 392-4162, Interstate (800) 221-0363; San Antonio Branch Intrastate (800) 292-5810.

77610 Federal Register / Vol. 69, No. 248 / Tuesday, December 28, 2004 / Rules and Regulations

DEPARTMENT OF THE TREASURY
Office of the Comptroller of the Currency
12 CFR Parts 30 and 41
[Docket No. 04–13]
RIN 1557–AC84

FEDERAL RESERVE SYSTEM
12 CFR Parts 208, 211, 222, and 225
[Docket No. R–1199]

FEDERAL DEPOSIT INSURANCE CORPORATION
12 CFR Parts 334 and 364
RIN 3064–AC77

DEPARTMENT OF THE TREASURY
Office of Thrift Supervision
12 CFR Parts 568, 570, and 571
[No. 2004–56]
RIN 1550–AB87

Proper Disposal of Consumer Information Under the Fair and Accurate Credit Transactions Act of 2003

AGENCIES: Office of the Comptroller of the Currency, Treasury (OCC); Board of Governors of the Federal Reserve System (Board); Federal Deposit Insurance Corporation (FDIC); and Office of Thrift Supervision, Treasury (OTS).

ACTION: Final rule.

SUMMARY: The OCC, Board, FDIC, and OTS (the Agencies) are adopting a final rule to implement section 216 of the Fair and Accurate Credit Transactions Act of 2003 by amending the Interagency Guidelines Establishing Standards for Safeguarding Customer Information. The final rule generally requires each financial institution to develop, implement, and maintain, as part of its existing information security program, appropriate measures to properly dispose of consumer information derived from consumer reports to address the risks associated with identity theft.

EFFECTIVE DATE: July 1, 2005.

FOR FURTHER INFORMATION CONTACT:
OCC: Aida Plaza Carter, Director, Bank Information Technology, (202) 874–4740; Amy Friend, Assistant Chief Counsel, (202) 874–5200; or Deborah Katz, Senior Counsel, Legislative and Regulatory Activities Division, (202) 874–5090.
Board: Donna L. Parker, Supervisory Financial Analyst, Division of Supervision & Regulation, (202) 452–2614; Joshua H. Kaplan, Attorney, Legal Division, (202) 452–2249; Minh-Duc T. Le or Ky Tran-Trong, Senior Attorneys, Division of Consumer and Community Affairs, (202) 452–3667.
FDIC: Jeffrey M. Kopchik, Senior Policy Analyst, Division of Supervision and Consumer Protection, (202) 898–3872; Kathryn M.
Weatherby, Examination Specialist, Division of Supervision and Consumer Protection, (202) 898–6793; Robert A. Patrick, Counsel, Legal Division, (202) 898–3757; Janet V. Norcom, Counsel, Legal Division, (202) 898–8886.
OTS: Glenn Gimble, Senior Project Manager, Thrift Policy, (202) 906–7158; Lewis C. Angel, Senior Project Manager, Technology Risk Management, (202) 906–5645; Richard Bennett, Counsel (Banking and Finance), Regulations and Legislation Division, (202) 906–7409.

SUPPLEMENTARY INFORMATION:

I. Introduction

Section 216 of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act or the Act) adds a new section 628 to the Fair Credit Reporting Act (FCRA), at 15 U.S.C. 1681w, that, in general, is designed to protect a consumer against the risks associated with unauthorized access to information about the consumer contained in a consumer report, such as fraud and related crimes including identity theft. Section 216 of the Act requires each of the Agencies to adopt a regulation with respect to the entities that are subject to its enforcement authority “requiring any person that maintains or otherwise possesses consumer information, or any compilation of consumer information, derived from consumer reports for a business purpose to properly dispose of any such information or compilation.” Pub. L. 108–159, 117 Stat. 1985–86. The FACT Act mandates that the Agencies ensure that their respective regulations are consistent with the requirements issued pursuant to the Gramm-Leach-Bliley Act (GLB Act) (Pub. L. 106–102), as well as other provisions of Federal law.

On June 8, 2004, the Agencies published a proposal to amend the Interagency Guidelines Establishing Standards for Safeguarding Customer Information (Guidelines) to require financial institutions to implement controls designed to ensure the proper disposal of “consumer information” within the meaning of section 216.[1] A total of 68 comments on the proposal were submitted to the Agencies, some of which were submitted to more than one of the Agencies. Most of these comments were submitted by financial institutions and associations that represent them. A few comments were submitted by trade associations from the information destruction industry.[2] In general, commenters expressed support for the Agencies’ proposal because the new requirements would allow financial institutions sufficient latitude to adopt controls that suit their particular circumstances. Commenters offered revisions to several aspects of the proposal, notably the definitions and compliance deadlines, and the Agencies have considered each of these suggestions.

[1] 69 FR 31913 (June 8, 2004). The Guidelines are codified at 12 CFR parts 30, app. B (OCC); 208, app. D–2 and 225, app. F (Board); 364, app. B (FDIC); 570, app. B (OTS). Citations to the Guidelines omit references to titles and publications and give only the appropriate paragraph or section number.

[2] Individual consumers and organizations representing consumers submitted comments on the proposed rule issued by the Federal Trade Commission (FTC), which was substantively similar to the Agencies’ proposal. 69 FR 21388 (April 20, 2004); see http://www.ftc.gov/os/comments/disposal/index.htm. The Agencies have reviewed these and other comments submitted to the FTC in connection with this final rule.

The Agencies also proposed to amend their respective regulations that implement the FCRA by adding a new provision setting forth the duties of users of consumer reports regarding identity theft. The proposed provision would require a financial institution to properly dispose of consumer information in accordance with the standards set forth in the Guidelines. The Agencies also proposed to amend their respective FCRA regulations by incorporating a rule of construction, which generally provides that the duty to properly dispose of consumer information shall not be construed to require a financial institution to maintain or destroy any record pertaining to a consumer that is not imposed under any other law or alter any requirement under any other law to maintain or destroy such a record. This rule of construction closely tracks section 628(b) of the FCRA, as added by section 216 of the FACT Act. In general, commenters supported the Agencies’ proposal to amend their FCRA regulations and, in particular, urged the Agencies to retain the rule of construction in the final rule.

In accordance with section 216 of the Act, the Agencies have consulted with the FTC, the National Credit Union Administration, and the Securities and Exchange Commission to ensure that, to the extent possible, the rules adopted by the respective agencies are consistent and comparable.

II. Background

On February 1, 2001, the Agencies issued the Guidelines pursuant to sections 501 and 505 of the GLB Act (15 U.S.C. 6801 and 6805).[3] The Guidelines establish standards relating to the development and implementation of administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information. The Guidelines apply to the financial institutions subject to the Agencies’ respective jurisdictions.

[3] 66 FR 8616 (Feb. 1, 2001).

As mandated by section 501(b) of the GLB Act, the Guidelines require each financial institution to develop a written information security program that is designed to: (1) Ensure the security and confidentiality of customer information; (2) protect against any anticipated threats or hazards to the security or integrity of such information; and (3) protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.[4] The Guidelines direct financial institutions to assess the risks to their customer information and customer information systems and, in turn, implement appropriate security measures to control those risks.[5] For example, under the risk-assessment framework currently imposed by the Guidelines, each financial institution must evaluate whether the controls the institution has developed sufficiently protect its customer information from unauthorized access, misuse, or alteration when the institution disposes of the information.[6]

[4] Guidelines, II.B.

[5] See generally, III.B. and III.C.

[6] See 66 FR 8618. (“Under the final Guidelines, a financial institution’s responsibility to safeguard customer information continues through the disposal process.”)

III. Proper Disposal of Consumer Information and Customer Information

To implement section 216 of the FACT Act, the Agencies are adopting amendments to the Guidelines[7] that require each financial institution to develop and maintain, as part of its information security program, appropriate controls designed to ensure that the institution properly disposes of “consumer information.” The amendments to the Guidelines generally require a financial institution to properly dispose of “consumer information” derived from a consumer report in a manner consistent with a financial institution’s existing obligations under the Guidelines to properly dispose of customer information. Although the Guidelines currently address an institution’s obligations to properly dispose of customer information, the amendments now state this obligation more directly and combine it with the new requirement to properly dispose of consumer information. The Agencies have incorporated this new requirement into the Guidelines by: (1) Adding a definition of “consumer information,” including illustrations of the information covered by the new term; (2) adding an objective (in paragraph II) regarding the proper disposal of customer information and consumer information; and (3) adding a provision (in paragraph III) that requires a financial institution to implement appropriate measures to properly dispose of customer information and consumer information in accordance with each of the requirements in paragraph III.

[7] The Agencies are renaming the “Interagency Guidelines Establishing Standards for Safeguarding Customer Information” to read “Interagency Guidelines Establishing Standards for Information Security” to make clear that the Guidelines encompass the disposal of consumer information.

The final rule requires each financial institution to implement the appropriate measures to properly dispose of “consumer information” by July 1, 2005. The Agencies believe that any changes to an institution’s existing information security program likely will be minimal because many of the measures that an institution already uses to dispose of “customer information” can be adapted to properly dispose of “consumer information.” Nevertheless, a few of the comments noted that the proposed period for compliance would be relatively short in light of the work required to locate and track all “consumer information” in a financial institution’s existing information systems. Accordingly, the Agencies have determined that financial institutions should be afforded a six-month period to adjust their systems and controls.
A discussion of each proposed amendment to the Guidelines and the addition of cross-references to the Guidelines in the Agencies’ FCRA regulations follows.

Consumer Information

The proposal defined “consumer information” to mean “any record about an individual, whether in paper, electronic, or other form, that is a consumer report or is derived from a consumer report and that is maintained or otherwise possessed by or on behalf of the [institution] for a business purpose.” “Consumer information” also was defined to mean “a compilation of such records.” Commenters generally supported the Agencies’ proposed definition of this term, but argued that the Agencies should include statements or illustrations to clarify the nature and scope of “consumer information.” Several commenters found the proposed phrase “about an individual” to be ambiguous and urged the Agencies to adopt a definition expressly stating that “consumer information” only includes information that identifies a particular individual. Similarly, some commenters supported the Agencies’ explanation in the proposal that “consumer information” does not include information derived from a consumer report that does not identify any particular consumer, such as the mean credit score derived from a group of consumer reports. These commenters suggested that the Agencies include this example (or similar examples) in the definition.

In the final rule, as in the proposed rule, the Agencies have continued to define “consumer information” to mean “any record about an individual, whether in paper, electronic, or other form, that is a consumer report or is derived from a consumer report and that is maintained or otherwise possessed by or on behalf of the [institution] for a business purpose.” In addition, the Agencies have continued to define “consumer information” to mean “a compilation of such records,” as proposed. The Agencies have modified the term “consumer information,” however, to expressly exclude from the definition “any record that does not identify an individual.” The Agencies believe that qualifying the term “consumer information” to cover only personally identifiable information appropriately focuses on the information derived from a consumer report that, if improperly disposed, could be used to commit fraud or identity theft against a consumer. The Agencies believe that limiting “consumer information” to information that identifies a consumer is consistent with the current law relating to the scope of the term “consumer report” under the FCRA and the purposes of section 216 of the FACT Act. Under the final rule, a financial institution must implement measures to properly dispose of “consumer information” that identifies a consumer, such as the consumer’s name and the credit score derived from a consumer report. However, this requirement does not apply to aggregate information, such as the mean credit score that is derived from a group of consumer reports, or blind data, such as a series of credit scores that do not identify the subjects of the consumer reports from which those scores are derived. The Agencies have included examples of records that illustrate this aspect of the Guidelines, but have not rigidly defined the nature and scope of personally identifiable information.
The Agencies note that there are a variety of types of information apart from an individual’s name, account number, or address that, depending on the circumstances or when used in combination, could identify the individual.

A few commenters argued that the term “consumer information” should exclude non-sensitive information about a consumer, such as names and addresses that are publicly available. These commenters urged the Agencies to limit “consumer information” to information about an individual’s specific financial characteristics, such as payment history or account numbers, or personal characteristics, such as driver’s license information. In their view, only sensitive, non-public information should be subject to the requirements of the rule because unauthorized access to or misuse of that information poses the greatest threats of identity theft against consumers. The Agencies believe that there is no basis to exclude certain classes of relatively non-sensitive information from the scope of “consumer information” under section 216 of the Act.

Some commenters urged the Agencies to eliminate references to business-related transactions in the discussion of the definition of “consumer information.” These commenters argued that the FCRA defines a “consumer report” only with respect to information used to determine a consumer’s eligibility for “credit or insurance to be used primarily for personal, family, or household purposes.”[8] Thus, these commenters recommended that the Agencies remove references to business transactions that, in their view, would be inconsistent with the scope of the FCRA.

[8] 15 U.S.C. 1681a(d)(1)(A).

The Agencies note that the FCRA defines a “consumer report” as encompassing a communication by a consumer reporting agency of information about a consumer that, in general, is used as a factor in establishing the consumer’s eligibility for “any other purpose authorized under section 604 [of the FCRA].”[9] Among other permissible purposes, a consumer reporting agency lawfully may furnish a consumer report to a person which it has reason to believe “otherwise has a legitimate business need for the information in connection with a business transaction that is initiated by the consumer.”[10] If used in whole or in part to establish a consumer’s eligibility for a business transaction that is initiated by the consumer, such as an application for a small business loan that is initiated by a sole proprietor, then that information could be a consumer report. Accordingly, a financial institution that maintains information derived from a consumer report for a business purpose, including a consumer report originally obtained in connection with a “business transaction that is initiated by the consumer,” would be subject to the requirement to properly dispose of such information, pursuant to section 216 of the FACT Act.

[9] 15 U.S.C. 1681a(d)(1)(C).

[10] 15 U.S.C. 1681b(a)(3)(F)(i).

As discussed in the proposal, the Agencies note that the scope of information covered by the terms “consumer information” and “customer information” will sometimes overlap, but will not always coincide. The definition of “consumer information” is drawn from the term “consumer” in section 603(c) of the FCRA, which defines a “consumer” as an individual, without elaboration. 15 U.S.C. 1681a(c). By contrast, “customer information” under the Guidelines means nonpublic personal information about a “customer,” namely, an individual who obtains a financial product or service to be used primarily for personal, family, or household purposes and who has a continuing relationship with the financial institution.[11] The relationship between “consumer information” and “customer information” can be illustrated through the following examples. Payment history information from a consumer report about an individual, who is a financial institution’s customer, will be both “consumer information” because it comes from a consumer report and “customer information” because it is nonpublic personal information about a customer. In some circumstances, “customer information” will be broader than “consumer information.” For instance, information about a financial institution’s own transactions with its customer is “customer information” but is not “consumer information” because it does not come from a consumer report. In other circumstances, “consumer information” will be broader than “customer information.” “Consumer information” includes information from a consumer report that an institution obtains about an individual who applies for but does not receive a loan, an individual who guarantees a loan (including a loan to a business entity), an employee or a prospective employee, or an individual in connection with a loan to the individual’s sole proprietorship. In each of these instances, the consumer reports are not “customer information” because the information is not about a “customer” within the meaning of the Guidelines.

[11] I.C.2.b.
The Agencies believe that the phrase “derived from consumer reports” covers all of the information about a consumer that is taken from a consumer report, including information that results in whole or in part from manipulation of information from a consumer report or information from a consumer report that has been combined with other types of information. Consequently, a financial institution that possesses any of this information must properly dispose of it. For example, any record about a consumer derived from a consumer report, such as the consumer’s name and credit score, that is shared among affiliates must be disposed of properly by each affiliate that possesses that information.[12] Similarly, a consumer report that is shared among affiliated companies after the consumer has been given a notice and has elected not to opt out of that sharing, and therefore is no longer a “consumer report” under the FCRA,[13] would still be “consumer information.” Accordingly, an affiliate that receives “consumer information” under these circumstances must properly dispose of the information.

[12] An affiliate subject to the jurisdiction of the OCC, Board, FDIC, or OTS must properly dispose of consumer information that it possesses or maintains in accordance with the agency’s rule. An affiliate subject to the jurisdiction of the FTC or the SEC must properly dispose of consumer information that it possesses or maintains in accordance with the FTC’s or SEC’s final rules, as applicable, which are consistent and comparable to this final rule. Savings associations and savings association subsidiaries that are not functionally regulated are subject to the OTS’s Guidelines.

[13] 15 U.S.C. 1681a(d)(2)(A)(iii).

A few commenters suggested that the Agencies modify this provision to limit the obligation of a financial institution to properly dispose of consumer information only when the institution knows that the information has been derived from a consumer report. The Agencies believe that implementing such a limitation is unwarranted in light of the general duty established in section 216 of the Act which applies to “any person that maintains or otherwise possesses consumer information,” without regard to whether the person actually knows that it possesses such information.

The Agencies note that the proposed definition of “consumer information” includes the qualification “for a business purpose,” as set forth in section 216 of the Act. The Agencies believe that the phrase “for a business purpose” encompasses any commercial purpose for which a financial institution might maintain or possess “consumer information.” Commenters did not raise concerns about this interpretation.

Some commenters urged the Agencies to define the term “disposal” to clarify whether the sale, donation, or transfer of any medium containing “consumer information” is covered by the requirements imposed under the Guidelines. A few other commenters, however, disagreed with this suggestion and supported the Agencies’ proposal, which was silent with respect to this particular term. The Agencies believe that there is no need to adopt a definition of the term “disposal” because, in the context of the duty imposed under section 216 of the FACT Act, the ordinary meaning of that term applies. The Agencies note that any sale, lease, or other transfer of any medium containing “consumer information” constitutes disposal of the information insofar as the information itself is not the subject of the sale, lease, or other transfer between the parties.
By contrast, the sale, lease, or other transfer of consumer information from a financial institution to another party (which may be subject to limitations imposed under other laws) can be distinguished from the act of throwing out or getting rid of consumer information, and accordingly, does not constitute “disposal” that is subject to the Agencies’ rule.

New Objective for an Information Security Program

The Agencies proposed to add a new objective regarding the proper disposal of consumer information in paragraph II.B. of the Guidelines. A few commenters expressed objections to this aspect of the proposal, mainly insofar as this provision relates to service providers. Under the final rule, a financial institution must design its information security program to satisfy the general objective to “[e]nsure the proper disposal of customer information and consumer information.” The added reference to “customer information” more directly states an institution’s overall duties with respect to disposing of information. However, because proper disposal of customer information already is part of a financial institution’s obligation in designing and maintaining its information security program under the Guidelines, the inclusion of “customer information” in the objective does not impose a new requirement on an institution’s compliance with the Guidelines. The general objective to “[e]nsure the proper disposal of customer information and consumer information” replaces the proposed provision that would require an institution to develop controls “in a manner consistent with the disposal of customer information.” The Agencies believe that setting forth the obligation in this manner more directly states a financial institution’s obligation to develop and maintain risk-based measures to dispose of both types of information properly and is consistent with the Guidelines and the Act.
The Agencies continue to believe that imposing this additional objective in paragraph II.B is important because this disposal requirement applies to a financial institution’s “consumer information” maintained or otherwise in the possession of the institution’s service providers. The Guidelines require, in part, that a financial institution “[r]equire its service providers by contract to implement appropriate measures designed to meet the objectives of these Guidelines.”[14] By expressly incorporating a provision in paragraph II.B., each financial institution must contractually require its service providers to develop appropriate measures for the proper disposal of consumer information and, where warranted, to monitor its service providers to confirm that they have satisfied their contractual obligations.

[14] III.D.2. This requirement applies to service providers located domestically and abroad.

As several commenters observed, the particular contractual arrangements that an institution may negotiate with a service provider may take varied forms or use general terms. As a result, some institutions may have existing contracts that cover the proper disposal of customer information and consumer information. The Agencies continue to believe that the parties should be allowed substantial latitude in negotiating the contractual terms appropriate to their arrangement in any manner that satisfies the objectives of the Guidelines. Accordingly, the Agencies have not prescribed any particular standards that relate to this contract requirement.

The Agencies have made a technical amendment to the definition of “service provider” in paragraph I.C.2. to include a reference to “consumer information” in addition to “customer information.” Thus the amended definition of service provider is “any person or entity that maintains, processes, or otherwise is permitted access to customer information or consumer information through its provision of services directly to the bank.” Consistent with section 216 and the amendments to the Guidelines, a financial institution’s obligation with respect to a service provider that has access to consumer information is limited to ensuring that the service provider properly disposes of consumer information.

The Agencies also have amended paragraph III.G.2. to allow a financial institution a reasonable period of time, after the final regulations are issued, to amend its contracts with its service providers to incorporate the necessary requirements in connection with the proper disposal of consumer information. After reviewing the comments on this provision of the proposal, which uniformly advocated a longer period of time for modifying contracts with service providers if necessary, the Agencies have determined that financial institutions must modify any affected contracts not later than July 1, 2006.

New Provision To Implement Measures To Properly Dispose of Consumer Information

The Agencies have amended paragraph III.C. (Manage and Control Risk) of the Guidelines by adding a new provision to require a financial institution to develop, implement, and maintain, as part of its information security program, appropriate measures to properly dispose of customer information and consumer information. Like the provision described in the proposal, this new provision requires an institution to implement these measures “in accordance with each of the requirements in this paragraph III.” of the Guidelines. Paragraph III.
of the Guidelines presently requires a financial institution to undertake measures to design, implement, and maintain its information security program to protect customer information and customer information systems. Because “customer information systems” is defined to include any methods used to dispose of customer information, a financial institution presently must use risk-based measures to protect customer information in the course of disposing of it. Building on this provision in the Guidelines, the Agencies proposed a provision in paragraph III.C. that would require a financial institution to develop controls “in a manner consistent with the disposal of customer information.” Commenters generally supported this provision because a financial institution would be permitted to develop and implement risk-based protections, rather than adopt particular methods for disposing of consumer information that would comply with a prescriptive standard.

Under the final rule, an institution must adopt procedures and controls to properly dispose of “consumer information” and “customer information.” Instead of describing a financial institution’s obligation to dispose of “consumer information” in relation to the standard for “customer information” (which is currently set forth in discrete provisions of the Guidelines), the Agencies have determined that the obligation should be stated directly and generally. A provision that requires each financial institution to develop and maintain risk-based measures to properly dispose of customer information and consumer information more clearly states an institution’s responsibilities to properly dispose of both classes of information and is consistent with the Guidelines and the Act.
Under this provision of the final rule, a financial institution must broaden the scope of its risk assessment to include an assessment of the reasonably foreseeable internal and external threats associated with the methods it uses to dispose of “consumer information,” and adjust its risk assessment in light of the relevant changes relating to such threats. By expressly adding this new provision, the Agencies are requiring a financial institution to integrate into its information security program each of those risk-based measures in connection with the disposal of “consumer information,” as set forth in paragraph III. of the Guidelines.

Some commenters urged the Agencies to adopt a detailed standard for the destruction of information or criteria that define “proper” methods or levels of disposal, rather than a provision that tracks the general obligation imposed under section 216 of the FACT Act. Other commenters favored the approach set forth in the proposal and argued that the general duty to “properly dispose of consumer information” is appropriately suited to the varying circumstances that financial institutions confront. After reviewing the comments, the Agencies continue to believe that it is not necessary to propose a prescriptive rule describing proper methods of disposal. Nonetheless, consistent with interagency guidance previously issued through the Federal Financial Institutions Examination Council (FFIEC),15 the Agencies expect institutions to have appropriate disposal procedures for records maintained in paper-based or electronic form. The Agencies note that an institution’s information security program should ensure that paper records containing either customer or consumer information are rendered unreadable as indicated by the institution’s risk assessment, such as by shredding or any other means. Institutions also should recognize that computer-based records present unique disposal problems.
Residual data frequently remains on media after erasure. Since that data can be recovered, additional disposal techniques should be applied to sensitive electronic data.16

15 See FFIEC Information Technology Examination Handbook, Information Security Booklet, page 63 at: http://www.ffiec.gov/ffiecinfobase/booklets/information_security/information_security.pdf.

16 See id.

Proposed Amendments to the Agencies’ FCRA Regulations

As set forth in the proposal, the Agencies’ final rules create a cross-reference to the Guidelines in their respective regulations that implement the FCRA17 by adding a provision setting forth the duties of users of consumer reports regarding identity theft. Commenters generally agreed with the Agencies’ proposal to create the cross-reference. In particular, commenters supported the Agencies’ proposal to make explicit in the regulations the rule of construction in the statute stating that the requirement pertaining to proper disposal under the FCRA shall not be construed as requiring a person to maintain or destroy a record containing consumer information and does not alter any requirement imposed under other law to maintain or destroy such a record.

The new provision requires a financial institution to properly dispose of consumer information in accordance with the standards set forth in the Guidelines. This provision applies to an institution to the extent that the institution is covered by the scope of the Guidelines.18 The provision also incorporates a rule of construction that closely tracks the terms of section 628(b) of the FCRA, as added by section 216 of the FACT Act.19

17 12 CFR part 41 (OCC); 12 CFR part 222 (Board); 12 CFR part 334 (FDIC); and 12 CFR part 571 (OTS). Several of the Agencies proposed establishing new parts to house their respective regulations implementing the FCRA in a notice of proposed rulemaking titled “Fair Credit Reporting Medical Information Regulations.” See 69 FR 23380 (April 28, 2004). As these regulations are not yet final, the new parts are established in this final rule.

18 Bank holding companies will be subject to the FTC’s disposal rule (16 CFR part 682) and functionally regulated subsidiaries of financial institutions will be subject to the SEC’s disposal rule (17 CFR part 248) or the FTC’s disposal rule, as applicable.

19 The OTS is making additional conforming changes to its regulations at 12 CFR 568.1 and 568.5, as well.

IV. Regulatory Analysis

Paperwork Reduction Act

In accordance with the Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et seq.) and its implementing regulations at 5 CFR part 1320, including Appendix A.1, the Agencies have reviewed the final rules and determined that they contain no collections of information. The Board made this determination under authority delegated by the Office of Management and Budget.

Regulatory Flexibility Act

In accordance with the Regulatory Flexibility Act, each agency must publish a final regulatory flexibility analysis with its final rule, unless the agency certifies that the rule will not have a significant economic impact on a substantial number of small entities (5 U.S.C. 601–612). Each of the Agencies hereby certifies that its final rule does not have a significant economic impact on a substantial number of small entities.

The rules require a financial institution subject to the jurisdiction of the appropriate agency to implement appropriate controls designed to ensure the proper disposal of “consumer information.” A financial institution must develop and maintain these controls as part of implementing its existing information security program for “customer information,” as required under the Guidelines.20 Any modifications to a financial institution’s information security program needed to address the proper disposal of “consumer information” could be incorporated through the process the institution presently uses to adjust its program under paragraph III.E. of the Guidelines, particularly because of the similarities between customer information and consumer information and the measures commonly used to properly dispose of both types of information. To the extent that these rules impose new requirements for certain types of “consumer information,” developing appropriate measures to properly dispose of that information likely would require only a minor modification of an institution’s existing information security program. Because some “consumer information” will be “customer information” and because segregating particular records for special treatment may entail considerable costs, the Agencies believe that many banks and savings associations, including small institutions, already are likely to have implemented measures to properly dispose of both “customer” and “consumer” information. In addition, the Agencies, through the Federal Financial Institutions Examination Council (FFIEC), already have issued guidance regarding their expectations concerning the proper disposal of all of an institution’s paper and electronic records. See FFIEC Information Technology Examination Handbook, Information Security Booklet, December 2002, p. 63.21 Therefore, the rules do not require any significant changes for institutions that currently have procedures and systems designed to comply with this guidance.

20 In 2001, the Agencies issued final Guidelines requiring financial institutions to develop and maintain an information security program, including procedures to dispose of customer information, and each agency provided a final regulatory flexibility analysis at that time. See 66 FR 8625–32 (Feb. 1, 2001).
The Agencies anticipate that, in light of current practices relating to the disposal of information in accordance with the Guidelines and the guidance issued by the FFIEC, the final rules will not impose undue costs on financial institutions. Therefore, the Agencies believe that the controls that small financial institutions will develop and implement, if any, to comply with the rules likely pose a minimal economic impact on those entities.

21 See footnote 15, supra.

OCC and OTS Unfunded Mandates Reform Act of 1995 Determination

Under Section 202 of the Unfunded Mandates Reform Act of 1995, Pub. L. 104–4 (2 U.S.C. 1532) (Unfunded Mandates Act), the OCC and OTS must prepare budgetary impact statements before promulgating any rule likely to result in a federal mandate that may result in the expenditure by state, local, and tribal governments, in the aggregate, or by the private sector of $100 million or more in any one year. If a budgetary impact statement is required, under section 205 of the Unfunded Mandates Act, the OCC and OTS must identify and consider a reasonable number of regulatory alternatives before promulgating a rule. For the reasons outlined earlier, the OCC and OTS have determined that this proposal will not result in expenditures by state, local, and tribal governments, or by the private sector, of $100 million or more, in any one year. Accordingly, a budgetary impact statement is not required under section 202 of the Unfunded Mandates Reform Act of 1995 and this rulemaking requires no further analysis under the Unfunded Mandates Act.

OCC and OTS Executive Order 12866 Determination

The OCC and OTS each have determined that this rule is not a “significant regulatory action” under Executive Order 12866.

FDIC—Small Business Regulatory Enforcement Fairness Act

The Small Business Regulatory Enforcement Fairness Act of 1996 (SBREFA) (Pub. L. 104–121, 110 Stat. 857) provides generally for agencies to report rules to Congress and for Congress to review these rules. The reporting requirement is triggered in instances where the FDIC issues a final rule as defined by the Administrative Procedure Act (APA) (5 U.S.C. 551, et seq.). Because the FDIC is issuing a final rule as defined by the APA, the FDIC will file the reports required by SBREFA.

List of Subjects

12 CFR Part 30
Banks, Banking, Consumer protection, National banks, Privacy, Reporting and recordkeeping requirements.

12 CFR Part 41
Banks, Banking, Consumer protection, National Banks, Reporting and recordkeeping requirements.

12 CFR Part 208
Banks, Banking, Consumer protection, Information, Privacy, Reporting and recordkeeping requirements.

12 CFR Part 211
Exports, Foreign banking, Holding companies, Reporting and recordkeeping requirements.

12 CFR Part 222
Banks, Banking, Holding companies, State member banks.

12 CFR Part 225
Banks, Banking, Holding companies, Reporting and recordkeeping requirements.

12 CFR Part 334
Administrative practice and procedure, Bank deposit insurance, Banks, Banking, Reporting and recordkeeping requirements, Safety and Soundness.

12 CFR Part 364
Administrative practice and procedure, Bank deposit insurance, Banks, Banking, Reporting and recordkeeping requirements, Safety and Soundness.

12 CFR Part 568
Consumer protection, Privacy, Reporting and recordkeeping requirements, Savings associations, Security measures.

12 CFR Part 570
Accounting, Administrative practice and procedure, Bank deposit insurance, Consumer protection, Holding companies, Privacy, Reporting and recordkeeping requirements, Safety and soundness, Savings associations.

12 CFR Part 571
Consumer protection, Credit, Fair Credit Reporting Act, Privacy, Reporting and recordkeeping requirements, Savings associations.
Department of the Treasury

Office of the Comptroller of the Currency

12 CFR CHAPTER I

Authority and Issuance

For the reasons discussed in the joint preamble, the Office of the Comptroller of the Currency amends chapter V of title 12 of the Code of Federal Regulations by amending 12 CFR part 30 and adding a new part 41 as follows:

PART 30—SAFETY AND SOUNDNESS STANDARDS

■ 1. The authority citation for part 30 is revised to read as follows:

Authority: 12 U.S.C. 93a, 1818, 1831–p and 3102(b); 15 U.S.C. 1681s, 1681w, 6801, and 6805(b)(1).

■ 2. Appendix B to part 30 is amended by:
■ a. Revising the heading for Appendix B to part 30 entitled “Interagency Guidelines Establishing Standards for Safeguarding Customer Information” to read “Interagency Guidelines Establishing Information Security Standards” wherever it appears in Title 12, Chapter 2, part 30;
■ b. Revising paragraph I. Introduction;
■ c. Revising paragraph I.A. by adding a new sentence at the end of the paragraph;
■ d. Redesignating paragraphs I.C.2.b. through e. as paragraphs I.C.2.d. through g., respectively;
■ e. Adding new paragraphs I.C.2.b. and c., and amending redesignated paragraph g.;
■ f. Revising the heading for paragraph II. entitled “Standards for Safeguarding Customer Information” to read “Standards for Information Security”;
■ g. Removing in paragraph II.B.2. the word “and” at the end of the sentence;
■ h. Removing in paragraph II.B.3. the period at the end of the sentence and replacing it with “; and;”
■ i. Adding a new paragraph II.B.4.;
■ j. Adding a new paragraph III.C.4.; and
■ k. Adding new paragraphs III.G.3. and 4. to read as follows:

Appendix B to Part 30—Interagency Guidelines Establishing Information Security Standards

* * * * *

I. Introduction

The Interagency Guidelines Establishing Information Security Standards (Guidelines) set forth standards pursuant to section 39 of the Federal Deposit Insurance Act (section 39, codified at 12 U.S.C. 1831p–1), and sections 501 and 505(b), codified at 15 U.S.C. 6801 and 6805(b) of the Gramm-Leach-Bliley Act. These Guidelines address standards for developing and implementing administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information. These Guidelines also address standards with respect to the proper disposal of consumer information, pursuant to sections 621 and 628 of the Fair Credit Reporting Act (15 U.S.C. 1681s and 1681w).

A. Scope. * * * The Guidelines also apply to the proper disposal of consumer information by or on behalf of such entities.

* * * * *

C. Definitions. * * *

2. * * *

b. Consumer information means any record about an individual, whether in paper, electronic, or other form, that is a consumer report or is derived from a consumer report and that is maintained or otherwise possessed by or on behalf of the bank for a business purpose. Consumer information also means a compilation of such records. The term does not include any record that does not identify an individual.

i. Examples. (1) Consumer information includes:
(A) A consumer report that a bank obtains;
(B) Information from a consumer report that the bank obtains from its affiliate after the consumer has been given a notice and has elected not to opt out of that sharing;
(C) Information from a consumer report that the bank obtains about an individual who applies for but does not receive a loan, including any loan sought by an individual for a business purpose;
(D) Information from a consumer report that the bank obtains about an individual who guarantees a loan (including a loan to a business entity); or
(E) Information from a consumer report that the bank obtains about an employee or prospective employee.

(2) Consumer information does not include:
(A) Aggregate information, such as the mean credit score, derived from a group of consumer reports; or
(B) Blind data, such as payment history on accounts that are not personally identifiable, that may be used for developing credit scoring models or for other purposes.

c. Consumer report has the same meaning as set forth in the Fair Credit Reporting Act, 15 U.S.C. 1681a(d).

* * * * *

g. Service provider means any person or entity that maintains, processes, or otherwise is permitted access to customer information or consumer information through its provision of services directly to the bank.

* * * * *

II. * * *

B. * * *

4. Ensure the proper disposal of customer information and consumer information.

III. * * *

C. * * *

4. Develop, implement, and maintain, as part of its information security program, appropriate measures to properly dispose of customer information and consumer information in accordance with each of the requirements of this paragraph III.

* * * * *

G. Implement the Standards. * * *

3. Effective date for measures relating to the disposal of consumer information. Each bank must satisfy these Guidelines with respect to the proper disposal of consumer information by July 1, 2005.

4. Exception for existing agreements with service providers relating to the disposal of consumer information. Notwithstanding the requirement in paragraph III.G.3., a bank’s contracts with its service providers that have access to consumer information and that may dispose of consumer information, entered into before July 1, 2005, must comply with the provisions of the Guidelines relating to the proper disposal of consumer information by July 1, 2006.

■ 3. Add part 41 to read as follows:

PART 41—FAIR CREDIT REPORTING

Subpart A—General Provisions

Sec.
41.1 Purpose.
41.2 [Reserved]
41.3 Definitions.

Subparts B–H—[Reserved]

Subpart I—Duties of Users of Consumer Reports Regarding Identity Theft

§ 41.80–82 [Reserved]
§ 41.83 Disposal of consumer information

Authority: 12 U.S.C. 1 et seq., 24 (Seventh), 93a, 481, 484, and 1818; 15 U.S.C. 1681s, 1681w, 6801 and 6805.

Subpart A—General Provisions

§ 41.1 Purpose.

(a) Purpose. The purpose of this part is to establish standards for national banks regarding consumer report information. In addition, the purpose of this part is to specify the extent to which national banks may obtain, use, or share certain information. This part also contains a number of measures national banks must take to combat consumer fraud and related crimes, including identity theft.

(b) [Reserved]

§ 41.2 [Reserved]

§ 41.3 Definitions.

As used in this part, unless the context requires otherwise:

(a)–(d) [Reserved]

(e) Consumer means an individual.

(f)–(n) [Reserved]

Subparts B–H—[Reserved]

Subpart I—Duties of Users of Consumer Reports Regarding Identity Theft

§ 41.80–82 [Reserved]

§ 41.83 Disposal of consumer information.

(a) Definitions as used in this section. (1) Bank means national banks, Federal branches and agencies of foreign banks, and their respective operating subsidiaries.

(b) In general. Each bank must properly dispose of any consumer information that it maintains or otherwise possesses in accordance with the Interagency Guidelines Establishing Information Security Standards, as set forth in appendix B to 12 CFR part 30, to the extent that the bank is covered by the scope of the Guidelines.

(c) Rule of construction. Nothing in this section shall be construed to:
(1) Require a bank to maintain or destroy any record pertaining to a consumer that is not imposed under any other law; or
(2) Alter or affect any requirement imposed under any other provision of law to maintain or destroy such a record.

Dated: December 16, 2004.

Julie L. Williams,
Acting Comptroller of the Currency.

Federal Reserve System

12 CFR Chapter II

Authority and Issuance

■ For the reasons set forth in the joint preamble, parts 208, 211, 222, and 225 of chapter II of title 12 of the Code of Federal regulations are amended as follows:

PART 208—MEMBERSHIP OF STATE BANKING INSTITUTIONS IN THE FEDERAL RESERVE SYSTEM (REGULATION H)

■ 1. The authority citation for 12 CFR part 208 is revised to read as follows:

Authority: 12 U.S.C. 24, 36, 92a, 93a, 248(a), 248(c), 321–338a, 371d, 461, 481–486, 601, 611, 1814, 1816, 1820(d)(9), 1823(j), 1828(o), 1831, 1831o, 1831p–1, 1831r–1, 1831w, 1831x, 1835a, 1882, 2901–2907, 3105, 3310, 3331–3351, and 3906–3909; 15 U.S.C. 78b, 78l(b), 78l(g), 78l(i), 78o–4(c)(5), 78q, 78q–1, 78w, 1681s, 1681w, 6801 and 6805; 31 U.S.C. 5318; 42 U.S.C. 4012a, 4104a, 4104b, 4106, and 4128.

■ 2. In § 208.3 revise paragraph (d)(1) to read as follows:

§ 208.3 Application and conditions for membership in the Federal Reserve System.

* * * * *

(d) Conditions of membership. (1) Safety and soundness. Each member bank shall at all times conduct its business and exercise its powers with due regard to safety and soundness. Each member bank shall comply with the Interagency Guidelines Establishing Standards for Safety and Soundness prescribed pursuant to section 39 of the FDI Act (12 U.S.C. 1831p–1), set forth in appendix D–1 to this part, and the Interagency Guidelines Establishing Information Security Standards prescribed pursuant to sections 501 and 505 of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 and 6805) and section 216 of the Fair and Accurate Credit Transactions Act of 2003 (15 U.S.C. 1681w), set forth in appendix D–2 to this part.

* * * * *

■ 3. Amend Appendix D–2 to part 208, as follows:
■ a. The heading for Appendix D–2 to Part 208 entitled “Interagency Guidelines Establishing Standards for Safeguarding Customer Information” is revised to read “Interagency Guidelines Establishing Information Security Standards” wherever it appears in Title 12, chapter 2, part 208;
■ b. In section I., Introduction, a new sentence is added at the end of the introductory paragraph.
■ c. In section I.A., Scope, a new sentence is added at the end of the paragraph.
■ d. In section I.C.2., paragraphs b. through f. are redesignated as paragraphs 2.d. through 2.h., respectively, new paragraphs 2.b. and 2.c. are added and redesignated paragraph g. is amended.
■ e. In paragraph II. the heading entitled “Standards for Safeguarding Customer Information” is revised to read “Standards for Information Security”.
■ f. At the end of paragraph II.B.2. the word “and” is removed.
■ g. At the end of paragraph II.B.3 the period is removed and replaced with “; and”.
■ h. In section II.B. a new paragraph 4. is added.
■ i. In section III.C., Manage and Control Risk, a new paragraph 4. is added.
■ j. In section III.G., Implement the Standards, new paragraphs 3. and 4. are added.

Appendix D–2 to Part 208—Interagency Guidelines Establishing Information Security Standards

* * * * *

I. * * * These Guidelines also address standards with respect to the proper disposal of consumer information, pursuant to sections 621 and 628 of the Fair Credit Reporting Act (15 U.S.C. 1681s and 1681w).

A. Scope. * * * These Guidelines also apply to the proper disposal of consumer information by or on behalf of such entities.

* * * * *

C. * * *

2. * * *

b. Consumer information means any record about an individual, whether in paper, electronic, or other form, that is a consumer report or is derived from a consumer report and that is maintained or otherwise possessed by or on behalf of the bank for a business purpose. Consumer information also means a compilation of such records. The term does not include any record that does not identify an individual.

i. Examples.
(1) Consumer information includes:
(A) A consumer report that a bank obtains;
(B) Information from a consumer report that the bank obtains from its affiliate after the consumer has been given a notice and has elected not to opt out of that sharing;
(C) Information from a consumer report that the bank obtains about an individual who applies for but does not receive a loan, including any loan sought by an individual for a business purpose;
(D) Information from a consumer report that the bank obtains about an individual who guarantees a loan (including a loan to a business entity); or
(E) Information from a consumer report that the bank obtains about an employee or prospective employee.

(2) Consumer information does not include:
(A) Aggregate information, such as the mean credit score, derived from a group of consumer reports; or
(B) Blind data, such as payment history on accounts that are not personally identifiable, that may be used for developing credit scoring models or for other purposes.

c. Consumer report has the same meaning as set forth in the Fair Credit Reporting Act, 15 U.S.C. 1681a(d).

* * * * *

g. Service provider means any person or entity that maintains, processes, or otherwise is permitted access to customer information or consumer information through its provision of services directly to the bank.

* * * * *

II. * * *

B. * * *

4. Ensure the proper disposal of customer information and consumer information.

* * * * *

III. * * *

C. * * *

4. Develop, implement, and maintain, as part of its information security program, appropriate measures to properly dispose of customer information and consumer information in accordance with each of the requirements in this paragraph III.

* * * * *

G. * * *

3. Effective date for measures relating to the disposal of consumer information.
Each bank must satisfy these Guidelines with respect to the proper disposal of consumer information by July 1, 2005.

4. Exception for existing agreements with service providers relating to the disposal of consumer information. Notwithstanding the requirement in paragraph III.G.3., a bank’s contracts with its service providers that have access to consumer information and that may dispose of consumer information, entered into before July 1, 2005, must comply with the provisions of the Guidelines relating to the proper disposal of consumer information by July 1, 2006.

PART 211—INTERNATIONAL BANKING OPERATIONS (REGULATION K)

■ 4. The authority citation for part 211 is revised to read as follows:

Authority: 12 U.S.C. 221 et seq., 1818, 1835a, 1841 et seq., 3101 et seq., and 3901 et seq.; 15 U.S.C. 1681s, 1681w, 6801 and 6805.

■ 5. In § 211.5, revise paragraph (l) to read as follows:

§ 211.5 Edge and agreement corporations.

* * * * *

(l) Protection of customer information and consumer information. An Edge or agreement corporation shall comply with the Interagency Guidelines Establishing Information Security Standards prescribed pursuant to sections 501 and 505 of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 and 6805) and, with respect to the proper disposal of consumer information, section 216 of the Fair and Accurate Credit Transactions Act of 2003 (15 U.S.C. 1681w), set forth in appendix D–2 to part 208 of this chapter.

* * * * *

■ 6. In § 211.24, revise paragraph (i) to read as follows:

§ 211.24 Approval of offices of foreign banks; procedures for applications; standards for approval; representative-office activities and standards for approval; preservation of existing authority.

* * * * *

(i) Protection of customer information and consumer information. An uninsured state-licensed branch or agency of a foreign bank shall comply with the Interagency Guidelines Establishing Information Security Standards prescribed pursuant to sections 501 and 505 of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 and 6805) and, with respect to the proper disposal of consumer information, section 216 of the Fair and Accurate Credit Transactions Act of 2003 (15 U.S.C. 1681w), set forth in appendix D–2 to part 208 of this chapter.

PART 222—FAIR CREDIT REPORTING (REGULATION V)

■ 7. The authority citation for part 222 is revised to read as follows:

Authority: 15 U.S.C. 1681, 1681b, 1681s, 1681s-2, and 1681w.

■ 8. In § 222.1(b)(2)(i) remove the phrase “paragraph (b)(2)” and add in its place the word “part”.

■ 9. Add a new subpart I to read as follows:

Subparts B–H—[Reserved]

Subpart I—Duties of Users of Consumer Reports Regarding Identity Theft

§ 222.80–82 [Reserved]

§ 222.83 Disposal of consumer information.

(a) Definitions as used in this section. (1) You means member banks of the Federal Reserve System (other than national banks) and their respective operating subsidiaries, branches and agencies of foreign banks (other than Federal branches, Federal agencies and insured State branches of foreign banks), commercial lending companies owned or controlled by foreign banks, and organizations operating under section 25 or 25A of the Federal Reserve Act (12 U.S.C. 601 et seq., 611 et seq.).

(b) In general. You must properly dispose of any consumer information that you maintain or otherwise possess in accordance with the Interagency Guidelines Establishing Information Security Standards, as required under sections 208.3(d) (Regulation H), 211.5(l) and 211.24(i) (Regulation K) of this chapter, to the extent that you are covered by the scope of the Guidelines.

(c) Rule of construction. Nothing in this section shall be construed to:
(1) Require you to maintain or destroy any record pertaining to a consumer that is not imposed under any other law; or
(2) Alter or affect any requirement imposed under any other provision of law to maintain or destroy such a record.

PART 225—BANK HOLDING COMPANIES AND CHANGE IN BANK CONTROL (REGULATION Y)

■ 10. In section 225.4, revise paragraph (h) to read as follows:

§ 225.4 Corporate practices.

* * * * *

(h) Protection of customer information and consumer information. A bank holding company shall comply with the Interagency Guidelines Establishing Information Security Standards, as set forth in appendix F of this part, prescribed pursuant to sections 501 and 505 of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 and 6805). A bank holding company shall properly dispose of consumer information in accordance with the rules set forth at 16 CFR part 682.

* * * * *

■ 11. Amend Appendix F to part 225, as follows:
■ a. The heading for Appendix F to Part 225 entitled “Interagency Guidelines Establishing Standards for Safeguarding Customer Information” is revised to read “Interagency Guidelines Establishing Information Security Standards” wherever it appears in Title 12, Chapter 2, Part 225.

By order of the Board of Governors of the Federal Reserve System, December 16, 2004.

Jennifer J. Johnson,
Secretary of the Board.

Federal Deposit Insurance Corporation

12 CFR Chapter III

Authority and Issuance

■ For the reasons set forth in the joint preamble, the Federal Deposit Insurance Corporation amends parts 334 and 364 of chapter III of title 12 of the Code of Federal Regulations to read as follows:

PART 334—FAIR CREDIT REPORTING

Subparts A–H—[Reserved]

■ 1. The authority citation for part 334 reads as follows:

Authority: 12 U.S.C. 1818 and 1819 (Tenth); 15 U.S.C. 1681b, 1681s, and 1681w.

■ 2. Add a new subpart I to read as follows:

Subpart I—Duties of Users of Consumer Reports Regarding Identity Theft

Sec.
334.80–334.82 [Reserved]
334.83 Disposal of consumer information.

Subpart I—Duties of Users of Consumer Reports Regarding Identity Theft

§ 334.80–334.82 [Reserved]

§ 334.83 Disposal of consumer information.

(a) In general. You must properly dispose of any consumer information that you maintain or otherwise possess in accordance with the Interagency Guidelines Establishing Information Security Standards, as set forth in appendix B to part 364 of this chapter, prescribed pursuant to section 216 of the Fair and Accurate Credit Transactions Act of 2003 (15 U.S.C. 1681w) and section 501(b) of the Gramm-Leach-Bliley Act (15 U.S.C. 6801(b)), to the extent the Guidelines are applicable to you.

(b) Rule of construction. Nothing in this section shall be construed to:
(1) Require you to maintain or destroy any record pertaining to a consumer that is not imposed under any other law; or
(2) Alter or affect any requirement imposed under any other provision of law to maintain or destroy such a record.

PART 364—STANDARDS FOR SAFETY AND SOUNDNESS

■ 3. The authority citation for part 364 is revised to read as follows:

Authority: 12 U.S.C. 1819(Tenth), 1831p–1; 15 U.S.C. 1681s, 1681w, 6801(b), 6805(b)(1).

■ 4. Revise § 364.101(b) to read as follows:

§ 364.101 Standards for safety and soundness.

* * * * *

(b) Interagency Guidelines Establishing Information Security Standards. The Interagency Guidelines Establishing Information Security Standards prescribed pursuant to section 39 of the Federal Deposit Insurance Act (12 U.S.C. 1831p–1), and sections 501 and 505(b) of the Gramm-Leach-Bliley Act (15 U.S.C. 6801, 6805(b)), and with respect to the proper disposal of consumer information requirements pursuant to section 628 of the Fair Credit Reporting Act (15 U.S.C. 1681w), as set forth in appendix B to this part, apply to all insured state nonmember banks, insured state licensed branches of foreign banks, and any subsidiaries of such entities (except brokers, dealers, persons providing insurance, investment companies, and investment advisers).

■ 5. In Appendix B to part 364:
■ a. The heading for Appendix B to part 364 entitled “Interagency Guidelines Establishing Standards for Safeguarding Customer Information” is revised to read “Interagency Guidelines Establishing Information Security Standards” wherever it appears in Title 12, Chapter 2, part 364.
■ b. In the Introduction, the first sentence is revised and a new sentence is added at the end of the introductory paragraph.
■ c. In section I.A., Scope, the first sentence is revised.
■ d. In section I.C.2., Definitions, paragraphs 2.b. through 2.e. are redesignated as paragraphs 2.d. through 2.g., respectively, new paragraphs 2.b. and 2.c. are added and redesignated paragraph g. is revised.
■ e. In paragraph II. the heading entitled “Standards for Safeguarding Customer Information” is revised to read “Standards for Information Security”.
■ f. At the end of paragraph II.B.2. the word “and” is removed.
■ g. At the end of paragraph II.B.3 the period is removed and replaced with “; and”.
■ h. In section II.B. a new paragraph 4. is added.
■ i. In section III.C., Manage and Control Risk, a new paragraph 4. is added.
■ j. In section III.G, Implement the Standards, new paragraphs 3. and 4. are added.

business purpose. Consumer information also means a compilation of such records. The term does not include any record that does not personally identify an individual. i.
Examples: (1) Consumer information includes: (A) A consumer report that a bank obtains; (B) information from a consumer report that the bank obtains from its affiliate after the consumer has been given a notice and has elected not to opt out of that sharing; (C) information from a consumer report that the bank obtains about an individual who applies for but does not receive a loan, including any loan sought by an individual for a business purpose; (D) information from a consumer report that the bank obtains about an individual who guarantees a loan (including a loan to a business entity); or (E) information from a consumer report that the bank obtains about an employee or prospective employee. (2) Consumer information does not include: (A) aggregate information, such as the mean score, derived from a group of consumer reports; or (B) blind data, such as payment history on accounts that are not personally identifiable, that may be used for developing credit scoring models or for other purposes. c. Consumer report has the same meaning as set forth in the Fair Credit Reporting Act, 15 U.S.C. 1681a(d). Appendix B to Part 364—Interagency Guidelines Establishing Information Security Standards * ■ ■ * * * * * I. Introduction The Interagency Guidelines Establishing Information Security Standards (Guidelines) set forth standards pursuant to section 39 of the Federal Deposit Insurance Act, 12 U.S.C. 1831p–1, and sections 501 and 505(b), 15 U.S.C. 6801 and 6805(b), of the GrammLeach-Bliley Act. * * * These Guidelines also address standards with respect to the proper disposal of consumer information pursuant to sections 621 and 628 of the Fair Credit Reporting Act (15 U.S.C. 1681s and 1681w). A. Scope. The Guidelines apply to customer information maintained by or on behalf of, and to the disposal of consumer information by or on behalf of, entities over which the Federal Deposit Insurance Corporation (FDIC) has authority. * * * * * * * * I. * * * C. * * * 2. * * * b. 
Consumer information means any record about an individual, whether in paper, electronic, or other form, that is a consumer report or is derived from a consumer report and that is maintained or otherwise possessed by or on behalf of the bank for a PO 00000 Frm 00011 Fmt 4700 Sfmt 4700 * * * * * g. Service provider means any person or entity that maintains, processes, or otherwise is permitted access to customer information or consumer information through its provision of services directly to the bank. * * * * II. * * * B. Objectives. * * * 4. Ensure the proper disposal of customer information and consumer information. III. * * * C. * * * 4. Develop, implement, and maintain, as part of its information security program, appropriate measures to properly dispose of customer information and consumer information in accordance with each of the requirements of this paragraph III. III. * * * G. * * * 3. Effective date for measures relating to the disposal of consumer information. Each bank must satisfy these Guidelines with respect to the proper disposal of consumer information by July 1, 2005. 4. Exception for existing agreements with service providers relating to the disposal of consumer information. Notwithstanding the requirement in paragraph III.G.3., a bank’s contracts with its service providers that have access to consumer information and that may dispose of consumer information, entered into before July 1, 2005, must comply with the provisions of the Guidelines relating to the proper disposal of consumer information by July 1, 2006. By order of the Board of Directors. Dated at Washington, DC this 7th day of December, 2004. E:\FR\FM\28DER1.SGM 28DER1 77620 Federal Register / Vol. 69, No. 248 / Tuesday, December 28, 2004 / Rules and Regulations Federal Deposit Insurance Corporation. Robert E. Feldman, Executive Secretary. 8. 
Amend § 570.1(c) by removing the phrase ‘‘Interagency Guidelines Establishing Standards for Safeguarding Customer Information, and adding the Office of Thrift Supervision phrase ‘‘Interagency Guidelines 12 CFR Chapter V Establishing Information Security Standards’’ in its place. Authority and Issuance ■ 9. Amend § 570.2(a) by removing the ■ For the reasons set forth in the joint phrase ‘‘Interagency Guidelines preamble, the Office of Thrift Establishing Standards for Safeguarding Supervision amends chapter V of title 12 Customer Information’’ and adding the of the Code of Federal Regulations by phrase ‘‘Interagency Guidelines amending parts 568 and 570 and adding Establishing Information Security a new part 571 as follows: Standards’’ in its place. ■ 10. Amend Appendix B to part 570 by: PART 568—SECURITY PROCEDURES ■ a. Revising the heading; ■ b. Revising the introductory paragraph ■ 1. The authority citation for part 568 is of section I. Introduction; revised to read as follows: ■ c. Adding a new sentence to the end Authority: 12 U.S.C. 1462a, 1463, 1464, of paragraph I.A. Scope; 1467a, 1828, 1831p–1, 1881–1884; 15 U.S.C. ■ d. Redesignating paragraphs 2.a. 1681s and 1681w; 15 U.S.C. 6801 and through 2.d. of paragraph I.C.2. 6805(b)(1). Definitions as paragraphs 2.c. through ■ 2. Revise the part heading for part 568 2.f., respectively, adding new paragraphs to read as shown above. 2.a. and 2.b., and amending redesignated ■ 3. Revise the first sentence of § 568.1(a) paragraph f.; to read as follows: ■ e. Revising the heading for section II.; ■ f. Removing the word ‘‘and’’ at the end § 568.1 Authority, purpose, and scope. (a) This part is issued by the Office of of paragraph II.B.2.; ■ g. Removing the period at the end of Thrift Supervision (OTS) under section 3 of the Bank Protection Act of 1968 (12 paragraph II.B.3 and replacing it with ‘‘; and’’; U.S.C 1882), sections 501 and 505(b)(1) ■ h. Adding a new paragraph II.B.4.; of the Gramm-Leach-Bliley Act (15 ■ i. 
Adding a new paragraph 4. to U.S.C. 6801 and 6805(b)(1)), and paragraph III.C. Manage and Control sections 621 and 628 of the Fair Credit Risk; and Reporting Act (15 U.S.C. 1681s and ■ j. Adding new paragraphs 3. and 4. to 1681w). * * * paragraph III.G. Implement the * * * * * Standards. ■ 4. Revise § 568.5 to read as follows: Appendix B to Part 570—Interagency § 568.5 Protection of customer Guidelines Establishing Information information. Security Standards Savings associations and their * * * * * subsidiaries (except brokers, dealers, I. Introduction persons providing insurance, The Interagency Guidelines Establishing investment companies, and investment Information Security Standards (Guidelines) advisers) must comply with the set forth standards pursuant to section 39(a) Interagency Guidelines Establishing of the Federal Deposit Insurance Act (12 Information Security Standards set forth U.S.C. 1831p–1), and sections 501 and 505(b) in appendix B to part 570 of this of the Gramm-Leach-Bliley Act (15 U.S.C. chapter. 6801 and 6805(b)). These Guidelines address ■ PART 570—SAFETY AND SOUNDNESS GUIDELINES AND COMPLIANCE PROCEDURES 6. The authority citation for part 570 is revised to read as follows: ■ Authority: 12 U.S.C. 1462a, 1463, 1464, 1467a, 1828, 1831p–1, 1881–1884; 15 U.S.C. 1681s and 1681w; 15 U.S.C. 6801 and 6805(b)(1). 7. Amend § 570.1(b) by removing the phrase ‘‘Interagency Guidelines Establishing Standards for Safeguarding Customer Information’’ and adding the phrase ‘‘Interagency Guidelines Establishing Information Security Standards’’ in its place. ■ VerDate jul<14>2003 17:38 Dec 27, 2004 Jkt 205001 standards for developing and implementing administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information. These Guidelines also address standards with respect to the proper disposal of consumer information, pursuant to sections 621 and 628 of the Fair Credit Reporting Act (15 U.S.C. 
1681s and 1681w). A. Scope. * * * These Guidelines also apply to the proper disposal of consumer information by or on behalf of such entities. * * * * * C. Definitions. * * * 2. * * * a. Consumer information means any record about an individual, whether in paper, electronic, or other form, that is a consumer report or is derived from a consumer report PO 00000 Frm 00012 Fmt 4700 Sfmt 4700 and that is maintained or otherwise possessed by you or on your behalf for a business purpose. Consumer information also means a compilation of such records. The term does not include any record that does not identify an individual. i. Examples. (1) Consumer information includes: (A) A consumer report that a savings association obtains; (B) Information from a consumer report that you obtain from your affiliate after the consumer has been given a notice and has elected not to opt out of that sharing; (C) Information from a consumer report that you obtain about an individual who applies for but does not receive a loan, including any loan sought by an individual for a business purpose; (D) Information from a consumer report that you obtain about an individual who guarantees a loan (including a loan to a business entity); or (E) Information from a consumer report that you obtain about an employee or prospective employee. (2) Consumer information does not include: (A) Aggregate information, such as the mean credit score, derived from a group of consumer reports; or (B) Blind data, such as payment history on accounts that are not personally identifiable, that may be used for developing credit scoring models or for other purposes. b. Consumer report has the same meaning as set forth in the Fair Credit Reporting Act, 15 U.S.C. 1681a(d). * * * * * f. Service provider means any person or entity that maintains, processes, or otherwise is permitted access to customer information or consumer information, through its provision of services directly to you. II. 
Standards for Information Security * * * B. Objectives. * * * 4. Ensure the proper disposal of customer information and consumer information. III. * * * C. Manage and Control Risk. * * * 4. Develop, implement, and maintain, as part of your information security program, appropriate measures to properly dispose of customer information and consumer information in accordance with each of the requirements in this paragraph III. * * * * * G. Implement the Standards. * * * 3. Effective date for measures relating to the disposal of consumer information. You must satisfy these Guidelines with respect to the proper disposal of consumer information by July 1, 2005. 4. Exception for existing agreements with service providers relating to the disposal of consumer information. Notwithstanding the requirement in paragraph III.G.3., your contracts with service providers that have access to consumer information and that may dispose of consumer information, entered into before July 1, 2005, must comply with the provisions of the Guidelines relating to the proper disposal of consumer information by July 1, 2006. E:\FR\FM\28DER1.SGM 28DER1 Federal Register / Vol. 69, No. 248 / Tuesday, December 28, 2004 / Rules and Regulations ■ 11. Add a new part 571 to read as follows: Subparts B–H [Reserved] PART 571—FAIR CREDIT REPORTING Subpart I—Duties of Users of Consumer Reports Regarding Identity Theft Subpart A—General Provisions Sec. 571.1 571.2 571.3 § 571.80–82 Purpose and scope. [Reserved] Definitions. Subparts B–H [Reserved] Subpart I—Duties of Users of Consumer Reports Regarding Identity Theft 571.80–82 [Reserved] § 571.83 Disposal of consumer information. Authority: 12 U.S.C. 1462a, 1463, 1464, 1467a, 1828, 1831p–1, 1881–1884; 15 U.S.C. 1681s and 1681w; 15 U.S.C. 6801 and 6805(b)(1). Subpart A—General Provisions § 571.1 Purpose and scope. (a) Purpose. The purpose of this part is to establish standards regarding consumer report information. 
In addition, the purpose of this part is to specify the extent to which you may obtain, use, or share certain information. This part also contains a number of measures you must take to combat consumer fraud and related crimes, including identity theft. (b) Scope. (1) [Reserved] (2) Institutions covered. (i) Except as otherwise provided in this paragraph (b)(2), this part applies to savings associations whose deposits are insured by the Federal Deposit Insurance Corporation (and federal savings association operating subsidiaries in accordance with § 559.3(h)(1) of this chapter). (ii) [Reserved] (iii) [Reserved] § 571.2 [Reserved] § 571.3 Definitions. As used in this part, unless the context requires otherwise: (a)–(d) [Reserved] (e) Consumer means an individual. (f)–(n) [Reserved] (o) You means savings associations whose deposits are insured by the Federal Deposit Insurance Corporation and federal savings association operating subsidiaries. [Reserved] § 571.83 Disposal of consumer information. (a) In general. You must properly dispose of any consumer information that you maintain or otherwise possess in accordance with the Interagency Guidelines Establishing Information Security Standards, as set forth in appendix B to part 570, to the extent that you are covered by the scope of the Guidelines. (b) Rule of construction. Nothing in this section shall be construed to: (1) Require you to maintain or destroy any record pertaining to a consumer that is not imposed under any other law; or (2) Alter or affect any requirement imposed under any other provision of law to maintain or destroy such a record. By the Office of Thrift Supervision, Dated: November 30, 2004. James E. Gilleran, Director. [FR Doc. 04–27962 Filed 12–27–04; 8:45 am] BILLING CODE 4819–13–P;6210–10–P;6714–01–P;6720– 01–P 77621