[Federal Register: February 1, 2001 (Volume 66, Number 22)]
[Rules and Regulations]
[Page 8615-8641]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr01fe01-9]
 
[[Page 8615]]
 
-----------------------------------------------------------------------
 
Part II
 
Department of the Treasury
 
-----------------------------------------------------------------------
 
Office of the Comptroller of the Currency
 
Office of Thrift Supervision
 
-----------------------------------------------------------------------
 
Federal Reserve System
 
Federal Deposit Insurance Corporation
 
-----------------------------------------------------------------------
 
12 CFR Part 30, et al.
 
Interagency Guidelines Establishing Standards for Safeguarding Customer
Information and Rescission of Year 2000 Standards for Safety and
Soundness; Final Rule
 
[[Page 8616]]
 
-----------------------------------------------------------------------
 
DEPARTMENT OF THE TREASURY
 
Office of the Comptroller of the Currency
 
12 CFR Part 30
 
[Docket No. 00-35]
RIN 1557-AB84
 
FEDERAL RESERVE SYSTEM
 
12 CFR Parts 208, 211, 225, and 263
 
[Docket No. R-1073]
 
FEDERAL DEPOSIT INSURANCE CORPORATION
 
12 CFR Parts 308 and 364
 
RIN 3064-AC39
 
DEPARTMENT OF THE TREASURY
 
Office of Thrift Supervision
 
12 CFR Parts 568 and 570
 
[Docket No. 2000-112]
RIN 1550-AB36
 
 
Interagency Guidelines Establishing Standards for Safeguarding
Customer Information and Rescission of Year 2000 Standards for Safety
and Soundness
 
AGENCIES: The Office of the Comptroller of the Currency (OCC),
Treasury; Board of Governors of the Federal Reserve System (Board);
Federal Deposit Insurance Corporation (FDIC); and Office of Thrift
Supervision (OTS), Treasury.
 
ACTION: Joint final rule.
 
-----------------------------------------------------------------------
 
SUMMARY: The Office of the Comptroller of the Currency, Board of
Governors of the Federal Reserve System, Federal Deposit Insurance
Corporation, and Office of Thrift Supervision (collectively, the
Agencies) are publishing final Guidelines establishing standards for
safeguarding customer information that implement sections 501 and
505(b) of the Gramm-Leach-Bliley Act (the G-L-B Act or Act).
    Section 501 of the G-L-B Act requires the Agencies to establish
appropriate standards for the financial institutions subject to their
respective jurisdictions relating to administrative, technical, and
physical safeguards for customer records and information. As described
in the Act, these safeguards are to: insure the security and
confidentiality of customer records and information; protect against
any anticipated threats or hazards to the security or integrity of such
records; and protect against unauthorized access to or use of such
records or information that could result in substantial harm or
inconvenience to any customer. The Agencies are to implement these
standards in the same manner, to the extent practicable, as standards
prescribed pursuant to section 39(a) of the Federal Deposit Insurance
Act (FDI Act). These final Guidelines implement the requirements
described above.
    The Agencies previously issued guidelines establishing Year 2000
safety and soundness standards for insured depository institutions
pursuant to section 39 of the FDI Act. Since the events for which these
guidelines were issued have passed, the Agencies have concluded that
the guidelines are no longer necessary and are rescinding these
guidelines.
 
Effective Date: The joint final rule is effective July 1, 2001.
    Applicability date: The Year 2000 Standards for Safety and
Soundness are no longer applicable as of March 5, 2001.
 
FOR FURTHER INFORMATION CONTACT:
 
OCC
 
    John Carlson, Deputy Director for Bank Technology, (202) 874-5013;
or Deborah Katz, Senior Attorney, Legislative and Regulatory Activities
Division, (202) 874-5090.
 
Board
 
    Heidi Richards, Assistant Director, Division of Banking Supervision
and Regulation, (202) 452-2598; Stephanie Martin, Managing Senior
Counsel, Legal Division, (202) 452-3198; or Thomas E. Scanlon, Senior
Attorney, Legal Division, (202) 452-3594. For the hearing impaired
only, contact Janice Simms, Telecommunication Device for the Deaf (TDD)
(202) 452-3544, Board of Governors of the Federal Reserve System, 20th
and C Streets, NW, Washington, DC 20551.
 
FDIC
 
    Thomas J. Tuzinski, Review Examiner, Division of Supervision, (202)
898-6748; Jeffrey M. Kopchik, Senior Policy Analyst, Division of
Supervision, (202) 898-3872; or Robert A. Patrick, Counsel, Legal
Division, (202) 898-3757.
 
OTS
 
    Jennifer Dickerson, Manager, Information Technology, Examination
Policy, (202) 906-5631; or Christine Harrington, Counsel, Banking and
Finance, Regulations and Legislation Division, (202) 906-7957.
 
SUPPLEMENTARY INFORMATION: The contents of this preamble are listed in
the following outline:
 
I. Background
II. Overview of Comments Received
III. Section-by-Section Analysis
IV. Regulatory Analysis
    A. Paperwork Reduction Act
    B. Regulatory Flexibility Act
    C. Executive Order 12866
    D. Unfunded Mandates Act of 1995
 
I. Background
 
    On November 12, 1999, President Clinton signed the G-L-B Act (Pub.
L. 106-102) into law. Section 501, titled ``Protection of Nonpublic
Personal Information'', requires the Agencies, the National Credit
Union Administration, the Securities and Exchange Commission, and the
Federal Trade Commission to establish appropriate standards for the
financial institutions subject to their respective jurisdictions
relating to the administrative, technical, and physical safeguards for
customer records and information. As stated in section 501, these
safeguards are to: (1) Insure the security and confidentiality of
customer records and information; (2) protect against any anticipated
threats or hazards to the security or integrity of such records; and
(3) protect against unauthorized access to or use of such records or
information that would result in substantial harm or inconvenience to
any customer.
    Section 505(b) of the G-L-B Act provides that these standards are
to be implemented by the Agencies in the same manner, to the extent
practicable, as standards prescribed pursuant to section 39(a) of the
FDI Act.\1\ Section 39(a) of the FDI Act authorizes the Agencies to
establish operational and managerial standards for insured depository
institutions relative to, among other things, internal controls,
information systems, and internal audit systems, as well as such other
operational and managerial standards as the Agencies determine to be
appropriate.\2\
---------------------------------------------------------------------------
 
    \1\ Section 39 applies only to insured depository institutions,
including insured branches of foreign banks. The Guidelines,
however, will also apply to certain uninsured institutions, such as
bank holding companies, certain nonbank subsidiaries of bank holding
companies and insured depository institutions, and uninsured
branches and agencies of foreign banks. See sections 501 and 505(b)
of the G-L-B Act.
    \2\ OTS has placed its information security guidelines in
appendix B to 12 CFR part 570, with the provisions implementing
section 39 of the FDI Act. At the same time, OTS has adopted a
regulatory requirement that the institutions OTS regulates comply
with the proposed Guidelines. Because information security
guidelines are similar to physical security procedures, OTS has
included a provision in 12 CFR part 568, which covers primarily
physical security procedures, requiring compliance with the
Guidelines in appendix B to part 570.
 
---------------------------------------------------------------------------
 
[[Page 8617]]
 
II. Overview of Comments Received
 
    On June 26, 2000, the Agencies published for comment the proposed
Interagency Guidelines Establishing Standards for Safeguarding Customer
Information and Rescission of Year 2000 Standards for Safety and
Soundness in the Federal Register (65 FR 39472). The public comment
period closed August 25, 2000. The Agencies collectively received a
total of 206 comments in response to the proposal, although many
commenters sent copies of the same letter to each of the Agencies.
Those combined comments included 49 from banks, 7 from savings
associations, 60 from financial institution holding companies, 50 from
financial institution trade associations, 33 from other business
entities, and four from state regulators. The Federal Reserve also
received comments from three Federal Reserve Banks.
    The Agencies invited comment on all aspects of the proposed
Guidelines, including whether the rules should be issued as guidelines
or as regulations. Commenters overwhelmingly supported the adoption of
guidelines, with many commenters offering suggestions for ways to
improve the proposed Guidelines as discussed below. Many commenters
cited the benefits of flexibility and the drawbacks of prescriptive
requirements that could become rapidly outdated as a result of changes
in technology.
    The Agencies also requested comments on the impact of the proposal
on community banks, recognizing that community banks operate with more
limited resources than larger institutions and may present a different
risk profile. In general, community banks urged the Agencies to issue
guidelines that are not prescriptive, that do not require detailed
policies or reporting by banks that share little or no information
outside the bank, and that provide flexibility in the design of an
information security program. Some community banks indicated that the
Guidelines are unnecessary because they already have information
security programs in place. Others requested clarification of the
impact of the Guidelines on banks that do not share any information in
the absence of a customer's consent.
    In light of the comments received, the Agencies have decided to
adopt the Guidelines, with several changes as discussed below to
respond to the commenters' suggestions. The respective texts of the
Agencies' Guidelines are substantively identical. In directing the
Agencies to issue standards for the protection of customer records and
information, Congress provided that the standards apply to all
financial institutions, regardless of the extent to which they may
disclose information to affiliated or nonaffiliated third parties,
electronically transfer data with customers or third parties, or record
data electronically. Because the requirements of the Act apply to a
broad range of financial institutions, the Agencies believe that the
Guidelines must establish appropriate standards that allow each
institution the discretion to design an information security program
that suits its particular size and complexity and the nature and scope
of its activities. In many instances, financial institutions already
will have information security programs that are consistent with these
Guidelines, because key components of the Guidelines were derived from
security-related supervisory guidance previously issued by the Agencies
and the Federal Financial Institutions Examination Council (FFIEC). In
such situations, little or no modification to an institution's program
will be required.
    Below is a section-by-section analysis of the final Guidelines.
 
III. Section-by-Section Analysis
 
    The discussion that follows applies to each Agency's Guidelines.
 
I. Introduction
 
    Paragraph I. of the proposal set forth the general purpose of the
Guidelines, which is to provide guidance to each financial institution
in establishing and implementing administrative, technical, and
physical safeguards to protect the security, confidentiality, and
integrity of customer information. This paragraph also set forth the
statutory authority for the Guidelines, including section 39(a) of the
FDI Act (12 U.S.C. 1831p-1) and sections 501 and 505(b) of the G-L-B
Act (15 U.S.C. 6801 and 6805(b)). The Agencies received no comments on
this paragraph, and have adopted it as proposed.
 
I.A. Scope
 
    Paragraph I.A. of the proposal described the scope of the
Guidelines. Each Agency defined specifically those entities within its
particular scope of coverage in this paragraph of the Guidelines.
    The Agencies received no comments on the issue of which entities
are covered by the Guidelines, and have adopted paragraph I.A. as
proposed.
 
I.B. Preservation of Existing Authority
 
    Paragraph I.B. of the proposal made clear that in issuing these
Guidelines none of the Agencies is, in any way, limiting its authority
to address any unsafe or unsound practice, violation of law, unsafe or
unsound condition, or other practice, including any condition or
practice related to safeguarding customer information. As noted in the
preamble to the proposal, any action taken by any Agency under section
39(a) of the FDI Act and these Guidelines may be taken independently
of, in conjunction with, or in addition to any other enforcement action
available to the Agency. The Agencies received no comments on this
paragraph, and have adopted paragraph I.B. as proposed.
 
I.C.1. Definitions
 
    Paragraph I.C. set forth the definitions of various terms for
purposes of the Guidelines.\3\ It also stated that terms used in the
Guidelines have the same meanings as set forth in sections 3 and 39 of
the FDI Act (12 U.S.C. 1813 and 1831p-1).
---------------------------------------------------------------------------
 
    \3\ In addition to the definitions discussed below, the Board's
Guidelines in 12 CFR parts 208 and 225 contain a definition of
``subsidiary'', which described the state member bank and bank
holding company subsidiaries that are subject to the Guidelines.
---------------------------------------------------------------------------
 
    The Agencies received several comments on the proposed definitions,
and have made certain changes as discussed below. The Agencies also
have reordered proposed paragraph I.C. so that the statement concerning
the reliance on sections 3 and 39(a) of the FDI Act is now in paragraph
I.C.1., with the definitions appearing in paragraphs I.C.2.a.-e. The
defined terms have been placed in alphabetical order in the final
Guidelines.
 
I.C.2.a. Board of Directors
 
    The proposal defined ``board of directors'' to mean, in the case of
a branch or agency of a foreign bank, the managing official in charge
of the branch or agency.\4\ The Agencies received no comments on this
proposed definition, and have adopted it without change.
---------------------------------------------------------------------------
 
    \4\ The OTS version of the Guidelines does not include this
definition because OTS does not regulate foreign institutions.
Paragraph I of the OTS Guidelines has been renumbered accordingly.
---------------------------------------------------------------------------
 
I.C.2.b. Customer
 
    The proposal defined ``customer'' in the same way as that term is
defined in section __.3(h) of the Agencies' rule captioned ``Privacy of
Consumer Financial Information'' (Privacy Rule).\5\ The Agencies
proposed to use this definition in the Guidelines because
section 501(b) refers to safeguarding the security and confidentiality
of ``customer'' information. Given that Congress used the same term for
both the 501(b) standards and for the sections concerning financial
privacy, the Agencies have concluded that it is appropriate to use the
same definition in the Guidelines that was adopted in the Privacy Rule.
---------------------------------------------------------------------------
 
    \5\ See 65 FR 35162 (June 1, 2000). Citations to the interagency
Privacy Rule in this preamble are to sections only, leaving blank
the citations to the part numbers used by each agency.
---------------------------------------------------------------------------
 
    Under the Privacy Rule, a customer is a consumer who has
established a continuing relationship with an institution under which
the institution provides one or more financial products or services to
the consumer to be used primarily for personal, family or household
purposes. ``Customer'' does not include a business, nor does it include
a consumer who has not established an ongoing relationship with a
financial institution (e.g., an individual who merely uses an
institution's ATM or applies for a loan). See sections __.3(h) and (i)
of the Privacy Rule. The Agencies solicited comment on whether the
definition of ``customer'' should be broadened to provide a common
information security program for all types of records under the control
of a financial institution.
    The Agencies received many comments on this definition, almost all
of which agreed with the proposed definition. Although a few commenters
indicated they would apply the same security program to both business
and consumer records, the vast majority of commenters supported the use
of the same definition of ``customer'' in the Guidelines as is used in
the Privacy Rule. They observed that the use of the term ``customer''
in section 501 of the G-L-B Act, when read in the context of the
definitions of ``consumer'' and ``customer relationship'' in section
509, reflects the Congressional intent to distinguish between certain
kinds of consumers for the information security standards and the other
privacy provisions established under subtitle A of Title V.
    The Agencies have concluded that the definition of ``customer''
used in the Guidelines should be consistent with the definition
established in section __.3(h) of the Privacy Rule. The Agencies
believe, therefore, that the most reasonable interpretation of the
applicable provisions of subtitle A of Title V of the Act is that a
financial institution is obligated to protect the security and
confidentiality of the nonpublic personal information of its consumers
with whom it has a customer relationship. As a practical matter, a
financial institution may also design or implement its information
security program in a manner that encompasses the records and
information of its other consumers and its business clients.\6\
---------------------------------------------------------------------------
 
    \6\ The Agencies recognize that ``customer'' is defined more
broadly under Subtitle B of Title V of the Act, which, in general,
makes it unlawful for any person to obtain or attempt to obtain
customer information of a financial institution by making false,
fictitious, or fraudulent statements. For the purpose of that
subtitle, the term ``customer'' means ``any person (or authorized
representative of a person) to whom the financial institution
provides a product or service, including that of acting as a
fiduciary.'' (See section 527(1) of the Act.) In light of the
statutory mandate to ``prescribe such revisions to such regulations
and guidelines as may be necessary to ensure that such financial
institutions have policies, procedures, and controls in place to
prevent the unauthorized disclosure of customer financial
information'' (section 525), the Agencies considered modifying these
Guidelines to cover other customers, namely, business entities and
individuals who obtain financial products and services for purposes
other than personal, family, or household purposes. The Agencies
have concluded, however, that defining ``customer'' to accommodate
the range of objectives set forth in Title V of the Act is
unnecessary. Instead, the Agencies have included a new paragraph
III.C.1.a, described below, and plan to issue guidance and other
revisions to the applicable regulations, as may be necessary, to
satisfy the requirements of section 525 of the Act.
---------------------------------------------------------------------------
 
I.C.2.c. Customer Information
 
    The proposal defined ``customer information'' as any records
containing nonpublic personal information, as defined in section __.3(n)
of the Privacy Rule, about a customer. This included records, data,
files, or other information in paper, electronic, or other form that
are maintained by any service provider on behalf of an institution.
Although section 501(b) of the G-L-B Act refers to the protection of
both customer ``records'' and ``information'', for the sake of
simplicity, the proposed Guidelines used the term ``customer
information'' to encompass both information and records.
    The Agencies received several comments on this definition. The
commenters suggested that the proposed definition was too broad because
it included files ``containing'' nonpublic personal information. The
Agencies believe, however, that a financial institution's security
program must apply to files that contain nonpublic personal information
in order to adequately protect the customer's information. In deciding
what level of protection is appropriate, a financial institution may
consider the fact that a given file contains very little nonpublic
personal information, but that fact would not render the file entirely
beyond the scope of the Guidelines. Accordingly, the Agencies have
adopted a definition of ``customer record'' that is substantively the
same as the proposed definition. The Agencies have, however, deleted
the reference to ``data, files, or other information'' from the final
Guidelines, since each is included in the term ``records'' and also is
covered by the reference to ``paper, electronic, or other form''.
 
I.C.2.d. Customer Information System
 
    The proposal defined ``customer information system'' to be
electronic or physical methods used to access, collect, store, use,
transmit, or protect customer information. The Agencies received a few
comments on this definition, mostly from commenters who stated that it
is too broad. The Agencies believe that the definition needs to be
sufficiently broad to protect all customer information, wherever the
information is located within a financial institution and however it is
used. Nevertheless, the broad scope of the definition of ``customer
information system'' should not result in an undue burden because, in
other important respects, the Guidelines allow a high degree of
flexibility for each institution to design a security program that
suits its circumstances.
    For these reasons, the Agencies have adopted the definition of
``customer information system'' largely as proposed. However, the
phrase ``electronic or physical'' in the proposal has been deleted
because each is included in the term ``any methods''. The Agencies also
have added a specific reference to records disposal in the definition
of ``customer information system.'' This is consistent with the
proposal's inclusion of access controls in the list of items a
financial institution is to consider when establishing security
policies and procedures (see discussion of paragraph III.C.1.a.,
below), given that inadequate disposal of records may result in
identity theft or other misuse of customer information. Under the final
Guidelines, a financial institution's responsibility to safeguard
customer information continues through the disposal process.
 
I.C.2.e. Service Provider
 
    The proposal defined a ``service provider'' as any person or entity
that maintains or processes customer information for a financial
institution, or is otherwise granted access to customer information
through its provision of services to an institution. One commenter
urged the Agencies to modify this definition so that it would not
include a financial institution's attorneys, accountants, and
appraisers. Others suggested deleting the phrase ``or is otherwise
granted access to customer information through its
provision of services to an institution''.
    The Agencies believe that the Act requires each financial
institution to adopt a comprehensive information security program that
is designed to protect against unauthorized access to or use of
customers' nonpublic personal information. Disclosing information to a
person or entity that provides services to a financial institution
creates additional risks to the security and confidentiality of the
information disclosed. In order to protect against these risks, a
financial institution must take appropriate steps to protect
information that it provides to a service provider, regardless of who
the service provider is or how the service provider obtains access. The
fact that an entity obtains access to customer information through, for
instance, providing professional services does not obviate the need for
the financial institution to take appropriate steps to protect the
information. Accordingly, the Agencies have determined that, in
general, the term ``service provider'' should be broadly defined to
encompass a variety of individuals or companies that provide services
to the institution.
    This does not mean, however, that a financial institution's methods
for overseeing its service provider arrangements will be the same for
every provider. As explained in the discussion of paragraph III.D., a
financial institution's oversight responsibilities will be shaped by
the institution's analysis of the risks posed by a given service
provider. If a service provider is subject to a code of conduct that
imposes a duty to protect customer information consistent with the
objectives of these Guidelines, a financial institution may take that
duty into account when deciding what level of oversight it should
provide.
    Moreover, a financial institution will be responsible under the
final Guidelines for overseeing its service provider arrangements only
when the service is provided directly to the financial institution. The
Agencies clarified this point by amending the definition of ``service
provider'' in the final Guidelines to state that it applies only to a
person or entity that maintains, processes, or otherwise is permitted
access to customer information through its provision of services
directly to the financial institution. Thus, for instance, a payment
intermediary involved in the collection of a check but that has no
correspondent relationship with a financial institution would not be
considered a service provider of that financial institution under this
rule. By contrast, a financial institution's correspondent bank would
be considered its service provider. Nevertheless, the financial
institution may take into account the fact that the correspondent bank
is itself a financial institution that is subject to security standards
under section 501(b) when it determines the appropriate level of
oversight for that service provider.\7\
---------------------------------------------------------------------------
 
    \7\ Similarly, in the case of a service provider that is not
subject to these Guidelines but is subject to standards adopted by
its primary regulator under section 501(b) of the G-L-B Act, a
financial institution may take that fact into consideration when
deciding what level of oversight is appropriate for that service
provider.
---------------------------------------------------------------------------
 
    In situations where a service provider hires a subservicer,\8\ the
subservicer would not be a ``service provider'' under the final
Guidelines. The Agencies recognize that it would be inappropriate to
impose obligations on a financial institution to select and monitor
subservicers in situations where the financial institution has no
contractual relationship with that person or entity. When conducting
due diligence in selecting its service providers (see discussion of
paragraph III.D., below), however, a financial institution must
determine that the service provider has adequate controls to ensure
that the subservicer will protect the customer information in a way
that meets the objectives of these Guidelines.
---------------------------------------------------------------------------
 
    \8\ The term ``subservicer'' means any person who has access to
an institution's customer information through its provision of
services to the service provider and is not limited to mortgage
subservicers.
---------------------------------------------------------------------------
 
II. Standards for Safeguarding Customer Information