La lecture en ligne est gratuite
Le téléchargement nécessite un accès à la bibliothèque YouScribe
Tout savoir sur nos offres
Télécharger Lire

Request for Comment on Interagency Proposal Regarding Disposal of Consumer Informationn - District

De
12 pages
ll★KFederal Reserve Bank of Dallas2200 N. PEARL ST.DALLAS, TX 75201-2272June 22, 2004Notice 04-34TO: The Chief Executive Officer of eachfinancial institution and others concernedin the Eleventh Federal Reserve DistrictSUBJECTRequest for Comment on InteragencyProposal Regarding Disposal of Consumer InformationDETAILSThe Board of Governors, Office of the Comptroller of the Currency, Federal DepositInsurance Corporation, and Office of Thrift Supervision have requested public comment on aproposal to implement section 216 of the Fair and Accurate Credit Transactions Act of 2003 byamending the Interagency Guidelines Establishing Standards for Safeguarding CustomerInformation. The proposal would require each financial institution to develop, implement, andmaintain appropriate measures to properly dispose of consumer information derived fromconsumer reports to address the risks associated with identity theft. Each institution would berequired to implement these measures as part of its information security program.The Board must receive comments by July 23, 2004. Please address comments toJennifer J. Johnson, Secretary, Board of Governors of the Federal Reserve System, 20th Streetand Constitution Avenue, N.W., Washington, DC 20551. Also, you may mail comments elec-tronically to regs.comments@federalreserve.gov. All comments should refer to Docket No.R-1199.The public can also view and submit comments on proposals by the Board and otherfederal agencies ...
Voir plus Voir moins

ll★K
Federal Reserve Bank of Dallas
2200 N. PEARL ST.
DALLAS, TX 75201-2272
June 22, 2004
Notice 04-34
TO: The Chief Executive Officer of each
financial institution and others concerned
in the Eleventh Federal Reserve District
SUBJECT
Request for Comment on Interagency
Proposal Regarding Disposal of Consumer Information
DETAILS
The Board of Governors, Office of the Comptroller of the Currency, Federal Deposit
Insurance Corporation, and Office of Thrift Supervision have requested public comment on a
proposal to implement section 216 of the Fair and Accurate Credit Transactions Act of 2003 by
amending the Interagency Guidelines Establishing Standards for Safeguarding Customer
Information. The proposal would require each financial institution to develop, implement, and
maintain appropriate measures to properly dispose of consumer information derived from
consumer reports to address the risks associated with identity theft. Each institution would be
required to implement these measures as part of its information security program.
The Board must receive comments by July 23, 2004. Please address comments to
Jennifer J. Johnson, Secretary, Board of Governors of the Federal Reserve System, 20th Street
and Constitution Avenue, N.W., Washington, DC 20551. Also, you may mail comments elec-
tronically to regs.comments@federalreserve.gov. All comments should refer to Docket No.
R-1199.
The public can also view and submit comments on proposals by the Board and other
federal agencies from the www.regulations.gov web site.
For additional copies, bankers and others are encouraged to use one of the following toll-free numbers in contacting the Federal
Reserve Bank of Dallas: Dallas Office (800) 333-4460; El Paso Branch Intrastate (800) 592-1631, Interstate (800) 351-1012;
Houston Branch Intrastate (800) 392-4162, Interstate (800) 221-0363; San Antonio Branch Intrastate (800) 292-5810.- 2 -
AT TACHMENT
A copy of the Board’s notice as it appears on pages 31913–22, Vol. 69, No. 110 of the
Federal Register dated June 8, 2004, is attached.
MORE INFORMATION
For more information, please contact Eugene Coy, Banking Supervision Department,
(214) 922-6201. Paper copies of this notice or previous Federal Reserve Bank notices can be
printed from our web site at www.dallasfed.org/banking/notices/index.html.31913
Federal RegisterProposed Rules
Vol. 69, No. 110
Tuesday, June 8, 2004
This section of the FEDERAL REGISTER appropriate measures to properly or personal information that you
contains notices to the public of the proposed dispose of consumer information provide. You may review the comments
issuance of rules and regulations. The derived from consumer reports to received by the OCC and other related
purpose of these notices is to give interested address the risks associated with materials by any of the following
persons an opportunity to participate in the identity theft. Each institution would be methods:
rule making prior to the adoption of the final
required to implement these measures • Viewing Comments Personally: You
rules.
as part of its information security may personally inspect and photocopy
program. comments received at the OCC’s Public
Reference Room, 250 E Street, SW., DEPARTMENT OF THE TREASURY DATES: Comments must be submitted on
Washington, DC. You can make an or before July 23, 2004.
Office of the Comptroller of the appointment to inspect comments by
ADDRESSES: Because the Agencies will
Currency calling (202) 874–5043. jointly review all of the comments
• Viewing Comments Electronically: submitted, you may comment to any of
12 CFR Parts 30 and 41 You may request e-mail or CD–ROM the Agencies and you need not send
copies of comments that the OCC has comments (or copies) to all of the [Docket No. 04–13] received by contacting the OCC’s Public Agencies. Because paper mail in the
Reference Room at RIN 1557–AC84 Washington area and at the Agencies is
regs.comments@occ.treas.gov.subject to delay, please submit your
FEDERAL RESERVE SYSTEM
• Docket: You may also request comments by e-mail whenever
available background documents using 1possible. Commenters are encouraged
12 CFR Parts 208, 211, 222, and 225 the methods described earlier. to use the title ‘‘FACT Act Disposal
Board: You may submit comments, Rule’’ in addition to the docket or RIN [Docket No. R–1199]
identified by Docket No. R–1199, by any number to facilitate the organization
of the following methods: FEDERAL DEPOSIT INSURANCE and distribution of comments among the
• Agency Web site: http://CORPORATION Agencies. Interested parties are invited
www.federalreserve.gov. Follow the to submit comments in accordance with
instructions for submitting comments at 12 CFR Parts 334 and 364 the following instructions:
http://www.federalreserve.gov/OCC: You should designate OCC in
RIN 3064–AC77 generalinfo/foia/ProposedRegs.cfm.your comment and include Docket
• Federal eRulemaking Portal: http://Number 04–13. You may submit DEPARTMENT OF THE TREASURY www.regulations.gov. Follow the comments by any of the following
instructions for submitting comments. methods: Office of Thrift Supervision
• E-mail:
• Federal eRulemaking Portal: http://
regs.comments@federalreserve.gov. www.regulations.gov. Follow the 12 CFR Parts 568, 570, and 571 Include docket number in the subject instructions for submitting comments.
line of the message. [No. 2004–26]
• OCC Web site: http://
• FAX: 202/452–3819 or 202/452–www.occ.treas.gov. Click on ‘‘Contact
RIN 1550–AB87 3102. the OCC,’’ scroll down and click on
• Mail: Jennifer J. Johnson, Secretary, ‘‘Comments on Proposed Regulations.’’ Proper Disposal of Consumer
Board of Governors of the Federal
• E-mail address: Information Under the Fair and
Reserve System, 20th Street and regs.comments@occ.treas.gov.Accurate Credit Transactions Act of
• Fax: (202) 874–4448. Constitution Avenue, NW., Washington, 2003
• Mail: Office of the Comptroller of DC 20551.
the Currency, 250 E Street, SW., Public AGENCIES: Office of the Comptroller of All public comments are available from
Reference Room, Mail Stop 1–5, the Currency, Treasury (OCC); Board of the Board’s Web site at
Washington, DC 20219. Governors of the Federal Reserve www.federalreserve.gov/generalinfo/
• Hand Delivery/Courier: 250 E System (Board); Federal Deposit foia/ProposedRegs.cfm as submitted,
Street, SW., Attn: Public Reference Insurance Corporation (FDIC); and except as necessary for technical
Room, Mail Stop 1–5, Washington, DC Office of Thrift Supervision, Treasury reasons. Accordingly, your comments
20219. (OTS). will not be edited to remove any
Instructions: All submissions received identifying or contact information. ACTION: Notice of proposed rulemaking. must include the agency name (OCC) Public comments may also be viewed
and docket number or Regulatory SUMMARY: The OCC, Board, FDIC, and electronically or in paper in Room MP–
Information Number (RIN) for this OTS (the Agencies) are requesting 500 of the Board’s Martin Building (20th
notice of proposed rulemaking. In comment on a proposal to implement and C Streets, NW.) between 9 a.m. and
general, the OCC will enter all section 216 of the Fair and Accurate 5 p.m. on weekdays.
comments received into the docket Credit Transactions Act of 2003 by FDIC: You may submit comments,
without change, including any business amending the Interagency Guidelines identified by RIN number by any of the
Establishing Standards for Safeguarding following methods:
1 The Agencies do not edit personal, identifying Customer Information. The proposal • Agency Web site: http://
information such as names or e-mail addresses from
would require each financial institution www.fdic.gov/regulations/laws/federal/electronic submissions. Submit only information
to develop, implement, and maintain you wish to make publicly available. propose.html.
VerDate jul<14>2003 14:19 Jun 07, 2004 Jkt 203001 PO 00000 Frm 00001 Fmt 4702 Sfmt 4702 E:\FR\FM\08JNP1.SGM 08JNP131914 Federal Register/Vol. 69, No. 110/Tuesday, June 8, 2004/Proposed Rules
Follow instructions for submitting assist us in serving you.) We schedule requirements issued pursuant to the
comments on the Agency Web site. appointments on business days between Gramm-Leach-Bliley Act (GLB Act)
• E-mail: Comments@FDIC.gov. 10 a.m. and 4 p.m. In most cases, (Pub. L. 106–102), as well as other
Include the RIN number in the subject appointments will be available the next provisions of Federal law.
line of the message. business day following the date we The Agencies propose amendments to
• Mail: Robert E. Feldman, Executive receive a request. the Interagency Guidelines Establishing
Secretary, Attention: Comments, Federal FOR FURTHER INFORMATION CONTACT: Standards for Safeguarding Customer
Deposit Insurance Corporation, 550 17th 2OCC: Aida Plaza Carter, Director, Bank Information (Guidelines) to require
Street, NW., Washington, DC 20429. Information Technology, (202) 874– financial institutions to implement
• Hand Delivery/Courier: Guard 4740; Amy Friend, Assistant Chief controls designed to ensure the proper
station at the rear of the 550 17th Street Counsel, (202) 874–5200; or Deborah disposal of ‘‘consumer information’’
Building (located on F Street) on Katz, Senior Counsel, Legislative and within the meaning of section 216. In
business days between 7 a.m. and 5 p.m. Regulatory Activities Division, (202) accordance with section 216 of the Act,
• Instructions: All submissions 874–5090. the Agencies have consulted with the
received must include the agency name Board: Donna L. Parker, Supervisory Federal Trade Commission, the National
and RIN for this rulemaking. All Financial Analyst, Division of Credit Union Administration, and the
comments received will be posted Supervision & Regulation, (202) 452– Securities and Exchange Commission to
without change to http://www.fdic.gov/ 2614; Thomas E. Scanlon, Counsel, ensure that, to the extent possible, the
regulations/laws/federal/propose.html Legal Division, (202) 452–3594; Minh- rules proposed by the respective
including any personal information Duc T. Le or Ky Tran-Trong, Senior agencies are consistent and comparable.
provided. Attorneys, Division of Consumer and
Office of Thrift Supervision: You may II. Background
Community Affairs, (202) 452–3667.
submit comments, identified by No.
FDIC: Jeffrey M. Kopchik, Senior On February 1, 2001, the Agencies 2004–26, by any of the following
Policy Analyst, Division of Supervision issued the Guidelines pursuant to methods:
and Consumer Protection, (202) 898– sections 501 and 505 of the GLB Act (15
• Federal eRulemaking Portal: http://
3872; Kathryn M. Weatherby, U.S.C. 6801 and 6805). The Guidelines www.regulations.gov. Follow the
Examination Specialist, Division of establish standards relating to the instructions for submitting comments.
Supervision and Consumer Protection, development and implementation of
• E-mail:
(202) 898–6793; Robert A. Patrick, administrative, technical, and physical regs.comments@ots.treas.gov. Please
Counsel, Legal Division, (202) 898– safeguards to protect the security, include No. 2004–26 in the subject line
3757; Janet V. Norcom, Counsel, Legal confidentiality, and integrity of of the message and include your name
Division, (202) 898–8886. customer information. The Guidelines and telephone number in the message.
OTS: Lewis C. Angel, Senior Project apply to the financial institutions
• Fax: (202) 906–6518.
Manager, Technology Risk Management, subject to the Agencies’ respective
• Mail: Regulation Comments, Chief
(202) 906–5645; Richard Bennett, jurisdictions. As mandated by section Counsel’s Office, Office of Thrift
Counsel (Banking and Finance), 501(b) of the GLB Act, the Guidelines Supervision, 1700 G Street, NW.,
Regulations and Legislation Division, require each financial institution to Washington, DC 20552, Attention: No.
(202) 906–7409; Paul Robin, Special develop a written information security 2004–26.
Counsel, Regulations and Legislation program that is designed to: (1) Ensure
• Hand Delivery/Courier: Guard’s
Division, (202) 906–6648. the security and confidentiality of Desk, East Lobby Entrance, 1700 G
customer information; (2) protect Street, NW., from 9 a.m. to 4 p.m. on SUPPLEMENTARY INFORMATION:
against any anticipated threats or business days, Attention: Regulation
I. Introduction hazards to the security or integrity of Comments, Chief Counsel’s Office,
Section 216 of the Fair and Accurate such information; and (3) protect against Attention: No. 2004–26.
Credit Transactions Act of 2003 (FACT Instructions: All submissions received unauthorized access to or use of such
Act or the Act) adds a new section 628 must include the agency name and information that could result in
to the Fair Credit Reporting Act (FCRA), number or Regulatory Information substantial harm or inconvenience to
3at 15 U.S.C. 1681w, that, in general, is Number (RIN) for this rulemaking. All any customer. The Guidelines direct
designed to protect a consumer against comments received will be posted financial institutions to assess the risks
the risks associated with unauthorized without change to http:// to their customer information and
access to information about the www.ots.treas.gov/ customer information systems and, in
consumer contained in a consumer pagehtml.cfm?catNumber=67&an=1, turn, implement appropriate security
4report, such as fraud and related crimes including any personal information measures to control those risks. For
including identity theft. Section 216 of provided. example, under the risk-assessment
Docket: For access to the docket to the Act requires each of the Agencies to framework currently imposed by the
read background documents or adopt a regulation with respect to the Guidelines, each financial institution
comments received, go to http:// entities that are subject to its must evaluate whether the controls the
www.ots.treas.gov/ enforcement authority ‘‘requiring any institution has developed sufficiently
pagehtml.cfm?catNumber=67&an=1. In person that maintains or otherwise protect its customer information from
addition, you may inspect comments at possesses consumer information, or any unauthorized access, misuse, or
the Public Reading Room, 1700 G Street, compilation of consumer information,
NW., by appointment. To make an derived from consumer reports for a 2 12 CFR Parts 30, app. B (OCC); 208, app. D–2
appointment for access, call (202) 906– business purpose to properly dispose of and 225, app. F (Board); 364, app. B (FDIC); 570,
app. B (OTS). See 66 FR 8616 Feb. 1, 2001. 5922, send an e-mail to any such information or compilation.’’
Citations to the Guidelines omit references to titles public.info@ots.treas.gov, or send a Public Law 108–159, 117 Stat. 1985–86.
and publications and give only the appropriate
facsimile transmission to (202) 906– The FACT Act mandates that the paragraph or section number.
7755. (Prior notice identifying the Agencies ensure that their respective 3 Guidelines, II.B.
4materials you will be requesting will regulations are consistent with the See generally III.B and III.C.
VerDate jul<14>2003 14:19 Jun 07, 2004 Jkt 203001 PO 00000 Frm 00002 Fmt 4702 Sfmt 4702 E:\FR\FM\08JNP1.SGM 08JNP1Federal Register/Vol. 69, No. 110/Tuesday, June 8, 2004/Proposed Rules 31915
alteration when the institution disposes is defined to mean ‘‘a compilation of example, a financial institution must
5of the information. such records.’’ implement measures to properly
The scope of information covered by dispose of ‘‘consumer information’’ that
III. Proper Disposal of Consumer the terms ‘‘consumer information,’’ and identifies a consumer, such as the
Information and Customer Information ‘‘customer information’’ as defined consumer’s name and the credit score
under the Guidelines, will sometimes The Agencies are proposing to amend derived from a consumer report.
overlap, but will not always coincide. the Guidelines to require each financial However, this requirement would not
institution to develop and maintain, as The Agencies note that the proposed apply to the mean credit score that is
part of its information security program, definition of ‘‘consumer information’’ is derived from a group of consumer
appropriate controls designed to ensure drawn from the term ‘‘consumer’’ in reports. The Agencies believe that
that the institution properly disposes of section 603(c) of the FCRA, which limiting ‘‘consumer information’’ to
‘‘consumer information.’’ The proposed defines a ‘‘consumer’’ as an individual. information that identifies a consumer
amendments to the Guidelines generally 15 U.S.C. 1681a(c). By contrast, is consistent with the current law
‘‘customer information’’ under the would require a financial institution to relating to the scope of the term
Guidelines, only covers nonpublic dispose of ‘‘consumer information’’ ‘‘consumer report’’ under the FCRA and
personal information about a derived from a consumer report in a the purposes of section 216 of the FACT
‘‘customer,’’ namely, an individual who manner consistent with the existing Act.
obtains a financial product or service to requirements that apply to the disposal The Agencies request suggestions for
be used primarily for personal, family, of ‘‘customer information.’’ The clarifying the scope of information
or household purposes and who has a Agencies propose to incorporate this covered under the term ‘‘consumer
continuing relationship with the new requirement into the Guidelines by: information.’’ Among other issues, the
6financial institution. The relationship (1) Adding a definition of ‘‘consumer Agencies believe that the phrase
between ‘‘consumer information’’ and information’’; (2) adding an objective (in ‘‘derived from consumer reports’’ covers
‘‘customer information’’ can be paragraph II) regarding the proper all of the information about a consumer
illustrated through the following disposal of consumer information; and that is taken from a consumer report,
examples. Payment history information (3) adding a provision (in paragraph III) including information that results in
from a consumer report about an that would require a financial whole or in part from manipulation of
individual, who is a financial institution to implement appropriate information from a consumer report or
institution’s customer, will be both measures to properly dispose of information from a consumer report that
‘‘consumer information’’ because it consumer information in a manner has been combined with other types of
comes from a consumer report and consistent with the disposal of customer information. Consequently, a financial
‘‘customer information’’ because it is information. institution that possesses any of this
nonpublic personal information about a The Agencies propose to require each information must properly dispose of it.
customer. In some circumstances, financial institution to implement the For example, any record about a
‘‘’’ will be broader appropriate measures to properly consumer derived from a consumer
than ‘‘consumer information.’’ For dispose of ‘‘consumer information’’ report, such as the consumer’s name
instance, information about a financial within three months after the final and credit score, that is shared among
institution’s transactions with its regulations are published in the Federal affiliates must be disposed of properly
customer would be only ‘‘customer Register. The Agencies believe that any by each affiliate that possesses that
information’’ because it does not come changes to an institution’s existing information. Similarly, a consumer
from a consumer report. In other information security program to report that is shared among affiliated
circumstances, ‘‘consumer information’’ properly dispose of ‘‘consumer companies after the consumer has been
will be broader than ‘‘customer information’’ likely will be minimal. given a notice and has elected not to opt information.’’ ‘‘Consumer information’’ Accordingly, the Agencies consider a out of that sharing, and therefore is no would include information from a three-month period sufficient to enable longer a ‘‘consumer report’’ under the consumer report that an institution financial institutions to adjust their 7FCRA, would still be ‘‘consumer obtains about an individual who applies systems and controls. information’’ under this proposal. for but does not receive a loan, an The Agencies invite comment on all Accordingly, a financial institution that individual who guarantees a loan for a aspects of the proposal. A discussion of receives ‘‘consumer information’’ under business entity, an employee or a each proposed amendment to the these circumstances must properly prospective employee, or an individual Guidelines and to the addition of cross- dispose of the information. The in connection with a loan to the references to the Guidelines in the Agencies seek comment on whether the individual’s sole proprietorship. In each Agencies’ FCRA regulations follows. definition of ‘‘’’ of these instances, the consumer reports
should be revised to further clarify this Consumer Information would not be ‘‘customer information’’
interpretation of the statutory phrase because the information would not be The proposal defines ‘‘consumer ‘‘derived from consumer reports,’’ such about a ‘‘customer’’ within the meaning information’’ to mean ‘‘any record about as by example or otherwise.of the Guidelines.an individual, whether in paper, The Agencies note that the proposed The Agencies propose to define
electronic, or other form, that is a definition of ‘‘consumer information’’ ‘‘consumer information’’ as ‘‘any record
consumer report or is derived from a includes the qualification ‘‘for a about an individual * * * that is a
consumer report and that is maintained business purpose,’’ as set forth in consumer report or is derived from a
or otherwise possessed by or on behalf section 216 of the Act. The Agencies consumer report.’’ Under this definition,
of the [institution] for a business believe that the phrase ‘‘for a business information that may be ‘‘derived from
purpose.’’ ‘‘Consumer information’’ also purpose’’ encompasses any commercial consumer reports’’ but does not identify
purpose for which a financial institution a particular consumer would not be
5 See 66 FR 8618 (‘‘Under the final Guidelines, a might maintain or possess ‘‘consumer covered under the proposal. For financial institution’s responsibility to safeguard
customer information continues through the
6 7disposal process.’’). I.C.2.b. 15 U.S.C. 1681a(d)(2)(A)(iii).
VerDate jul<14>2003 14:19 Jun 07, 2004 Jkt 203001 PO 00000 Frm 00003 Fmt 4702 Sfmt 4702 E:\FR\FM\08JNP1.SGM 08JNP131916 Federal Register/Vol. 69, No. 110/Tuesday, June 8, 2004/Proposed Rules
information’’ and request comment on new provision requires an institution to paragraph III.C. of the Guidelines
that interpretation. implement these measures ‘‘in a manner sufficiently explains the nature and
consistent with the disposal of customer scope of the obligations on each
New Objective for an Information information’’ and ‘‘in accordance with financial institution to modify its
Security Program each of the requirements in this information security program to include
The Agencies are proposing to add a paragraph III.’’ of the Guidelines. measures that must be implemented and
new objective regarding the proper Paragraph III. of the Guidelines adjusted, as appropriate, to properly
disposal of consumer information in presently requires a financial institution dispose of ‘‘consumer information.’’
paragraph II.B. of the Guidelines. The The Agencies request comment on to undertake measures to design,
proposal would require a financial whether the use in the Guidelines of the implement, and maintain its
institution to design its information statutory phrase ‘‘proper disposal’’ is information security program to protect
security program to ‘‘[e]nsure the proper sufficiently clear. Would a more specific customer information and customer
disposal of consumer information in a standard provide better guidance to information systems, including the
financial institutions, better protect manner consistent with the disposal of methods it uses to dispose of customer
consumers, or both? customer information.’’ information. Under the proposal, an
The Agencies believe that imposing institution must adopt a comparable set Proposed Amendments to the Agencies’
this additional objective in paragraph of procedures and controls to properly FCRA Regulations
II.B is important to ensure that the dispose of ‘‘consumer information.’’ For
The Agencies propose to amend their requirement to properly dispose of example, a financial institution must
respective regulations that implement ‘‘consumer information’’ applies to a broaden the scope of its risk assessment
11the FCRA by adding a new provision financial institution’s service providers. to include an assessment of the
setting forth the duties of users of The Guidelines require, in part, that a reasonably foreseeable internal and
consumer reports regarding identity financial institution ‘‘[r]equire its external threats associated with the
theft. As proposed, the new provision service providers by contract to methods it uses to dispose of ‘‘consumer
requires a financial institution to implement appropriate measures information,’’ and adjust its risk
properly dispose of consumer designed to meet the objectives of these assessment in light of the relevant
8 information in accordance with the Guidelines.’’ changes relating to such threats. The
standards set forth in the Guidelines. By expressly incorporating a Agencies, by expressly adding this new
The proposed provision also provision in paragraph II.B., the provision, are requiring a financial
incorporates a rule of construction that Agencies’ proposal requires each institution to integrate into its
closely tracks the terms of section 628(b) financial institution to contractually information security program each of
of the FCRA, as added by section 216 of require its service providers to develop those risk-based measures in connection
the FACT Act.appropriate measures for the proper with the disposal of ‘‘consumer
The Agencies request comment on the disposal of consumer information and, information,’’ as set forth in paragraph
proposed amendments to their where warranted, to monitor its service III. of the Guidelines.
respective FCRA rules. providers to confirm that they have The Agencies believe that it is not
satisfied their contractual obligations. necessary to propose a prescriptive rule IV. Regulatory Analysis
The Agencies also propose to amend describing proper methods of disposal.
Paperwork Reduction Act paragraph III.G.2. to allow a financial Nonetheless, consistent with
institution a reasonable period of time, In accordance with the Paperwork interagency guidance previously issued
after the final regulations are issued, to Reduction Act of 1995 (44 U.S.C. 3506; through the Federal Financial
amend its contracts with its service 5 CFR 1320 appendix A.1), the Agencies Institutions Examination Council
9providers to incorporate the necessary have reviewed the proposed rules. (The (FFIEC), the Agencies expect
requirements in connection with the Board has done so under authority institutions to have appropriate disposal
proper disposal of consumer delegated to the Board by the Office of procedures for records maintained in
information. The Agencies propose Management and Budget.) The proposed paper-based or electronic form. The
allowing one year after publication of rules contain no collections of Agencies note that an institution’s
the final regulations for financial information pursuant to the Paperwork information security program should
institutions to modify the contracts that Reduction Act. ensure that paper records containing
will be affected by the Guidelines. either customer or consumer Regulatory Flexibility Act The Agencies seek comment on information should be rendered
whether a one-year period for In accordance with the Regulatory unreadable as indicated by the
modification of agreements with service Flexibility Act, each agency must institution’s risk assessment, such as by
providers is appropriate. publish an initial regulatory flexibility shredding or any other means.
analysis with its proposed rule, unless Institutions also should recognize that New Provision To Implement Measures
the agency certifies that the rule will not computer-based records present unique To Properly Dispose of Consumer
have a significant economic impact on disposal problems. Residual data Information
a substantial number of small entities. (5 frequently remains on media after
The Agencies propose to amend U.S.C. 601–612). Each of the Agencies erasure. Since that data can be
paragraph III.C. (Manage and Control hereby certifies that its rule, if adopted recovered, additional disposal
Risk) by adding a new provision to as proposed, would not have a techniques should be applied to
require a financial institution to 10 significant economic impact on a sensitive electronic data.
develop, implement, and maintain, as substantial number of small entities. The Agencies seek comment on
part of its information security program, The proposed rules require a financial whether the proposed amendment to
appropriate measures to properly institution subject to the jurisdiction of
dispose of consumer information. This the appropriate agency to implement 9 See FFIEC Information Security Booklet, page 63
at: http://www.ffiec.gov/ffiecinfobase.html_pages/
8 it_01.html#infosec. 11III.D.2. This requirement applies to both 12 CFR part 41 (OCC); 12 CFR part 222 (Board);
10domestic and foreign-based service providers. See footnote 9, supra. 12 CFR part 334 (FDIC); and 12 CFR part 571 (OTS).
VerDate jul<14>2003 14:19 Jun 07, 2004 Jkt 203001 PO 00000 Frm 00004 Fmt 4702 Sfmt 4702 E:\FR\FM\08JNP1.SGM 08JNP1Federal Register/Vol. 69, No. 110/Tuesday, June 8, 2004/Proposed Rules 31917
appropriate controls designed to ensure Agencies believe that the controls that regulatory alternatives before
the proper disposal of ‘‘consumer small financial institutions would promulgating a rule.
information.’’ A financial institution develop and implement, if any, to For the reasons outlined earlier, the
must develop and maintain these comply with the proposed rules likely OCC and OTS have determined that this
controls as part of implementing its pose a minimal economic impact on proposal will not result in expenditures
existing information security program those entities. Nonetheless, the by state, local, and tribal governments,
for ‘‘customer information,’’ as required Agencies specifically request comment or by the private sector, of $100 million
12under the Guidelines. on the burden the proposed rules would or more, in any one year. Accordingly,
Any modifications to a financial have on small financial institutions, and a budgetary impact statement is not
institution’s information security how the Agencies’ proposed rules might required under section 202 of the
program needed to address the proper minimize this burden, to the extent Unfunded Mandates Reform Act of 1995
disposal of ‘‘consumer information’’ consistent with the requirements of the and this rulemaking requires no further
could be incorporated through the FACT Act. analysis under the Unfunded Mandates
process the institution presently uses to Act. Solicitation of Comments on Use of
adjust its program under paragraph III.E.
Plain Language OCC Community Bank Comment of the Guidelines, particularly because
Request Section 722(a) of the GLB Act requires of the similarities between the consumer
the Federal banking agencies to use and customer information and the The OCC invites your comments on
plain language in all proposed and final measures commonly used to properly the impact of this proposal on
14rules. In light of this requirement, the dispose of both types of information. To community banks. The OCC recognizes
Agencies have sought to present the the extent that these proposed rules that community banks operate with
proposed rules in a simple and impose new requirements for certain more limited resources than larger
straightforward manner. The Agencies types of ‘‘consumer information,’’ institutions and may present a different
invite your comments on how to make developing appropriate measures to risk profile. Thus, the OCC specifically
the rules easier to understand. For properly dispose of that information requests comments on the impact of this
example:likely would require only a minor proposal on community banks’ current
• Have we organized the material to modification of an institution’s existing resources and available personnel with
suit your needs? If not, how could this information security program. the requisite expertise, and whether the
material be better organized? Because some ‘‘consumer goals of the proposed regulations could
• Do the regulations contain technical information’’ will be ‘‘customer be achieved, for community banks,
language or jargon that is not clear? If ’’ and because segregating through an alternative approach.
so, which language requires particular records for special treatment
List of Subjects clarification? may entail considerable costs, the
• Would a different format (grouping Agencies believe that many banks and 12 CFR Part 30
and order of sections, use of headings, savings associations, including small
Banks, banking, Consumer protection, paragraphing) make the regulations institutions, already are likely to have
National banks, Privacy, Reporting and easier to understand? If so, what implemented measures to properly
recordkeeping requirements. changes to the format would make the dispose of both ‘‘customer’’ and
regulations easier to understand? ‘‘consumer’’ information. In addition, 12 CFR Part 41
• What else could we do to make the the Agencies, through the Federal Financial Institutions Examination
National banks, Reporting and
Council (FFIEC), already have issued OCC and OTS Executive Order 12866
guidance regarding their expectations Determination
concerning the proper disposal of all of 12 CFR Part 208
The OCC and OTS each have an institution’s paper and electronic Banks, banking, Consumer protection, determined that this proposal is not a records. See FFIEC Information Security Information, Privacy, Reporting and ‘‘significant regulatory action’’ under 13Booklet, December 2002, p. 63. recordkeeping requirements. Executive Order 12866. Therefore, the proposed rules do not
12 CFR Part 211require any significant changes for OCC and OTS Unfunded Mandates
institutions that currently have Reform Act of 1995 Determination Exports, Foreign banking, Holding
procedures and systems designed to companies, Reporting and Under section 202 of the Unfunded
comply with this guidance.Mandates Reform Act of 1995, Public
The Agencies anticipate that, in light
Law 104–4 (2 U.S.C. 1532) (Unfunded 12 CFR Part 222of current practices relating to the
Mandates Act), the OCC and OTS must
disposal of information in accordance Banks, banking, Holding companies, prepare budgetary impact statements
with the Guidelines and the guidance State member banks. before promulgating any rule likely to
issued by the FFIEC, the proposed rules
result in a federal mandate that may 12 CFR Part 225would not impose undue costs on
result in the expenditure by state, local,
financial institutions. Therefore, the and tribal governments, in the aggregate,
Reporting and recordkeeping or by the private sector of $100 million
12 In 2001, the Agencies issued final Guidelines requirements. or more in any one year. If a budgetary requiring financial institutions to develop and
maintain an information security program, impact statement is required, under 12 CFR Part 334
including procedures to dispose of customer section 205 of the Unfunded Mandates
information, and each agency provided a final Administrative practice and Act, the OCC and OTS must identify
regulatory flexibility analysis at that time. See 66 procedure, Bank deposit insurance, and consider a reasonable number of FR 8625–32 Feb. 1, 2001.
Banks, Banking, Reporting and
13 See FFIEC Information Security Booklet, page
recordkeeping requirements, Safety and 1463 at: http://www.ffiec.gov/ffiecinfobase/ Pub. L. 106–102, 113 Stat. 1338 (1999), codified
html_pages/it_01.html#infosec. at 12 U.S.C. 4809. soundness.
VerDate jul<14>2003 14:19 Jun 07, 2004 Jkt 203001 PO 00000 Frm 00005 Fmt 4702 Sfmt 4702 E:\FR\FM\08JNP1.SGM 08JNP131918 Federal Register/Vol. 69, No. 110/Tuesday, June 8, 2004/Proposed Rules
Appendix B to Part 30—Interagency 12 CFR Part 364 5. A new subpart I, consisting of
Guidelines Establishing Standards for § 41.83, is added to read as follows:
Administrative practice and Safeguarding Customer Information
procedure, Bank deposit insurance, Subpart I—Duties of Users of * * * * *
Banks, Banking, Reporting and Consumer Reports Regarding Identity
I. * * *recordkeeping requirements, Safety and Theft
* * * These Guidelines also address soundness.
standards with respect to the proper disposal § 41.83 Disposal of consumer information.
12 CFR Part 568 of consumer information, pursuant to (a) In general. Each bank must
sections 621(b) and 628 of the Fair Credit properly dispose of any consumer Consumer protection, Privacy, Reporting Act (15 U.S.C. 1681s(b) and
information that it maintains or Reporting and recordkeeping 1681w).
otherwise possesses in accordance with requirements, Savings associations, A. Scope. * * * The Guidelines also apply
the Interagency Guidelines Establishing Security measures. to the proper disposal of consumer
Standards for Safeguarding Customer information by such entities.
12 CFR Part 570 Information, as set forth in appendix B * * * * *
to 12 CFR part 30. C. * * * Accounting, Administrative practice
(b) Rule of construction. Nothing in 2. * * * and procedure, Bank deposit insurance,
this section shall be construed to: b. Consumer information means any record Consumer protection, Holding
(1) Require a bank to maintain or about an individual, whether in paper, companies, Privacy, Reporting and
electronic, or other form, that is a consumer destroy any record pertaining to a
recordkeeping requirements, Safety and
report or is derived from a consumer report consumer that is not imposed under any
soundness, Savings associations. and that is maintained or otherwise other law; or
possessed by or on behalf of the bank for a (2) Alter or affect any requirement 12 CFR Part 571
business purpose. Consumer information also imposed under any other provision of
means a compilation of such records. Consumer protection, Credit, Fair law to maintain or destroy such a
c. Consumer report has the same meaning Credit Reporting Act, Privacy, Reporting record.
as set forth in 15 U.S.C. 1681a(d).and recordkeeping requirements,
Dated: May 14, 2004. * * * * *Savings associations.
John D. Hawke, Jr.,
II. * * * Department of the Treasury Comptroller of the Currency.
B. * * *
Office of the Comptroller of the Federal Reserve System4. Ensure the proper disposal of consumer
Currency information in a manner consistent with the
12 CFR Chapter II
disposal of customer information. 12 CFR Chapter I
Authority and Issuance
III. * * * Authority and Issuance
For the reasons set forth in the joint C. * * *
For the reasons discussed in the joint preamble, parts 208, 211, 222, and 225 4. Develop, implement, and maintain, as
preamble, 12 CFR part 30 and 12 CFR part of its information security program, of chapter II of title 12 of the Code of
part 41 (as proposed to be added at 69 appropriate measures to properly dispose of Federal regulations are proposed to be
consumer information in a manner consistent FR 23394, April 28, 2004), are proposed amended as follows:
with the disposal of customer information, in to be amended as follows:
accordance with each of the requirements of PART 208—MEMBERSHIP OF STATE
this paragraph III.PART 30—SAFETY AND SOUNDNESS BANKING INSTITUTIONS IN THE
STANDARDS * * * * * FEDERAL RESERVE SYSTEM
G. Implement the Standards. *** (REGULATION H)
1. The authority citation for part 30 is 3. Effective date for measures relating to
1. The authority citation for 12 CFR the disposal of consumer information. Each revised to read as follows:
bank must satisfy these Guidelines with Part 208 is revised to read as follows:
Authority: 12 U.S.C. 93a, 1818, 1831–p and
respect to the proper disposal of consumer
Authority: 12 U.S.C. 24, 36, 92a, 93a, 3102(b); 15 U.S.C. 1681s, 1681w, 6801, and
information by [This date will be 90 days
248(a), 248(c), 321–338a, 371d, 461, 481–486, 6805(b)(1).
after the date of publication in the Federal
601, 611, 1814, 1816, 1820(d)(9), 1823(j),
Register of a final rule]. 2. Appendix B to Part 30 is amended 1828(o), 1831, 1831o, 1831p–1, 1831r–1,
4. Exception for existing agreements with by: 1831w, 1831x, 1835a, 1882, 2901–2907,
service providers relating to the disposal of
3105, 3310, 3331–3351, and 3906–3909, 15 a. Amending paragraph I. consumer information. Notwithstanding the
U.S.C. 78b, 78l(b), 78l(g), 78l(i), 78o–4(c)(5), INTRODUCTION by adding a new requirement in paragraph III.G.3., a bank’s
78q, 78q–1, 78w, 1681s, 1681w, 6801 and
sentence at the end of the paragraph; existing contracts with its service providers
6805; 31 U.S.C. 5318, 42 U.S.C. 4012a, 4104a,
with regard to any service involving the b. Amending paragraph I.A. by adding 4104b, 4106, and 4128.
disposal of consumer information must a new sentence at the end of the 2. In § 208.3 revise paragraph (d)(1) to comply with these Guidelines by [This date
paragraph;
will be one year after the date of publication read as follows:
c. Redesignating paragraphs I.C.2.b. in the Federal Register of a final rule].
§ 208.3 Application and conditions for through e. as paragraphs I.C.2.d. through
membership in the Federal Reserve System.PART 41—FAIR CREDIT REPORTING g., respectively;
* * * * *d. Adding new paragraphs I.C.2.b. and 3. The authority citation for part 41 is (d) Conditions of membership. (1) c.; revised to read as follows: Safety and soundness. Each member
e. Adding a new paragraph II.B.4.; Authority: 12 U.S.C. 1 et seq., 24 (Seventh), bank shall at all times conduct its
f. Adding a new paragraph III.C.4.; 93a, 481, 484, and 1818; 15 U.S.C. 1681a, business and exercise its powers with
1681b, 1681s, 1681w, 6801 and 6805.and due regard to safety and soundness.
g. Adding new paragraphs III.G.3. and 4. Subparts E through H are added Each member bank shall comply with
4. to read as follows: and reserved. the Interagency Guidelines Establishing
VerDate jul<14>2003 14:19 Jun 07, 2004 Jkt 203001 PO 00000 Frm 00006 Fmt 4702 Sfmt 4702 E:\FR\FM\08JNP1.SGM 08JNP1Federal Register/Vol. 69, No. 110/Tuesday, June 8, 2004/Proposed Rules 31919
4. Ensure the proper disposal of consumer § 211.24 Approval of offices of foreign Standards for Safety and Soundness
banks; procedures for applications; information in a manner consistent with the prescribed pursuant to section 39 of the
standards for approval; representative-disposal of customer information.FDI Act (12 U.S.C. 1831p–1), set forth in
office activities and standards for approval; appendix D–1 to this part, and the * * * * * preservation of existing authority.
Interagency Guidelines Establishing
III.* * * * * * * *Standards for Safeguarding Customer
C. * * *Information prescribed pursuant to (i) Protection of customer and
4. Develop, implement, and maintain, as sections 501 and 505 of the Gramm- consumer information. An uninsured
part of its information security program, Leach-Bliley Act (15 U.S.C. 6801 and state-licensed branch or agency of a
appropriate measures to properly dispose of 6805) and, with respect to the proper foreign bank shall comply with the
consumer information in a manner consistent disposal of consumer information, Interagency Guidelines Establishing
with the disposal of customer information, in section 216 of the Fair and Accurate Standards for Safeguarding Customer
accordance with each of the requirements in Credit Transactions Act of 2003 (15 Information prescribed pursuant to
this paragraph III.U.S.C. 1681w), set forth in appendix D– sections 501 and 505 of the Gramm-
2 to this part. * * * * * Leach-Bliley Act (15 U.S.C. 6801 and
G. * * * 6805) and, with respect to the proper * * * * *
3. Effective date for measures relating to disposal of consumer information, 3. Amend Appendix D–2 to part 208,
the disposal of consumer information. Each section 216 of the Fair and Accurate as follows:
bank must satisfy these Guidelines with Credit Transactions Act of 2003 (15 a. In section I., Introduction, a new
respect to the proper disposal of consumer U.S.C. 1681w), set forth in appendix D–sentence is added at the end of the
information by [This date will be 90 days 2 to part 208 of this chapter.introductory paragraph.
after the date of publication in the Federal b. In section I.A., Scope, a new * * * * *
Register of a final rule].
4. Exception for existing agreements with PART 222—FAIR CREDIT REPORTING paragraph.
service providers relating to the disposal of (REGULATION V) c. In section I.C.2, paragraphs b.
consumer information. Notwithstanding the
through f. are redesignated as
requirement in paragraph III.G.3., a bank’s 7. The authority citation for part 222 paragraphs d. through h., respectively,
existing contracts with its service providers is revised to read as follows:and new paragraphs b. and c. are added. with regard to any service involving the
d. In section II.B., Objectives, a new Authority: 15 U.S.C. 1681b, 1681s, and disposal of consumer information must
paragraph 4 is added. 1681w; Secs. 3 and 217, Pub. L. 108–159, 117 comply with these Guidelines by [This date
e. In section III.C., Manage and Stat. 1952.will be one year after the date of publication
Control Risk, a new paragraph 4 is in the Federal Register of a final rule].
8. Add a new subpart I to read as added.
follows:f. In section III.G., Implement the PART 211—INTERNATIONAL
Standards, new paragraphs 3 and 4 are BANKING OPERATIONS Subpart I—Duties of Users of Consumer
added. (REGULATION K) Reports Regarding Identity Theft
Appendix D–2 to Part 208—Interagency Sec.
4. The authority citation for part 211 Guidelines Establishing Standards for 222.80–222.82 [Reserved]
is revised to read as follows:Safeguarding Customer Information 222.83 Disposal of consumer information.
* * * * * Authority: 12 U.S.C. 221 et seq., 1818,
Subpart I—Duties of Users of 1835a, 1841 et seq., 3101 et seq., and 3901
I. * * * Consumer Reports Regarding Identity et seq.; 15 U.S.C. 1681s, 1681w, 6801 and
* * * These Guidelines also address Theft6805.
standards with respect to the proper disposal
of consumer information, pursuant to § 222.80–222.82 [Reserved]5. In § 211.5, revise paragraph (l) to
sections 621(b) and 628 of the Fair Credit read as follows:
§ 222.83 Disposal of consumer Reporting Act (15 U.S.C. 1681s(b) and
information. 1681w). § 211.5 Edge and agreement corporations.
A. Scope. * * * These Guidelines also
* * * * * (a) In general. You must properly
apply to the proper disposal of consumer
dispose of any consumer information information by such entities. (l) Protection of customer information
that you maintain or otherwise possess and consumer information. An Edge or * * * * *
in accordance with the Interagency
C. * * * agreement corporation shall comply
Guidelines Establishing Standards for 2. * * * with the Interagency Guidelines
Safeguarding Customer Information, as b. Consumer information means any record Establishing Standards for Safeguarding
required under §§ 208.3(d) (Regulation about an individual, whether in paper, Customer Information prescribed
electronic, or other form, that is a consumer H), 211.5(l) and 211.24(i) (Regulation K), pursuant to sections 501 and 505 of the
report or is derived from a consumer report or 225.4(h) (Regulation Y) of this Gramm-Leach-Bliley Act (15 U.S.C.
and that is maintained or otherwise chapter, as applicable. 6801 and 6805) and, with respect to the possessed by or on behalf of the bank for a
(b) Rule of construction. Nothing in proper disposal of consumer business purpose. Consumer information also
this section shall be construed to: information, section 216 of the Fair and means a compilation of such records.
c. Consumer report has the same meaning Accurate Credit Transactions Act of (1) Require you to maintain or destroy
as set forth in the Fair Credit Reporting Act, 2003 (15 U.S.C. 1681w), set forth in any record pertaining to a consumer that
15 U.S.C. 1681a(d), and as defined in subpart appendix D–2 to part 208 of this is not imposed under any other law; or
A of part 222 (Regulation V) of this chapter. chapter.
(2) Alter or affect any requirement * * * * * * * * * * imposed under any other provision of
II.* * * 6. In § 211.24, revise paragraph (i) to law to maintain or destroy such a
B. * * * read as follows: record.
VerDate jul<14>2003 14:19 Jun 07, 2004 Jkt 203001 PO 00000 Frm 00007 Fmt 4702 Sfmt 4702 E:\FR\FM\08JNP1.SGM 08JNP131920 Federal Register/Vol. 69, No. 110/Tuesday, June 8, 2004/Proposed Rules
C. Definitions. *** 2. Add a new subpart I to read as PART 225—BANK HOLDING
2. * * * follows:COMPANIES AND CHANGE IN BANK
b. Consumer information means any record CONTROL (Regulation Y) Subpart I—Duties of Users of Consumer about an individual, whether in paper,
Reports Regarding Identity Theft electronic, or other form, that is a consumer 9. The authority citation for part 225
report or is derived from a consumer report Sec. is revised to read as follows:
and that is maintained or otherwise 334.80–334.82 [Reserved]
Authority: 12 U.S.C. 1817(j)(13), 1818, possessed by you or on your behalf for a 334.83 Disposal of consumer information.
1828(o), 1831i, 1831p–1, 1843(c)(8), 1844(b), business purpose. Consumer information also
1972(1), 3106, 3310, 3331–3351, 3906, and means a compilation of such records. Subpart I—Duties of Users of
3909; 15 U.S.C. 1681(b)(1), 1681s, 1681w, c. Consumer report has the same meaning Consumer Reports Regarding Identity
6801 and 6805. as set forth in the Fair Credit Reporting Act, Theft
15 U.S.C. 1681a(d), and as defined in subpart 10. In § 225.4, revise paragraph (h) to
A of part 222 (Regulation V) of this chapter. § 334.80–334.82 [Reserved]read as follows:
* * * * *
§ 334.83 Disposal of consumer
§ 225.4 Corporate practices.
information. II. * * *
* * * * * (a) In general. You must properly B. Objectives. ***(h) Protection of customer information dispose of any consumer information and consumer information. A bank that you maintain or otherwise possess 4. Ensure the proper disposal of consumer holding company, including a bank in accordance with the Interagency information in a manner consistent with the holding company that is a financial Guidelines Establishing Standards for disposal of customer information.
holding company, shall comply with the Safeguarding Customer Information, as
III. * * * Interagency Guidelines Establishing set forth in appendix B to part 364 of
Standards for Safeguarding Customer C. Manage and Control Risk. *** this chapter, prescribed pursuant to
Information, as set forth in appendix F 4. Develop, implement, and maintain, as section 216 of the Fair and Accurate
part of your information security program, of this part, prescribed pursuant to Credit Transactions Act of 2003 (15
appropriate measures to properly dispose of sections 501 and 505 of the Gramm- U.S.C. 1681w). consumer information in a manner consistent Leach-Bliley Act (15 U.S.C. 6801 and (b) Rule of construction. Nothing in with the disposal of customer information, in 6805) and, with respect to the proper this section shall be construed to: accordance with each of the requirements in
disposal of consumer information, (1) Require you to maintain or destroy this paragraph III.
section 216 of the Fair and Accurate any record pertaining to a consumer that * * * * *Credit Transactions Act of 2003 (15 is not imposed under any other law; or G. Implement the Standards. ***
U.S.C. 1681w). (2) Alter or affect any requirement 3. Effective date for measures relating to
11. In Appendix F to part 225, the imposed under any other provision of the disposal of consumer information. You
following amendments are made: must satisfy these Guidelines with respect to law to maintain or destroy such a
a. In section I., Introduction, a new the proper disposal of consumer information record.
sentence is added at the end of the by [This date will be 90 days after the date
of publication in the Federal Register of a introductory paragraph. PART 364—STANDARDS FOR SAFETY
final rule]. b. In section I.A., Scope, a new AND SOUNDNESS
4. Exception for existing agreements with
3. The authority citation for part 364 service providers relating to the disposal of paragraph.
consumer information. Notwithstanding the is revised to read as follows:
c. In section I.C.2., paragraphs 2.b.
requirement in paragraph III.G.3., your
Authority: 12 U.S.C. 1819 (Tenth), 1831p–through 2.f. are redesignated as existing contracts with your service providers 1; 15 U.S.C. 1681s, 1681w, 6801(b), paragraphs 2.d. through 2.h., with regard to any service involving the 6805(b)(1).
respectively, and new paragraphs 2.b disposal of consumer information must
4. Revise § 364.101(b) to read as and 2.c are added. comply with these Guidelines by [This date
follows:will be one year after the date of publication d. In section II.B., Objectives, a new
in the Federal Register of a final rule].paragraph 4 is added.
§ 364.101 Standards for safety and
e. In section III.C., Manage and By order of the Board of Governors of the soundness.
Control Risk, a new paragraph 4 is Federal Reserve System, May 25, 2004.
* * * * *
added. Jennifer J. Johnson, (b) Interagency Guidelines
f. In section III.G., Implement the Secretary of the Board. Establishing Standards for Safeguarding
Standards, new paragraphs 3 and 4 are Customer Information. The Interagency Federal Deposit Insurance Corporationadded. Guidelines Establishing Standards for
12 CFR Chapter III Appendix F To Part 225—Interagency Safeguarding Customer Information
Guidelines Establishing Standards For prescribed pursuant to section 39 of the Authority and Issuance
Safeguarding Customer Information Federal Deposit Insurance Act (12
For the reasons set forth in the joint
* * * * * U.S.C. 1831p–1), and sections 501 and
preamble, the Federal Deposit Insurance
505(b) of the Gramm-Leach-Bliley Act
I. * * * Corporation proposes to amend 12 CFR
(15 U.S.C. 6801, 6805(b)), and with
part 334 (as proposed to be added at 69 * * * These Guidelines also address respect to the proper disposal of
standards with respect to the proper disposal FR 2339, April 28, 2004), and 12 CFR
consumer information, requirements
of consumer information, pursuant to part 364 as follows:
pursuant to sections 621(b) and 628 of sections 621(b) and 628 of the Fair Credit
the Fair Credit Reporting Act (15 U.S.C. Reporting Act (15 U.S.C. 1681s(b) and PART 334—FAIR CREDIT REPORTING
1681s(b) and 1681w), as set forth in 1681w).
1. The authority citation for part 334 A. Scope. * * * These Guidelines also appendix B to this part, apply to all
is revised to read as follows:apply to the proper disposal of consumer insured state nonmember banks, insured
information by such entities. state licensed branches of foreign banks, Authority: 12 U.S.C. 1818 and 1819
* * * * * (Tenth); 15 U.S.C. 1681b, 1681s, and 1681w. and any subsidiaries of such entities
VerDate jul<14>2003 14:19 Jun 07, 2004 Jkt 203001 PO 00000 Frm 00008 Fmt 4702 Sfmt 4702 E:\FR\FM\08JNP1.SGM 08JNP1