[Federal Register Volume 69, Number 110 (Tuesday, June 8, 2004)]
[Proposed Rules]
[Pages 31913-31922]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 04-12317]


 ========================================================================
 Proposed Rules
                                                 Federal Register
 ________________________________________________________________________
 
 This section of the FEDERAL REGISTER contains notices to the public of 
 the proposed issuance of rules and regulations. The purpose of these 
 notices is to give interested persons an opportunity to participate in 
 the rule making prior to the adoption of the final rules.
 
 ========================================================================
 

  Federal Register / Vol. 69, No. 110 / Tuesday, June 8, 2004 / 
Proposed Rules  

[[Page 31913]]



DEPARTMENT OF THE TREASURY

Office of the Comptroller of the Currency

12 CFR Parts 30 and 41

[Docket No. 04-13]
RIN 1557-AC84

FEDERAL RESERVE SYSTEM

12 CFR Parts 208, 211, 222, and 225

[Docket No. R-1199]

FEDERAL DEPOSIT INSURANCE CORPORATION

12 CFR Parts 334 and 364

RIN 3064-AC77

DEPARTMENT OF THE TREASURY

Office of Thrift Supervision

12 CFR Parts 568, 570, and 571

[No. 2004-26]
RIN 1550-AB87


Proper Disposal of Consumer Information Under the Fair and 
Accurate Credit Transactions Act of 2003

AGENCIES: Office of the Comptroller of the Currency, Treasury (OCC); 
Board of Governors of the Federal Reserve System (Board); Federal 
Deposit Insurance Corporation (FDIC); and Office of Thrift Supervision, 
Treasury (OTS).

ACTION: Notice of proposed rulemaking.

-----------------------------------------------------------------------

SUMMARY: The OCC, Board, FDIC, and OTS (the Agencies) are requesting 
comment on a proposal to implement section 216 of the Fair and Accurate 
Credit Transactions Act of 2003 by amending the Interagency Guidelines 
Establishing Standards for Safeguarding Customer Information. The 
proposal would require each financial institution to develop, 
implement, and maintain appropriate measures to properly dispose of 
consumer information derived from consumer reports to address the risks 
associated with identity theft. Each institution would be required to 
implement these measures as part of its information security program.

DATES: Comments must be submitted on or before July 23, 2004.

ADDRESSES: Because the Agencies will jointly review all of the comments 
submitted, you may comment to any of the Agencies and you need not send 
comments (or copies) to all of the Agencies. Because paper mail in the 
Washington area and at the Agencies is subject to delay, please submit 
your comments by e-mail whenever possible.\1\ Commenters are encouraged 
to use the title ``FACT Act Disposal Rule'' in addition to the docket 
or RIN number to facilitate the organization and distribution of 
comments among the Agencies. Interested parties are invited to submit 
comments in accordance with the following instructions:
---------------------------------------------------------------------------

    \1\ The Agencies do not edit personal, identifying information 
such as names or e-mail addresses from electronic submissions. 
Submit only information you wish to make publicly available.
---------------------------------------------------------------------------

    OCC: You should designate OCC in your comment and include Docket 
Number 04-13. You may submit comments by any of the following methods:
     Federal eRulemaking Portal: http://www.regulations.gov. 
Follow the instructions for submitting comments.
     OCC Web site: http://www.occ.treas.gov. Click on ``Contact 
the OCC,'' scroll down and click on ``Comments on Proposed 
Regulations.''
     E-mail address: [email protected].
     Fax: (202) 874-4448.
     Mail: Office of the Comptroller of the Currency, 250 E 
Street, SW., Public Reference Room, Mail Stop 1-5, Washington, DC 
20219.
     Hand Delivery/Courier: 250 E Street, SW., Attn: Public 
Reference Room, Mail Stop 1-5, Washington, DC 20219.
    Instructions: All submissions received must include the agency name 
(OCC) and docket number or Regulatory Information Number (RIN) for this 
notice of proposed rulemaking. In general, the OCC will enter all 
comments received into the docket without change, including any 
business or personal information that you provide. You may review the 
comments received by the OCC and other related materials by any of the 
following methods:
     Viewing Comments Personally: You may personally inspect 
and photocopy comments received at the OCC's Public Reference Room, 250 
E Street, SW., Washington, DC. You can make an appointment to inspect 
comments by calling (202) 874-5043.
     Viewing Comments Electronically: You may request e-mail or 
CD-ROM copies of comments that the OCC has received by contacting the 
OCC's Public Reference Room at [email protected].
     Docket: You may also request available background 
documents using the methods described earlier.
    Board: You may submit comments, identified by Docket No. R-1199, by 
any of the following methods:
     Agency Web site: http://www.federalreserve.gov. Follow the 
instructions for submitting comments at http://www.federalreserve.gov/generalinfo/foia/ProposedRegs.cfm.
     Federal eRulemaking Portal: http://www.regulations.gov. 
Follow the instructions for submitting comments.
     E-mail: [email protected]. Include docket 
number in the subject line of the message.
     FAX: 202/452-3819 or 202/452-3102.
     Mail: Jennifer J. Johnson, Secretary, Board of Governors 
of the Federal Reserve System, 20th Street and Constitution Avenue, 
NW., Washington, DC 20551.

All public comments are available from the Board's Web site at 
www.federalreserve.gov/generalinfo/foia/ProposedRegs.cfm as submitted, 
except as necessary for technical reasons. Accordingly, your comments 
will not be edited to remove any identifying or contact information. 
Public comments may also be viewed electronically or in paper in Room 
MP-500 of the Board's Martin Building (20th and C Streets, NW.) between 
9 a.m. and 5 p.m. on weekdays.
    FDIC: You may submit comments, identified by RIN number by any of 
the following methods:
     Agency Web site: http://www.fdic.gov/regulations/laws/federal/propose.html.

[[Page 31914]]

    Follow instructions for submitting comments on the Agency Web site.
     E-mail: [email protected]. Include the RIN number in the 
subject line of the message.
     Mail: Robert E. Feldman, Executive Secretary, Attention: 
Comments, Federal Deposit Insurance Corporation, 550 17th Street, NW., 
Washington, DC 20429.
     Hand Delivery/Courier: Guard station at the rear of the 
550 17th Street Building (located on F Street) on business days between 
7 a.m. and 5 p.m.
     Instructions: All submissions received must include the 
agency name and RIN for this rulemaking. All comments received will be 
posted without change to http://www.fdic.gov/regulations/laws/federal/propose.html including any personal information provided.
    Office of Thrift Supervision: You may submit comments, identified 
by No. 2004-26, by any of the following methods:
     Federal eRulemaking Portal: http://www.regulations.gov. 
Follow the instructions for submitting comments.
     E-mail: [email protected]. Please include No. 
2004-26 in the subject line of the message and include your name and 
telephone number in the message.
     Fax: (202) 906-6518.
     Mail: Regulation Comments, Chief Counsel's Office, Office 
of Thrift Supervision, 1700 G Street, NW., Washington, DC 20552, 
Attention: No. 2004-26.
     Hand Delivery/Courier: Guard's Desk, East Lobby Entrance, 
1700 G Street, NW., from 9 a.m. to 4 p.m. on business days, Attention: 
Regulation Comments, Chief Counsel's Office, Attention: No. 2004-26.
    Instructions: All submissions received must include the agency name 
and number or Regulatory Information Number (RIN) for this rulemaking. 
All comments received will be posted without change to http://www.ots.treas.gov/pagehtml.cfm?catNumber=67&an=1, including any 
personal information provided.
    Docket: For access to the docket to read background documents or 
comments received, go to http://www.ots.treas.gov/pagehtml.cfm?catNumber=67&an=1. In addition, you may inspect comments 
at the Public Reading Room, 1700 G Street, NW., by appointment. To make 
an appointment for access, call (202) 906-5922, send an e-mail to 
public.info@ots.treas.gov">public.info@ots.treas.gov, or send a facsimile transmission to (202) 
906-7755. (Prior notice identifying the materials you will be 
requesting will assist us in serving you.) We schedule appointments on 
business days between 10 a.m. and 4 p.m. In most cases, appointments 
will be available the next business day following the date we receive a 
request.

FOR FURTHER INFORMATION CONTACT: OCC: Aida Plaza Carter, Director, Bank 
Information Technology, (202) 874-4740; Amy Friend, Assistant Chief 
Counsel, (202) 874-5200; or Deborah Katz, Senior Counsel, Legislative 
and Regulatory Activities Division, (202) 874-5090.
    Board: Donna L. Parker, Supervisory Financial Analyst, Division of 
Supervision & Regulation, (202) 452-2614; Thomas E. Scanlon, Counsel, 
Legal Division, (202) 452-3594; Minh-Duc T. Le or Ky Tran-Trong, Senior 
Attorneys, Division of Consumer and Community Affairs, (202) 452-3667.
    FDIC: Jeffrey M. Kopchik, Senior Policy Analyst, Division of 
Supervision and Consumer Protection, (202) 898-3872; Kathryn M. 
Weatherby, Examination Specialist, Division of Supervision and Consumer 
Protection, (202) 898-6793; Robert A. Patrick, Counsel, Legal Division, 
(202) 898-3757; Janet V. Norcom, Counsel, Legal Division, (202) 898-
8886.
    OTS: Lewis C. Angel, Senior Project Manager, Technology Risk 
Management, (202) 906-5645; Richard Bennett, Counsel (Banking and 
Finance), Regulations and Legislation Division, (202) 906-7409; Paul 
Robin, Special Counsel, Regulations and Legislation Division, (202) 
906-6648.

SUPPLEMENTARY INFORMATION:

I. Introduction

    Section 216 of the Fair and Accurate Credit Transactions Act of 
2003 (FACT Act or the Act) adds a new section 628 to the Fair Credit 
Reporting Act (FCRA), at 15 U.S.C. 1681w, that, in general, is designed 
to protect a consumer against the risks associated with unauthorized 
access to information about the consumer contained in a consumer 
report, such as fraud and related crimes including identity theft. 
Section 216 of the Act requires each of the Agencies to adopt a 
regulation with respect to the entities that are subject to its 
enforcement authority ``requiring any person that maintains or 
otherwise possesses consumer information, or any compilation of 
consumer information, derived from consumer reports for a business 
purpose to properly dispose of any such information or compilation.'' 
Public Law 108-159, 117 Stat. 1985-86. The FACT Act mandates that the 
Agencies ensure that their respective regulations are consistent with 
the requirements issued pursuant to the Gramm-Leach-Bliley Act (GLB 
Act) (Pub. L. 106-102), as well as other provisions of Federal law.
    The Agencies propose amendments to the Interagency Guidelines 
Establishing Standards for Safeguarding Customer Information 
(Guidelines)\2\ to require financial institutions to implement controls 
designed to ensure the proper disposal of ``consumer information'' 
within the meaning of section 216. In accordance with section 216 of 
the Act, the Agencies have consulted with the Federal Trade Commission, 
the National Credit Union Administration, and the Securities and 
Exchange Commission to ensure that, to the extent possible, the rules 
proposed by the respective agencies are consistent and comparable.
---------------------------------------------------------------------------

    \2\ 12 CFR Parts 30, app. B (OCC); 208, app. D-2 and 225, app. F 
(Board); 364, app. B (FDIC); 570, app. B (OTS). See 66 FR 8616 Feb. 
1, 2001. Citations to the Guidelines omit references to titles and 
publications and give only the appropriate paragraph or section 
number.
---------------------------------------------------------------------------

II. Background

    On February 1, 2001, the Agencies issued the Guidelines pursuant to 
sections 501 and 505 of the GLB Act (15 U.S.C. 6801 and 6805). The 
Guidelines establish standards relating to the development and 
implementation of administrative, technical, and physical safeguards to 
protect the security, confidentiality, and integrity of customer 
information. The Guidelines apply to the financial institutions subject 
to the Agencies' respective jurisdictions. As mandated by section 
501(b) of the GLB Act, the Guidelines require each financial 
institution to develop a written information security program that is 
designed to: (1) Ensure the security and confidentiality of customer 
information; (2) protect against any anticipated threats or hazards to 
the security or integrity of such information; and (3) protect against 
unauthorized access to or use of such information that could result in 
substantial harm or inconvenience to any customer.\3\ The Guidelines 
direct financial institutions to assess the risks to their customer 
information and customer information systems and, in turn, implement 
appropriate security measures to control those risks.\4\ For example, 
under the risk-assessment framework currently imposed by the 
Guidelines, each financial institution must evaluate whether the 
controls the institution has developed sufficiently protect its 
customer information from unauthorized access, misuse, or

[[Page 31915]]

alteration when the institution disposes of the information.\5\
---------------------------------------------------------------------------

    \3\ Guidelines, II.B.
    \4\ See generally III.B and III.C.
    \5\ See 66 FR 8618 (``Under the final Guidelines, a financial 
institution's responsibility to safeguard customer information 
continues through the disposal process.'').
---------------------------------------------------------------------------

III. Proper Disposal of Consumer Information and Customer Information

    The Agencies are proposing to amend the Guidelines to require each 
financial institution to develop and maintain, as part of its 
information security program, appropriate controls designed to ensure 
that the institution properly disposes of ``consumer information.'' The 
proposed amendments to the Guidelines generally would require a 
financial institution to dispose of ``consumer information'' derived 
from a consumer report in a manner consistent with the existing 
requirements that apply to the disposal of ``customer information.'' 
The Agencies propose to incorporate this new requirement into the 
Guidelines by: (1) Adding a definition of ``consumer information''; (2) 
adding an objective (in paragraph II) regarding the proper disposal of 
consumer information; and (3) adding a provision (in paragraph III) 
that would require a financial institution to implement appropriate 
measures to properly dispose of consumer information in a manner 
consistent with the disposal of customer information.
    The Agencies propose to require each financial institution to 
implement the appropriate measures to properly dispose of ``consumer 
information'' within three months after the final regulations are 
published in the Federal Register. The Agencies believe that any 
changes to an institution's existing information security program to 
properly dispose of ``consumer information'' likely will be minimal. 
Accordingly, the Agencies consider a three-month period sufficient to 
enable financial institutions to adjust their systems and controls.
    The Agencies invite comment on all aspects of the proposal. A 
discussion of each proposed amendment to the Guidelines and to the 
addition of cross-references to the Guidelines in the Agencies' FCRA 
regulations follows.

Consumer Information

    The proposal defines ``consumer information'' to mean ``any record 
about an individual, whether in paper, electronic, or other form, that 
is a consumer report or is derived from a consumer report and that is 
maintained or otherwise possessed by or on behalf of the [institution] 
for a business purpose.'' ``Consumer information'' also is defined to 
mean ``a compilation of such records.''
    The scope of information covered by the terms ``consumer 
information,'' and ``customer information'' as defined under the 
Guidelines, will sometimes overlap, but will not always coincide. The 
Agencies note that the proposed definition of ``consumer information'' 
is drawn from the term ``consumer'' in section 603(c) of the FCRA, 
which defines a ``consumer'' as an individual. 15 U.S.C. 1681a(c). By 
contrast, ``customer information'' under the Guidelines, only covers 
nonpublic personal information about a ``customer,'' namely, an 
individual who obtains a financial product or service to be used 
primarily for personal, family, or household purposes and who has a 
continuing relationship with the financial institution.\6\ The 
relationship between ``consumer information'' and ``customer 
information'' can be illustrated through the following examples. 
Payment history information from a consumer report about an individual, 
who is a financial institution's customer, will be both ``consumer 
information'' because it comes from a consumer report and ``customer 
information'' because it is nonpublic personal information about a 
customer. In some circumstances, ``customer information'' will be 
broader than ``consumer information.'' For instance, information about 
a financial institution's transactions with its customer would be only 
``customer information'' because it does not come from a consumer 
report. In other circumstances, ``consumer information'' will be 
broader than ``customer information.'' ``Consumer information'' would 
include information from a consumer report that an institution obtains 
about an individual who applies for but does not receive a loan, an 
individual who guarantees a loan for a business entity, an employee or 
a prospective employee, or an individual in connection with a loan to 
the individual's sole proprietorship. In each of these instances, the 
consumer reports would not be ``customer information'' because the 
information would not be about a ``customer'' within the meaning of the 
Guidelines.
---------------------------------------------------------------------------

    \6\ I.C.2.b.
---------------------------------------------------------------------------

    The Agencies propose to define ``consumer information'' as ``any 
record about an individual * * * that is a consumer report or is 
derived from a consumer report.'' Under this definition, information 
that may be ``derived from consumer reports'' but does not identify a 
particular consumer would not be covered under the proposal. For 
example, a financial institution must implement measures to properly 
dispose of ``consumer information'' that identifies a consumer, such as 
the consumer's name and the credit score derived from a consumer 
report. However, this requirement would not apply to the mean credit 
score that is derived from a group of consumer reports. The Agencies 
believe that limiting ``consumer information'' to information that 
identifies a consumer is consistent with the current law relating to 
the scope of the term ``consumer report'' under the FCRA and the 
purposes of section 216 of the FACT Act.
    The Agencies request suggestions for clarifying the scope of 
information covered under the term ``consumer information.'' Among 
other issues, the Agencies believe that the phrase ``derived from 
consumer reports'' covers all of the information about a consumer that 
is taken from a consumer report, including information that results in 
whole or in part from manipulation of information from a consumer 
report or information from a consumer report that has been combined 
with other types of information. Consequently, a financial institution 
that possesses any of this information must properly dispose of it.
    For example, any record about a consumer derived from a consumer 
report, such as the consumer's name and credit score, that is shared 
among affiliates must be disposed of properly by each affiliate that 
possesses that information. Similarly, a consumer report that is shared 
among affiliated companies after the consumer has been given a notice 
and has elected not to opt out of that sharing, and therefore is no 
longer a ``consumer report'' under the FCRA,\7\ would still be 
``consumer information'' under this proposal. Accordingly, a financial 
institution that receives ``consumer information'' under these 
circumstances must properly dispose of the information. The Agencies 
seek comment on whether the definition of ``consumer information'' 
should be revised to further clarify this interpretation of the 
statutory phrase ``derived from consumer reports,'' such as by example 
or otherwise.
---------------------------------------------------------------------------

    \7\ 15 U.S.C. 1681a(d)(2)(A)(iii).
---------------------------------------------------------------------------

    The Agencies note that the proposed definition of ``consumer 
information'' includes the qualification ``for a business purpose,'' as 
set forth in section 216 of the Act. The Agencies believe that the 
phrase ``for a business purpose'' encompasses any commercial purpose 
for which a financial institution might maintain or possess ``consumer

[[Page 31916]]

information'' and request comment on that interpretation.

New Objective for an Information Security Program

    The Agencies are proposing to add a new objective regarding the 
proper disposal of consumer information in paragraph II.B. of the 
Guidelines. The proposal would require a financial institution to 
design its information security program to ``[e]nsure the proper 
disposal of consumer information in a manner consistent with the 
disposal of customer information.''
    The Agencies believe that imposing this additional objective in 
paragraph II.B is important to ensure that the requirement to properly 
dispose of ``consumer information'' applies to a financial 
institution's service providers. The Guidelines require, in part, that 
a financial institution ``[r]equire its service providers by contract 
to implement appropriate measures designed to meet the objectives of 
these Guidelines.'' \8\
---------------------------------------------------------------------------

    \8\ III.D.2. This requirement applies to both domestic and 
foreign-based service providers.
---------------------------------------------------------------------------

    By expressly incorporating a provision in paragraph II.B., the 
Agencies' proposal requires each financial institution to contractually 
require its service providers to develop appropriate measures for the 
proper disposal of consumer information and, where warranted, to 
monitor its service providers to confirm that they have satisfied their 
contractual obligations.
    The Agencies also propose to amend paragraph III.G.2. to allow a 
financial institution a reasonable period of time, after the final 
regulations are issued, to amend its contracts with its service 
providers to incorporate the necessary requirements in connection with 
the proper disposal of consumer information. The Agencies propose 
allowing one year after publication of the final regulations for 
financial institutions to modify the contracts that will be affected by 
the Guidelines.
    The Agencies seek comment on whether a one-year period for 
modification of agreements with service providers is appropriate.

New Provision To Implement Measures To Properly Dispose of Consumer 
Information

    The Agencies propose to amend paragraph III.C. (Manage and Control 
Risk) by adding a new provision to require a financial institution to 
develop, implement, and maintain, as part of its information security 
program, appropriate measures to properly dispose of consumer 
information. This new provision requires an institution to implement 
these measures ``in a manner consistent with the disposal of customer 
information'' and ``in accordance with each of the requirements in this 
paragraph III.'' of the Guidelines.
    Paragraph III. of the Guidelines presently requires a financial 
institution to undertake measures to design, implement, and maintain 
its information security program to protect customer information and 
customer information systems, including the methods it uses to dispose 
of customer information. Under the proposal, an institution must adopt 
a comparable set of procedures and controls to properly dispose of 
``consumer information.'' For example, a financial institution must 
broaden the scope of its risk assessment to include an assessment of 
the reasonably foreseeable internal and external threats associated 
with the methods it uses to dispose of ``consumer information,'' and 
adjust its risk assessment in light of the relevant changes relating to 
such threats. The Agencies, by expressly adding this new provision, are 
requiring a financial institution to integrate into its information 
security program each of those risk-based measures in connection with 
the disposal of ``consumer information,'' as set forth in paragraph 
III. of the Guidelines.
    The Agencies believe that it is not necessary to propose a 
prescriptive rule describing proper methods of disposal. Nonetheless, 
consistent with interagency guidance previously issued through the 
Federal Financial Institutions Examination Council (FFIEC),\9\ the 
Agencies expect institutions to have appropriate disposal procedures 
for records maintained in paper-based or electronic form. The Agencies 
note that an institution's information security program should ensure 
that paper records containing either customer or consumer information 
should be rendered unreadable as indicated by the institution's risk 
assessment, such as by shredding or any other means. Institutions also 
should recognize that computer-based records present unique disposal 
problems. Residual data frequently remains on media after erasure. 
Since that data can be recovered, additional disposal techniques should 
be applied to sensitive electronic data.\10\
---------------------------------------------------------------------------

    \9\ See FFIEC Information Security Booklet, page 63 at: http://www.ffiec.gov/ffiecinfobase.html_pages/it_01.html#infosec.
    \10\ See footnote 9, supra.
---------------------------------------------------------------------------

    The Agencies seek comment on whether the proposed amendment to 
paragraph III.C. of the Guidelines sufficiently explains the nature and 
scope of the obligations on each financial institution to modify its 
information security program to include measures that must be 
implemented and adjusted, as appropriate, to properly dispose of 
``consumer information.''
    The Agencies request comment on whether the use in the Guidelines 
of the statutory phrase ``proper disposal'' is sufficiently clear. 
Would a more specific standard provide better guidance to financial 
institutions, better protect consumers, or both?

Proposed Amendments to the Agencies' FCRA Regulations

    The Agencies propose to amend their respective regulations that 
implement the FCRA \11\ by adding a new provision setting forth the 
duties of users of consumer reports regarding identity theft. As 
proposed, the new provision requires a financial institution to 
properly dispose of consumer information in accordance with the 
standards set forth in the Guidelines. The proposed provision also 
incorporates a rule of construction that closely tracks the terms of 
section 628(b) of the FCRA, as added by section 216 of the FACT Act.
---------------------------------------------------------------------------

    \11\ 12 CFR part 41 (OCC); 12 CFR part 222 (Board); 12 CFR part 
334 (FDIC); and 12 CFR part 571 (OTS).
---------------------------------------------------------------------------

    The Agencies request comment on the proposed amendments to their 
respective FCRA rules.

IV. Regulatory Analysis

Paperwork Reduction Act

    In accordance with the Paperwork Reduction Act of 1995 (44 U.S.C. 
3506; 5 CFR 1320 appendix A.1), the Agencies have reviewed the proposed 
rules. (The Board has done so under authority delegated to the Board by 
the Office of Management and Budget.) The proposed rules contain no 
collections of information pursuant to the Paperwork Reduction Act.

Regulatory Flexibility Act

    In accordance with the Regulatory Flexibility Act, each agency must 
publish an initial regulatory flexibility analysis with its proposed 
rule, unless the agency certifies that the rule will not have a 
significant economic impact on a substantial number of small entities. 
(5 U.S.C. 601-612). Each of the Agencies hereby certifies that its 
rule, if adopted as proposed, would not have a significant economic 
impact on a substantial number of small entities.
    The proposed rules require a financial institution subject to the 
jurisdiction of the appropriate agency to implement

[[Page 31917]]

appropriate controls designed to ensure the proper disposal of 
``consumer information.'' A financial institution must develop and 
maintain these controls as part of implementing its existing 
information security program for ``customer information,'' as required 
under the Guidelines.\12\
---------------------------------------------------------------------------

    \12\ In 2001, the Agencies issued final Guidelines requiring 
financial institutions to develop and maintain an information 
security program, including procedures to dispose of customer 
information, and each agency provided a final regulatory flexibility 
analysis at that time. See 66 FR 8625-32 Feb. 1, 2001.
---------------------------------------------------------------------------

    Any modifications to a financial institution's information security 
program needed to address the proper disposal of ``consumer 
information'' could be incorporated through the process the institution 
presently uses to adjust its program under paragraph III.E. of the 
Guidelines, particularly because of the similarities between the 
consumer and customer information and the measures commonly used to 
properly dispose of both types of information. To the extent that these 
proposed rules impose new requirements for certain types of ``consumer 
information,'' developing appropriate measures to properly dispose of 
that information likely would require only a minor modification of an 
institution's existing information security program.
    Because some ``consumer information'' will be ``customer 
information'' and because segregating particular records for special 
treatment may entail considerable costs, the Agencies believe that many 
banks and savings associations, including small institutions, already 
are likely to have implemented measures to properly dispose of both 
``customer'' and ``consumer'' information. In addition, the Agencies, 
through the Federal Financial Institutions Examination Council (FFIEC), 
already have issued guidance regarding their expectations concerning 
the proper disposal of all of an institution's paper and electronic 
records. See FFIEC Information Security Booklet, December 2002, p. 
63.\13\ Therefore, the proposed rules do not require any significant 
changes for institutions that currently have procedures and systems 
designed to comply with this guidance.
---------------------------------------------------------------------------

    \13\ See FFIEC Information Security Booklet, page 63 at: http://www.ffiec.gov/ffiecinfobase/html_pages/it_01.html#infosec.
---------------------------------------------------------------------------

    The Agencies anticipate that, in light of current practices 
relating to the disposal of information in accordance with the 
Guidelines and the guidance issued by the FFIEC, the proposed rules 
would not impose undue costs on financial institutions. Therefore, the 
Agencies believe that the controls that small financial institutions 
would develop and implement, if any, to comply with the proposed rules 
likely pose a minimal economic impact on those entities. Nonetheless, 
the Agencies specifically request comment on the burden the proposed 
rules would have on small financial institutions, and how the Agencies' 
proposed rules might minimize this burden, to the extent consistent 
with the requirements of the FACT Act.

Solicitation of Comments on Use of Plain Language

    Section 722(a) of the GLB Act requires the Federal banking agencies 
to use plain language in all proposed and final rules.\14\ In light of 
this requirement, the Agencies have sought to present the proposed 
rules in a simple and straightforward manner. The Agencies invite your 
comments on how to make the rules easier to understand. For example:
---------------------------------------------------------------------------

    \14\ Pub. L. 106-102, 113 Stat. 1338 (1999), codified at 12 
U.S.C. 4809.
---------------------------------------------------------------------------

     Have we organized the material to suit your needs? If not, 
how could this material be better organized?
     Do the regulations contain technical language or jargon 
that is not clear? If so, which language requires clarification?
     Would a different format (grouping and order of sections, 
use of headings, paragraphing) make the regulations easier to 
understand? If so, what changes to the format would make the 
regulations easier to understand?
     What else could we do to make the regulations easier to 
understand?

OCC and OTS Executive Order 12866 Determination

    The OCC and OTS each have determined that this proposal is not a 
``significant regulatory action'' under Executive Order 12866.

OCC and OTS Unfunded Mandates Reform Act of 1995 Determination

    Under section 202 of the Unfunded Mandates Reform Act of 1995, 
Public Law 104-4 (2 U.S.C. 1532) (Unfunded Mandates Act), the OCC and 
OTS must prepare budgetary impact statements before promulgating any 
rule likely to result in a federal mandate that may result in the 
expenditure by state, local, and tribal governments, in the aggregate, 
or by the private sector of $100 million or more in any one year. If a 
budgetary impact statement is required, under section 205 of the 
Unfunded Mandates Act, the OCC and OTS must identify and consider a 
reasonable number of regulatory alternatives before promulgating a 
rule.
    For the reasons outlined earlier, the OCC and OTS have determined 
that this proposal will not result in expenditures by state, local, and 
tribal governments, or by the private sector, of $100 million or more, 
in any one year. Accordingly, a budgetary impact statement is not 
required under section 202 of the Unfunded Mandates Reform Act of 1995 
and this rulemaking requires no further analysis under the Unfunded 
Mandates Act.

OCC Community Bank Comment Request

    The OCC invites your comments on the impact of this proposal on 
community banks. The OCC recognizes that community banks operate with 
more limited resources than larger institutions and may present a 
different risk profile. Thus, the OCC specifically requests comments on 
the impact of this proposal on community banks' current resources and 
available personnel with the requisite expertise, and whether the goals 
of the proposed regulations could be achieved, for community banks, 
through an alternative approach.

List of Subjects

12 CFR Part 30

    Banks, banking, Consumer protection, National banks, Privacy, 
Reporting and recordkeeping requirements.

12 CFR Part 41

    Banks, banking, Consumer protection, National banks, Reporting and 
recordkeeping requirements.

12 CFR Part 208

    Banks, banking, Consumer protection, Information, Privacy, 
Reporting and recordkeeping requirements.

12 CFR Part 211

    Exports, Foreign banking, Holding companies, Reporting and 
recordkeeping requirements.

12 CFR Part 222

    Banks, banking, Holding companies, State member banks.

12 CFR Part 225

    Banks, banking, Holding companies, Reporting and recordkeeping 
requirements.

12 CFR Part 334

    Administrative practice and procedure, Bank deposit insurance, 
Banks, Banking, Reporting and recordkeeping requirements, Safety and 
soundness.

[[Page 31918]]

12 CFR Part 364

    Administrative practice and procedure, Bank deposit insurance, 
Banks, Banking, Reporting and recordkeeping requirements, Safety and 
soundness.

12 CFR Part 568

    Consumer protection, Privacy, Reporting and recordkeeping 
requirements, Savings associations, Security measures.

12 CFR Part 570

    Accounting, Administrative practice and procedure, Bank deposit 
insurance, Consumer protection, Holding companies, Privacy, Reporting 
and recordkeeping requirements, Safety and soundness, Savings 
associations.

12 CFR Part 571

    Consumer protection, Credit, Fair Credit Reporting Act, Privacy, 
Reporting and recordkeeping requirements, Savings associations.

Department of the Treasury

Office of the Comptroller of the Currency

12 CFR Chapter I

Authority and Issuance

    For the reasons discussed in the joint preamble, 12 CFR part 30 and 
12 CFR part 41 (as proposed to be added at 69 FR 23394, April 28, 
2004), are proposed to be amended as follows:

PART 30--SAFETY AND SOUNDNESS STANDARDS

    1. The authority citation for part 30 is revised to read as 
follows:

    Authority: 12 U.S.C. 93a, 1818, 1831-p and 3102(b); 15 U.S.C. 
1681s, 1681w, 6801, and 6805(b)(1).

    2. Appendix B to Part 30 is amended by:
    a. Amending paragraph I. INTRODUCTION by adding a new sentence at 
the end of the paragraph;
    b. Amending paragraph I.A. by adding a new sentence at the end of 
the paragraph;
    c. Redesignating paragraphs I.C.2.b. through e. as paragraphs 
I.C.2.d. through g., respectively;
    d. Adding new paragraphs I.C.2.b. and c.;
    e. Adding a new paragraph II.B.4.;
    f. Adding a new paragraph III.C.4.; and
    g. Adding new paragraphs III.G.3. and 4. to read as follows:

Appendix B to Part 30--Interagency Guidelines Establishing Standards 
for Safeguarding Customer Information

* * * * *

I. * * *

    * * * These Guidelines also address standards with respect to 
the proper disposal of consumer information, pursuant to sections 
621(b) and 628 of the Fair Credit Reporting Act (15 U.S.C. 1681s(b) 
and 1681w).
    A. Scope. * * * The Guidelines also apply to the proper disposal 
of consumer information by such entities.
* * * * *
    C. * * *
    2. * * *
    b. Consumer information means any record about an individual, 
whether in paper, electronic, or other form, that is a consumer 
report or is derived from a consumer report and that is maintained 
or otherwise possessed by or on behalf of the bank for a business 
purpose. Consumer information also means a compilation of such 
records.
    c. Consumer report has the same meaning as set forth in 15 
U.S.C. 1681a(d).
* * * * *

II. * * *

    B. * * *
    4. Ensure the proper disposal of consumer information in a 
manner consistent with the disposal of customer information.

III. * * *

    C. * * *
    4. Develop, implement, and maintain, as part of its information 
security program, appropriate measures to properly dispose of 
consumer information in a manner consistent with the disposal of 
customer information, in accordance with each of the requirements of 
this paragraph III.
* * * * *
    G. Implement the Standards. * * *
    3. Effective date for measures relating to the disposal of 
consumer information. Each bank must satisfy these Guidelines with 
respect to the proper disposal of consumer information by [This date 
will be 90 days after the date of publication in the Federal 
Register of a final rule].
    4. Exception for existing agreements with service providers 
relating to the disposal of consumer information. Notwithstanding 
the requirement in paragraph III.G.3., a bank's existing contracts 
with its service providers with regard to any service involving the 
disposal of consumer information must comply with these Guidelines 
by [This date will be one year after the date of publication in the 
Federal Register of a final rule].

PART 41--FAIR CREDIT REPORTING

    3. The authority citation for part 41 is revised to read as 
follows:

    Authority: 12 U.S.C. 1 et seq., 24 (Seventh), 93a, 481, 484, and 
1818; 15 U.S.C. 1681a, 1681b, 1681s, 1681w, 6801 and 6805.

    4. Subparts E through H are added and reserved.
    5. A new subpart I, consisting of Sec.  41.83, is added to read as 
follows:

Subpart I--Duties of Users of Consumer Reports Regarding Identity 
Theft


Sec.  41.83  Disposal of consumer information.

    (a) In general. Each bank must properly dispose of any consumer 
information that it maintains or otherwise possesses in accordance with 
the Interagency Guidelines Establishing Standards for Safeguarding 
Customer Information, as set forth in appendix B to 12 CFR part 30.
    (b) Rule of construction. Nothing in this section shall be 
construed to:
    (1) Require a bank to maintain or destroy any record pertaining to 
a consumer that is not imposed under any other law; or
    (2) Alter or affect any requirement imposed under any other 
provision of law to maintain or destroy such a record.

    Dated: May 14, 2004.
John D. Hawke, Jr.,
Comptroller of the Currency.

Federal Reserve System

12 CFR Chapter II

Authority and Issuance

    For the reasons set forth in the joint preamble, parts 208, 211, 
222, and 225 of chapter II of title 12 of the Code of Federal 
regulations are proposed to be amended as follows:

PART 208--MEMBERSHIP OF STATE BANKING INSTITUTIONS IN THE FEDERAL 
RESERVE SYSTEM (REGULATION H)

    1. The authority citation for 12 CFR Part 208 is revised to read as 
follows:

    Authority: 12 U.S.C. 24, 36, 92a, 93a, 248(a), 248(c), 321-338a, 
371d, 461, 481-486, 601, 611, 1814, 1816, 1820(d)(9), 1823(j), 
1828(o), 1831, 1831o, 1831p-1, 1831r-1, 1831w, 1831x, 1835a, 1882, 
2901-2907, 3105, 3310, 3331-3351, and 3906-3909, 15 U.S.C. 78b, 
78l(b), 78l(g), 78l(i), 78o-4(c)(5), 78q, 78q-1, 78w, 1681s, 1681w, 
6801 and 6805; 31 U.S.C. 5318, 42 U.S.C. 4012a, 4104a, 4104b, 4106, 
and 4128.

    2. In Sec.  208.3 revise paragraph (d)(1) to read as follows:


Sec.  208.3  Application and conditions for membership in the Federal 
Reserve System.

* * * * *
    (d) Conditions of membership. (1) Safety and soundness. Each member 
bank shall at all times conduct its business and exercise its powers 
with due regard to safety and soundness. Each member bank shall comply 
with the Interagency Guidelines Establishing

[[Page 31919]]

Standards for Safety and Soundness prescribed pursuant to section 39 of 
the FDI Act (12 U.S.C. 1831p-1), set forth in appendix D-1 to this 
part, and the Interagency Guidelines Establishing Standards for 
Safeguarding Customer Information prescribed pursuant to sections 501 
and 505 of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 and 6805) and, 
with respect to the proper disposal of consumer information, section 
216 of the Fair and Accurate Credit Transactions Act of 2003 (15 U.S.C. 
1681w), set forth in appendix D-2 to this part.
* * * * *
    3. Amend Appendix D-2 to part 208, as follows:
    a. In section I., Introduction, a new sentence is added at the end 
of the introductory paragraph.
    b. In section I.A., Scope, a new sentence is added at the end of 
the paragraph.
    c. In section I.C.2, paragraphs b. through f. are redesignated as 
paragraphs d. through h., respectively, and new paragraphs b. and c. 
are added.
    d. In section II.B., Objectives, a new paragraph 4 is added.
    e. In section III.C., Manage and Control Risk, a new paragraph 4 is 
added.
    f. In section III.G., Implement the Standards, new paragraphs 3 and 
4 are added.

Appendix D-2 to Part 208--Interagency Guidelines Establishing Standards 
for Safeguarding Customer Information

* * * * *

I. * * *

    * * * These Guidelines also address standards with respect to 
the proper disposal of consumer information, pursuant to sections 
621(b) and 628 of the Fair Credit Reporting Act (15 U.S.C. 1681s(b) 
and 1681w).
    A. Scope. * * * These Guidelines also apply to the proper 
disposal of consumer information by such entities.
* * * * *
    C. * * *
    2. * * *
    b. Consumer information means any record about an individual, 
whether in paper, electronic, or other form, that is a consumer 
report or is derived from a consumer report and that is maintained 
or otherwise possessed by or on behalf of the bank for a business 
purpose. Consumer information also means a compilation of such 
records.
    c. Consumer report has the same meaning as set forth in the Fair 
Credit Reporting Act, 15 U.S.C. 1681a(d), and as defined in subpart 
A of part 222 (Regulation V) of this chapter.
* * * * *

II.* * *

    B. * * *
    4. Ensure the proper disposal of consumer information in a 
manner consistent with the disposal of customer information.
* * * * *

III.* * *

    C. * * *
    4. Develop, implement, and maintain, as part of its information 
security program, appropriate measures to properly dispose of 
consumer information in a manner consistent with the disposal of 
customer information, in accordance with each of the requirements in 
this paragraph III.
* * * * *
    G. * * *
    3. Effective date for measures relating to the disposal of 
consumer information. Each bank must satisfy these Guidelines with 
respect to the proper disposal of consumer information by [This date 
will be 90 days after the date of publication in the Federal 
Register of a final rule].
    4. Exception for existing agreements with service providers 
relating to the disposal of consumer information. Notwithstanding 
the requirement in paragraph III.G.3., a bank's existing contracts 
with its service providers with regard to any service involving the 
disposal of consumer information must comply with these Guidelines 
by [This date will be one year after the date of publication in the 
Federal Register of a final rule].

PART 211--INTERNATIONAL BANKING OPERATIONS (REGULATION K)

    4. The authority citation for part 211 is revised to read as 
follows:

    Authority: 12 U.S.C. 221 et seq., 1818, 1835a, 1841 et seq., 
3101 et seq., and 3901 et seq.; 15 U.S.C. 1681s, 1681w, 6801 and 
6805.

    5. In Sec.  211.5, revise paragraph (l) to read as follows:


Sec.  211.5  Edge and agreement corporations.

* * * * *
    (l) Protection of customer information and consumer information. An 
Edge or agreement corporation shall comply with the Interagency 
Guidelines Establishing Standards for Safeguarding Customer Information 
prescribed pursuant to sections 501 and 505 of the Gramm-Leach-Bliley 
Act (15 U.S.C. 6801 and 6805) and, with respect to the proper disposal 
of consumer information, section 216 of the Fair and Accurate Credit 
Transactions Act of 2003 (15 U.S.C. 1681w), set forth in appendix D-2 
to part 208 of this chapter.
* * * * *
    6. In Sec.  211.24, revise paragraph (i) to read as follows:


Sec.  211.24  Approval of offices of foreign banks; procedures for 
applications; standards for approval; representative-office activities 
and standards for approval; preservation of existing authority.

* * * * *
    (i) Protection of customer and consumer information. An uninsured 
state-licensed branch or agency of a foreign bank shall comply with the 
Interagency Guidelines Establishing Standards for Safeguarding Customer 
Information prescribed pursuant to sections 501 and 505 of the Gramm-
Leach-Bliley Act (15 U.S.C. 6801 and 6805) and, with respect to the 
proper disposal of consumer information, section 216 of the Fair and 
Accurate Credit Transactions Act of 2003 (15 U.S.C. 1681w), set forth 
in appendix D-2 to part 208 of this chapter.
* * * * *

PART 222--FAIR CREDIT REPORTING (REGULATION V)

    7. The authority citation for part 222 is revised to read as 
follows:

    Authority: 15 U.S.C. 1681b, 1681s, and 1681w; Secs. 3 and 217, 
Pub. L. 108-159, 117 Stat. 1952.

    8. Add a new subpart I to read as follows:
Subpart I--Duties of Users of Consumer Reports Regarding Identity Theft
Sec.
222.80-222.82 [Reserved]
222.83 Disposal of consumer information.

Subpart I--Duties of Users of Consumer Reports Regarding Identity 
Theft


Sec.  222.80-222.82  [Reserved]


Sec.  222.83  Disposal of consumer information.

    (a) In general. You must properly dispose of any consumer 
information that you maintain or otherwise possess in accordance with 
the Interagency Guidelines Establishing Standards for Safeguarding 
Customer Information, as required under Sec. Sec.  208.3(d) (Regulation 
H), 211.5(l) and 211.24(i) (Regulation K), or 225.4(h) (Regulation Y) 
of this chapter, as applicable.
    (b) Rule of construction. Nothing in this section shall be 
construed to:
    (1) Require you to maintain or destroy any record pertaining to a 
consumer that is not imposed under any other law; or
    (2) Alter or affect any requirement imposed under any other 
provision of law to maintain or destroy such a record.

[[Page 31920]]

PART 225--BANK HOLDING COMPANIES AND CHANGE IN BANK CONTROL 
(Regulation Y)

    9. The authority citation for part 225 is revised to read as 
follows:

    Authority: 12 U.S.C. 1817(j)(13), 1818, 1828(o), 1831i, 1831p-1, 
1843(c)(8), 1844(b), 1972(1), 3106, 3310, 3331-3351, 3906, and 3909; 
15 U.S.C. 1681(b)(1), 1681s, 1681w, 6801 and 6805.

    10. In Sec.  225.4, revise paragraph (h) to read as follows:


Sec.  225.4  Corporate practices.

* * * * *
    (h) Protection of customer information and consumer information. A 
bank holding company, including a bank holding company that is a 
financial holding company, shall comply with the Interagency Guidelines 
Establishing Standards for Safeguarding Customer Information, as set 
forth in appendix F of this part, prescribed pursuant to sections 501 
and 505 of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 and 6805) and, 
with respect to the proper disposal of consumer information, section 
216 of the Fair and Accurate Credit Transactions Act of 2003 (15 U.S.C. 
1681w).
    11. In Appendix F to part 225, the following amendments are made:
    a. In section I., Introduction, a new sentence is added at the end 
of the introductory paragraph.
    b. In section I.A., Scope, a new sentence is added at the end of 
the paragraph.
    c. In section I.C.2., paragraphs 2.b. through 2.f. are redesignated 
as paragraphs 2.d. through 2.h., respectively, and new paragraphs 2.b 
and 2.c are added.
    d. In section II.B., Objectives, a new paragraph 4 is added.
    e. In section III.C., Manage and Control Risk, a new paragraph 4 is 
added.
    f. In section III.G., Implement the Standards, new paragraphs 3 and 
4 are added.

Appendix F To Part 225--Interagency Guidelines Establishing Standards 
For Safeguarding Customer Information

* * * * *

I. * * *

     * * * These Guidelines also address standards with respect to 
the proper disposal of consumer information, pursuant to sections 
621(b) and 628 of the Fair Credit Reporting Act (15 U.S.C. 1681s(b) 
and 1681w).
    A. Scope. * * * These Guidelines also apply to the proper 
disposal of consumer information by such entities.
* * * * *
    C. Definitions. * * *
    2. * * *
    b. Consumer information means any record about an individual, 
whether in paper, electronic, or other form, that is a consumer 
report or is derived from a consumer report and that is maintained 
or otherwise possessed by you or on your behalf for a business 
purpose. Consumer information also means a compilation of such 
records.
    c. Consumer report has the same meaning as set forth in the Fair 
Credit Reporting Act, 15 U.S.C. 1681a(d), and as defined in subpart 
A of part 222 (Regulation V) of this chapter.
* * * * *

II. * * *

    B. Objectives. * * *
* * * * *
    4. Ensure the proper disposal of consumer information in a 
manner consistent with the disposal of customer information.

III. * * *

    C. Manage and Control Risk. * * *
    4. Develop, implement, and maintain, as part of your information 
security program, appropriate measures to properly dispose of 
consumer information in a manner consistent with the disposal of 
customer information, in accordance with each of the requirements in 
this paragraph III.
* * * * *
    G. Implement the Standards. * * *
    3. Effective date for measures relating to the disposal of 
consumer information. You must satisfy these Guidelines with respect 
to the proper disposal of consumer information by [This date will be 
90 days after the date of publication in the Federal Register of a 
final rule].
    4. Exception for existing agreements with service providers 
relating to the disposal of consumer information. Notwithstanding 
the requirement in paragraph III.G.3., your existing contracts with 
your service providers with regard to any service involving the 
disposal of consumer information must comply with these Guidelines 
by [This date will be one year after the date of publication in the 
Federal Register of a final rule].

    By order of the Board of Governors of the Federal Reserve 
System, May 25, 2004.
Jennifer J. Johnson,
Secretary of the Board.

Federal Deposit Insurance Corporation

12 CFR Chapter III

Authority and Issuance

    For the reasons set forth in the joint preamble, the Federal 
Deposit Insurance Corporation proposes to amend 12 CFR part 334 (as 
proposed to be added at 69 FR 2339, April 28, 2004), and 12 CFR part 
364 as follows:

PART 334--FAIR CREDIT REPORTING

    1. The authority citation for part 334 is revised to read as 
follows:

    Authority: 12 U.S.C. 1818 and 1819 (Tenth); 15 U.S.C. 1681b, 
1681s, and 1681w.

    2. Add a new subpart I to read as follows:
Subpart I--Duties of Users of Consumer Reports Regarding Identity Theft
Sec.
334.80-334.82 [Reserved]
334.83 Disposal of consumer information.

Subpart I--Duties of Users of Consumer Reports Regarding Identity 
Theft


Sec.  334.80-334.82  [Reserved]


Sec.  334.83  Disposal of consumer information.

    (a) In general. You must properly dispose of any consumer 
information that you maintain or otherwise possess in accordance with 
the Interagency Guidelines Establishing Standards for Safeguarding 
Customer Information, as set forth in appendix B to part 364 of this 
chapter, prescribed pursuant to section 216 of the Fair and Accurate 
Credit Transactions Act of 2003 (15 U.S.C. 1681w).
    (b) Rule of construction. Nothing in this section shall be 
construed to:
    (1) Require you to maintain or destroy any record pertaining to a 
consumer that is not imposed under any other law; or
    (2) Alter or affect any requirement imposed under any other 
provision of law to maintain or destroy such a record.

PART 364--STANDARDS FOR SAFETY AND SOUNDNESS

    3. The authority citation for part 364 is revised to read as 
follows:

    Authority: 12 U.S.C. 1819 (Tenth), 1831p-1; 15 U.S.C. 1681s, 
1681w, 6801(b), 6805(b)(1).

    4. Revise Sec.  364.101(b) to read as follows:


Sec.  364.101  Standards for safety and soundness.

* * * * *
    (b) Interagency Guidelines Establishing Standards for Safeguarding 
Customer Information. The Interagency Guidelines Establishing Standards 
for Safeguarding Customer Information prescribed pursuant to section 39 
of the Federal Deposit Insurance Act (12 U.S.C. 1831p-1), and sections 
501 and 505(b) of the Gramm-Leach-Bliley Act (15 U.S.C. 6801, 6805(b)), 
and with respect to the proper disposal of consumer information, 
requirements pursuant to sections 621(b) and 628 of the Fair Credit 
Reporting Act (15 U.S.C. 1681s(b) and 1681w), as set forth in appendix 
B to this part, apply to all insured state nonmember banks, insured 
state licensed branches of foreign banks, and any subsidiaries of such 
entities

[[Page 31921]]

(except brokers, dealers, persons providing insurance, investment 
companies, and investment advisers).
    5. In Appendix B to part 364, the following amendments are made:
    a. In the Introduction, a new sentence is added at the end of the 
introductory paragraph.
    b. In section I.A., Scope, the first sentence is revised.
    c. In section I.C.2., Definitions, paragraphs 2.b. through 2.e. are 
redesignated as paragraphs 2.d. through 2.g., respectively, and new 
paragraphs 2.b. and 2.c. are added.
    d. In section II.B., Objectives, a new paragraph 4. is added.
    e. In section III.C., Manage and Control Risk, a new paragraph 4. 
is added.
    f. In section III.G, new paragraphs 3. and 4. are added.

Appendix B to Part 364--Interagency Guidelines Establishing Standards 
for Safeguarding Customer Information

* * * * *

I. Introduction

     * * * These Guidelines also address standards with respect to 
the proper disposal of consumer information pursuant to section 
621(b) and 628 of the Fair Credit Reporting Act (15 U.S.C. 1681s(b) 
and 1681w).
    A. Scope. The Guidelines apply to customer information 
maintained by or on behalf of, and to the disposal of consumer 
information by, entities over which the Federal Deposit Insurance 
Corporation (FDIC) has authority. * * *
* * * * *
    C. * * *
    2. * * *
    b. Consumer information means any record about an individual, 
whether in paper, electronic, or other form, that is a consumer 
report or is derived from a consumer report and that is maintained 
or otherwise possessed by or on behalf of the bank for a business 
purpose. Consumer information also means a compilation of such 
records.
    c. Consumer report has the same meaning as set forth in the Fair 
Credit Reporting Act, 15 U.S.C. 1681a(d).
* * * * *

II. * * *

    B. * * *
    4. Ensure the proper disposal of consumer information in a 
manner consistent with the disposal of customer information.

III. * * *

    C. * * *
    4. Develop, implement, and maintain, as part of its information 
security program, appropriate measures to properly dispose of 
consumer information in a manner consistent with the disposal of 
customer information, in accordance with each of the requirements in 
this paragraph III.
* * * * *
    G. * * *
    3. Effective date. Each bank must satisfy these Guidelines with 
respect to the proper disposal of consumer information by [This date 
will be 90 days after the publication in the Federal Register of a 
final rule.]
    4. Exception for existing agreements with service providers 
relating to the disposal of consumer information. Notwithstanding 
the requirement in paragraph III.G.3., a bank's existing contracts 
with its service providers with regard to any service involving the 
disposal of consumer information must comply with these Guidelines 
by [This date will be one year after the date of publication in the 
Federal Register of a final rule.]

    Dated at Washington, DC, this 21st day of May, 2004.

    By order of the Board of Directors.
Federal Deposit Insurance Corporation.
Robert E. Feldman,
Executive Secretary.

Office of Thrift Supervision

12 CFR Chapter V

Authority and Issuance

    For the reasons set forth in the joint preamble, the Office of 
Thrift Supervision proposes to amend chapter V of title 12 of the Code 
of Federal Regulations by amending parts 568 and 570, and amending part 
571 (as proposed to be added at 69 FR 23402, April 28, 2004), as 
follows:

PART 568--SECURITY PROCEDURES

    1. The authority citation for part 568 is revised to read as 
follows:

    Authority: 12 U.S.C. 1462a, 1463, 1464, 1467a, 1828, 1831p-1, 
1881-1884; 15 U.S.C. 1681s and 1681w; 15 U.S.C. 6801 and 6805(b)(1).

    2. Revise the part heading for part 568 to read as shown above.
    3. Revise the first sentence of Sec.  568.1(a) to read as follows:


Sec.  568.1  Authority, purpose, and scope.

    (a) This part is issued by the Office of Thrift Supervision (OTS) 
under section 3 of the Bank Protection Act of 1968 (12 U.S.C 1882), 
sections 501 and 505(b)(1) of the Gramm-Leach-Bliley Act (15 U.S.C. 
6801 and 6805(b)(1)), and sections 621 and 628 of the Fair Credit 
Reporting Act (15 U.S.C. 1681s and 1681w). * * *
* * * * *
    4. Revise Sec.  568.5 to read as follows:


Sec.  568.5  Protection of customer information.

    Savings associations and their subsidiaries (except brokers, 
dealers, persons providing insurance, investment companies, and 
investment advisers) must comply with the Interagency Guidelines 
Establishing Standards for Safeguarding Customer Information set forth 
in appendix B to part 570 of this chapter.

PART 570--SAFETY AND SOUNDNESS GUIDELINES AND COMPLIANCE PROCEDURES

    5. The authority citation for part 570 is revised to read as 
follows:

    Authority: 12 U.S.C. 1462a, 1463, 1464, 1467a, 1828, 1831p-1, 
1881-1884; 15 U.S.C. 1681s and 1681w; 15 U.S.C. 6801 and 6805(b)(1).

    6. Amend Appendix B of part 570 by:
    a. Revising the first sentence of the introductory paragraph of 
section I. Introduction;
    b. Adding a new sentence to the end of paragraph I.A. Scope;
    c. Redesignating paragraphs 2.a. through 2.d. of paragraph I.C.2. 
Definitions as paragraphs 2.c. through 2.f., respectively, and adding 
new paragraphs 2.a. and 2.b.;
    d. Adding a new paragraph 4. to paragraph II.B. Objectives;
    e. Adding a new paragraph 4. to paragraph III.C. Manage and Control 
Risk; and
    f. Adding new paragraphs 3. and 4. to paragraph III.G. Implement 
the Standards.

Appendix B to Part 570--Interagency Guidelines Establishing Standards 
for Safeguarding Customer Information

* * * * *

I. Introduction

    The Interagency Guidelines Establishing Standards for 
Safeguarding Customer Information (Guidelines) set forth standards 
pursuant to section 39(a) of the Federal Deposit Insurance Act (12 
U.S.C. 1831p-1), and sections 501 and 505(b) of the Gramm-Leach-
Bliley Act (15 U.S.C. 6801 and 6805(b)). These Guidelines also 
address standards with respect to the proper disposal of consumer 
information, pursuant to sections 621 and 628 of the Fair Credit 
Reporting Act (15 U.S.C. 1681s and 1681w). * * *
    A. Scope. * * * These Guidelines also apply to the proper 
disposal of consumer information by such entities.
* * * * *
    C. Definitions. * * *
    2. * * *
    a. Consumer information means any record about an individual, 
whether in paper, electronic, or other form, that is a consumer 
report or is derived from a consumer report and that is maintained 
or otherwise possessed by you or on your behalf for a business 
purpose. Consumer information also means a compilation of such 
records.
    b. Consumer report has the same meaning as set forth in the Fair 
Credit Reporting Act, 15 U.S.C. 1681a(d), and as defined in part 571 
of this chapter.
* * * * *

[[Page 31922]]

II. * * *

    B. Objectives. * * *
    4. Ensure the proper disposal of consumer information in a 
manner consistent with the disposal of customer information.

III. * * *

    C. Manage and Control Risk. * * *
    4. Develop, implement, and maintain, as part of your information 
security program, appropriate measures to properly dispose of 
consumer information in a manner consistent with the disposal of 
customer information, in accordance with each of the requirements in 
this paragraph III.
* * * * *
    G. Implement the Standards. * * *
    3. Effective date for measures relating to the disposal of 
consumer information. You must satisfy these Guidelines with respect 
to the proper disposal of consumer information by [This date will be 
90 days after the date of publication in the Federal Register of a 
final rule].
    4. Exception for existing agreements with service providers 
relating to the disposal of consumer information. Notwithstanding 
the requirement in paragraph III.G.3., your existing contracts with 
your service providers with regard to any service involving the 
disposal of consumer information must comply with these Guidelines 
by [This date will be one year after the date of publication in the 
Federal Register of a final rule].

PART 571--FAIR CREDIT REPORTING

    7. The authority citation for part 571 continues to read as 
follows:

    Authority: 12 U.S.C. 1462a, 1463, 1464, 1467a, 1828, 1831p-1, 
1881-1884; 15 U.S.C. 1681s and 1681w; 15 U.S.C. 6801 and 6805(b)(1).

    8. Add a new subpart I to read as follows:
Subpart I--Duties of Users of Consumer Reports Regarding Identity Theft
Sec.
571.80-571.82 [Reserved]
571.83 Disposal of consumer information.

Subpart I--Duties of Users of Consumer Reports Regarding Identity 
Theft


Sec.  571.80-571.82  [Reserved]


Sec.  571.83  Disposal of consumer information.

    (a) In general. You must properly dispose of any consumer 
information that you maintain or otherwise possess in accordance with 
the Interagency Guidelines Establishing Standards for Safeguarding 
Customer Information, as set forth in appendix B to part 570 of this 
chapter.
    (b) Rule of construction. Nothing in this section shall be 
construed to:
    (i) Require you to maintain or destroy any record pertaining to a 
consumer that is not imposed under any other law; or
    (ii) Alter or affect any requirement imposed under any other 
provision of law to maintain or destroy such a record.

    Dated: April 27, 2004.

    By the Office of Thrift Supervision.
James E. Gilleran,
Director.
[FR Doc. 04-12317 Filed 6-7-04; 8:45 am]
BILLING CODE 4810-33-P; 6210-01-P; 6714-01-P; 6720-01-P