[Federal Register Volume 69, Number 228 (Monday, November 29, 2004)]
[Rules and Regulations]
[Pages 69269-69274]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 04-25995]



 ========================================================================
 Rules and Regulations
                                                 Federal Register
 ________________________________________________________________________
 
 This section of the FEDERAL REGISTER contains regulatory documents 
 having general applicability and legal effect, most of which are keyed 
 to and codified in the Code of Federal Regulations, which is published 
 under 50 titles pursuant to 44 U.S.C. 1510.
 
 The Code of Federal Regulations is sold by the Superintendent of Documents. 
 Prices of new books are listed in the first FEDERAL REGISTER issue of each 
 week.
 
 ========================================================================
 




NATIONAL CREDIT UNION ADMINISTRATION

12 CFR Parts 717 and 748


Fair Credit Reporting--Proper Disposal of Consumer Information 
Under the Fair and Accurate Credit Transactions Act of 2003

AGENCY: National Credit Union Administration (NCUA).

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The NCUA Board is adopting a final rule to implement section 
216 of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act) 
by amending security program regulations and NCUA's Guidelines for 
Safeguarding Member Information and establishing a section in new part 
717. The final rule generally requires federal credit unions (FCUs) to 
develop, implement, and maintain appropriate measures to properly 
dispose of consumer information derived from consumer reports to 
address the risks associated with identity theft. FCUs are expected to 
implement these measures consistent with the provisions in NCUA's 
Guidelines for Safeguarding Member Information.

DATES: Effective December 29, 2004.

FOR FURTHER INFORMATION CONTACT: Chrisanthy J. Loizos, Staff Attorney, 
Office of General Counsel, National Credit Union Administration, (703) 
518-6540.

SUPPLEMENTARY INFORMATION:

I. Introduction

    Section 216 of the FACT Act adds a new section 628 to the Fair 
Credit Reporting Act (FCRA) that, in general, is designed to protect a 
consumer against the risks associated with unauthorized access to 
information about the consumer contained in a consumer report, such as 
fraud and identity theft. 15 U.S.C. 1681w. Section 216 of the FACT Act 
requires NCUA to adopt a rule requiring any FCU ``that maintains or 
otherwise possesses consumer information, or any compilation of 
consumer information, derived from consumer reports for a business 
purpose to properly dispose of any such information or compilation.'' 
Pub. L. 108-159, 117 Stat. 1985-86. The FACT Act mandates that the rule 
be consistent with the requirements issued pursuant to the Gramm-Leach-
Bliley Act (GLBA) (Pub. L. 106-102), as well as other provisions of 
Federal law. The FACT Act also requires NCUA to consult and coordinate 
with the Office of the Comptroller of the Currency (OCC), Board of 
Governors of the Federal Reserve System (FRB), Federal Deposit 
Insurance Corporation (FDIC), Office of Thrift Supervision (OTS), 
Federal Trade Commission (FTC), and Securities and Exchange Commission 
(collectively, the Agencies) so that, to the extent possible, NCUA's 
rule is consistent and comparable with the regulations issued by each 
of the other agencies.

II. Background

    In 2001, NCUA amended the security program rule to establish 
standards for federally insured credit unions (FICUs) relating to 
administrative, technical, and physical safeguards to protect the 
security and confidentiality of member records and information, 
pursuant to section 501 of GLBA. 15 U.S.C. 6805(b). NCUA worked with 
the Agencies and state insurance authorities to develop appropriate 
standards. 66 FR 8152 (Jan. 30, 2001). The Federal banking agencies 
issued their standards as guidelines under section 39 of the Federal 
Deposit Insurance Act. 12 U.S.C. 1831p.\1\ NCUA determined it could 
best meet the congressional directive to prescribe standards by 
amending the rule governing security programs and by providing guidance 
in an appendix to the rule. 12 CFR part 748, appendix A; 66 FR 8152 
(Jan. 30, 2001).
---------------------------------------------------------------------------

    \1\ 12 CFR parts 30, app. B; 208, app. D-2 and 225, app. F; 364, 
app. B; 570, app. B. See 66 FR 8616 Feb. 1, 2001.
---------------------------------------------------------------------------

    Section 748.0 requires an FICU to develop a security program that 
implements safeguards designed to: (1) Ensure the security and 
confidentiality of member records and information; (2) protect against 
any anticipated threats or hazards to the security or integrity of such 
records; and (3) protect against unauthorized access to or use of such 
records or information that could result in substantial harm or 
inconvenience to a member. 12 CFR 748.0(b)(2).
    Appendix A to part 748 sets forth NCUA's Guidelines for 
Safeguarding Member Information (Guidelines), which are substantially 
identical to the guidelines issued by the Agencies. 66 FR 8152 (Jan. 
30, 2001). The Guidelines ``are intended to outline industry best 
practices and assist credit unions to develop meaningful and effective 
security programs to ensure their compliance with the safeguards 
contained in the regulation.'' Id.
    The Guidelines direct FICUs to assess the risks to their member 
information and member information systems and, in turn, implement 
appropriate security measures to control those risks. 12 CFR part 748, 
appendix A. For example, under the risk-assessment framework, FICUs 
should evaluate whether the controls the FICU has developed 
sufficiently protect its member information from unauthorized access, 
misuse, or alteration when the FICU disposes of the information. ``[A] 
credit union's responsibility to safeguard member information continues 
through the disposal process.'' 66 FR 8152, 8155.
    On May 28, 2004, the NCUA Board published a proposal to add a 
section to the new fair credit reporting rule and amend the security 
program rule and Guidelines for Safeguarding Member Information 
(Guidelines) to require FCUs to implement controls designed to ensure 
the proper disposal of consumer information within the meaning of 
section 216. 69 FR 30601 (May 28, 2004). NCUA's proposed regulation and 
the preamble were substantively similar to a joint notice of proposed 
rulemaking issued by the FRB, OCC, FDIC and OTS (the Federal banking 
agencies). 69 FR 31913 (June 8, 2004).
    In the proposal, NCUA noted that section 216 of the FACT Act 
requires NCUA to issue final regulations for entities under its 
enforcement authority under section 621 of the FCRA. Unlike the current 
provisions in the security program rule, which apply to all FICUs, the 
requirements in NCUA's final rule apply solely to FCUs. See 15 U.S.C. 
1681s(b)(3). Federally insured state-chartered credit unions are 
subject to the enforcement jurisdiction of the FTC for purposes of the 
FCRA. See 15 U.S.C. 1681s(a). State charters, therefore,

[[Page 69270]]

should refer to the final rule issued by the FTC regarding the proper 
disposal of consumer information under section 216.

III. Summary of Comments

    NCUA received fourteen comment letters: One from a corporate credit 
union; four from natural person credit unions; five from credit union 
trades or leagues; one from a consumer; two from financial services 
trade organizations; and a joint letter from seven consumer rights 
organizations. The Agencies also received numerous letters from 
financial institutions, industry trade organizations, consumer advocacy 
groups, consumers, and trade associations from the information 
destruction industry. NCUA and the Agencies considered the comments and 
suggestions submitted.
    Of the letters received by NCUA, twelve commenters generally 
supported the proposed regulation requiring FCUs to properly dispose of 
consumer information. One commenter stated that the proposal balanced 
the concerns of consumers and the industry by providing reasonable 
protections from identity theft and the unintended disclosure of 
consumer information while giving FCUs sufficient latitude for the 
disposal of consumer information. One comment letter, submitted on 
behalf of seven consumer groups, found the proposed rule weak and 
inadequate to meet Congress' intended purpose of preventing identity 
theft and other fraud.

IV. Analysis of Final Rule

Section-by-Section Overview

Section 717.83--Disposal of Consumer Information
    As set forth in the proposal, NCUA is establishing a new part 717 
to house its fair credit reporting rules and is adding a subpart setting 
forth the duties of users of consumer reports regarding identity theft. 
To implement section 216, NCUA is adding Sec.  717.83 to require FCUs 
to develop and maintain, as part of their information security 
programs, appropriate controls designed to ensure that they properly 
dispose of consumer information. The final rule retains the statute's 
rule of construction as proposed stating that this requirement does not 
impose any requirements to maintain or destroy consumer records beyond 
those imposed by any other law. The final rule also does not affect any 
requirement to maintain or destroy consumer records imposed under any 
other provision of law.
    The only revisions to Sec.  717.83 from the proposed rule 
incorporate examples of appropriate measures to properly dispose of 
consumer information and clarify ``consumer information'' in its 
definition and through examples. These additions required a renumbering 
of the section and are discussed in further detail below.
    The final rule also includes a general definitions section, Sec.  
717.3, to define the terms ``you'' and ``consumer.'' Although these 
definitions were not included in the proposed disposal rule, they were 
published in another FACT Act proposal.\2\ The final rule refers to 
FCUs using the plain language term ``you'' because section 216 requires 
NCUA to adopt a final disposal rule for FCUs. The final rule also uses 
the term ``consumer.'' Paragraph (e) of Sec.  717.3 defines the term 
``consumer'' to mean an individual, which follows the statutory 
definition in section 603(c) of the FCRA. 15 U.S.C. 1681a(c). NCUA will 
add more definitions to Sec.  717.3 as the agency adopts other rules to 
implement provisions of the FCRA.
---------------------------------------------------------------------------

    \2\ On April 8, 2004, NCUA issued its first proposal to add a 
new part 717, implementing section 411 of the FACT Act. See 69 FR 
23380 (Apr. 28, 2004). This final disposal rule, however, will be 
the first section to establish the new part 717.
---------------------------------------------------------------------------

Section 748.0--Security Program
    The final rule retains Sec.  748.0(c) as proposed. Paragraph (c) 
cross references the section 216 requirement in Sec.  717.83, for ease 
of reference when FCUs adopt or modify their information security 
programs.
Guidelines for Safeguarding Member Information
    The final rule amends the Guidelines to specifically address the 
disposal of consumer information by: (1) Defining ``consumer 
information'' as defined in Sec.  717.83; (2) adding an objective 
regarding the proper disposal of member information and consumer 
information; and (3) providing that an FCU should implement appropriate 
measures to properly dispose of member information and consumer 
information. NCUA discusses the final rule's slight variations from the 
proposal below.
    The changes to the Guidelines are intended to provide guidance to 
FCUs for compliance with Sec.  717.83. As noted above, the requirements 
of this final rule only apply to FCUs, while federally insured state-
chartered credit unions are subject to the jurisdiction of the FTC on 
this matter. NCUA believes, however, that federally insured state 
charters may find this guidance helpful in adopting meaningful and 
effective security programs that deal with the disposal of consumer 
information.
    In accordance with section 216, NCUA has consulted with the 
Agencies to ensure that, to the extent possible, the final rules issued 
by the respective agencies to implement section 216 are consistent and 
comparable.

Proper Disposal of Consumer Information and Member Information

Consumer Information
    Proposed Sec.  717.83(c)(1) defined ``consumer information'' to 
mean ``any record about an individual, whether in paper, electronic, or 
other form, that is a consumer report or is derived from a consumer 
report and that is maintained or otherwise possessed by or on behalf of 
the credit union for a business purpose.'' ``Consumer information'' was 
also defined to mean ``a compilation of such records.''
    Commenters generally supported NCUA's proposed definition of this 
term, but argued that NCUA should include statements or illustrations 
to clarify the nature and scope of ``consumer information.'' Several 
commenters found the proposed phrase ``about an individual'' to be 
ambiguous and urged NCUA to adopt a definition expressly stating that 
``consumer information'' only includes information that identifies a 
particular individual.
    Similarly, some commenters supported NCUA's explanation in the 
proposal that ``consumer information'' does not include information 
derived from a consumer report that does not identify any particular 
consumer, such as the mean credit score derived from a group of 
consumer reports. These commenters suggested that NCUA include this 
example or similar examples in the definition.
    In Sec.  717.83(d)(1), the final rule defines ``consumer 
information'' as proposed but modifies the term to expressly exclude 
from the definition ``any record that does not identify an 
individual.'' NCUA believes that qualifying the term ``consumer 
information'' to cover only personally identifiable information 
appropriately focuses on the information derived from a consumer report 
that, if improperly disposed, could be used to commit fraud or identity 
theft against a consumer. NCUA believes that limiting this definition 
to information that identifies a consumer is consistent with the 
current law relating to the scope of the term ``consumer report'' under 
the FCRA and the purposes of section 216 of the FACT Act.
    Under the final rule, an FCU must implement measures to properly 
dispose of consumer information that identifies a consumer, such as the 
consumer's name and the credit score derived from a consumer report. 
This requirement, however, does not apply to aggregate information, 
such as the mean credit score that is derived from a group of consumer 
reports, or blind data, such as a series of credit scores that do not 
identify the subjects of consumer reports from which those scores are 
derived. The final rule includes examples of records that illustrate 
this aspect, but it does not rigidly define the nature and scope of 
personally identifiable information. These examples are found in Sec.  
717.83(d)(1)(i). NCUA notes that there are a variety of types of 
information apart from an individual's name, account number, or address 
that, depending on the circumstances or when used in combination, could 
identify the individual.
    As discussed in the proposal, NCUA notes that the scope of 
information covered by the terms ``consumer information'' and ``member 
information'' will sometimes overlap, but will not always coincide. The 
definition of ``consumer information'' is drawn from the term 
``consumer'' in section 603(c) of the FCRA, which defines a 
``consumer'' as an individual. 15 U.S.C. 1681a(c). By contrast, 
``member information'' under the Guidelines, only covers nonpublic 
personal information about a ``member,'' as defined in Sec.  716.3(n), 
namely, an individual who obtains a financial product or service to be 
used primarily for personal, family, or household purposes and who has 
a continuing relationship with the FCU.
    The relationship between consumer information and member 
information can be illustrated through the following examples. Payment 
history information from a consumer report about an individual, who is 
an FCU's member, will be both consumer information because it comes 
from a consumer report and member information because it is nonpublic 
personal information about a member. In some circumstances, member 
information will be broader than consumer information. For instance, 
information that an FCU maintains about its member's transactions with 
the FCU would be only member information because it does not come from 
a consumer report. In other circumstances, consumer information will be 
broader than member information. Consumer information would include 
information from a consumer report that an FCU obtains about an 
individual who guarantees a loan for a business entity or who has 
applied for employment with the FCU. In these instances, the consumer 
reports would not be member information because the information would 
not be about a ``member'' within the meaning of the Guidelines but 
would be consumer information.
    NCUA believes the phrase ``derived from consumer reports'' covers 
all of the information about a consumer that is taken from a consumer 
report, including information that results in whole or in part from 
manipulation of information from a consumer report or information from 
a consumer report that has been combined with other types of 
information. Consequently, an FCU that possesses any of this 
information must properly dispose of it. For example, any record about 
a consumer derived from a consumer report, such as the consumer's name 
and credit score, that is shared between an FCU and its credit union 
service organization (CUSO) affiliate must be disposed of properly by 
each affiliate that possesses that information. Similarly, a consumer 
report that is shared among affiliates after the consumer has been 
given a notice and has elected not to opt out of that sharing, and 
therefore is no longer a ``consumer report'' under section 
603(d)(2)(A)(iii) of the FCRA, would still be consumer information. 
Accordingly, an affiliate that receives consumer information under 
these circumstances must properly dispose of the information. NCUA 
notes that a CUSO affiliate subject to the jurisdiction of the FTC must 
properly dispose of consumer information in accordance with the FTC's 
final rule.
    The proposed definition of consumer information included the 
qualification ``for a business purpose,'' as set forth in section 216. 
NCUA believes that this phrase encompasses any commercial purpose for 
which an FCU might maintain or possess consumer information. Commenters 
did not raise concerns about this interpretation.
Proper Disposal
    In the proposed rule, NCUA requested comment on the standard for 
proper disposal. Of the comment letters received by NCUA, five 
commenters thought that the concept was clear and sufficiently 
explained the nature and scope of an FCU's responsibilities under the 
rule, but two of those commenters welcomed additional clarification 
through guidance or examples. Four commenters believed ``proper 
disposal'' was not clear in the proposed rule and asked for either a 
definition or examples in the regulatory text like those used in the 
FTC's proposed rule. 69 FR 21388 (April 20, 2004). Some of these 
commenters stated that the rule should adopt a clear standard that 
requires FCUs to render paper and electronic data unreadable and 
incapable of being reconstructed. They also asked that the rule provide 
examples of proper disposal techniques consistent with the FTC's 
proposed regulatory text.
    NCUA believes that there is no need to adopt a definition of the 
term ``disposal'' because, in the context of the duty imposed under 
section 216, the ordinary meaning of that term applies. The final rule, 
however, includes examples of appropriate measures to properly dispose 
of consumer information as requested by the commenters in renumbered 
paragraph (b) of Sec.  717.83. NCUA believes these examples will be 
helpful as illustrative guidance for compliance with the rule.
    NCUA notes that any sale, lease, or other transfer of any medium 
containing consumer information (for example, a used computer, storage 
device, or copier that still holds such records) constitutes disposal of 
the information insofar as the information itself is not the subject of 
the sale, lease or other transfer between the parties. By contrast, the 
sale, lease, or other transfer of the consumer information itself from 
an FCU to another party is distinguishable from the act of throwing out 
or getting rid of consumer information and, accordingly, does not 
constitute disposal subject to NCUA's rule.

New Objective for an Information Security Program

    NCUA proposed to add a new objective regarding the proper disposal 
of consumer information in paragraph II.B. of the Guidelines. A few 
commenters expressed objections to this aspect of the proposal 
primarily as it relates to service providers.
    The final rule slightly revises the proposal to add a new objective 
in the Guidelines providing that an FCU should design its information 
security program to ``[e]nsure the proper disposal of member 
information and consumer information.'' With this revision from the 
proposal, NCUA omitted the proposed provision stating that an FCU 
should ensure proper disposal of consumer information ``in a manner 
consistent with the disposal of member information.'' By making this 
change and adding the reference to ``member information'' in paragraph 
II.B., the Guidelines more clearly and fully state an FCU's information 
security objectives with respect to disposing of information. As noted 
in the proposal, a credit union should properly dispose of member 
information as part of designing and maintaining its information 
security program under the Guidelines. The inclusion of ``member 
information'' in the objective, therefore, does not establish a new 
objective in the Guidelines.
    NCUA continues to believe that including this additional objective 
in paragraph II.B. of the Guidelines is important because section 216's 
disposal requirement applies to an FCU's consumer information 
maintained or otherwise in the possession of the FCU's service 
providers. NCUA notes that, under current paragraph III.D.2., an FCU is 
expected to ``[r]equire its service providers by contract to implement 
appropriate measures designed to meet the objectives'' of the 
Guidelines.
    By expressly incorporating a provision in paragraph II.B. of the 
Guidelines, FCUs should contractually require service providers to 
develop appropriate measures for the proper disposal of consumer 
information and, where warranted, monitor service providers to confirm 
that they have satisfied their contractual obligations. As some 
commenters observed, the particular contractual arrangement that an FCU 
may negotiate with a service provider may take varied forms or use 
general terms. As a result, some credit unions already may have 
existing contracts that are sufficiently broad to cover the proper 
disposal of member information and consumer information, and therefore 
they would not have to be amended. NCUA continues to believe that the 
parties should have substantial latitude in negotiating the contractual 
terms appropriate to their arrangement in any manner that satisfies the 
objectives of the Guidelines. NCUA, therefore, has not prescribed any 
particular standards that relate to these service provider contracts.
    The final rule also amends paragraph III.G.4. of the Guidelines to 
allow an FCU a reasonable period of time, after the final rule is 
issued, to amend its contracts with its service providers to 
incorporate the necessary requirements in connection with the proper 
disposal of consumer information. After reviewing the varying comments 
on this provision of the proposal, NCUA has determined that FCUs should 
modify contracts that will be affected by the final rule's 
requirements, if necessary, no later than July 1, 2006.

New Provision To Implement Measures to Properly Dispose of Consumer 
Information

    NCUA has amended paragraph III.C. of the Guidelines by adding a new 
provision stating that an FCU, as part of its information security 
program, should develop, implement, and maintain appropriate measures 
to properly dispose of consumer information and member information. 
Like the proposal, this new provision also provides that FCUs should 
implement these measures ``in accordance with the provisions in 
paragraph III.'' of the Guidelines.
    Paragraph III. of the Guidelines presently states that an FCU 
should undertake measures to design, implement, and maintain its 
information security program to protect member information and member 
information systems. Because ``member information systems'' is defined 
to include any methods used to dispose of member information, an FCU 
presently must already apply risk-based measures to the disposal of 
member information, not only to its storage and use. 
Building on this provision in the Guidelines, NCUA proposed a provision 
in paragraph III.C.4. stating that FCUs should develop controls ``in a 
manner consistent with the disposal of member information.'' Commenters 
generally supported this provision because FCUs could develop and 
implement risk-based protections, rather than be subject to a 
prescriptive standard that required them to adopt particular methods 
for disposing of consumer information.
    In the final rule, NCUA has revised the proposed provision in 
paragraph III.C.4. by omitting ``in a manner consistent with the 
disposal of member information.'' In its place, the Guidelines now 
provide a more direct and general statement that FCUs should develop 
and maintain risk-based measures to properly dispose of consumer 
information and member information. Under this final amendment to the 
Guidelines, an FCU is expected to properly dispose of both classes of 
information, which is consistent with the Guidelines and the FACT Act.
    An FCU should broaden the scope of its risk assessment to include 
an assessment of the reasonably foreseeable internal and external 
threats associated with the methods it uses to dispose of consumer 
information, and adjust its risk assessment in light of the relevant 
changes relating to such threats. By expressly referencing the disposal 
requirement in Sec.  748.0(c) and the Guidelines, NCUA expects FCUs to 
integrate into their information security programs the risk-based 
measures in paragraph III of the Guidelines for the disposal of 
consumer information.
    After reviewing the comments, NCUA continues to believe that it is 
not necessary to propose a prescriptive rule describing proper methods 
of disposal.
    Nonetheless, consistent with interagency guidance previously issued 
through the Federal Financial Institutions Examination Council 
(FFIEC),\3\ NCUA expects FCUs to have appropriate disposal procedures 
for records maintained in paper-based or electronic form. In addition, 
as noted above, the final rule includes illustrative examples of 
appropriate measures to properly dispose of consumer information in 
Sec.  717.83(b). An FCU's information security program should ensure 
that paper records containing either member or consumer information 
are rendered unreadable, as indicated by the FCU's risk assessment, 
such as by shredding or any other means. FCUs also should recognize 
that computer-based records present unique disposal problems. Deleting 
a file or reformatting a volume generally removes only the reference to 
the data, not the data itself, so residual data frequently remains on 
media after erasure. Since that data can be recovered, FCUs should 
apply additional disposal techniques to sensitive electronic data.\4\
---------------------------------------------------------------------------

    \3\ See FFIEC Information Security Booklet, page 63 at: http://www.ffiec.gov/ffiecinfobase/booklets/information_security/information_security.pdf.
    \4\ See footnote 3, supra.
---------------------------------------------------------------------------
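
    The residual-data point above can be shown concretely. The following 
is an added example, not code from NCUA, the FFIEC booklet, or any 
credit union; it models a toy volume (a directory over a flat bytearray) 
in which, as on most real file systems, ``delete'' only removes the 
directory entry. A raw scan of the medium, of the kind a recovery tool 
performs, still finds the records until the unallocated blocks are 
overwritten and the result is read back and verified. The volume, file 
names, record layout, SSN-shaped values and detection pattern are all 
constructed for illustration. The model covers only the file-system 
layer: on flash media with wear leveling, overwriting logical blocks 
does not reliably reach every physical page, so disposal of such media 
should rely on the device's own sanitize or crypto-erase facility, or on 
physical destruction, rather than on overwriting alone.

```python
"""Data remanence on a toy block device: why 'delete' is not 'dispose'.

Added example; not code from the NCUA rule or the FFIEC booklet. The
volume, records and detection pattern are constructed for illustration.
"""
import re

BLOCK_SIZE = 64
DEVICE_BLOCKS = 32

# Constructed pattern for one kind of identifying consumer information:
# a credit-score record tied to a name and an SSN-shaped identifier.
RECORD_PATTERN = re.compile(rb"name=[^;]+;ssn=\d{3}-\d{2}-\d{4};score=\d{3}")


class ToyVolume:
    """Directory (name -> block list) over a flat bytearray 'medium'.

    As on most real file systems, delete() only removes the directory
    entry; the data blocks keep their contents until overwritten.
    """

    def __init__(self) -> None:
        self.media = bytearray(BLOCK_SIZE * DEVICE_BLOCKS)
        self.directory: dict[str, list[int]] = {}

    def free_blocks(self) -> list[int]:
        used = {b for blocks in self.directory.values() for b in blocks}
        return [i for i in range(DEVICE_BLOCKS) if i not in used]

    def write(self, name: str, data: bytes) -> None:
        free = self.free_blocks()
        needed = -(-len(data) // BLOCK_SIZE)  # ceiling division
        if needed > len(free):
            raise OSError("volume full")
        blocks = free[:needed]
        for i, b in enumerate(blocks):
            chunk = data[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]
            self.media[b * BLOCK_SIZE:b * BLOCK_SIZE + len(chunk)] = chunk
        self.directory[name] = blocks

    def delete(self, name: str) -> None:
        """Ordinary deletion: unlink the name, leave the blocks untouched."""
        del self.directory[name]

    def sanitize_free_space(self) -> None:
        """Overwrite every unallocated block with zeros (file-system layer only)."""
        for b in self.free_blocks():
            start = b * BLOCK_SIZE
            self.media[start:start + BLOCK_SIZE] = bytes(BLOCK_SIZE)

    def verify_free_space(self) -> bool:
        """Read the medium back and confirm no unallocated block holds data."""
        return all(
            not any(self.media[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE])
            for b in self.free_blocks()
        )


def carve_records(media: bytes) -> list[int]:
    """Scan the raw medium, ignoring the directory, as a recovery tool would.

    Returns the byte offset of every record-shaped match.
    """
    return [m.start() for m in RECORD_PATTERN.finditer(media)]


def demonstrate() -> dict:
    """Write, 'delete', carve, sanitize, carve again; return the counts."""
    vol = ToyVolume()
    # Constructed records; the SSN-shaped values are not real identifiers.
    vol.write("app-1001.txt", b"name=J. Sample;ssn=000-11-2222;score=712\n")
    vol.write("app-1002.txt", b"name=R. Example;ssn=000-33-4444;score=655\n")
    vol.write("aggregate.txt", b"mean_score=683;n=2\n")  # identifies no one
    written = len(carve_records(bytes(vol.media)))

    vol.delete("app-1001.txt")
    vol.delete("app-1002.txt")
    after_delete = len(carve_records(bytes(vol.media)))  # still recoverable

    vol.sanitize_free_space()
    after_sanitize = len(carve_records(bytes(vol.media)))
    return {
        "records_written": written,
        "recoverable_after_delete": after_delete,
        "recoverable_after_sanitize": after_sanitize,
        "free_space_verified": vol.verify_free_space(),
        "aggregate_intact": "aggregate.txt" in vol.directory,
    }


if __name__ == "__main__":
    for key, value in demonstrate().items():
        print(f"{key}: {value}")
```

    The carve step is the check a practitioner would want after any 
disposal procedure: it reads the medium itself rather than trusting the 
file system's view of it. The aggregate record is left in place to show 
that the sanitization touches only unallocated space and that blind 
data of the kind the rule excludes is unaffected.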

Compliance

    The final rule requires FCUs to implement the appropriate measures 
to properly dispose of consumer information by July 1, 2005. NCUA 
believes that any changes to an FCU's existing information security 
program likely will be minimal because many of the measures that an FCU 
already uses to dispose of member information can be adapted to 
properly dispose of consumer information. Several commenters agreed 
with NCUA's assessment and noted that they already have appropriate 
disposal policies in place. Nevertheless, a comment on behalf of small 
credit unions and a few comments to the Federal banking agencies noted 
the proposed period for compliance would be relatively short in light 
of the work required to amend policies and locate and track consumer 
information in an institution's existing information system. 
Accordingly, NCUA has determined that the final rule should afford FCUs 
a six-month period to adjust their systems and controls.

V. Regulatory Procedures

Regulatory Flexibility Act

    The Regulatory Flexibility Act requires NCUA to prepare an analysis 
to describe any significant economic impact any proposed regulation may 
have on a substantial number of small entities (those under $10 million 
in assets). The NCUA Board has determined and certifies that the final 
rule will not have a significant economic impact on a substantial 
number of small credit unions. Accordingly, a regulatory flexibility 
analysis is not required.
    The rule requires an FCU to implement appropriate controls designed 
to ensure the proper disposal of consumer information. An FCU must 
develop and maintain these controls as part of implementing its 
existing information security program as required by Sec.  748.0.
    Any modifications to an FCU's information security program needed 
to address the proper disposal of consumer information could be 
incorporated through the process the FCU presently uses to adjust its 
program under paragraph III.E. of the Guidelines, particularly because 
of the similarities between the consumer and member information and the 
measures commonly used to properly dispose of both types of 
information. To the extent the rule imposes new requirements for 
certain types of consumer information, developing appropriate measures 
to properly dispose of that information likely would require only a 
minor modification of an FCU's existing information security program.
    Because some consumer information will be member information and 
because segregating particular records for special treatment may entail 
considerable costs, NCUA believes that many FCUs, including small 
entities, already are likely to have implemented measures to properly 
dispose of both member and consumer information. In addition, NCUA and 
the Federal banking agencies, through the Federal Financial 
Institutions Examination Council (FFIEC), already have issued guidance 
regarding their expectations concerning the proper disposal of all of 
an institution's paper and electronic records. See FFIEC Information 
Security Booklet, December 2002, p. 63.\5\ Therefore, the rule does not 
require any significant changes for FCUs that currently have procedures 
and systems designed to comply with this guidance.
---------------------------------------------------------------------------

    \5\ See footnote 3, supra.
---------------------------------------------------------------------------

    NCUA anticipates that, in light of current practices relating to 
the disposal of information in accordance with Sec.  748.0, the 
Guidelines, and the guidance issued by the FFIEC, the final rule would 
not impose undue costs on FCUs. NCUA believes that the controls that 
small FCUs would need to develop and implement, if any, to comply with 
the rule likely pose a minimal economic impact on those entities.

Paperwork Reduction Act

    NCUA has determined that the final rule does not increase paperwork 
requirements under the Paperwork Reduction Act of 1995 and regulations 
of the Office of Management and Budget.

Executive Order 13132

    Executive Order 13132 encourages independent regulatory agencies to 
consider the impact of their regulatory actions on State and local 
interests. In adherence to fundamental federalism principles, NCUA, an 
independent regulatory agency as defined in 44 U.S.C. 3502(5), 
voluntarily complies with the executive order. This final rule will not 
have substantial direct effects on the States, on the relationship 
between the National Government and the States, or on the distribution 
of power and responsibilities among the various levels of government. 
NCUA has determined that the final rule does not constitute a policy 
that has federalism implications for purposes of the executive order.

Small Business Regulatory Enforcement Fairness Act

    The Small Business Regulatory Enforcement Fairness Act of 1996 
(Pub. L. 104-121) provides generally for congressional review of agency 
rules. A reporting requirement is triggered in instances where NCUA 
issues a final rule as defined by section 551 of the Administrative 
Procedure Act. 5 U.S.C. 551. The Office of Management and Budget (OMB) 
has determined that this rule is not a major rule for the purposes of 
the Small Business Regulatory Enforcement Fairness Act of 1996.

The Treasury and General Government Appropriations Act, 1999--
Assessment of Federal Regulations and Policies on Families

    NCUA has determined that this rule will not affect family well-
being within the meaning of section 654 of the Treasury and General 
Government Appropriations Act, 1999, Pub. L. 105-277, 112 Stat. 2681 
(1998).

List of Subjects

12 CFR Part 717

    Consumer protection, Credit unions, Information, Privacy, Reporting 
and recordkeeping requirements.

12 CFR Part 748

    Credit unions, Crime, Currency, Reporting and recordkeeping 
requirements, and Security measures.

    By the National Credit Union Administration Board on November 
18, 2004.
Mary F. Rupp,
Secretary of the Board.

■ For the reasons stated in the preamble, NCUA amends 12 CFR chapter VII 
as set forth below:

■ 1. Part 717 is added to read as follows:

PART 717--FAIR CREDIT REPORTING

Subpart A--General Provisions
Sec.
717.1-717.2 [Reserved]
717.3 Definitions.
Subparts B-H [Reserved]
Subpart I--Duties of Users of Consumer Reports Regarding Identity Theft
717.80-717.82 [Reserved]
717.83 Disposal of consumer information.

    Authority: 15 U.S.C. 1681a, 1681s, 1681w, 6801 and 6805(b).

Subpart A--General Provisions


Sec.  717.1-717.2  [Reserved]


Sec.  717.3  Definitions.

    As used in this part, unless the context requires otherwise:
    (a) [Reserved]
    (b) [Reserved]
    (c) [Reserved]
    (d) [Reserved]
    (e) Consumer means an individual.
    (f) [Reserved]
    (g) [Reserved]
    (h) [Reserved]
    (i) [Reserved]
    (j) [Reserved]
    (k) [Reserved]
    (l) [Reserved]
    (m) [Reserved]
    (n) [Reserved]
    (o) You means a Federal credit union.

Subpart I--Duties of Users of Consumer Reports Regarding Identity 
Theft


Sec.  717.80-717.82  [Reserved]


Sec.  717.83  Disposal of consumer information.

    (a) In general. You must properly dispose of any consumer 
information that you maintain or otherwise possess in a manner 
consistent with the Guidelines for Safeguarding Member Information, in 
appendix A to part 748 of this chapter.
    (b) Examples. Appropriate measures to properly dispose of consumer 
information include the following examples. These examples are 
illustrative only and are not exclusive or exhaustive methods for 
complying with this section.
    (1) Burning, pulverizing, or shredding papers containing consumer

[[Page 69274]]

information so that the information cannot practicably be read or 
reconstructed.
    (2) Destroying or erasing electronic media containing consumer 
information so that the information cannot practicably be read or 
reconstructed.
    (c) Rule of construction. This section does not:
    (1) Require you to maintain or destroy any record pertaining to a 
consumer that is not imposed under any other law; or
    (2) Alter or affect any requirement imposed under any other 
provision of law to maintain or destroy such a record.
    (d) Definitions. As used in this section:
    (1) Consumer information means any record about an individual, 
whether in paper, electronic, or other form, that is a consumer report 
or is derived from a consumer report and that is maintained or 
otherwise possessed by or on behalf of the credit union for a business 
purpose. Consumer information also means a compilation of such records. 
The term does not include any record that does not identify an 
individual.
    (i) Consumer information includes:
    (A) A consumer report that you obtain;
    (B) Information from a consumer report that you obtain from your 
affiliate after the consumer has been given a notice and has elected 
not to opt out of that sharing;
    (C) Information from a consumer report that you obtain about an 
individual who applies for but does not receive a loan, including any 
loan sought by an individual for a business purpose;
    (D) Information from a consumer report that you obtain about an 
individual who guarantees a loan (including a loan to a business 
entity); or
    (E) Information from a consumer report that you obtain about an 
employee or prospective employee.
    (ii) Consumer information does not include:
    (A) Aggregate information, such as the mean credit score, derived 
from a group of consumer reports; or
    (B) Blind data, such as payment history on accounts that are not 
personally identifiable, you use for developing credit scoring models 
or for other purposes.
    (2) Consumer report has the same meaning as set forth in the Fair 
Credit Reporting Act, 15 U.S.C. 1681a(d). The meaning of consumer 
report is broad and subject to various definitions, conditions and 
exceptions in the Fair Credit Reporting Act. It includes written or 
oral communications from a consumer reporting agency to a third party 
of information used or collected for use in establishing eligibility 
for credit or insurance used primarily for personal, family or 
household purposes, and eligibility for employment purposes. Examples 
include credit reports, bad check lists, and tenant screening reports.

PART 748--SECURITY PROGRAM, REPORT OF CRIME AND CATASTROPHIC ACT 
AND BANK SECRECY ACT COMPLIANCE

■ 2. The authority citation for part 748 is revised to read as follows:

    Authority: 12 U.S.C. 1766(a), 1786(q); 15 U.S.C. 1681s, 1681w, 
6801, and 6805(b); 31 U.S.C. 5311 and 5318.


■ 3. Amend Sec.  748.0 by adding paragraph (c) to read as follows:


Sec.  748.0  Security program.

* * * * *
    (c) Each Federal credit union, as part of its information security 
program, must properly dispose of any consumer information the Federal 
credit union maintains or otherwise possesses, as required under Sec.  
717.83 of this chapter.

■ 4. Amend appendix A to part 748 as follows:
■ a. Add the following sentence at the end of paragraph I.: ``These 
Guidelines also address standards with respect to the proper disposal 
of consumer information pursuant to sections 621(b) and 628 of the Fair 
Credit Reporting Act (15 U.S.C. 1681s(b) and 1681w).'';
■ b. Add the following sentence at the end of paragraph I.A.: ``These 
Guidelines also apply to the proper disposal of consumer information by 
such entities.'';
■ c. Redesignate paragraphs I.B.2.a. through d. as I.B.2.c. through f.;
■ d. Add new paragraphs I.B.2.a. and b., III.C.4., and III.G.3. and 
III.G.4. to read as set forth below; and
■ e. Amend paragraph II.B. by removing the word ``and'' after the word 
``information;'' and adding the following phrase after the word 
``member'' at the end of the sentence: ``; and ensure the proper 
disposal of member information and consumer information''.

Appendix A to Part 748--Guidelines for Safeguarding Member Information

    I. * * *
    B. * * *
    2. * * *
    a. Consumer information means any record about an individual, 
whether in paper, electronic, or other form, that is a consumer 
report or is derived from a consumer report and that is maintained 
or otherwise possessed by or on behalf of the credit union for a 
business purpose. Consumer information also means a compilation of 
such records. The term does not include any record that does not 
identify an individual.
    b. Consumer report has the same meaning as set forth in the Fair 
Credit Reporting Act, 15 U.S.C. 1681a(d). The meaning of consumer 
report is broad and subject to various definitions, conditions and 
exceptions in the Fair Credit Reporting Act. It includes written or 
oral communications from a consumer reporting agency to a third 
party of information used or collected for use in establishing 
eligibility for credit or insurance used primarily for personal, 
family or household purposes, and eligibility for employment 
purposes. Examples include credit reports, bad check lists, and 
tenant screening reports.
* * * * *
    III. * * *
    C. * * *
    4. Develop, implement, and maintain, as part of its information 
security program, appropriate measures to properly dispose of member 
information and consumer information in accordance with the 
provisions in paragraph III.
* * * * *
    G. * * *
    3. Effective date for measures relating to the disposal of 
consumer information. Each Federal credit union must properly 
dispose of consumer information in a manner consistent with these 
Guidelines by July 1, 2005.
    4. Exception for existing agreements with service providers 
relating to the disposal of consumer information. Notwithstanding 
the requirement in paragraph III.G.3., a Federal credit union's 
existing contracts with its service providers with regard to any 
service involving the disposal of consumer information should 
implement the objectives of these Guidelines by July 1, 2006.

[FR Doc. 04-25995 Filed 11-26-04; 8:45 am]
BILLING CODE 7535-01-P