[Federal Register Volume 69, Number 235 (Wednesday, December 8, 2004)]
[Rules and Regulations]
[Pages 71322-71329]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 04-26878]



[[Page 71321]]

-----------------------------------------------------------------------

Part V





Securities and Exchange Commission





-----------------------------------------------------------------------



17 CFR Part 248



Disposal of Consumer Report Information; Final Rule



-----------------------------------------------------------------------

SECURITIES AND EXCHANGE COMMISSION

17 CFR Part 248

[Release Nos. 34-50781, IA-2332, IC-26685; File No. S7-33-04]
RIN 3235-AJ24


Disposal of Consumer Report Information

AGENCY: Securities and Exchange Commission.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The Securities and Exchange Commission (``Commission'') is 
adopting amendments to the rule under Regulation S-P requiring 
financial institutions to adopt policies and procedures to safeguard 
customer information. The amended rule implements the provision in 
section 216 of the Fair and Accurate Credit Transactions Act of 2003 
requiring proper disposal of consumer report information and records. 
Section 216 directs the Commission and other federal agencies to adopt 
regulations requiring that any person who maintains or possesses 
consumer report information or any compilation of consumer report 
information derived from a consumer report for a business purpose must 
properly dispose of the information. The amendments also require the 
policies and procedures adopted under the safeguard rule to be in 
writing.

DATES: Effective Date: January 11, 2005.
    Compliance Date: July 1, 2005. Existing contracts with service 
providers for services involving the disposal or destruction of 
consumer report information must comply with Sec.  248.30(b) by July 1, 
2006.

FOR FURTHER INFORMATION CONTACT: For information regarding the rule 
amendments as they relate to investment companies or to investment 
advisers registered with the Commission, contact Penelope W. Saltzman, 
Branch Chief, or Vincent M. Meehan, Attorney, Office of Regulatory 
Policy, at the Division of Investment Management, (202) 942-0690, as 
they relate to brokers or dealers, Catherine McGuire, Chief Counsel, 
Brian Bussey, Assistant Chief Counsel, or Tara Prigge, Attorney, Office 
of Chief Counsel, at the Division of Market Regulation, (202) 942-0073, 
or as they relate to transfer agents registered with the Commission 
contact Jerry Carpenter, Assistant Director, or David Karasik, Special 
Counsel, Office of Clearance and Settlement, at the Division of Market 
Regulation, (202) 942-4187, Securities and Exchange Commission, 450 
Fifth Street, NW., Washington, DC 20549.

SUPPLEMENTARY INFORMATION: The Commission is adopting amendments to 
Regulation S-P under section 501(b) of the Gramm-Leach-Bliley Act 
(``GLBA'') [15 U.S.C. 6801(b)], section 216 of the Fair and Accurate 
Credit Transactions Act of 2003 (``FACT Act'' or ``Act'') [Pub. L. 108-159, 
117 Stat. 152 (2003)], the Securities Exchange Act of 1934 (the 
``Exchange Act'') [15 U.S.C. 78], the Investment Company Act of 1940 
(the ``Investment Company Act'') [15 U.S.C. 80a], and the Investment 
Advisers Act of 1940 (the ``Investment Advisers Act'') [15 U.S.C. 80b].

Table of Contents

I. Background
II. Discussion
    A. Rule 30(b): Disposal of consumer report information and 
records.
    B. Rule 30(a): Procedures to safeguard customer records and 
information.
    C. Effective Date; Compliance Date.
III. Cost-Benefit Analysis
IV. Paperwork Reduction Act
V. Final Regulatory Flexibility Analysis
VI. Consideration of Promotion of Efficiency, Competition, and 
Capital Formation
VII. Statutory Authority

I. Background

    Section 216 of the FACT Act amended the Fair Credit Reporting Act 
(``FCRA''),\1\ by imposing a new requirement on persons who possess or 
maintain, for a business purpose, consumer information derived from 
consumer reports. The provision is designed, in general, to protect a 
consumer against the risks associated with unauthorized access to 
information about the consumer contained in a consumer report, such as 
fraud and related crimes, including identity theft. The FACT Act 
requires that ``any person that maintains or otherwise possesses 
consumer information, or any compilation of consumer information, 
derived from consumer reports for a business purpose[,] properly 
dispose of any such information or compilation.'' \2\
---------------------------------------------------------------------------

    \1\ 15 U.S.C. 1681. The FACT Act was signed into law on December 
4, 2003. Pub. L. No. 108-159, 117 Stat. 1952 (2003). Section 216 of 
the FACT Act adds a new section 628 of the FCRA, which is codified 
at 15 U.S.C. 1681w.
    \2\ FACT Act Sec.  216 (codified at 15 U.S.C. 1681w(a)(1)).
---------------------------------------------------------------------------

    The FACT Act requires the Office of the Comptroller of the 
Currency, the Board of Governors of the Federal Reserve System, the 
Federal Deposit Insurance Corporation, the Office of Thrift Supervision 
(collectively, the ``Banking Agencies''), the National Credit Union 
Administration, the Federal Trade Commission (``FTC'') (collectively 
with the Banking Agencies, the ``Agencies''), and the Commission to 
consult and coordinate with each other in order that, to the extent 
possible, regulations implementing section 216 are consistent and 
comparable. This provision also requires that the regulations must be 
consistent with the GLBA and other provisions of Federal law. 
Commission staff has coordinated with the Agencies to ensure that the 
regulations implementing section 216 are consistent and comparable with 
each other and with the GLBA.\3\
---------------------------------------------------------------------------

    \3\ The FTC has adopted a separate rule to implement section 216 
of the Act. See Disposal of Consumer Report Information and Records, 
69 FR 68690 (Nov. 24, 2004) (``FTC Rule''). The National Credit 
Union Administration implemented section 216 of the FACT Act by 
amending its existing rule governing security programs and 
guidelines regarding the rule. See Fair Credit Reporting--Proper 
Disposal of Consumer Information Under the Fair and Accurate Credit 
Transactions Act of 2003, 69 FR 69269 (Nov. 29, 2004). The Banking 
Agencies have proposed to implement section 216 by amending their 
guidelines establishing safeguards for customer information. See 
Proper Disposal of Consumer Information Under the Fair and Accurate 
Credit Transactions Act of 2003, 69 FR 31913 (June 8, 2004).
---------------------------------------------------------------------------

    On September 14, 2004, the Commission proposed rule amendments to 
implement the requirements of section 216 of the FACT Act.\4\ We 
proposed to implement section 216 by adopting an amendment, set forth 
as paragraph (b) (the ``disposal rule''), to rule 30 of Regulation S-P.\5\ 
We also proposed to amend our ``safeguard rule,'' which we 
adopted in 2000 pursuant to section 501 of the GLBA, and redesignate 
this provision as paragraph (a) of rule 30.\6\ The safeguard rule 
requires that brokers, dealers, and investment companies, as well as 
investment advisers registered with the Commission (``registered 
investment advisers'') adopt policies and procedures to address 
administrative, technical, and physical safeguards for the protection 
of customer records and information. We proposed to require that these 
policies and procedures be ``written.''
---------------------------------------------------------------------------

    \4\ See Disposal of Consumer Report Information, Investment 
Company Act Release No. 26596 (Sept. 14, 2004) [69 FR 56304 (Sept. 
20, 2004)] (``Proposing Release'').
    \5\ See Proposing Release, supra note 4. Regulation S-P is set 
forth in 17 CFR part 248. Unless otherwise noted, all references to 
rule 30 or any paragraph of the rule will be to 17 CFR 248.30, as 
amended.
    \6\ See Proposing Release, supra note 4. See also Privacy of 
Consumer Financial Information (Regulation S-P), Securities Exchange 
Act Release No. 42974 (June 22, 2000) [65 FR 40334 (June 29, 2000)] 
(``Privacy Release'').
---------------------------------------------------------------------------

II. Discussion

    Firms regulated by the Commission may maintain or possess consumer 
reports or information derived or 
compiled from consumer reports for a variety of business purposes. For 
example, a broker-dealer may possess the information in connection with 
margin accounts or the sale of variable annuities, an investment 
adviser may obtain a client's consumer report in connection with 
providing financial planning services, and any of these firms may 
possess the information in connection with making employment decisions. 
Our proposed rule to implement section 216 of the FACT Act would apply 
to brokers and dealers (other than brokers and dealers registered by 
notice with the Commission under section 15(b)(11) of the Exchange Act 
for the purpose of conducting business in security futures products 
(``notice-registered broker-dealers'')), investment companies,\7\ 
registered investment advisers, and transfer agents registered with the 
Commission (``registered transfer agents'' and, collectively, with 
broker-dealers other than notice-registered broker-dealers, investment 
companies, and registered investment advisers, ``covered entities''). 
The proposed disposal rule would require that covered entities that 
possess such information for a business purpose take reasonable 
measures to protect against unauthorized access to or use of the 
information in connection with its disposal.
---------------------------------------------------------------------------

    \7\ The term ``investment company'' is defined for purposes of 
the disposal rule in Regulation S-P. See 17 CFR 248.3(r). See also 
section II.A.1. The definition in Regulation S-P incorporates the 
definition of ``investment company'' under the Investment Company 
Act, including an investment company that is not registered with the 
Commission. See 15 U.S.C. 80a-3. Accordingly, a business development 
company, which is an investment company but is not required to 
register with the Commission, would be subject to the disposal rule. 
See Privacy Release, supra note 6, at n.74 and accompanying text.
---------------------------------------------------------------------------

    We received seven comment letters in response to our proposal, 
which generally supported a rule providing for the proper disposal of 
consumer report information.\8\ We are adopting the amendments to 
Regulation S-P substantially as proposed. Comments on specific 
provisions in the amendments are discussed below.
---------------------------------------------------------------------------

    \8\ Commenters included two individuals and associations 
representing investment advisers, investment companies, securities 
firms, the information destruction industry, and information 
management professionals.
---------------------------------------------------------------------------

A. Rule 30(b): Disposal of Consumer Report Information and Records

1. Rule 30(b)(1): Definitions
    Amended rule 30 is part of Regulation S-P and, therefore, the 
definitions set forth in Regulation S-P apply to terms used in the 
amended rule. The disposal rule also includes definitions of additional 
terms used in that rule.\9\
---------------------------------------------------------------------------

    \9\ See rule 30(b)(1).
---------------------------------------------------------------------------

    Consumer report. Rule 30(b)(1)(i) defines the term ``consumer 
report'' to have the same meaning as in section 603(d) of the FCRA.\10\ 
We received no comments suggesting changes to this definition, and we 
are adopting it as proposed.
---------------------------------------------------------------------------

    \10\ The FCRA defines ``consumer report'' to mean ``* * * any 
written, oral, or other communication of any information by a 
consumer reporting agency bearing on a consumer's credit worthiness, 
credit standing, credit capacity, character, general reputation, 
personal characteristics, or mode of living which is used or 
expected to be used or collected in whole or in part for the purpose 
of serving as a factor in establishing the consumer's eligibility 
for (A) credit or insurance to be used primarily for personal, 
family, or household purposes; (B) employment purposes; or (C) any 
other purpose authorized under section 604'' of the FCRA. See 15 
U.S.C. 1681a(d)(1). A ``consumer reporting agency'' is defined as 
``any person which, for monetary fees, dues, or on a cooperative 
nonprofit basis, regularly engages in whole or in part in the 
practice of assembling or evaluating consumer credit information or 
other information on consumers for the purpose of furnishing 
consumer reports to third parties, and which uses any means or 
facility of interstate commerce for the purpose of preparing or 
furnishing consumer reports.'' See 15 U.S.C. 1681a(f). The statute 
also provides exclusions from the definition, which include: ``any 
(i) report containing information solely as to transactions or 
experiences between the consumer and the person making the report; 
(ii) communication of that information among persons related by 
common ownership or affiliated by corporate control; or (iii) 
communication of other information among persons related by common 
ownership or affiliated by corporate control, if it is clearly and 
conspicuously disclosed to the consumer that the information may be 
communicated among such persons and the consumer is given the 
opportunity, before the time that the information is initially 
communicated, to direct that such information not be communicated 
among such persons * * * .'' See 15 U.S.C. 1681a(d)(2).
---------------------------------------------------------------------------

    Consumer report information. The proposed disposal rule defined 
``consumer report information'' as any record about an individual, 
whether in paper, electronic, or other form, that is a consumer report 
or is derived from a consumer report. The Proposing Release stated that 
the phrase ``derived from consumer reports'' would cover all of the 
information about a consumer that is derived from any consumer 
report(s), including information taken from a consumer report, 
information that results in whole or in part from manipulation of 
information taken from a consumer report, and information that has been 
combined with other types of information.\11\ The Proposing Release 
further explained that because the definition of ``consumer report 
information'' refers to records ``about an individual,'' information 
that does not identify particular consumers would not be covered under 
the proposed disposal rule.\12\ Commenters generally supported the 
proposed definition, although some requested clarification or 
modification of the definition of consumer report information.
---------------------------------------------------------------------------

    \11\ See Proposing Release, supra note 4, at n.16 and text 
preceding and accompanying n.16.
    \12\ See id., at n.11 and accompanying text.
---------------------------------------------------------------------------

    One commenter noted that the term ``consumer report information'' 
does not appear in section 216 of the FACT Act, and that the definition 
of the term does not follow the language set forth in section 216. We 
believe that the definition of ``consumer report information'' is 
consistent with the statutory language.\13\ Nevertheless, consistent 
with the FTC Rule, we have modified the definition of ``consumer report 
information'' to include compilations of information derived from a 
consumer report. Although the proposed rule covered compilations of 
this information, the revised definition more closely follows the 
statutory language of section 216, and makes the definition 
clearer.\14\
---------------------------------------------------------------------------

    \13\ Section 216 requires a person that possesses ``consumer 
information, or any compilation of consumer information derived from 
consumer reports'' for a business purpose to properly dispose of the 
information. See supra note 2 and accompanying text. Information 
that is derived from a consumer report would include the consumer 
report itself.
    The disposal rule uses the term ``consumer report information'' 
rather than ``consumer information'' (the term used in section 216 
of the FACT Act) to reduce potential confusion with the terms 
``consumer financial information'' and ``customer information,'' 
which are used in connection with the other provisions of Regulation 
S-P adopted under the GLBA. As noted in the Proposing Release, 
consumer or customer information subject to the GLBA and other 
sections of Regulation S-P and consumer report information subject 
to the FACT Act and rule 30(b) are separate, but overlapping, sets 
of information. See Proposing Release, supra note 4, at n.20.
    \14\ See Proposing Release, supra note 4 (proposed rule 30(b)(2) 
set forth the standards for disposal of consumer report information 
or any compilation of that information).
---------------------------------------------------------------------------

    Several commenters specifically supported the application of the 
proposed disposal rule only to information that identifies particular 
individuals, and requested that the disposal rule be more explicit on 
this point. In response to those comments, and in order to provide 
additional guidance and clarity, we have added language emphasizing 
that information that does not identify individuals, such as aggregate 
information or blind data, is not covered by the definition of 
``consumer report information.'' \15\
---------------------------------------------------------------------------

    \15\ The terms ``aggregate information'' and ``blind data'' as 
used in the disposal rule are intended to have the same meaning as 
in Sec.  248.3(u)(2)(ii)(B). 17 CFR 248.3(u)(2)(ii)(B).
---------------------------------------------------------------------------

    One commenter also sought guidance on the kinds of information that 
would be considered subject to the proposed 
rule. We note that any information derived from a consumer report that 
identifies an individual, including a person's name and a variety of 
other personal identifiers, would bring information within the scope of 
the disposal rule. These identifiers include, but are not limited to, a 
social security number, phone number, physical address, and e-mail 
address. We have not included a rigid definition in the disposal rule, 
however, because, depending on the circumstances, items of information 
that are not inherently identifying can, in combination, identify 
particular individuals.
    Disposal. Proposed rule 30(b)(1)(iii) defined ``disposal'' to mean 
the (i) discarding or abandonment of consumer report information, as 
well as the (ii) sale, donation, or transfer of any medium, including 
computer equipment, on which consumer report information is stored. The 
Proposing Release noted that the sale, donation, or transfer of 
consumer report information, by itself, would not be considered 
``disposal'' under this definition.\16\ For example, an entity subject 
to the disposal rule that transfers consumer report information to a 
third party for marketing purposes would not be discarding the 
information for purposes of the disposal rule.\17\ Commenters generally 
supported the two meanings, and we have adopted this definition 
substantially as proposed. In addition, consistent with the FTC's final 
rule, the disposal rule makes clear that disposal means either (i) the 
discarding or abandonment of consumer report information, or (ii) the 
sale, donation, or transfer of any medium, including computer 
equipment, on which consumer report information is stored. Although one 
commenter requested the rule text provide additional clarification, we 
believe our statements above, and in the Proposing Release, are 
sufficiently clear that the sale of consumer report information in 
connection with a business transaction or the transfer of that 
information for marketing purposes would not be considered 
``disposal.'' \18\
---------------------------------------------------------------------------

    \16\ See Proposing Release, supra note 4, at text preceding 
n.12.
    \17\ The ability of the entity to transfer information to a 
third party may, however, be limited by other laws and regulations, 
such as the GLBA and Regulation S-P.
    \18\ See supra note 17 and accompanying text; Proposing Release, 
supra note 4, at text preceding n.12.
---------------------------------------------------------------------------

    Notice-registered broker-dealers. Proposed rule 30(b) also included 
definitions of ``notice-registered broker-dealers'' and ``transfer 
agent.'' We received no comments on those definitions and are adopting 
them as proposed.
2. Rule 30(b)(2)(i): Proper Disposal of Consumer Report Information
    The disposal rule requires covered entities that maintain or 
possess ``consumer report information'' for a business purpose to take 
``reasonable measures to protect against unauthorized access to or use 
of the information in connection with its disposal.'' Recognizing that 
there are few foolproof methods of record destruction, the Proposing 
Release stated that the proposed disposal rule would not require 
covered entities to ensure perfect destruction of consumer report 
information in every instance; rather, it would require covered 
entities to take reasonable measures to protect against unauthorized 
access to or use of the information in connection with its disposal. In 
determining what measures are ``reasonable'' under the disposal rule, 
we stated that we expect covered entities to consider the sensitivity 
of the consumer report information, the nature and size of the entity's 
operations, the costs and benefits of different disposal methods, and 
relevant technological changes. We also noted that ``reasonable 
measures'' are very likely to require elements such as the 
establishment of policies and procedures governing disposal, as well as 
appropriate employee training.
    The majority of commenters supported this flexible standard for 
disposal, and no commenter opposed the standard. One commenter, 
however, suggested that recipients of information about consumers may 
not always know whether the information they receive was derived from a 
consumer report. The commenter suggested, therefore, that only if a 
recipient knows or should have known it has received consumer report 
information should it be required to dispose of the information in 
compliance with the disposal rule.
    We note that the protections mandated by the FACT Act and disposal 
rule do not assume knowledge by covered entities, and knowledge is not 
an element or a prerequisite to enforcement under either the Act or the 
rule. Nevertheless, we also note that in most, if not all, 
circumstances covered by the rule, covered entities will or should know 
if they possess consumer report information.
    In order to provide additional clarity, the Proposing Release 
included examples intended to provide guidance on disposal measures 
that would be deemed reasonable under the disposal rule. Commenters 
that mentioned the examples found them to be helpful, but did not 
advocate that they be included in the rule text. One commenter 
requested that the examples be included in the final release. 
Accordingly, we note that, while each covered entity would have to 
evaluate what is appropriate for its size and the complexity of its 
operations, reasonable disposal measures for purposes of the disposal 
rule could include:

    (i) Implementing and monitoring compliance with policies and 
procedures that require the burning, pulverizing, or shredding of 
papers containing consumer report information so that the 
information cannot practicably be read or reconstructed;
    (ii) Implementing and monitoring compliance with policies and 
procedures that require the destruction or erasure of electronic 
media containing consumer report information so that the information 
cannot practicably be read or reconstructed;
    (iii) After due diligence, entering into a contract with another 
party engaged in the business of record destruction to dispose of 
material, specifically identified as consumer report information, in 
a manner consistent with the disposal rule. In this context, due 
diligence could include reviewing an independent audit of the 
disposal company's operations and/or its compliance with the 
disposal rule, obtaining information about the disposal company from 
several references or other reliable sources, requiring that the 
disposal company be certified by a recognized trade association or 
similar third party, reviewing and evaluating the disposal company's 
information security policies or procedures, or taking other 
appropriate measures to determine the competency and integrity of 
the potential disposal company;
    (iv) For covered entities that maintain or otherwise possess 
consumer report information through their provision of services 
directly to a person subject to the disposal rule, implementing and 
monitoring compliance with policies and procedures that protect 
against unauthorized or unintentional disposal of consumer report 
information, and disposing of the information in accordance with the 
first two examples; and
    (v) For covered entities subject to the GLBA and the 
Commission's safeguard rule, incorporating the proper disposal of 
consumer report information as required by the disposal rule into 
the safeguard policies and procedures required by the safeguard 
rule.

    We have revised the third example and added a fourth example to 
clarify the ``reasonable measures'' standard requirements when 
information is transferred or otherwise provided to service providers. 
We revised the third example so that it explicitly contemplates that a 
record owner will tell a service provider when it is providing the 
service provider with consumer report information.\19\ The 
revised example is intended clearly to illustrate that, if a covered 
entity transfers or otherwise provides consumer report information to a 
service provider, the ``reasonable measures'' standard will generally 
require the covered entity to take reasonable steps to select and 
retain a service provider that is capable of properly disposing of the 
consumer report information at issue; notify the service provider that 
the information is consumer report information; and enter into a 
contract that requires the service provider to dispose of the 
information in accordance with the disposal rule. The fourth example is 
intended to clarify that covered entities have responsibilities with 
respect to service providers while also ensuring that covered entities 
that act as service providers have sufficient information so that they 
can make the arrangements needed to fulfill their responsibilities to 
properly dispose of consumer report information.
---------------------------------------------------------------------------

    \19\ Although the example involves a disposal service provider, 
the measures it contemplates would also generally be reasonable with 
respect to other types of service providers.
---------------------------------------------------------------------------

    We have also added a fifth example to reflect our discussion in the 
Proposing Release regarding the relationship between the disposal rule 
and the safeguard rule. In the Proposing Release, we recognized that in 
some circumstances, ``customer records and information'' subject to the 
safeguard rule may overlap with ``consumer report information'' subject 
to the disposal rule. To the extent there is overlap, customer records 
and information would be subject to the disposal rule. We explained 
that proper disposal policies and procedures are encompassed within, 
and should be a part of, the overall policies and procedures required 
under the safeguard rule.\20\ Accordingly, a covered entity could 
comply with the disposal rule by applying its policies and procedures 
under the safeguard rule, including methods for the proper disposal of 
customer information, consumer report information or any compilation of 
that information. We note, however, that in those circumstances, the 
disposal methods applied under the safeguard rule would have to satisfy 
the standards for proper disposal set forth in the disposal rule.
---------------------------------------------------------------------------

    \20\ See Proposing Release, supra note 4, at text following 
n.21.
---------------------------------------------------------------------------

3. Rule 30(b)(2)(ii): Relation to Other Laws
    Proposed rule 30(b)(2)(ii) made clear that nothing in the disposal 
rule was intended to create a requirement that a person maintain or 
destroy any record pertaining to a consumer. The Proposing Release also 
stated that the proposed disposal rule is not intended to affect any 
requirement imposed under any other provision of law to maintain or 
destroy such records. We are adopting the provision substantially as 
proposed; we are adding the word ``other'' before the word 
``provision'' in paragraph (b)(2)(ii)(B) consistent with the statutory 
language.
4. Scope of the Disposal Rule
    The FACT Act differs in scope from the GLBA. As discussed in the 
Proposing Release, Regulation S-P (including the safeguard rule) and 
the disposal rule have some differences in scope with respect both to 
the information and entities that are subject to the respective 
rules.\21\ Our proposal contained four provisions to address those 
differences.\22\ First, we proposed to amend Sec.  248.1(b) of 
Regulation S-P to except the disposal rule from the provision that 
describes the scope of information subject to Regulation S-P. Second, 
we proposed to revise Sec.  248.2(b) to except the disposal rule from 
the provision in Regulation S-P that permits notice-registered 
broker-dealers to comply with the regulation by complying with financial 
privacy rules adopted by the Commodity Futures Trading Commission. 
Third, the proposed disposal rule would exclude notice-registered 
broker-dealers from its application. Finally, the proposed disposal 
rule would apply to transfer agents registered with the Commission.\23\
---------------------------------------------------------------------------

    \21\ See Proposing Release, supra note 4, section II.A.4. See 
also supra note 13.
    \22\ See Proposing Release, supra note 4, at section II.A.4.
    \23\ See amended rules 1(b), 2(b); 30(b)(2) [17 CFR 248.1(b); 
248.2(b); 248.30(b)(2)].
---------------------------------------------------------------------------

    We received no comments on these provisions. Accordingly, we are 
adopting them as proposed.

B. Rule 30(a): Procedures To Safeguard Customer Records and Information

    The Proposing Release also contained a proposed amendment to the 
safeguard rule. As discussed in more detail in the Proposing Release, 
our staff found that some firms it examined lack written policies and 
procedures that address the safeguard requirements. We noted that in 
the absence of reasonable documentation it is difficult to identify 
these policies and procedures and test for compliance with the 
safeguard rule. We also questioned whether an organization of any size 
and complexity could reasonably manage to safeguard customer records 
and information without written policies and procedures. To help ensure 
reasonable protection for customer records and information, and to 
permit compliance oversight by our examiners, we proposed to require 
that policies and procedures under the safeguard rule be written. 
Commenters supported the proposed amendment, and we are adopting it as 
proposed.
    Our Proposing Release also asked for comment on ways to maintain a 
flexible approach to the safeguard rule, while establishing certain 
elements that firms would be required to consider in developing their 
policies and procedures. We specifically asked for comment on whether 
the safeguard rule should adopt standards similar to those set forth in 
the FTC's safeguard rule.\24\ The commenters that specifically 
addressed the issue opposed requiring elements that each safeguard 
program should address. We will take these comments into consideration 
in the event we propose any further amendments to the safeguard rule. 
We are not adopting any additional changes to the safeguard rule today.
---------------------------------------------------------------------------

    \24\ See Federal Trade Commission, Standards for Safeguarding 
Customer Information, 67 FR 36484 (May 23, 2002) (``FTC Safeguard 
Rule'').
---------------------------------------------------------------------------

C. Effective Date; Compliance Date

    The amendments will become effective on January 11, 2005. Two 
commenters requested we require compliance after the effective date in 
order to allow covered entities to evaluate how the rule applies to 
current business practices and to develop and implement disposal 
policies. These commenters suggested we require compliance 180 days and 
24 months after adoption of the amendments. As we noted in the 
Proposing Release, we believe that most firms have policies and 
procedures for disposal of customer information as part of the policies 
and procedures required under the safeguard rule that could be applied 
to consumer report information.\25\ In addition, it should be 
relatively easy for a covered entity that does not currently have 
policies and procedures that could apply to consumer report information 
to address the disposal of that information by adopting policies and 
procedures as one part of its overall safeguarding program. 
Accordingly, we are requiring that covered entities comply with the 
amendments no later than July 1, 2005.
---------------------------------------------------------------------------

    \25\ As discussed above, the policies and procedures applied 
under the safeguard rule would have to satisfy the standard set 
forth in the disposal rule for disposing of consumer report 
information.
---------------------------------------------------------------------------

    We also received a request that we exempt information that is 
disposed of under existing service contracts from the standards for 
disposal of consumer 
report information. We do not believe that an exemption is necessary if 
covered entities are given a longer period in which to amend these 
contracts. Accordingly, we are requiring covered entities to bring any 
existing contracts with service providers for services involving the 
disposal or destruction of consumer report information into compliance 
with rule 30(b) by July 1, 2006.

III. Cost-Benefit Analysis

    We are sensitive to the costs and benefits that result from our 
rules. As discussed above, the amendments implement section 216 of the 
FACT Act by requiring covered entities that maintain or possess 
consumer report information for a business purpose to properly dispose 
of the information. The amendments also require that an institution's 
safeguarding policies and procedures be in writing. In the Proposing 
Release, we requested comment and specific data regarding the costs and 
benefits of the proposed amendments.\26\ We received one comment that 
generally supported our analysis in the Proposing Release, and we 
received no comments that provided specific data on the costs and 
benefits of the proposed amendments.
---------------------------------------------------------------------------

    \26\ See Proposing Release, supra note 4, at section IV.C.
---------------------------------------------------------------------------

A. Benefits

    The disposal rule seeks to prevent the unauthorized disclosure of 
information contained in consumer reports and reduce the risk of fraud 
and related crimes, including identity theft. The unauthorized 
disclosure of this information results in significant expense for the 
consumers, businesses and financial institutions that are the victims 
of these crimes. Requiring covered entities to take reasonable measures 
to protect against unauthorized access to consumer report information 
during its disposal will benefit consumers and covered entities by 
reducing the incidence of identity theft and lessening related losses.
    The amendment to the safeguard rule will benefit firms because 
written policies and procedures will eliminate uncertainty for 
employees and promote more systematic and organized reviews of the 
firms' own safeguard policies and procedures. Firms and their customers 
may also benefit from the amendment if firms develop more comprehensive 
and effective policies as they translate informal, unwritten policies 
into writing. Moreover, investors should benefit from our examiners' 
enhanced ability to conduct compliance oversight. The Commission has no 
way of quantifying these benefits.

B. Costs

    We believe that the disposal rule and the safeguard rule amendment 
will impose minimal costs on firms. The disposal rule does not 
establish specific requirements for the disposal of consumer report 
information, and it will only affect firms that do not currently 
provide adequate protections for the disposal of consumer report 
information as a part of the existing requirement to protect customer 
records and information. Covered entities, depending on their 
particular circumstances, may have to provide employee training, or 
establish clear procedures for consumer report information disposal. 
Costs to firms that are not already in compliance will vary depending 
on the size of the firm, the adequacy of its existing disposal policy, 
and the nature of the firm's operation. As noted above, the flexible 
standard in the disposal rule is specifically designed to minimize the 
burden of compliance for smaller entities. The emphasis on performance 
rather than design standards in the rule takes account of the entity's 
size, operations, and sophistication, as well as the costs and benefits 
of alternative disposal methods. In addition, the ``reasonable 
measures'' standard in the rule is consistent with the current 
safeguard rule. Therefore, it should be relatively easy for a firm that 
does not currently have policies and procedures that could apply to 
consumer report information to address the disposal of that information 
by adopting reasonable disposal measures as one part of its overall 
safeguarding policies and procedures.
    Similarly, we do not anticipate that drafting or implementing the 
safeguard rule amendment's requirement to document policies and 
procedures in writing will be costly. Firms have been required to have 
reasonable policies and procedures in place since 2001. As part of this 
requirement and as a good business practice, we believe that most firms 
have already established their policies in writing. For the minority of 
firms that have unwritten policies, the cost will involve transcribing 
what is understood and accepted practice. If a firm has not given 
significant thought to the safeguarding of customer records and 
information, the firm may incur additional costs if it develops more 
comprehensive and effective policies in the course of documentation.

IV. Paperwork Reduction Act

    As discussed in the Proposing Release, the disposal rule does not 
impose any recordkeeping requirement or otherwise constitute a 
``collection of information'' as it is defined in the regulations 
implementing the Paperwork Reduction Act of 1995 (``PRA'').\27\ As 
discussed further in the Proposing Release, however, the safeguard rule 
amendment contains a ``collection of information'' within the meaning 
of the PRA.
---------------------------------------------------------------------------

    \27\ See 5 CFR 1320.3(c); 44 U.S.C. 3506.
---------------------------------------------------------------------------

    Today we are adopting the amendment to the safeguard rule 
substantially as proposed. To aid our compliance examiners in determining 
whether institutions have met the safeguard requirements, the amendment 
requires that policies and procedures under the safeguard rule be 
written. As we stated in the Proposing Release, while we believe that 
most of the institutions that we regulate have adopted written 
safeguard policies and procedures as a matter of good business 
practice, those that have not already documented their policies and 
procedures will be required to do so. We published notice soliciting 
comments on the collection of information requirement in the Proposing 
Release and submitted the proposed collection of information to the 
Office of Management and Budget (``OMB'') for review in accordance with 
44 U.S.C. 3507(d) and 5 CFR 1320.11.\28\ None of the commenters 
addressed the PRA burden associated with this amendment. The new 
information collection requirement is mandatory. Under the amendment, 
the written safeguard policies and procedures will not be filed with or 
otherwise submitted to the Commission. Accordingly, we make no 
assurance of confidentiality with respect to the collection of 
information.
---------------------------------------------------------------------------

    \28\ In the Proposing Release, we estimated that the aggregate 
burden for all covered entities in the first year after adoption 
would be 631,925 hours. We further estimated that the average 
weighted annual burden for all covered entities over the three-year 
period for which we requested approval of the information collection 
burden would be approximately 276,780 hours. See Proposing Release, 
supra note 4, at section V.
---------------------------------------------------------------------------

    The title for the collection of information is ``Procedures to 
safeguard customer records and information; disposal of consumer report 
information.'' An agency may not conduct or sponsor, and a person is 
not required to respond to, a collection of information unless it 
displays a currently valid OMB control number.

V. Final Regulatory Flexibility Analysis

    This Final Regulatory Flexibility Analysis has been prepared in 
accordance with 5 U.S.C. 604. It relates to the disposal rule, which 
requires that reasonable measures be taken to protect 
against unauthorized access to consumer report information during its 
disposal. It also relates to the amendment to the safeguard rule that 
requires financial institutions to document policies and procedures to 
safeguard customer information in writing. The Initial Regulatory 
Flexibility Analysis (``IRFA''), which was prepared in accordance with 
5 U.S.C. 603, was published in the Proposing Release.\29\
---------------------------------------------------------------------------

    \29\ See Proposing Release, supra note 4, at section VI.
---------------------------------------------------------------------------

A. Reasons for the Rule Amendments

    As described more fully in section I of this Release, section 216 
of the FACT Act requires the Commission to issue regulations regarding 
the proper disposal of consumer report information in order to prevent 
sensitive financial and personal information from falling into the 
hands of identity thieves or others who might use the information to 
victimize consumers. The disposal rule is intended to implement the 
requirements of section 216.
    As discussed above, the amendment to the safeguard rule requires 
entities subject to the rule to document their policies and procedures 
in writing. The amendment is intended to ensure reasonable protection 
for customer records and information and to permit compliance oversight 
by our examiners.

B. Significant Issues Raised by Public Comment

    In the IRFA, we requested comment on any aspect of the IRFA and 
specifically requested comment on the number of small entities that 
would be affected by the proposed amendments and the likely impact of 
the proposal on small entities. We received no comments on the IRFA. 
The commenters generally supported the Commission's proposal to 
implement section 216 of the FACT Act. Three of the commenters 
supported the proposed amendment to the safeguard rule. No commenters 
opposed the amendments.

C. Small Entities Subject to the Amendments

    The disposal rule applies to brokers and dealers (other than 
notice-registered broker-dealers), investment companies, registered 
investment advisers, and registered transfer agents that maintain or 
otherwise possess consumer report information for a business purpose. 
Institutions covered by the amendment to the safeguard rule will 
include brokers and dealers (other than notice-registered broker-
dealers), investment companies, and registered investment advisers. Of 
the entities registered with the Commission, 906 broker-dealers, 233 
investment companies, 592 registered investment advisers, and 170 
registered transfer agents are considered small entities.\30\
---------------------------------------------------------------------------

    \30\ For purposes of the Regulatory Flexibility Act, under the 
Exchange Act a small entity is a broker or dealer that had total 
capital of less than $500,000 on the date of its prior fiscal year 
and is not affiliated with any person that is not a small entity. 17 
CFR 240.0-10. Under the Investment Company Act a ``small entity'' is 
an investment company that, together with other investment companies 
in the same group of related investment companies, has net assets of 
$50 million or less as of the end of its most recent fiscal year. 17 
CFR 270.0-10. Under the Investment Advisers Act, a small entity is 
an investment adviser that ``(i) manages less than $25 million in 
assets, (ii) has total assets of less than $5 million on the last 
day of its most recent fiscal year, and (iii) does not control, is 
not controlled by, and is not under common control with another 
investment adviser that manages $25 million or more in assets, or 
any person that had total assets of $5 million or more on the last 
day of the most recent fiscal year.'' 17 CFR 275.0-7. A small entity 
in the transfer agent context is defined to be any transfer agent 
that (i) received less than 500 items for transfer and less than 500 
items for processing during the preceding six months; (ii) 
transferred only items of issuers that would be deemed ``small 
businesses'' or ``small organizations'' under rule 0-10 under the 
Exchange Act; (iii) maintained master shareholder files that in the 
aggregate contained less than 1,000 shareholder accounts at all 
times during the preceding fiscal year; and (iv) is not affiliated 
with any person (other than a natural person) that is not a small 
business or small organization under rule 0-10. 17 CFR 240.0-10.
---------------------------------------------------------------------------

D. Reporting, Recordkeeping, and Other Compliance Requirements

    As discussed above, the disposal rule does not impose any reporting 
or any specific recordkeeping requirements within the meaning of the 
Paperwork Reduction Act. The rule requires covered entities, when 
disposing of consumer report information, to take reasonable measures 
to protect against unauthorized access to or use of the information in 
connection with its disposal. What is considered ``reasonable'' will 
vary according to an entity's nature and size, the costs and benefits 
of available disposal methods, and the sensitivity of the information 
involved. In formulating the disposal rule, we considered alternatives 
to this approach, and determined that the flexibility afforded by the 
rule reduces the burden that might otherwise be imposed on small 
entities by a more rigid, prescriptive rule.
    With regard to the amendment to the safeguard rule, we note that 
firms are already required to have policies and procedures that address 
the safeguarding of customer information and records. This requirement 
provides a flexible standard that allows each firm to tailor these 
policies and procedures to the firm's particular systems, methods of 
information gathering, and customer needs. We assume that most 
institutions have already documented these policies and procedures, but 
the amendment requires all institutions to put their policies and 
procedures in writing. The amount of time it will take institutions 
that do not have written policies and procedures will vary based on the 
extent and complexity of the policies and procedures the institution 
has adopted.

E. Commission Action To Minimize Effect on Small Entities

    The Regulatory Flexibility Act directs us to consider significant 
alternatives that would accomplish the stated objective, while 
minimizing any significant adverse impact on small entities. 
Alternatives in this category would include: (i) The establishment of 
differing compliance or reporting requirements or timetables that take 
into account the resources available to small entities; (ii) the 
clarification, consolidation, or simplification of compliance and 
reporting requirements under the rules for small entities; (iii) the 
use of performance rather than design standards; and (iv) an exemption 
from coverage of the rules, or any part thereof, for small entities.
    With respect to the disposal rule, the Commission does not believe 
that an exemption from coverage or special compliance or reporting 
requirements for small entities would be consistent with the mandates 
of the FACT Act. In addition, the Commission does not believe that 
clarification, consolidation, or simplification of the amendment for 
small entities is feasible or necessary. Section 216 of the FACT Act 
addresses the protection of consumer privacy, and consumer privacy 
concerns do not depend on the size of the entity involved. 
Nevertheless, we have endeavored throughout the disposal rule to 
minimize the regulatory burden on all covered entities, including small 
entities, while meeting the statutory requirements. Small entities 
should benefit from the flexible standards in the disposal rule. In 
addition, the emphasis on performance rather than design standards in 
the rule takes account of the covered entity's size and sophistication, 
as well as the costs and benefits of alternative disposal methods.
    With respect to the amendment to the safeguard rule, we do not 
believe that an exemption from coverage or special reporting or 
compliance requirements for small entities is feasible or necessary. 
The requirement that covered entities document their safeguard policies 
and procedures in writing is necessary to promote systematic and 
organized reviews of these policies and procedures by the entity, as 
well as to allow Commission staff to identify and test effectively for 
compliance with the safeguard rule.
    Similarly, the Commission does not believe that clarification, 
consolidation, or simplification of the amendment for small entities is 
feasible or necessary. The requirement that safeguard policies and 
procedures be in writing, as discussed above, is essential to allowing 
both the entity and Commission staff to review the entity's policies 
and procedures.
    The safeguard rule embodies performance rather than design 
standards. It affords each institution the flexibility to adopt and 
implement policies and procedures that are appropriate in light of the 
institution's size and the complexity of its operations. The 
documentation of the policies and procedures will reflect these 
performance standards. Accordingly, the writing required under the 
amendment will only be as technical or complex as the policies and 
procedures required to be documented.

VI. Consideration of Promotion of Efficiency, Competition, and Capital 
Formation

    Section 3(f) of the Exchange Act and section 2(c) of the Investment 
Company Act mandate that the Commission, when engaging in rulemaking 
that requires it to consider or determine whether an action is 
necessary or appropriate in the public interest, consider, in 
addition to the protection of investors, whether the action will 
promote efficiency, competition, and capital formation. Section 
23(a)(2) of the Exchange Act prohibits the Commission from adopting any 
rule under the Exchange Act that would impose a burden on competition 
that is not necessary or appropriate in furtherance of the purposes of 
the Exchange Act.
    We do not believe that the disposal rule will have an anti-
competitive impact. The disposal rule applies to all brokers and 
dealers (other than notice-registered broker-dealers), investment 
companies, registered investment advisers, and registered transfer 
agents. Each of these entities must take reasonable measures to 
properly dispose of consumer report information.
    Other entities will be subject to substantially similar disposal 
requirements under the Agencies' rules. As directed by the FACT Act, 
the Agencies and the Commission have worked in consultation and 
coordination with one another to ensure the consistency and 
comparability of the regulations. Therefore, all financial institutions 
will have to bear the costs of implementing the rules or substantially 
similar rules. Although these costs will vary among entities subject to 
the rule, we do not believe that the costs will be significantly 
greater for any particular entity or entities when calculated as a 
percentage of overall costs.
    Furthermore, we believe the disposal rule will have little effect 
on efficiency and capital formation. The rule will result in some 
additional costs for some entities, particularly those entities that do 
not currently take reasonable measures to properly dispose of consumer 
report information. However, we believe the additional costs are small 
enough that they will not affect the efficiency of these entities. We 
also believe that any effect the disposal rule may have on capital 
formation will be positive. To the extent that the disposal rule gives 
investors greater confidence in the security of information possessed 
by covered entities, investors may be more likely to invest their 
assets in the capital markets through covered entities.
    With respect to the amendment to the safeguard rule, we do not 
believe the amendment will have an anti-competitive impact. As noted 
above, we believe that most brokers, dealers, investment companies, and 
registered investment advisers already have written safeguard policies 
and procedures. To the extent some do not, those firms will have to 
conform to standards that many firms have met voluntarily. This 
amendment also will be consistent with the guidelines issued by the 
Banking Agencies regarding the safeguarding of customer records and 
information and the FTC's Safeguard Rule, which require that the 
financial institutions the Agencies regulate document their policies 
and procedures in writing.\31\ Firms that currently do not have written 
policies and procedures will incur costs of documentation already borne 
by firms that have written policies and procedures. Although these 
costs will vary among institutions subject to the amendment, we do not 
believe that the costs will be significantly greater for any particular 
firm or firms when calculated as a percentage of overall costs.
---------------------------------------------------------------------------

    \31\ See Federal Reserve System, Federal Deposit Insurance 
Corporation, Department of the Treasury Office of Thrift 
Supervision, and Department of the Treasury Office of the 
Comptroller of the Currency, Interagency Guidelines Establishing 
Standards for Safeguarding Customer Information, 66 FR 8616 (Feb. 1, 
2001); FTC Safeguard Rule, supra note 24.
---------------------------------------------------------------------------

    Furthermore, we believe the amendment will have little effect on 
efficiency and capital formation. We expect the amended rule will 
increase efficiency among those firms that do not currently have 
written policies and procedures because it should promote more 
systematic and organized reviews of these policies and procedures. The 
amendment will result in some additional costs for firms that do not 
currently have written policies and procedures. However, we believe the 
additional costs are small enough that they will not affect the 
efficiency of these firms. To the extent there is any effect, the 
amendment may foster capital formation. Our experience is that covered 
entities with effective safeguard programs that are documented in 
writing and communicated to all employees are less likely to violate 
the safeguard rule, and harm to investors is less likely to result. To 
the extent this type of environment increases investor confidence in 
covered entities, investors and clients are more likely to make assets 
available through these entities for investment in the capital markets.
    In the Proposing Release, we solicited comment on our analysis of 
the impact of these amendments on efficiency, competition and capital 
formation. We did not receive any comment on our analysis.

VII. Statutory Authority

    The Commission is amending Regulation S-P pursuant to the authority 
set forth in section 501(b) of the GLBA [15 U.S.C. 6801(b)], section 
628 of the FCRA [15 U.S.C. 1681w], sections 17, 23, and 36 of the 
Exchange Act [15 U.S.C. 78q, 78w, and 78mm], sections 31(a) and 38 of 
the Investment Company Act [15 U.S.C. 80a-30(a) and 80a-37], and 
sections 204 and 211 of the Investment Advisers Act [15 U.S.C. 80b-4 
and 80b-11].

List of Subjects in 17 CFR Part 248

    Brokers, Dealers, Investment advisers, Investment companies, 
Privacy, Reporting and recordkeeping requirements, Transfer agents.

Text of Rules

For the reasons set out in the preamble, title 17, chapter II of the 
Code of Federal Regulations is amended as follows:

PART 248--REGULATION S-P: PRIVACY OF CONSUMER FINANCIAL INFORMATION

1. The authority citation for part 248 is revised to read as follows:

    Authority: 15 U.S.C. 6801-6809; 15 U.S.C. 1681w; 15 U.S.C. 78q, 
78w, 78mm, 80a-30(a), 80a-37, 80b-4, and 80b-11.

Sec.  248.1  [Amended]

2. Section 248.1, the first sentence of paragraph (b) is amended by 
revising the phrase ``This part'' to read ``Except with respect to 
Sec.  248.30(b), this part''.


Sec.  248.2  [Amended]

3. Section 248.2, paragraph (b) is amended by revising the phrase ``Any 
futures commission merchant'' to read ``Except with respect to Sec.  
248.30(b), any futures commission merchant''.

4. Section 248.30 is amended as follows:
a. Revise the section heading;
b. Introductory text, paragraphs (a), (b), and (c) are redesignated as 
paragraphs (a) introductory text, (a)(1), (a)(2), and (a)(3) 
respectively;
c. In the newly redesignated introductory text of paragraph (a), add 
the word ``written'' before the phrase ``policies and procedures'' in 
the first and second sentences; and
d. Add new paragraph (b).
    The revision and addition read as follows:


Sec.  248.30  Procedures to safeguard customer records and information; 
disposal of consumer report information.

* * * * *
    (b) Disposal of consumer report information and records--(1) 
Definitions (i) Consumer report has the same meaning as in section 
603(d) of the Fair Credit Reporting Act (15 U.S.C. 1681a(d)).
    (ii) Consumer report information means any record about an 
individual, whether in paper, electronic or other form, that is a 
consumer report or is derived from a consumer report. Consumer report 
information also means a compilation of such records. Consumer report 
information does not include information that does not identify 
individuals, such as aggregate information or blind data.
    (iii) Disposal means:
    (A) The discarding or abandonment of consumer report information; 
or
    (B) The sale, donation, or transfer of any medium, including 
computer equipment, on which consumer report information is stored.
    (iv) Notice-registered broker-dealers means a broker or dealer 
registered by notice with the Commission under section 15(b)(11) of the 
Securities Exchange Act of 1934 (15 U.S.C. 78o(b)(11)).
    (v) Transfer agent has the same meaning as in section 3(a)(25) of 
the Securities Exchange Act of 1934 (15 U.S.C. 78c(a)(25)).
    (2) Proper disposal requirements--(i) Standard. Every broker and 
dealer other than notice-registered broker-dealers, every investment 
company, and every investment adviser and transfer agent registered 
with the Commission, that maintains or otherwise possesses consumer 
report information for a business purpose must properly dispose of the 
information by taking reasonable measures to protect against 
unauthorized access to or use of the information in connection with its 
disposal.
    (ii) Relation to other laws. Nothing in this section shall be 
construed:
    (A) To require any broker, dealer, or investment company, or any 
investment adviser or transfer agent registered with the Commission to 
maintain or destroy any record pertaining to an individual that is not 
imposed under other law; or
    (B) To alter or affect any requirement imposed under any other 
provision of law to maintain or destroy any of those records.

    By the Commission.

    Dated: December 2, 2004.
Margaret H. McFarland,
Deputy Secretary.
[FR Doc. 04-26878 Filed 12-7-04; 8:45 am]