[Federal Register Volume 69, Number 248 (Tuesday, December 28, 2004)]
[Rules and Regulations]
[Pages 77610-77621]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 04-27962]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF THE TREASURY

Office of the Comptroller of the Currency

12 CFR Parts 30 and 41

[Docket No. 04-13]
RIN 1557-AC84

FEDERAL RESERVE SYSTEM

12 CFR Parts 208, 211, 222, and 225

[Docket No. R-1199]

FEDERAL DEPOSIT INSURANCE CORPORATION

12 CFR Parts 334 and 364

RIN 3064-AC77

DEPARTMENT OF THE TREASURY

Office of Thrift Supervision

12 CFR Parts 568, 570, and 571

[No. 2004-56]
RIN 1550-AB87


Proper Disposal of Consumer Information Under the Fair and 
Accurate Credit Transactions Act of 2003

AGENCIES: Office of the Comptroller of the Currency, Treasury (OCC); 
Board of Governors of the Federal Reserve System (Board); Federal 
Deposit Insurance Corporation (FDIC); and Office of Thrift Supervision, 
Treasury (OTS).

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The OCC, Board, FDIC, and OTS (the Agencies) are adopting a 
final rule to implement section 216 of the Fair and Accurate Credit 
Transactions Act of 2003 by amending the Interagency Guidelines 
Establishing Standards for Safeguarding Customer Information. The final 
rule generally requires each financial institution to develop, 
implement, and maintain, as part of its existing information security 
program, appropriate measures to properly dispose of consumer 
information derived from consumer reports to address the risks 
associated with identity theft.

EFFECTIVE DATE: July 1, 2005.

FOR FURTHER INFORMATION CONTACT: OCC: Aida Plaza Carter, Director, Bank 
Information Technology, (202) 874-4740; Amy Friend, Assistant Chief 
Counsel, (202) 874-5200; or Deborah Katz, Senior Counsel, Legislative 
and Regulatory Activities Division, (202) 874-5090.
    Board: Donna L. Parker, Supervisory Financial Analyst, Division of 
Supervision & Regulation, (202) 452-2614; Joshua H. Kaplan, Attorney, 
Legal Division, (202) 452-2249; Minh-Duc T. Le or Ky Tran-Trong, Senior 
Attorneys, Division of Consumer and Community Affairs, (202) 452-3667.
    FDIC: Jeffrey M. Kopchik, Senior Policy Analyst, Division of 
Supervision and Consumer Protection, (202) 898-3872; Kathryn M. 
Weatherby, Examination Specialist, Division of Supervision and Consumer 
Protection, (202) 898-6793; Robert A. Patrick, Counsel, Legal Division, 
(202) 898-3757; Janet V. Norcom, Counsel, Legal Division, (202) 898-
8886.
    OTS: Glenn Gimble, Senior Project Manager, Thrift Policy, (202) 
906-7158; Lewis C. Angel, Senior Project Manager, Technology Risk 
Management, (202) 906-5645; Richard Bennett, Counsel (Banking and 
Finance), Regulations and Legislation Division, (202) 906-7409.

SUPPLEMENTARY INFORMATION:

I. Introduction

    Section 216 of the Fair and Accurate Credit Transactions Act of 
2003 (FACT Act or the Act) adds a new section 628 to the Fair Credit 
Reporting Act (FCRA), at 15 U.S.C. 1681w, that, in general, is designed 
to protect a consumer against the risks associated with unauthorized 
access to information about the consumer contained in a consumer 
report, such as fraud and related crimes including identity theft. 
Section 216 of the Act requires each of the Agencies to adopt a 
regulation with respect to the entities that are subject to its 
enforcement authority ``requiring any person that maintains or 
otherwise possesses consumer information, or any compilation of 
consumer information, derived from consumer reports for a business 
purpose to properly dispose of any such information or compilation.'' 
Pub. L. 108-159, 117 Stat. 1985-86. The FACT Act mandates that the 
Agencies ensure that their respective regulations are consistent with 
the requirements issued pursuant to the Gramm-Leach-Bliley Act (GLB 
Act) (Pub. L. 106-102), as well as other provisions of Federal law.
    On June 8, 2004, the Agencies published a proposal to amend the 
Interagency Guidelines Establishing Standards for Safeguarding Customer 
Information (Guidelines) to require financial institutions to implement 
controls designed to ensure the proper disposal of ``consumer 
information'' within the meaning of section 216.\1\ A

[[Page 77611]]

total of 68 comments on the proposal were submitted to the Agencies, 
some of which were submitted to more than one of the Agencies. Most of 
these comments were submitted by financial institutions and 
associations that represent them. A few comments were submitted by 
trade associations from the information destruction industry.\2\
---------------------------------------------------------------------------

    \1\ 69 FR 31913 (June 8, 2004). The Guidelines are codified at 
12 CFR parts 30, app. B (OCC); 208, app. D-2 and 225, app. F 
(Board); 364, app. B (FDIC); 570, app. B (OTS). Citations to the 
Guidelines omit references to titles and publications and give only 
the appropriate paragraph or section number.
    \2\ Individual consumers and organizations representing 
consumers submitted comments on the proposed rule issued by the 
Federal Trade Commission (FTC), which was substantively similar to 
the Agencies' proposal. 69 FR 21388 (April 20, 2004); see http://www.ftc.gov/os/comments/disposal/index.htm. The Agencies have 
reviewed these and other comments submitted to the FTC in connection 
with this final rule.
---------------------------------------------------------------------------

    In general, commenters expressed support for the Agencies' proposal 
because the new requirements would allow financial institutions 
sufficient latitude to adopt controls that suit their particular 
circumstances. Commenters offered revisions to several aspects of the 
proposal, notably the definitions and compliance deadlines, and the 
Agencies have considered each of these suggestions.
    The Agencies also proposed to amend their respective regulations 
that implement the FCRA by adding a new provision setting forth the 
duties of users of consumer reports regarding identity theft. The 
proposed provision would require a financial institution to properly 
dispose of consumer information in accordance with the standards set 
forth in the Guidelines. The Agencies also proposed to amend their 
respective FCRA regulations by incorporating a rule of construction, 
which generally provides that the duty to properly dispose of consumer 
information shall not be construed to require a financial institution 
to maintain or destroy any record pertaining to a consumer that is not 
imposed under any other law or alter any requirement under any other 
law to maintain or destroy such a record. This rule of construction 
closely tracks section 628(b) of the FCRA, as added by section 216 of 
the FACT Act. In general, commenters supported the Agencies' proposal 
to amend their FCRA regulations and, in particular, urged the Agencies 
to retain the rule of construction in the final rule.
    In accordance with section 216 of the Act, the Agencies have 
consulted with the FTC, the National Credit Union Administration, and 
the Securities and Exchange Commission to ensure that, to the extent 
possible, the rules adopted by the respective agencies are consistent 
and comparable.

II. Background

    On February 1, 2001, the Agencies issued the Guidelines pursuant to 
sections 501 and 505 of the GLB Act (15 U.S.C. 6801 and 6805).\3\ The 
Guidelines establish standards relating to the development and 
implementation of administrative, technical, and physical safeguards to 
protect the security, confidentiality, and integrity of customer 
information. The Guidelines apply to the financial institutions subject 
to the Agencies' respective jurisdictions. As mandated by section 
501(b) of the GLB Act, the Guidelines require each financial 
institution to develop a written information security program that is 
designed to: (1) Ensure the security and confidentiality of customer 
information; (2) protect against any anticipated threats or hazards to 
the security or integrity of such information; and (3) protect against 
unauthorized access to or use of such information that could result in 
substantial harm or inconvenience to any customer.\4\ The Guidelines 
direct financial institutions to assess the risks to their customer 
information and customer information systems and, in turn, implement 
appropriate security measures to control those risks.\5\ For example, 
under the risk-assessment framework currently imposed by the 
Guidelines, each financial institution must evaluate whether the 
controls the institution has developed sufficiently protect its 
customer information from unauthorized access, misuse, or alteration 
when the institution disposes of the information.\6\
---------------------------------------------------------------------------

    \3\ 66 FR 8616 (Feb. 1, 2001).
    \4\ Guidelines, II.B.
    \5\ See generally, III.B. and III.C.
    \6\ See 66 FR 8618. (``Under the final Guidelines, a financial 
institution's responsibility to safeguard customer information 
continues through the disposal process.'')
---------------------------------------------------------------------------

III. Proper Disposal of Consumer Information and Customer Information

    To implement section 216 of the FACT Act, the Agencies are adopting 
amendments to the Guidelines \7\ that require each financial 
institution to develop and maintain, as part of its information 
security program, appropriate controls designed to ensure that the 
institution properly disposes of ``consumer information.'' The 
amendments to the Guidelines generally require a financial institution 
to properly dispose of ``consumer information'' derived from a consumer 
report in a manner consistent with a financial institution's existing 
obligations under the Guidelines to properly dispose of customer 
information. Although the Guidelines currently address an institution's 
obligations to properly dispose of customer information, the amendments 
now state this obligation more directly and combine it with the new 
requirement to properly dispose of consumer information.
---------------------------------------------------------------------------

    \7\ The Agencies are renaming the ``Interagency Guidelines 
Establishing Standards for Safeguarding Customer Information'' to 
read ``Interagency Guidelines Establishing Standards for Information 
Security'' to make clear that the Guidelines encompass the disposal 
of consumer information.
---------------------------------------------------------------------------

    The Agencies have incorporated this new requirement into the 
Guidelines by: (1) Adding a definition of ``consumer information,'' 
including illustrations of the information covered by the new term; (2) 
adding an objective (in paragraph II) regarding the proper disposal of 
customer information and consumer information; and (3) adding a 
provision (in paragraph III) that requires a financial institution to 
implement appropriate measures to properly dispose of customer 
information and consumer information in accordance with each of the 
requirements in paragraph III.
    The final rule requires each financial institution to implement the 
appropriate measures to properly dispose of ``consumer information'' by 
July 1, 2005. The Agencies believe that any changes to an institution's 
existing information security program likely will be minimal because 
many of the measures that an institution already uses to dispose of 
``customer information'' can be adapted to properly dispose of 
``consumer information.'' Nevertheless, a few of the comments noted 
that the proposed period for compliance would be relatively short in 
light of the work required to locate and track all ``consumer 
information'' in a financial institution's existing information 
systems. Accordingly, the Agencies have determined that financial 
institutions should be afforded a six-month period to adjust their 
systems and controls.
    A discussion of each proposed amendment to the Guidelines and the 
addition of cross-references to the Guidelines in the Agencies' FCRA 
regulations follows.

Consumer Information

    The proposal defined ``consumer information'' to mean ``any record 
about an individual, whether in paper, electronic, or other form, that 
is a consumer report or is derived from a consumer report and that is 
maintained or otherwise possessed by or on behalf of the [institution] 
for a business

[[Page 77612]]

purpose.'' ``Consumer information'' also was defined to mean ``a 
compilation of such records.''
    Commenters generally supported the Agencies' proposed definition of 
this term, but argued that the Agencies should include statements or 
illustrations to clarify the nature and scope of ``consumer 
information.'' Several commenters found the proposed phrase ``about an 
individual'' to be ambiguous and urged the Agencies to adopt a 
definition expressly stating that ``consumer information'' only 
includes information that identifies a particular individual.
    Similarly, some commenters supported the Agencies' explanation in 
the proposal that ``consumer information'' does not include information 
derived from a consumer report that does not identify any particular 
consumer, such as the mean credit score derived from a group of 
consumer reports. These commenters suggested that the Agencies include 
this example (or similar examples) in the definition.
    In the final rule, as in the proposed rule, the Agencies have 
continued to define ``consumer information'' to mean ``any record about 
an individual, whether in paper, electronic, or other form, that is a 
consumer report or is derived from a consumer report and that is 
maintained or otherwise possessed by or on behalf of the [institution] 
for a business purpose.'' In addition, the Agencies have continued to 
define ``consumer information'' to mean ``a compilation of such 
records,'' as proposed.
    The Agencies have modified the term ``consumer information,'' 
however, to expressly exclude from the definition ``any record that 
does not identify an individual.'' The Agencies believe that qualifying 
the term ``consumer information'' to cover only personally identifiable 
information appropriately focuses on the information derived from a 
consumer report that, if improperly disposed, could be used to commit 
fraud or identity theft against a consumer. The Agencies believe that 
limiting ``consumer information'' to information that identifies a 
consumer is consistent with the current law relating to the scope of 
the term ``consumer report'' under the FCRA and the purposes of section 
216 of the FACT Act.
    Under the final rule, a financial institution must implement 
measures to properly dispose of ``consumer information'' that 
identifies a consumer, such as the consumer's name and the credit score 
derived from a consumer report. However, this requirement does not 
apply to aggregate information, such as the mean credit score that is 
derived from a group of consumer reports, or blind data, such as a 
series of credit scores that do not identify the subjects of the 
consumer reports from which those scores are derived. The Agencies have 
included examples of records that illustrate this aspect of the 
Guidelines, but have not rigidly defined the nature and scope of 
personally identifiable information. The Agencies note that there are a 
variety of types of information apart from an individual's name, 
account number, or address that, depending on the circumstances or when 
used in combination, could identify the individual.
    A few commenters argued that the term ``consumer information'' 
should exclude non-sensitive information about a consumer, such as 
names and addresses that are publicly available. These commenters urged 
the Agencies to limit ``consumer information'' to information about an 
individual's specific financial characteristics, such as payment 
history or account numbers, or personal characteristics, such as 
driver's license information. In their view, only sensitive, non-public 
information should be subject to the requirements of the rule because 
unauthorized access to or misuse of that information poses the greatest 
threats of identity theft against consumers. The Agencies believe that 
there is no basis to exclude certain classes of relatively non-
sensitive information from the scope of ``consumer information'' under 
section 216 of the Act.
    Some commenters urged the Agencies to eliminate references to 
business-related transactions in the discussion of the definition of 
``consumer information.'' These commenters argued that the FCRA defines 
a ``consumer report'' only with respect to information used to 
determine a consumer's eligibility for ``credit or insurance to be used 
primarily for personal, family, or household purposes.'' \8\ Thus, 
these commenters recommended that the Agencies remove references to 
business transactions that, in their view, would be inconsistent with 
the scope of the FCRA. The Agencies note that the FCRA defines a 
``consumer report'' as encompassing a communication by a consumer 
reporting agency of information about a consumer that, in general, is 
used as a factor in establishing the consumer's eligibility for ``any 
other purpose authorized under section 604 [of the FCRA].'' \9\ Among 
other permissible purposes, a consumer reporting agency lawfully may 
furnish a consumer report to a person which it has reason to believe 
``otherwise has a legitimate business need for the information in 
connection with a business transaction that is initiated by the 
consumer.'' \10\ If used in whole or in part to establish a consumer's 
eligibility for a business transaction that is initiated by the 
consumer, such as an application for a small business loan that is 
initiated by a sole proprietor, then that information could be a 
consumer report. Accordingly, a financial institution that maintains 
information derived from a consumer report for a business purpose 
including a consumer report originally obtained in connection with a 
``business transaction that is initiated by the consumer,'' would be 
subject to the requirement to properly dispose of such information, 
pursuant to section 216 of the FACT Act.
---------------------------------------------------------------------------

    \8\ 15 U.S.C. 1681a(d)(1)(A).
    \9\ 15 U.S.C. 1681a(d)(1)(C).
    \10\ 15 U.S.C. 1681b(a)(3)(F))i).
---------------------------------------------------------------------------

    As discussed in the proposal, the Agencies note that the scope of 
information covered by the terms ``consumer information'' and 
``customer information'' will sometimes overlap, but will not always 
coincide. The definition of ``consumer information'' is drawn from the 
term ``consumer'' in section 603(c) of the FCRA, which defines a 
``consumer'' as an individual, without elaboration. 15 U.S.C. 1681a(c). 
By contrast, ``customer information'' under the Guidelines, means 
nonpublic personal information about a ``customer,'' namely, an 
individual who obtains a financial product or service to be used 
primarily for personal, family, or household purposes and who has a 
continuing relationship with the financial institution.\11\
---------------------------------------------------------------------------

    \11\ I.C.2.b.
---------------------------------------------------------------------------

    The relationship between ``consumer information'' and ``customer 
information'' can be illustrated through the following examples. 
Payment history information from a consumer report about an individual, 
who is a financial institution's customer, will be both ``consumer 
information'' because it comes from a consumer report and ``customer 
information'' because it is nonpublic personal information about a 
customer. In some circumstances, ``customer information'' will be 
broader than ``consumer information.'' For instance, information about 
a financial institution's own transactions with its customer is 
``customer information'' but is not ``consumer information'' because it 
does not come from a consumer report. In other circumstances, 
``consumer information'' will be broader than ``customer information.''

[[Page 77613]]

``Consumer information'' includes information from a consumer report 
that an institution obtains about an individual who applies for but 
does not receive a loan, an individual who guarantees a loan (including 
a loan to a business entity), an employee or a prospective employee, or 
an individual in connection with a loan to the individual's sole 
proprietorship. In each of these instances, the consumer reports are 
not ``customer information'' because the information is not about a 
``customer'' within the meaning of the Guidelines.
    The Agencies believe that the phrase ``derived from consumer 
reports'' covers all of the information about a consumer that is taken 
from a consumer report, including information that results in whole or 
in part from manipulation of information from a consumer report or 
information from a consumer report that has been combined with other 
types of information. Consequently, a financial institution that 
possesses any of this information must properly dispose of it. For 
example, any record about a consumer derived from a consumer report, 
such as the consumer's name and credit score, that is shared among 
affiliates must be disposed of properly by each affiliate that 
possesses that information.\12\ Similarly, a consumer report that is 
shared among affiliated companies after the consumer has been given a 
notice and has elected not to opt out of that sharing, and therefore is 
no longer a ``consumer report'' under the FCRA,\13\ would still be 
``consumer information.'' Accordingly, an affiliate that receives 
``consumer information'' under these circumstances must properly 
dispose of the information.
---------------------------------------------------------------------------

    \12\ An affiliate subject to the jurisdiction of the OCC, Board, 
FDIC, or OTS must properly dispose of consumer information that it 
possesses or maintains in accordance with the agency's rule. An 
affiliate subject to the jurisdiction of the FTC or the SEC must 
properly dispose of consumer information that it possesses or 
maintains in accordance with the FTC's or SEC's final rules, as 
applicable, which are consistent and comparable to this final rule. 
Savings associations and savings association subsidiaries that are 
not functionally regulated are subject to the OTS's Guidelines.
    \13\ 15 U.S.C. 1681a(d)(2)(A)(iii).
---------------------------------------------------------------------------

    A few commenters suggested that the Agencies modify this provision 
to limit the obligation of a financial institution to properly dispose 
of consumer information only when the institution knows that the 
information has been derived from a consumer report. The Agencies 
believe that implementing such a limitation is unwarranted in light of 
the general duty established in section 216 of the Act which applies to 
``any person that maintains or otherwise possesses consumer 
information,'' without regard to whether the person actually knows that 
it possesses such information.
    The Agencies note that the proposed definition of ``consumer 
information'' includes the qualification ``for a business purpose,'' as 
set forth in section 216 of the Act. The Agencies believe that the 
phrase ``for a business purpose'' encompasses any commercial purpose 
for which a financial institution might maintain or possess ``consumer 
information.'' Commenters did not raise concerns about this 
interpretation.
    Some commenters urged the Agencies to define the term ``disposal'' 
to clarify whether the sale, donation, or transfer of any medium 
containing ``consumer information'' is covered by the requirements 
imposed under the Guidelines. A few other commenters, however, 
disagreed with this suggestion and supported the Agencies' proposal, 
which was silent with respect to this particular term. The Agencies 
believe that there is no need to adopt a definition of the term 
``disposal'' because, in the context of the duty imposed under section 
216 of the FACT Act, the ordinary meaning of that term applies. The 
Agencies note that any sale, lease, or other transfer of any medium 
containing ``consumer information'' constitutes disposal of the 
information insofar as the information itself is not the subject of the 
sale, lease, or other transfer between the parties. By contrast, the 
sale, lease, or other transfer of consumer information from a financial 
institution to another party (which may be subject to limitations 
imposed under other laws) can be distinguished from the act of throwing 
out or getting rid of consumer information, and accordingly, does not 
constitute ``disposal'' that is subject to the Agencies' rule.

New Objective for an Information Security Program

    The Agencies proposed to add a new objective regarding the proper 
disposal of consumer information in paragraph II.B. of the Guidelines. 
A few commenters expressed objections to this aspect of the proposal, 
mainly insofar as this provision relates to service providers.
    Under the final rule, a financial institution must design its 
information security program to satisfy the general objective to 
``[e]nsure the proper disposal of customer information and consumer 
information.'' The added reference to ``customer information'' more 
directly states an institution's overall duties with respect to 
disposing of information. However, because proper disposal of customer 
information already is part of a financial institution's obligation in 
designing and maintaining its information security program under the 
Guidelines, the inclusion of ``customer information'' in the objective 
does not impose a new requirement on an institution's compliance with 
the Guidelines.
    The general objective to ``[e]nsure the proper disposal of customer 
information and consumer information'' replaces the proposed provision 
that would require an institution to develop controls ``in a manner 
consistent with the disposal of customer information.'' The Agencies 
believe that setting forth the obligation in this manner more directly 
states a financial institution's obligation to develop and maintain 
risk-based measures to dispose of both types of information properly 
and is consistent with the Guidelines and the Act.
    The Agencies continue to believe that imposing this additional 
objective in paragraph II.B is important because this disposal 
requirement applies to a financial institution's ``consumer 
information'' maintained or otherwise in the possession of the 
institution's service providers. The Guidelines require, in part, that 
a financial institution ``[r]equire its service providers by contract 
to implement appropriate measures designed to meet the objectives of 
these Guidelines.'' \14\
    By expressly incorporating a provision in paragraph II.B., each 
financial institution must contractually require its service providers 
to develop appropriate measures for the proper disposal of consumer 
information and, where warranted, to monitor its service providers to 
confirm that they have satisfied their contractual obligations. As 
several commenters observed, the particular contractual arrangements 
that an institution may negotiate with a service provider may take 
varied forms or use general terms. As a result, some institutions may 
have existing contracts that cover the proper disposal of customer 
information and consumer information. The Agencies continue to believe 
that the parties should be allowed substantial latitude in negotiating 
the contractual terms appropriate to their arrangement in any manner 
that satisfies the objectives of the Guidelines. Accordingly, the 
Agencies have not prescribed any particular standards that relate to 
this contract requirement.
---------------------------------------------------------------------------

    \14\ III.D.2. This requirement applies to service providers 
located domestically and abroad.
---------------------------------------------------------------------------

    The Agencies have made a technical amendment to the definition of 
``service provider'' in paragraph I.C.2. to include a reference to 
``consumer information''

[[Page 77614]]

in addition to ``customer information.'' Thus the amended definition of 
service provider is ``any person or entity that maintains, processes, 
or otherwise is permitted access to customer information or consumer 
information through its provision of services directly to the bank.'' 
Consistent with section 216 and the amendments to the Guidelines, a 
financial institution's obligation with respect to a service provider 
that has access to consumer information is limited to ensuring that the 
service provider properly disposes of consumer information.
    The Agencies also have amended paragraph III.G.2. to allow a 
financial institution a reasonable period of time, after the final 
regulations are issued, to amend its contracts with its service 
providers to incorporate the necessary requirements in connection with 
the proper disposal of consumer information. After reviewing the 
comments on this provision of the proposal, which uniformly advocated a 
longer period of time for modifying contracts with service providers if 
necessary, the Agencies have determined that financial institutions 
must modify any affected contracts not later than July 1, 2006.

New Provision To Implement Measures To Properly Dispose of Consumer 
Information

    The Agencies have amended paragraph III.C. (Manage and Control 
Risk) of the Guidelines by adding a new provision to require a 
financial institution to develop, implement, and maintain, as part of 
its information security program, appropriate measures to properly 
dispose of customer information and consumer information. Like the 
provision described in the proposal, this new provision requires an 
institution to implement these measures ``in accordance with each of 
the requirements in this paragraph III.'' of the Guidelines.
    Paragraph III. of the Guidelines presently requires a financial 
institution to undertake measures to design, implement, and maintain 
its information security program to protect customer information and 
customer information systems. Because ``customer information systems'' 
is defined to include any methods used to dispose of customer 
information, a financial institution presently must use risk-based 
measures to protect customer information in the course of disposing of 
it. Building on this provision in the Guidelines, the Agencies proposed 
a provision in paragraph III.C. that would require a financial 
institution to develop controls ``in a manner consistent with the 
disposal of customer information.'' Commenters generally supported this 
provision because a financial institution would be permitted to develop 
and implement risk-based protections, rather than adopt particular 
methods for disposing of consumer information that would comply with a 
prescriptive standard.
    Under the final rule, an institution must adopt procedures and 
controls to properly dispose of ``consumer information'' and ``customer 
information.'' Instead of describing a financial institution's 
obligation to dispose of ``consumer information'' in relation to the 
standard for ``customer information'' (which is currently set forth in 
discrete provisions of the Guidelines), the Agencies have determined 
that the obligation should be stated directly and generally. A 
provision that requires each financial institution to develop and 
maintain risk-based measures to properly dispose of customer 
information and consumer information more clearly states an 
institution's responsibilities to properly dispose of both classes of 
information and is consistent with the Guidelines and the Act.
    Under this provision of the final rule, a financial institution 
must broaden the scope of its risk assessment to include an assessment 
of the reasonably foreseeable internal and external threats associated 
with the methods it uses to dispose of ``consumer information,'' and 
adjust its risk assessment in light of the relevant changes relating to 
such threats. By expressly adding this new provision, the Agencies are 
requiring a financial institution to integrate into its information 
security program each of those risk-based measures in connection with 
the disposal of ``consumer information,'' as set forth in paragraph 
III. of the Guidelines.
    Some commenters urged the Agencies to adopt a detailed standard for 
the destruction of information or criteria that define ``proper'' 
methods or levels of disposal, rather than a provision that tracks the 
general obligation imposed under section 216 of the FACT Act. Other 
commenters favored the approach set forth in the proposal and argued 
that the general duty to ``properly dispose of consumer information'' 
is appropriately suited to the varying circumstances that financial 
institutions confront.
    After reviewing the comments, the Agencies continue to believe that 
it is not necessary to propose a prescriptive rule describing proper 
methods of disposal. Nonetheless, consistent with interagency guidance 
previously issued through the Federal Financial Institutions 
Examination Council (FFIEC),\15\ the Agencies expect institutions to 
have appropriate disposal procedures for records maintained in paper-
based or electronic form. The Agencies note that an institution's 
information security program should ensure that paper records 
containing either customer or consumer information should be rendered 
unreadable as indicated by the institution's risk assessment, such as 
by shredding or any other means. Institutions also should recognize 
that computer-based records present unique disposal problems. Residual 
data frequently remains on media after erasure. Since that data can be 
recovered, additional disposal techniques should be applied to 
sensitive electronic data.\16\
---------------------------------------------------------------------------

    \15\ See FFIEC Information Technology Examination Handbook, 
Information Security Booklet, page 63 at: http://www.ffiec. gov/
ffiecinfobase/ booklets/information-- security/information-- 
security.pdf.
    \16\ See id.
---------------------------------------------------------------------------

Proposed Amendments to the Agencies' FCRA Regulations

    As set forth in the proposal, the Agencies' final rules create a 
cross-reference to the Guidelines in their respective regulations that 
implement the FCRA \17\ by adding a provision setting forth the duties 
of users of consumer reports regarding identity theft. Commenters 
generally agreed with the Agencies' proposal to create the cross-
reference. In particular, commenters supported the Agencies' proposal 
to make explicit in the regulations the rule of construction in the 
statute stating that the requirement pertaining to proper disposal 
under the FCRA shall not be construed as requiring a person to maintain 
or destroy a record containing consumer information and does not alter 
any requirement imposed under other law to maintain or destroy such a 
record.
---------------------------------------------------------------------------

    \17\ 12 CFR part 41 (OCC); 12 CFR part 222 (Board); 12 CFR part 
334 (FDIC); and 12 CFR part 571 (OTS). Several of the Agencies 
proposed establishing new parts to house their respective 
regulations implementing the FCRA in a notice of proposed rulemaking 
titled ``Fair Credit Reporting Medical Information Regulations.'' 
See 69 FR 23380 (April 28, 2004). As these regulations are not yet 
final, the new parts are established in this final rule.
---------------------------------------------------------------------------

    The new provision requires a financial institution to properly 
dispose of consumer information in accordance with the standards set 
forth in the Guidelines. This provision applies to an institution to 
the extent that the institution is covered by the scope of the 
Guidelines.\18\ The provision also

[[Page 77615]]

incorporates a rule of construction that closely tracks the terms of 
section 628(b) of the FCRA, as added by section 216 of the FACT 
Act.\19\
---------------------------------------------------------------------------

    \18\ Bank holding companies will be subject to the FTC's 
disposal rule (16 CFR part 682) and functionally regulated 
subsidiaries of financial institutions will be subject to the SEC's 
disposal rule (17 CFR part 248) or the FTC's disposal rule, as 
applicable.
    \19\ The OTS is making additional conforming changes to its 
regulations at 12 CFR 568.1 and 568.5, as well.
---------------------------------------------------------------------------

IV. Regulatory Analysis

Paperwork Reduction Act

    In accordance with the Paperwork Reduction Act of 1995 (44 U.S.C. 
3501 et seq.) and its implementing regulations at 5 CFR part 1320, 
including Appendix A.1, the Agencies have reviewed the final rules and 
determined that they contain no collections of information. The Board 
made this determination under authority delegated by the Office of 
Management and Budget.

Regulatory Flexibility Act

    In accordance with the Regulatory Flexibility Act, each agency must 
publish a final regulatory flexibility analysis with its final rule, 
unless the agency certifies that the rule will not have a significant 
economic impact on a substantial number of small entities. (5 U.S.C. 
601-612). Each of the Agencies hereby certifies that its final rule 
does not have a significant economic impact on a substantial number of 
small entities.
    The rules require a financial institution subject to the 
jurisdiction of the appropriate agency to implement appropriate 
controls designed to ensure the proper disposal of ``consumer 
information.'' A financial institution must develop and maintain these 
controls as part of implementing its existing information security 
program for ``customer information,'' as required under the 
Guidelines.\20\
---------------------------------------------------------------------------

    \20\ In 2001, the Agencies issued final Guidelines requiring 
financial institutions to develop and maintain an information 
security program, including procedures to dispose of customer 
information, and each agency provided a final regulatory flexibility 
analysis at that time. See 66 FR 8625-32 (Feb. 1, 2001).
---------------------------------------------------------------------------

    Any modifications to a financial institution's information security 
program needed to address the proper disposal of ``consumer 
information'' could be incorporated through the process the institution 
presently uses to adjust its program under paragraph III.E. of the 
Guidelines, particularly because of the similarities between customer 
information and consumer information and the measures commonly used to 
properly dispose of both types of information. To the extent that these 
rules impose new requirements for certain types of ``consumer 
information,'' developing appropriate measures to properly dispose of 
that information likely would require only a minor modification of an 
institution's existing information security program.
    Because some ``consumer information'' will be ``customer 
information'' and because segregating particular records for special 
treatment may entail considerable costs, the Agencies believe that many 
banks and savings associations, including small institutions, already 
are likely to have implemented measures to properly dispose of both 
``customer'' and ``consumer'' information. In addition, the Agencies, 
through the Federal Financial Institutions Examination Council (FFIEC), 
already have issued guidance regarding their expectations concerning 
the proper disposal of all of an institution's paper and electronic 
records. See FFIEC Information Technology Examination Handbook, 
Information Security Booklet, December 2002, p. 63.\21\ Therefore, the 
rules do not require any significant changes for institutions that 
currently have procedures and systems designed to comply with this 
guidance.
---------------------------------------------------------------------------

    \21\ See footnote 15, supra.
---------------------------------------------------------------------------

    The Agencies anticipate that, in light of current practices 
relating to the disposal of information in accordance with the 
Guidelines and the guidance issued by the FFIEC, the final rules will 
not impose undue costs on financial institutions. Therefore, the 
Agencies believe that the controls that small financial institutions 
will develop and implement, if any, to comply with the rules likely 
pose a minimal economic impact on those entities.

FDIC--Small Business Regulatory Enforcement Fairness Act

    The Small Business Regulatory Enforcement Fairness Act of 1996 
(SBREFA) (Pub. L. 104-121, 110 Stat. 857) provides generally for 
agencies to report rules to Congress and for Congress to review these 
rules. The reporting requirement is triggered in instances where the 
FDIC issues a final rule as defined by the Administrative Procedure Act 
(APA) (5 U.S.C. 551, et seq.). Because the FDIC is issuing a final rule 
as defined by the APA, the FDIC will file the reports required by 
SBREFA.

OCC and OTS Executive Order 12866 Determination

    The OCC and OTS each have determined that this rule is not a 
``significant regulatory action'' under Executive Order 12866.

OCC and OTS Unfunded Mandates Reform Act of 1995 Determination

    Under Section 202 of the Unfunded Mandates Reform Act of 1995, Pub. 
L. 104-4 (2 U.S.C. 1532) (Unfunded Mandates Act), the OCC and OTS must 
prepare budgetary impact statements before promulgating any rule likely 
to result in a federal mandate that may result in the expenditure by 
state, local, and tribal governments, in the aggregate, or by the 
private sector of $100 million or more in any one year. If a budgetary 
impact statement is required, under section 205 of the Unfunded 
Mandates Act, the OCC and OTS must identify and consider a reasonable 
number of regulatory alternatives before promulgating a rule.
    For the reasons outlined earlier, the OCC and OTS have determined 
that this proposal will not result in expenditures by state, local, and 
tribal governments, or by the private sector, of $100 million or more, 
in any one year. Accordingly, a budgetary impact statement is not 
required under section 202 of the Unfunded Mandates Reform Act of 1995 
and this rulemaking requires no further analysis under the Unfunded 
Mandates Act.

List of Subjects

12 CFR Part 30

    Banks, Banking, Consumer protection, National banks, Privacy, 
Reporting and recordkeeping requirements.

12 CFR Part 41

    Banks, Banking, Consumer protection, National Banks, Reporting and 
recordkeeping requirements.

12 CFR Part 208

    Banks, Banking, Consumer protection, Information, Privacy, 
Reporting and recordkeeping requirements.

12 CFR Part 211

    Exports, Foreign banking, Holding companies, Reporting and 
recordkeeping requirements.

12 CFR Part 222

    Banks, Banking, Holding companies, State member banks.

12 CFR Part 225

    Banks, Banking, Holding companies, Reporting and recordkeeping 
requirements.

12 CFR Part 334

    Administrative practice and procedure, Bank deposit insurance, 
Banks, Banking, Reporting and recordkeeping requirements, Safety and 
Soundness.

[[Page 77616]]

12 CFR Part 364

    Administrative practice and procedure, Bank deposit insurance, 
Banks, Banking, Reporting and recordkeeping requirements, Safety and 
Soundness.

12 CFR Part 568

    Consumer protection, Privacy, Reporting and recordkeeping 
requirements, Savings associations, Security measures.

12 CFR Part 570

    Accounting, Administrative practice and procedure, Bank deposit 
insurance, Consumer protection, Holding companies, Privacy, Reporting 
and recordkeeping requirements, Safety and soundness, Savings 
associations.

12 CFR Part 571

    Consumer protection, Credit, Fair Credit Reporting Act, Privacy, 
Reporting and recordkeeping requirements, Savings associations.

Department of the Treasury

Office of the Comptroller of the Currency

12 CFR CHAPTER I

Authority and Issuance

0
For the reasons discussed in the joint preamble, the Office of the 
Comptroller of the Currency amends chapter V of title 12 of the Code of 
Federal Regulations by amending 12 CFR part 30 and adding a new part 41 
as follows:

PART 30--SAFETY AND SOUNDNESS STANDARDS

0
1. The authority citation for part 30 is revised to read as follows:

    Authority: 12 U.S.C. 93a, 1818, 1831-p and 3102(b); 15 U.S.C. 
1681s, 1681w, 6801, and 6805(b)(1).

0
2. Appendix B to part 30 is amended by:

0
a. Revising the heading for Appendix B to part 30 entitled 
``Interagency Guidelines Establishing Standards for Safeguarding 
Customer Information'' to read ``Interagency Guidelines Establishing 
Information Security Standards'' wherever it appears in Title 12, 
Chapter 2, part 30;
0
b. Revising paragraph I. Introduction;
0
c. Revising paragraph I.A. by adding a new sentence at the end of the 
paragraph;
0
d. Redesignating paragraphs I.C.2.b. through e. as paragraphs I.C.2.d. 
through g., respectively;
0
e. Adding new paragraphs I.C.2.b. and c., and amending redesignated 
paragraph g.;
0
f. Revising the heading for paragraph II. entitled ``Standards for 
Safeguarding Customer Information'' to read ``Standards for Information 
Security'';
0
g. Removing in paragraph II.B.2. the word ``and'' at the end of the 
sentence;
0
h. Removing in paragraph II.B.3. the period at the end of the sentence 
and replacing it with ``; and;''
0
i. Adding a new paragraph II.B.4.;
0
j. Adding a new paragraph III.C.4.; and
0
k. Adding new paragraphs III.G.3. and 4. to read as follows:

Appendix B to Part 30--Interagency Guidelines Establishing Information 
Security Standards

* * * * *
    I. Introduction
    The Interagency Guidelines Establishing Information Security 
Standards (Guidelines) set forth standards pursuant to section 39 of 
the Federal Deposit Insurance Act (section 39, codified at 12 U.S.C. 
1831p-1), and sections 501 and 505(b), codified at 15 U.S.C. 6801 
and 6805(b) of the Gramm-Leach Bliley Act. These Guidelines address 
standards for developing and implementing administrative, technical, 
and physical safeguards to protect the security, confidentiality, 
and integrity of customer information. These Guidelines also address 
standards with respect to the proper disposal of consumer 
information, pursuant to sections 621 and 628 of the Fair Credit 
Reporting Act (15 U.S.C. 1681s and 1681w).
    A. Scope. * * * The Guidelines also apply to the proper disposal 
of consumer information by or on behalf of such entities.
* * * * *
    C. Definitions. * * *
    2. * * *b. Consumer information means any record about an 
individual, whether in paper, electronic, or other form, that is a 
consumer report or is derived from a consumer report and that is 
maintained or otherwise possessed by or on behalf of the bank for a 
business purpose. Consumer information also means a compilation of 
such records. The term does not include any record that does not 
identify an individual.
    i. Examples. (1) Consumer information includes:
    (A) A consumer report that a bank obtains;
    (B) Information from a consumer report that the bank obtains 
from its affiliate after the consumer has been given a notice and 
has elected not to opt out of that sharing;
    (C) Information from a consumer report that the bank obtains 
about an individual who applies for but does not receive a loan, 
including any loan sought by an individual for a business purpose;
    (D) Information from a consumer report that the bank obtains 
about an individual who guarantees a loan (including a loan to a 
business entity); or
    (E) Information from a consumer report that the bank obtains 
about an employee or prospective employee.
    (2) Consumer information does not include:
    (A) Aggregate information, such as the mean credit score, 
derived from a group of consumer reports; or
    (B) Blind data, such as payment history on accounts that are not 
personally identifiable, that may be used for developing credit 
scoring models or for other purposes.
    c. Consumer report has the same meaning as set forth in the Fair 
Credit Reporting Act, 15 U.S.C. 1681a(d).
* * * * *
    g. Service provider means any person or entity that maintains, 
processes, or otherwise is permitted access to customer information 
or consumer information through its provision of services directly 
to the bank.
* * * * *

II. * * *

    B. * * *
    4. Ensure the proper disposal of customer information and 
consumer information.

III. * * *

    C. * * *
    4. Develop, implement, and maintain, as part of its information 
security program, appropriate measures to properly dispose of 
customer information and consumer information in accordance with 
each of the requirements of this paragraph III.
* * * * *
    G. Implement the Standards. * * *
    3. Effective date for measures relating to the disposal of 
consumer information. Each bank must satisfy these Guidelines with 
respect to the proper disposal of consumer information by July 1, 
2005.
    4. Exception for existing agreements with service providers 
relating to the disposal of consumer information. Notwithstanding 
the requirement in paragraph III.G.3., a bank's contracts with its 
service providers that have access to consumer information and that 
may dispose of consumer information, entered into before July 1, 
2005, must comply with the provisions of the Guidelines relating to 
the proper disposal of consumer information by July 1, 2006.
0
3. Add part 41 to read as follows:

PART 41--FAIR CREDIT REPORTING

Subpart A--General Provisions

Sec.
41.1 Purpose.
41.2 [Reserved]
41.3 Definitions.

Subparts B-H--[Reserved]

Subpart I--Duties of Users of Consumer Reports Regarding Identity 
Theft


Sec.  41.80-82  [Reserved]


Sec.  41.83  Disposal of consumer information

    Authority: 12 U.S.C. 1 et seq., 24 (Seventh), 93a, 481, 484, and 
1818; 15 U.S.C. 1681s, 1681w, 6801 and 6805.

Subpart A--General Provisions


Sec.  41.1  Purpose.

    (a) Purpose. The purpose of this part is to establish standards for 
national banks regarding consumer report information. In addition, the 
purpose of

[[Page 77617]]

this part is to specify the extent to which national banks may obtain, 
use, or share certain information. This part also contains a number of 
measures national banks must take to combat consumer fraud and related 
crimes, including identity theft.
    (b) [Reserved]


Sec.  41.2  [Reserved]


Sec.  41.3  Definitions.

    As used in this part, unless the context requires otherwise:
    (a)-(d) [Reserved]
    (e) Consumer means an individual.
    (f)-(n) [Reserved]

Subparts B-H--[Reserved]

Subpart I--Duties of Users of Consumer Reports Regarding Identity 
Theft


Sec.  41.80-82  [Reserved]


Sec.  41.83  Disposal of consumer information.

    (a) Definitions as used in this section. (1) Bank means national 
banks, Federal branches and agencies of foreign banks, and their 
respective operating subsidiaries.
    (b) In general. Each bank must properly dispose of any consumer 
information that it maintains or otherwise possesses in accordance with 
the Interagency Guidelines Establishing Information Security Standards, 
as set forth in appendix B to 12 CFR part 30, to the extent that the 
bank is covered by the scope of the Guidelines.
    (c) Rule of construction. Nothing in this section shall be 
construed to:
    (1) Require a bank to maintain or destroy any record pertaining to 
a consumer that is not imposed under any other law; or
    (2) Alter or affect any requirement imposed under any other 
provision of law to maintain or destroy such a record.

    Dated: December 16, 2004.
Julie L. Williams,
Acting Comptroller of the Currency.

Federal Reserve System

12 CFR Chapter II

Authority and Issuance

0
For the reasons set forth in the joint preamble, parts 208, 211, 222, 
and 225 of chapter II of title 12 of the Code of Federal regulations 
are amended as follows:

PART 208--MEMBERSHIP OF STATE BANKING INSTITUTIONS IN THE FEDERAL 
RESERVE SYSTEM (REGULATION H)

0
1. The authority citation for 12 CFR part 208 is revised to read as 
follows:

    Authority: 12 U.S.C. 24, 36, 92a, 93a, 248(a), 248(c), 321-338a, 
371d, 461, 481-486, 601, 611, 1814, 1816, 1820(d)(9), 1823(j), 
1828(o), 1831, 1831o, 1831p-1, 1831r-1, 1831w, 1831x, 1835a, 1882, 
2901-2907, 3105, 3310, 3331-3351, and 3906-3909, 15 U.S.C. 78b, 
78l(b), 78l(g), 78l(i), 78o-4(c)(5), 78q, 78q-1, 78w, 1681s, 1681w, 
6801 and 6805; 31 U.S.C. 5318, 42 U.S.C. 4012a, 4104a, 4104b, 4106, 
and 4128.

0
2. In Sec.  208.3 revise paragraph (d)(1) to read as follows:


Sec.  208.3  Application and conditions for membership in the Federal 
Reserve System.

* * * * *
    (d) Conditions of membership. (1) Safety and soundness. Each member 
bank shall at all times conduct its business and exercise its powers 
with due regard to safety and soundness. Each member bank shall comply 
with the Interagency Guidelines Establishing Standards for Safety and 
Soundness prescribed pursuant to section 39 of the FDI Act (12 U.S.C. 
1831p-1), set forth in appendix D-1 to this part, and the Interagency 
Guidelines Establishing Information Security Standards prescribed 
pursuant to sections 501 and 505 of the Gramm-Leach-Bliley Act (15 
U.S.C. 6801 and 6805) and section 216 of the Fair and Accurate Credit 
Transactions Act of 2003 (15 U.S.C. 1681w), set forth in appendix D-2 
to this part.
* * * * *
0
3. Amend Appendix D-2 to part 208, as follows:
0
a. The heading for Appendix D-2 to Part 208 entitled ``Interagency 
Guidelines Establishing Standards for Safeguarding Customer 
Information'' is revised to read ``Interagency Guidelines Establishing 
Information Security Standards'' wherever it appears in Title 12, 
chapter 2, part 208;
0
b. In section I., Introduction, a new sentence is added at the end of 
the introductory paragraph.
0
c. In section I.A., Scope, a new sentence is added at the end of the 
paragraph.
0
d. In section I.C.2., paragraphs b. through f. are redesignated as 
paragraphs 2.d. through 2.h., respectively, new paragraphs 2.b. and 
2.c. are added and redesignated paragraph g. is amended.
0
e. In paragraph II. the heading entitled ``Standards for Safeguarding 
Customer Information'' is revised to read ``Standards for Information 
Security''.
0
f. At the end of paragraph II.B.2. the word ``and'' is removed.
0
g. At the end of paragraph II.B.3 the period is removed and replaced 
with ``; and''.
0
h. In section II.B. a new paragraph 4. is added.
0
i. In section III.C., Manage and Control Risk, a new paragraph 4. is 
added.
0
j. In section III.G., Implement the Standards, new paragraphs 3. and 4. 
are added.

Appendix D-2 to Part 208--Interagency Guidelines Establishing 
Information Security Standards

* * * * *
    I. * * *
    * * * These Guidelines also address standards with respect to 
the proper disposal of consumer information, pursuant to sections 
621 and 628 of the Fair Credit Reporting Act (15 U.S.C. 1681s and 
1681w).
    A. Scope. * * * These Guidelines also apply to the proper 
disposal of consumer information by or on behalf of such entities.
* * * * *
    C. * * *
    2. * * *
    b. Consumer information means any record about an individual, 
whether in paper, electronic, or other form, that is a consumer 
report or is derived from a consumer report and that is maintained 
or otherwise possessed by or on behalf of the bank for a business 
purpose. Consumer information also means a compilation of such 
records. The term does not include any record that does not identify 
an individual.
    i. Examples. (1) Consumer information includes:
    (A) A consumer report that a bank obtains;
    (B) Information from a consumer report that the bank obtains 
from its affiliate after the consumer has been given a notice and 
has elected not to opt out of that sharing;
    (C) Information from a consumer report that the bank obtains 
about an individual who applies for but does not receive a loan, 
including any loan sought by an individual for a business purpose;
    (D) Information from a consumer report that the bank obtains 
about an individual who guarantees a loan (including a loan to a 
business entity); or
    (E) Information from a consumer report that the bank obtains 
about an employee or prospective employee.
    (2) Consumer information does not include:
    (A) Aggregate information, such as the mean credit score, 
derived from a group of consumer reports; or
    (B) Blind data, such as payment history on accounts that are not 
personally identifiable, that may be used for developing credit 
scoring models or for other purposes.
    c. Consumer report has the same meaning as set forth in the Fair 
Credit Reporting Act, 15 U.S.C. 1681a(d).
* * * * *
    g. Service provider means any person or entity that maintains, 
processes, or otherwise is permitted access to customer information

[[Page 77618]]

or consumer information through its provision of services directly 
to the bank.
* * * * *
    II. * * *
    B. * * *
    4. Ensure the proper disposal of customer information and 
consumer information.
* * * * *
    III. * * *
    C. * * *
    4. Develop, implement, and maintain, as part of its information 
security program, appropriate measures to properly dispose of 
customer information and consumer information in accordance with 
each of the requirements in this paragraph III.
* * * * *
    G. * * *
    3. Effective date for measures relating to the disposal of 
consumer information. Each bank must satisfy these Guidelines with 
respect to the proper disposal of consumer information by July 1, 
2005.
    4. Exception for existing agreements with service providers 
relating to the disposal of consumer information. Notwithstanding 
the requirement in paragraph III.G.3., a bank's contracts with its 
service providers that have access to consumer information and that 
may dispose of consumer information, entered into before July 1, 
2005, must comply with the provisions of the Guidelines relating to 
the proper disposal of consumer information by July 1, 2006.

PART 211--INTERNATIONAL BANKING OPERATIONS (REGULATION K)

0
4. The authority citation for part 211 is revised to read as follows:

    Authority: 12 U.S.C. 221 et seq., 1818, 1835a, 1841 et seq., 
3101 et seq., and 3901 et seq.; 15 U.S.C. 1681s, 1681w, 6801 and 
6805.

0
5. In Sec.  211.5, revise paragraph (l) to read as follows:


Sec.  211.5  Edge and agreement corporations.

* * * * *
    (l) Protection of customer information and consumer information. An 
Edge or agreement corporation shall comply with the Interagency 
Guidelines Establishing Information Security Standards prescribed 
pursuant to sections 501 and 505 of the Gramm-Leach-Bliley Act (15 
U.S.C. 6801 and 6805) and, with respect to the proper disposal of 
consumer information, section 216 of the Fair and Accurate Credit 
Transactions Act of 2003 (15 U.S.C. 1681w), set forth in appendix D-2 
to part 208 of this chapter.
* * * * *

0
6. In Sec.  211.24, revise paragraph (i) to read as follows:


Sec.  211.24  Approval of offices of foreign banks; procedures for 
applications; standards for approval; representative-office activities 
and standards for approval; preservation of existing authority.

* * * * *
    (i) Protection of customer information and consumer information. An 
uninsured state-licensed branch or agency of a foreign bank shall 
comply with the Interagency Guidelines Establishing Information 
Security Standards prescribed pursuant to sections 501 and 505 of the 
Gramm-Leach-Bliley Act (15 U.S.C. 6801 and 6805) and, with respect to 
the proper disposal of consumer information, section 216 of the Fair 
and Accurate Credit Transactions Act of 2003 (15 U.S.C. 1681w), set 
forth in appendix D-2 to part 208 of this chapter.

PART 222--FAIR CREDIT REPORTING (REGULATION V)

0
7. The authority citation for part 222 is revised to read as follows:

    Authority: 15 U.S.C. 1681, 1681b, 1681s, 1681s-2, and 1681w.

0
8. In Sec.  222.1(b)(2)(i) remove the phrase ``paragraph (b)(2)'' and 
add in its place the word ``part''.

0
9. Add a new subpart I to read as follows:

Subparts B-H--[Reserved]

Subpart I--Duties of Users of Consumer Reports Regarding Identity 
Theft


Sec.  222.80-82  [Reserved]


Sec.  222.83  Disposal of consumer information.

    (a) Definitions as used in this section. (1) You means member banks 
of the Federal Reserve System (other than national banks) and their 
respective operating subsidiaries, branches and agencies of foreign 
banks (other than Federal branches, Federal agencies and insured State 
branches of foreign banks), commercial lending companies owned or 
controlled by foreign banks, and organizations operating under section 
25 or 25A of the Federal Reserve Act (12 U.S.C. 601 et seq., 611 et 
seq.).
    (b) In general. You must properly dispose of any consumer 
information that you maintain or otherwise possess in accordance with 
the Interagency Guidelines Establishing Information Security Standards, 
as required under sections 208.3(d) (Regulation H), 211.5(l) and 
211.24(i) (Regulation K) of this chapter, to the extent that you are 
covered by the scope of the Guidelines.
    (c) Rule of construction. Nothing in this section shall be 
construed to:
    (1) Require you to maintain or destroy any record pertaining to a 
consumer that is not imposed under any other law; or
    (2) Alter or affect any requirement imposed under any other 
provision of law to maintain or destroy such a record.

PART 225--BANK HOLDING COMPANIES AND CHANGE IN BANK CONTROL 
(REGULATION Y)

0
10. In section 225.4, revise paragraph (h) to read as follows:


Sec.  225.4  Corporate practices.

* * * * *
    (h) Protection of customer information and consumer information. A 
bank holding company shall comply with the Interagency Guidelines 
Establishing Information Security Standards, as set forth in appendix F 
of this part, prescribed pursuant to sections 501 and 505 of the Gramm-
Leach-Bliley Act (15 U.S.C. 6801 and 6805). A bank holding company 
shall properly dispose of consumer information in accordance with the 
rules set forth at 16 CFR part 682.
* * * * *

0
11. Amend Appendix F to part 225, as follows:
0
a. The heading for Appendix F to Part 225 entitled ``Interagency 
Guidelines Establishing Standards for Safeguarding Customer 
Information'' is revised to read ``Interagency Guidelines Establishing 
Information Security Standards'' wherever it appears in Title 12, 
Chapter 2, Part 225.

    By order of the Board of Governors of the Federal Reserve 
System, December 16, 2004.
Jennifer J. Johnson,
Secretary of the Board.

Federal Deposit Insurance Corporation

12 CFR Chapter III

Authority and Issuance

0
For the reasons set forth in the joint preamble, the Federal Deposit 
Insurance Corporation amends parts 334 and 364 of chapter III of title 
12 of the Code of Federal Regulations to read as follows:

PART 334--FAIR CREDIT REPORTING

Subparts A-H--[Reserved]

0
1. The authority citation for part 334 reads as follows:

    Authority: 12 U.S.C. 1818 and 1819 (Tenth); 15 U.S.C. 1681b, 
1681s, and 1681w.


0
2. Add a new subpart I to read as follows:
Subpart I--Duties of Users of Consumer Reports Regarding Identity Theft
Sec.

[[Page 77619]]

334.80-334.82 [Reserved]
334.83 Disposal of consumer information.

Subpart I--Duties of Users of Consumer Reports Regarding Identity 
Theft


Sec.  334.80-334.82  [Reserved]


Sec.  334.83  Disposal of consumer information.

    (a) In general. You must properly dispose of any consumer 
information that you maintain or otherwise possess in accordance with 
the Interagency Guidelines Establishing Information Security Standards, 
as set forth in appendix B to part 364 of this chapter, prescribed 
pursuant to section 216 of the Fair and Accurate Credit Transactions 
Act of 2003 (15 U.S.C. 1681w) and section 501(b) of the Gramm-Leach-
Bliley Act (15 U.S.C. 6801(b)), to the extent the Guidelines are 
applicable to you.
    (b) Rule of construction. Nothing in this section shall be 
construed to:
    (1) Require you to maintain or destroy any record pertaining to a 
consumer that is not imposed under any other law; or
    (2) Alter or affect any requirement imposed under any other 
provision of law to maintain or destroy such a record.

PART 364--STANDARDS FOR SAFETY AND SOUNDNESS

0
3. The authority citation for part 364 is revised to read as follows:

    Authority: 12 U.S.C. 1819(Tenth), 1831p-1; 15 U.S.C. 1681s, 
1681w, 6801(b), 6805(b)(1).


0
4. Revise Sec.  364.101(b) to read as follows:


Sec.  364.101  Standards for safety and soundness.

* * * * *
    (b) Interagency Guidelines Establishing Information Security 
Standards. The Interagency Guidelines Establishing Information Security 
Standards prescribed pursuant to section 39 of the Federal Deposit 
Insurance Act (12 U.S.C. 1831p-1), and sections 501 and 505(b) of the 
Gramm-Leach-Bliley Act (15 U.S.C. 6801, 6805(b)), and with respect to 
the proper disposal of consumer information requirements pursuant to 
section 628 of the Fair Credit Reporting Act (15 U.S.C. 1681w), as set 
forth in appendix B to this part, apply to all insured state nonmember 
banks, insured state licensed branches of foreign banks, and any 
subsidiaries of such entities (except brokers, dealers, persons 
providing insurance, investment companies, and investment advisers).

0
5. In Appendix B to part 364:
0
a. The heading for Appendix B to part 364 entitled ``Interagency 
Guidelines Establishing Standards for Safeguarding Customer 
Information'' is revised to read ``Interagency Guidelines Establishing 
Information Security Standards'' wherever it appears in Title 12, 
Chapter 2, part 364.
0
b. In the Introduction, the first sentence is revised and a new 
sentence is added at the end of the introductory paragraph.
0
c. In section I.A., Scope, the first sentence is revised.
0
d. In section I.C.2., Definitions, paragraphs 2.b. through 2.e. are 
redesignated as paragraphs 2.d. through 2.g., respectively, new 
paragraphs 2.b. and 2.c. are added and redesignated paragraph g. is 
revised.
0
e. In paragraph II. the heading entitled ``Standards for Safeguarding 
Customer Information'' is revised to read ``Standards for Information 
Security''.
0
f. At the end of paragraph II.B.2. the word ``and'' is removed.
0
g. At the end of paragraph II.B.3 the period is removed and replaced 
with ``; and''.
0
h. In section II.B. a new paragraph 4. is added.
0
i. In section III.C., Manage and Control Risk, a new paragraph 4. is 
added.

0
j. In section III.G, Implement the Standards, new paragraphs 3. and 4. 
are added.

Appendix B to Part 364--Interagency Guidelines Establishing Information 
Security Standards

* * * * *
    I. Introduction
    The Interagency Guidelines Establishing Information Security 
Standards (Guidelines) set forth standards pursuant to section 39 of 
the Federal Deposit Insurance Act, 12 U.S.C. 1831p-1, and sections 
501 and 505(b), 15 U.S.C. 6801 and 6805(b), of the Gramm-Leach-
Bliley Act. * * * These Guidelines also address standards with 
respect to the proper disposal of consumer information pursuant to 
sections 621 and 628 of the Fair Credit Reporting Act (15 U.S.C. 
1681s and 1681w).
    A. Scope. The Guidelines apply to customer information 
maintained by or on behalf of, and to the disposal of consumer 
information by or on behalf of, entities over which the Federal 
Deposit Insurance Corporation (FDIC) has authority. * * *
* * * * *
    I. * * *
    C. * * *
    2. * * *
    b. Consumer information means any record about an individual, 
whether in paper, electronic, or other form, that is a consumer 
report or is derived from a consumer report and that is maintained 
or otherwise possessed by or on behalf of the bank for a business 
purpose. Consumer information also means a compilation of such 
records. The term does not include any record that does not 
personally identify an individual.
    i. Examples: (1) Consumer information includes:
    (A) A consumer report that a bank obtains;
    (B) information from a consumer report that the bank obtains 
from its affiliate after the consumer has been given a notice and 
has elected not to opt out of that sharing;
    (C) information from a consumer report that the bank obtains 
about an individual who applies for but does not receive a loan, 
including any loan sought by an individual for a business purpose;
    (D) information from a consumer report that the bank obtains 
about an individual who guarantees a loan (including a loan to a 
business entity); or
    (E) information from a consumer report that the bank obtains 
about an employee or prospective employee.
    (2) Consumer information does not include:
    (A) aggregate information, such as the mean score, derived from 
a group of consumer reports; or
    (B) blind data, such as payment history on accounts that are not 
personally identifiable, that may be used for developing credit 
scoring models or for other purposes.
    c. Consumer report has the same meaning as set forth in the Fair 
Credit Reporting Act, 15 U.S.C. 1681a(d).
* * * * *
    g. Service provider means any person or entity that maintains, 
processes, or otherwise is permitted access to customer information 
or consumer information through its provision of services directly 
to the bank.
* * * * *
    II. * * *
    B. Objectives. * * *
    4. Ensure the proper disposal of customer information and 
consumer information.
    III. * * *
    C. * * *
    4. Develop, implement, and maintain, as part of its information 
security program, appropriate measures to properly dispose of 
customer information and consumer information in accordance with 
each of the requirements of this paragraph III.
    III. * * *
    G. * * *
    3. Effective date for measures relating to the disposal of 
consumer information. Each bank must satisfy these Guidelines with 
respect to the proper disposal of consumer information by July 1, 
2005.
    4. Exception for existing agreements with service providers 
relating to the disposal of consumer information. Notwithstanding 
the requirement in paragraph III.G.3., a bank's contracts with its 
service providers that have access to consumer information and that 
may dispose of consumer information, entered into before July 1, 
2005, must comply with the provisions of the Guidelines relating to 
the proper disposal of consumer information by July 1, 2006.

    By order of the Board of Directors.

    Dated at Washington, DC this 7th day of December, 2004.

[[Page 77620]]

Federal Deposit Insurance Corporation.
Robert E. Feldman,
Executive Secretary.

Office of Thrift Supervision

12 CFR Chapter V

Authority and Issuance

0
For the reasons set forth in the joint preamble, the Office of Thrift 
Supervision amends chapter V of title 12 of the Code of Federal 
Regulations by amending parts 568 and 570 and adding a new part 571 as 
follows:

PART 568--SECURITY PROCEDURES

0
1. The authority citation for part 568 is revised to read as follows:

    Authority: 12 U.S.C. 1462a, 1463, 1464, 1467a, 1828, 1831p-1, 
1881-1884; 15 U.S.C. 1681s and 1681w; 15 U.S.C. 6801 and 6805(b)(1).


0
2. Revise the part heading for part 568 to read as shown above.

0
3. Revise the first sentence of Sec.  568.1(a) to read as follows:


Sec.  568.1  Authority, purpose, and scope.

    (a) This part is issued by the Office of Thrift Supervision (OTS) 
under section 3 of the Bank Protection Act of 1968 (12 U.S.C 1882), 
sections 501 and 505(b)(1) of the Gramm-Leach-Bliley Act (15 U.S.C. 
6801 and 6805(b)(1)), and sections 621 and 628 of the Fair Credit 
Reporting Act (15 U.S.C. 1681s and 1681w). * * *
* * * * *
0
4. Revise Sec.  568.5 to read as follows:


Sec.  568.5  Protection of customer information.

    Savings associations and their subsidiaries (except brokers, 
dealers, persons providing insurance, investment companies, and 
investment advisers) must comply with the Interagency Guidelines 
Establishing Information Security Standards set forth in appendix B to 
part 570 of this chapter.

PART 570--SAFETY AND SOUNDNESS GUIDELINES AND COMPLIANCE PROCEDURES

0
6. The authority citation for part 570 is revised to read as follows:

    Authority: 12 U.S.C. 1462a, 1463, 1464, 1467a, 1828, 1831p-1, 
1881-1884; 15 U.S.C. 1681s and 1681w; 15 U.S.C. 6801 and 6805(b)(1).


0
7. Amend Sec.  570.1(b) by removing the phrase ``Interagency Guidelines 
Establishing Standards for Safeguarding Customer Information'' and 
adding the phrase ``Interagency Guidelines Establishing Information 
Security Standards'' in its place.

0
8. Amend Sec.  570.1(c) by removing the phrase ``Interagency Guidelines 
Establishing Standards for Safeguarding Customer Information, and 
adding the phrase ``Interagency Guidelines Establishing Information 
Security Standards'' in its place.

0
9. Amend Sec.  570.2(a) by removing the phrase ``Interagency Guidelines 
Establishing Standards for Safeguarding Customer Information'' and 
adding the phrase ``Interagency Guidelines Establishing Information 
Security Standards'' in its place.

0
10. Amend Appendix B to part 570 by:
0
a. Revising the heading;
0
b. Revising the introductory paragraph of section I. Introduction;
0
c. Adding a new sentence to the end of paragraph I.A. Scope;
0
d. Redesignating paragraphs 2.a. through 2.d. of paragraph I.C.2. 
Definitions as paragraphs 2.c. through 2.f., respectively, adding new 
paragraphs 2.a. and 2.b., and amending redesignated paragraph f.;
0
e. Revising the heading for section II.;
0
f. Removing the word ``and'' at the end of paragraph II.B.2.;
0
g. Removing the period at the end of paragraph II.B.3 and replacing it 
with ``; and'';
0
h. Adding a new paragraph II.B.4.;
0
i. Adding a new paragraph 4. to paragraph III.C. Manage and Control 
Risk; and
0
j. Adding new paragraphs 3. and 4. to paragraph III.G. Implement the 
Standards.

Appendix B to Part 570--Interagency Guidelines Establishing Information 
Security Standards

* * * * *
    I. Introduction
    The Interagency Guidelines Establishing Information Security 
Standards (Guidelines) set forth standards pursuant to section 39(a) 
of the Federal Deposit Insurance Act (12 U.S.C. 1831p-1), and 
sections 501 and 505(b) of the Gramm-Leach-Bliley Act (15 U.S.C. 
6801 and 6805(b)). These Guidelines address standards for developing 
and implementing administrative, technical, and physical safeguards 
to protect the security, confidentiality, and integrity of customer 
information. These Guidelines also address standards with respect to 
the proper disposal of consumer information, pursuant to sections 
621 and 628 of the Fair Credit Reporting Act (15 U.S.C. 1681s and 
1681w).
    A. Scope. * * * These Guidelines also apply to the proper 
disposal of consumer information by or on behalf of such entities.
* * * * *
    C. Definitions. * * *
    2. * * *
    a. Consumer information means any record about an individual, 
whether in paper, electronic, or other form, that is a consumer 
report or is derived from a consumer report and that is maintained 
or otherwise possessed by you or on your behalf for a business 
purpose. Consumer information also means a compilation of such 
records. The term does not include any record that does not identify 
an individual.
    i. Examples. (1) Consumer information includes:
    (A) A consumer report that a savings association obtains;
    (B) Information from a consumer report that you obtain from your 
affiliate after the consumer has been given a notice and has elected 
not to opt out of that sharing;
    (C) Information from a consumer report that you obtain about an 
individual who applies for but does not receive a loan, including 
any loan sought by an individual for a business purpose;
    (D) Information from a consumer report that you obtain about an 
individual who guarantees a loan (including a loan to a business 
entity); or
    (E) Information from a consumer report that you obtain about an 
employee or prospective employee.
    (2) Consumer information does not include:
    (A) Aggregate information, such as the mean credit score, 
derived from a group of consumer reports; or
    (B) Blind data, such as payment history on accounts that are not 
personally identifiable, that may be used for developing credit 
scoring models or for other purposes.
    b. Consumer report has the same meaning as set forth in the Fair 
Credit Reporting Act, 15 U.S.C. 1681a(d).
* * * * *
    f. Service provider means any person or entity that maintains, 
processes, or otherwise is permitted access to customer information 
or consumer information, through its provision of services directly 
to you.

II. Standards for Information Security * * *

    B. Objectives. * * *
    4. Ensure the proper disposal of customer information and 
consumer information.
    III. * * *
    C. Manage and Control Risk. * * *
    4. Develop, implement, and maintain, as part of your information 
security program, appropriate measures to properly dispose of 
customer information and consumer information in accordance with 
each of the requirements in this paragraph III.
* * * * *
    G. Implement the Standards. * * *
    3. Effective date for measures relating to the disposal of 
consumer information. You must satisfy these Guidelines with respect 
to the proper disposal of consumer information by July 1, 2005.
    4. Exception for existing agreements with service providers 
relating to the disposal of consumer information. Notwithstanding 
the requirement in paragraph III.G.3., your contracts with service 
providers that have access to consumer information and that may 
dispose of consumer information, entered into before July 1, 2005, 
must comply with the provisions of the Guidelines relating to the 
proper disposal of consumer information by July 1, 2006.

[[Page 77621]]


0
11. Add a new part 571 to read as follows:

PART 571--FAIR CREDIT REPORTING

Subpart A--General Provisions
Sec.
571.1 Purpose and scope.
571.2 [Reserved]
571.3 Definitions.
Subparts B-H [Reserved]
Subpart I--Duties of Users of Consumer Reports Regarding Identity Theft
571.80-82 [Reserved]
Sec.  571.83 Disposal of consumer information.

    Authority: 12 U.S.C. 1462a, 1463, 1464, 1467a, 1828, 1831p-1, 
1881-1884; 15 U.S.C. 1681s and 1681w; 15 U.S.C. 6801 and 6805(b)(1).

Subpart A--General Provisions


Sec.  571.1  Purpose and scope.

    (a) Purpose. The purpose of this part is to establish standards 
regarding consumer report information. In addition, the purpose of this 
part is to specify the extent to which you may obtain, use, or share 
certain information. This part also contains a number of measures you 
must take to combat consumer fraud and related crimes, including 
identity theft.
    (b) Scope.
    (1) [Reserved]
    (2) Institutions covered. (i) Except as otherwise provided in this 
paragraph (b)(2), this part applies to savings associations whose 
deposits are insured by the Federal Deposit Insurance Corporation (and 
federal savings association operating subsidiaries in accordance with 
Sec.  559.3(h)(1) of this chapter).
    (ii) [Reserved]
    (iii) [Reserved]


Sec.  571.2  [Reserved]


Sec.  571.3  Definitions.

    As used in this part, unless the context requires otherwise:
    (a)-(d) [Reserved]
    (e) Consumer means an individual.
    (f)-(n) [Reserved]
    (o) You means savings associations whose deposits are insured by 
the Federal Deposit Insurance Corporation and federal savings 
association operating subsidiaries.

Subparts B-H [Reserved]

Subpart I--Duties of Users of Consumer Reports Regarding Identity 
Theft


Sec.  571.80-82  [Reserved]


Sec.  571.83  Disposal of consumer information.

    (a) In general. You must properly dispose of any consumer 
information that you maintain or otherwise possess in accordance with 
the Interagency Guidelines Establishing Information Security Standards, 
as set forth in appendix B to part 570, to the extent that you are 
covered by the scope of the Guidelines.
    (b) Rule of construction. Nothing in this section shall be 
construed to:
    (1) Require you to maintain or destroy any record pertaining to a 
consumer that is not imposed under any other law; or
    (2) Alter or affect any requirement imposed under any other 
provision of law to maintain or destroy such a record.

    By the Office of Thrift Supervision,

    Dated: November 30, 2004.
James E. Gilleran,
Director.
[FR Doc. 04-27962 Filed 12-27-04; 8:45 am]
BILLING CODE 4819-13-P;6210-10-P;6714-01-P;6720-01-P