[Federal Register Volume 78, Number 247 (Tuesday, December 24, 2013)]
[Rules and Regulations]
[Pages 77557-77563]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2013-30717]



 ========================================================================
 Rules and Regulations
                                                 Federal Register
 ________________________________________________________________________
 
 This section of the FEDERAL REGISTER contains regulatory documents 
 having general applicability and legal effect, most of which are keyed 
 to and codified in the Code of Federal Regulations, which is published 
 under 50 titles pursuant to 44 U.S.C. 1510.
 
 The Code of Federal Regulations is sold by the Superintendent of Documents. 
 Prices of new books are listed in the first FEDERAL REGISTER issue of each 
 week.
 
 ========================================================================
 

  Federal Register / Vol. 78, No. 247 / Tuesday, December 24, 2013 / 
Rules and Regulations  

[[Page 77557]]



FARM CREDIT ADMINISTRATION

12 CFR Parts 602, 618, and 621

RIN 3052-AC76


Releasing Information; General Provisions; Accounting and 
Reporting Requirements; Reports of Accounts and Exposures

AGENCY: Farm Credit Administration.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The Farm Credit Administration (FCA, we, or our) issues this 
final rule to establish a regulatory framework for the reliable, 
timely, accurate, and complete reporting of Farm Credit System (System) 
accounts and exposures for examination activities and risk evaluation. 
The final rule specifies the reporting requirements and performance 
responsibilities, including, but not limited to, establishing uniform 
and standard data fields to be collected from all System institutions 
and a disciplined and secure delivery of information. The final rule 
authorizes a Reporting Entity (defined as the Federal Farm Credit Banks 
Funding Corporation (Funding Corporation) or an entity approved by 
FCA), to collect data from all banks and associations and serve as the 
central data repository manager. Additionally, the final rule requires 
all banks and associations to provide data to the Reporting Entity to 
facilitate the collection, enhancement, and reporting of data to FCA.

DATES: Effective Date: This regulation will become effective 30 days 
after publication in the Federal Register during which either or both 
Houses of Congress are in session. We will publish a notice of 
effective date in the Federal Register.
    Compliance Date: All provisions of this regulation require 
compliance on the effective date, except the Reporting Entity's 
requirements under Sec.  621.15(b)(1) through (b)(6). We are delaying 
compliance with these requirements to allow for the development of and 
transition to the System's central data repository. We will publish the 
compliance date for these requirements in the Federal Register.

FOR FURTHER INFORMATION CONTACT:
Susan Coleman, Senior Policy Analyst, Office of Regulatory Policy, Farm 
Credit Administration, McLean, VA 22102-5090, (703) 883-4491, TTY (703) 
883-4056, or
Jane Virga, Senior Counsel, Office of General Counsel, Farm Credit 
Administration, McLean, VA 22102-5090, (703) 883-4020, TTY (703) 883-
4056.

SUPPLEMENTARY INFORMATION:

I. Objectives

    The objectives of this final rule are to:
     Reaffirm FCA's authority to collect data on System 
institution accounts and exposures for examination activities and risk 
evaluation;
     Require all banks and associations to provide data on 
accounts and exposures to the Reporting Entity, for the purposes of 
reporting to FCA; and
     Establish the authority for and responsibilities of the 
Reporting Entity to collect, store, manage, and extrapolate data on 
accounts and exposures for reporting to FCA.

II. Background

    The Farm Credit Act of 1971, as amended (Act),\1\ in pertinent 
part, confers authority on FCA to examine and supervise the 
institutions of the System and authorizes FCA to issue regulations 
implementing the Act's provisions.\2\ Our regulations, including this 
final rule, are intended to ensure the safe and sound operations of 
System institutions. In order to meet FCA's responsibility to ensure 
the safety and soundness of System institutions, we must have reliable, 
timely, accurate, and complete information about each banks' and 
associations' assets and liabilities.
---------------------------------------------------------------------------

    \1\ Public Law 92-181, 85 Stat. 583 (1971), 12 U.S.C. 2001 et 
seq.
    \2\ 12 U.S.C. 2252(a)(8), (9), and (10).
---------------------------------------------------------------------------

    Section 4.12(b)(5) of the Act confirms FCA's authority to request 
information from a System institution for examination and supervision 
and the concurrent obligation of a System institution to provide FCA 
with access to the records of the System institution. This statute 
makes it clear that FCA must have access to all records of a System 
institution and provides that concealment or refusal to provide access 
to such records is the basis for the appointment of a receiver or 
conservator.
    In addition to that statutory authority, another section of the Act 
provides authority to FCA to require the production of System 
institution records. Section 5.9(4) of the Act provides FCA the power 
to require such reports as it deems necessary from System 
institutions.\3\ Additionally, section 5.22A of the Act and Sec.  
621.12(a) of FCA regulations require each System institution to prepare 
and file such reports of condition and performance as may be required 
by FCA. Further clarification is provided in Sec.  621.12(b) of FCA 
regulations, which states that these reports of condition and 
performance must be filed four times a year and may include such 
additional reports as may be necessary to ensure timely, complete, and 
accurate monitoring and evaluation of the affairs, condition, and 
performance of System institutions as determined by the Chief Examiner. 
In addition, Sec.  621.12(c) of FCA regulations requires all reports of 
condition and performance to be submitted electronically in accordance 
with the instructions prescribed by FCA.
---------------------------------------------------------------------------

    \3\ Further, under section 5.17(a)(11) of the Act, FCA may 
``[e]xercise such incidental powers as may be necessary or 
appropriate to fulfill its duties and carry out the purposes of 
{the{time}  Act.''
---------------------------------------------------------------------------

    For over a decade, FCA has collected detailed asset reports through 
loan data extracts from System institutions to facilitate examination 
activities and risk evaluation, and shared this data with the Farm 
Credit System Insurance Corporation (FCSIC) on a confidential basis 
subject to an interagency agreement. The need for consistent, 
comprehensive, and comparable data across all System institutions has 
evolved, as the complexity and volume of assets has increased. The 
availability of quality and timely data on accounts and exposures, 
including any loan, lease, letter of credit, derivative, or, any other 
asset, liability, other balance sheet account, or off-balance-sheet 
exposure, has become critical to efficient and effective examination 
activities and risk evaluation. Accordingly, we continue to

[[Page 77558]]

work with the System to collect more comprehensive data submissions and 
enhance the reporting to facilitate the evaluation of changing lending 
risks and conditions.
    An integral component of FCA's and FCSIC's ability to quickly and 
accurately identify and respond to risk is the collection of data on, 
and identification of, shared assets. Shared assets are any account or 
exposure where two or more System institutions have assumed a portion 
of the asset's benefits or risks. On October 3, 2012, the FCA Board 
approved Bookletter BL-065, which describes FCA's expectations that 
each System institution and its board of directors establish and 
implement an automated mechanism to consistently identify shared asset 
exposures. Bookletter BL-065 continues to contain pertinent guidance 
for System institutions. After the central data repository is completed 
by the Reporting Entity, including the implementation of an automated 
mechanism to accurately identify the System's shared asset exposures, 
FCA will evaluate whether to rescind Bookletter BL-065.
    In addition to other objectives, and in order to facilitate the 
identification of shared asset exposures and enable System risk 
assessment, System banks and associations are working with the Funding 
Corporation to create a central data repository to collect and store 
data from all System banks and associations, establish an automated 
mechanism to timely and accurately identify the System's shared asset 
exposures, and report Systemwide accounts and exposures on behalf of 
the System banks and associations to FCA. The Funding Corporation, in 
coordination with the banks and associations, is in the process of 
developing and deploying the central data repository and plans to 
assume the role of the Reporting Entity for the banks' and 
associations' reports of accounts and exposures by yearend 2014.
    We believe the final rule provides a uniform system and process for 
the reporting of accounts and exposures. The final rule reaffirms FCA's 
authority to collect data from the System and communicates the 
authority for, and responsibilities of, the Reporting Entity to collect 
data on behalf of the System banks and associations for delivery to 
FCA. The final rule also confirms FCA's authority to share examination 
reports or other information on System institutions prepared or held by 
FCA with FCSIC, subject to appropriate security and controls.
    The final rule requires the banks, associations, and Reporting 
Entity to establish a system of internal controls over the data. 
Additionally, the banks and associations must establish a data 
governance structure with the Reporting Entity to document the 
responsibilities and accountabilities for the conveyance, storage, and 
uses of the information stored in the central data repository. This 
data governance structure should establish agreement among the banks, 
associations, and Reporting Entity and must be in place prior to the 
first transfer of data to the Reporting Entity.
    During the System's data repository development phase, the banks 
and associations will continue to prepare and submit the reports of 
accounts and exposures to FCA in accordance with the instructions 
prescribed by FCA under Sec.  621.15(a) of this final rule. Upon 
satisfactory demonstration by the Reporting Entity of the ability to 
prepare reliable, timely, complete and accurate reporting of accounts 
and exposures, FCA will accept report(s) of all banks' and 
associations' accounts and exposures from the Reporting Entity, acting 
on behalf of the banks and associations. FCA will establish a delayed 
compliance date for the Reporting Entity's responsibilities under Sec.  
621.15(b)(1) through (b)(6) during the data repository development 
phase.
    FCA understands that the development of the central data repository 
is a necessary precursor to the automated identification and reporting 
of shared exposures. However, FCA expects timely implementation of the 
System's mechanism to identify shared asset exposures as required in 
Sec.  621.15(b)(3) once the data repository is complete. Since the 
identification of shared asset and customer exposures at the System 
level through an automated mechanism is not yet implemented, we will 
establish a delayed compliance date as previously discussed.
    The System's ultimate success of implementing a process for 
reporting shared exposures is dependent upon the cooperation and 
collaboration of the banks, associations, and Reporting Entity. We also 
understand that identification, management, and control of shared 
assets will primarily rest at the bank and association level and will 
be reported by the banks and associations in their quarterly reports. 
However, the responsibility of accumulating the shared assets to the 
shared customer level will primarily rest with the Reporting Entity. As 
such, the Reporting Entity is not only a conduit to submit the banks 
and associations reports of accounts and exposures, but is also 
necessary to establish and report accurate System shared exposures. Due 
to this interdependency, we expect continual and thorough collaboration 
and cooperation to ensure the mechanism to identify shared exposures is 
timely, accurate and complete. The data dictionary and instructions 
will specify the various components of the shared asset identifiers 
such as the shared asset number, the shared customer number and the 
System customer lead. FCA will continue to collaborate with the System 
on the specifics for identifying shared exposures through the data 
dictionary and instructions published on the FCA Web site.
    The final regulation requires the Reporting Entity to notify FCA 
immediately in writing of the following events: (1) If there is a 
breach of information; (2) if there is a request for data from the 
reports of accounts and exposures from non-System entities; or, (3) if 
it is unable to prepare and submit the report(s) of accounts and 
exposures in compliance with the regulation. Additionally, in the event 
of a breach of information, the Reporting Entity must provide immediate 
written notice of the breach to each bank and association concerned.
    The Reporting Entity may request that the banks and associations 
appoint a replacement Reporting Entity to assume the authorities and 
reporting obligations of the Reporting Entity. Additionally, the banks 
and associations at their discretion, and with the approval of the FCA, 
may elect to select a replacement Reporting Entity to assume the 
authorities and reporting obligations of the Reporting Entity.
    The proposed rule, which was published for public comment for 30 
days, generated five comment letters, four of which were generally 
supportive. One comment letter opposed the proposed regulation in its 
entirety. After considering the comments, we now finalize the proposed 
provisions as discussed below.

III. Discussion of Comment Letters and Section-by-Section Analysis of 
Final Rule

    The five comment letters we received came from one Farm Credit Bank 
(AgriBank, FCB); three System agricultural credit associations (Farm 
Credit East, ACA, Greenstone Farm Credit Services, ACA, and River 
Valley AgCredit, ACA); and the Farm Credit Council (Council) acting on 
behalf of its membership. These letters contained a number of 
constructive comments that resulted in changes to a number of 
provisions in the proposed rule.

[[Page 77559]]

General Issues

    Four commenters support our efforts to set up a regulatory 
framework, but ask that we continue to cooperate with System 
institutions regarding changes to data submission requirements so that 
an appropriate balance remains between the need to evaluate changing 
lending risks and the cost of regulatory burden to the System. The 
concept of a central data repository has been a collaborative and 
cooperative approach between the System and FCA to ensure all parties' 
needs are adequately met and addressed. We intend to continue to 
collaborate and to provide the banks, associations, and Reporting 
Entity with ample opportunity to provide input on any anticipated 
changes to the data submission requirements or instructions. In our 
response below to comments on certain provisions of the proposed rule, 
we have made some changes to further clarify our intended process for 
changes to data submission requirements and to limit the regulatory 
burden on the System.
    The commenter that opposed the rule in its entirety was concerned 
with sending confidential borrower information to the Reporting Entity. 
We understand and share this concern and believe we have included 
requirements in the regulation to address it. Specifically, the final 
rule requires the Reporting Entity to develop and implement an 
effective system of internal controls over the central data repository 
to ensure the confidentiality of borrower information. In addition, we 
expect the banks and associations to establish a data governance 
structure that documents agreement among the banks, associations, and 
Reporting Entity on the responsibilities and accountabilities for 
information stored in the central data repository. Finally, we also 
require the immediate reporting of any breach of information to FCA and 
each bank and association concerned.
    This commenter is also concerned with the increased cost due to the 
regulation. We believe that the availability of quality and timely data 
on accounts and exposures is paramount to efficient and effective 
examination activities and risk evaluation, as well as the System's own 
risk-management practices. We believe that establishing a central data 
repository, including an automated mechanism to accurately identify 
shared asset exposures, is a prudent expense that provides both FCA and 
the System (including this commenter) with the ability to timely 
evaluate risks and conditions, and respond appropriately.
1. Authority To Promulgate the Regulation
    FCA cited section 5.22A of the Act as the basis to require a System 
institution to submit loan data. A commenter questioned whether section 
5.22A was the proper authority to promulgate this regulation. Although 
the commenter acknowledged FCA's inherent authority to access System 
institution accounts and exposure data for examination activities and 
support the overall process outlined in the proposed regulation, the 
commenter was concerned that we cited an incorrect authority for the 
collection of the data.
    The commenter stated that the proposed rule provides a consolidated 
and efficient approach for submitting data from the System to FCA. 
However, the commenter stated that it is a ``stretch'' to call the 
submission of loan and other similar data at the record level a uniform 
financial report as contemplated in section 5.22A of the Act. The 
commenter asserts that financial reporting means balance sheet, income 
statements, and related supporting schedules, even though FCA has the 
authority to interpret the statute.
    Section 5.22A of the Act requires System institutions to comply 
with FCA's uniform financial reporting instructions. Section 5.22A was 
cited in Bookletter BL-065, which was the genesis for the proposed 
regulation. The Bookletter provides FCA's expectations for System 
institutions to establish and implement an automated mechanism to 
identify and report shared asset exposures. Section 5.22A of the Act 
provides, in pertinent part, that each System institution shall comply 
with uniform financial reporting instructions required by the Farm 
Credit Administration to standardize and facilitate the reporting of 
System data.
    The commenter suggests section 4.12(b)(5) of the Act as authority 
for the regulation. Although we continue to believe that section 5.22A 
of the Act authorizes the regulation, we have included section 
4.12(b)(5) as additional authority. Section 4.12(b)(5) of the Act 
provides that the FCA Board may appoint a conservator or receiver for 
any System institution that does not provide FCA with access to the 
``books, papers, records, or assets of the institution.
    Including this additional authority source should provide the 
balance that the commenter desired and reassurance concerning the types 
of information retained by System institutions. Also, as a technical 
matter, we added section 5.22A of the Act as authority for this 
regulation. We had included a discussion of this section in the 
preamble to the proposed rule but inadvertently omitted it from the 
authority citations.
2. Notice and Comment on Instructions
    The proposed regulation provides that the banks and associations 
submit the reports of accounts and exposures in accordance with the 
instructions provided by FCA. The Council recommended that the rule be 
revised to provide for notice and comment when FCA changes any of its 
instructions on the reports of accounts and exposures. The Council 
asserts that the Administrative Procedure Act, 5 U.S.C. 553 (APA), 
requires that new instructions be subject to the notice and comment 
requirements. Another commenter asserted that the open-ended nature of 
the information collection process in the instructions is inappropriate 
in that it lacks balance and could be burdensome. As discussed below, 
we believe that the APA does not require notice and comment on the 
instructions for the submission of the accounts and exposure data and 
that the instructions will be appropriate.
    The APA establishes, in pertinent part, that an agency must publish 
a proposed rule for notice and comment. By definition, a rule is an 
agency statement of general or particular applicability. A rule does 
not include an agency's ``housekeeping provisions.''
    We do not believe that the instructions for the submission of 
accounts and exposures data are a regulation. The instructions are not 
an agency statement of general or particular applicability. Rather, we 
believe that the instructions are procedural on their face and do not 
change substantive standards for the submission of the data by the 
System institutions. The instructions do not alter the rights or 
interests of the System institutions, although the instructions may 
alter the information and how it is provided to FCA. A procedural rule 
does not become a substantive one for notice and comment purposes 
simply because it arguably imposes a ``burden'' on the System.
    We do, however, intend to continue to engage in comprehensive 
collaboration and communication with the banks, associations, and 
Reporting Entity. We will provide all parties with sufficient time to 
review any proposed changes to the data dictionary and instructions and 
respond to us with any concerns, including the appropriateness of the 
data requirements and any burden.
    In the future, FCA may amend the instructions, including the data 
dictionary, as the System and FCA continue to assess data needs. FCA 
intends to initiate an annual

[[Page 77560]]

collaborative review of the data dictionary and corresponding 
instructions and provide any details on recommended changes to all 
parties in order to receive their comments and input prior to 
initiating any changes. This will ensure the System has the opportunity 
to provide adequate input to changes in the data submission 
requirements and in developing instructions on System data collection 
and storage. FCA plans to inform System institutions of proposed 
changes to the instructions and allow System institutions ample time to 
respond to any changes on the content of information to be provided or 
on the appropriate method of delivering information to the Reporting 
Entity or FCA. We believe that this process provides adequate balance 
to ensure that the information collected is appropriate for examination 
activities and risk analysis. However, exigent circumstances could 
mandate more frequent changes to the instructions, with or without 
System input.
    The process we have discussed is consistent with the existing 
process for issuing instructions for providing ``Uniform Call 
Reports.'' We continue to believe, as first stated in Bookletter BL-065 
that ``[c]ollaboration by the System will improve the mechanisms and 
disciplines necessary to effectively assess and report shared-asset 
risks in a timely, complete and accurate manner.'' We have confidence 
that this approach balances the needs of FCA to collect uniform and 
standardized data for examination and risk analysis with the needs of 
System institutions to collect the data needed and used for business or 
risk management purposes. Additionally, to clarify an additional 
comment on this topic, FCA's instructions on the data submission 
requirements apply uniformly to all banks and associations.
3. Effective Date
    Several of the commenters requested that we carefully consider the 
effective date of this regulation to ensure the System institutions 
have sufficient time to comply with the requirements. This regulation 
will become effective 30 days after publication in the Federal Register 
during which either or both Houses of Congress are in session. FCA will 
establish a delayed compliance date for the Reporting Entity's 
requirements under Sec.  621.15(b)(1) through (b)(6) of the rule to 
allow for the development of and transition to the System's central 
data repository. Accordingly, the compliance date for Sec.  
621.15(b)(1) through (b)(6) requirements will be published separately 
in the Federal Register. All other sections and requirements of the 
regulation require compliance on the effective date of the regulation.
    As discussed in the preamble, we expect the banks and associations 
to continue preparing and submitting the reports of accounts and 
exposures to FCA under the current established data dictionary and 
instructions prescribed by FCA. This current submission of data will 
continue until such time as the Reporting Entity completes the 
development and implementation of the central data repository and 
satisfactorily demonstrates the ability to prepare and deliver to FCA 
reliable, timely, complete and accurate reporting of accounts and 
exposures, including the identification of shared asset exposures. When 
this occurs, FCA will accept report(s) of all banks' and associations' 
accounts and exposures from the Reporting Entity, acting on behalf of 
the banks and associations. FCA understands that the identification of 
shared asset and customer exposures at the System level is not yet 
implemented and therefore, as stated previously, a delayed compliance 
date will be established for these requirements of the rule.

Specific Issues

1. Sharing Data on Third-Party Systems or With Contractors [new Sec.  
602.2(c)]
    The proposed rule would establish a confidentiality and data 
security agreement requirement between FCA and FCSIC when accounts and 
exposures data is shared between the two agencies.\4\
---------------------------------------------------------------------------

    \4\ Section 5.59(a)(5) of the Act provides that FCSIC, to the 
extent practicable, shall use the personnel and resources of FCA to 
minimize duplication of effort and to reduce costs. Under section 
5.59(b), if the FCSIC Board considers it necessary to examine an 
insured System bank or a System association or any System 
institution in receivership, it may use FCA examiners to conduct the 
examination using reports and other information on the System 
institution prepared or held by FCA. If the FCSIC Board determines 
that such reports or information are not adequate to enable FCSIC to 
carry out the duties of FCSIC under section 5.59(b), it may request 
FCA to examine or to obtain other information from or about the 
System institution and provide FCSIC the resulting examination 
report or such other information. See also section 5.19(d) of the 
Act.
---------------------------------------------------------------------------

    The Council and another commenter stated they were extremely 
concerned over: (1) The security of FCA or FCSIC storing accounts and 
exposures data on third-party systems; and (2) FCSIC providing the data 
to third-party contractors or vendors. They recommended we update the 
regulatory language to ensure that FCSIC cannot release the data to a 
vendor or any other third party and that the data must remain on FCA or 
FCSIC systems at all times.
    We understand and share the commenters' concerns with data 
security. However, we believe that the Sec.  602.2(c) requirement for a 
confidentiality and data security agreement between FCA and FCSIC 
adequately ensures the integrity, confidentiality, and security of the 
data. Safeguarding borrower information is of paramount importance to 
the System and FCA.
    As to the comment concerning providing access to contractors, the 
interagency agreement between FCA and FCSIC governs and protects 
borrower data in any form and includes restrictions on sharing the data 
with contractors. These safeguards are appropriate for this type of 
data and provide FCA and FCISC the necessary access to the information 
while protecting it from unauthorized access and use. We also note that 
pursuant to Federal statute, FCA does not waive any privilege by 
sharing information with FCSIC. See 12 U.S.C. 1821(t).
2. Bank and Association Certification Requirement [new Sec.  
621.15(a)(2)]
    The proposed rule would require each bank and association to 
provide a written certification that the data submitted ``has been 
prepared in accordance with all applicable regulations and 
instructions, and is a true and accurate record of the data maintained 
in the bank's or association's database, to the best of its knowledge 
and belief.''
    The Council and other commenters suggested revising the 
certification requirement of the banks and associations to avoid the 
possible interpretation that FCA is prescribing what data a System 
institution maintains in its database. The Council asked for 
clarification that the term ``complete'' apply only to data that a bank 
and association has available electronically. In addition, one 
commenter stated that they are unable to certify that all of the actual 
information in their records, regarding any particular borrower, is 
fully accurate at any point in time because it is borrower provided.
    In order to address these concerns, we have modified the language 
in the final rule as requested to require that System institutions 
certify that their submissions are a ``true and accurate record of the 
data maintained by the bank or association, to the best of its 
knowledge and belief.'' Furthermore, we intended that each bank's and 
association's certification apply to the data submitted in its 
report(s) of

[[Page 77561]]

accounts and exposures and available in its databases.
3. Reporting Entity Certification Requirement [new Sec.  621.15(b)(4)]
    The proposed rule provides, in pertinent part, that the Reporting 
Entity must certify ``that the information provided in the report of 
each bank's and association's accounts and exposures has been prepared 
in accordance with all applicable regulations and instructions and 
accurately represents the information provided to it by the banks and 
associations.''
    The Council suggested revising the Reporting Entity's certification 
requirement. It believes the certification by the banks and 
associations is sufficient to ensure that the information in the report 
complies with the instructions.
    While we agree that the Reporting Entity does not need to certify 
that the banks and associations have complied with the instructions, 
the Reporting Entity is responsible for certifying its compliance with 
the instructions, particularly as they relate to the establishment and 
implementation of an automated mechanism to identify shared asset 
exposures. To address these comments, we have modified the language in 
the final rule to clarify that the Reporting Entity needs to certify 
that the report accurately represents the information provided to it by 
the banks and associations and that the Reporting Entity has complied 
with the requirements of Sec.  621.15(b).
4. Reporting Entity Notification if Unable To Prepare and Submit Report 
[new Sec.  621.15(b)(6)]
    The proposed rule provides, in pertinent part, that the Reporting 
Entity must ``[n]otify the Farm Credit Administration if it is unable 
to prepare and submit the quarterly report of accounts and exposures in 
compliance with the requirements of this section.''
    The Council requests that this provision be deleted. It believes 
that it is inappropriate to require the Reporting Entity to notify FCA 
when an individual institution fails to comply with the data submission 
requirements.
    FCA did not intend to hold the Reporting Entity responsible for 
notifying FCA of institution compliance or noncompliance with reporting 
responsibilities. Rather, FCA wants to be notified if the Reporting 
Entity is unable to submit the quarterly report to FCA for any reason, 
such as technical difficulties or if the accounts and exposures report 
to FCA from the Reporting Entity does not contain all banks' and 
associations' reports. In order to address the Council's concern, we 
have modified the language in the final rule to clarify that the 
Reporting Entity needs to notify FCA if it is unable to submit the 
quarterly report in compliance with the Reporting Entity's 
responsibilities as set forth in Sec.  621.15(b)(1) through (b)(3).
5. Information Breach [new Sec.  621.15(b)(7)]
    The proposed rule provides, in pertinent part, that the Reporting 
Entity would be required to immediately notify FCA and each concerned 
bank and association if there is a breach of information. Each bank and 
association would then determine whether any notice of the breach to 
any of its borrowers was required under applicable laws and 
regulations. The bank and association would be responsible for 
providing such notification to its borrowers. We defined ``breach of 
information'' to mean ``unauthorized acquisition of or access to the 
central data repository, any quarterly reports of accounts and 
exposures or any other information received pursuant to Sec.  
621.15(a)(1).''
    Commenters raised several issues regarding these proposed 
requirements. They were concerned with the Reporting Entity providing 
written notice ``immediately'' to FCA and each bank and association 
concerned, if there is an information breach. Commenters asked that the 
term ``immediately'' be revised to allow a greater time to report, such 
as 3 business days. Also, commenters requested that we delete the 
language in Sec.  621.15(b)(7)(ii) that the concerned bank and 
association determine whether any notice of the breach to any of its 
borrowers is required under applicable laws and regulations and, if so, 
that they are responsible for providing such notification. Commenters 
believe the language is not needed because the banks and associations 
are already required to comply with applicable laws and regulations. 
The commenters also requested that FCA clarify that the definition of 
``breach'' refers only to situations in which data has been actually 
accessed by an unauthorized person.
    FCA does not believe it appropriate to allow more time to report a 
security breach. FCA continues to believe that the report must be made 
``immediately'' because the extreme sensitivity of the data maintained 
in the central data repository makes it urgent to communicate an 
information breach. The term ``immediately'' in this context means 
without delay or at once. As to the deletion of the language in Sec.  
621.15(b)(7)(ii), we agree with the comment and have not included the 
specific language in this provision of the final rule. As noted in the 
proposed rule, the Reporting Entity is only responsible for notifying 
FCA and the bank and association concerned of any information breach. 
The bank or association concerned must comply with applicable laws and 
regulations regarding information security and should consider and 
follow best practices.
    Finally, in order to address the concern about the definition of 
``breach,'' we have modified Sec.  621.15(b)(7)(iii). In doing so, we 
do not believe ``breach'' should be limited to the occasion where data 
has actually been accessed by an unauthorized person. Instead, the 
modified definition is intended to capture attempts by unauthorized 
persons to access data and unauthorized possession of data.

IV. Regulatory Flexibility Act

    Pursuant to section 605(b) of the Regulatory Flexibility Act (5 
U.S.C. 601 et seq.), FCA hereby certifies that the final rule would not 
have a significant economic impact on a substantial number of small 
entities. Each of the banks in the Farm Credit System, considered 
together with its affiliated associations, has assets and annual income 
in excess of the amounts that would qualify them as small entities. 
Therefore, Farm Credit System institutions are not ``small entities'' 
as defined in the Regulatory Flexibility Act.

List of Subjects

12 CFR Part 602

    Courts, Freedom of information, Government employees.

12 CFR Part 618

    Agriculture, Archives and records, Banks, banking, Insurance, 
Reporting and recordkeeping requirements, Rural areas, Technical 
assistance.

12 CFR Part 621

    Accounting, Agriculture, Banks, banking, Penalties, Reporting and 
recordkeeping requirements, Rural areas.
    For the reasons stated in the preamble, parts 602, 618 and 621 of 
chapter VI, title 12 of the Code of Federal Regulations, are amended as 
follows:

[[Page 77562]]

PART 602--RELEASING INFORMATION

0
1. The authority citation for part 602 is revised to read as follows:

    Authority:  Secs. 5.9, 5.17, 5.59 of the Farm Credit Act (12 
U.S.C. 2243, 2252, 2277a-8); 5 U.S.C 301, 552; 12 U.S.C. 1821(t); 52 
FR 10012; E.O. 12600; 52 FR 23781, 3 CFR 1987, p. 235.

0
2. Section 602.2 is amended by:
0
a. Revising the heading;
0
b. Redesignating existing paragraph (c) as paragraph (d); and
0
c. Adding new paragraph (c) to read as follows:


Sec.  602.2  Disclosing reports of examination and other non-public 
information.

* * * * *
    (c) Disclosure to the Farm Credit System Insurance Corporation. 
Without waiving any privilege or limiting any of the requirements of 
section 5.59 of the Farm Credit Act of 1971, as amended, we may 
disclose reports of examination and other examination and non-public 
information, including data from reports of System accounts and 
exposures received pursuant to Sec.  621.15 of this chapter, to the 
Farm Credit System Insurance Corporation pursuant to confidentiality 
and data security agreements executed between the agencies.
* * * * *

PART 618--GENERAL PROVISIONS

0
3. The authority citation for part 618 continues to read as follows:

    Authority:  Secs. 1.5, 1.11, 1.12, 2.2, 2.4, 2.5, 2.12, 3.1, 
3.7, 4.12, 4.13A, 4.25, 4.29, 5.9, 5.10, 5.17, of the Farm Credit 
Act (12 U.S.C. 2013, 2019, 2020, 2073, 2075, 2076, 2093, 2122, 2128, 
2183, 2200, 2211, 2218, 2243, 2244, 2252.


Sec.  618.8300  [Amended]

0
4. Section 618.8300 is amended by removing the words ``as authorized in 
the following paragraphs'' and adding in their place, the words ``as 
authorized by Farm Credit Administration regulations (Sec. Sec.  
618.8300 through 618.8330)''.

0
5. Section 618.8310 is amended by adding a new paragraph (c) to read as 
follows:


Sec.  618.8310  Lists of borrowers and stockholders.

* * * * *
    (c) In connection with preparing and submitting an electronic 
report of all System accounts and exposures to the Farm Credit 
Administration in accordance with the requirements of Sec.  621.15 of 
this chapter, each bank and association may provide information from 
its lists of borrowers and stockholders to the Reporting Entity as 
defined in Sec.  621.2 of this chapter.

0
6. Section 618.8320 is amended by adding a new paragraph (b)(10) to 
read as follows:


Sec.  618.8320  Data regarding borrowers and loan applicants.

* * * * *
    (b) * * *
    (10) In connection with preparing and submitting an electronic 
report of all System accounts and exposures to the Farm Credit 
Administration in accordance with the requirements of Sec.  621.15 of 
this chapter, each bank and association may provide data on its 
accounts and exposures to the Reporting Entity as defined in Sec.  
621.2 of this chapter.
* * * * *

PART 621--ACCOUNTING AND REPORTING REQUIREMENTS

0
7. The authority citation for part 621 is revised to read as follows:

    Authority:  Secs. 4.12(b)(5), 5.17, 5.22A, 8.11 of the Farm 
Credit Act (12 U.S.C. 2183, 2252, 2257a, 2279aa-11); sec. 514 of 
Pub. L. 102-552.


0
8. Section 621.2 is amended by:
0
a. Redesignating paragraph (a) as paragraph (b), paragraph (b) as 
paragraph (d), and paragraphs (c) through (i) as paragraphs (f) through 
(l), respectively; and
0
b. Adding new paragraphs (a), (c), (e), (m) and (n) to read as follows:


Sec.  621.2  Definitions.

    (a) Accounts and exposures means data related to any loan, lease, 
letter of credit, derivative, or, any other asset, liability, other 
balance sheet account, or off-balance-sheet exposure of a System 
institution.
* * * * *
    (c) Banks and associations mean all Farm Credit Banks, Agricultural 
credit banks, and associations.
* * * * *
    (e) Central data repository means a central data warehouse that 
electronically collects and stores current and historical data and is 
created by integrating data from one or more disparate sources.
* * * * *
    (m) Reporting entity means the Federal Farm Credit Banks Funding 
Corporation, or other entity approved by the Farm Credit 
Administration.
    (n) Shared asset means any account or exposure where two or more 
Farm Credit institutions have assumed a portion of the asset's benefits 
or risks. An institution's share in the asset may be established 
through means such as syndications, participation agreements, 
assignments, or other arrangements with System entities.

0
9. Revise the heading of subpart D to read as follows:

Subpart D--Reports of Condition and Performance and Accounts and 
Exposures

0
10. Section 621.12 is amended by revising the heading to read as 
follows:


Sec.  621.12  Reports of condition and performance.

* * * * *

0
11. Add a new Sec.  621.15 to subpart D to read as follows:


Sec.  621.15  Reports of accounts and exposures.

    (a) Responsibilities of banks and associations for preparing and 
submitting reports. The banks and associations must prepare and submit 
an accurate and complete report of all bank and association accounts 
and exposures electronically to the Farm Credit Administration pursuant 
to the requirements of this part. In order to accomplish such 
submission, each bank and association must:
    (1) Prepare and submit an accurate and complete report of its 
accounts and exposures electronically to the Reporting Entity:
    (i) In accordance with the instructions prescribed by the Farm 
Credit Administration, or as may be required by the Farm Credit 
Administration; and
    (ii) Within 20 calendar days after each quarter-end date, and at 
such other times as the Farm Credit Administration may require.
    (2) Submit to the Farm Credit Administration and the Reporting 
Entity a written certification that the information provided in the 
report of accounts and exposures has been prepared in accordance with 
all applicable regulations and instructions, and is a true and accurate 
record of the data maintained by the bank or association, to the best 
of its knowledge and belief. The reports shall be certified by the 
officer of the reporting bank or association named for that purpose by 
action of the reporting bank's or association's board of directors. If 
the board of directors of the bank or association has not acted to name 
an officer to certify to the accuracy of its reports of accounts and 
exposures, then the reports shall be certified by the president or 
chief executive officer of the reporting bank or association. In the 
event the bank or association learns of

[[Page 77563]]

a material error or misstatement in the information submitted to the 
Reporting Entity, it must notify the Reporting Entity and the Farm 
Credit Administration immediately of the error or misstatement and 
prepare and submit corrected information as soon as practicable.
    (3) Respond promptly to any questions by the Reporting Entity 
related to information provided under this section in connection with 
the preparation of a report of accounts and exposures, including any 
data required to establish, implement and maintain consistent, 
accurate, and complete shared asset identification and reporting of 
shared asset exposures to the Farm Credit Administration.
    (4) Develop, implement, and maintain an effective system of 
internal controls over the data included in the report of accounts and 
exposures, including controls for maintaining the confidentiality of 
borrower information. The system of internal controls, at a minimum, 
must comply with the requirements of applicable Farm Credit 
Administration regulations, including Sec.  618.8430 of this chapter.
    (b) Responsibilities of the Reporting Entity for preparing and 
submitting reports. The Reporting Entity must:
    (1) Collect, store, and manage the information submitted to it by 
each bank and association under the requirements of this section in a 
central data repository in accordance with Farm Credit Administration 
regulations and prescribed instructions.
    (2) Prepare and submit an electronic quarterly report of the 
accounts and exposures of all banks and associations to the Farm Credit 
Administration in accordance with the instructions prescribed by the 
Farm Credit Administration or as may be required by the Farm Credit 
Administration.
    (3) Establish, implement, and maintain an automated mechanism to 
ensure the reliable, timely, accurate and consistent identification of 
the banks' and associations' shared asset exposures, and report these 
exposures and the shared asset identifiers in the electronic quarterly 
report of accounts and exposures to the Farm Credit Administration. In 
connection with establishing and implementing the automated shared 
asset identification mechanism, the Reporting Entity may provide the 
banks and associations information from the central data repository to 
identify and report shared asset exposures.
    (4) Submit to the Farm Credit Administration a written 
certification that the information provided to the Farm Credit 
Administration in the report of accounts and exposures of all banks and 
associations accurately represents the information provided to it by 
the banks and associations and that the Reporting Entity has complied 
with the requirements of Sec.  621.15(b). The reports shall be 
certified by the president or chief executive officer of the Reporting 
Entity. In the event the Reporting Entity learns of a material error or 
misstatement in the information submitted to the Farm Credit 
Administration, it must notify the Farm Credit Administration 
immediately of the error or misstatement and prepare and submit 
corrected information as soon as practicable.
    (5) Develop, implement, and maintain an effective system of 
internal controls over the central data repository, including controls 
for maintaining the confidentiality of borrower information. The system 
of internal controls, at a minimum, must comply with the requirements 
of applicable Farm Credit Administration regulations, including Sec.  
618.8430 of this chapter and require that the Reporting Entity:
    (i) Develop policies and procedures to ensure that the information 
submitted in the report of accounts and exposures to the Farm Credit 
Administration is complete and consistent with the information 
submitted to the Reporting Entity from the banks and associations under 
Sec.  621.15(a); and
    (ii) Specify procedures for monitoring any material corrections or 
adjustments, in a timely manner, and provide timely notification and 
resubmission of the report of accounts and exposures to the Farm Credit 
Administration.
    (6) Notify the Farm Credit Administration if it is unable to 
prepare and submit the quarterly report of accounts and exposures in 
compliance with the requirements of Sec.  621.15(b)(1) through (b)(3). 
The notification:
    (i) Must be signed by the chief executive officer, or person in an 
equivalent position, and submitted to the Farm Credit Administration as 
soon as the Reporting Entity becomes aware of its inability to comply;
    (ii) Must explain the reasons for its inability to prepare and 
submit the report; and
    (iii) May include a request that the Farm Credit Administration 
extend the due date for the quarterly report of accounts and exposures.
    (7) In the event there is a breach of information, immediately 
provide written notice of the breach to:
    (i) The Farm Credit Administration; and
    (ii) Each bank and association concerned;
    (iii) For the purposes of this section, ``breach of information'' 
means any actual or attempted unauthorized access, possession, use, 
disclosure, disruption, modification, or destruction of information in 
the central data repository, any reports of accounts and exposures, or 
any other information received pursuant to Sec.  621.15(a)(1).
    (8) Notify the Farm Credit Administration in writing of any request 
for data contained in the reports of accounts and exposures that are 
not explicitly allowed for in Sec.  618.8320(b) of this chapter.

    Dated: December 18, 2013.
Dale L. Aultman,
 Secretary, Farm Credit Administration Board.
[FR Doc. 2013-30717 Filed 12-23-13; 8:45 am]
BILLING CODE 6705-01-P