
Thursday, February 1, 2001

Part II

Department of the Treasury
Office of the Comptroller of the Currency
Office of Thrift Supervision

Federal Reserve System

Federal Deposit Insurance Corporation

12 CFR Part 30, et al.

Interagency Guidelines Establishing Standards for Safeguarding Customer Information and Rescission of Year 2000 Standards for Safety and Soundness; Final Rule

VerDate 11<MAY>2000 18:01 Jan 31, 2001 Jkt 194001 PO 00000 Frm 00001 Fmt 4717 Sfmt 4717 E:\FR\FM\01FER2.SGM pfrm01 PsN: 01FER2


8616 Federal Register / Vol. 66, No. 22 / Thursday, February 1, 2001 / Rules and Regulations

[1] Section 39 applies only to insured depository institutions, including insured branches of foreign banks. The Guidelines, however, will also apply to certain uninsured institutions, such as bank holding companies, certain nonbank subsidiaries of bank holding companies and insured depository institutions, and uninsured branches and agencies of foreign banks. See sections 501 and 505(b) of the G–L–B Act.

[2] OTS has placed its information security guidelines in appendix B to 12 CFR part 570, with the provisions implementing section 39 of the FDI Act. At the same time, OTS has adopted a regulatory requirement that the institutions OTS regulates comply with the proposed Guidelines. Because information security guidelines are similar to physical security procedures, OTS has included a provision in 12 CFR part 568, which covers primarily physical security procedures, requiring compliance with the Guidelines in appendix B to part 570.

DEPARTMENT OF THE TREASURY

Office of the Comptroller of the Currency

12 CFR Part 30

[Docket No. 00–35]

RIN 1557–AB84

FEDERAL RESERVE SYSTEM

12 CFR Parts 208, 211, 225, and 263

[Docket No. R–1073]

FEDERAL DEPOSIT INSURANCE CORPORATION

12 CFR Parts 308 and 364

RIN 3064–AC39

DEPARTMENT OF THE TREASURY

Office of Thrift Supervision

12 CFR Parts 568 and 570

[Docket No. 2000–112]

RIN 1550–AB36

Interagency Guidelines Establishing Standards for Safeguarding Customer Information and Rescission of Year 2000 Standards for Safety and Soundness

AGENCIES: The Office of the Comptroller of the Currency (OCC), Treasury; Board of Governors of the Federal Reserve System (Board); Federal Deposit Insurance Corporation (FDIC); and Office of Thrift Supervision (OTS), Treasury.

ACTION: Joint final rule.

SUMMARY: The Office of the Comptroller of the Currency, Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, and Office of Thrift Supervision (collectively, the Agencies) are publishing final Guidelines establishing standards for safeguarding customer information that implement sections 501 and 505(b) of the Gramm-Leach-Bliley Act (the G–L–B Act or Act).

Section 501 of the G–L–B Act requires the Agencies to establish appropriate standards for the financial institutions subject to their respective jurisdictions relating to administrative, technical, and physical safeguards for customer records and information. As described in the Act, these safeguards are to: insure the security and confidentiality of customer records and information; protect against any anticipated threats or hazards to the security or integrity of such records; and protect against unauthorized access to or use of such records or information that could result in substantial harm or inconvenience to any customer. The Agencies are to implement these standards in the same manner, to the extent practicable, as standards prescribed pursuant to section 39(a) of the Federal Deposit Insurance Act (FDI Act). These final Guidelines implement the requirements described above.

The Agencies previously issued guidelines establishing Year 2000 safety and soundness standards for insured depository institutions pursuant to section 39 of the FDI Act. Since the events for which these guidelines were issued have passed, the Agencies have concluded that the guidelines are no longer necessary and are rescinding these guidelines.

EFFECTIVE DATE: The joint final rule is effective July 1, 2001.

Applicability date: The Year 2000 Standards for Safety and Soundness are no longer applicable as of March 5, 2001.

FOR FURTHER INFORMATION CONTACT:

OCC

John Carlson, Deputy Director for Bank Technology, (202) 874–5013; or Deborah Katz, Senior Attorney, Legislative and Regulatory Activities Division, (202) 874–5090.

Board

Heidi Richards, Assistant Director, Division of Banking Supervision and Regulation, (202) 452–2598; Stephanie Martin, Managing Senior Counsel, Legal Division, (202) 452–3198; or Thomas E. Scanlon, Senior Attorney, Legal Division, (202) 452–3594. For the hearing impaired only, contact Janice Simms, Telecommunication Device for the Deaf (TDD) (202) 452–3544, Board of Governors of the Federal Reserve System, 20th and C Streets, NW, Washington, DC 20551.

FDIC

Thomas J. Tuzinski, Review Examiner, Division of Supervision, (202) 898–6748; Jeffrey M. Kopchik, Senior Policy Analyst, Division of Supervision, (202) 898–3872; or Robert A. Patrick, Counsel, Legal Division, (202) 898–3757.

OTS

Jennifer Dickerson, Manager, Information Technology, Examination Policy, (202) 906–5631; or Christine Harrington, Counsel, Banking and Finance, Regulations and Legislation Division, (202) 906–7957.

SUPPLEMENTARY INFORMATION: The contents of this preamble are listed in the following outline:

I. Background
II. Overview of Comments Received
III. Section-by-Section Analysis
IV. Regulatory Analysis
A. Paperwork Reduction Act
B. Regulatory Flexibility Act
C. Executive Order 12866
D. Unfunded Mandates Act of 1995

I. Background

On November 12, 1999, President Clinton signed the G–L–B Act (Pub. L. 106–102) into law. Section 501, titled “Protection of Nonpublic Personal Information”, requires the Agencies, the National Credit Union Administration, the Securities and Exchange Commission, and the Federal Trade Commission to establish appropriate standards for the financial institutions subject to their respective jurisdictions relating to the administrative, technical, and physical safeguards for customer records and information. As stated in section 501, these safeguards are to: (1) Insure the security and confidentiality of customer records and information; (2) protect against any anticipated threats or hazards to the security or integrity of such records; and (3) protect against unauthorized access to or use of such records or information that would result in substantial harm or inconvenience to any customer.

Section 505(b) of the G–L–B Act provides that these standards are to be implemented by the Agencies in the same manner, to the extent practicable, as standards prescribed pursuant to section 39(a) of the FDI Act.[1] Section 39(a) of the FDI Act authorizes the Agencies to establish operational and managerial standards for insured depository institutions relative to, among other things, internal controls, information systems, and internal audit systems, as well as such other operational and managerial standards as the Agencies determine to be appropriate.[2]


[3] In addition to the definitions discussed below, the Board’s Guidelines in 12 CFR parts 208 and 225 contain a definition of “subsidiary”, which describes the state member bank and bank holding company subsidiaries that are subject to the Guidelines.

[4] The OTS version of the Guidelines does not include this definition because OTS does not regulate foreign institutions. Paragraph I of the OTS Guidelines has been renumbered accordingly.

[5] See 65 FR 35162 (June 1, 2000). Citations to the interagency Privacy Rule in this preamble are to sections only, leaving blank the citations to the part numbers used by each agency.

II. Overview of Comments Received

On June 26, 2000, the Agencies published for comment the proposed Interagency Guidelines Establishing Standards for Safeguarding Customer Information and Rescission of Year 2000 Standards for Safety and Soundness in the Federal Register (65 FR 39472). The public comment period closed August 25, 2000. The Agencies collectively received a total of 206 comments in response to the proposal, although many commenters sent copies of the same letter to each of the Agencies. Those combined comments included 49 from banks, 7 from savings associations, 60 from financial institution holding companies; 50 from financial institution trade associations; 33 from other business entities; and four from state regulators. The Federal Reserve also received comments from three Federal Reserve Banks.

The Agencies invited comment on all aspects of the proposed Guidelines, including whether the rules should be issued as guidelines or as regulations. Commenters overwhelmingly supported the adoption of guidelines, with many commenters offering suggestions for ways to improve the proposed Guidelines as discussed below. Many commenters cited the benefits of flexibility and the drawbacks of prescriptive requirements that could become rapidly outdated as a result of changes in technology.

The Agencies also requested comments on the impact of the proposal on community banks, recognizing that community banks operate with more limited resources than larger institutions and may present a different risk profile. In general, community banks urged the Agencies to issue guidelines that are not prescriptive, that do not require detailed policies or reporting by banks that share little or no information outside the bank, and that provide flexibility in the design of an information security program. Some community banks indicated that the Guidelines are unnecessary because they already have information security programs in place. Others requested clarification of the impact of the Guidelines on banks that do not share any information in the absence of a customer’s consent.

In light of the comments received, the Agencies have decided to adopt the Guidelines, with several changes as discussed below to respond to the commenters’ suggestions. The respective texts of the Agencies’ Guidelines are substantively identical.

In directing the Agencies to issue standards for the protection of customer records and information, Congress provided that the standards apply to all financial institutions, regardless of the extent to which they may disclose information to affiliated or nonaffiliated third parties, electronically transfer data with customers or third parties, or record data electronically. Because the requirements of the Act apply to a broad range of financial institutions, the Agencies believe that the Guidelines must establish appropriate standards that allow each institution the discretion to design an information security program that suits its particular size and complexity and the nature and scope of its activities. In many instances, financial institutions already will have information security programs that are consistent with these Guidelines, because key components of the Guidelines were derived from security-related supervisory guidance previously issued by the Agencies and the Federal Financial Institutions Examination Council (FFIEC). In such situations, little or no modification to an institution’s program will be required.

Below is a section-by-section analysis of the final Guidelines.

III. Section-by-Section Analysis

The discussion that follows applies to each Agency’s Guidelines.

I. Introduction

Paragraph I. of the proposal set forth the general purpose of the Guidelines, which is to provide guidance to each financial institution in establishing and implementing administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information. This paragraph also set forth the statutory authority for the Guidelines, including section 39(a) of the FDI Act (12 U.S.C. 1831p–1) and sections 501 and 505(b) of the G–L–B Act (15 U.S.C. 6801 and 6805(b)). The Agencies received no comments on this paragraph, and have adopted it as proposed.

I.A. Scope

Paragraph I.A. of the proposal described the scope of the Guidelines. Each Agency defined specifically those entities within its particular scope of coverage in this paragraph of the Guidelines.

The Agencies received no comments on the issue of which entities are covered by the Guidelines, and have adopted paragraph I.A. as proposed.

I.B. Preservation of Existing Authority

Paragraph I.B. of the proposal made clear that in issuing these Guidelines none of the Agencies is, in any way, limiting its authority to address any unsafe or unsound practice, violation of law, unsafe or unsound condition, or other practice, including any condition or practice related to safeguarding customer information. As noted in the preamble to the proposal, any action taken by any Agency under section 39(a) of the FDI Act and these Guidelines may be taken independently of, in conjunction with, or in addition to any other enforcement action available to the Agency. The Agencies received no comments on this paragraph, and have adopted paragraph I.B. as proposed.

I.C.1. Definitions

Paragraph I.C. set forth the definitions of various terms for purposes of the Guidelines.[3] It also stated that terms used in the Guidelines have the same meanings as set forth in sections 3 and 39 of the FDI Act (12 U.S.C. 1813 and 1831p–1).

The Agencies received several comments on the proposed definitions, and have made certain changes as discussed below. The Agencies also have reordered proposed paragraph I.C. so that the statement concerning the reliance on sections 3 and 39(a) of the FDI Act is now in paragraph I.C.1., with the definitions appearing in paragraphs I.C.2.a.–e. The defined terms have been placed in alphabetical order in the final Guidelines.

I.C.2.a. Board of Directors

The proposal defined “board of directors” to mean, in the case of a branch or agency of a foreign bank, the managing official in charge of the branch or agency.[4] The Agencies received no comments on this proposed definition, and have adopted it without change.

I.C.2.b. Customer

The proposal defined “customer” in the same way as that term is defined in section ___.3(h) of the Agencies’ rule captioned “Privacy of Consumer Financial Information” (Privacy Rule).[5]


[6] The Agencies recognize that “customer” is defined more broadly under Subtitle B of Title V of the Act, which, in general, makes it unlawful for any person to obtain or attempt to obtain customer information of a financial institution by making false, fictitious, or fraudulent statements. For the purpose of that subtitle, the term “customer” means “any person (or authorized representative of a person) to whom the financial institution provides a product or service, including that of acting as a fiduciary.” (See section 527(1) of the Act.) In light of the statutory mandate to “prescribe such revisions to such regulations and guidelines as may be necessary to ensure that such financial institutions have policies, procedures, and controls in place to prevent the unauthorized disclosure of customer financial information” (section 525), the Agencies considered modifying these Guidelines to cover other customers, namely, business entities and individuals who obtain financial products and services for purposes other than personal, family, or household purposes. The Agencies have concluded, however, that defining “customer” to accommodate the range of objectives set forth in Title V of the Act is unnecessary. Instead, the Agencies have included a new paragraph III.C.1.a, described below, and plan to issue guidance and other revisions to the applicable regulations, as may be necessary, to satisfy the requirements of section 525 of the Act.

The Agencies proposed to use this definition in the Guidelines because section 501(b) refers to safeguarding the security and confidentiality of “customer” information. Given that Congress used the same term for both the 501(b) standards and for the sections concerning financial privacy, the Agencies have concluded that it is appropriate to use the same definition in the Guidelines that was adopted in the Privacy Rule.

Under the Privacy Rule, a customer is a consumer who has established a continuing relationship with an institution under which the institution provides one or more financial products or services to the consumer to be used primarily for personal, family or household purposes. “Customer” does not include a business, nor does it include a consumer who has not established an ongoing relationship with a financial institution (e.g., an individual who merely uses an institution’s ATM or applies for a loan). See sections ___.3(h) and (i) of the Privacy Rule. The Agencies solicited comment on whether the definition of “customer” should be broadened to provide a common information security program for all types of records under the control of a financial institution.

The Agencies received many comments on this definition, almost all of which agreed with the proposed definition. Although a few commenters indicated they would apply the same security program to both business and consumer records, the vast majority of commenters supported the use of the same definition of “customer” in the Guidelines as is used in the Privacy Rule. They observed that the use of the term “customer” in section 501 of the G–L–B Act, when read in the context of the definitions of “consumer” and “customer relationship” in section 509, reflects the Congressional intent to distinguish between certain kinds of consumers for the information security standards and the other privacy provisions established under subtitle A of Title V.

The Agencies have concluded that the definition of “customer” used in the Guidelines should be consistent with the definition established in section ___.3(h) of the Privacy Rule. The Agencies believe, therefore, that the most reasonable interpretation of the applicable provisions of subtitle A of Title V of the Act is that a financial institution is obligated to protect the security and confidentiality of the nonpublic personal information of its consumers with whom it has a customer relationship. As a practical matter, a financial institution may also design or implement its information security program in a manner that encompasses the records and information of its other consumers and its business clients.[6]

I.C.2.c. Customer Information

The proposal defined “customer information” as any records containing nonpublic personal information, as defined in section ___.3(n) of the Privacy Rule, about a customer. This included records, data, files, or other information in paper, electronic, or other form that are maintained by any service provider on behalf of an institution. Although section 501(b) of the G–L–B Act refers to the protection of both customer “records” and “information”, for the sake of simplicity, the proposed Guidelines used the term “customer information” to encompass both information and records.

The Agencies received several comments on this definition. The commenters suggested that the proposed definition was too broad because it included files “containing” nonpublic personal information. The Agencies believe, however, that a financial institution’s security program must apply to files that contain nonpublic personal information in order to adequately protect the customer’s information. In deciding what level of protection is appropriate, a financial institution may consider the fact that a given file contains very little nonpublic personal information, but that fact would not render the file entirely beyond the scope of the Guidelines. Accordingly, the Agencies have adopted a definition of “customer record” that is substantively the same as the proposed definition. The Agencies have, however, deleted the reference to “data, files, or other information” from the final Guidelines, since each is included in the term “records” and also is covered by the reference to “paper, electronic, or other form”.

I.C.2.d. Customer Information System

The proposal defined “customer information system” to be electronic or physical methods used to access, collect, store, use, transmit, or protect customer information. The Agencies received a few comments on this definition, mostly from commenters who stated that it is too broad. The Agencies believe that the definition needs to be sufficiently broad to protect all customer information, wherever the information is located within a financial institution and however it is used. Nevertheless, the broad scope of the definition of “customer information system” should not result in an undue burden because, in other important respects, the Guidelines allow a high degree of flexibility for each institution to design a security program that suits its circumstances.

For these reasons, the Agencies have adopted the definition of “customer information system” largely as proposed. However, the phrase “electronic or physical” in the proposal has been deleted because each is included in the term “any methods”. The Agencies also have added a specific reference to records disposal in the definition of “customer information system.” This is consistent with the proposal’s inclusion of access controls in the list of items a financial institution is to consider when establishing security policies and procedures (see discussion of paragraph III.C.1.a., below), given that inadequate disposal of records may result in identity theft or other misuse of customer information. Under the final Guidelines, a financial institution’s responsibility to safeguard customer information continues through the disposal process.

I.C.2.e. Service Provider

The proposal defined a “service provider” as any person or entity that maintains or processes customer information for a financial institution, or is otherwise granted access to customer information through its provision of services to an institution. One commenter urged the Agencies to modify this definition so that it would not include a financial institution’s attorneys, accountants, and appraisers. Others suggested deleting the phrase “or is otherwise granted access to customer information through its provision of services to an institution”.


[7] Similarly, in the case of a service provider that is not subject to these Guidelines but is subject to standards adopted by its primary regulator under section 501(b) of the G–L–B Act, a financial institution may take that fact into consideration when deciding what level of oversight is appropriate for that service provider.

[8] The term “subservicer” means any person who has access to an institution’s customer information through its provision of services to the service provider and is not limited to mortgage subservicers.

[9] The appendix provided that the proposed Guidelines would be applicable to customer information maintained by or on behalf of bank holding companies and their nonbank subsidiaries or affiliates (except brokers, dealers, persons providing insurance, investment companies, and investment advisors) for which the Board has supervisory authority. See 65 FR 39484 (June 26, 2000).


The Agencies believe that the Act requires each financial institution to adopt a comprehensive information security program that is designed to protect against unauthorized access to or use of customers’ nonpublic personal information. Disclosing information to a person or entity that provides services to a financial institution creates additional risks to the security and confidentiality of the information disclosed. In order to protect against these risks, a financial institution must take appropriate steps to protect information that it provides to a service provider, regardless of who the service provider is or how the service provider obtains access. The fact that an entity obtains access to customer information through, for instance, providing professional services does not obviate the need for the financial institution to take appropriate steps to protect the information. Accordingly, the Agencies have determined that, in general, the term “service provider” should be broadly defined to encompass a variety of individuals or companies that provide services to the institution.

This does not mean, however, that a financial institution’s methods for overseeing its service provider arrangements will be the same for every provider. As explained in the discussion of paragraph III.D., a financial institution’s oversight responsibilities will be shaped by the institution’s analysis of the risks posed by a given service provider. If a service provider is subject to a code of conduct that imposes a duty to protect customer information consistent with the objectives of these Guidelines, a financial institution may take that duty into account when deciding what level of oversight it should provide.

Moreover, a financial institution will be responsible under the final Guidelines for overseeing its service provider arrangements only when the service is provided directly to the financial institution. The Agencies clarified this point by amending the definition of “service provider” in the final Guidelines to state that it applies only to a person or entity that maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to the financial institution. Thus, for instance, a payment intermediary involved in the collection of a check but that has no correspondent relationship with a financial institution would not be considered a service provider of that financial institution under this rule. By contrast, a financial institution’s correspondent bank would be considered its service provider. Nevertheless, the financial institution may take into account the fact that the correspondent bank is itself a financial institution that is subject to security standards under section 501(b) when it determines the appropriate level of oversight for that service provider.[7]

In situations where a service provider hires a subservicer,[8] the subservicer would not be a “service provider” under the final Guidelines. The Agencies recognize that it would be inappropriate to impose obligations on a financial institution to select and monitor subservicers in situations where the financial institution has no contractual relationship with that person or entity. When conducting due diligence in selecting its service providers (see discussion of paragraph III.D., below), however, a financial institution must determine that the service provider has adequate controls to ensure that the subservicer will protect the customer information in a way that meets the objectives of these Guidelines.

II. Standards for Safeguarding Customer Information

II.A. Information Security Program

The proposed Guidelines described the Agencies’ expectations for the creation, implementation, and maintenance of a comprehensive information security program. As noted in the proposal, this program must include administrative, technical, and physical safeguards appropriate to the size and complexity of the institution and the nature and scope of its activities.

Several commenters representing large and complex organizations were concerned that the term “comprehensive information security program” required a single and uniform document that must apply to all component parts of the organization. In response, the Agencies note that a program that includes administrative, technical, and physical safeguards will, in many instances, be composed of more than one document. Moreover, use of this term does not require that all parts of an organization implement a uniform program. However, the Agencies will expect an institution to coordinate all the elements of its information security program. Where the elements of the program are dispersed throughout the institution, management should be aware of these elements and their locations. If they are not maintained on a consolidated basis, management should have an ability to retrieve the current documents from those responsible for the overall coordination and ongoing evaluation of the program.

The Board received comment on its proposal to revise the appendix to Regulation Y regarding the provision that would require a bank holding company to ensure that each of its subsidiaries is subject to a comprehensive information security program.[9] This comment urged the Board to eliminate that provision and argued, in part, that the requirement assumes that a bank holding company has the power to impose such controls upon its subsidiary companies. These commenters recommended, instead, that the standards should be limited to customer information in the possession or control of the bank holding company.

Under the Bank Holding Company Act of 1956 and the Board’s Regulation Y, a subsidiary is presumed to be controlled directly or indirectly by the holding company. 12 U.S.C. 1841(d); 12 CFR 225.2(o). Moreover, the Board believes that a bank holding company is ultimately responsible for ensuring that its subsidiaries comply with the standards set forth under these Guidelines. The Board recognizes, however, that a bank holding company may satisfy its obligations under section 501 of the GLB Act through a variety of measures, such as by including a subsidiary within the scope of its information security program or by causing the subsidiary to implement a separate information security program in accordance with these Guidelines.

II.B. Objectives

Paragraph II.B. of the proposed Guidelines described the objectives that each financial institution’s information security program should be designed to achieve. These objectives tracked the objectives as stated in section 501(b)(1)–(3), adding only that the security program is to protect against unauthorized access that could risk the safety and soundness of the institution. The Agencies requested comment on whether there are additional or alternative objectives that should be included in the Guidelines.


[10] The Agencies note that other regulations already require a financial institution to designate a security officer for different purposes. See 12 CFR 21.2; 12 CFR 208.61(b).


The Agencies received several comments on this proposed paragraph, most of which objected to language that, in the commenters’ view, required compliance with objectives that were impossible to meet. Many commenters stated, for instance, that no information security program can ensure that there will be no problems with the security or confidentiality of customer information. Others criticized the objective that required protection against any anticipated threat or hazard. A few commenters questioned the objective of protecting against unauthorized access that could result in inconvenience to a customer, while others objected to the addition of the safety and soundness standard noted above.

The Agencies do not believe the statute mandates a standard of absolute liability for a financial institution that experiences a security breach. Thus, the Agencies have clarified these objectives by stating that each security program is to be designed to accomplish the objectives stated. With the one exception discussed below, the Agencies have otherwise left unchanged the statement of the objectives, given that these objectives are identical to those set out in the statute.

In response to comments that objected to the addition of the safety and soundness standard, the Agencies have deleted that reference in order to make the statement of objectives identical to the objectives identified in the statute. The Agencies believe that risks to the safety and soundness of a financial institution may be addressed through other supervisory or regulatory means, making it unnecessary to expand the statement of objectives in this rulemaking.

Some commenters asked for clarification of a financial institution’s responsibilities when a customer authorizes a third party to access that customer’s information. For purposes of the Guidelines, access to or use of customer information is not “unauthorized” access if it is done with the customer’s consent. When a customer gives consent to a third party to access or use that customer’s information, such as by providing the third party with an account number, PIN, or password, the Guidelines do not require the financial institution to prevent such access or monitor the use or redisclosure of the customer’s information by the third party. Finally, unauthorized access does not mean disclosure pursuant to one of the exceptions in the Privacy Rule.

III. Develop and Implement Information Security Program

III.A. Involve the Board of Directors

Paragraph III.A. of the proposal described the involvement of the board and management in the development and implementation of an information security program. As explained in the proposal, the board’s responsibilities are to: (1) Approve the institution’s written information security policy and program; and (2) oversee efforts to develop, implement, and maintain an effective information security program, including reviewing reports from management. The proposal also laid out management’s responsibilities for developing, implementing, and maintaining the security program.

The Agencies received a number of comments regarding the requirement of board approval of the information security program. Some commenters stated that each financial institution should be allowed to decide for itself whether to obtain board approval of its program. Others suggested that approval by either a board committee or at the holding company level might be appropriate. Still others suggested modifying the Guidelines to require only that the board approve the initial information security program and delegate subsequent review and approval of the program to either a committee or an individual.

The Agencies believe that a financial institution’s overall information security program is critical to the safety and soundness of the institution. Therefore, the final Guidelines continue to place responsibility on an institution’s board to approve and exercise general oversight over the program. However, the Guidelines allow the entire board of a financial institution, or an appropriate committee of the board, to approve the institution’s written security program. In addition, the Guidelines permit the board to assign specific implementation responsibilities to a committee or an individual.

One commenter suggested that the Guidelines be revised to provide that if a holding company develops, approves, and oversees the information security program that applies to its bank and nonbank subsidiaries, there should be no separate requirement for each subsidiary to do the same thing, as long as those subsidiaries agree to abide by the holding company’s security program. The Agencies agree that subsidiaries within a holding company can use the security program developed at the holding company level. However, if subsidiary institutions choose to use a security program developed at the holding company level, the board of directors or an appropriate committee at each subsidiary institution must conduct an independent review to ensure that the program is suitable and complies with the requirements prescribed by the subsidiary’s primary regulator. See 12 U.S.C. 505. Once the subsidiary institution’s board, or a committee thereof, has approved the security program, it must oversee the institution’s efforts to implement and maintain an effective program.

The Agencies also received comments suggesting that use of the term “oversee” conveyed the notion that a board is expected to be involved in day-to-day monitoring of the development, implementation, and maintenance of an information security program. The Agencies’ use of the term “oversee” is meant to convey a board’s conventional supervisory responsibilities. Day-to-day monitoring of any aspect of an information security program is a management responsibility. The final Guidelines reflect this by providing that the board must oversee the institution’s information security program but may assign specific responsibility for its implementation.

The Agencies invited comment on whether the Guidelines should require that the board designate a Corporate Information Security Officer or other responsible individual who would have the authority, subject to the board’s approval, to develop and administer the institution’s information security program. The Agencies received a number of comments suggesting that the Agencies should not require the creation of a new position for this purpose. Some financial institutions also stated that hiring one or more additional staff for this purpose would impose a significant burden. The Agencies believe that a financial institution will not need to create a new position with a specific title for this purpose, as long as the institution has adequate staff in light of the risks to its customer information. Regardless of whether new staff are added, the lines of authority and responsibility for development, implementation, and administration of a financial institution’s information security program need to be well defined and clearly articulated.[10]


The proposal identified three responsibilities of management in the development of an information security program. They were to: (1) Evaluate the impact on a financial institution’s security program of changing business arrangements and changes to customer information systems; (2) document compliance with these Guidelines; and (3) keep the board informed of the overall status of the institution’s information security program. A few commenters objected to the Agencies assigning specific tasks to management. These commenters did not object to the tasks per se, but suggested that the Agencies allow an institution’s board and management to decide who within the institution is to carry out the tasks.

The Agencies agree that a financial institution is in the best position to determine who should be assigned specific roles in implementing the institution’s security program. Accordingly, the Agencies have deleted the separate provision assigning specific roles to management. The responsibilities that were contained in this provision are now included in other paragraphs of the Guidelines.

III.B. Assess Risk

Paragraph III.B. of the proposal described the risk assessment process to be used in the development of the information security program. Under the proposal, a financial institution was to identify and assess the risks to customer information. As part of that assessment, the institution was to determine the sensitivity of the information and the threats to the institution’s systems. The institution also was to assess the sufficiency of its policies, procedures, systems, and other arrangements in place to control risk. Finally, the institution was to monitor, evaluate, and adjust its risk assessment in light of changes in areas identified in the proposal.

The Agencies received several comments on these provisions, most of which focused on the requirement that financial institutions do a sensitivity analysis. One commenter noted that “customer information” is defined to mean “nonpublic personal information” as defined in the G–L–B Act, and that the G–L–B Act provides the same level of coverage for all nonpublic personal information. The commenter stated that it is therefore unclear how the level of sensitivity would affect an institution’s obligations with respect to the security of this information.

While the Agencies agree that all customer information requires protection, the Agencies believe that requiring all institutions to afford the same degree of protection to all customer information may be unnecessarily burdensome in many cases. Accordingly, the final Guidelines continue to state that institutions should take into consideration the sensitivity of customer information. Disclosure of certain information (such as account numbers or access codes) might be particularly harmful to customers if the disclosure is not authorized. Individuals who try to breach the institution’s security systems may be likely to target this type of information. When such information is housed on systems that are accessible through public telecommunications networks, it may require more and different protections, such as encryption, than if it were located in a locked file drawer. To provide flexibility to respond to these different security needs in the way most appropriate, the Guidelines confer upon institutions the discretion to determine the levels of protection necessary for different categories of information. Institutions may treat all customer information the same, provided that the level of protection is adequate for all the information.

Other commenters suggested that the risk assessment requirement be tied to reasonably foreseeable risks. The Agencies agree that the security program should be focused on reasonably foreseeable risks and have amended the final Guidelines accordingly.

The final Guidelines make several other changes to this paragraph to improve the order of the Guidelines and to eliminate provisions that were redundant in light of responsibilities outlined elsewhere. For instance, while the proposal stated that the risk assessment function included the need to monitor for relevant changes to technology, sensitivity of customer information, and threats to information security and make adjustments as needed, that function has been incorporated into the discussion of managing and controlling risk in paragraphs III.C.3. and III.E.

Thus, under the Guidelines as adopted, a financial institution should identify the reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information or customer information systems. Next, the risk assessment should consider the potential damage that a compromise of customer information from an identified threat would have on the customer information, taking into consideration the sensitivity of the information to be protected in assessing the potential damage. Finally, a financial institution should conduct an assessment of the sufficiency of existing policies, procedures, customer information systems, and other arrangements intended to control the risks it has identified.

III.C. Manage and Control Risk

Paragraph III.C. describes the steps an institution should take to manage and control the risks identified in paragraph III.B.

Establish policies and procedures (III.C.1.). Paragraph III.C.1 of the proposal described the elements of a comprehensive risk management plan designed to control identified risks and to achieve the overall objective of ensuring the security and confidentiality of customer information. It identified eleven factors an institution should consider in evaluating the adequacy of its policies and procedures to effectively manage these risks.

The Agencies received a large number of comments on this paragraph. Most of the comments were based on a perception that every institution would have to adopt every security measure listed in proposed III.C.1.a.–k. as part of the institution’s policies and procedures. In particular, a number of commenters were concerned that the proposed Guidelines would require the encryption of all customer data.

The Agencies did not intend for the security measures listed in paragraph III.C.1. to be seen as mandatory for all financial institutions and for all data. Rather, the Agencies intended only that an institution would consider whether the protections listed were appropriate for the institution’s particular circumstances, and, if so, adopt those identified as appropriate. The Agencies continue to believe that these elements may be adapted by institutions of varying sizes, scope of operations, and risk management structures. Consistent with that approach, the manner of implementing a particular element may vary from institution to institution. For example, while a financial institution that offers Internet-based transaction accounts may conclude that encryption is appropriate, a different institution that processes all data internally and does not have a transactional web site may consider other kinds of access restrictions that are adequate to maintain the confidentiality of customer information. To underscore this point, the final Guidelines have been amended to state that each financial institution must consider whether the security elements discussed in paragraphs III.C.1.a.–h. are appropriate for the institution and, if so, adopt those elements an institution concludes are appropriate.

[11] Pretext calling is a fraudulent means of obtaining an individual’s personal information by persons posing as bank customers.

The Agencies invited comment on the degree of detail that should be included in the Guidelines regarding the risk management program, including which elements should be specified in the Guidelines, and any other components of a risk management program that should be listed. With the exception of those commenters who thought some or all of the elements of the risk management program were intended to be mandatory for all financial institutions, the comments supported the level of detail conveyed in the proposed Guidelines. The Agencies have adopted the provision regarding management and control of risks with the changes discussed below. Comments addressing proposed security measures that have been adopted without change also are discussed below.

Access rights. The Agencies received a number of comments suggesting that the reference to “access rights to customer information” in paragraph III.C.1.a. of the proposal could be interpreted to mean providing customers with a right of access to financial information. The reference was intended to refer to limitations on employee access to customer financial information, not to customer access to financial information. However, this element has been deleted since limitations on employee access are covered adequately in other parts of paragraph III.C.1. (See discussion of “access controls” in paragraph III.C.1.a. of the final Guidelines, below.)

Access controls. Paragraph III.C.1.b. of the proposed Guidelines required a financial institution to consider appropriate access controls when establishing its information security policies and procedures. These controls were intended to address unauthorized access to an institution’s customer information by anyone, whether or not employed by the institution.

The Agencies believe that this element sufficiently addresses the concept of unauthorized access, regardless of who is attempting to obtain access. This would cover, for instance, attempts through pretext calling to gather information about a financial institution’s customers.[11] The Agencies have amended the final Guidelines to refer specifically to pretext calling in new III.C.1.a. The Agencies do not intend for the final Guidelines to require a financial institution to provide its customers with access to information the institution has gathered. Instead, the provision in the final Guidelines addressing access is limited solely to the issue of preventing unauthorized access to customer information.

The Agencies have deleted the reference in the proposed paragraph III.C.1.b. to providing access to authorized companies. This change was made partly in response to commenters who objected to what they perceived to be an inappropriate expansion of the scope of the Guidelines to include company records and partly in recognition of the fact that access to records would be obtained, in any case, only through requests by individuals. The final Guidelines require an institution to consider the need for access controls in light of the institution’s various customer information systems and adopt such controls as appropriate.

Dual control procedures. Paragraph III.C.1.f. of the proposed Guidelines stated that financial institutions should consider dual control procedures, segregation of duties, and employee background checks for employees with responsibility for, or access to, customer information. Most of the comments on this paragraph focused on dual control procedures, a term that refers to a security technique that uses two or more separate persons, operating together, to protect sensitive information. Both persons are equally responsible for protecting the information and neither can access the information alone.

According to one commenter, dual controls are part of normal audit procedures and did not need to be restated. Other commenters suggested that dual control procedures are not always necessary, implying that these procedures are not the norm. The Agencies recognize that dual-control procedures are not necessary for all activities, but might be appropriate for higher-risk activities. Given that the Guidelines state only that dual control procedures should be considered by a financial institution and adopted only if appropriate for the institution, the Agencies have retained a reference to dual control procedures in the items to be considered (paragraph III.C.1.e).
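As an added illustration that is not part of the Guidelines or the Agencies’ commentary, the following Python shows one mechanical form of the dual control technique described above: a protected secret (a constructed sample standing in for, say, a master key that unlocks customer records) is split into two shares held by two custodians; either share alone is uniformly random and reveals nothing, release requires both enrolled custodians to present their shares, and the recombined value is checked against a stored commitment so a wrong or tampered share is refused. The custodian names, the XOR split, the SHA-256 commitment and the sample secret are all assumptions of the example.

```python
"""Dual control over a sensitive secret: two custodians, neither sufficient alone.

Added illustration, not part of the Guidelines. The secret is split into two
XOR shares. Each share on its own is uniformly random and so reveals nothing;
release requires both shares, presented by two distinct enrolled custodians,
and the recombined value is checked against a stored SHA-256 commitment so a
wrong or tampered share is refused instead of silently yielding a bad key.
"""
import hashlib
import hmac
import secrets


class DualControlError(Exception):
    """Raised when a release attempt does not satisfy dual control."""


def split_secret(secret: bytes) -> tuple[bytes, bytes]:
    """Return shares (a, b) with a XOR b == secret; `a` is fresh random."""
    a = secrets.token_bytes(len(secret))
    b = bytes(x ^ y for x, y in zip(a, secret))
    return a, b


def combine_shares(a: bytes, b: bytes) -> bytes:
    """Recombine two equal-length XOR shares."""
    if len(a) != len(b):
        raise DualControlError("share lengths differ")
    return bytes(x ^ y for x, y in zip(a, b))


class DualControlVault:
    """Stores only the custodian roster and a commitment to the secret.

    Neither the secret nor any share is kept here; each custodian keeps
    their own share (separate HSM slots or sealed envelopes, hypothetically).
    """

    def __init__(self, commitment: bytes, custodians: tuple[str, str]):
        if len(custodians) != 2 or len(set(custodians)) != 2:
            raise ValueError("exactly two distinct custodians are required")
        self.commitment = commitment
        self.custodians = frozenset(custodians)

    def release(self, approvals: dict[str, bytes]) -> bytes:
        """Reconstruct the secret from both custodians' presented shares.

        `approvals` maps custodian id -> share. A missing, extra or unknown
        custodian fails the roster check; a share that does not recombine to
        the committed value fails the integrity check.
        """
        presenting = set(approvals)
        if presenting != self.custodians:
            raise DualControlError(
                f"dual control not satisfied: missing={sorted(self.custodians - presenting)} "
                f"unknown={sorted(presenting - self.custodians)}"
            )
        first, second = (approvals[c] for c in sorted(self.custodians))
        candidate = combine_shares(first, second)
        # Constant-time compare; a wrong share must be refused, not returned.
        if not hmac.compare_digest(hashlib.sha256(candidate).digest(), self.commitment):
            raise DualControlError("recombined value does not match commitment")
        return candidate


def enroll(secret: bytes, custodians: tuple[str, str]) -> tuple[DualControlVault, dict[str, bytes]]:
    """Split `secret`, build the vault, and return the shares to hand out.

    The caller distributes each share to its custodian and discards `secret`.
    """
    vault = DualControlVault(hashlib.sha256(secret).digest(), custodians)
    return vault, dict(zip(custodians, split_secret(secret)))


def demo() -> dict[str, bool]:
    """Run the expected outcomes on a constructed secret and two custodians."""
    secret = b"constructed vault master key 32B"  # constructed sample, not a real key
    vault, shares = enroll(secret, ("alice", "bob"))

    def attempt(approvals: dict[str, bytes]) -> bool:
        try:
            return vault.release(approvals) == secret
        except DualControlError:
            return False

    tampered_bob = bytes(b ^ 0x01 for b in shares["bob"])
    return {
        "both_custodians": attempt(shares),
        "alice_alone": attempt({"alice": shares["alice"]}),
        "bob_alone": attempt({"bob": shares["bob"]}),
        "outsider_with_bob": attempt({"carol": shares["alice"], "bob": shares["bob"]}),
        "tampered_share": attempt({"alice": shares["alice"], "bob": tampered_bob}),
    }


if __name__ == "__main__":
    for case, released in demo().items():
        print(f"{case:20s} released={released}")
```

The same pattern generalizes to an approval workflow (two authenticated operators must each sign a release request) or to hardware-backed key shares; what makes it dual control rather than mere logging is that the system cannot reach the protected value at all until both parties have acted.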

Oversight of servicers. Paragraph III.C.1.g. of the proposal was deleted. Instead, the final Guidelines consolidate the provisions related to service providers in paragraph III.D.

Physical hazards and technical failures. The paragraphs of the proposed Guidelines addressing protection against destruction due to physical hazards and technological failures (paragraphs III.C.1.j. and k., respectively, of the proposal) have been consolidated in paragraph III.C.1.h. of the final Guidelines. The Agencies believe that this change improves clarity and recognizes that disaster recovery from environmental and technological failures often involves the same considerations.

Training (III.C.2.). Paragraph III.C.2. of the proposed Guidelines provided that an institution’s information security program should include a training component designed to train employees to recognize, respond to, and report unauthorized attempts to obtain customer information. The Agencies received several comments suggesting that this provision directed staff of financial institutions to report suspected attempts to obtain customer information to law enforcement agencies rather than to the management of the financial institution. The Agencies did not intend that result, and note that nothing in the Guidelines alters other applicable requirements and procedures for reporting suspicious activities. For purposes of these Guidelines, the Agencies believe that, as part of a training program, staff should be made aware both of federal reporting requirements and an institution’s procedures for reporting suspicious activities, including attempts to obtain access to customer information without proper authority.

The final Guidelines amend the provision governing training to state that a financial institution’s information security program should include a training component designed to implement the institution’s information security policies and procedures. The Agencies believe that the appropriate focus for the training should be on compliance with the institution’s security program generally and not just on the limited aspects identified in proposed III.C.2. The provisions governing reporting have been moved to paragraph III.C.1.g., which addresses response programs in general.

Testing (III.C.3.). Paragraph III.C.3. of the proposed Guidelines provided that an information security program should include regular testing of key controls, systems, and procedures. The proposal provided that the frequency and nature of the testing should be determined by the risk assessment and adjusted as necessary to reflect changes in both internal and external conditions. The proposal also provided that the tests are to be conducted, where appropriate, by independent third parties or staff independent of those that develop or maintain the security program. Finally, the proposal stated that test results are to be reviewed by independent third parties or staff independent of those that conducted the test. The Agencies requested comment on whether specific types of security tests, such as penetration tests or intrusion detection tests, should be required.

The most frequent comment regarding testing of key controls was that the Agencies should not require specific tests. Commenters noted that because technology changes rapidly, the tests specified in the Guidelines will become obsolete and other tests will become the standard. Consequently, according to these commenters, the Guidelines should identify areas where testing may be appropriate without requiring a financial institution to implement a specific test or testing procedure. Several commenters noted that periodic testing of information security controls is a sound idea and is an appropriate standard for inclusion in these Guidelines.

The Agencies believe that a variety of tests may be used to ensure the controls, systems, and procedures of the information security program work properly and also recognize that such tests will progressively change over time. The Agencies believe that the particular tests that may be applied should be left to the discretion of management rather than specified in advance in these Guidelines. Accordingly, the final Guidelines do not require a financial institution to apply specific tests to evaluate the key control systems of its information security program.

The Agencies also invited comment regarding the appropriate degree of independence that should be specified in the Guidelines in connection with the testing of information security systems and the review of test results. The proposal asked whether the tests or reviews of tests should be conducted by persons who are not employees of the financial institution. The proposal also asked whether employees may conduct the testing or may review test results, and what measures, if any, are appropriate to assure their independence.

Some commenters interpreted the proposal as requiring three separate teams of people to provide sufficient independence to control testing: one team to operate the system; a second team to test the system; and a third team to review test results. This approach, they argued, would be too burdensome and expensive to implement. The Agencies believe that the critical need for independence is between those who operate the systems and those who either test them or review the test results. Therefore, the final Guidelines now require that tests should be conducted or reviewed by persons who are independent of those who operate the systems, including the management of those systems.

Whether a financial institution should use third parties to either conduct tests or review their results depends upon a number of factors. Some financial institutions may have the capability to thoroughly test certain systems in-house and review the test results but will need the assistance of third party testers to assess other systems. For example, an institution’s internal audit department may be sufficiently trained and independent for the purposes of testing certain key controls and providing test results to decision makers independent of system managers. Some testing may be conducted by third parties in connection with the actual installation or modification of a particular program. In each instance, management needs to weigh the benefits of testing and test review by third parties against its own resources in this area, both in terms of expense and reliability.

Ongoing adjustment of program. Paragraph III.C.4. of the proposal required an institution to monitor, evaluate and adjust, as appropriate, the information security program in light of any relevant changes in technology, the sensitivity of its customer information, and internal or external threats to information security. This provision was previously located in the paragraph titled “Manage and Control Risk”. While there were no comments on this provision, the Agencies wanted to highlight this concept and clarify that this provision is applicable to an institution’s entire information security program. Therefore, this provision is now separately identified as new paragraph III.E. of the final Guidelines, discussed below.

III.D. Oversee Service Provider Arrangements

The Agencies’ proposal addressed service providers in two provisions. The Agencies provided that an institution should consider contract provisions and oversight mechanisms to protect the security of customer information maintained or processed by service providers as one of the proposed elements to be considered in establishing risk management policies and procedures (proposed paragraph III.C.1.g.). Additionally, proposed paragraph III.D. provided that, when an institution uses an outsourcing arrangement, the institution would continue to be responsible for safeguarding customer information that it gives to the service provider. That proposed paragraph also provided that the institution must use due diligence in managing and monitoring the outsourcing arrangement to confirm that its service providers would protect customer information consistent with the Guidelines.

The Agencies requested comment on the appropriate treatment of outsourcing arrangements, such as whether industry best practices are available regarding effective monitoring of service provider security precautions, whether service providers accommodate requests for specific contract provisions regarding information security, and, to the extent that service providers do not accommodate these requests, whether financial institutions implement effective information security programs. The Agencies also requested comment on whether institutions would find it helpful if the Guidelines contained specific contract provisions requiring service provider performance standards in connection with the security of customer information.

The Agencies received one example of best practices, but the commenter did not recommend that they be included in the Guidelines. While some commenters suggested that the Guidelines include best practices, other commenters stated that, given the various types of financial institutions, there could be a variety of best industry practices. Another commenter stated that best practices could become minimum requirements that result in inappropriate burdens. The Agencies recognize that information security practices are likely to evolve rapidly, and thus believe that it is inappropriate to include best practices in the final Guidelines.

Commenters were mixed as to whether service providers are receptive to contract modifications to protect customer information. Commenters were uniform, however, in stating that an institution’s obligation to monitor service providers should not include on-site audits by the institution or its agent. The commenters stated that, in addition to the expense for financial institutions, the procedure would place an inordinate burden on many service providers that process customer information for multiple institutions. Several commenters noted that the service providers often contract for audits of their systems and that institutions should be able to rely upon those testing procedures. Some commenters recommended that an institution’s responsibility for information given to service providers require only that the institution enter into appropriate contractual arrangements. However, commenters also indicated that requiring specific contract provisions would not be consistent with the development of flexible Guidelines and recommended against the inclusion of specific provisions.

[12] For additional information concerning how a financial institution should identify, measure, monitor, and control risks associated with the use of technology, see OCC Bulletin 98–3 concerning technology risk management, which may be obtained on the Internet at http://www.occ.treas.gov/ftp/bulletin/98–3.txt; Federal Reserve SR Letter 98–9 on Assessment of Information Technology in the Risk-Focused Frameworks for the Supervision of Community Banks and Large Complex Banking Organizations, April 20, 1998, http://www.federalreserve.gov/boarddocs/SRLETTERS/1998/SR9809.HTM; FDIC FIL 99–68 concerning risk assessment tools and practices for information security systems at http://www.fdic.gov/news/news/financial/1999/fil9968.html; OTS’s CEO Letter 70, Statement on Retail On-Line Personal Computer Banking (June 23, 1997), available at http://www.ots.treas.gov/docs/25070.pdf.

The Agencies believe that financial institutions should enter into appropriate contracts, but also believe that these contracts, alone, are not sufficient. Therefore, the final Guidelines, in paragraph III.D., include provisions relating to selecting, contracting with, and monitoring service providers.

The final Guidelines require that an institution exercise appropriate due diligence in the selection of service providers. Due diligence should include a review of the measures taken by a service provider to protect customer information. As previously noted in the discussion of “service provider”, it also should include a review of the controls the service provider has in place to ensure that any subservicer used by the service provider will be able to meet the objectives of these Guidelines.

The final Guidelines also require that a financial institution have a contract with each of its service providers that requires each provider to implement appropriate measures designed to meet the objectives of these Guidelines (as stated in paragraph II.B.). This provision does not require a service provider to have a security program in place that complies with each paragraph of these Guidelines. Instead, by stating that a service provider’s security measures need only achieve the objectives of these Guidelines, the Guidelines provide flexibility for a service provider’s information security measures to differ from the program that a financial institution implements. The Agencies have provided a two-year transition period during which institutions may bring their outsourcing contracts into compliance. (See discussion of paragraph III.F.) The Agencies have not included model contract language, given our belief that the precise terms of service contracts are best left to the parties involved.

Each financial institution must also exercise an appropriate level of oversight over each of its service providers to confirm that the service provider is implementing the provider’s security measures. The Agencies have amended the Guidelines as proposed to include greater flexibility with regard to the monitoring of service providers. A financial institution need only monitor its outsourcing arrangements if such oversight is indicated by an institution’s own risk assessment. The Agencies recognize that not all outsourcing arrangements will need to be monitored, or monitored in the same fashion. Some service providers will be financial institutions that are directly subject to these Guidelines or other standards promulgated by their primary regulator under section 501(b). Other service providers may already be subject to legal and professional standards that require them to safeguard the institution’s customer information. Therefore, the final Guidelines permit an institution to do a risk assessment taking these factors into account and determine for itself which service providers will need to be monitored.

Even where monitoring is warranted, the Guidelines do not require on-site inspections. Instead, the Guidelines state that this monitoring can be accomplished, for example, through the periodic review of the service provider’s associated audits, summaries of test results, or equivalent measures of the service provider. The Agencies expect that institutions will arrange, when appropriate, through contracts or otherwise, to receive copies of audits and test result information sufficient to assure the institution that the service provider implements information security measures that are consistent with its contract provisions regarding the security of customer information. The American Institute of Certified Public Accountants Statement of Auditing Standards No. 70, captioned “Reports on the Processing of Transactions by Service Organizations” (SAS 70 report), is one commonly used external audit tool for service providers. Information contained in an SAS 70 report may enable an institution to assess whether its service provider has information security measures that are consistent with representations made to the institution during the service provider selection process.

III.E. Adjust the Program

Paragraphs III.B.3. and III.C.4. of the proposed Guidelines both addressed a financial institution’s obligations when circumstances change. Both paragraph III.B.3. (which set forth management’s responsibilities with respect to its risk assessment) and paragraph III.C.4. (which focused on the adequacy of an institution’s information security program) identified the possible need for changes to an institution’s program in light of relevant changes to technology, the sensitivity of customer information, and internal or external threats to information security.

The Agencies received no comments objecting to the statements in these paragraphs of the need to adjust a financial institution’s program as circumstances change. While the Agencies have not changed the substance of these provisions in the final Guidelines, we have made a stylistic change to simplify the Guidelines. The final Guidelines combine, in paragraph III.E., the provisions previously stated separately. Consistent with the proposal, this paragraph provides that each financial institution must monitor, evaluate, and adjust its information security program in light of relevant changes in technology, the sensitivity of its customer information, internal or external threats to information, and the institution’s own changing business arrangements. This would include an analysis of risks to customer information posed by new technology (and any needed program adjustments) before a financial institution adopts the technology, in order to determine whether a security program remains adequate in light of the new risks presented.¹²

III.F. Report to the Board

Paragraph III.A.2.c. of the proposal set out management’s responsibilities for reporting to its board of directors. As previously discussed, the final Guidelines have removed specific requirements for management, but instead allow a financial institution to determine who within the organization should carry out a given responsibility. The board reporting requirement thus has been amended to require that a financial institution report to its board, and that this report be at least annual. Paragraph III.F. of the final Guidelines sets out this requirement.

The Agencies invited comment regarding the appropriate frequency of reports to the board, including whether reports should be monthly, quarterly, or annually. The Agencies received a number of comments recommending that no specific frequency be mandated by the Guidelines and that each financial institution be permitted to establish its own reporting period.


¹³ The RFA defines the term “small entity” in 5 U.S.C. 601 by reference to a definition published by the Small Business Administration (SBA). The SBA has defined a “small entity” for banking purposes as a national or commercial bank, or savings institution, with less than $100 million in assets. See 13 CFR 121.201.

Several commenters stated that if a reporting period is required, then it should be not less than annually unless some material event triggers the need for an interim report.

The Agencies expect that in all cases, management will provide its board (or the appropriate board committee) a written report on the information security program consistent with the Guidelines at least annually. Management of financial institutions with more complex information systems may find it necessary to provide information to the board (or a committee) on a more frequent basis. Similarly, more frequent reporting will be appropriate whenever a material event affecting the system occurs or a material modification is made to the system. The Agencies expect that the content of these reports will vary for each financial institution, depending upon the nature and scope of its activities as well as the different circumstances that it will confront as it implements and maintains its program.

III.G. Implement the Standards

Paragraph III.E. of the proposal described the timing requirements for the implementation of these standards. It provided that each financial institution is to take appropriate steps to fully implement an information security program pursuant to these Guidelines by July 1, 2001.

The Agencies received several comments suggesting that the proposed effective date be extended for a period of 12 to 18 months because financial institutions are currently involved in efforts to meet the requirements of the final Privacy Rule by the compliance deadline, July 1, 2001. The Agencies believe that the dates for full compliance with these Guidelines and the Privacy Rule should coincide. Financial institutions are required, as part of their initial privacy notices, to disclose their policies and practices with respect to protecting the confidentiality and security of nonpublic personal information. See § __.6(a)(8). Each Agency has provided in the appendix to its Privacy Rule that a financial institution may satisfy this disclosure requirement by advising its customers that the institution maintains physical, electronic, and procedural safeguards that comply with federal standards to guard customers’ nonpublic personal information. See appendix A–7. The Agencies believe that this disclosure will be meaningful only if the final Guidelines are effective when the disclosure is made. If the effective date of these Guidelines is extended beyond July 1, 2001, then a financial institution may be placed in the position of providing an initial notice regarding confidentiality and security and thereafter amending the privacy policy to accurately refer to the federal standards once they became effective. For these reasons, the Agencies have retained July 1, 2001, as the effective date for these Guidelines.

However, the Agencies have included a transition rule for contracts with service providers. The transition rule, which parallels a similar provision in the Privacy Rule, provides a two-year period for grandfathering existing contracts. Thus a contract entered into on or before the date that is 30 days after publication of the final Guidelines in the Federal Register satisfies the provisions of this part until July 1, 2003, even if the contract does not include provisions delineating the servicer’s duties and responsibilities to protect customer information described in paragraph III.D.

Location of Guidelines: These guidelines have been published as an appendix to each Agency’s Standards for Safety and Soundness. For the OCC, those regulations appear at 12 CFR part 30; for the Board, at 12 CFR part 208; for the FDIC, at 12 CFR part 364; and for the OTS, at 12 CFR part 570. The Board also is amending 12 CFR parts 211 and 225 to apply the Guidelines to other institutions that it supervises.

The Agencies will apply the rules already in place to require the submission of a compliance plan in appropriate circumstances. For the OCC, those regulations appear at 12 CFR part 30; for the Board at 12 CFR part 263; for the FDIC at 12 CFR part 308, subpart R; and for the OTS at 12 CFR part 570. The final rules make conforming changes to the regulatory text of these parts.

Rescission of Year 2000 Standards for Safety and Soundness: The Agencies previously issued guidelines establishing Year 2000 safety and soundness standards for insured depository institutions pursuant to section 39 of the FDI Act. Because the events for which these standards were issued have passed, the Agencies have concluded that the guidelines are no longer necessary and proposed to rescind the standards as part of this rulemaking. The Agencies requested comment on whether rescission of these standards is appropriate. Those commenters responding to this request were unanimous in recommending the rescission of the Year 2000 Standards, and the Agencies have rescinded these standards. These standards appeared for the OCC at 12 CFR part 30, appendix B and C; for the Board at 12 CFR part 208, appendix D–2; for the FDIC at 12 CFR part 364, appendix B; and for the OTS at 12 CFR part 570, appendix B. Accordingly, the Agencies hereby rescind the Year 2000 Standards for Safety and Soundness, effective thirty (30) days after the publication date of this notice of the joint final rule.

IV. Regulatory Analysis

A. Paperwork Reduction Act

The Agencies have determined that this rule does not involve a collection of information pursuant to the provisions of the Paperwork Reduction Act (44 U.S.C. 3501 et seq.).

B. Regulatory Flexibility Act

OCC: Under the Regulatory Flexibility Act (RFA), the OCC must either provide a Final Regulatory Flexibility Analysis (FRFA) with these final Guidelines or certify that the final Guidelines “will not, if promulgated”, have a significant economic impact on a substantial number of small entities.¹³ The OCC has evaluated the effects of these Guidelines on small entities and is providing the following FRFA.

Although the OCC specifically sought comment on the costs to small entities of establishing and operating information security programs, no commenters provided specific cost information. Instead, commenters confirmed the OCC’s conclusion that most if not all institutions already have information security programs in place, because the standards reflect good business practices and existing OCC and FFIEC guidance. Some comments indicated, however, that institutions will have to formalize or enhance their information security programs. Accordingly, the OCC considered certifying, under section 605(b) of the RFA, that these Guidelines will not have a significant economic impact on a substantial number of small entities. However, given that the guidance previously issued by the OCC and the FFIEC is not completely identical to the Guidelines being adopted in this rulemaking, the Guidelines are likely to have some impact on all affected institutions. While the OCC believes that this impact will not be substantial in the case of most small entities, we nevertheless have prepared the following FRFA.


1. Reasons for Final Action

The OCC is issuing these Guidelines under section 501(b) of the G–L–B Act. Section 501(b) requires the OCC to publish standards for financial institutions subject to its jurisdiction relating to administrative, technical and physical standards to: (1) insure the security and confidentiality of customer records and information; (2) protect against any anticipated threats or hazards to the security or integrity of such records; and (3) protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.

2. Objectives of and Legal Basis for Final Action

The objectives of the Guidelines are described in the Supplementary Information section above. The legal bases for the Guidelines are: 12 U.S.C. 93a, 1818, 1831p–1, and 3102(b) and 15 U.S.C. 6801 and 6805(b)(1).

3. Small Entities to Which the Rule Will Apply

The OCC’s final Guidelines will apply to approximately 2300 institutions, including national banks, federal branches and federal agencies of foreign banks, and certain subsidiaries of such entities. The OCC estimates that approximately 1125 of these institutions are small institutions with assets less than $100 million.

4. Projected Reporting, Recordkeeping, and Other Compliance Requirements; Skills Required

The Guidelines do not require any reports to the OCC; however, they require all covered institutions to develop and implement a written information security program comprised of several elements. Institutions must assess the risks to their customer information and adopt appropriate measures to control those risks. Institutions must then test these security measures and adjust their information security programs in light of any relevant changes. In addition, institutions must use appropriate due diligence in selecting service providers, and require service providers, by contract, to implement appropriate security measures. The Guidelines also require institutions to monitor their service providers, where appropriate, to confirm they have met their contractual obligations. Finally, the Guidelines require the board of directors or an appropriate committee of the board of each institution to approve the institution’s information security program and to oversee its implementation. To facilitate board oversight, the institution must provide to the board or to the board committee a report, at least annually, describing the overall status of the institution’s information security program and the institution’s compliance with the Guidelines.

Because the information security program described above reflects existing supervisory guidance, the OCC believes that most institutions already have the expertise to develop, implement, and maintain the program. However, if they have not already done so, institutions will have to retain the services of someone capable of assessing threats to the institution’s customer information. Institutions that lack an adequate information security program also will have to have personnel capable of developing, implementing and testing security measures to address these threats. Institutions that use service providers may require legal skills to draft appropriate language for contracts with service providers.

5. Public Comment and Significant Alternatives

The OCC did not receive any public comment on its initial regulatory flexibility analysis, although it did receive comments on the proposed Guidelines, and on the impact of the Guidelines on small entities in particular. The comments received by the OCC and the other Agencies are discussed at length in the supplementary information above. While some commenters suggested that the OCC exempt small institutions altogether, the OCC has no authority under the statute to do so. The discussion below reviews the changes adopted in the final Guidelines that will minimize the economic impact of the Guidelines on all businesses.

The OCC carefully considered comments from small entities that encouraged the Agencies to issue guidelines that are not overly prescriptive, that provide flexibility in the design of an information security program, but that still provide small entities with some guidance. After considering these comments, the OCC determined that it is appropriate to issue the standards as Guidelines that allow each institution the discretion to design an information security program that suits its particular size and complexity and the nature and scope of its activities. The OCC considered issuing broader Guidelines that would only identify objectives to be achieved while leaving it up to each institution to decide what steps it should take to ensure that it meets these objectives. However, the OCC concluded that such broad guidance ultimately would be less helpful than would be guidelines that combine the flexibility sought by commenters with meaningful guidance on factors that an institution should consider and steps that the institution should take. The OCC also considered the utility of more prescriptive guidelines, but rejected that approach out of concern that it likely would be more burdensome, could interfere with innovation, and could impose requirements that would be inappropriate in a given situation. While the Guidelines are not overly detailed, they provide guidance by establishing the process an institution will need to follow in order to protect its customer information and by identifying security measures that are likely to have the greatest applicability to national banks in general.

Most commenters supported the use of the more narrow definition of “customer” in the Guidelines as is used in the Privacy Rule rather than a broad definition that would apply to all records under the control of a financial institution. Commenters maintained that two different definitions would be confusing and also inconsistent with the use of the term “customer” in section 501 of the G–L–B Act. The OCC considered using the broader definition, but determined that information security could be addressed more broadly through other vehicles. For the sake of consistency, the final Guidelines adopt the narrower definition and apply only to records of consumers who have established a continuing relationship with an institution under which the institution provides one or more financial products or services to the consumer to be used primarily for personal, family or household purposes, the definition used in the Privacy Rule.

Many commenters criticized the list of proposed objectives for each financial institution’s information security program, which generally reflected the statutory objectives in section 501(b). According to these comments, the objectives were stated in a manner that made them absolute, unachievable, and therefore burdensome. The final Guidelines have been drafted to clarify these objectives by stating that each security program is to be “designed” to accomplish the objectives stated.

Commenters wanted board involvement in the development and implementation of an information security program left to the discretion of the financial institution. Commenters also asked the OCC to clarify that the board may delegate to a committee responsibility for involvement in the institution’s security program. While the final Guidelines as drafted continue to place responsibility on an institution’s board to approve and exercise general oversight over the program, they now clarify that a committee of the board may approve the institution’s written security program. In addition, the Guidelines permit the board to assign specific implementation responsibilities to a committee or an individual.

The OCC considered requiring an institution to designate a Corporate Security Officer. However, the agency agreed with commenters that a financial institution is in the best position to determine who should be assigned specific roles in implementing the institution’s security program. Therefore, the Guidelines do not include this requirement.

The proposal identifying various security measures that an institution should consider in evaluating the adequacy of its policies and procedures was criticized by many commenters. These commenters misinterpreted the list of measures and believed each measure to be mandatory. Small entities commented that these measures were overly comprehensive and burdensome. As discussed previously in the preamble, the OCC did not intend to suggest that every institution must adopt every one of the measures. To highlight the OCC’s intention that an institution must determine for itself which measures will be appropriate for its own risk profile, the final Guidelines now clearly state that each financial institution must consider whether the security elements listed are appropriate for the institution and, if so, adopt those elements an institution concludes are appropriate.

Commenters noted that testing could be burdensome and costly, especially for small entities. The OCC considered mandating specific tests, but determined that with changes in technology, such tests could become obsolete. Therefore, the final Guidelines permit management to exercise its discretion to determine the frequency and types of tests that need to be conducted. The OCC also considered requiring that testing, or the review of test results, be conducted by outside auditors. The OCC determined that these duties could be performed effectively by an institution’s own staff, if the staff selected are sufficiently independent. Therefore, the Guidelines permit financial institutions to determine for themselves whether to use third parties to either conduct tests or review their results, or to use staff independent of those that develop or maintain the institution’s security program.

Many commenters objected to provisions in the proposal requiring institutions to monitor their service providers. Commenters asserted that it would be burdensome to require them to monitor the activities of their service providers and that information security of service providers should be handled through contractual arrangements. The final Guidelines include greater flexibility with regard to the monitoring of service providers than was provided in the proposal. The final Guidelines recognize that some service providers will be financial institutions that are directly subject to these Guidelines or other standards promulgated under section 501(b) and that other service providers may already be subject to legal and professional standards that require them to safeguard the institution’s customer information. Therefore, the final Guidelines permit an institution to do a risk assessment taking these factors into account and to determine for itself which service providers will need to be monitored. Where monitoring is warranted, the Guidelines now specify that monitoring can be accomplished, for example, through the periodic review of the service provider’s associated audits, summaries of test results, or equivalent measures of the service provider.

In addition, after considering the comments about contracts with service providers and the effective date of the Guidelines, the OCC also adopted a transition rule, similar to a provision in the Privacy Rule, that grandfathers existing contracts for a two-year period.

One commenter requested that smaller community banks be given additional time to comply with the Guidelines because having to comply with the new Privacy Rule and these Guidelines will put a strain on the resources of smaller banks. The OCC considered this request but did not change the effective date of the Guidelines given the importance of safeguarding customer information. In addition, most institutions already have information security programs in place, and the OCC has addressed this concern by adding flexibility to the final Guidelines in a variety of other areas as described above.

Board: The Regulatory Flexibility Act (5 U.S.C. 604) requires an agency to publish a final regulatory flexibility analysis when promulgating a final rule that was subject to notice and comment.

Need for and objectives of Guidelines: As discussed above, these Guidelines implement section 501 of the GLB Act. The objective of the Guidelines is to establish standards for financial institutions that are subject to the Board’s jurisdiction to protect the security and confidentiality of their customers’ information. In particular, the Guidelines require those financial institutions to implement a comprehensive written information security program that includes:

(1) Assessing the reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information;

(2) Adopting security measures that the financial institution concludes are appropriate for it; and

(3) Overseeing its arrangements with its service provider(s).

Comments on the initial regulatory flexibility analysis: Although few commenters addressed the initial regulatory flexibility analysis specifically, many commenters addressed the regulatory burdens that were discussed in that analysis. Several commenters noted that certain aspects of the proposal may tax the comparatively limited resources of small institutions, yet few commenters quantified the potential costs of compliance. The comments received by the Board and the other Agencies were discussed in the supplementary information above. Those comments that are closely related to regulatory burden are highlighted below:

The Board requested comment on the scope of the term “customer” for purposes of the Guidelines. Many commenters opposed expanding the proposed scope of the Guidelines to apply to information about business customers and consumers who have not established continuing relationships with the financial institution. The commenters stated that an expanded scope would impose higher costs of developing an information security program and would be inconsistent with the use of the term “customer” in section 501 of the GLB Act and the Agencies’ Privacy Rule. As explained in the supplementary information above, the Board has defined “customer” in the final Guidelines in the same way as that term is defined in section __.3(h) of the Agencies’ Privacy Rule.

Many commenters urged the Board to reduce the level of detail about the kinds of measures that would be required to implement an information security program under the proposed Guidelines. Commenters argued, for instance, that requiring particular testing procedures of security systems would make the standards too onerous for those institutions for which other kinds of tests and audits would be more suitable. In a similar vein, some commenters proposed that the Board should issue examples that would illustrate the kinds of security measures that, if adopted, would constitute compliance with the Guidelines.

The Board believes that many commenters may have misinterpreted the intent of the original proposal regarding the particular safeguards that would be expected. The provision that requires each financial institution to consider a variety of security measures has been redrafted in an effort to clarify that the institution must determine for itself which measures will be appropriate to its own risk profile. Although an institution is required to consider each of the security measures listed in paragraph III.C.1., it is not obligated to incorporate any particular security measures or particular testing procedures into its information security program. Rather, the institution may adopt those measures and use those tests that it concludes are appropriate. The Board is mindful that institutions’ operations will vary in their complexity and scope of activities and present different risk profiles to their customer information. Accordingly, the Board has not established definitive security measures that, if adopted, would constitute compliance with the Guidelines.

The Board asked for comments on several issues related to the appropriate security standards pertaining to an institution’s arrangements with its service providers. As discussed above, many comments addressed these issues and, notably, objected to a provision that would require an institution to monitor its service providers through on-site audits. Several commenters noted that the service providers often contract for audits of their systems and argued that an institution should be able to rely upon those testing procedures. Commenters also recommended that an institution’s responsibility for information given to service providers require only that the institution enter into appropriate contractual arrangements. The Board has modified the Guidelines to clarify an institution’s responsibilities with respect to service providers. The Board has not designed a standard that would require a financial institution to conduct an on-site audit of its service provider’s security program. Instead, the Board adopted a standard that requires an institution to monitor its service provider to confirm that it has satisfied its contractual obligations, depending upon the institution’s risk assessment. In the course of conducting its risk assessment and determining which service providers will need to be monitored, an institution may take into account the fact that some of its service providers may be financial institutions that are directly subject to these Guidelines or other standards promulgated by their primary regulator under section 501(b). Furthermore, after considering the comments about contracts with service providers and the effective date of the Guidelines, the Board also adopted a transition rule, which parallels a similar provision in the Privacy Rule, that provides a two-year period for grandfathering existing contracts.

Many commenters addressed the burdens that would be imposed by the proposal due to the effective date and urged the Board to extend the proposed July 1, 2001, effective date for a period ranging from one to two years. Most of these commenters argued that complying with the proposed Guidelines by July 1, 2001, would place a considerable burden on their businesses, particularly because the Guidelines would mandate changes to computer software, employee training, and compliance systems. As discussed above, the Board believes that the dates for full compliance with these Guidelines and the Privacy Rule should coincide. Financial institutions are required, as part of their initial privacy notices, to describe their policies and practices with respect to protecting the confidentiality and security of nonpublic personal information (12 CFR 216.6). The Board believes that if the effective date of these Guidelines is extended beyond July 1, 2001, then a financial institution may be placed in the position of providing an initial notice regarding confidentiality and security and thereafter amending the privacy policy to accurately refer to the federal standards once they became effective. Accordingly, the Board has adopted the proposed effective date of July 1, 2001.

Institutions covered. The Board’s final Guidelines will apply to approximately 9,500 institutions, including state member banks, bank holding companies and certain of their nonbank subsidiaries or affiliates, state uninsured branches and agencies of foreign banks, commercial lending companies owned or controlled by foreign banks, and Edge and Agreement corporations. The Board estimates that over 4,500 of the institutions are small institutions with assets less than $100 million.

New compliance requirements. The final Guidelines contain new compliance requirements for all covered institutions, many of which are contained in existing supervisory guidance and examination procedures. Nonetheless, each must develop and implement a written information security program. As part of that program, institutions will be required to assess the reasonably foreseeable risks, taking into account the sensitivity of customer information, and assess the sufficiency of policies and procedures in place to control those risks. Institutions that use third party service providers to process customer information must exercise appropriate due diligence in selecting them, require them by contract to implement appropriate measures designed to meet the objectives of these Guidelines, and depending upon the institution’s risk assessment, monitor them to confirm that they have satisfied their contractual obligations. As part of its compliance measures, an institution may need to train its employees or hire individuals with professional skills suitable to implementing the policies and procedures of its information security program, such as those skills necessary to test or review tests of its security measures. Some institutions may already have programs that meet these requirements, but others may not.

Minimizing impact on small institutions. The Board believes the requirements of the Act and these Guidelines may create additional burden for some small institutions. The Guidelines apply to all covered institutions, regardless of size. The Act does not provide the Board with the authority to exempt a small institution from the requirement of implementing administrative, technical, and physical safeguards to protect the security and confidentiality of customer information. Although the Board could develop different guidelines depending on the size and complexity of a financial institution, the Board believes that differing treatment would not be appropriate, given that one of the stated purposes of the Act is to protect the confidentiality and security of customers’ nonpublic personal information.

The Board believes that the compliance burden is minimized for small institutions because the Guidelines expressly allow institutions to develop security measures that are “appropriate to the size and complexity of the [institution]”. The Guidelines do not mandate any particular policies, procedures, or security measures for any institution other than general requirements, such as to “train staff” or “monitor its service providers to confirm that they have satisfied their [contractual] obligations”. The Board believes that the final Guidelines vest a small institution with a broad degree of discretion to design and implement an information security program that suits its own organizational structure and risk profile.

14 The RFA defines the term “small entity” in 5 U.S.C. 601 by reference to definitions published by the Small Business Administration (SBA). The SBA has defined a “small entity” for banking purposes as a national or commercial bank, or savings institution with less than $100 million in assets. See 13 CFR 121.201.

FDIC: The Regulatory Flexibility Act (5 U.S.C. 601–612) (RFA) requires, subject to certain exceptions, that federal agencies prepare an initial regulatory flexibility analysis (IRFA) with a proposed rule and a final regulatory flexibility analysis (FRFA) with a final rule, unless the agency certifies that the rule will not have a significant economic impact on a substantial number of small entities.14

At the time of issuance of the proposed Guidelines, the FDIC could not make such a determination for certification. Therefore, the FDIC issued an IRFA pursuant to section 603 of the RFA. After reviewing the comments submitted in response to the proposed Guidelines, the FDIC believes that it does not have sufficient information to determine whether the final Guidelines would have a significant economic impact on a substantial number of small entities. Hence, pursuant to section 604 of the RFA, the FDIC provides the following FRFA.

This FRFA incorporates the FDIC’s initial findings, as set forth in the IRFA; addresses the comments submitted in response to the IRFA; and describes the steps the FDIC has taken in the final rule to minimize the impact on small entities, consistent with the objectives of the Gramm-Leach-Bliley Act (G–L–B Act). Also, in accordance with section 212 of the Small Business Regulatory Enforcement Fairness Act of 1996 (Public Law 104–121), in the near future the FDIC will issue a compliance guide to assist small entities in complying with these Guidelines.

Small Entities to Which the Guidelines Will Apply

The final Guidelines will apply to all FDIC-insured state-nonmember banks, regardless of size, including those with assets of under $100 million. As of September 2000, there were 3,331 small banks out of a total of 5,130 FDIC-insured state-nonmember banks with assets of under $100 million. Title V, Subtitle A, of the GLBA does not provide either an exception for small banks or statutory authority upon which the FDIC could provide such an exception in the Guidelines.

Statement of the Need and Objectives of the Rule

The final Guidelines implement the provisions of Title V, Subtitle A, Section 501 of the GLBA addressing standards for safeguarding customer information. Section 501 requires the Agencies to publish standards for financial institutions relating to administrative, technical, and physical standards to:

Insure the security and confidentiality of customer records and information.

Protect against any anticipated threats or hazards to the security or integrity of such records.

Protect against unauthorized access to or use of such records or information, which could result in substantial harm or inconvenience to any customer.

The final Guidelines do not represent any change in the policies of the FDIC; rather they implement the G–L–B Act requirement to provide appropriate standards relating to the security and confidentiality of customer records.

Summary of Significant Issues Raised by the Public Comments; Description of Steps the Agency Has Taken in Response to the Comments to Minimize the Significant Economic Impact on Small Entities.

In the IRFA, the FDIC specifically requested information on whether small entities would be required to amend their operations in order to comply with the final Guidelines and the costs for such compliance. The FDIC also requested comment or information on the costs of establishing information security programs. The FDIC also sought comment on any significant alternatives, consistent with the G–L–B Act, that would minimize the impact on small entities. The FDIC received a total of 63 comment letters. However, none of the comment letters specifically addressed the initial regulatory flexibility act section of the proposed Guidelines. Instead, many commenters, representing banks of various sizes, addressed the regulatory burdens in connection with their discussion of specific Guideline provisions.

The FDIC has sought to minimize the burden on all businesses, including small entities, in promulgating these final Guidelines. The statute does not authorize the FDIC to create exemptions from the G–L–B Act based on an institution’s asset size. However, the FDIC carefully considered comments regarding alternatives designed to minimize the economic and overall burden of complying with the final Guidelines. The discussion below reviews some of the significant changes adopted in the final Guidelines to accomplish this purpose.

1. Issue the Rule as Guidelines or Regulations. The FDIC sought comment on whether to issue the rule as Guidelines or as regulations. All the comment letters stated that the rule should be issued in the form of Guidelines. Some community banks stated that the Guidelines were unnecessary because they already have information security programs in place but would prefer Guidelines to regulations. The commentary supported the use of Guidelines because guidelines typically provide more flexibility than regulations. Since technology changes rapidly, Guidelines would allow institutions to adapt to a changing environment more quickly than regulations, which may become outdated. The FDIC has issued these standards as Guidelines. The final Guidelines establish standards that will allow each institution the flexibility to design an information security program to accommodate its particular level of complexity and scope of activities.

2. Definition of Customer. In the proposed Guidelines, the FDIC defined “customer” in the same manner as in the Privacy Rule. A “customer” is defined as a consumer who has established a continuing relationship with an institution under which the institution provides one or more financial products or services to the consumer to be used primarily for personal, family, or household purposes. This definition does not include a business or a consumer who does not have an ongoing relationship with a financial institution. Almost all of the comments received by the FDIC agreed with the proposed definition and agreed that the definition should not be expanded to provide a common information security program for all types of records under the control of a financial institution. The Guidelines will apply only to consumer records as defined by the Privacy Rule, not business records. This will allow for a consistent interpretation of the term “customer” between the Guidelines and the Privacy Rule.

3. Involvement of the Bank’s Board of Directors. The FDIC sought comment on how frequently management should report to the board of directors concerning the bank’s information security program. Most of the comment letters stated that the final Guidelines should not dictate how frequently the bank reports to the board of directors and that the bank should have discretion in this regard. The comment letters clearly conveyed a preference to not have a reporting requirement. However, if there was to be one, commenters suggested that it be annual.


The Agencies have amended the Guidelines to require that a bank report at least annually to its board of directors. However, more frequent reporting will be necessary if a material event affecting the information security system occurs or if material modifications are made to the system.

4. Designation of Corporate Information Security Officer. The Agencies considered whether the Guidelines should require that the bank’s board of directors designate a “Corporate Information Security Officer” with the responsibility to develop and administer the bank’s information security program. Most of the comment letters requested that this requirement not be adopted because adding a new personnel position would be financially burdensome. The FDIC agrees that a new position with a specific title is not necessary. The final Guidelines do, however, require that the authority for the development, implementation, and administration of the bank’s information security program be clearly expressed although not assigned to a particular individual.

5. Managing and Controlling Risk. Many comments focused on the eleven factors in the proposed Guidelines that banks should consider when evaluating the adequacy of their information security programs. The Agencies did not intend to mandate the security measures listed in section III.C. of the proposed Guidelines for all banks and all data. Instead the Agencies believe the security measures should be followed as appropriate for each bank’s particular circumstances. Some concern was expressed that the proposed Guidelines required encryption of all customer information. The FDIC believes that a bank that has Internet-based transaction accounts or a transactional Web site may decide that encryption is appropriate, but a bank that processes all data internally may need different access restrictions. While a bank is to consider each element in section III.C. in the design of its information security program, this is less burdensome than a requirement to include each element listed in that section.

The proposed Guidelines provided that institutions train employees to recognize, respond to, and report suspicious attempts to obtain customer information directly to law enforcement agencies and regulatory agencies. Some comment letters stated that suspicious activity should be reported to management, not directly to law enforcement agencies and regulatory agencies. The FDIC believes employees should be made aware of federal reporting requirements and an institution’s procedures for reporting suspicious activity. However, the Guidelines have been amended to allow financial institutions to decide who is to file a report to law enforcement agencies, consistent with other applicable regulations.

A significant number of comments stated that the FDIC should not require specific tests to ensure the security and confidentiality of customer information. Some comments stated that periodic testing is appropriate. The final Guidelines do not specify particular tests but provide that management should decide on the appropriate testing. Also, the final Guidelines require tests to be conducted or reviewed by people independent of those who operate the systems. Further, banks must review their service provider’s security program to determine that it is consistent with the Guidelines. However, the final Guidelines do not require on-site inspections.

6. Effective Date. The effective date for the final Guidelines is July 1, 2001. As discussed in the section-by-section analysis, many of the comment letters urged the FDIC to extend the effective date of the Guidelines, particularly since this is the effective date for complying with the Privacy Rule. Several of the comments suggested the proposed effective date be extended for 12 to 18 months. However, the FDIC believes that the effective date for the Guidelines and the Privacy Rule should coincide. The Privacy Rule requires a financial institution to disclose to its customers that the bank maintains physical, electronic, and procedural safeguards to protect customers’ nonpublic personal information. Appendix A of the Privacy Rule provides that this disclosure may refer to these federal guidelines. This is only meaningful if the final Guidelines for safeguarding customer information are effective when the disclosure is made. The Guidelines do provide a transition rule for contracts with service providers—essentially allowing a two-year compliance period for service provider contracts. A contract entered into on or before March 5, 2001, satisfies the provisions of this part until July 1, 2003, even if the contract does not include provisions delineating the servicer’s duties and responsibilities to protect customer information described in section III.D. This additional time will allow financial institutions to make all necessary changes to service provider contracts and to comply with this segment of the Guidelines.

Summary of the Agency Assessment of Issues Raised in Public Comments

Most of the comment letters did not discuss actual compliance costs for implementing the provisions of the Guidelines. Some commenters stated that their bank has an established information security program and that information security is a customary business practice. The new compliance and reporting requirements will create additional costs for some institutions. These costs include: (1) Training staff; (2) monitoring outsourcing agreements; (3) performing due diligence before contracting with a service provider; (4) testing security systems; and (5) adjusting security programs due to technology changes. The comments did not provide data from which the FDIC could quantify the cost of implementing the requirements of the GLBA. The compliance costs will vary among institutions.

Description/Estimate of Small Entities To Which the Guidelines Will Apply

The Guidelines will apply to approximately 3,300 FDIC insured State nonmember banks that are small entities (assets less than $100 million) as defined in the RFA.

Description of Projected Reporting, Record-Keeping, and Other Compliance Requirements

The final Guidelines contain standards for the protection of customer records and information that apply to all FDIC-insured state-nonmember banks. Institutions will be required to report annually to the bank’s board of directors concerning the bank’s information security program. Institutions will need to develop a training program that is designed to implement the institution’s information security policies and procedures. An institution’s information security system will be tested to ensure the controls and procedures of the program work properly. However, the final Guidelines do not specify what particular tests the bank should undertake. The final Guidelines state that the tests are to be conducted or reviewed by persons who are independent of those who operate the systems. Institutions will have to exercise due diligence in the selection of service providers to ensure that the bank’s customer information will be protected consistent with these Guidelines. And institutions will have to monitor these service provider arrangements to confirm that the institution’s customer information is protected, which may be accomplished by reviewing service provider audits and summaries of test results. Also, institutions will need to adjust their security program as technology changes.

15 U.S.C. 604(a).

16 For purposes of the Regulatory Flexibility Act, a small savings association is one with less than $100 million in assets. 13 CFR 121.201 (Division H). There are approximately 487 such small savings associations, approximately 97 of which have subsidiaries.

The types of professional skills within the institution necessary to prepare the report to the board would include an understanding of the institution’s information security program, a level of technical knowledge of the hardware and software systems to evaluate test results recommending substantial modifications; and the ability to evaluate and report on the institution’s steps to oversee service provider arrangements.

OTS: The Regulatory Flexibility Act (RFA),15 requires OTS to prepare a final regulatory flexibility analysis with these final Guidelines unless the agency certifies that the rule will not have a significant economic impact on a substantial number of small entities. OTS has evaluated the effects these Guidelines will have on small entities. In issuing proposed Guidelines, OTS specifically sought comment on the costs of establishing and operating information security programs, but no commenters provided specific cost information. Institutions cannot yet know how they will implement their information security programs and therefore have difficulty quantifying the associated costs. The Director of OTS considered certifying, under section 605(b) of the RFA, that these guidelines will not have a significant economic impact on a substantial number of small entities. However, because OTS cannot quantify the impact the Guidelines will have on small entities, and in the interests of thoroughness, OTS does not certify that the Guidelines will not have a significant economic impact on a substantial number of small entities. Instead, OTS has prepared the following final regulatory flexibility analysis.

A. Reasons for Final Action

OTS issues these Guidelines pursuant to section 501 of the G-L-B Act. As described in this preamble and in the notice of proposed action, section 501 requires OTS to publish standards for the thrift industry relating to administrative, technical, and physical safeguards to: (1) Insure the security and confidentiality of customer records and information; (2) protect against any anticipated threats or hazards to the security or integrity of such records, and (3) protect against unauthorized access to or use of such records or information which could result in the substantial harm or inconvenience to any customer.

B. Objectives of and Legal Basis for Final Action

The objectives of the Guidelines are described in the Supplementary Information section above. The legal bases for the final action are: section 501 of the G-L-B Act; section 39 of the FDI Act; and sections 2, 4, and 5 of the Home Owners’ Loan Act (12 U.S.C. 1462, 1463, and 1464).

C. Description of Entities To Which Final Action Will Apply

These Guidelines will apply to all savings associations whose deposits are FDIC insured, and subsidiaries of such savings associations, except subsidiaries that are brokers, dealers, persons providing insurance, investment companies, and investment advisers.16

D. Projected Reporting, Recordkeeping, and Other Compliance Requirements; Skills Required

The Guidelines do not require any reports to OTS. As discussed more fully above, they do require institutions to have a written information security program, and to make an appropriate report to the board of directors, or a board committee, at least annually. The Guidelines require institutions to establish an information security program, if they do not already have one. The Guidelines require institutions to assess the risks to their customer security and to adopt appropriate measures to control those risks. Institutions must also test the key controls, commensurate with the risks. Institutions must use appropriate due diligence in selecting outside service providers, and require service providers, by contract, to implement appropriate security measures. Finally, where appropriate, the Guidelines require institutions to monitor their service providers.

Professional skills, such as skills of computer hardware and software, will be necessary to assess information security needs, and to design and implement an information security program. The particular skills needed will be commensurate with the nature of each institution’s system, i.e. more skills will be needed in institutions with sophisticated and extensive computerization. As a result, small entities with less extensive computerization are likely to have less burdensome compliance needs than large entities. Institutions that use outside service providers may require legal skills to draft appropriate language for contracts with service providers.

E. Public Comment and Significant Alternatives

OTS did not receive any public comment on its initial regulatory flexibility analysis, although it did receive comments on the proposal in general, and on the Guidelines’ impact on small entities in particular. OTS addresses these below.

OTS has considered publishing standards using only the broad language in section 501(b) of the G–L–B Act, as supported by one commenter. The Agencies rejected this alternative in favor of more comprehensive Guidelines. Using only the general statutory language would permit institutions maximum flexibility in implementing information security protections and would not put institutions at a competitive disadvantage with respect to institutions not subject to the same security standards. However, using the statutory language alone would not provide enough guidance to institutions about what risks need to be addressed or what types of protections are appropriate. Small institutions in particular may need guidance in this area. One trade association that represents community banks commented that institutions need guidance to determine what level of information security the Agencies will look for, and that community banks in particular need guidance in this area. OTS believes that the alternative it chose, more comprehensive standards, provides helpful guidance without sacrificing flexibility.

OTS has also considered the alternative of defining “service provider” more narrowly than in the proposed Guidelines to reduce regulatory burden. The Guidelines require a financial institution to take appropriate steps to protect customer information provided to a service provider. Due to limited resources, small institutions may need to outsource a disproportionately larger number of functions than large institutions outsource, and accordingly have a greater need for service providers. Thus, the burdens associated with service providers may fall more heavily on small institutions than on large institutions. But the risks to information security do not necessarily vary depending on a service provider’s identity. Rather, they vary depending on the type and volume of information to which a service provider has access, the safeguards it has in place, and what the service provider does with the information. Basing the requirements as to service providers on a service provider’s identity would not necessarily focus protections on areas of risk. For this reason, the final Guidelines focus the protections regarding service providers on the risks involved rather than on the service provider’s identity. This approach should provide the necessary protections without unnecessary burden on small institutions.

OTS reviewed the alternative of requiring an institution’s board of directors to designate a Corporate Information Security Officer who would have authority, with approval by the board, to develop and administer the institution’s information security program. However, ultimately, the agencies rejected the idea of having financial institutions create a new position to fulfill this purpose. Instead, the Guidelines allow financial institutions the flexibility to determine who should be assigned specific roles in implementing the institution’s security program. As a result, small institutions will be relieved of a potential burden.

The final Guidelines incorporate new provisions not in the proposed Guidelines designed to add flexibility to assist all institutions, large and small. For example, the final Guidelines, unlike the proposal, do not specify particular tasks for management. Instead, the final Guidelines allow each institution the flexibility to decide for itself the most efficient allocation of its personnel. Similarly, the final Guidelines allow institutions to delegate board duties to board committees. Additionally, in the final guidelines the Agencies removed the requirement that information security programs “shall * * * ensure” the security and confidentiality of customer information. Instead, the guidelines say the program “shall be designed to * * * ensure” the security and confidentiality of customer information. The final Guidelines further incorporate more flexibility than the proposal concerning testing systems. The proposal required third parties or staff independent of those who maintain the program to test it, and required third parties or staff independent of the testers to review test results. To add flexibility, the final Guidelines more simply require staff or third parties independent of those who develop or maintain the programs to conduct or review the tests. These changes should serve to reduce the burden of the Guidelines.

C. Executive Order 12866

The Comptroller of the Currency and the Office of Thrift Supervision have determined that this rule does not constitute a “significant regulatory action” for the purposes of Executive Order 12866. The OCC and OTS are issuing the Guidelines in accordance with the requirements of Sections 501 and 505(b) of the G–L–B Act and not under their own authority. Even absent the requirements of the G–L–B Act, if the OCC and OTS had issued the rule under their own authority, the rule would not constitute a “significant regulatory action” for purposes of Executive Order 12866.

The standards established by the Guidelines are very flexible and allow each institution the discretion to have an information security program that suits its particular size, complexity and the nature and scope of its activities. Further, the standards reflect good business practices and guidance previously issued by the OCC, OTS, and the FFIEC. Accordingly, most if not all institutions already have information security programs in place that are consistent with the Guidelines. In such cases, little or no modification to an institution’s program will be required.

D. Unfunded Mandates Act of 1995

Section 202 of the Unfunded Mandates Reform Act of 1995, 2 U.S.C. 1532 (Unfunded Mandates Act), requires that an agency prepare a budgetary impact statement before promulgating any rule likely to result in a federal mandate that may result in the expenditure by state, local, and tribal governments, in the aggregate, or by the private sector, of $100 million or more in any one year. If a budgetary impact statement is required, section 205 of the Unfunded Mandates Act also requires the agency to identify and consider a reasonable number of regulatory alternatives before promulgating the rule. However, an agency is not required to assess the effects of its regulatory actions on the private sector to the extent that such regulations incorporate requirements specifically set forth in law. 2 U.S.C. 1531.

The OCC and OTS believe that most institutions already have established an information security program because it is a sound business practice that also has been addressed in existing supervisory guidance. Therefore, the OCC and OTS have determined that the Guidelines will not result in expenditures by state, local, and tribal governments, in the aggregate, or by the private sector, of $100 million or more in any one year. Accordingly, the OCC and OTS have not prepared a budgetary impact statement or specifically addressed the regulatory alternatives considered.

List of Subjects

12 CFR Part 30

Banks, banking, Consumer protection, National banks, Privacy, Reporting and recordkeeping requirements.

12 CFR Part 208

Banks, banking, Consumer protection, Federal Reserve System, Foreign banking, Holding companies, Information, Privacy, Reporting and recordkeeping requirements.

12 CFR Part 211

Exports, Federal Reserve System, Foreign banking, Holding companies, Investments, Privacy, Reporting and recordkeeping requirements.

12 CFR Part 225

Administrative practice and procedure, Banks, banking, Federal Reserve System, Holding companies, Privacy, Reporting and recordkeeping requirements, Securities.

12 CFR Part 263

Administrative practice and procedure, Claims, Crime, Equal access in justice, Federal Reserve System, Lawyers, Penalties.

12 CFR Part 308

Administrative practice and procedure, Banks, banking, Claims, Crime, Equal access of justice, Lawyers, Penalties, State nonmember banks.

12 CFR Part 364

Administrative practice and procedure, Bank deposit insurance, Banks, banking, Reporting and recordkeeping requirements, Safety and soundness.

12 CFR Part 568

Reporting and recordkeeping requirements, Savings associations, Security measures.

12 CFR Part 570

Consumer protection, Privacy, Savings associations.

Office of the Comptroller of the Currency

12 CFR Chapter I

Authority and Issuance

For the reasons set forth in the joint preamble, part 30 of chapter I of title 12 of the Code of Federal Regulations is amended as follows:


PART 30—SAFETY AND SOUNDNESS STANDARDS

1. The authority citation for part 30 is revised to read as follows:

Authority: 12 U.S.C. 93a, 1818, 1831–p, 3102(b); 15 U.S.C. 6801, 6805(b)(1).

2. Revise § 30.1 to read as follows:

§ 30.1 Scope.

(a) The rules set forth in this part and the standards set forth in appendices A and B to this part apply to national banks and federal branches of foreign banks, that are subject to the provisions of section 39 of the Federal Deposit Insurance Act (section 39) (12 U.S.C. 1831p–1).

(b) The standards set forth in appendix B to this part also apply to uninsured national banks, federal branches and federal agencies of foreign banks, and the subsidiaries of any national bank, federal branch or federal agency of a foreign bank (except brokers, dealers, persons providing insurance, investment companies and investment advisers). Violation of these standards may be an unsafe and unsound practice within the meaning of 12 U.S.C. 1818.

3. In § 30.2, revise the last sentence to read as follows:

§ 30.2 Purpose.

* * * The Interagency Guidelines Establishing Standards for Safety and Soundness are set forth in appendix A to this part, and the Interagency Guidelines Establishing Standards for Safeguarding Customer Information are set forth in appendix B to this part.

4. In § 30.3, revise paragraph (a) to read as follows:

§ 30.3 Determination and notification of failure to meet safety and soundness standard and request for compliance plan.

(a) Determination. The OCC may, based upon an examination, inspection, or any other information that becomes available to the OCC, determine that a bank has failed to satisfy the safety and soundness standards contained in the Interagency Guidelines Establishing Standards for Safety and Soundness set forth in appendix A to this part, and the Interagency Guidelines Establishing Standards for Safeguarding Customer Information set forth in appendix B to this part.

* * * * *

5. Revise appendix B to part 30 to read as follows:

Appendix B to Part 30—Interagency Guidelines Establishing Standards For Safeguarding Customer Information

Table of Contents

I. Introduction

A. Scope
B. Preservation of Existing Authority
C. Definitions

II. Standards for Safeguarding Customer Information
A. Information Security Program
B. Objectives

III. Development and Implementation of Customer Information Security Program
A. Involve the Board of Directors
B. Assess Risk
C. Manage and Control Risk
D. Oversee Service Provider Arrangements
E. Adjust the Program
F. Report to the Board
G. Implement the Standards

I. Introduction

The Interagency Guidelines Establishing Standards for Safeguarding Customer Information (Guidelines) set forth standards pursuant to section 39 of the Federal Deposit Insurance Act (section 39, codified at 12 U.S.C. 1831p–1), and sections 501 and 505(b), codified at 15 U.S.C. 6801 and 6805(b), of the Gramm-Leach-Bliley Act. These Guidelines address standards for developing and implementing administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information.

A. Scope. The Guidelines apply to customer information maintained by or on behalf of entities over which the OCC has authority. Such entities, referred to as ‘‘the bank,’’ are national banks, federal branches and federal agencies of foreign banks, and any subsidiaries of such entities (except brokers, dealers, persons providing insurance, investment companies, and investment advisers).

B. Preservation of Existing Authority. Neither section 39 nor these Guidelines in any way limit the authority of the OCC to address unsafe or unsound practices, violations of law, unsafe or unsound conditions, or other practices. The OCC may take action under section 39 and these Guidelines independently of, in conjunction with, or in addition to, any other enforcement action available to the OCC.

C. Definitions. 1. Except as modified in the Guidelines, or unless the context otherwise requires, the terms used in these Guidelines have the same meanings as set forth in sections 3 and 39 of the Federal Deposit Insurance Act (12 U.S.C. 1813 and 1831p–1).

2. For purposes of the Guidelines, the following definitions apply:

a. Board of directors, in the case of a branch or agency of a foreign bank, means the managing official in charge of the branch or agency.

b. Customer means any customer of the bank as defined in § 40.3(h) of this chapter.

c. Customer information means any record containing nonpublic personal information, as defined in § 40.3(n) of this chapter, about a customer, whether in paper, electronic, or other form, that is maintained by or on behalf of the bank.

d. Customer information systems means any methods used to access, collect, store, use, transmit, protect, or dispose of customer information.

e. Service provider means any person or entity that maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to the bank.

II. Standards for Safeguarding Customer Information

A. Information Security Program. Each bank shall implement a comprehensive written information security program that includes administrative, technical, and physical safeguards appropriate to the size and complexity of the bank and the nature and scope of its activities. While all parts of the bank are not required to implement a uniform set of policies, all elements of the information security program must be coordinated.

B. Objectives. A bank’s information security program shall be designed to:

1. Ensure the security and confidentiality of customer information;

2. Protect against any anticipated threats or hazards to the security or integrity of such information; and

3. Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.

III. Development and Implementation of Information Security Program

A. Involve the Board of Directors. The board of directors or an appropriate committee of the board of each bank shall:

1. Approve the bank’s written information security program; and

2. Oversee the development, implementation, and maintenance of the bank’s information security program, including assigning specific responsibility for its implementation and reviewing reports from management.

B. Assess Risk. Each bank shall:

1. Identify reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information or customer information systems.

2. Assess the likelihood and potential damage of these threats, taking into consideration the sensitivity of customer information.

3. Assess the sufficiency of policies, procedures, customer information systems, and other arrangements in place to control risks.

C. Manage and Control Risk. Each bank shall:

1. Design its information security program to control the identified risks, commensurate with the sensitivity of the information as well as the complexity and scope of the bank’s activities. Each bank must consider whether the following security measures are appropriate for the bank and, if so, adopt those measures the bank concludes are appropriate:

a. Access controls on customer information systems, including controls to authenticate and permit access only to authorized individuals and controls to prevent employees from providing customer information to unauthorized individuals who may seek to obtain this information through fraudulent means.




b. Access restrictions at physical locations containing customer information, such as buildings, computer facilities, and records storage facilities to permit access only to authorized individuals;

c. Encryption of electronic customer information, including while in transit or in storage on networks or systems to which unauthorized individuals may have access;

d. Procedures designed to ensure that customer information system modifications are consistent with the bank’s information security program;

e. Dual control procedures, segregation of duties, and employee background checks for employees with responsibilities for or access to customer information;

f. Monitoring systems and procedures to detect actual and attempted attacks on or intrusions into customer information systems;

g. Response programs that specify actions to be taken when the bank suspects or detects that unauthorized individuals have gained access to customer information systems, including appropriate reports to regulatory and law enforcement agencies; and

h. Measures to protect against destruction, loss, or damage of customer information due to potential environmental hazards, such as fire and water damage or technological failures.

2. Train staff to implement the bank’s information security program.

3. Regularly test the key controls, systems and procedures of the information security program. The frequency and nature of such tests should be determined by the bank’s risk assessment. Tests should be conducted or reviewed by independent third parties or staff independent of those that develop or maintain the security programs.

D. Oversee Service Provider Arrangements. Each bank shall:

1. Exercise appropriate due diligence in selecting its service providers;

2. Require its service providers by contract to implement appropriate measures designed to meet the objectives of these Guidelines; and

3. Where indicated by the bank’s risk assessment, monitor its service providers to confirm that they have satisfied their obligations as required by section D.2. As part of this monitoring, a bank should review audits, summaries of test results, or other equivalent evaluations of its service providers.

E. Adjust the Program. Each bank shall monitor, evaluate, and adjust, as appropriate, the information security program in light of any relevant changes in technology, the sensitivity of its customer information, internal or external threats to information, and the bank’s own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to customer information systems.

F. Report to the Board. Each bank shall report to its board or an appropriate committee of the board at least annually. This report should describe the overall status of the information security program and the bank’s compliance with these Guidelines. The reports should discuss material matters related to its program, addressing issues such as: risk assessment; risk management and control decisions; service provider arrangements; results of testing; security breaches or violations and management’s responses; and recommendations for changes in the information security program.

G. Implement the Standards. 1. Effective date. Each bank must implement an information security program pursuant to these Guidelines by July 1, 2001.

2. Two-year grandfathering of agreements with service providers. Until July 1, 2003, a contract that a bank has entered into with a service provider to perform services for it or functions on its behalf satisfies the provisions of section III.D., even if the contract does not include a requirement that the servicer maintain the security and confidentiality of customer information, as long as the bank entered into the contract on or before March 5, 2001.

6. Appendix C to part 30 is removed.

Dated: December 21, 2000.

John D. Hawke, Jr.,
Comptroller of the Currency.

Federal Reserve System

12 CFR Chapter II

Authority and Issuance

For the reasons set forth in the joint preamble, parts 208, 211, 225, and 263 of chapter II of title 12 of the Code of Federal Regulations are amended as follows:

PART 208—MEMBERSHIP OF STATE BANKING INSTITUTIONS IN THE FEDERAL RESERVE SYSTEM (REGULATION H)

1. The authority citation for 12 CFR part 208 is revised to read as follows:

Authority: 12 U.S.C. 24, 36, 92a, 93a, 248(a), 248(c), 321–338a, 371d, 461, 481–486, 601, 611, 1814, 1816, 1818, 1820(d)(9), 1823(j), 1828(o), 1831, 1831o, 1831p–1, 1831r–1, 1835a, 1882, 2901–2907, 3105, 3310, 3331–3351, and 3906–3909; 15 U.S.C. 78b, 78l(b), 78l(g), 78l(i), 78o–4(c)(5), 78q, 78q–1, 78w, 6801, and 6805; 31 U.S.C. 5318; 42 U.S.C. 4012a, 4104a, 4104b, 4106, and 4128.

2. Amend § 208.3 to revise paragraph (d)(1) to read as follows:

§ 208.3 Application and conditions for membership in the Federal Reserve System.

* * * * *

(d) Conditions of membership. (1) Safety and soundness. Each member bank shall at all times conduct its business and exercise its powers with due regard to safety and soundness. Each member bank shall comply with the Interagency Guidelines Establishing Standards for Safety and Soundness prescribed pursuant to section 39 of the FDI Act (12 U.S.C. 1831p–1), set forth in appendix D–1 to this part, and the Interagency Guidelines Establishing Standards for Safeguarding Customer Information prescribed pursuant to sections 501 and 505 of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 and 6805), set forth in appendix D–2 to this part.

* * * * *

3. Revise appendix D–2 to read as follows:

Appendix D–2 To Part 208—Interagency Guidelines Establishing Standards For Safeguarding Customer Information

Table of Contents

I. Introduction

A. Scope
B. Preservation of Existing Authority
C. Definitions

II. Standards for Safeguarding Customer Information
A. Information Security Program
B. Objectives

III. Development and Implementation of Customer Information Security Program
A. Involve the Board of Directors
B. Assess Risk
C. Manage and Control Risk
D. Oversee Service Provider Arrangements
E. Adjust the Program
F. Report to the Board
G. Implement the Standards

I. Introduction

These Interagency Guidelines Establishing Standards for Safeguarding Customer Information (Guidelines) set forth standards pursuant to sections 501 and 505 of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 and 6805), in the same manner, to the extent practicable, as standards prescribed pursuant to section 39 of the Federal Deposit Insurance Act (12 U.S.C. 1831p–1). These Guidelines address standards for developing and implementing administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information.

A. Scope. The Guidelines apply to customer information maintained by or on behalf of state member banks (banks) and their nonbank subsidiaries, except for brokers, dealers, persons providing insurance, investment companies, and investment advisors. Pursuant to §§ 211.9 and 211.24 of this chapter, these guidelines also apply to customer information maintained by or on behalf of Edge corporations, agreement corporations, and uninsured state-licensed branches or agencies of a foreign bank.

B. Preservation of Existing Authority. Neither section 39 nor these Guidelines in any way limit the authority of the Board to address unsafe or unsound practices, violations of law, unsafe or unsound conditions, or other practices. The Board may take action under section 39 and these Guidelines independently of, in conjunction with, or in addition to, any other enforcement action available to the Board.

C. Definitions. 1. Except as modified in the Guidelines, or unless the context otherwise requires, the terms used in these Guidelines have the same meanings as set forth in sections 3 and 39 of the Federal Deposit Insurance Act (12 U.S.C. 1813 and 1831p–1).

2. For purposes of the Guidelines, the following definitions apply:

a. Board of directors, in the case of a branch or agency of a foreign bank, means the managing official in charge of the branch or agency.

b. Customer means any customer of the bank as defined in § 216.3(h) of this chapter.

c. Customer information means any record containing nonpublic personal information, as defined in § 216.3(n) of this chapter, about a customer, whether in paper, electronic, or other form, that is maintained by or on behalf of the bank.

d. Customer information systems means any methods used to access, collect, store, use, transmit, protect, or dispose of customer information.

e. Service provider means any person or entity that maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to the bank.

f. Subsidiary means any company controlled by a bank, except a broker, dealer, person providing insurance, investment company, investment advisor, insured depository institution, or subsidiary of an insured depository institution.

II. Standards for Safeguarding Customer Information

A. Information Security Program. Each bank shall implement a comprehensive written information security program that includes administrative, technical, and physical safeguards appropriate to the size and complexity of the bank and the nature and scope of its activities. While all parts of the bank are not required to implement a uniform set of policies, all elements of the information security program must be coordinated. A bank also shall ensure that each of its subsidiaries is subject to a comprehensive information security program. The bank may fulfill this requirement either by including a subsidiary within the scope of the bank’s comprehensive information security program or by causing the subsidiary to implement a separate comprehensive information security program in accordance with the standards and procedures in sections II and III of this appendix that apply to banks.

B. Objectives. A bank’s information security program shall be designed to:

1. Ensure the security and confidentiality of customer information;

2. Protect against any anticipated threats or hazards to the security or integrity of such information; and

3. Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.

III. Development and Implementation of Information Security Program

A. Involve the Board of Directors. The board of directors or an appropriate committee of the board of each bank shall:

1. Approve the bank’s written information security program; and

2. Oversee the development, implementation, and maintenance of the bank’s information security program, including assigning specific responsibility for its implementation and reviewing reports from management.

B. Assess Risk. Each bank shall:

1. Identify reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information or customer information systems.

2. Assess the likelihood and potential damage of these threats, taking into consideration the sensitivity of customer information.

3. Assess the sufficiency of policies, procedures, customer information systems, and other arrangements in place to control risks.

C. Manage and Control Risk. Each bank shall:

1. Design its information security program to control the identified risks, commensurate with the sensitivity of the information as well as the complexity and scope of the bank’s activities. Each bank must consider whether the following security measures are appropriate for the bank and, if so, adopt those measures the bank concludes are appropriate:

a. Access controls on customer information systems, including controls to authenticate and permit access only to authorized individuals and controls to prevent employees from providing customer information to unauthorized individuals who may seek to obtain this information through fraudulent means.

b. Access restrictions at physical locations containing customer information, such as buildings, computer facilities, and records storage facilities to permit access only to authorized individuals;

c. Encryption of electronic customer information, including while in transit or in storage on networks or systems to which unauthorized individuals may have access;

d. Procedures designed to ensure that customer information system modifications are consistent with the bank’s information security program;

e. Dual control procedures, segregation of duties, and employee background checks for employees with responsibilities for or access to customer information;

f. Monitoring systems and procedures to detect actual and attempted attacks on or intrusions into customer information systems;

g. Response programs that specify actions to be taken when the bank suspects or detects that unauthorized individuals have gained access to customer information systems, including appropriate reports to regulatory and law enforcement agencies; and

h. Measures to protect against destruction, loss, or damage of customer information due to potential environmental hazards, such as fire and water damage or technological failures.

2. Train staff to implement the bank’s information security program.

3. Regularly test the key controls, systems and procedures of the information security program. The frequency and nature of such tests should be determined by the bank’s risk assessment. Tests should be conducted or reviewed by independent third parties or staff independent of those that develop or maintain the security programs.

D. Oversee Service Provider Arrangements. Each bank shall:

1. Exercise appropriate due diligence in selecting its service providers;

2. Require its service providers by contract to implement appropriate measures designed to meet the objectives of these Guidelines; and

3. Where indicated by the bank’s risk assessment, monitor its service providers to confirm that they have satisfied their obligations as required by paragraph D.2. As part of this monitoring, a bank should review audits, summaries of test results, or other equivalent evaluations of its service providers.

E. Adjust the Program. Each bank shall monitor, evaluate, and adjust, as appropriate, the information security program in light of any relevant changes in technology, the sensitivity of its customer information, internal or external threats to information, and the bank’s own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to customer information systems.

F. Report to the Board. Each bank shall report to its board or an appropriate committee of the board at least annually. This report should describe the overall status of the information security program and the bank’s compliance with these Guidelines. The reports should discuss material matters related to its program, addressing issues such as: risk assessment; risk management and control decisions; service provider arrangements; results of testing; security breaches or violations and management’s responses; and recommendations for changes in the information security program.

G. Implement the Standards. 1. Effective date. Each bank must implement an information security program pursuant to these Guidelines by July 1, 2001.

2. Two-year grandfathering of agreements with service providers. Until July 1, 2003, a contract that a bank has entered into with a service provider to perform services for it or functions on its behalf satisfies the provisions of section III.D., even if the contract does not include a requirement that the servicer maintain the security and confidentiality of customer information, as long as the bank entered into the contract on or before March 5, 2001.

PART 211—INTERNATIONAL BANKING OPERATIONS (REGULATION K)

4. The authority citation for part 211 is revised to read as follows:

Authority: 12 U.S.C. 221 et seq., 1818, 1835a, 1841 et seq., 3101 et seq., and 3901 et seq.; 15 U.S.C. 6801 and 6805.

5. Add new § 211.9 to read as follows:

§ 211.9 Protection of customer information.

An Edge or agreement corporation shall comply with the Interagency Guidelines Establishing Standards for Safeguarding Customer Information prescribed pursuant to sections 501 and 505 of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 and 6805), set forth in appendix D–2 to part 208 of this chapter.

6. In § 211.24, add new paragraph (i) to read as follows:

§ 211.24 Approval of offices of foreign banks; procedures for applications; standards for approval; representative-office activities and standards for approval; preservation of existing authority; reports of crimes and suspected crimes; government securities sales practices.

* * * * *

(i) Protection of customer information. An uninsured state-licensed branch or agency of a foreign bank shall comply with the Interagency Guidelines Establishing Standards for Safeguarding Customer Information prescribed pursuant to sections 501 and 505 of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 and 6805), set forth in appendix D–2 to part 208 of this chapter.

PART 225—BANK HOLDING COMPANIES AND CHANGE IN BANK CONTROL (REGULATION Y)

7. The authority citation for part 225 is revised to read as follows:

Authority: 12 U.S.C. 1817(j)(13), 1818, 1828(o), 1831i, 1831p–1, 1843(c)(8), 1844(b), 1972(1), 3106, 3108, 3310, 3331–3351, 3907, and 3909; 15 U.S.C. 6801 and 6805.

8. In § 225.1, add new paragraph (c)(16) to read as follows:

§ 225.1 Authority, purpose, and scope.

* * * * *

(c) * * *

(16) Appendix F contains the Interagency Guidelines Establishing Standards for Safeguarding Customer Information.

9. In § 225.4, add new paragraph (h) to read as follows:

§ 225.4 Corporate practices.

* * * * *

(h) Protection of nonpublic personal information. A bank holding company, including a bank holding company that is a financial holding company, shall comply with the Interagency Guidelines Establishing Standards for Safeguarding Customer Information, as set forth in appendix F of this part, prescribed pursuant to sections 501 and 505 of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 and 6805).

10. Add new appendix F to read as follows:

Appendix F To Part 225—Interagency Guidelines Establishing Standards For Safeguarding Customer Information

Table of Contents

I. Introduction
A. Scope
B. Preservation of Existing Authority
C. Definitions

II. Standards for Safeguarding Customer Information
A. Information Security Program
B. Objectives

III. Development and Implementation of Customer Information Security Program
A. Involve the Board of Directors
B. Assess Risk
C. Manage and Control Risk
D. Oversee Service Provider Arrangements
E. Adjust the Program
F. Report to the Board
G. Implement the Standards

I. Introduction

These Interagency Guidelines Establishing Standards for Safeguarding Customer Information (Guidelines) set forth standards pursuant to sections 501 and 505 of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 and 6805). These Guidelines address standards for developing and implementing administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information.

A. Scope. The Guidelines apply to customer information maintained by or on behalf of bank holding companies and their nonbank subsidiaries or affiliates (except brokers, dealers, persons providing insurance, investment companies, and investment advisors), for which the Board has supervisory authority.

B. Preservation of Existing Authority. These Guidelines do not in any way limit the authority of the Board to address unsafe or unsound practices, violations of law, unsafe or unsound conditions, or other practices. The Board may take action under these Guidelines independently of, in conjunction with, or in addition to, any other enforcement action available to the Board.

C. Definitions. 1. Except as modified in the Guidelines, or unless the context otherwise requires, the terms used in these Guidelines have the same meanings as set forth in sections 3 and 39 of the Federal Deposit Insurance Act (12 U.S.C. 1813 and 1831p–1).

2. For purposes of the Guidelines, the following definitions apply:

a. Board of directors, in the case of a branch or agency of a foreign bank, means the managing official in charge of the branch or agency.

b. Customer means any customer of the bank holding company as defined in § 216.3(h) of this chapter.

c. Customer information means any record containing nonpublic personal information, as defined in § 216.3(n) of this chapter, about a customer, whether in paper, electronic, or other form, that is maintained by or on behalf of the bank holding company.

d. Customer information systems means any methods used to access, collect, store, use, transmit, protect, or dispose of customer information.

e. Service provider means any person or entity that maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to the bank holding company.

f. Subsidiary means any company controlled by a bank holding company, except a broker, dealer, person providing insurance, investment company, investment advisor, insured depository institution, or subsidiary of an insured depository institution.




II. Standards for Safeguarding Customer Information

A. Information Security Program. Each bank holding company shall implement a comprehensive written information security program that includes administrative, technical, and physical safeguards appropriate to the size and complexity of the bank holding company and the nature and scope of its activities. While all parts of the bank holding company are not required to implement a uniform set of policies, all elements of the information security program must be coordinated. A bank holding company also shall ensure that each of its subsidiaries is subject to a comprehensive information security program. The bank holding company may fulfill this requirement either by including a subsidiary within the scope of the bank holding company’s comprehensive information security program or by causing the subsidiary to implement a separate comprehensive information security program in accordance with the standards and procedures in sections II and III of this appendix that apply to bank holding companies.

B. Objectives. A bank holding company’s information security program shall be designed to:

1. Ensure the security and confidentiality of customer information;

2. Protect against any anticipated threats or hazards to the security or integrity of such information; and

3. Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.

III. Development and Implementation of Information Security Program

A. Involve the Board of Directors. The board of directors or an appropriate committee of the board of each bank holding company shall:

1. Approve the bank holding company’s written information security program; and

2. Oversee the development, implementation, and maintenance of the bank holding company’s information security program, including assigning specific responsibility for its implementation and reviewing reports from management.

B. Assess Risk. Each bank holding company shall:

1. Identify reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information or customer information systems.

2. Assess the likelihood and potential damage of these threats, taking into consideration the sensitivity of customer information.

3. Assess the sufficiency of policies, procedures, customer information systems, and other arrangements in place to control risks.

C. Manage and Control Risk. Each bank holding company shall:

1. Design its information security program to control the identified risks, commensurate with the sensitivity of the information as well as the complexity and scope of the bank holding company’s activities. Each bank holding company must consider whether the following security measures are appropriate for the bank holding company and, if so, adopt those measures the bank holding company concludes are appropriate:

a. Access controls on customer informationsystems, including controls to authenticateand permit access only to authorizedindividuals and controls to preventemployees from providing customerinformation to unauthorized individuals whomay seek to obtain this information throughfraudulent means.

b. Access restrictions at physical locationscontaining customer information, such asbuildings, computer facilities, and recordsstorage facilities to permit access only toauthorized individuals;

c. Encryption of electronic customerinformation, including while in transit or instorage on networks or systems to whichunauthorized individuals may have access;

d. Procedures designed to ensure thatcustomer information system modificationsare consistent with the bank holdingcompany’s information security program;

e. Dual control procedures, segregation ofduties, and employee background checks foremployees with responsibilities for or accessto customer information;

f. Monitoring systems and procedures todetect actual and attempted attacks on orintrusions into customer informationsystems;

g. Response programs that specify actionsto be taken when the bank holding companysuspects or detects that unauthorizedindividuals have gained access to customerinformation systems, including appropriatereports to regulatory and law enforcementagencies; and

h. Measures to protect against destruction,loss, or damage of customer information dueto potential environmental hazards, such asfire and water damage or technologicalfailures.

2. Train staff to implement the bankholding company’s information securityprogram.

3. Regularly test the key controls, systemsand procedures of the information securityprogram. The frequency and nature of suchtests should be determined by the bankholding company’s risk assessment. Testsshould be conducted or reviewed byindependent third parties or staffindependent of those that develop ormaintain the security programs.

D. Oversee Service Provider Arrangements. Each bank holding company shall:

1. Exercise appropriate due diligence in selecting its service providers;

2. Require its service providers by contract to implement appropriate measures designed to meet the objectives of these Guidelines; and

3. Where indicated by the bank holding company’s risk assessment, monitor its service providers to confirm that they have satisfied their obligations as required by paragraph D.2. As part of this monitoring, a bank holding company should review audits, summaries of test results, or other equivalent evaluations of its service providers.

E. Adjust the Program. Each bank holding company shall monitor, evaluate, and adjust, as appropriate, the information security program in light of any relevant changes in technology, the sensitivity of its customer information, internal or external threats to information, and the bank holding company’s own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to customer information systems.

F. Report to the Board. Each bank holding company shall report to its board or an appropriate committee of the board at least annually. This report should describe the overall status of the information security program and the bank holding company’s compliance with these Guidelines. The reports should discuss material matters related to its program, addressing issues such as: risk assessment; risk management and control decisions; service provider arrangements; results of testing; security breaches or violations and management’s responses; and recommendations for changes in the information security program.

G. Implement the Standards. 1. Effective date. Each bank holding company must implement an information security program pursuant to these Guidelines by July 1, 2001.

2. Two-year grandfathering of agreements with service providers. Until July 1, 2003, a contract that a bank holding company has entered into with a service provider to perform services for it or functions on its behalf satisfies the provisions of section III.D., even if the contract does not include a requirement that the servicer maintain the security and confidentiality of customer information, as long as the bank holding company entered into the contract on or before March 5, 2001.

PART 263—RULES OF PRACTICE FOR HEARINGS

11. The authority citation for part 263 is revised to read as follows:

Authority: 5 U.S.C. 504; 12 U.S.C. 248, 324, 504, 505, 1817(j), 1818, 1828(c), 1831o, 1831p–1, 1847(b), 1847(d), 1884(b), 1972(2)(F), 3105, 3107, 3108, 3907, 3909; 15 U.S.C. 21, 78o–4, 78o–5, 78u–2, 6801, 6805; and 28 U.S.C. 2461 note.

12. Amend § 263.302 to revise paragraph (a) to read as follows:

§ 263.302 Determination and notification of failure to meet safety and soundness standard and request for compliance plan.

(a) Determination. The Board may, based upon an examination, inspection, or any other information that becomes available to the Board, determine that a bank has failed to satisfy the safety and soundness standards contained in the Interagency Guidelines Establishing Standards for Safety and Soundness or the Interagency Guidelines Establishing Standards for Safeguarding Customer Information, set forth in appendices D–1 and D–2 to part 208 of this chapter, respectively.

* * * * *


By order of the Board of Governors of the Federal Reserve System, January 4, 2001.
Jennifer J. Johnson,
Secretary of the Board.

Federal Deposit Insurance Corporation

12 CFR Chapter III

Authority and Issuance

For the reasons set forth in the joint preamble, parts 308 and 364 of chapter III of title 12 of the Code of Federal Regulations are amended as follows:

PART 308—RULES OF PRACTICE AND PROCEDURE

1. The authority citation for part 308 is revised to read as follows:

Authority: 5 U.S.C. 504, 554–557; 12 U.S.C. 93(b), 164, 505, 1815(e), 1817, 1818, 1820, 1828, 1829, 1829b, 1831i, 1831o, 1831p–1, 1832(c), 1884(b), 1972, 3102, 3108(a), 3349, 3909, 4717; 15 U.S.C. 78(h) and (i), 78o–4(c), 78o–5, 78q–1, 78s, 78u, 78u–2, 78u–3 and 78w; 6801(b), 6805(b)(1), 28 U.S.C. 2461 note; 31 U.S.C. 330, 5321; 42 U.S.C. 4012a; Sec. 3100(s), Pub. L. 104–134, 110 Stat. 1321–358.

1. Amend § 308.302 to revise paragraph (a) to read as follows:

§ 308.302 Determination and notification of failure to meet a safety and soundness standard and request for compliance plan.

(a) Determination. The FDIC may, based upon an examination, inspection or any other information that becomes available to the FDIC, determine that a bank has failed to satisfy the safety and soundness standards set out in part 364 of this chapter and in the Interagency Guidelines Establishing Standards for Safety and Soundness in appendix A and the Interagency Guidelines Establishing Standards for Safeguarding Customer Information in appendix B to part 364 of this chapter.

* * * * *

PART 364—STANDARDS FOR SAFETY AND SOUNDNESS

2. The authority citation for part 364 is revised to read as follows:

Authority: 12 U.S.C. 1819(Tenth), 1831p–1; 15 U.S.C. 6801(b), 6805(b)(1).

3. Amend § 364.101 to revise paragraph (b) to read as follows:

§ 364.101 Standards for safety and soundness.

* * * * *

(b) Interagency Guidelines Establishing Standards for Safeguarding Customer Information. The Interagency Guidelines Establishing Standards for Safeguarding Customer Information prescribed pursuant to section 39 of the Federal Deposit Insurance Act (12 U.S.C. 1831p–1) and sections 501 and 505(b) of the Gramm-Leach-Bliley Act (15 U.S.C. 6801, 6805(b)), as set forth in appendix B to this part, apply to all insured state nonmember banks, insured state licensed branches of foreign banks, and any subsidiaries of such entities (except brokers, dealers, persons providing insurance, investment companies, and investment advisers).

4. Revise appendix B to part 364 to read as follows:

Appendix B to Part 364—Interagency Guidelines Establishing Standards for Safeguarding Customer Information

Table of Contents

I. Introduction
A. Scope
B. Preservation of Existing Authority
C. Definitions
II. Standards for Safeguarding Customer Information
A. Information Security Program
B. Objectives
III. Development and Implementation of Customer Information Security Program
A. Involve the Board of Directors
B. Assess Risk
C. Manage and Control Risk
D. Oversee Service Provider Arrangements
E. Adjust the Program
F. Report to the Board
G. Implement the Standards

I. Introduction

The Interagency Guidelines Establishing Standards for Safeguarding Customer Information (Guidelines) set forth standards pursuant to section 39 of the Federal Deposit Insurance Act (section 39, codified at 12 U.S.C. 1831p–1), and sections 501 and 505(b), codified at 15 U.S.C. 6801 and 6805(b), of the Gramm-Leach-Bliley Act. These Guidelines address standards for developing and implementing administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information.

A. Scope. The Guidelines apply to customer information maintained by or on behalf of entities over which the Federal Deposit Insurance Corporation (FDIC) has authority. Such entities, referred to as “the bank”, are banks insured by the FDIC (other than members of the Federal Reserve System), insured state branches of foreign banks, and any subsidiaries of such entities (except brokers, dealers, persons providing insurance, investment companies, and investment advisers).

B. Preservation of Existing Authority. Neither section 39 nor these Guidelines in any way limit the authority of the FDIC to address unsafe or unsound practices, violations of law, unsafe or unsound conditions, or other practices. The FDIC may take action under section 39 and these Guidelines independently of, in conjunction with, or in addition to, any other enforcement action available to the FDIC.

C. Definitions. 1. Except as modified in the Guidelines, or unless the context otherwise requires, the terms used in these Guidelines have the same meanings as set forth in sections 3 and 39 of the Federal Deposit Insurance Act (12 U.S.C. 1813 and 1831p–1).

2. For purposes of the Guidelines, the following definitions apply:

a. Board of directors, in the case of a branch or agency of a foreign bank, means the managing official in charge of the branch or agency.

b. Customer means any customer of the bank as defined in § 332.3(h) of this chapter.

c. Customer information means any record containing nonpublic personal information, as defined in § 332.3(n) of this chapter, about a customer, whether in paper, electronic, or other form, that is maintained by or on behalf of the bank.

d. Customer information systems means any methods used to access, collect, store, use, transmit, protect, or dispose of customer information.

e. Service provider means any person or entity that maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to the bank.

II. Standards for Safeguarding Customer Information

A. Information Security Program. Each bank shall implement a comprehensive written information security program that includes administrative, technical, and physical safeguards appropriate to the size and complexity of the bank and the nature and scope of its activities. While all parts of the bank are not required to implement a uniform set of policies, all elements of the information security program must be coordinated.

B. Objectives. A bank’s information security program shall be designed to:

1. Ensure the security and confidentiality of customer information;

2. Protect against any anticipated threats or hazards to the security or integrity of such information; and

3. Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.

III. Development and Implementation of Information Security Program

A. Involve the Board of Directors. The board of directors or an appropriate committee of the board of each bank shall:

1. Approve the bank’s written information security program; and

2. Oversee the development, implementation, and maintenance of the bank’s information security program, including assigning specific responsibility for its implementation and reviewing reports from management.

B. Assess Risk. Each bank shall:

1. Identify reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information or customer information systems.

2. Assess the likelihood and potential damage of these threats, taking into consideration the sensitivity of customer information.


3. Assess the sufficiency of policies, procedures, customer information systems, and other arrangements in place to control risks.

C. Manage and Control Risk. Each bank shall:

1. Design its information security program to control the identified risks, commensurate with the sensitivity of the information as well as the complexity and scope of the bank’s activities. Each bank must consider whether the following security measures are appropriate for the bank and, if so, adopt those measures the bank concludes are appropriate:

a. Access controls on customer information systems, including controls to authenticate and permit access only to authorized individuals and controls to prevent employees from providing customer information to unauthorized individuals who may seek to obtain this information through fraudulent means.

b. Access restrictions at physical locations containing customer information, such as buildings, computer facilities, and records storage facilities to permit access only to authorized individuals;

c. Encryption of electronic customer information, including while in transit or in storage on networks or systems to which unauthorized individuals may have access;

d. Procedures designed to ensure that customer information system modifications are consistent with the bank’s information security program;

e. Dual control procedures, segregation of duties, and employee background checks for employees with responsibilities for or access to customer information;

f. Monitoring systems and procedures to detect actual and attempted attacks on or intrusions into customer information systems;

g. Response programs that specify actions to be taken when the bank suspects or detects that unauthorized individuals have gained access to customer information systems, including appropriate reports to regulatory and law enforcement agencies; and

h. Measures to protect against destruction, loss, or damage of customer information due to potential environmental hazards, such as fire and water damage or technological failures.

2. Train staff to implement the bank’s information security program.

3. Regularly test the key controls, systems and procedures of the information security program. The frequency and nature of such tests should be determined by the bank’s risk assessment. Tests should be conducted or reviewed by independent third parties or staff independent of those that develop or maintain the security programs.

D. Oversee Service Provider Arrangements. Each bank shall:

1. Exercise appropriate due diligence in selecting its service providers;

2. Require its service providers by contract to implement appropriate measures designed to meet the objectives of these Guidelines; and

3. Where indicated by the bank’s risk assessment, monitor its service providers to confirm that they have satisfied their obligations as required by paragraph D.2. As part of this monitoring, a bank should review audits, summaries of test results, or other equivalent evaluations of its service providers.

E. Adjust the Program. Each bank shall monitor, evaluate, and adjust, as appropriate, the information security program in light of any relevant changes in technology, the sensitivity of its customer information, internal or external threats to information, and the bank’s own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to customer information systems.

F. Report to the Board. Each bank shall report to its board or an appropriate committee of the board at least annually. This report should describe the overall status of the information security program and the bank’s compliance with these Guidelines. The report, which will vary depending upon the complexity of each bank’s program, should discuss material matters related to its program, addressing issues such as: risk assessment; risk management and control decisions; service provider arrangements; results of testing; security breaches or violations, and management’s responses; and recommendations for changes in the information security program.

G. Implement the Standards. 1. Effective date. Each bank must implement an information security program pursuant to these Guidelines by July 1, 2001.

2. Two-year grandfathering of agreements with service providers. Until July 1, 2003, a contract that a bank has entered into with a service provider to perform services for it or functions on its behalf, satisfies the provisions of paragraph III.D., even if the contract does not include a requirement that the servicer maintain the security and confidentiality of customer information as long as the bank entered into the contract on or before March 5, 2001.

By order of the Board of Directors.

Dated at Washington, D.C., this 21st day of December, 2000.

Federal Deposit Insurance Corporation.
Robert E. Feldman,
Executive Secretary.

Office of Thrift Supervision

12 CFR Chapter V

Authority and Issuance

For the reasons set forth in the joint preamble, parts 568 and 570 of chapter V of title 12 of the Code of Federal Regulations are amended as follows:

PART 568—SECURITY PROCEDURES

1. The authority citation of part 568 is revised to read as follows:

Authority: Secs. 2–5, 82 Stat. 294–295 (12 U.S.C. 1881–1984); 12 U.S.C. 1831p-1; 15 U.S.C. 6801, 6805(b)(1).

2. Amend § 568.1 by revising paragraph (a) to read as follows:

§ 568.1 Authority, purpose, and scope.

(a) This part is issued by the Office of Thrift Supervision (OTS) pursuant to section 3 of the Bank Protection Act of 1968 (12 U.S.C. 1882), and sections 501 and 505(b)(1) of the Gramm-Leach-Bliley Act (12 U.S.C. 6801, 6805(b)(1)). This part is applicable to savings associations. It requires each savings association to adopt appropriate security procedures to discourage robberies, burglaries, and larcenies and to assist in the identification and prosecution of persons who commit such acts. Section 568.5 of this part is applicable to savings associations and their subsidiaries (except brokers, dealers, persons providing insurance, investment companies, and investment advisers). Section 568.5 of this part requires covered institutions to establish and implement appropriate administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information.

* * * * *

3. Add new § 568.5 to read as follows:

§ 568.5 Protection of customer information.

Savings associations and their subsidiaries (except brokers, dealers, persons providing insurance, investment companies, and investment advisers) must comply with the Interagency Guidelines Establishing Standards for Safeguarding Customer Information prescribed pursuant to sections 501 and 505 of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 and 6805), set forth in appendix B to part 570 of this chapter.

PART 570—SUBMISSION AND REVIEW OF SAFETY AND SOUNDNESS COMPLIANCE PLANS AND ISSUANCE OF ORDERS TO CORRECT SAFETY AND SOUNDNESS DEFICIENCIES

4. Amend § 570.1 by adding a sentence at the end of paragraph (a) and revising the last sentence of paragraph (b) to read as follows:

§ 570.1 Authority, purpose, scope and preservation of existing authority.

(a) * * * Appendix B to this part is further issued under sections 501(b) and 505 of the Gramm-Leach-Bliley Act (Pub. L. 106–102, 113 Stat. 1338 (1999)).

(b) * * * Interagency Guidelines Establishing Standards for Safeguarding Customer Information are set forth in appendix B to this part.

* * * * *

5. Amend § 570.2 by revising paragraph (a) to read as follows:


§ 570.2 Determination and notification of failure to meet safety and soundness standards and request for compliance plan.

(a) Determination. OTS may, based upon an examination, inspection, or any other information that becomes available to OTS, determine that a savings association has failed to satisfy the safety and soundness standards contained in the Interagency Guidelines Establishing Standards for Safety and Soundness as set forth in appendix A to this part or the Interagency Guidelines Establishing Standards for Safeguarding Customer Information as set forth in appendix B to this part.

* * * * *

6. Revise appendix B to part 570 to read as follows:

Appendix B to Part 570—Interagency Guidelines Establishing Standards for Safeguarding Customer Information

Table of Contents

I. Introduction
A. Scope
B. Preservation of Existing Authority
C. Definitions
II. Standards for Safeguarding Customer Information
A. Information Security Program
B. Objectives
III. Development and Implementation of Customer Information Security Program
A. Involve the Board of Directors
B. Assess Risk
C. Manage and Control Risk
D. Oversee Service Provider Arrangements
E. Adjust the Program
F. Report to the Board
G. Implement the Standards

I. Introduction

The Interagency Guidelines Establishing Standards for Safeguarding Customer Information (Guidelines) set forth standards pursuant to section 39 of the Federal Deposit Insurance Act (section 39, codified at 12 U.S.C. 1831p–1), and sections 501 and 505(b), codified at 15 U.S.C. 6801 and 6805(b), of the Gramm-Leach-Bliley Act. These Guidelines address standards for developing and implementing administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information.

A. Scope. The Guidelines apply to customer information maintained by or on behalf of entities over which OTS has authority. For purposes of this appendix, these entities are savings associations whose deposits are FDIC-insured and any subsidiaries of such savings associations, except brokers, dealers, persons providing insurance, investment companies, and investment advisers. This appendix refers to such entities as “you”.

B. Preservation of Existing Authority. Neither section 39 nor these Guidelines in any way limit OTS’s authority to address unsafe or unsound practices, violations of law, unsafe or unsound conditions, or other practices. OTS may take action under section 39 and these Guidelines independently of, in conjunction with, or in addition to, any other enforcement action available to OTS.

C. Definitions. 1. Except as modified in the Guidelines, or unless the context otherwise requires, the terms used in these Guidelines have the same meanings as set forth in sections 3 and 39 of the Federal Deposit Insurance Act (12 U.S.C. 1813 and 1831p–1).

2. For purposes of the Guidelines, the following definitions apply:

a. Customer means any of your customers as defined in § 573.3(h) of this chapter.

b. Customer information means any record containing nonpublic personal information, as defined in § 573.3(n) of this chapter, about a customer, whether in paper, electronic, or other form, that you maintain or that is maintained on your behalf.

c. Customer information systems means any methods used to access, collect, store, use, transmit, protect, or dispose of customer information.

d. Service provider means any person or entity that maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to you.

II. Standards for Safeguarding Customer Information

A. Information Security Program. You shall implement a comprehensive written information security program that includes administrative, technical, and physical safeguards appropriate to your size and complexity and the nature and scope of your activities. While all parts of your organization are not required to implement a uniform set of policies, all elements of your information security program must be coordinated.

B. Objectives. Your information security program shall be designed to:

1. Ensure the security and confidentiality of customer information;

2. Protect against any anticipated threats or hazards to the security or integrity of such information; and

3. Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.

III. Development and Implementation of Information Security Program

A. Involve the Board of Directors. Your board of directors or an appropriate committee of the board shall:

1. Approve your written information security program; and

2. Oversee the development, implementation, and maintenance of your information security program, including assigning specific responsibility for its implementation and reviewing reports from management.

B. Assess Risk. You shall:

1. Identify reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information or customer information systems.

2. Assess the likelihood and potential damage of these threats, taking into consideration the sensitivity of customer information.

3. Assess the sufficiency of policies, procedures, customer information systems, and other arrangements in place to control risks.

C. Manage and Control Risk. You shall:

1. Design your information security program to control the identified risks, commensurate with the sensitivity of the information as well as the complexity and scope of your activities. You must consider whether the following security measures are appropriate for you and, if so, adopt those measures you conclude are appropriate:

a. Access controls on customer information systems, including controls to authenticate and permit access only to authorized individuals and controls to prevent employees from providing customer information to unauthorized individuals who may seek to obtain this information through fraudulent means.

b. Access restrictions at physical locations containing customer information, such as buildings, computer facilities, and records storage facilities to permit access only to authorized individuals;

c. Encryption of electronic customer information, including while in transit or in storage on networks or systems to which unauthorized individuals may have access;

d. Procedures designed to ensure that customer information system modifications are consistent with your information security program;

e. Dual control procedures, segregation of duties, and employee background checks for employees with responsibilities for or access to customer information;

f. Monitoring systems and procedures to detect actual and attempted attacks on or intrusions into customer information systems;

g. Response programs that specify actions for you to take when you suspect or detect that unauthorized individuals have gained access to customer information systems, including appropriate reports to regulatory and law enforcement agencies; and

h. Measures to protect against destruction, loss, or damage of customer information due to potential environmental hazards, such as fire and water damage or technological failures.

2. Train staff to implement your information security program.

3. Regularly test the key controls, systems and procedures of the information security program. The frequency and nature of such tests should be determined by your risk assessment. Tests should be conducted or reviewed by independent third parties or staff independent of those that develop or maintain the security programs.

D. Oversee Service Provider Arrangements. You shall:

1. Exercise appropriate due diligence in selecting your service providers;

2. Require your service providers by contract to implement appropriate measures designed to meet the objectives of these Guidelines; and

3. Where indicated by your risk assessment, monitor your service providers to confirm that they have satisfied their obligations as required by paragraph D.2. As part of this monitoring, you should review audits, summaries of test results, or other equivalent evaluations of your service providers.

E. Adjust the Program. You shall monitor, evaluate, and adjust, as appropriate, the information security program in light of any relevant changes in technology, the sensitivity of your customer information, internal or external threats to information, and your own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to customer information systems.

F. Report to the Board. You shall report to your board or an appropriate committee of the board at least annually. This report should describe the overall status of the information security program and your compliance with these Guidelines. The reports should discuss material matters related to your program, addressing issues such as: risk assessment; risk management and control decisions; service provider arrangements; results of testing; security breaches or violations and management’s responses; and recommendations for changes in the information security program.

G. Implement the Standards. 1. Effective date. You must implement an information security program pursuant to these Guidelines by July 1, 2001.

2. Two-year grandfathering of agreements with service providers. Until July 1, 2003, a contract that you have entered into with a service provider to perform services for you or functions on your behalf satisfies the provisions of paragraph III.D., even if the contract does not include a requirement that the servicer maintain the security and confidentiality of customer information, as long as you entered into the contract on or before March 5, 2001.

Dated: December 19, 2000.

By the Office of Thrift Supervision.
Ellen Seidman,
Director.

[FR Doc. 01–1114 Filed 1–31–01; 8:45 am]
BILLING CODE 4810–33–P; 6210–01–P; 6714–01–P; 6720–01–P
