Federal Register: June 26, 2000 (Volume 65, Number 123)
DOCID: FR Doc 00-15798
Part II
DEPARTMENT OF THE TREASURY
Office of the Comptroller of the Currency
12 CFR Part 30
[Docket No. 00-13]
RIN 1557-AB84
FEDERAL RESERVE SYSTEM
12 CFR Parts 208, 211, 225, and 263
[Docket No. R-1073]
FEDERAL DEPOSIT INSURANCE CORPORATION
12 CFR Parts 308 and 364
DEPARTMENT OF THE TREASURY
Office of Thrift Supervision
12 CFR Parts 568 and 570
[Docket No. 2000-51]
Interagency Guidelines Establishing Standards for Safeguarding Customer Information and Rescission of Year 2000 Standards for Safety and Soundness
AGENCIES: Department of the Treasury, Office of the Comptroller of the Currency, Office of Thrift Supervision; Federal Reserve System; Federal Deposit Insurance Corporation.
ACTION: Joint notice of proposed rulemaking.
SUMMARY: The Office of the Comptroller of the Currency, Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, and Office of Thrift Supervision (collectively, the Agencies) are requesting comment on proposed Guidelines establishing standards for safeguarding customer information, published to implement sections 501 and 505(b) of the Gramm-Leach-Bliley Act (the GLB Act or Act).
Section 501 of the GLB Act requires the Agencies to establish appropriate standards for the financial institutions subject to their respective jurisdictions relating to administrative, technical, and physical safeguards for customer records and information. These safeguards are intended to: Insure the security and confidentiality of customer records and information; protect against any anticipated threats or hazards to the security or integrity of such records; and protect against unauthorized access to or use of such records or information that could result in substantial harm or inconvenience to any customer. The Agencies are to implement these standards in the same manner, to the extent practicable, as standards prescribed pursuant to section 39(a) of the Federal Deposit Insurance Act (FDI Act). The proposed Guidelines implement the requirements of the GLB Act.
The Agencies previously issued guidelines establishing Year 2000 safety and soundness standards for insured depository institutions pursuant to section 39 of the FDI Act. Since the events for which these guidelines were issued have passed, the Agencies have concluded that the guidelines are no longer necessary and propose to rescind the guidelines as part of this rulemaking.
DATES: Comments must be received not later than August 25, 2000.
The contents of this preamble are listed in the following outline:
II. Section-by-Section Analysis
III. Regulatory Analysis
A. Paperwork Reduction Act
B. Regulatory Flexibility Act
C. Executive Order 12866
D. Unfunded Mandates Act of 1995
IV. Solicitation of Comments on Use of Plain Language
On November 12, 1999, President Clinton signed the GLB Act (Pub. L. 106-102) into law. Section 501, entitled ``Protection of Nonpublic Personal Information,'' requires the Agencies and the Securities and Exchange Commission, the National Credit Union Administration, and the Federal Trade Commission to establish appropriate standards for the financial institutions subject to their respective jurisdictions relating to the administrative, technical, and physical safeguards for customer records and information. These safeguards are intended to: (1) Insure the security and confidentiality of customer records and information; (2) protect against any anticipated threats or hazards to the security or integrity of such records; and (3) protect against unauthorized access to or use of such records or information that would result in substantial harm or inconvenience to any customer.
Section 505(b) of the GLB Act provides that these standards are to be implemented by the Agencies in the same manner, to the extent practicable, as standards prescribed pursuant to section 39(a) of the FDI Act.\1\ Section 39(a) of the FDI Act authorizes the Agencies to establish operational and managerial standards for insured depository institutions relative to, among other things, internal controls, information systems, and internal audit systems, as well as such other operational and managerial standards as the Agencies determine to be appropriate. These standards may be issued as guidelines or regulations. While this proposal is in the form of guidelines, the Agencies solicit comment on whether the final standards should be issued in the form of guidelines or as regulations.\2\
\1\ Section 39 applies only to insured depository institutions, including insured branches of foreign banks. The Guidelines, however, will also apply to certain uninsured institutions, such as bank holding companies, certain nonbank subsidiaries of bank holding companies and insured depository institutions, and uninsured branches and agencies of foreign banks. See section 501 and 505(b) of the GLB Act.
\2\ The OTS proposes to place its information security guidelines in Appendix B to 12 CFR part 570, with the provisions implementing section 39 of the FDI Act. At the same time, the OTS proposes a regulatory requirement that the institutions the OTS regulates comply with the proposed guidelines. Because information security guidelines are similar to physical security procedures, the OTS proposes including a provision in 12 CFR part 568, which covers primarily physical security procedures, requiring compliance with the guidelines in Appendix B to part 570.
The proposed Guidelines apply to ``nonpublic personal information'' of ``customers'' as those terms are defined in the Agencies' privacy rules published in accordance with Title V of the GLB Act (the Privacy Rule). See Privacy of Consumer Financial Information, 65 FR 35162 (June 1, 2000).\3\ Under section 503(b)(3) of the GLB Act and the Privacy Rule, financial institutions will be required to disclose their policies and practices with respect to protecting the confidentiality, security, and integrity of nonpublic personal information as part of the initial and annual notices to their customers. Key components of the proposed Guidelines were derived from security-related supervisory guidance previously issued by the Agencies and the Federal Financial Institutions Examination Council (FFIEC).
\3\ Where the Supplementary Information refers to a section of the Privacy Rule, it will preface the common section number with ``__'', as each Agency has a different part number.
The texts of the Agencies' proposed Guidelines are substantively identical. The Agencies request comment on all aspects of the proposed Guidelines as well as comment on the specific provisions and issues highlighted in the section-by-section analysis below. Those commenters who believe that the proposed Guidelines would impose undue burdens on financial institutions should identify which parts of the Guidelines they believe impose excessive burdens and describe the burdens. Those commenters should also discuss either: (1) Alternative methods that would accomplish the same purpose; or (2) why the intended purpose is unnecessary or should be modified.
The Agencies also seek comments on the impact of this proposal on community banks. The Agencies recognize that community banks operate with more limited resources than larger institutions and may present a different risk profile. Thus, in addition to reviewing comments, each Agency will endeavor to assess the potential impact and burden that the proposal may impose on community banks during the comment period. The Agencies also specifically request comment on the impact of this proposal on community banks' current resources and available personnel with the requisite expertise. Commenters should discuss whether (1) The standards are reasonable and realistic for community banks, and (2) whether the goals of the proposed regulation could be achieved, for community banks, through an alternative approach. Based on the comments received, the Agencies will consider whether there is a need to develop a compliance guide for community banks and other smaller institutions in conjunction with the final Guidelines.
As proposed, the Guidelines will appear as an appendix to each Agency's Standards for Safety and Soundness. For the OCC those regulations appear at 12 CFR part 30; for the Board at 12 CFR part 208; for the FDIC at 12 CFR part 364; and for the OTS at 12 CFR part 570. The Board is also amending 12 CFR parts 211 and 225 to apply the Guidelines to other institutions that it supervises.
The Agencies will apply the rules already in place to require the submission of a compliance plan in appropriate circumstances. For the OCC those regulations appear at 12 CFR part 30; for the Board at 12 CFR part 263; for the FDIC at 12 CFR part 308, subpart R; and for the OTS at 12 CFR part 570. This proposal makes conforming changes to the regulatory text of these parts.
Rescission of Year 2000 Standards for Safety and Soundness. The Agencies previously issued guidelines establishing Year 2000 safety and soundness standards for insured depository institutions pursuant to section 39 of the FDI Act. Because the events for which these guidelines were issued have passed, the Agencies have concluded that the guidelines are no longer necessary and propose to rescind the guidelines as part of this rulemaking. These guidelines appear for the OCC at 12 CFR part 30, appendix B and C; for the Board at 12 CFR part 208, appendix D2; for the FDIC at 12 CFR part 364, appendix B; and for the OTS at 12 CFR part 570, appendix B. The Agencies request comment on whether the rescission of these appendices is appropriate.
II. Section-by-Section Analysis
The discussion that follows applies to each of the Agencies' proposed Guidelines.
Appendix __ to Part __: Interagency Guidelines Establishing Standards for Safeguarding Customer Information
Proposed paragraph I. sets forth the general purpose of the proposed Guidelines, which is to provide guidance to each financial institution in establishing and implementing administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information. This paragraph also sets forth the statutory authority for the proposed Guidelines, including section 39(a) of the FDI Act (12 U.S.C. 1831p-1) and sections 501 and 505(b) of the GLB Act (15 U.S.C. 6801 and 6805(b)).
Paragraph I.A. describes the scope of the proposed Guidelines. Each Agency defines specifically those entities within its particular scope of coverage in this paragraph of the proposed Guidelines.\4\
\4\ While the OTS generally regulates savings and loan holding companies under the Home Owners' Loan Act (12 U.S.C. 1461 et seq.), a different Federal functional regulator, a state insurance authority, or the Federal Trade Commission may establish standards for safeguarding customer information as to that holding company under section 505 of the GLB Act, depending on the nature of the holding company's activities.
I.B. Preservation of Existing Authority
Paragraph I.B. makes clear that in issuing these proposed Guidelines none of the Agencies is, in any way, limiting its authority to address any unsafe or unsound practice, violation of law, unsafe or unsound condition, or other practice, including any condition or practice related to safeguarding customer information. Any action taken by any Agency under section 39(a) of the FDI Act and these Guidelines may be taken independently of, in conjunction with, or in addition to any other enforcement action available to the Agency.
Paragraph I.C. sets forth the definitions of various terms for purposes of the proposed Guidelines.\5\
\5\ In addition to the definitions discussed below, the Board's guidelines in 12 CFR parts 208 and 225 contain a definition of ``subsidiary,'' which describes the state member bank and bank holding company subsidiaries that are subject to the Guidelines.
I.C.1. In General
Paragraph I.C.1. provides that terms used in the proposed Guidelines have the same meanings as set forth in sections 3 and 39(a) of the FDI Act (12 U.S.C. 1813 and 1831p-1), except to the extent that the definition of the term is modified in the proposed Guidelines or where the context requires otherwise.
I.C.2. Customer Information
Proposed paragraph I.C.2. defines customer information. Customer information includes any records, data, files, or other information containing nonpublic personal information, as defined in section __.3(n) of the Privacy Rule, about a customer. This includes records in paper, electronic, or any other form that are within the control of a financial institution or that are maintained by any service provider on behalf of an institution. Although the GLB Act uses both the terms ``records'' and ``information,'' for the sake of simplicity, in the proposed Guidelines the term ``customer information'' encompasses all customer records.
Section 501(b) refers to safeguarding the security and confidentiality of ``customer'' information. The term ``customer'' is also used in other sections of Title V of the GLB Act and has been defined by the Agencies in the Privacy Rule interpreting these sections to include those consumers who have a customer relationship with the institution. This term does not cover business customers, or consumers who have not established an ongoing relationship with a financial institution (e.g., those who merely use an institution's ATM or apply for a loan). See sections __.3(h) and (i) of the Privacy Rule.
The Agencies propose defining ``customer'' for purposes of the Guidelines consistently with the Privacy Rule. However, the Agencies have considered whether the scope of the Guidelines should apply to records regarding all consumers, the institution's consumer and business clients, or all of an institution's records. The Agencies solicit comment on whether a broader definition would change the information security program that an institution would implement, or, whether, as a practical matter, institutions would respond to the Guidelines by implementing an information security program for all types of records under their control rather than segregating ``customer'' records for special treatment.
Proposed paragraph I.C.3. defines customer. Customer would include any customer of an institution as defined in section __.3(h) of the Privacy Rule. A customer is a consumer who has established a continuing relationship with an institution under which the institution provides one or more financial products or services to the consumer to be used primarily for personal, family or household purposes.
I.C.4. Service Provider
Proposed paragraph I.C.4. defines a service provider as any person or entity that maintains or processes customer information on behalf of an institution, or is otherwise granted access to customer information through its provision of services to an institution.
I.C.5. Board of Directors
Proposed paragraph I.C.5. defines board of directors to mean, in the case of a branch or agency of a foreign bank, the managing official in charge of the branch or agency.\6\
\6\ The OTS version of the guidelines does not include this definition because the OTS does not regulate foreign institutions. Section I of the OTS guidelines has been renumbered accordingly.
I.C.6. Customer Information System
Proposed paragraph I.C.6. defines customer information system to be electronic or physical methods used to access, collect, store, use, transmit and protect customer information.
II. Standards for Safeguarding Customer Information
II.A. Information Security Program
The proposed Guidelines describe the Agencies' expectations for the creation, implementation, and maintenance of an information security program. This program must include administrative, technical, and physical safeguards appropriate to the size and complexity of the institution and the nature and scope of its activities. The proposed Guidelines describe the oversight role of the board of directors in this process and management's continuing duty to evaluate and report to the board on the overall status of this program. The four steps in this process require an institution to: (1) Identify and assess the risks that may threaten customer information; (2) develop a written plan containing policies and procedures to manage and control these risks; (3) implement and test the plan; and (4) adjust the plan on a continuing basis to account for changes in technology, the sensitivity of customer information, and internal or external threats to information security. The proposed Guidelines also set forth an institution's responsibility for overseeing outsourcing arrangements.
II.B. Objectives
Proposed paragraph II.B. describes the objectives for an information security program: to ensure the security and confidentiality of customer information, protect against any anticipated threats or hazards to the security or integrity of such information, and protect against unauthorized access to or use of customer information that could either: (1) Result in substantial harm or inconvenience to any customer; or (2) present a safety and soundness risk to the institution. For purposes of the Guidelines, unauthorized access to or use of customer information does not include access to or use of customer information with the customer's consent. The Agencies request comment on whether there are additional or alternative objectives that should be included in the Guidelines.
III. Develop and Implement Information Security Program
III.A. Involve the Board of Directors and Management
Proposed paragraph III.A. describes the involvement of the board and management in the development and implementation of an information security program. The board's responsibilities are to: (1) Approve the institution's written information security policy and program that complies with these Guidelines; and (2) oversee efforts to develop, implement, and maintain an effective information security program, including the regular review of management reports.
The three responsibilities for management in the development of an information security program are to: (1) Evaluate the impact on the institution's security program of changing business arrangements (e.g., mergers and acquisitions, alliances and joint ventures, outsourcing arrangements) and changes to customer information systems; (2) document compliance with these Guidelines; and (3) keep the board informed of the current status of the institution's information security program, e.g., report to the board on a regular basis on the overall status of the information security program, including material matters related to: Risk assessment; risk management and control decisions; results of testing; attempted or actual security breaches or violations and responsive actions taken by management; and any recommendations for improvements to the information security program.
The Agencies specifically invite comment regarding the appropriate frequency of reports to the board. Should the Guidelines specify reporting intervals: monthly, quarterly, annually? How regularly should management report to the board regarding the institution's information security program, and why are these intervals appropriate? Should the Guidelines require that the board designate a Corporate Information Security Officer or other responsible individual who would have the authority, subject to the board's approval, to develop and administer the institution's information security program?
III.B. Assess Risk
Proposed paragraph III.B. describes the risk assessment process that should be developed as part of the information security program in order to meet the objectives of the Guidelines. First, a financial institution should identify and assess risks that may threaten the security, confidentiality, or integrity of customer information, whether in storage, processing, or transit. The risk assessment should be made in light of an institution's size, scope of operations, and technology. Institutions should determine the sensitivity of customer information to be protected as part of this analysis.
Next, a financial institution should conduct an assessment of the sufficiency of existing policies, procedures, customer information systems, and other arrangements intended to control the risks it has identified. Finally, the financial institution should monitor, evaluate, and adjust its risk assessment, taking into consideration any technological or other changes or the sensitivity of the information.
III.C. Manage and Control Risk
Proposed paragraph III.C. describes the elements of a comprehensive risk management plan designed to control identified risks and to achieve the overall objective of ensuring the security and confidentiality of customer information. It identifies the factors an institution should consider in evaluating the adequacy of its policies and procedures to effectively manage these risks commensurate with the sensitivity of the information as well as the complexity and scope of the institution and its activities. In establishing the policies and procedures, each institution should consider appropriate:
a. Access rights to customer information;
b. Access controls on customer information systems, including controls to authenticate and grant access only to authorized individuals and companies;
c. Access restrictions at locations containing customer information, such as buildings, computer facilities, and records storage facilities;
d. Encryption of electronic customer information, including while in transit or in storage on networks or systems to which unauthorized individuals may have access;
e. Procedures to confirm that customer information system modifications are consistent with the institution's information security program;
f. Dual control procedures, segregation of duties, and employee background checks for employees with responsibilities for or access to customer information;
g. Contract provisions and oversight mechanisms to protect the security of customer information maintained or processed by service providers;
h. Monitoring systems and procedures to detect actual and attempted attacks on or intrusions into customer information systems;
i. Response programs that specify actions to be taken when unauthorized access to customer information systems is suspected or detected;
j. Protection against destruction of customer information due to potential physical hazards, such as fire and water damage; and
k. Response programs to preserve the integrity and security of customer information in the event of computer or other technological failure, including, where appropriate, reconstructing lost or damaged customer information.
The Agencies intend that these elements accommodate institutions of varying sizes, scope of operations, and risk management structures. The Agencies invite comment on the degree of detail that should be included in the Guidelines regarding the risk management program, which elements should be specified in the Guidelines, and any other components of a risk management program that should be included.
The Guidelines also provide that an institution's information security program should include a training component designed to teach employees to recognize and respond to fraudulent attempts to obtain customer information and, where appropriate, to report any attempts to regulatory and law enforcement agencies.
The information security program also should include regular testing of systems to confirm that an institution and its service providers control identified risks and achieve the objectives to ensure the security and confidentiality of customer information. The tests should be verified by an independent third party or staff independent of those who conducted the test. Tests should be documented.
[[Page 39476]]
The frequency and nature of the testing should be determined by the risk assessment and adjusted as necessary to reflect changes in the internal and external conditions. The Agencies request comment on whether specific types of security tests, such as penetration tests or intrusion detection tests, should be required.
The Agencies invite comment regarding the appropriate degree of independence that should be specified in the Guidelines in connection with the testing of information security systems and the review of test results. Should the tests or reviews of tests be conducted by persons who are not employees of the financial institution? If employees may conduct the testing or may review test results, what measures, if any, are appropriate to assure their independence?
Finally, the Guidelines describe the need for an ongoing process of monitoring, evaluation, and adjustment of the information security program in light of any relevant changes in technology, the sensitivity of customer information, and internal or external threats to information security.
III.D. Oversee Outsourcing Arrangements
Proposed paragraph III.D. addresses outsourcing. An institution should exercise appropriate due diligence in managing and monitoring its outsourcing arrangements to confirm that its service providers have implemented an effective information security program to protect customer information and customer information systems consistent with these Guidelines.
The Agencies welcome comments on the appropriate treatment of outsourcing arrangements. For example, are industry best practices available regarding effective monitoring of service provider security precautions? Do service providers accommodate requests for specific contract provisions regarding information security? To the extent that service providers do not accommodate these requests, how do financial institutions implement effective information security programs? Should these Guidelines contain specific contract provisions requiring service provider performance standards in connection with the security of customer information?
III.E. Implement the Standards
Proposed paragraph III.E. describes the timing requirements for the implementation of these standards. Each financial institution is to take appropriate steps to fully implement an information security program pursuant to these Guidelines by July 1, 2001.
III. Regulatory Analysis
A. Paperwork Reduction Act