77610 Federal Register / Vol. 69, No. 248 / Tuesday, December 28, 2004 / Rules and Regulations
1 69 FR 31913 (June 8, 2004). The Guidelines are
codified at 12 CFR parts 30, app. B (OCC); 208, app.
All written comments will be
available for public inspection during
regular work hours at the 300 7th Street,
SW., address listed above.
FOR FURTHER INFORMATION CONTACT: Sue
Harris-Green, Deputy Director, Multi-
Family Housing Direct Loan Division,
Rural Housing Service, U.S. Department
of Agriculture, Room 1241, South
Building, Stop 0781, 1400
Independence Avenue, SW.,
Washington, DC 20250–0781, telephone
(202) 720–1660.
SUPPLEMENTARY INFORMATION: In the
Federal Register dated November 26,
2004, the Rural Housing Service (RHS)
published an interim final rule which
had the intent of streamlining and
reengineering its regulations, as well as
utilizing several private sector processes
and techniques in the administration of
the origination, management, servicing,
and preservation of its Multi-Family
Housing programs. These programs
include the section 515 Rural Rental
Housing (RRH) loan program, the
section 514/516 Farm Labor Housing
loan and grant program, and the section
521 Rental Assistance (RA) program.
This interim final rule combines the
provisions of the Streamlining and
Consolidation of the sections 514, 515,
516, and 521 Multi-Family Housing
(MFH) Programs Proposed Rule
published on June 2, 2003, and the
Operating Assistance for Off-Farm
Migrant Farmworker Projects Proposed
Rule published on November 2, 2000.
Due to the complex nature of the
changes in the regulation, it is in the
best interest of the public to extend the
period of time in which comments will
be accepted. Initially, the comment
period was to end on December 27,
2004. The revised ending date for the
receipt of comments is now January 26,
2005.
Dated: December 16, 2004.
Gilbert Gonzalez,
Acting Under Secretary, Rural Development.
[FR Doc. 04–28240 Filed 12–27–04; 8:45 am]
BILLING CODE 3410 –XV–U
DEPARTMENT OF THE TREASURY
Office of the Comptroller of the
Currency
12 CFR Parts 30 and 41
[Docket No. 04–13]
RIN 1557–AC84
FEDERAL RESERVE SYSTEM
12 CFR Parts 208, 211, 222, and 225
[Docket No. R–1199]
FEDERAL DEPOSIT INSURANCE
CORPORATION
12 CFR Parts 334 and 364
RIN 3064–AC77
DEPARTMENT OF THE TREASURY
Office of Thrift Supervision
12 CFR Parts 568, 570, and 571
[No. 2004–56]
RIN 1550–AB87
Proper Disposal of Consumer
Information Under the Fair and
Accurate Credit Transactions Act of
2003
AGENCIES: Office of the Comptroller of
the Currency, Treasury (OCC); Board of
Governors of the Federal Reserve
System (Board); Federal Deposit
Insurance Corporation (FDIC); and
Office of Thrift Supervision, Treasury
(OTS).
ACTION: Final rule.
SUMMARY: The OCC, Board, FDIC, and
OTS (the Agencies) are adopting a final
rule to implement section 216 of the
Fair and Accurate Credit Transactions
Act of 2003 by amending the
Interagency Guidelines Establishing
Standards for Safeguarding Customer
Information. The final rule generally
requires each financial institution to
develop, implement, and maintain, as
part of its existing information security
program, appropriate measures to
properly dispose of consumer
information derived from consumer
reports to address the risks associated
with identity theft.
EFFECTIVE DATE: July 1, 2005.
FOR FURTHER INFORMATION CONTACT:
OCC: Aida Plaza Carter, Director, Bank
Information Technology, (202) 874–
4740; Amy Friend, Assistant Chief
Counsel, (202) 874–5200; or Deborah
Katz, Senior Counsel, Legislative and
Regulatory Activities Division, (202)
874–5090.
Board: Donna L. Parker, Supervisory
Financial Analyst, Division of
Supervision & Regulation, (202) 452–
2614; Joshua H. Kaplan, Attorney, Legal
Division, (202) 452–2249; Minh-Duc T.
Le or Ky Tran-Trong, Senior Attorneys,
Division of Consumer and Community
Affairs, (202) 452–3667.
FDIC: Jeffrey M. Kopchik, Senior
Policy Analyst, Division of Supervision
and Consumer Protection, (202) 898–
3872; Kathryn M. Weatherby,
Examination Specialist, Division of
Supervision and Consumer Protection,
(202) 898–6793; Robert A. Patrick,
Counsel, Legal Division, (202) 898–
3757; Janet V. Norcom, Counsel, Legal
Division, (202) 898–8886.
OTS: Glenn Gimble, Senior Project
Manager, Thrift Policy, (202) 906–7158;
Lewis C. Angel, Senior Project Manager,
Technology Risk Management, (202)
906–5645; Richard Bennett, Counsel
(Banking and Finance), Regulations and
Legislation Division, (202) 906–7409.
SUPPLEMENTARY INFORMATION:
I. Introduction
Section 216 of the Fair and Accurate
Credit Transactions Act of 2003 (FACT
Act or the Act) adds a new section 628
to the Fair Credit Reporting Act (FCRA),
at 15 U.S.C. 1681w, that, in general, is
designed to protect a consumer against
the risks associated with unauthorized
access to information about the
consumer contained in a consumer
report, such as fraud and related crimes
including identity theft. Section 216 of
the Act requires each of the Agencies to
adopt a regulation with respect to the
entities that are subject to its
enforcement authority ‘‘requiring any
person that maintains or otherwise
possesses consumer information, or any
compilation of consumer information,
derived from consumer reports for a
business purpose to properly dispose of
any such information or compilation.’’
Pub. L. 108–159, 117 Stat. 1985–86. The
FACT Act mandates that the Agencies
ensure that their respective regulations
are consistent with the requirements
issued pursuant to the Gramm-Leach-
Bliley Act (GLB Act) (Pub. L. 106–102),
as well as other provisions of Federal
law.
On June 8, 2004, the Agencies
published a proposal to amend the
Interagency Guidelines Establishing
Standards for Safeguarding Customer
Information (Guidelines) to require
financial institutions to implement
controls designed to ensure the proper
disposal of ‘‘consumer information’’
within the meaning of section 216.1 A
VerDate jul<14>2003 17:38 Dec 27, 2004 Jkt 205001 PO 00000 Frm 00002 Fmt 4700 Sfmt 4700 E:\FR\FM\28DER1.SGM 28DER1
1 69 FR 31913 (June 8, 2004). The Guidelines are
codified at 12 CFR parts 30, app. B (OCC); 208, app.
All written comments will be
available for public inspection during
regular work hours at the 300 7th Street,
SW., address listed above.
FOR FURTHER INFORMATION CONTACT: Sue
Harris-Green, Deputy Director, Multi-
Family Housing Direct Loan Division,
Rural Housing Service, U.S. Department
of Agriculture, Room 1241, South
Building, Stop 0781, 1400
Independence Avenue, SW.,
Washington, DC 20250–0781, telephone
(202) 720–1660.
SUPPLEMENTARY INFORMATION: In the
Federal Register dated November 26,
2004, the Rural Housing Service (RHS)
published an interim final rule which
had the intent of streamlining and
reengineering its regulations, as well as
utilizing several private sector processes
and techniques in the administration of
the origination, management, servicing,
and preservation of its Multi-Family
Housing programs. These programs
include the section 515 Rural Rental
Housing (RRH) loan program, the
section 514/516 Farm Labor Housing
loan and grant program, and the section
521 Rental Assistance (RA) program.
This interim final rule combines the
provisions of the Streamlining and
Consolidation of the sections 514, 515,
516, and 521 Multi-Family Housing
(MFH) Programs Proposed Rule
published on June 2, 2003, and the
Operating Assistance for Off-Farm
Migrant Farmworker Projects Proposed
Rule published on November 2, 2000.
Due to the complex nature of the
changes in the regulation, it is in the
best interest of the public to extend the
period of time in which comments will
be accepted. Initially, the comment
period was to end on December 27,
2004. The revised ending date for the
receipt of comments is now January 26,
2005.
Dated: December 16, 2004.
Gilbert Gonzalez,
Acting Under Secretary, Rural Development.
[FR Doc. 04–28240 Filed 12–27–04; 8:45 am]
BILLING CODE 3410 –XV–U
DEPARTMENT OF THE TREASURY
Office of the Comptroller of the
Currency
12 CFR Parts 30 and 41
[Docket No. 04–13]
RIN 1557–AC84
FEDERAL RESERVE SYSTEM
12 CFR Parts 208, 211, 222, and 225
[Docket No. R–1199]
FEDERAL DEPOSIT INSURANCE
CORPORATION
12 CFR Parts 334 and 364
RIN 3064–AC77
DEPARTMENT OF THE TREASURY
Office of Thrift Supervision
12 CFR Parts 568, 570, and 571
[No. 2004–56]
RIN 1550–AB87
Proper Disposal of Consumer
Information Under the Fair and
Accurate Credit Transactions Act of
2003
AGENCIES: Office of the Comptroller of
the Currency, Treasury (OCC); Board of
Governors of the Federal Reserve
System (Board); Federal Deposit
Insurance Corporation (FDIC); and
Office of Thrift Supervision, Treasury
(OTS).
ACTION: Final rule.
SUMMARY: The OCC, Board, FDIC, and
OTS (the Agencies) are adopting a final
rule to implement section 216 of the
Fair and Accurate Credit Transactions
Act of 2003 by amending the
Interagency Guidelines Establishing
Standards for Safeguarding Customer
Information. The final rule generally
requires each financial institution to
develop, implement, and maintain, as
part of its existing information security
program, appropriate measures to
properly dispose of consumer
information derived from consumer
reports to address the risks associated
with identity theft.
EFFECTIVE DATE: July 1, 2005.
FOR FURTHER INFORMATION CONTACT:
OCC: Aida Plaza Carter, Director, Bank
Information Technology, (202) 874–
4740; Amy Friend, Assistant Chief
Counsel, (202) 874–5200; or Deborah
Katz, Senior Counsel, Legislative and
Regulatory Activities Division, (202)
874–5090.
Board: Donna L. Parker, Supervisory
Financial Analyst, Division of
Supervision & Regulation, (202) 452–
2614; Joshua H. Kaplan, Attorney, Legal
Division, (202) 452–2249; Minh-Duc T.
Le or Ky Tran-Trong, Senior Attorneys,
Division of Consumer and Community
Affairs, (202) 452–3667.
FDIC: Jeffrey M. Kopchik, Senior
Policy Analyst, Division of Supervision
and Consumer Protection, (202) 898–
3872; Kathryn M. Weatherby,
Examination Specialist, Division of
Supervision and Consumer Protection,
(202) 898–6793; Robert A. Patrick,
Counsel, Legal Division, (202) 898–
3757; Janet V. Norcom, Counsel, Legal
Division, (202) 898–8886.
OTS: Glenn Gimble, Senior Project
Manager, Thrift Policy, (202) 906–7158;
Lewis C. Angel, Senior Project Manager,
Technology Risk Management, (202)
906–5645; Richard Bennett, Counsel
(Banking and Finance), Regulations and
Legislation Division, (202) 906–7409.
SUPPLEMENTARY INFORMATION:
I. Introduction
Section 216 of the Fair and Accurate
Credit Transactions Act of 2003 (FACT
Act or the Act) adds a new section 628
to the Fair Credit Reporting Act (FCRA),
at 15 U.S.C. 1681w, that, in general, is
designed to protect a consumer against
the risks associated with unauthorized
access to information about the
consumer contained in a consumer
report, such as fraud and related crimes
including identity theft. Section 216 of
the Act requires each of the Agencies to
adopt a regulation with respect to the
entities that are subject to its
enforcement authority ‘‘requiring any
person that maintains or otherwise
possesses consumer information, or any
compilation of consumer information,
derived from consumer reports for a
business purpose to properly dispose of
any such information or compilation.’’
Pub. L. 108–159, 117 Stat. 1985–86. The
FACT Act mandates that the Agencies
ensure that their respective regulations
are consistent with the requirements
issued pursuant to the Gramm-Leach-
Bliley Act (GLB Act) (Pub. L. 106–102),
as well as other provisions of Federal
law.
On June 8, 2004, the Agencies
published a proposal to amend the
Interagency Guidelines Establishing
Standards for Safeguarding Customer
Information (Guidelines) to require
financial institutions to implement
controls designed to ensure the proper
disposal of ‘‘consumer information’’
within the meaning of section 216.1 A
VerDate jul<14>2003 17:38 Dec 27, 2004 Jkt 205001 PO 00000 Frm 00002 Fmt 4700 Sfmt 4700 E:\FR\FM\28DER1.SGM 28DER1
77611Federal Register / Vol. 69, No. 248 / Tuesday, December 28, 2004 / Rules and Regulations
D–2 and 225, app. F (Board); 364, app. B (FDIC);
570, app. B (OTS). Citations to the Guidelines omit
references to titles and publications and give only
the appropriate paragraph or section number.
2 Individual consumers and organizations
representing consumers submitted comments on the
proposed rule issued by the Federal Trade
Commission (FTC), which was substantively similar
to the Agencies’ proposal. 69 FR 21388 (April 20,
2004); see http://www.ftc.gov/os/comments/
disposal/index.htm. The Agencies have reviewed
these and other comments submitted to the FTC in
connection with this final rule.
3 66 FR 8616 (Feb. 1, 2001).
4 Guidelines, II.B.
5 See generally, III.B. and III.C.
6 See 66 FR 8618. (‘‘Under the final Guidelines,
a financial institution’s responsibility to safeguard
customer information continues through the
disposal process.’’)
7 The Agencies are renaming the ‘‘Interagency
Guidelines Establishing Standards for Safeguarding
Customer Information’’ to read ‘‘Interagency
Guidelines Establishing Standards for Information
Security’’ to make clear that the Guidelines
encompass the disposal of consumer information.
total of 68 comments on the proposal
were submitted to the Agencies, some of
which were submitted to more than one
of the Agencies. Most of these
comments were submitted by financial
institutions and associations that
represent them. A few comments were
submitted by trade associations from the
information destruction industry.2
In general, commenters expressed
support for the Agencies’ proposal
because the new requirements would
allow financial institutions sufficient
latitude to adopt controls that suit their
particular circumstances. Commenters
offered revisions to several aspects of
the proposal, notably the definitions
and compliance deadlines, and the
Agencies have considered each of these
suggestions.
The Agencies also proposed to amend
their respective regulations that
implement the FCRA by adding a new
provision setting forth the duties of
users of consumer reports regarding
identity theft. The proposed provision
would require a financial institution to
properly dispose of consumer
information in accordance with the
standards set forth in the Guidelines.
The Agencies also proposed to amend
their respective FCRA regulations by
incorporating a rule of construction,
which generally provides that the duty
to properly dispose of consumer
information shall not be construed to
require a financial institution to
maintain or destroy any record
pertaining to a consumer that is not
imposed under any other law or alter
any requirement under any other law to
maintain or destroy such a record. This
rule of construction closely tracks
section 628(b) of the FCRA, as added by
section 216 of the FACT Act. In general,
commenters supported the Agencies’
proposal to amend their FCRA
regulations and, in particular, urged the
Agencies to retain the rule of
construction in the final rule.
In accordance with section 216 of the
Act, the Agencies have consulted with
the FTC, the National Credit Union
Administration, and the Securities and
Exchange Commission to ensure that, to
the extent possible, the rules adopted by
the respective agencies are consistent
and comparable.
II. Background
On February 1, 2001, the Agencies
issued the Guidelines pursuant to
sections 501 and 505 of the GLB Act (15
U.S.C. 6801 and 6805).3 The Guidelines
establish standards relating to the
development and implementation of
administrative, technical, and physical
safeguards to protect the security,
confidentiality, and integrity of
customer information. The Guidelines
apply to the financial institutions
subject to the Agencies’ respective
jurisdictions. As mandated by section
501(b) of the GLB Act, the Guidelines
require each financial institution to
develop a written information security
program that is designed to: (1) Ensure
the security and confidentiality of
customer information; (2) protect
against any anticipated threats or
hazards to the security or integrity of
such information; and (3) protect against
unauthorized access to or use of such
information that could result in
substantial harm or inconvenience to
any customer.4 The Guidelines direct
financial institutions to assess the risks
to their customer information and
customer information systems and, in
turn, implement appropriate security
measures to control those risks.5 For
example, under the risk-assessment
framework currently imposed by the
Guidelines, each financial institution
must evaluate whether the controls the
institution has developed sufficiently
protect its customer information from
unauthorized access, misuse, or
alteration when the institution disposes
of the information.6
III. Proper Disposal of Consumer
Information and Customer Information
To implement section 216 of the
FACT Act, the Agencies are adopting
amendments to the Guidelines 7 that
require each financial institution to
develop and maintain, as part of its
information security program,
appropriate controls designed to ensure
that the institution properly disposes of
‘‘consumer information.’’ The
amendments to the Guidelines generally
require a financial institution to
properly dispose of ‘‘consumer
information’’ derived from a consumer
report in a manner consistent with a
financial institution’s existing
obligations under the Guidelines to
properly dispose of customer
information. Although the Guidelines
currently address an institution’s
obligations to properly dispose of
customer information, the amendments
now state this obligation more directly
and combine it with the new
requirement to properly dispose of
consumer information.
The Agencies have incorporated this
new requirement into the Guidelines by:
(1) Adding a definition of ‘‘consumer
information,’’ including illustrations of
the information covered by the new
term; (2) adding an objective (in
paragraph II) regarding the proper
disposal of customer information and
consumer information; and (3) adding a
provision (in paragraph III) that requires
a financial institution to implement
appropriate measures to properly
dispose of customer information and
consumer information in accordance
with each of the requirements in
paragraph III.
The final rule requires each financial
institution to implement the appropriate
measures to properly dispose of
‘‘consumer information’’ by July 1,
2005. The Agencies believe that any
changes to an institution’s existing
information security program likely will
be minimal because many of the
measures that an institution already
uses to dispose of ‘‘customer
information’’ can be adapted to properly
dispose of ‘‘consumer information.’’
Nevertheless, a few of the comments
noted that the proposed period for
compliance would be relatively short in
light of the work required to locate and
track all ‘‘consumer information’’ in a
financial institution’s existing
information systems. Accordingly, the
Agencies have determined that financial
institutions should be afforded a six-
month period to adjust their systems
and controls.
A discussion of each proposed
amendment to the Guidelines and the
addition of cross-references to the
Guidelines in the Agencies’ FCRA
regulations follows.
Consumer Information
The proposal defined ‘‘consumer
information’’ to mean ‘‘any record about
an individual, whether in paper,
electronic, or other form, that is a
consumer report or is derived from a
consumer report and that is maintained
or otherwise possessed by or on behalf
of the [institution] for a business
VerDate jul<14>2003 17:38 Dec 27, 2004 Jkt 205001 PO 00000 Frm 00003 Fmt 4700 Sfmt 4700 E:\FR\FM\28DER1.SGM 28DER1
D–2 and 225, app. F (Board); 364, app. B (FDIC);
570, app. B (OTS). Citations to the Guidelines omit
references to titles and publications and give only
the appropriate paragraph or section number.
2 Individual consumers and organizations
representing consumers submitted comments on the
proposed rule issued by the Federal Trade
Commission (FTC), which was substantively similar
to the Agencies’ proposal. 69 FR 21388 (April 20,
2004); see http://www.ftc.gov/os/comments/
disposal/index.htm. The Agencies have reviewed
these and other comments submitted to the FTC in
connection with this final rule.
3 66 FR 8616 (Feb. 1, 2001).
4 Guidelines, II.B.
5 See generally, III.B. and III.C.
6 See 66 FR 8618. (‘‘Under the final Guidelines,
a financial institution’s responsibility to safeguard
customer information continues through the
disposal process.’’)
7 The Agencies are renaming the ‘‘Interagency
Guidelines Establishing Standards for Safeguarding
Customer Information’’ to read ‘‘Interagency
Guidelines Establishing Standards for Information
Security’’ to make clear that the Guidelines
encompass the disposal of consumer information.
total of 68 comments on the proposal
were submitted to the Agencies, some of
which were submitted to more than one
of the Agencies. Most of these
comments were submitted by financial
institutions and associations that
represent them. A few comments were
submitted by trade associations from the
information destruction industry.2
In general, commenters expressed
support for the Agencies’ proposal
because the new requirements would
allow financial institutions sufficient
latitude to adopt controls that suit their
particular circumstances. Commenters
offered revisions to several aspects of
the proposal, notably the definitions
and compliance deadlines, and the
Agencies have considered each of these
suggestions.
The Agencies also proposed to amend
their respective regulations that
implement the FCRA by adding a new
provision setting forth the duties of
users of consumer reports regarding
identity theft. The proposed provision
would require a financial institution to
properly dispose of consumer
information in accordance with the
standards set forth in the Guidelines.
The Agencies also proposed to amend
their respective FCRA regulations by
incorporating a rule of construction,
which generally provides that the duty
to properly dispose of consumer
information shall not be construed to
require a financial institution to
maintain or destroy any record
pertaining to a consumer that is not
imposed under any other law or alter
any requirement under any other law to
maintain or destroy such a record. This
rule of construction closely tracks
section 628(b) of the FCRA, as added by
section 216 of the FACT Act. In general,
commenters supported the Agencies’
proposal to amend their FCRA
regulations and, in particular, urged the
Agencies to retain the rule of
construction in the final rule.
In accordance with section 216 of the
Act, the Agencies have consulted with
the FTC, the National Credit Union
Administration, and the Securities and
Exchange Commission to ensure that, to
the extent possible, the rules adopted by
the respective agencies are consistent
and comparable.
II. Background
On February 1, 2001, the Agencies
issued the Guidelines pursuant to
sections 501 and 505 of the GLB Act (15
U.S.C. 6801 and 6805).3 The Guidelines
establish standards relating to the
development and implementation of
administrative, technical, and physical
safeguards to protect the security,
confidentiality, and integrity of
customer information. The Guidelines
apply to the financial institutions
subject to the Agencies’ respective
jurisdictions. As mandated by section
501(b) of the GLB Act, the Guidelines
require each financial institution to
develop a written information security
program that is designed to: (1) Ensure
the security and confidentiality of
customer information; (2) protect
against any anticipated threats or
hazards to the security or integrity of
such information; and (3) protect against
unauthorized access to or use of such
information that could result in
substantial harm or inconvenience to
any customer.4 The Guidelines direct
financial institutions to assess the risks
to their customer information and
customer information systems and, in
turn, implement appropriate security
measures to control those risks.5 For
example, under the risk-assessment
framework currently imposed by the
Guidelines, each financial institution
must evaluate whether the controls the
institution has developed sufficiently
protect its customer information from
unauthorized access, misuse, or
alteration when the institution disposes
of the information.6
III. Proper Disposal of Consumer
Information and Customer Information
To implement section 216 of the
FACT Act, the Agencies are adopting
amendments to the Guidelines 7 that
require each financial institution to
develop and maintain, as part of its
information security program,
appropriate controls designed to ensure
that the institution properly disposes of
‘‘consumer information.’’ The
amendments to the Guidelines generally
require a financial institution to
properly dispose of ‘‘consumer
information’’ derived from a consumer
report in a manner consistent with a
financial institution’s existing
obligations under the Guidelines to
properly dispose of customer
information. Although the Guidelines
currently address an institution’s
obligations to properly dispose of
customer information, the amendments
now state this obligation more directly
and combine it with the new
requirement to properly dispose of
consumer information.
The Agencies have incorporated this
new requirement into the Guidelines by:
(1) Adding a definition of ‘‘consumer
information,’’ including illustrations of
the information covered by the new
term; (2) adding an objective (in
paragraph II) regarding the proper
disposal of customer information and
consumer information; and (3) adding a
provision (in paragraph III) that requires
a financial institution to implement
appropriate measures to properly
dispose of customer information and
consumer information in accordance
with each of the requirements in
paragraph III.
The final rule requires each financial
institution to implement the appropriate
measures to properly dispose of
‘‘consumer information’’ by July 1,
2005. The Agencies believe that any
changes to an institution’s existing
information security program likely will
be minimal because many of the
measures that an institution already
uses to dispose of ‘‘customer
information’’ can be adapted to properly
dispose of ‘‘consumer information.’’
Nevertheless, a few of the comments
noted that the proposed period for
compliance would be relatively short in
light of the work required to locate and
track all ‘‘consumer information’’ in a
financial institution’s existing
information systems. Accordingly, the
Agencies have determined that financial
institutions should be afforded a six-
month period to adjust their systems
and controls.
A discussion of each proposed
amendment to the Guidelines and the
addition of cross-references to the
Guidelines in the Agencies’ FCRA
regulations follows.
Consumer Information
The proposal defined ‘‘consumer
information’’ to mean ‘‘any record about
an individual, whether in paper,
electronic, or other form, that is a
consumer report or is derived from a
consumer report and that is maintained
or otherwise possessed by or on behalf
of the [institution] for a business
VerDate jul<14>2003 17:38 Dec 27, 2004 Jkt 205001 PO 00000 Frm 00003 Fmt 4700 Sfmt 4700 E:\FR\FM\28DER1.SGM 28DER1