Thursday,
February 1, 2001
Part II
Department of the
Treasury
Office of the Comptroller of the
Currency
Office of Thrift Supervision
Federal Reserve System
Federal Deposit
Insurance Corporation
12 CFR Part 30, et al.
Interagency Guidelines Establishing
Standards for Safeguarding Customer
Information and Rescission of Year 2000
Standards for Safety and Soundness; Final
Rule
8616 Federal Register / Vol. 66, No. 22 / Thursday, February 1, 2001 / Rules and Regulations
1 Section 39 applies only to insured depository
institutions, including insured branches of foreign
banks. The Guidelines, however, will also apply to
certain uninsured institutions, such as bank holding
companies, certain nonbank subsidiaries of bank
holding companies and insured depository
institutions, and uninsured branches and agencies
of foreign banks. See sections 501 and 505(b) of the
G–L–B Act.
2 OTS has placed its information security
guidelines in appendix B to 12 CFR part 570, with
the provisions implementing section 39 of the FDI
Act. At the same time, OTS has adopted a
regulatory requirement that the institutions OTS
regulates comply with the proposed Guidelines.
Because information security guidelines are similar
to physical security procedures, OTS has included
a provision in 12 CFR part 568, which covers
primarily physical security procedures, requiring
DEPARTMENT OF THE TREASURY
Office of the Comptroller of the
Currency
12 CFR Part 30
[Docket No. 00–35]
RIN 1557–AB84
FEDERAL RESERVE SYSTEM
12 CFR Parts 208, 211, 225, and 263
[Docket No. R–1073]
FEDERAL DEPOSIT INSURANCE
CORPORATION
12 CFR Parts 308 and 364
RIN 3064–AC39
DEPARTMENT OF THE TREASURY
Office of Thrift Supervision
12 CFR Parts 568 and 570
[Docket No. 2000–112]
RIN 1550–AB36
Interagency Guidelines Establishing
Standards for Safeguarding Customer
Information and Rescission of Year
2000 Standards for Safety and
Soundness
AGENCIES: The Office of the Comptroller
of the Currency (OCC), Treasury; Board
of Governors of the Federal Reserve
System (Board); Federal Deposit
Insurance Corporation (FDIC); and
Office of Thrift Supervision (OTS),
Treasury.
ACTION: Joint final rule.
SUMMARY: The Office of the Comptroller
of the Currency, Board of Governors of
the Federal Reserve System, Federal
Deposit Insurance Corporation, and
Office of Thrift Supervision
(collectively, the Agencies) are
publishing final Guidelines establishing
standards for safeguarding customer
information that implement sections
501 and 505(b) of the Gramm-Leach-Bliley
Act (the G–L–B Act or Act).
Section 501 of the G–L–B Act requires
the Agencies to establish appropriate
standards for the financial institutions
subject to their respective jurisdictions
relating to administrative, technical, and
physical safeguards for customer
records and information. As described
in the Act, these safeguards are to:
insure the security and confidentiality
of customer records and information;
protect against any anticipated threats
or hazards to the security or integrity of
such records; and protect against
unauthorized access to or use of such
records or information that could result
in substantial harm or inconvenience to
any customer. The Agencies are to
implement these standards in the same
manner, to the extent practicable, as
standards prescribed pursuant to section
39(a) of the Federal Deposit Insurance
Act (FDI Act). These final Guidelines
implement the requirements described
above.
The Agencies previously issued
guidelines establishing Year 2000 safety
and soundness standards for insured
depository institutions pursuant to
section 39 of the FDI Act. Since the
events for which these guidelines were
issued have passed, the Agencies have
concluded that the guidelines are no
longer necessary and are rescinding
these guidelines.
EFFECTIVE DATE: The joint final rule is
effective July 1, 2001.
Applicability date: The Year 2000
Standards for Safety and Soundness are
no longer applicable as of March 5,
2001.
FOR FURTHER INFORMATION CONTACT:
OCC
John Carlson, Deputy Director for
Bank Technology, (202) 874–5013; or
Deborah Katz, Senior Attorney,
Legislative and Regulatory Activities
Division, (202) 874–5090.
Board
Heidi Richards, Assistant Director,
Division of Banking Supervision and
Regulation, (202) 452–2598; Stephanie
Martin, Managing Senior Counsel, Legal
Division, (202) 452–3198; or Thomas E.
Scanlon, Senior Attorney, Legal
Division, (202) 452–3594. For the
hearing impaired only, contact Janice
Simms, Telecommunication Device for
the Deaf (TDD) (202) 452–3544, Board of
Governors of the Federal Reserve
System, 20th and C Streets, NW,
Washington, DC 20551.
FDIC
Thomas J. Tuzinski, Review
Examiner, Division of Supervision,
(202) 898–6748; Jeffrey M. Kopchik,
Senior Policy Analyst, Division of
Supervision, (202) 898–3872; or Robert
A. Patrick, Counsel, Legal Division,
(202) 898–3757.
OTS
Jennifer Dickerson, Manager,
Information Technology, Examination
Policy, (202) 906–5631; or Christine
Harrington, Counsel, Banking and
Finance, Regulations and Legislation
Division, (202) 906–7957.
SUPPLEMENTARY INFORMATION: The
contents of this preamble are listed in
the following outline:
I. Background
II. Overview of Comments Received
III. Section-by-Section Analysis
IV. Regulatory Analysis
A. Paperwork Reduction Act
B. Regulatory Flexibility Act
C. Executive Order 12866
D. Unfunded Mandates Act of 1995
I. Background
On November 12, 1999, President
Clinton signed the G–L–B Act (Pub. L.
106–102) into law. Section 501, titled
“Protection of Nonpublic Personal
Information”, requires the Agencies, the
National Credit Union Administration,
the Securities and Exchange
Commission, and the Federal Trade
Commission to establish appropriate
standards for the financial institutions
subject to their respective jurisdictions
relating to the administrative, technical,
and physical safeguards for customer
records and information. As stated in
section 501, these safeguards are to: (1)
Insure the security and confidentiality
of customer records and information; (2)
protect against any anticipated threats
or hazards to the security or integrity of
such records; and (3) protect against
unauthorized access to or use of such
records or information that would result
in substantial harm or inconvenience to
any customer.
Section 505(b) of the G–L–B Act
provides that these standards are to be
implemented by the Agencies in the
same manner, to the extent practicable,
as standards prescribed pursuant to
section 39(a) of the FDI Act.1 Section
39(a) of the FDI Act authorizes the
Agencies to establish operational and
managerial standards for insured
depository institutions relative to,
among other things, internal controls,
information systems, and internal audit
systems, as well as such other
operational and managerial standards as
the Agencies determine to be
appropriate.2