13839Federal Register / Vol. 83, No. 63 / Monday, April 2, 2018 / Rules and Regulations
1 Dodd-Frank Wall Street Reform and Consumer
Protection Act, Public Law 111–203, 124 Stat. 1376
(2010) (codified at 12 U.S.C. 5301 et seq.). 2 80 FR 65907 (Oct. 28, 2015).
(b) * * *
(1) For violations that occurred on or
before November 2, 2015, $10,000 per
violation, up to a total of $50,000 per
civil penalty action, in the case of an
individual or small business concern, as
defined in section 3 of the Small
Business Act (15 U.S.C. 632). For
violations that occurred after November
2, 2015 $11,410 per violation, up to a
total of $57,051 per civil penalty action,
in the case of an individual or small
business concern; and
(2) For violations that occurred on or
before November 2, 2015, $10,000 per
violation, up to a total of $400,000 per
civil penalty action, in the case of any
other person. For violations that
occurred after November 2, 2015,
$11,410 per violation, up to a total of
$456,409 per civil penalty action, in the
case of any other person.
(c) * * *
(1) For violations that occurred on or
before November 2, 2015, $10,000 per
violation, up to a total of $50,000 per
civil penalty action, in the case of an
individual or small business concern, as
defined in section 3 of the Small
Business Act (15 U.S.C. 632). For
violations that occurred after November
2, 2015, $13,333 per violation, up to a
total of $66,666 per civil penalty action,
in the case of an individual (except an
airman serving as an airman), or a small
business concern.
(2) For violations that occurred on or
before November 2, 2015, $10,000 per
violation, up to a total of $400,000 per
civil penalty action, in the case of any
other person (except an airman serving
as an airman) not operating an aircraft
for the transportation of passengers or
property for compensation. For
violations that occurred after November
2, 2015, $13,333 per violation, up to a
total of $533,324 per civil penalty
action, in the case of any other person
(except an airman serving as an airman)
not operating an aircraft for the
transportation of passengers or property
for compensation.
(3) For violations that occurred on or
before November 2, 2015, $25,000 per
violation, up to a total of $400,000 per
civil penalty action, in the case of a
person operating an aircraft for the
transportation of passengers or property
for compensation (except an individual
serving as an airman). For violations
that occurred after November 2, 2015,
$33,333 per violation, up to a total of
$533,324 per civil penalty action, in the
case of a person (except an individual
serving as an airman) operating an
aircraft for the transportation of
passengers or property for
compensation.
Dated: March 26, 2018.
Kirstjen M. Nielsen,
Secretary.
[FR Doc. 2018–06486 Filed 3–30–18; 8:45 am]
BILLING CODE 9110–9P–P, 9111–14–P; 9111–28–P,
9110–04–P, 9110–05–P
FEDERAL DEPOSIT INSURANCE
CORPORATION
12 CFR Parts 326 and 391
RIN 3064–AE47
Removal of Transferred OTS
Regulations Regarding Minimum
Security Procedures Amendments to
FDIC Regulations
AGENCY: Federal Deposit Insurance
Corporation.
ACTION: Final rule.
SUMMARY: The Federal Deposit
Insurance Corporation (‘‘FDIC’’) is
adopting a final rule to rescind and
remove a part from the Code of Federal
Regulations entitled ‘‘Security
Procedures’’ and to amend FDIC
regulations to make the removed Office
of Thrift Supervision (‘‘OTS’’)
regulations applicable to State savings
associations.
DATES: The final rule is effective on May
2, 2018.
FOR FURTHER INFORMATION CONTACT:
Lauren Whitaker, Senior Attorney,
Consumer Compliance Section, Legal
Division (202) 898–3872; Karen Jones
Currie, Senior Examination Specialist,
Division of Risk Management and
Supervision (202) 898–3981.
SUPPLEMENTARY INFORMATION: Part 391,
subpart A, was included in the
regulations that were transferred to the
FDIC from the Office of Thrift
Supervision (‘‘OTS’’) on July 21, 2011,
in connection with the implementation
of applicable provisions of title III of the
Dodd-Frank Wall Street Reform and
Consumer Protection Act (‘‘Dodd-Frank
Act’’).1 With the exception of one
provision (§ 391.5) the requirements for
State savings associations in part 391,
subpart A, are substantively identical to
the requirements in the FDIC’s 12 CFR
part 326 (‘‘part 326’’), which is entitled
‘‘Minimum Security Procedures.’’ The
one exception directs savings
associations to comply with appendix B
to subpart B of Interagency Guidelines
Establishing Information Security
Standards (Interagency Guidelines)
contained in FDIC rules at part 364,
appendix B. The FDIC previously
revised part 364 to make the Interagency
Guidelines applicable to both State
nonmember banks and State savings
associations.2
The FDIC is adopting a final rule
(‘‘Final Rule’’) to rescind in its entirety
part 391, subpart A and to modify the
scope of part 326 to include State
savings associations to conform to and
reflect the scope of the FDIC’s current
supervisory responsibilities as the
appropriate Federal banking agency.
The FDIC is also adding definitions of
‘‘FDIC-supervised insured depository
institution or institution’’ and ‘‘State
savings association.’’ Upon removal of
part 391, subpart A, the Security
Procedures, regulations applicable for
all insured depository institutions for
which the FDIC has been designated the
appropriate Federal banking agency will
be found at 12 CFR part 326.
I. Background
The Dodd-Frank Act
The Dodd-Frank Act provided for a
substantial reorganization of the
regulation of State and Federal savings
associations and their holding
companies. Beginning July 21, 2011, the
transfer date established by section 311
of the Dodd-Frank Act, codified at 12
U.S.C. 5411, the powers, duties, and
functions formerly performed by the
OTS were divided among the FDIC, as
to State savings associations, the Office
of the Comptroller of the Currency
(‘‘OCC’’), as to Federal savings
associations, and the Board of
Governors of the Federal Reserve
System (‘‘FRB’’), as to savings and loan
holding companies. Section 316(b) of
the Dodd-Frank Act, codified at 12
U.S.C. 5414(b), provides the manner of
treatment for all orders, resolutions,
determinations, regulations, and
advisory materials that had been issued,
made, prescribed, or allowed to become
effective by the OTS. This section
provides that if such materials were in
effect on the day before the transfer
date, they continue to be in effect and
are enforceable by or against the
appropriate successor agency until they
are modified, terminated, set aside, or
superseded in accordance with
applicable law by such successor
agency, by any court of competent
jurisdiction, or by operation of law.
Section 316(c) of the Dodd-Frank Act,
codified at 12 U.S.C. 5414(c), further
directed the FDIC and the OCC to
consult with one another and to publish
a list of the continued OTS regulations
that would be enforced by the FDIC and
VerDate Sep<11>2014 16:23 Mar 30, 2018 Jkt 244001 PO 00000 Frm 00023 Fmt 4700 Sfmt 4700 E:\FR\FM\02APR1.SGM 02APR1
daltland on DSKBBV9HB2PROD with RULES
1 Dodd-Frank Wall Street Reform and Consumer
Protection Act, Public Law 111–203, 124 Stat. 1376
(2010) (codified at 12 U.S.C. 5301 et seq.). 2 80 FR 65907 (Oct. 28, 2015).
(b) * * *
(1) For violations that occurred on or
before November 2, 2015, $10,000 per
violation, up to a total of $50,000 per
civil penalty action, in the case of an
individual or small business concern, as
defined in section 3 of the Small
Business Act (15 U.S.C. 632). For
violations that occurred after November
2, 2015 $11,410 per violation, up to a
total of $57,051 per civil penalty action,
in the case of an individual or small
business concern; and
(2) For violations that occurred on or
before November 2, 2015, $10,000 per
violation, up to a total of $400,000 per
civil penalty action, in the case of any
other person. For violations that
occurred after November 2, 2015,
$11,410 per violation, up to a total of
$456,409 per civil penalty action, in the
case of any other person.
(c) * * *
(1) For violations that occurred on or
before November 2, 2015, $10,000 per
violation, up to a total of $50,000 per
civil penalty action, in the case of an
individual or small business concern, as
defined in section 3 of the Small
Business Act (15 U.S.C. 632). For
violations that occurred after November
2, 2015, $13,333 per violation, up to a
total of $66,666 per civil penalty action,
in the case of an individual (except an
airman serving as an airman), or a small
business concern.
(2) For violations that occurred on or
before November 2, 2015, $10,000 per
violation, up to a total of $400,000 per
civil penalty action, in the case of any
other person (except an airman serving
as an airman) not operating an aircraft
for the transportation of passengers or
property for compensation. For
violations that occurred after November
2, 2015, $13,333 per violation, up to a
total of $533,324 per civil penalty
action, in the case of any other person
(except an airman serving as an airman)
not operating an aircraft for the
transportation of passengers or property
for compensation.
(3) For violations that occurred on or
before November 2, 2015, $25,000 per
violation, up to a total of $400,000 per
civil penalty action, in the case of a
person operating an aircraft for the
transportation of passengers or property
for compensation (except an individual
serving as an airman). For violations
that occurred after November 2, 2015,
$33,333 per violation, up to a total of
$533,324 per civil penalty action, in the
case of a person (except an individual
serving as an airman) operating an
aircraft for the transportation of
passengers or property for
compensation.
Dated: March 26, 2018.
Kirstjen M. Nielsen,
Secretary.
[FR Doc. 2018–06486 Filed 3–30–18; 8:45 am]
BILLING CODE 9110–9P–P, 9111–14–P; 9111–28–P,
9110–04–P, 9110–05–P
FEDERAL DEPOSIT INSURANCE
CORPORATION
12 CFR Parts 326 and 391
RIN 3064–AE47
Removal of Transferred OTS
Regulations Regarding Minimum
Security Procedures Amendments to
FDIC Regulations
AGENCY: Federal Deposit Insurance
Corporation.
ACTION: Final rule.
SUMMARY: The Federal Deposit
Insurance Corporation (‘‘FDIC’’) is
adopting a final rule to rescind and
remove a part from the Code of Federal
Regulations entitled ‘‘Security
Procedures’’ and to amend FDIC
regulations to make the removed Office
of Thrift Supervision (‘‘OTS’’)
regulations applicable to State savings
associations.
DATES: The final rule is effective on May
2, 2018.
FOR FURTHER INFORMATION CONTACT:
Lauren Whitaker, Senior Attorney,
Consumer Compliance Section, Legal
Division (202) 898–3872; Karen Jones
Currie, Senior Examination Specialist,
Division of Risk Management and
Supervision (202) 898–3981.
SUPPLEMENTARY INFORMATION: Part 391,
subpart A, was included in the
regulations that were transferred to the
FDIC from the Office of Thrift
Supervision (‘‘OTS’’) on July 21, 2011,
in connection with the implementation
of applicable provisions of title III of the
Dodd-Frank Wall Street Reform and
Consumer Protection Act (‘‘Dodd-Frank
Act’’).1 With the exception of one
provision (§ 391.5) the requirements for
State savings associations in part 391,
subpart A, are substantively identical to
the requirements in the FDIC’s 12 CFR
part 326 (‘‘part 326’’), which is entitled
‘‘Minimum Security Procedures.’’ The
one exception directs savings
associations to comply with appendix B
to subpart B of Interagency Guidelines
Establishing Information Security
Standards (Interagency Guidelines)
contained in FDIC rules at part 364,
appendix B. The FDIC previously
revised part 364 to make the Interagency
Guidelines applicable to both State
nonmember banks and State savings
associations.2
The FDIC is adopting a final rule
(‘‘Final Rule’’) to rescind in its entirety
part 391, subpart A and to modify the
scope of part 326 to include State
savings associations to conform to and
reflect the scope of the FDIC’s current
supervisory responsibilities as the
appropriate Federal banking agency.
The FDIC is also adding definitions of
‘‘FDIC-supervised insured depository
institution or institution’’ and ‘‘State
savings association.’’ Upon removal of
part 391, subpart A, the Security
Procedures, regulations applicable for
all insured depository institutions for
which the FDIC has been designated the
appropriate Federal banking agency will
be found at 12 CFR part 326.
I. Background
The Dodd-Frank Act
The Dodd-Frank Act provided for a
substantial reorganization of the
regulation of State and Federal savings
associations and their holding
companies. Beginning July 21, 2011, the
transfer date established by section 311
of the Dodd-Frank Act, codified at 12
U.S.C. 5411, the powers, duties, and
functions formerly performed by the
OTS were divided among the FDIC, as
to State savings associations, the Office
of the Comptroller of the Currency
(‘‘OCC’’), as to Federal savings
associations, and the Board of
Governors of the Federal Reserve
System (‘‘FRB’’), as to savings and loan
holding companies. Section 316(b) of
the Dodd-Frank Act, codified at 12
U.S.C. 5414(b), provides the manner of
treatment for all orders, resolutions,
determinations, regulations, and
advisory materials that had been issued,
made, prescribed, or allowed to become
effective by the OTS. This section
provides that if such materials were in
effect on the day before the transfer
date, they continue to be in effect and
are enforceable by or against the
appropriate successor agency until they
are modified, terminated, set aside, or
superseded in accordance with
applicable law by such successor
agency, by any court of competent
jurisdiction, or by operation of law.
Section 316(c) of the Dodd-Frank Act,
codified at 12 U.S.C. 5414(c), further
directed the FDIC and the OCC to
consult with one another and to publish
a list of the continued OTS regulations
that would be enforced by the FDIC and
VerDate Sep<11>2014 16:23 Mar 30, 2018 Jkt 244001 PO 00000 Frm 00023 Fmt 4700 Sfmt 4700 E:\FR\FM\02APR1.SGM 02APR1
daltland on DSKBBV9HB2PROD with RULES
13840 Federal Register / Vol. 83, No. 63 / Monday, April 2, 2018 / Rules and Regulations
3 76 FR 39247 (July 6, 2011).
4 76 FR 47652 (Aug. 5, 2011).
5 12 U.S.C. 1882.
6 34 FR 618 (January 16, 1969); 34 FR 621
(January 16, 1969).
7 56 FR 29565 (June 28, 1991); 56 FR 13579 (April
3, 1991).
8 66 FR 8616 (Feb. 1, 2001).
9 Id. at footnote 2.
10 80 FR 65903 (Oct. 28, 2015).
the OCC, respectively. On June 14, 2011,
the FDIC’s Board of Directors approved
a ‘‘List of OTS Regulations to be
Enforced by the OCC and the FDIC
Pursuant to the Dodd-Frank Wall Street
Reform and Consumer Protection Act.’’
This list was published by the FDIC and
the OCC as a Joint Notice in the Federal
Register on July 6, 2011.3
Although section 312(b)(2)(B)(i)(II) of
the Dodd-Frank Act, codified at 12
U.S.C. 5412(b)(2)(B)(i)(II), granted the
OCC rulemaking authority relating to
both State and Federal savings
associations, nothing in the Dodd-Frank
Act affected the FDIC’s existing
authority to issue regulations under the
FDI Act and other laws as the
‘‘appropriate Federal banking agency’’
or under similar statutory terminology.
Section 312(c) of the Dodd-Frank Act
amended the definition of ‘‘appropriate
Federal banking agency’’ contained in
section 3(q) of the FDI Act, 12 U.S.C.
1813(q), to add State savings
associations to the list of entities for
which the FDIC is designated as the
‘‘appropriate Federal banking agency.’’
As a result, when the FDIC acts as the
designated ‘‘appropriate Federal
banking agency’’ (or under similar
terminology) for State savings
associations, as it does here, the FDIC is
authorized to issue, modify, and rescind
regulations involving such associations,
as well as for State nonmember banks
and insured branches of foreign banks.
As noted, on June 14, 2011, pursuant
to this authority, the FDIC’s Board of
Directors reissued and redesignated
certain transferring regulations of the
former OTS. These transferred OTS
regulations were published as new FDIC
regulations in the Federal Register on
August 5, 2011.4 When it republished
the transferred OTS regulations as new
FDIC regulations, the FDIC specifically
noted that its staff would evaluate the
transferred OTS rules, and might later
recommend incorporating the
transferred OTS regulations into other
FDIC rules, amending them, or
rescinding them as appropriate.
One of the OTS rules transferred to
the FDIC governed OTS oversight of
minimum security devices and
procedures for State savings
associations. The OTS rule, formerly
found at 12 CFR part 568, was
transferred to the FDIC with only
nominal changes, and is now found in
the FDIC’s rules at part 391, subpart A,
entitled ‘‘Security Procedures.’’ Before
the transfer of the OTS rules and
continuing today, the FDIC’s rules
contained part 326, subpart A, entitled
‘‘Minimum Security Procedures,’’ a rule
governing FDIC oversight of security
devices and procedures to discourage
burglaries, robberies, and larcenies, and
assist law enforcement in the
identification and apprehension of those
who commit such crimes with respect to
insured depository institutions for
which the FDIC has been designated the
appropriate Federal banking agency.
One provision in part 391, subpart A,
namely § 391.5, is not contained in part
326, subpart A. It directs savings
associations and certain subsidiaries to
comply with the Interagency Guidelines
Establishing Information Security
Standards, which were adopted jointly
by the OTS and the FDIC and other
banking agencies, and are contained in
appendix B to part 364 in FDIC
regulations.
After careful review and comparison
of part 391, subpart A, and part 326, the
FDIC is adopting a Final Rule to rescind
part 391, subpart A, because, as
discussed below, it is substantively
redundant to existing part 326, and
simultaneously finalizes the technical
conforming edits to the FDIC’s existing
rule.
FDIC’s Existing 12 CFR Part 326 and
Former OTS’s Part 568 (Transferred to
FDIC’s Part 391, Subpart A)
Section 3 of the Bank Protection Act
of 1968 directed the appropriate Federal
banking agencies and the OTS’
predecessor, the Federal Home Loan
Bank Board (‘‘FHLBB’’), to establish
minimum security standards for banks
and savings associations, at reasonable
cost, to serve as a deterrent to robberies,
burglaries, and larcenies, and to assist
law enforcement in identifying and
prosecuting persons who commit such
acts.5 In the initial rulemakings, the
agencies consulted and cooperated with
each other to promote a goal of
uniformity where practicable. The
initial minimum security rules were
simultaneously issued in January 1969
and were substantively the same.6
In 1991, the minimum security rules
were substantially revised to reduce
unnecessary specificity, remove
obsolete requirements, and place greater
responsibility on the boards of directors
of insured financial institutions for
establishing and ensuring the
implementation and maintenance of
security programs and procedures. The
former FHLBB rules at 12 CFR part 563a
were redesignated as 12 CFR part 568 by
the OTS. The OTS rules remained
substantively the same as the FDIC’s
rules in part 326, subpart A.7
In 2001, the FDIC, other Federal
banking agencies, and the OTS issued
Interagency Guidelines for Safeguarding
Customer Information pursuant to
section 501 of the Gramm Leach Bliley
Act (‘‘Protection of Nonpublic Personal
Information’’).8 At the same time, the
OTS added a provision at the end of its
security procedures rules at section
568.5 directing saving associations and
certain subsidiaries to comply with
appendix B to the Interagency
Guidelines. In a preamble footnote, the
OTS indicated that the reason for the
additional provision to its minimum
security rules was ‘‘[b]ecause
information security guidelines are
similar to physical security
procedures.’’ 9 In 2004, following
enactment of the Fair and Accurate
Credit Transactions Act (FACT Act), the
OTS, FDIC, and other banking agencies
revised the Interagency Guidelines for
Safeguarding Customer Information and
renamed them the Interagency
Guidelines for Establishing Information
Security Standards. The Interagency
Guidelines were located in the FDIC
rules at part 364. In 2015, the FDIC
amended part 364 to, among other
reasons, make it applicable to State
savings associations.10 After careful
comparison of the FDIC’s part 326,
subpart A, with the transferred OTS rule
in part 391, subpart A, the FDIC has
concluded that the transferred OTS
rules governing minimum security
procedures are substantively redundant.
Based on the foregoing, the FDIC is
adopting a Final Rule to rescind and
remove from the Code of Federal
Regulations the transferred OTS rules
located at part 391, subpart A, and to
make technical amendments to part 326,
subpart A, to incorporate State savings
associations.
II. The Proposed Rule
Regarding the functions of the former
OTS that were transferred to the FDIC,
section 316(b)(3) of the Dodd-Frank Act,
12 U.S.C. 5414(b)(3), in pertinent part,
provides that the former OTS’s
regulations will be enforceable by the
FDIC until they are modified,
terminated, set aside, or superseded in
accordance with applicable law. After
reviewing the rules currently found in
part 391, subpart A, the FDIC issued a
Notice of Proposed Rulemaking (‘‘NPR’’
or ‘‘Proposed Rule’’), which proposed to
VerDate Sep<11>2014 16:23 Mar 30, 2018 Jkt 244001 PO 00000 Frm 00024 Fmt 4700 Sfmt 4700 E:\FR\FM\02APR1.SGM 02APR1
daltland on DSKBBV9HB2PROD with RULES
3 76 FR 39247 (July 6, 2011).
4 76 FR 47652 (Aug. 5, 2011).
5 12 U.S.C. 1882.
6 34 FR 618 (January 16, 1969); 34 FR 621
(January 16, 1969).
7 56 FR 29565 (June 28, 1991); 56 FR 13579 (April
3, 1991).
8 66 FR 8616 (Feb. 1, 2001).
9 Id. at footnote 2.
10 80 FR 65903 (Oct. 28, 2015).
the OCC, respectively. On June 14, 2011,
the FDIC’s Board of Directors approved
a ‘‘List of OTS Regulations to be
Enforced by the OCC and the FDIC
Pursuant to the Dodd-Frank Wall Street
Reform and Consumer Protection Act.’’
This list was published by the FDIC and
the OCC as a Joint Notice in the Federal
Register on July 6, 2011.3
Although section 312(b)(2)(B)(i)(II) of
the Dodd-Frank Act, codified at 12
U.S.C. 5412(b)(2)(B)(i)(II), granted the
OCC rulemaking authority relating to
both State and Federal savings
associations, nothing in the Dodd-Frank
Act affected the FDIC’s existing
authority to issue regulations under the
FDI Act and other laws as the
‘‘appropriate Federal banking agency’’
or under similar statutory terminology.
Section 312(c) of the Dodd-Frank Act
amended the definition of ‘‘appropriate
Federal banking agency’’ contained in
section 3(q) of the FDI Act, 12 U.S.C.
1813(q), to add State savings
associations to the list of entities for
which the FDIC is designated as the
‘‘appropriate Federal banking agency.’’
As a result, when the FDIC acts as the
designated ‘‘appropriate Federal
banking agency’’ (or under similar
terminology) for State savings
associations, as it does here, the FDIC is
authorized to issue, modify, and rescind
regulations involving such associations,
as well as for State nonmember banks
and insured branches of foreign banks.
As noted, on June 14, 2011, pursuant
to this authority, the FDIC’s Board of
Directors reissued and redesignated
certain transferring regulations of the
former OTS. These transferred OTS
regulations were published as new FDIC
regulations in the Federal Register on
August 5, 2011.4 When it republished
the transferred OTS regulations as new
FDIC regulations, the FDIC specifically
noted that its staff would evaluate the
transferred OTS rules, and might later
recommend incorporating the
transferred OTS regulations into other
FDIC rules, amending them, or
rescinding them as appropriate.
One of the OTS rules transferred to
the FDIC governed OTS oversight of
minimum security devices and
procedures for State savings
associations. The OTS rule, formerly
found at 12 CFR part 568, was
transferred to the FDIC with only
nominal changes, and is now found in
the FDIC’s rules at part 391, subpart A,
entitled ‘‘Security Procedures.’’ Before
the transfer of the OTS rules and
continuing today, the FDIC’s rules
contained part 326, subpart A, entitled
‘‘Minimum Security Procedures,’’ a rule
governing FDIC oversight of security
devices and procedures to discourage
burglaries, robberies, and larcenies, and
assist law enforcement in the
identification and apprehension of those
who commit such crimes with respect to
insured depository institutions for
which the FDIC has been designated the
appropriate Federal banking agency.
One provision in part 391, subpart A,
namely § 391.5, is not contained in part
326, subpart A. It directs savings
associations and certain subsidiaries to
comply with the Interagency Guidelines
Establishing Information Security
Standards, which were adopted jointly
by the OTS and the FDIC and other
banking agencies, and are contained in
appendix B to part 364 in FDIC
regulations.
After careful review and comparison
of part 391, subpart A, and part 326, the
FDIC is adopting a Final Rule to rescind
part 391, subpart A, because, as
discussed below, it is substantively
redundant to existing part 326, and
simultaneously finalizes the technical
conforming edits to the FDIC’s existing
rule.
FDIC’s Existing 12 CFR Part 326 and
Former OTS’s Part 568 (Transferred to
FDIC’s Part 391, Subpart A)
Section 3 of the Bank Protection Act
of 1968 directed the appropriate Federal
banking agencies and the OTS’
predecessor, the Federal Home Loan
Bank Board (‘‘FHLBB’’), to establish
minimum security standards for banks
and savings associations, at reasonable
cost, to serve as a deterrent to robberies,
burglaries, and larcenies, and to assist
law enforcement in identifying and
prosecuting persons who commit such
acts.5 In the initial rulemakings, the
agencies consulted and cooperated with
each other to promote a goal of
uniformity where practicable. The
initial minimum security rules were
simultaneously issued in January 1969
and were substantively the same.6
In 1991, the minimum security rules
were substantially revised to reduce
unnecessary specificity, remove
obsolete requirements, and place greater
responsibility on the boards of directors
of insured financial institutions for
establishing and ensuring the
implementation and maintenance of
security programs and procedures. The
former FHLBB rules at 12 CFR part 563a
were redesignated as 12 CFR part 568 by
the OTS. The OTS rules remained
substantively the same as the FDIC’s
rules in part 326, subpart A.7
In 2001, the FDIC, other Federal
banking agencies, and the OTS issued
Interagency Guidelines for Safeguarding
Customer Information pursuant to
section 501 of the Gramm Leach Bliley
Act (‘‘Protection of Nonpublic Personal
Information’’).8 At the same time, the
OTS added a provision at the end of its
security procedures rules at section
568.5 directing saving associations and
certain subsidiaries to comply with
appendix B to the Interagency
Guidelines. In a preamble footnote, the
OTS indicated that the reason for the
additional provision to its minimum
security rules was ‘‘[b]ecause
information security guidelines are
similar to physical security
procedures.’’ 9 In 2004, following
enactment of the Fair and Accurate
Credit Transactions Act (FACT Act), the
OTS, FDIC, and other banking agencies
revised the Interagency Guidelines for
Safeguarding Customer Information and
renamed them the Interagency
Guidelines for Establishing Information
Security Standards. The Interagency
Guidelines were located in the FDIC
rules at part 364. In 2015, the FDIC
amended part 364 to, among other
reasons, make it applicable to State
savings associations.10 After careful
comparison of the FDIC’s part 326,
subpart A, with the transferred OTS rule
in part 391, subpart A, the FDIC has
concluded that the transferred OTS
rules governing minimum security
procedures are substantively redundant.
Based on the foregoing, the FDIC is
adopting a Final Rule to rescind and
remove from the Code of Federal
Regulations the transferred OTS rules
located at part 391, subpart A, and to
make technical amendments to part 326,
subpart A, to incorporate State savings
associations.
II. The Proposed Rule
Regarding the functions of the former
OTS that were transferred to the FDIC,
section 316(b)(3) of the Dodd-Frank Act,
12 U.S.C. 5414(b)(3), in pertinent part,
provides that the former OTS’s
regulations will be enforceable by the
FDIC until they are modified,
terminated, set aside, or superseded in
accordance with applicable law. After
reviewing the rules currently found in
part 391, subpart A, the FDIC issued a
Notice of Proposed Rulemaking (‘‘NPR’’
or ‘‘Proposed Rule’’), which proposed to
VerDate Sep<11>2014 16:23 Mar 30, 2018 Jkt 244001 PO 00000 Frm 00024 Fmt 4700 Sfmt 4700 E:\FR\FM\02APR1.SGM 02APR1
daltland on DSKBBV9HB2PROD with RULES