The federal bank and thrift regulatory agencies have jointly issued final guidelines to implement section 216 of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act). Section 216 is designed to protect consumers against the risks associated with identity theft and other types of fraud. The guidelines require the proper disposal of consumer information.
The Federal Deposit Insurance Corporation, the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision (agencies) have adopted the attached final rule to implement section 216 of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act). Section 216 of the FACT Act is designed to protect a consumer against the risks associated with identity theft and other types of fraud.
Under the final rule, the agencies have amended their "Guidelines Establishing Standards for Safeguarding Customer Information," as mandated by the Gramm-Leach-Bliley Act, to require the proper disposal of consumer information. The guidelines have been renamed "Interagency Guidelines Establishing Information Security Standards."
The amendments to the guidelines require each financial institution to develop and maintain, as part of its information security program, appropriate controls designed to ensure that it properly disposes of "consumer information" derived from a consumer report in a manner consistent with the financial institution's existing obligation under the guidelines to properly dispose of customer information. The guidelines direct financial institutions to assess the risks to their consumer information as well as customer information by evaluating security measures to control these risks. Therefore, financial institutions must design their information security programs to dispose properly of customer information and consumer information.
Each bank must satisfy these guidelines with respect to the proper disposal of consumer information by July 1, 2005. Financial institutions must modify any affected contracts with service providers no later than July 1, 2006.
Definition of Consumer Information
"Consumer information" is defined as "any record about an individual, whether in paper, electronic, or other form that is a consumer report or is derived from a consumer report and that is maintained or otherwise possessed by or on behalf of the institution for a business purpose." "Consumer information" is also defined to mean "a compilation of such records." The term, however, excludes from the definition any record that does not identify the individual. Therefore, the requirement concerning consumer information does not apply to aggregate information that does not identify the subjects of the consumer reports.
Definition of Service Provider
"Service provider" is defined as any person or entity that maintains, processes or otherwise is permitted access to customer information or consumer information through its provision of services directly to the bank. The guidelines direct financial institutions to require service providers by contract to implement appropriate measures designed to meet the obligations of the guidelines regarding the proper disposal of consumer information.
Michael J. Zamorski
Division of Supervision and Consumer Protection