



Financial Institution Letters

Fair and Accurate Credit Transactions Act of 2003
Guidelines Requiring the Proper Disposal of Consumer Information
FIL-7-2005
February 2, 2005


Summary: The federal bank and thrift regulatory agencies have jointly issued final guidelines to implement section 216 of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act). Section 216 is designed to protect consumers against the risks associated with identity theft and other types of fraud. The guidelines require the proper disposal of consumer information.

Highlights:
  • The FACT Act requires any financial institution that maintains or otherwise possesses consumer information derived from consumer reports to properly dispose of it.
  • To implement section 216 of the FACT Act, the banking and thrift regulatory agencies have amended their "Guidelines Establishing Standards for Safeguarding Customer Information," and renamed them "Interagency Guidelines Establishing Information Security Standards," to require the proper disposal of consumer information.
  • The new guidelines will take effect on July 1, 2005.

Distribution:
FDIC-Supervised Banks (Commercial and Savings)

Suggested Routing:
Chief Executive Officer
Chief Information Officer
Compliance Officer
Legal Counsel

Related Topics:
Interagency Guidelines Establishing Standards for Safeguarding of Customer Information
FFIEC Information Security Handbook issued January 2003

Attachment:
Federal Register, December 28, 2004, pages 77610-77621


Contact:
Jeffrey Kopchik, Senior Policy Analyst, on (202) 898-3872;
Kathryn Weatherby, Examination Specialist, on (202) 898-6793;
or Robert Patrick, Counsel, on (202) 898-8886

Note:
FDIC Financial Institution Letters (FILs) may be accessed from the FDIC's Web site at www.fdic.gov/news/news/financial/2005/index.html.

To receive FILs electronically, please visit http://www.fdic.gov/about/subscriptions/fil.html.

Paper copies of FDIC FILs may be obtained through the FDIC's Public Information Center, 801 17th Street, NW, Room 100, Washington, DC 20434 (1-877-275-3342 or (703) 562-2200).



Fair and Accurate Credit Transactions Act of 2003
Guidelines Requiring the Proper Disposal of Consumer Information

The federal bank and thrift regulatory agencies have jointly issued final guidelines to implement section 216 of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act). Section 216 is designed to protect consumers against the risks associated with identity theft and other types of fraud. The guidelines require the proper disposal of consumer information.

The Federal Deposit Insurance Corporation, the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision (agencies) have adopted the attached final rule to implement section 216 of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act). Section 216 of the FACT Act is designed to protect a consumer against the risks associated with identity theft and other types of fraud.

Under the final rule, the agencies have amended their "Guidelines Establishing Standards for Safeguarding Customer Information," as mandated by the Gramm-Leach-Bliley Act, to require the proper disposal of consumer information. The guidelines have been renamed "Interagency Guidelines Establishing Information Security Standards."

The amendments to the guidelines require each financial institution to develop and maintain, as part of its information security program, appropriate controls designed to ensure that it properly disposes of "consumer information" derived from a consumer report in a manner consistent with the financial institution's existing obligation under the guidelines to properly dispose of customer information. The guidelines direct financial institutions to assess the risks to their consumer information as well as customer information by evaluating security measures to control these risks. Therefore, financial institutions must design their information security programs to dispose properly of customer information and consumer information.

Each bank must satisfy these guidelines with respect to the proper disposal of consumer information by July 1, 2005. Financial institutions must modify any affected contracts with service providers no later than July 1, 2006.

Definition of Consumer Information

"Consumer information" is defined as "any record about an individual, whether in paper, electronic, or other form that is a consumer report or is derived from a consumer report and that is maintained or otherwise possessed by or on behalf of the institution for a business purpose." "Consumer information" is also defined to mean "a compilation of such records." The term, however, excludes from the definition any record that does not identify the individual. Therefore, the requirement concerning consumer information does not apply to aggregate information that does not identify the subjects of the consumer reports.

Definition of Service Provider

"Service provider" is defined as any person or entity that maintains, processes or otherwise is permitted access to customer information or consumer information through its provision of services directly to the bank. The guidelines direct financial institutions to require service providers by contract to implement appropriate measures designed to meet the obligations of the guidelines regarding the proper disposal of consumer information.

Michael J. Zamorski
Director
Division of Supervision and Consumer Protection



Last Updated 2/02/2005 communications@fdic.gov