Fair Credit Reporting: Amendment History

[63 Fed. Reg. 55,484 (Oct. 15, 1998); 64 Fed. Reg. 66,705 (Nov. 29, 1999); 66 Fed. Reg. 8634 (Feb. 1, 2001); 69 Fed. Reg. 77,617 (Dec. 28, 2004); 70 Fed. Reg. 15,753 (Mar. 29, 2005); 71 Fed. Reg. 5780 (Feb. 3, 2006); 79 Fed. Reg. 37,166 (July 1, 2014)]

Fair Credit Reporting: I. BACKGROUND

This Guidance[25] interprets section 501(b) of the Gramm-Leach-Bliley Act (“GLBA”) and the Interagency Guidelines Establishing Information Security Standards (the “Security Guidelines”)[26] and describes response programs, including customer notification procedures, that a financial institution should develop and implement to address unauthorized access to or use of customer information that could result in substantial harm or inconvenience to a customer.

Fair Credit Reporting: II. RESPONSE PROGRAM

Millions of Americans, throughout the country, have been victims of identity theft.[31] Identity thieves misuse personal information they obtain from a number of sources, including financial institutions, to perpetrate identity theft. Therefore, financial institutions should take preventative measures to safeguard customer information against attempts to gain unauthorized access to the information.

Fair Credit Reporting: III. CUSTOMER NOTICE

Financial institutions have an affirmative duty to protect their customers’ information against unauthorized access or use. Notifying customers of a security incident involving the unauthorized access or use of the customer’s information in accordance with the standard set forth below is a key part of that duty. Timely notification of customers is important to manage an institution’s reputation risk.

Fair Credit Reporting: Amendment History

[63 Fed. Reg. 55,484 (Oct. 15, 1998); 64 Fed. Reg. 66,705 (Nov. 29, 1999); 66 Fed. Reg. 8634 (Feb. 1, 2001); 69 Fed. Reg. 77,617 (Dec. 28, 2004); 70 Fed. Reg. 15,753 (Mar. 29, 2005); 71 Fed. Reg. 5780 (Feb. 3, 2006); 79 Fed. Reg. 37,166 (July 1, 2014)]

* * *

Fair Credit Reporting: 12 C.F.R. § 211.5 Edge and agreement corporations.

* * *

(l) Protection of customer information and consumer information. An Edge or agreement corporation shall comply with the Interagency Guidelines Establishing Information Security Standards prescribed pursuant to sections 501 and 505 of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 and 6805) and, with respect to the proper disposal of consumer information, section 216 of the Fair and Accurate Credit Transactions Act of 2003 (15 U.S.C. 1681w), set forth in appendix D-2 to part 208 of this chapter.

Fair Credit Reporting: 12 C.F.R. § 225.4 Corporate practices.

* * *

(h) Protection of customer information and consumer information. A bank holding company shall comply with the Interagency Guidelines Establishing Information Security Standards, as set forth in appendix F of this part, prescribed pursuant to sections 501 and 505 of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 and 6805). A bank holding company shall properly dispose of consumer information in accordance with the rules set forth at 16 CFR part 682.

Fair Credit Reporting: Table of Contents

I. Introduction

A. Scope

B. Preservation of Existing Authority

C. Definitions

II. Standards for Safeguarding Customer Information

A. Information Security Program

B. Objectives

III. Development and Implementation of Customer Information Security Program

A. Involve the Board of Directors

B. Assess Risk

C. Manage and Control Risk

D. Oversee Service Provider Arrangements

E. Adjust the Program

F. Report to the Board

G. Implement the Standards

Fair Credit Reporting: I. Introduction

These Interagency Guidelines Establishing Information Security Standards (Guidelines) set forth standards pursuant to sections 501 and 505 of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 and 6805). These Guidelines address standards for developing and implementing administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information.

Fair Credit Reporting: II. Standards for Safeguarding Customer Information

A. Information Security Program. Each bank holding company shall implement a comprehensive written information security program that includes administrative, technical, and physical safeguards appropriate to the size and complexity of the bank holding company and the nature and scope of its activities. While all parts of the bank holding company are not required to implement a uniform set of policies, all elements of the information security program must be coordinated.

Fair Credit Reporting: III. Development and Implementation of Information Security Program

A. Involve the Board of Directors. The board of directors or an appropriate committee of the board of each bank holding company shall:

1. Approve the bank holding company’s written information security program; and

2. Oversee the development, implementation, and maintenance of the bank holding company’s information security program, including assigning specific responsibility for its implementation and reviewing reports from management.

Fair Credit Reporting: Amendment History

[66 Fed. Reg. 8636 (Feb. 1, 2001); 69 Fed. Reg. 77,618 (Dec. 28, 2004); 70 Fed. Reg. 15,753 (Mar. 29, 2005); 71 Fed. Reg. 5780 (Feb. 3, 2006); 79 Fed. Reg. 37,167 (July 1, 2014)]

Fair Credit Reporting: I. Background

This Guidance[40] interprets section 501(b) of the Gramm-Leach-Bliley Act (“GLBA”) and the Interagency Guidelines Establishing Information Security Standards (the “Security Guidelines”)[41] and describes response programs, including customer notification procedures, that a financial institution should develop and implement to address unauthorized access to or use of customer information that could result in substantial harm or inconvenience to a customer.

Fair Credit Reporting: II. Response Program

Millions of Americans, throughout the country, have been victims of identity theft.[46] Identity thieves misuse personal information they obtain from a number of sources, including financial institutions, to perpetrate identity theft. Therefore, financial institutions should take preventative measures to safeguard customer information against attempts to gain unauthorized access to the information.

Fair Credit Reporting: III. Customer Notice

Financial institutions have an affirmative duty to protect their customers’ information against unauthorized access or use. Notifying customers of a security incident involving the unauthorized access or use of the customer’s information in accordance with the standard set forth below is a key part of that duty. Timely notification of customers is important to manage an institution’s reputation risk.

Fair Credit Reporting: Amendment History

[66 Fed. Reg. 8636 (Feb. 1, 2001); 69 Fed. Reg. 77,618 (Dec. 28, 2004); 70 Fed. Reg. 15,753 (Mar. 29, 2005); 71 Fed. Reg. 5780 (Feb. 3, 2006); 79 Fed. Reg. 37,167 (July 1, 2014)]

Fair Credit Reporting: 12 C.F.R. § 364.101 Standards for safety and soundness.

(a) General standards. The Interagency Guidelines Establishing Standards for Safety and Soundness prescribed pursuant to section 39 of the Federal Deposit Insurance Act (12 U.S.C. 1831p-1), as set forth as appendix A to this part, apply to all insured state nonmember banks and to state-licensed insured branches of foreign banks, that are subject to the provisions of section 39 of the Federal Deposit Insurance Act.

Fair Credit Reporting: TABLE OF CONTENTS

I. Introduction

A. Scope

B. Preservation of Existing Authority

C. Definitions

II. Standards for Safeguarding Customer Information

A. Information Security Program

B. Objectives

III. Development and Implementation of Customer Information Security Program

A. Involve the Board of Directors

B. Assess Risk

C. Manage and Control Risk

D. Oversee Service Provider Arrangements

E. Adjust the Program

F. Report to the Board

G. Implement the Standards

Fair Credit Reporting: I. INTRODUCTION

The Interagency Guidelines Establishing Information Security Standards (Guidelines) set forth standards pursuant to section 39 of the Federal Deposit Insurance Act, 12 U.S.C. 1831p-1, and sections 501 and 505(b), 15 U.S.C. 6801 and 6805(b), of the Gramm-Leach-Bliley Act. These Guidelines address standards for developing and implementing administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information.

Fair Credit Reporting: II. STANDARDS FOR INFORMATION SECURITY

A. Information Security Program. Each bank shall implement a comprehensive written information security program that includes administrative, technical, and physical safeguards appropriate to the size and complexity of the bank and the nature and scope of its activities. While all parts of the bank are not required to implement a uniform set of policies, all elements of the information security program must be coordinated.

B. Objectives. A bank’s information security program shall be designed to:

Fair Credit Reporting: III. DEVELOPMENT AND IMPLEMENTATION OF INFORMATION SECURITY PROGRAM

A. Involve the Board of Directors. The board of directors or an appropriate committee of the board of each bank shall:

1. Approve the bank’s written information security program; and

2. Oversee the development, implementation, and maintenance of the bank’s information security program, including assigning specific responsibility for its implementation and reviewing reports from management.

B. Assess Risk. Each bank shall:

Fair Credit Reporting: Amendment History

[63 Fed. Reg. 55,484, 55,486 (Oct. 15, 1998); 64 Fed. Reg. 66,706 (Nov. 29, 1999); 66 Fed. Reg. 8638 (Feb. 1, 2001); 69 Fed. Reg. 77,610 (Dec. 28, 2004); 70 Fed. Reg. 15,736 (Mar. 29, 2005); 71 Fed. Reg. 5780 (Feb. 3, 2006)]

Fair Credit Reporting: I. BACKGROUND

This Guidance[55] interprets section 501(b) of the Gramm-Leach-Bliley Act (“GLBA”) and the Interagency Guidelines Establishing Information Security Standards (the “Security Guidelines”)[56] and describes response programs, including customer notification procedures, that a financial institution should develop and implement to address unauthorized access to or use of customer information that could result in substantial harm or inconvenience to a customer.

Fair Credit Reporting: II. RESPONSE PROGRAM

Millions of Americans, throughout the country, have been victims of identity theft.[61] Identity thieves misuse personal information they obtain from a number of sources, including financial institutions, to perpetrate identity theft. Therefore, financial institutions should take preventative measures to safeguard customer information against attempts to gain unauthorized access to the information.