BOARD OF GOVERNORS
FEDERAL RESERVE SYSTEM
WASHINGTON, D. C. 20551
DIVISION OF BANKING SUPERVISION AND REGULATION
SR 01-15 (SUP)
May 31, 2001
The federal banking agencies jointly issued guidelines establishing standards for safeguarding customer information (Guidelines), which will become effective July 1, 2001. A copy of the Federal Register notice is attached. The Guidelines implement section 501 of the Gramm-Leach-Bliley Act, which requires the agencies to establish standards for financial institutions relating to administrative, technical, and physical safeguards for customer records and information. The Guidelines were issued by the Federal Reserve as appendices to Regulations H and Y, and apply to customer information maintained by state member banks, bank holding companies, Edge and agreement corporations, and uninsured state-licensed branches and agencies of foreign banks.
The Guidelines require institutions to establish an information security program to assess and control risks to customer information. Under the Guidelines, each institution may implement an information security program appropriate to its size and complexity and the nature and scope of its operations. The board of directors should oversee an institution's efforts to develop, implement, and maintain an effective information security program and approve written information security policies and programs.
The Guidelines outline specific security measures that banking organizations should consider in implementing a security program based on the size and complexity of their operations. Training and testing are also critical components of an effective information security program. The Guidelines specifically require financial institutions to oversee their service provider arrangements in order to protect the security of customer information maintained or processed by service providers.
The Federal Reserve recognizes that banking organizations are highly sensitive to the importance of safeguarding customer information and the need to maintain effective information security programs. Existing examination procedures and supervisory processes already address information security. As a result, most banking organizations should not need to implement new controls and procedures.
Examiners should assess compliance with the Guidelines during each safety and soundness examination or examination cycle (which may include targeted reviews of information technology) subsequent to the July 1, 2001 effective date of the Guidelines and monitor ongoing compliance as needed during the risk-focused examination process. Material instances of non-compliance should be noted in the report of examination. The attached guidance was developed to assist examiners in documenting a financial institution's compliance with the Guidelines.
Reserve Banks are asked to distribute this guidance to banking organizations supervised by the Federal Reserve in their districts. If you have any questions regarding this letter, please contact Mike Wallas, Supervisory Financial Analyst, (202) 452-2081 or Heidi Richards, Assistant Director, (202) 452-2598.