1. FRRS Home
  2. Guidance
  4. Interagency Guidelines Establishing Information Security Standards for State Member Banks

Federal Reserve Regulatory Service

Subscribe
3-1571

PRIVACY—Interagency Guidelines Establishing Information Security Standards*

  • I.
    Introduction
    • A.
      Scope
    • B.
      Preservation of existing authority
    • C.
      Definitions
  • II.
    Standards for safeguarding customer information
    • A.
      Information security program
    • B.
      Objectives
  • III.
    Development and implementation of customer information security program
    • A.
      Involve the board of directors
    • B.
      Assess risk
    • C.
      Manage and control risk
    • D.
      Oversee service provider arrangements
    • E.
      Adjust the program
    • F.
      Report to the Board
    • G.
      Implement the standards
I. Introduction
These Interagency Guidelines Establishing Information Security Standards (guidelines) set forth standards pursuant to sections 501 and 505 of the Gramm-Leach-Bliley Act (15 USC 6801 and 6805), in the same manner, to the extent practicable, as standards prescribed pursuant to section 39 of the Federal Deposit Insurance Act (12 USC 1831p-1). These guidelines address standards for developing and implementing administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information. These guidelines also address standards with respect to the proper disposal of consumer information by or on behalf of such entities.
A. Scope
The guidelines apply to customer information maintained by or on behalf of state member banks (banks) and their nonbank subsidiaries, except for brokers, dealers, persons providing insurance, investment companies, and investment advisors. Pursuant to sections 211.9 and 211.24 of this chapter, these guidelines also apply to customer information maintained by or on behalf of Edge corporations, agreement corporations, and uninsured state-licensed branches or agencies of a foreign bank. These guidelines also apply to proper disposal of consumer information by or on behalf of such entities.
B. Preservation of Existing Authority
Neither section 39 nor these guidelines in any way limit the authority of the Board to address unsafe or unsound practices, violations of law, unsafe or unsound conditions, or other practices. The Board may take action under section 39 and these guidelines independently of, in conjunction with, or in addition to, any other enforcement action available to the Board.
C. Definitions
1. Except as modified in the guidelines, or unless the context otherwise requires, the terms used in these guidelines have the same meanings as set forth in sections 3 and 39 of the Federal Deposit Insurance Act (12 USC 1813 and 1831p-1).
2.  For purposes of the guidelines, the following definitions apply.
a. Board of directors, in the case of a branch or agency of a foreign bank, means the managing official in charge of the branch or agency.
b. Consumer information means any record about an individual, whether in paper, electronic, or other form, that is a consumer report or is derived from a consumer report and that is maintained or otherwise possessed by or on behalf of the bank for a business purpose. Consumer information also means a compilation of such records. The term does not include any record that does not identify an individual.
i. Examples.
(1) Consumer information includes—
(A) a consumer report that a bank obtains;
(B) information from a consumer report that the bank obtains from its affiliate after the consumer has been given a notice and has elected not to opt out of that sharing;
(C) information from a consumer report that the bank obtains about an individual who applies for but does not receive a loan, including any loan sought by an individual for a business purpose;
(D) information from a consumer report that the bank obtains about an individual who guarantees a loan (including a loan to a business entity); or
(E) information from a consumer report that the bank obtains about an employee or prospective employee.
(2) Consumer information does not include—
(A) aggregate information, such as the mean credit score, derived from a group of consumer reports; or
(B) blind data, such as payment history on accounts that are not personally identifiable, that may be used for developing credit scoring models or for other purposes.
c. Consumer report has the same meaning as set forth in the Fair Credit Reporting Act, 15 USC 1681a(d).
d. Customer means any customer of the bank as defined in section 1016.3(i) of this chapter.
e. Customer information means any record containing nonpublic personal information, as defined in section 1016.3(p) of this chapter, about a customer, whether in paper, electronic, or other form, that is maintained by or on behalf of the bank.
f. Customer information systems means any methods used to access, collect, store, use, transmit, protect, or dispose of customer information.
g. Service provider means any person or entity that maintains, processes, or otherwise is permitted access to customer information or consumer information through its provision of services directly to the bank.
h. Subsidiary means any company controlled by a bank, except a broker, dealer, person providing insurance, investment company, investment advisor, insured depository institution, or subsidiary of an insured depository institution.
II. Standards for Information Security A. Information Security Program
Each bank shall implement a comprehensive written information security program that includes administrative, technical, and physical safeguards appropriate to the size and complexity of the bank and the nature and scope of its activities. While all parts of the bank are not required to implement a uniform set of policies, all elements of the information security program must be coordinated. A bank also shall ensure that each of its subsidiaries is subject to a comprehensive information security program. The bank may fulfill this requirement either by including a subsidiary within the scope of the bank’s comprehensive information security program or by causing the subsidiary to implement a separate comprehensive information security program in accordance with the standards and procedures in sections II and III of this appendix that apply to banks.
B. Objectives
A bank’s information security program shall be designed to—
  • 1.
    ensure the security and confidentiality of customer information;
  • 2.
    protect against any anticipated threats or hazards to the security or integrity of such information;
  • 3.
    protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer; and
  • 4.
    ensure the proper disposal of customer information and consumer information.
III. Development and Implementation of Information Security Program A. Involve the Board of Directors
The board of directors or an appropriate committee of the board of each bank shall—
  • 1.
    approve the bank’s written information security program; and
  • 2.
    oversee the development, implementation, and maintenance of the bank’s information security program, including assigning specific responsibility for its implementation and reviewing reports from management.
B. Assess Risk
Each bank shall—
  • 1.
    identify reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information or customer information systems;
  • 2.
    assess the likelihood and potential damage of these threats, taking into consideration the sensitivity of customer information; and
  • 3.
    assess the sufficiency of policies, procedures, customer information systems, and other arrangements in place to control risks.
C. Manage and Control Risk
Each bank shall—
  • 1.
    Design its information security program to control the identified risks, commensurate with the sensitivity of the information as well as the complexity and scope of the bank’s activities. Each bank must consider whether the following security measures are appropriate for the bank and, if so, adopt those measures the bank concludes are appropriate: 
    • a.
      access controls on customer information systems, including controls to authenticate and permit access only to authorized individuals and controls to prevent employees from providing customer information to unauthorized individuals who may seek to obtain this information through fraudulent means
    • b.
      access restrictions at physical locations containing customer information, such as buildings, computer facilities, and records storage facilities to permit access only to authorized individuals
    • c.
      encryption of electronic customer information, including while in transit or in storage on networks or systems to which unauthorized individuals may have access
    • d.
      procedures designed to ensure that customer information system modifications are consistent with the bank’s information security program
    • e.
      dual control procedures, segregation of duties, and employee background checks for employees with responsibilities for or access to customer information
    • f.
      monitoring systems and procedures to detect actual and attempted attacks on or intrusions into customer information systems
    • g.
      response programs that specify actions to be taken when the bank suspects or detects that unauthorized individuals have gained access to customer information systems, including appropriate reports to regulatory and law enforcement agencies
    • h.
      measures to protect against destruction, loss, or damage of customer information due to potential environmental hazards, such as fire and water damage or technological failures
  • 2.
    Train staff to implement the bank’s information security program
  • 3.
    Regularly test the key controls, systems and procedures of the information security program. The frequency and nature of such tests should be determined by the bank’s risk assessment. Tests should be conducted or reviewed by independent third parties or staff independent of those that develop or maintain the security programs.
  • 4.
    Develop, implement, and maintain, as part of its information security program, appropriate measures to properly dispose of customer information and consumer information in accordance with each of the requirements in this paragraph III.
D. Oversee Service Provider Arrangements
Each bank shall—
  • 1.
    exercise appropriate due diligence in selecting its service providers;
  • 2.
    require its service providers by contract to implement appropriate measures designed to meet the objectives of these guidelines; and
  • 3.
    where indicated by the bank’s risk assessment, monitor its service providers to confirm that they have satisfied their obligations as required by paragraph D.2. As part of this monitoring, a bank should review audits, summaries of test results, or other equivalent evaluations of its service providers.
E. Adjust the Program
Each bank shall monitor, evaluate, and adjust, as appropriate, the information security program in light of any relevant changes in technology, the sensitivity of its customer information, internal or external threats to information, and the bank’s own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to customer information systems.
F. Report to the Board
Each bank shall report to its board or an appropriate committee of the board at least annually. This report should describe the overall status of the information security program and the bank’s compliance with these guidelines. The reports should discuss material matters related to its program, addressing issues such as risk assessment; risk management and control decisions; service-provider arrangements; results of testing; security breaches or violations and management’s responses; and recommendations for changes in the information security program.
G. Implement the Standards
1. Effective date. Each bank must implement an information security program pursuant to these guidelines by July 1, 2001.
2. Two-year grandfathering of agreements with service providers. Until July 1, 2003, a contract that a bank has entered into with a service provider to perform services for it or functions on its behalf satisfies the provisions of section III.D., even if the contract does not include a requirement that the servicer maintain the security and confidentiality of customer information, as long as the bank entered into the contract on or before March 2, 2001.
3. Effective date for measures relating to the disposal of consumer information. Each bank must satisfy these Guidelines with respect to the proper disposal of consumer information by July 1, 2005.
4. Exception for existing agreements with service providers relating to the disposal of consumer information. Notwithstanding the requirement in paragraph III.G.3., a bank’s contracts with its service providers that have access to consumer information and that may dispose of consumer information, entered into before July 1, 2005, must comply with the provisions of the guidelines relating to the proper disposal of consumer information by July 1, 2006.
Supplement A—Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice
See 3-1572.
12 CFR 208, appendix D-2.
*
See also the small-entity compliance guide at 3-1572.1.