FDIC issues FACT Act guidelines mortgagepress.comconsumer fraud, identity theft, legislation, information safeguards
The Federal Deposit Insurance Corporation has released a
financial institutions letter announcing that the federal bank and
thrift regulatory agencies have jointly issued final guidelines
implementing section 216 of the Fair and Accurate Credit
Transactions Act of 2003 (FACT Act). The content of the letter,
issued on Feb. 2, is reprinted below.
Fair and Accurate Credit Transactions Act of 2003
Guidelines requiring the proper disposal of consumer
information
FIL-7-2005
February 2, 2005
The federal bank and thrift regulatory agencies have jointly
issued final guidelines to implement section 216 of the FACT Act.
Section 216 is designed to protect consumers against the risks
associated with identity theft and other types of fraud. The
guidelines require the proper disposal of consumer information.
The FDIC, the Board of Governors of the Federal Reserve System,
the Office of the Comptroller of the Currency and the Office of
Thrift Supervision (agencies) have adopted the final rule to
implement section 216 of the FACT Act. Section 216 of the FACT Act
is designed to protect a consumer against the risks associated with
identity theft and other types of fraud.
Under the final rule, the agencies have amended their
"Guidelines Establishing Standards for Safeguarding Customer
Information," as mandated by the Gramm-Leach-Bliley Act, to require
the proper disposal of consumer information. The guidelines have
been renamed "Interagency Guidelines Establishing Information
Security Standards."
The amendments to the guidelines require each financial
institution to develop and maintain, as part of its information
security program, appropriate controls designed to ensure that it
properly disposes of "consumer information" derived from a consumer
report in a manner consistent with the financial institutions
existing obligation under the guidelines to properly dispose of
customer information. The guidelines direct financial institutions
to assess the risks to their consumer information as well as
customer information by evaluating security measures to control
these risks. Therefore, financial institutions must design their
information security programs to dispose properly of customer
information and consumer information.
Each bank must satisfy these guidelines with respect to the
proper disposal of consumer information by July 1, 2005. Financial
institutions must modify any affected contracts with service
providers no later than July 1, 2006.
Definition of consumer information
"Consumer information" is defined as "any record about an
individual, whether in paper, electronic, or other form that is a
consumer report or is derived from a consumer report and that is
maintained or otherwise possessed by or on behalf of the
institution for a business purpose." "Consumer information" is also
defined to mean "a compilation of such records." The term, however,
excludes from the definition any record that does not identify the
individual. Therefore, the requirement concerning consumer
information does not apply to aggregate information that does not
identify the subjects of the consumer reports.
Definition of service provider
"Service provider" is defined as any person or entity that
maintains, processes or otherwise is permitted access to customer
information or consumer information through its provision of
services directly to the bank. The guidelines direct financial
institutions to require service providers by contract to implement
appropriate measures designed to meet the obligations of the
guidelines regarding the proper disposal of consumer
information.
Michael J. Zamorski, Director
Division of Supervision and Consumer Protection
For a copy of section 216, visit www.fdic.gov.
