Title 12
PART 208 APPENDIX
| Loan category | Loan-to-value limit (percent) |
|---|---|
| Raw land | 65 |
| Land development | 75 |
| Construction: | |
| Commercial, multifamily (1) and other nonresidential | 80 |
| 1- to 4-family residential | 85 |
| Improved property | 85 |
| Owner-occupied 1- to 4-family and home equity | (2) |
(1) Multifamily construction includes condominiums and cooperatives.
(2) A loan-to-value limit has not been established for permanent mortgage or home equity loans on owner-occupied, 1- to 4-family residential property. However, for any such loan with a loan-to-value ratio that equals or exceeds 90 percent at origination, an institution should require appropriate credit enhancement in the form of either mortgage insurance or readily marketable collateral.
The supervisory loan-to-value limits should be applied to the underlying property that collateralizes the loan. For loans that fund multiple phases of the same real estate project (e.g., a loan for both land development and construction of an office building), the appropriate loan-to-value limit is the limit applicable to the final phase of the project funded by the loan; however, loan disbursements should not exceed actual development or construction outlays. In situations where a loan is fully cross-collateralized by two or more properties or is secured by a collateral pool of two or more properties, the appropriate maximum loan amount under supervisory loan-to-value limits is the sum of the value of each property, less senior liens, multiplied by the appropriate loan-to-value limit for each property. To ensure that collateral margins remain within the supervisory limits, lenders should redetermine conformity whenever collateral substitutions are made to the collateral pool.
In establishing internal loan-to-value limits, each lender is expected to carefully consider the institution-specific and market factors listed under “Loan Portfolio Management Considerations,” as well as any other relevant factors, such as the particular subcategory or type of loan. For any subcategory of loans that exhibits greater credit risk than the overall category, a lender should consider the establishment of an internal loan-to-value limit for that subcategory that is lower than the limit for the overall category.
The loan-to-value ratio is only one of several pertinent credit factors to be considered when underwriting a real estate loan. Other credit factors to be taken into account are highlighted in the “Underwriting Standards” section above. Because of these other factors, the establishment of these supervisory limits should not be interpreted to mean that loans at these levels will automatically be considered sound.
Loans in Excess of the Supervisory Loan-to-Value Limits
The agencies recognize that appropriate loan-to-value limits vary not only among categories of real estate loans but also among individual loans. Therefore, it may be appropriate in individual cases to originate or purchase loans with loan-to-value ratios in excess of the supervisory loan-to-value limits, based on the support provided by other credit factors. Such loans should be identified in the institution's records, and their aggregate amount reported at least quarterly to the institution's board of directors. (See additional reporting requirements described under “Exceptions to the General Policy.”)
The aggregate amount of all loans in excess of the supervisory loan-to-value limits should not exceed 100 percent of total capital.(2) Moreover, within the aggregate limit, total loans for all commercial, agricultural, multifamily or other non-1-to-4 family residential properties should not exceed 30 percent of total capital. An institution will come under increased supervisory scrutiny as the total of such loans approaches these levels.
(2) For advanced approaches banks (as defined in 12 CFR 208.41) and, after January 1, 2015, for all state member banks, the term “total capital” refers to that term as defined in subpart A of 12 CFR part 217. For insured state nonmember banks and state savings associations, “total capital” refers to that term defined in subpart A of 12 CFR part 324. For national banks and Federal savings associations, the term “total capital” refers to that term as defined in subpart A of 12 CFR part 3. Prior to January 1, 2015, for state member banks that are not advanced approaches banks (as defined in 12 CFR 208.41), the term “total capital” means “total risk-based capital” as defined in appendix A to 12 CFR part 208. For insured state non-member banks, “total capital” refers to that term described in table I of appendix A to 12 CFR part 325. For national banks, the term “total capital” is defined at 12 CFR 3.2(e). For savings associations, the term “total capital” is defined at 12 CFR 567.5(c).
In determining the aggregate amount of such loans, institutions should: (a) Include all loans secured by the same property if any one of those loans exceeds the supervisory loan-to-value limits; and (b) include the recourse obligation of any such loan sold with recourse. Conversely, a loan should no longer be reported to the directors as part of aggregate totals when reduction in principal or senior liens, or additional contribution of collateral or equity (e.g., improvements to the real property securing the loan), bring the loan-to-value ratio into compliance with supervisory limits.
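The rules above (the supervisory limits in the table, the sum-of-properties formula for a cross-collateralized pool, the 100 percent and 30 percent of total capital ceilings, and reporting rules (a) and (b)) combine with the loan-to-value definition in the Definitions section below into a small amount of arithmetic that is easy to get wrong in a spreadsheet. The following Python is an added example, not part of the regulation or of any agency tool: it computes the ratio as defined (senior liens added to the extension of credit, discounted readily marketable and other acceptable collateral added to the value), applies the pool formula to multi-property loans, and builds the quarterly aggregate. The `Property`/`Loan` records, the `one_to_four_family` flag used for the 30 percent sublimit, the treatment of a mixed pool as non-1-to-4-family, and the sample portfolio are all assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional, Tuple

# Supervisory loan-to-value limits (percent) from the table above.
SUPERVISORY_LTV_LIMITS = {
    "raw_land": 65,
    "land_development": 75,
    "construction_nonresidential": 80,  # commercial, multifamily and other nonresidential
    "construction_1_4_family": 85,
    "improved_property": 85,
}


@dataclass(frozen=True)
class Property:
    property_id: str
    value: float              # "value" per the Definitions (lesser of cost and appraisal on a purchase)
    senior_liens: float       # all senior liens on or interests in this property
    category: str             # key into SUPERVISORY_LTV_LIMITS; for a multi-phase loan, the final phase
    one_to_four_family: bool  # assumed flag, used only for the 30-percent-of-capital sublimit


@dataclass(frozen=True)
class Loan:
    loan_id: str
    amount: float
    properties: Tuple[Property, ...]             # one property, or a cross-collateralized pool
    readily_marketable_collateral: float = 0.0   # after the lender's usual discount
    other_acceptable_collateral: float = 0.0     # after the lender's usual discount
    recourse_obligation: Optional[float] = None  # set when the loan was sold with recourse


def loan_to_value(loan: Loan) -> float:
    """LTV (percent) per the Definitions: extension of credit plus all senior liens, divided by
    total property value plus discounted readily marketable and other acceptable collateral."""
    senior = sum(p.senior_liens for p in loan.properties)
    denominator = (sum(p.value for p in loan.properties)
                   + loan.readily_marketable_collateral + loan.other_acceptable_collateral)
    if denominator <= 0:
        raise ValueError("collateral has no value")
    return 100.0 * (loan.amount + senior) / denominator


def max_amount_for_pool(properties) -> float:
    """Maximum amount for a loan secured by a collateral pool: the sum over properties of
    (value - senior liens) x that property's supervisory limit."""
    return sum(max(p.value - p.senior_liens, 0.0) * SUPERVISORY_LTV_LIMITS[p.category] / 100.0
               for p in properties)


def exceeds_supervisory_limit(loan: Loan) -> bool:
    """True when the loan must be tracked and reported as in excess of the supervisory limits."""
    if len(loan.properties) == 1:
        return loan_to_value(loan) > SUPERVISORY_LTV_LIMITS[loan.properties[0].category]
    return loan.amount > max_amount_for_pool(loan.properties)


def excess_loan_report(loans, total_capital: float) -> dict:
    """Aggregate excess loans for the board report: (a) every loan secured by a property is
    included once any loan on that property exceeds the limits, and (b) a loan sold with
    recourse counts at its recourse obligation."""
    by_property = defaultdict(list)
    for loan in loans:
        for p in loan.properties:
            by_property[p.property_id].append(loan)
    flagged = {}
    for loan in loans:
        if exceeds_supervisory_limit(loan):
            for p in loan.properties:
                for related in by_property[p.property_id]:
                    flagged[related.loan_id] = related

    def exposure(l: Loan) -> float:
        return l.amount if l.recourse_obligation is None else l.recourse_obligation

    aggregate = sum(exposure(l) for l in flagged.values())
    # Assumption: a pooled loan counts toward the sublimit when any collateral is not 1-4 family.
    non_1_4 = sum(exposure(l) for l in flagged.values()
                  if not all(p.one_to_four_family for p in l.properties))
    return {
        "excess_loan_ids": sorted(flagged),
        "aggregate": aggregate,
        "aggregate_pct_of_capital": 100.0 * aggregate / total_capital,
        "non_1_4_family_pct_of_capital": 100.0 * non_1_4 / total_capital,
        "within_100_pct_limit": aggregate <= total_capital,
        "within_30_pct_sublimit": non_1_4 <= 0.30 * total_capital,
    }


# Constructed sample portfolio (not from the page); assume $10 million total capital.
OFFICE = Property("office-1", 1_000_000, 0, "improved_property", one_to_four_family=False)
RENTAL = Property("rental-1", 400_000, 100_000, "improved_property", one_to_four_family=True)
LOT = Property("lot-1", 200_000, 0, "raw_land", one_to_four_family=False)
SAMPLE_LOANS = [
    Loan("L1", 900_000, (OFFICE,)),       # 90% on improved property: over the 85% limit
    Loan("L2", 50_000, (OFFICE,)),        # junior loan on the same office: pulled in by rule (a)
    Loan("L3", 200_000, (RENTAL,)),       # (200k + 100k senior) / 400k = 75%: conforms on its own
    Loan("L4", 400_000, (RENTAL, LOT)),   # pool maximum 300k*0.85 + 200k*0.65 = 385k: exceeds
    Loan("L5", 150_000, (LOT,), recourse_obligation=40_000),  # 75% on raw land, sold with recourse
]

if __name__ == "__main__":
    for loan in SAMPLE_LOANS:
        print(loan.loan_id, f"{loan_to_value(loan):.1f}%", "EXCESS" if exceeds_supervisory_limit(loan) else "ok")
    print(excess_loan_report(SAMPLE_LOANS, total_capital=10_000_000))
```

Two points the sample makes visible: L3 conforms on its own but is still reported because L4, secured by the same rental property, exceeds the pool maximum; and L5 enters the aggregate at its $40,000 recourse obligation rather than its face amount. Re-running `exceeds_supervisory_limit` after a principal reduction (L1 paid down to $850,000 gives exactly 85 percent) is how a loan drops back out of the report, as the paragraph above describes.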
Excluded Transactions
The agencies also recognize that there are a number of lending situations in which other factors significantly outweigh the need to apply the supervisory loan-to-value limits. These include:
• Loans guaranteed or insured by the U.S. government or its agencies, provided that the amount of the guaranty or insurance is at least equal to the portion of the loan that exceeds the supervisory loan-to-value limit.
• Loans backed by the full faith and credit of a state government, provided that the amount of the assurance is at least equal to the portion of the loan that exceeds the supervisory loan-to-value limit.
• Loans guaranteed or insured by a state, municipal or local government, or an agency thereof, provided that the amount of the guaranty or insurance is at least equal to the portion of the loan that exceeds the supervisory loan-to-value limit, and provided that the lender has determined that the guarantor or insurer has the financial capacity and willingness to perform under the terms of the guaranty or insurance agreement.
• Loans that are to be sold promptly after origination, without recourse, to a financially responsible third party.
• Loans that are renewed, refinanced, or restructured without the advancement of new funds or an increase in the line of credit (except for reasonable closing costs), or loans that are renewed, refinanced, or restructured in connection with a workout situation, either with or without the advancement of new funds, where consistent with safe and sound banking practices and part of a clearly defined and well-documented program to achieve orderly liquidation of the debt, reduce risk of loss, or maximize recovery on the loan.
• Loans that facilitate the sale of real estate acquired by the lender in the ordinary course of collecting a debt previously contracted in good faith.
• Loans for which a lien on or interest in real property is taken as additional collateral through an abundance of caution by the lender (e.g., the institution takes a blanket lien on all or substantially all of the assets of the borrower, and the value of the real property is low relative to the aggregate value of all other collateral).
• Loans, such as working capital loans, where the lender does not rely principally on real estate as security and the extension of credit is not used to acquire, develop, or construct permanent improvements on real property.
• Loans for the purpose of financing permanent improvements to real property, but not secured by the property, if such security interest is not required by prudent underwriting practice.
Exceptions to the General Lending Policy
Some provision should be made for the consideration of loan requests from creditworthy borrowers whose credit needs do not fit within the institution's general lending policy. An institution may provide for prudently underwritten exceptions to its lending policies, including loan-to-value limits, on a loan-by-loan basis. However, any exceptions from the supervisory loan-to-value limits should conform to the aggregate limits on such loans discussed above.
The board of directors is responsible for establishing standards for the review and approval of exception loans. Each institution should establish an appropriate internal process for the review and approval of loans that do not conform to its own internal policy standards. The approval of any such loan should be supported by a written justification that clearly sets forth all of the relevant credit factors that support the underwriting decision. The justification and approval documents for such loans should be maintained as a part of the permanent loan file. Each institution should monitor compliance with its real estate lending policy and individually report exception loans of a significant size to its board of directors.
Supervisory Review of Real Estate Lending Policies and Practices
The real estate lending policies of institutions will be evaluated by examiners during the course of their examinations to determine if the policies are consistent with safe and sound lending practices, these guidelines, and the requirements of the regulation. In evaluating the adequacy of the institution's real estate lending policies and practices, examiners will take into consideration the following factors:
• The nature and scope of the institution's real estate lending activities.
• The size and financial condition of the institution.
• The quality of the institution's management and internal controls.
• The expertise and size of the lending and loan administration staff.
• Market conditions.
Lending policy exception reports will also be reviewed by examiners during the course of their examinations to determine whether the institutions' exceptions are adequately documented and appropriate in light of all of the relevant credit considerations. An excessive volume of exceptions to an institution's real estate lending policy may signal a weakening of its underwriting practices, or may suggest a need to revise the loan policy.
Definitions
For the purposes of these Guidelines:
Construction loan means an extension of credit for the purpose of erecting or rehabilitating buildings or other structures, including any infrastructure necessary for development.
Extension of credit or loan means:
(1) The total amount of any loan, line of credit, or other legally binding lending commitment with respect to real property; and
(2) The total amount, based on the amount of consideration paid, of any loan, line of credit, or other legally binding lending commitment acquired by a lender by purchase, assignment, or otherwise.
Improved property loan means an extension of credit secured by one of the following types of real property:
(1) Farmland, ranchland or timberland committed to ongoing management and agricultural production;
(2) 1- to 4-family residential property that is not owner-occupied;
(3) Residential property containing five or more individual dwelling units;
(4) Completed commercial property; or
(5) Other income-producing property that has been completed and is available for occupancy and use, except income-producing owner-occupied 1- to 4-family residential property.
Land development loan means an extension of credit for the purpose of improving unimproved real property prior to the erection of structures. The improvement of unimproved real property may include the laying or placement of sewers, water pipes, utility cables, streets, and other infrastructure necessary for future development.
Loan origination means the time of inception of the obligation to extend credit (i.e., when the last event or prerequisite, controllable by the lender, occurs causing the lender to become legally bound to fund an extension of credit).
Loan-to-value or loan-to-value ratio means the percentage or ratio that is derived at the time of loan origination by dividing an extension of credit by the total value of the property(ies) securing or being improved by the extension of credit plus the amount of any readily marketable collateral and other acceptable collateral that secures the extension of credit. The total amount of all senior liens on or interests in such property(ies) should be included in determining the loan-to-value ratio. When mortgage insurance or collateral is used in the calculation of the loan-to-value ratio, and such credit enhancement is later released or replaced, the loan-to-value ratio should be recalculated.
Other acceptable collateral means any collateral in which the lender has a perfected security interest, that has a quantifiable value, and is accepted by the lender in accordance with safe and sound lending practices. Other acceptable collateral should be appropriately discounted by the lender consistent with the lender's usual practices for making loans secured by such collateral. Other acceptable collateral includes, among other items, unconditional irrevocable standby letters of credit for the benefit of the lender.
Owner-occupied, when used in conjunction with the term 1- to 4-family residential property means that the owner of the underlying real property occupies at least one unit of the real property as a principal residence of the owner.
Readily marketable collateral means insured deposits, financial instruments, and bullion in which the lender has a perfected interest. Financial instruments and bullion must be salable under ordinary circumstances with reasonable promptness at a fair market value determined by quotations based on actual transactions, on an auction or similarly available daily bid and ask price market. Readily marketable collateral should be appropriately discounted by the lender consistent with the lender's usual practices for making loans secured by such collateral.
Value means an opinion or estimate, set forth in an appraisal or evaluation, whichever may be appropriate, of the market value of real property, prepared in accordance with the agency's appraisal regulations and guidance. For loans to purchase an existing property, the term “value” means the lesser of the actual acquisition cost or the estimate of value.
1- to 4-family residential property means property containing fewer than five individual dwelling units, including manufactured homes permanently affixed to the underlying property (when deemed to be real property under state law).
[57 FR 62896, 62900, Dec. 31, 1992; 58 FR 4460, Jan. 14, 1993; 63 FR 58621, Nov. 2, 1998; 78 FR 62284, Oct. 11, 2013]
Appendix D-1 to Part 208 - Interagency Guidelines Establishing Standards for Safety and Soundness
Table of Contents
I. Introduction
A. Preservation of existing authority.
B. Definitions.
II. Operational and Managerial Standards
A. Internal controls and information systems.
B. Internal audit system.
C. Loan documentation.
D. Credit underwriting.
E. Interest rate exposure.
F. Asset growth.
G. Asset quality.
H. Earnings.
I. Compensation, fees and benefits.
III. Prohibition on Compensation That Constitutes an Unsafe and Unsound Practice
A. Excessive compensation.
B. Compensation leading to material financial loss.
I. Introduction
i. Section 39 of the Federal Deposit Insurance Act (1) (FDI Act) requires each Federal banking agency (collectively, the agencies) to establish certain safety and soundness standards by regulation or by guideline for all insured depository institutions. Under section 39, the agencies must establish three types of standards: (1) Operational and managerial standards; (2) compensation standards; and (3) such standards relating to asset quality, earnings, and stock valuation as they determine to be appropriate.
(1) Section 39 of the Federal Deposit Insurance Act (12 U.S.C. 1831p-1) was added by section 132 of the Federal Deposit Insurance Corporation Improvement Act of 1991 (FDICIA), Pub. L. 102-242, 105 Stat. 2236 (1991), and amended by section 956 of the Housing and Community Development Act of 1992, Pub. L. 102-550, 106 Stat. 3895 (1992) and section 318 of the Riegle Community Development and Regulatory Improvement Act of 1994, Pub. L. 103-325, 108 Stat. 2160 (1994).
ii. Section 39(a) requires the agencies to establish operational and managerial standards relating to: (1) Internal controls, information systems and internal audit systems, in accordance with section 36 of the FDI Act (12 U.S.C. 1831m); (2) loan documentation; (3) credit underwriting; (4) interest rate exposure; (5) asset growth; and (6) compensation, fees, and benefits, in accordance with subsection (c) of section 39. Section 39(b) requires the agencies to establish standards relating to asset quality, earnings, and stock valuation that the agencies determine to be appropriate.
iii. Section 39(c) requires the agencies to establish standards prohibiting as an unsafe and unsound practice any compensatory arrangement that would provide any executive officer, employee, director, or principal shareholder of the institution with excessive compensation, fees or benefits and any compensatory arrangement that could lead to material financial loss to an institution. Section 39(c) also requires that the agencies establish standards that specify when compensation is excessive.
iv. If an agency determines that an institution fails to meet any standard established by guideline under subsection (a) or (b) of section 39, the agency may require the institution to submit to the agency an acceptable plan to achieve compliance with the standard. In the event that an institution fails to submit an acceptable plan within the time allowed by the agency or fails in any material respect to implement an accepted plan, the agency must, by order, require the institution to correct the deficiency. The agency may, and in some cases must, take other supervisory actions until the deficiency has been corrected.
v. The agencies have adopted amendments to their rules and regulations to establish deadlines for submission and review of compliance plans.(2)
(2) For the Office of the Comptroller of the Currency, these regulations appear at 12 CFR Part 30; for the Board of Governors of the Federal Reserve System, these regulations appear at 12 CFR Part 263; for the Federal Deposit Insurance Corporation, these regulations appear at 12 CFR Part 308, subpart R, and for the Office of Thrift Supervision, these regulations appear at 12 CFR Part 570.
vi. The following Guidelines set out the safety and soundness standards that the agencies use to identify and address problems at insured depository institutions before capital becomes impaired. The agencies believe that the standards adopted in these Guidelines serve this end without dictating how institutions must be managed and operated. These standards are designed to identify potential safety and soundness concerns and ensure that action is taken to address those concerns before they pose a risk to the deposit insurance funds.
A. Preservation of Existing Authority
Neither section 39 nor these Guidelines in any way limits the authority of the agencies to address unsafe or unsound practices, violations of law, unsafe or unsound conditions, or other practices. Action under section 39 and these Guidelines may be taken independently of, in conjunction with, or in addition to any other enforcement action available to the agencies. Nothing in these Guidelines limits the authority of the FDIC pursuant to section 38(i)(2)(F) of the FDI Act (12 U.S.C. 1831(o)) and Part 325 of title 12 of the Code of Federal Regulations.
B. Definitions
1. In general. For purposes of these Guidelines, except as modified in the Guidelines or unless the context otherwise requires, the terms used have the same meanings as set forth in sections 3 and 39 of the FDI Act (12 U.S.C. 1813 and 1831p-1).
2. Board of directors, in the case of a state-licensed insured branch of a foreign bank and in the case of a federal branch of a foreign bank, means the managing official in charge of the insured foreign branch.
3. Compensation means all direct and indirect payments or benefits, both cash and non-cash, granted to or for the benefit of any executive officer, employee, director, or principal shareholder, including but not limited to payments or benefits derived from an employment contract, compensation or benefit agreement, fee arrangement, perquisite, stock option plan, postemployment benefit, or other compensatory arrangement.
4. Director shall have the meaning described in 12 CFR 215.2(c).(3)
(3) In applying these definitions for savings associations, pursuant to 12 U.S.C. 1464, savings associations shall use the terms “savings association” and “insured savings association” in place of the terms “member bank” and “insured bank”.
5. Executive officer shall have the meaning described in 12 CFR 215.2(d).(4)
(4) See footnote 3 in section I.B.4. of this appendix.
6. Principal shareholder shall have the meaning described in 12 CFR 215.2(l).(5)
(5) See footnote 3 in section I.B.4. of this appendix.
II. Operational and Managerial Standards
A. Internal controls and information systems. An institution should have internal controls and information systems that are appropriate to the size of the institution and the nature, scope and risk of its activities and that provide for:
1. An organizational structure that establishes clear lines of authority and responsibility for monitoring adherence to established policies;
2. Effective risk assessment;
3. Timely and accurate financial, operational and regulatory reports;
4. Adequate procedures to safeguard and manage assets; and
5. Compliance with applicable laws and regulations.
B. Internal audit system. An institution should have an internal audit system that is appropriate to the size of the institution and the nature and scope of its activities and that provides for:
1. Adequate monitoring of the system of internal controls through an internal audit function. For an institution whose size, complexity or scope of operations does not warrant a full scale internal audit function, a system of independent reviews of key internal controls may be used;
2. Independence and objectivity;
3. Qualified persons;
4. Adequate testing and review of information systems;
5. Adequate documentation of tests and findings and any corrective actions;
6. Verification and review of management actions to address material weaknesses; and
7. Review by the institution's audit committee or board of directors of the effectiveness of the internal audit systems.
C. Loan documentation. An institution should establish and maintain loan documentation practices that:
1. Enable the institution to make an informed lending decision and to assess risk, as necessary, on an ongoing basis;
2. Identify the purpose of a loan and the source of repayment, and assess the ability of the borrower to repay the indebtedness in a timely manner;
3. Ensure that any claim against a borrower is legally enforceable;
4. Demonstrate appropriate administration and monitoring of a loan; and
5. Take account of the size and complexity of a loan.
D. Credit underwriting. An institution should establish and maintain prudent credit underwriting practices that:
1. Are commensurate with the types of loans the institution will make and consider the terms and conditions under which they will be made;
2. Consider the nature of the markets in which loans will be made;
3. Provide for consideration, prior to credit commitment, of the borrower's overall financial condition and resources, the financial responsibility of any guarantor, the nature and value of any underlying collateral, and the borrower's character and willingness to repay as agreed;
4. Establish a system of independent, ongoing credit review and appropriate communication to management and to the board of directors;
5. Take adequate account of concentration of credit risk; and
6. Are appropriate to the size of the institution and the nature and scope of its activities.
E. Interest rate exposure. An institution should:
1. Manage interest rate risk in a manner that is appropriate to the size of the institution and the complexity of its assets and liabilities; and
2. Provide for periodic reporting to management and the board of directors regarding interest rate risk with adequate information for management and the board of directors to assess the level of risk.
F. Asset growth. An institution's asset growth should be prudent and consider:
1. The source, volatility and use of the funds that support asset growth;
2. Any increase in credit risk or interest rate risk as a result of growth; and
3. The effect of growth on the institution's capital.
G. Asset quality. An insured depository institution should establish and maintain a system that is commensurate with the institution's size and the nature and scope of its operations to identify problem assets and prevent deterioration in those assets. The institution should:
1. Conduct periodic asset quality reviews to identify problem assets;
2. Estimate the inherent losses in those assets and establish reserves that are sufficient to absorb estimated losses;
3. Compare problem asset totals to capital;
4. Take appropriate corrective action to resolve problem assets;
5. Consider the size and potential risks of material asset concentrations; and
6. Provide periodic asset reports with adequate information for management and the board of directors to assess the level of asset risk.
H. Earnings. An insured depository institution should establish and maintain a system that is commensurate with the institution's size and the nature and scope of its operations to evaluate and monitor earnings and ensure that earnings are sufficient to maintain adequate capital and reserves. The institution should:
1. Compare recent earnings trends relative to equity, assets, or other commonly used benchmarks to the institution's historical results and those of its peers;
2. Evaluate the adequacy of earnings given the size, complexity, and risk profile of the institution's assets and operations;
3. Assess the source, volatility, and sustainability of earnings, including the effect of nonrecurring or extraordinary income or expense;
4. Take steps to ensure that earnings are sufficient to maintain adequate capital and reserves after considering the institution's asset quality and growth rate; and
5. Provide periodic earnings reports with adequate information for management and the board of directors to assess earnings performance.
I. Compensation, fees and benefits. An institution should maintain safeguards to prevent the payment of compensation, fees, and benefits that are excessive or that could lead to material financial loss to the institution.
III. Prohibition on Compensation That Constitutes an Unsafe and Unsound Practice
A. Excessive Compensation
Excessive compensation is prohibited as an unsafe and unsound practice. Compensation shall be considered excessive when amounts paid are unreasonable or disproportionate to the services performed by an executive officer, employee, director, or principal shareholder, considering the following:
1. The combined value of all cash and non-cash benefits provided to the individual;
2. The compensation history of the individual and other individuals with comparable expertise at the institution;
3. The financial condition of the institution;
4. Comparable compensation practices at comparable institutions, based upon such factors as asset size, geographic location, and the complexity of the loan portfolio or other assets;
5. For postemployment benefits, the projected total cost and benefit to the institution;
6. Any connection between the individual and any fraudulent act or omission, breach of trust or fiduciary duty, or insider abuse with regard to the institution; and
7. Any other factors the agencies determine to be relevant.
B. Compensation Leading to Material Financial Loss
Compensation that could lead to material financial loss to an institution is prohibited as an unsafe and unsound practice.
[60 FR 35678, 35682, July 10, 1995, as amended by Reg. H, 61 FR 43951, Aug. 27, 1996]
Appendix D-2 to Part 208 - Interagency Guidelines Establishing Information Security Standards
Table of Contents
I. Introduction
A. Scope
B. Preservation of Existing Authority
C. Definitions
II. Standards for Safeguarding Customer Information
A. Information Security Program
B. Objectives
III. Development and Implementation of Customer Information Security Program
A. Involve the Board of Directors
B. Assess Risk
C. Manage and Control Risk
D. Oversee Service Provider Arrangements
E. Adjust the Program
F. Report to the Board
G. Implement the Standards
I. Introduction
These Interagency Guidelines Establishing Standards for Safeguarding Customer Information (Guidelines) set forth standards pursuant to sections 501 and 505 of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 and 6805), in the same manner, to the extent practicable, as standards prescribed pursuant to section 39 of the Federal Deposit Insurance Act (12 U.S.C. 1831p-1). These Guidelines address standards for developing and implementing administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information. These Guidelines also address standards with respect to the proper disposal of consumer information, pursuant to sections 621 and 628 of the Fair Credit Reporting Act (15 U.S.C. 1681s and 1681w).
A. Scope. The Guidelines apply to customer information maintained by or on behalf of state member banks (banks) and their nonbank subsidiaries, except for brokers, dealers, persons providing insurance, investment companies, and investment advisors. Pursuant to §§ 211.9 and 211.24 of this chapter, these guidelines also apply to customer information maintained by or on behalf of Edge corporations, agreement corporations, and uninsured state-licensed branches or agencies of a foreign bank. These Guidelines also apply to the proper disposal of consumer information by or on behalf of such entities.
B. Preservation of Existing Authority. Neither section 39 nor these Guidelines in any way limit the authority of the Board to address unsafe or unsound practices, violations of law, unsafe or unsound conditions, or other practices. The Board may take action under section 39 and these Guidelines independently of, in conjunction with, or in addition to, any other enforcement action available to the Board.
C. Definitions.
1. Except as modified in the Guidelines, or unless the context otherwise requires, the terms used in these Guidelines have the same meanings as set forth in sections 3 and 39 of the Federal Deposit Insurance Act (12 U.S.C. 1813 and 1831p-1).
2. For purposes of the Guidelines, the following definitions apply:
a. Board of directors, in the case of a branch or agency of a foreign bank, means the managing official in charge of the branch or agency.
b. Consumer information means any record about an individual, whether in paper, electronic, or other form, that is a consumer report or is derived from a consumer report and that is maintained or otherwise possessed by or on behalf of the bank for a business purpose. Consumer information also means a compilation of such records. The term does not include any record that does not identify an individual.
i. Examples. (1) Consumer information includes:
(A) A consumer report that a bank obtains;
(B) Information from a consumer report that the bank obtains from its affiliate after the consumer has been given a notice and has elected not to opt out of that sharing;
(C) Information from a consumer report that the bank obtains about an individual who applies for but does not receive a loan, including any loan sought by an individual for a business purpose;
(D) Information from a consumer report that the bank obtains about an individual who guarantees a loan (including a loan to a business entity); or
(E) Information from a consumer report that the bank obtains about an employee or prospective employee.
(2) Consumer information does not include:
(A) Aggregate information, such as the mean credit score, derived from a group of consumer reports; or
(B) Blind data, such as payment history on accounts that are not personally identifiable, that may be used for developing credit scoring models or for other purposes.
c. Consumer report has the same meaning as set forth in the Fair Credit Reporting Act, 15 U.S.C. 1681a(d).
d. Customer means any customer of the bank as defined in § 1016.3(i) of this chapter.
e. Customer information means any record containing nonpublic personal information, as defined in § 1016.3(p) of this chapter, about a customer, whether in paper, electronic, or other form, that is maintained by or on behalf of the bank.
f. Customer information systems means any methods used to access, collect, store, use, transmit, protect, or dispose of customer information.
g. Service provider means any person or entity that maintains, processes, or otherwise is permitted access to customer information or consumer information through its provision of services directly to the bank.
h. Subsidiary means any company controlled by a bank, except a broker, dealer, person providing insurance, investment company, investment advisor, insured depository institution, or subsidiary of an insured depository institution.
II. Standards for Information Security
A. Information Security Program. Each bank shall implement a comprehensive written information security program that includes administrative, technical, and physical safeguards appropriate to the size and complexity of the bank and the nature and scope of its activities. While all parts of the bank are not required to implement a uniform set of policies, all elements of the information security program must be coordinated. A bank also shall ensure that each of its subsidiaries is subject to a comprehensive information security program. The bank may fulfill this requirement either by including a subsidiary within the scope of the bank's comprehensive information security program or by causing the subsidiary to implement a separate comprehensive information security program in accordance with the standards and procedures in sections II and III of this appendix that apply to banks.
B. Objectives. A bank's information security program shall be designed to:
1. Ensure the security and confidentiality of customer information;
2. Protect against any anticipated threats or hazards to the security or integrity of such information;
3. Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer; and
4. Ensure the proper disposal of customer information and consumer information.
III. Development and Implementation of Information Security Program
A. Involve the Board of Directors. The board of directors or an appropriate committee of the board of each bank shall:
1. Approve the bank's written information security program; and
2. Oversee the development, implementation, and maintenance of the bank's information security program, including assigning specific responsibility for its implementation and reviewing reports from management.
B. Assess Risk. Each bank shall:
1. Identify reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information or customer information systems.
2. Assess the likelihood and potential damage of these threats, taking into consideration the sensitivity of customer information.
3. Assess the sufficiency of policies, procedures, customer information systems, and other arrangements in place to control risks.
C. Manage and Control Risk. Each bank shall:
1. Design its information security program to control the identified risks, commensurate with the sensitivity of the information as well as the complexity and scope of the bank's activities. Each bank must consider whether the following security measures are appropriate for the bank and, if so, adopt those measures the bank concludes are appropriate:
a. Access controls on customer information systems, including controls to authenticate and permit access only to authorized individuals and controls to prevent employees from providing customer information to unauthorized individuals who may seek to obtain this information through fraudulent means.
b. Access restrictions at physical locations containing customer information, such as buildings, computer facilities, and records storage facilities to permit access only to authorized individuals;
c. Encryption of electronic customer information, including while in transit or in storage on networks or systems to which unauthorized individuals may have access;
d. Procedures designed to ensure that customer information system modifications are consistent with the bank's information security program;
e. Dual control procedures, segregation of duties, and employee background checks for employees with responsibilities for or access to customer information;
f. Monitoring systems and procedures to detect actual and attempted attacks on or intrusions into customer information systems;
g. Response programs that specify actions to be taken when the bank suspects or detects that unauthorized individuals have gained access to customer information systems, including appropriate reports to regulatory and law enforcement agencies; and
h. Measures to protect against destruction, loss, or damage of customer information due to potential environmental hazards, such as fire and water damage or technological failures.
2. Train staff to implement the bank's information security program.
3. Regularly test the key controls, systems and procedures of the information security program. The frequency and nature of such tests should be determined by the bank's risk assessment. Tests should be conducted or reviewed by independent third parties or staff independent of those that develop or maintain the security programs.
4. Develop, implement, and maintain, as part of its information security program, appropriate measures to properly dispose of customer information and consumer information in accordance with each of the requirements in this paragraph III.
D. Oversee Service Provider Arrangements. Each bank shall:
1. Exercise appropriate due diligence in selecting its service providers;
2. Require its service providers by contract to implement appropriate measures designed to meet the objectives of these Guidelines; and
3. Where indicated by the bank's risk assessment, monitor its service providers to confirm that they have satisfied their obligations as required by paragraph D.2. As part of this monitoring, a bank should review audits, summaries of test results, or other equivalent evaluations of its service providers.
E. Adjust the Program. Each bank shall monitor, evaluate, and adjust, as appropriate, the information security program in light of any relevant changes in technology, the sensitivity of its customer information, internal or external threats to information, and the bank's own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to customer information systems.
F. Report to the Board. Each bank shall report to its board or an appropriate committee of the board at least annually. This report should describe the overall status of the information security program and the bank's compliance with these Guidelines. The reports should discuss material matters related to its program, addressing issues such as: risk assessment; risk management and control decisions; service provider arrangements; results of testing; security breaches or violations and management's responses; and recommendations for changes in the information security program.
G. Implement the Standards.
1. Effective date. Each bank must implement an information security program pursuant to these Guidelines by July 1, 2001.
2. Two-year grandfathering of agreements with service providers. Until July 1, 2003, a contract that a bank has entered into with a service provider to perform services for it or functions on its behalf satisfies the provisions of section III.D., even if the contract does not include a requirement that the servicer maintain the security and confidentiality of customer information, as long as the bank entered into the contract on or before March 5, 2001.
3. Effective date for measures relating to the disposal of consumer information. Each bank must satisfy these Guidelines with respect to the proper disposal of consumer information by July 1, 2005.
4. Exception for existing agreements with service providers relating to the disposal of consumer information. Notwithstanding the requirement in paragraph III.G.3., a bank's contracts with its service providers that have access to consumer information and that may dispose of consumer information, entered into before July 1, 2005, must comply with the provisions of the Guidelines relating to the proper disposal of consumer information by July 1, 2006.
Supplement A to Appendix D-2 to Part 208 - Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice
I. Background
This Guidance 1 interprets section 501(b) of the Gramm-Leach-Bliley Act (“GLBA”) and the Interagency Guidelines Establishing Information Security Standards (the “Security Guidelines”) 2 and describes response programs, including customer notification procedures, that a financial institution should develop and implement to address unauthorized access to or use of customer information that could result in substantial harm or inconvenience to a customer. The scope of, and definitions of terms used in, this Guidance are identical to those of the Security Guidelines. For example, the term “customer information” is the same term used in the Security Guidelines, and means any record containing nonpublic personal information about a customer, whether in paper, electronic, or other form, maintained by or on behalf of the institution.
1 This Guidance is being jointly issued by the Board of Governors of the Federal Reserve System (Board), the Federal Deposit Insurance Corporation (FDIC), the Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS).
2 12 CFR part 30, app. B (OCC); 12 CFR part 208, app. D-2 and part 225, app. F (Board); 12 CFR part 364, app. B (FDIC); and 12 CFR part 570, app. B (OTS). The “Interagency Guidelines Establishing Information Security Standards” were formerly known as “The Interagency Guidelines Establishing Standards for Safeguarding Customer Information.”
A. Interagency Security Guidelines
Section 501(b) of the GLBA required the Agencies to establish appropriate standards for financial institutions subject to their jurisdiction that include administrative, technical, and physical safeguards, to protect the security and confidentiality of customer information. Accordingly, the Agencies issued Security Guidelines requiring every financial institution to have an information security program designed to:
1. Ensure the security and confidentiality of customer information;
2. Protect against any anticipated threats or hazards to the security or integrity of such information; and
3. Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.
B. Risk Assessment and Controls
1. The Security Guidelines direct every financial institution to assess the following risks, among others, when developing its information security program:
a. Reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information or customer information systems;
b. The likelihood and potential damage of threats, taking into consideration the sensitivity of customer information; and
c. The sufficiency of policies, procedures, customer information systems, and other arrangements in place to control risks. 3
3 See Security Guidelines, III.B.
2. Following the assessment of these risks, the Security Guidelines require a financial institution to design a program to address the identified risks. The particular security measures an institution should adopt will depend upon the risks presented by the complexity and scope of its business. At a minimum, the financial institution is required to consider the specific security measures enumerated in the Security Guidelines, 4 and adopt those that are appropriate for the institution, including:
4 See Security Guidelines, III.C.
a. Access controls on customer information systems, including controls to authenticate and permit access only to authorized individuals and controls to prevent employees from providing customer information to unauthorized individuals who may seek to obtain this information through fraudulent means;
b. Background checks for employees with responsibilities for access to customer information; and
c. Response programs that specify actions to be taken when the financial institution suspects or detects that unauthorized individuals have gained access to customer information systems, including appropriate reports to regulatory and law enforcement agencies. 5
5 See Security Guidelines, III.C.
C. Service Providers
The Security Guidelines direct every financial institution to require its service providers by contract to implement appropriate measures designed to protect against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to any customer. 6
6 See Security Guidelines, II.B. and III.D. Further, the Agencies note that, in addition to contractual obligations to a financial institution, a service provider may be required to implement its own comprehensive information security program in accordance with the Safeguards Rule promulgated by the Federal Trade Commission (“FTC”), 16 CFR part 314.
II. Response Program
Millions of Americans, throughout the country, have been victims of identity theft. 7 Identity thieves misuse personal information they obtain from a number of sources, including financial institutions, to perpetrate identity theft. Therefore, financial institutions should take preventative measures to safeguard customer information against attempts to gain unauthorized access to the information. For example, financial institutions should place access controls on customer information systems and conduct background checks for employees who are authorized to access customer information. 8 However, every financial institution should also develop and implement a risk-based response program to address incidents of unauthorized access to customer information in customer information systems 9 that occur nonetheless. A response program should be a key part of an institution's information security program. 10 The program should be appropriate to the size and complexity of the institution and the nature and scope of its activities.
7 The FTC estimates that nearly 10 million Americans discovered they were victims of some form of identity theft in 2002. See The Federal Trade Commission, Identity Theft Survey Report, (September 2003), available at http://www.ftc.gov/os/2003/09/synovatereport.pdf.
8 Institutions should also conduct background checks of employees to ensure that the institution does not violate 12 U.S.C. 1829, which prohibits an institution from hiring an individual convicted of certain criminal offenses or who is subject to a prohibition order under 12 U.S.C. 1818(e)(6).
9 Under the Guidelines, an institution's customer information systems consist of all of the methods used to access, collect, store, use, transmit, protect, or dispose of customer information, including the systems maintained by its service providers. See Security Guidelines, I.C.2.d (I.C.2.c for OTS).
10 See FFIEC Information Technology Examination Handbook, Information Security Booklet, Dec. 2002, available at http://www.ffiec.gov/ffiecinfobase/html_pages/infosec_book_frame.htm; Federal Reserve SR 97-32, Sound Practice Guidance for Information Security for Networks, Dec. 4, 1997; and OCC Bulletin 2000-14, “Infrastructure Threats - Intrusion Risks” (May 15, 2000), for additional guidance on preventing, detecting, and responding to intrusions into financial institution computer systems.
In addition, each institution should be able to address incidents of unauthorized access to customer information in customer information systems maintained by its domestic and foreign service providers. Therefore, consistent with the obligations in the Guidelines that relate to these arrangements, and with existing guidance on this topic issued by the Agencies, 11 an institution's contract with its service provider should require the service provider to take appropriate actions to address incidents of unauthorized access to the financial institution's customer information, including notification to the institution as soon as possible of any such incident, to enable the institution to expeditiously implement its response program.
11 See Federal Reserve SR Ltr. 00-04, Outsourcing of Information and Transaction Processing, Feb. 9, 2000; OCC Bulletin 2001-47, “Third-Party Relationships Risk Management Principles,” Nov. 1, 2001; FDIC FIL 68-99, Risk Assessment Tools and Practices for Information System Security, July 7, 1999; OTS Thrift Bulletin 82a, Third Party Arrangements, Sept. 1, 2004.
A. Components of a Response Program
1. At a minimum, an institution's response program should contain procedures for the following:
a. Assessing the nature and scope of an incident, and identifying what customer information systems and types of customer information have been accessed or misused;
b. Notifying its primary Federal regulator as soon as possible when the institution becomes aware of an incident involving unauthorized access to or use of sensitive customer information, as defined below;
c. Consistent with the Agencies' Suspicious Activity Report (“SAR”) regulations, 12 notifying appropriate law enforcement authorities, in addition to filing a timely SAR in situations involving Federal criminal violations requiring immediate attention, such as when a reportable violation is ongoing;
12 An institution's obligation to file a SAR is set out in the Agencies' SAR regulations and Agency guidance. See 12 CFR 21.11 (national banks, Federal branches and agencies); 12 CFR 208.62 (State member banks); 12 CFR 211.5(k) (Edge and agreement corporations); 12 CFR 211.24(f) (uninsured State branches and agencies of foreign banks); 12 CFR 225.4(f) (bank holding companies and their nonbank subsidiaries); 12 CFR part 353 (State non-member banks); and 12 CFR 563.180 (savings associations). National banks must file SARs in connection with computer intrusions and other computer crimes. See OCC Bulletin 2000-14, “Infrastructure Threats - Intrusion Risks” (May 15, 2000); Advisory Letter 97-9, “Reporting Computer Related Crimes” (November 19, 1997) (general guidance still applicable though instructions for new SAR form published in 65 FR 1229, 1230 (January 7, 2000)). See also Federal Reserve SR 01-11, Identity Theft and Pretext Calling, Apr. 26, 2001; SR 97-28, Guidance Concerning Reporting of Computer Related Crimes by Financial Institutions, Nov. 6, 1997; FDIC FIL 48-2000, Suspicious Activity Reports, July 14, 2000; FIL 47-97, Preparation of Suspicious Activity Reports, May 6, 1997; OTS CEO Memorandum 139, Identity Theft and Pretext Calling, May 4, 2001; CEO Memorandum 126, New Suspicious Activity Report Form, July 5, 2000; http://www.ots.treas.gov/BSA (for the latest SAR form and filing instructions required by OTS as of July 1, 2003).
d. Taking appropriate steps to contain and control the incident to prevent further unauthorized access to or use of customer information, for example, by monitoring, freezing, or closing affected accounts, while preserving records and other evidence; 13 and
13 See FFIEC Information Technology Examination Handbook, Information Security Booklet, Dec. 2002, pp. 68-74.
e. Notifying customers when warranted.
2. Where an incident of unauthorized access to customer information involves customer information systems maintained by an institution's service providers, it is the responsibility of the financial institution to notify the institution's customers and regulator. However, an institution may authorize or contract with its service provider to notify the institution's customers or regulator on its behalf.
III. Customer Notice
Financial institutions have an affirmative duty to protect their customers' information against unauthorized access or use. Notifying customers of a security incident involving the unauthorized access or use of the customer's information in accordance with the standard set forth below is a key part of that duty. Timely notification of customers is important to manage an institution's reputation risk. Effective notice also may reduce an institution's legal risk, assist in maintaining good customer relations, and enable the institution's customers to take steps to protect themselves against the consequences of identity theft. When customer notification is warranted, an institution may not forgo notifying its customers of an incident because the institution believes that it may be potentially embarrassed or inconvenienced by doing so.
A. Standard for Providing Notice
When a financial institution becomes aware of an incident of unauthorized access to sensitive customer information, the institution should conduct a reasonable investigation to promptly determine the likelihood that the information has been or will be misused. If the institution determines that misuse of its information about a customer has occurred or is reasonably possible, it should notify the affected customer as soon as possible. Customer notice may be delayed if an appropriate law enforcement agency determines that notification will interfere with a criminal investigation and provides the institution with a written request for the delay. However, the institution should notify its customers as soon as notification will no longer interfere with the investigation.
1. Sensitive Customer Information
Under the Guidelines, an institution must protect against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to any customer. Substantial harm or inconvenience is most likely to result from improper access to sensitive customer information because this type of information is most likely to be misused, as in the commission of identity theft. For purposes of this Guidance, sensitive customer information means a customer's name, address, or telephone number, in conjunction with the customer's social security number, driver's license number, account number, credit or debit card number, or a personal identification number or password that would permit access to the customer's account. Sensitive customer information also includes any combination of components of customer information that would allow someone to log onto or access the customer's account, such as user name and password or password and account number.
2. Affected Customers
If a financial institution, based upon its investigation, can determine from its logs or other data precisely which customers' information has been improperly accessed, it may limit notification to those customers with regard to whom the institution determines that misuse of their information has occurred or is reasonably possible. However, there may be situations where the institution determines that a group of files has been accessed improperly, but is unable to identify which specific customers' information has been accessed. If the circumstances of the unauthorized access lead the institution to determine that misuse of the information is reasonably possible, it should notify all customers in the group.
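The two rules above (what counts as sensitive customer information under III.A.1, and how far customer notice must reach under III.A.2 when logs do or do not identify the affected customers) are decisions a response team makes under time pressure. The following Python is an added illustration, not part of the regulation or of any agency tool, that encodes those rules together with the regulator-notice trigger in II.A.1.b and runs them over a constructed incident. The field labels (ssn, card_number, username, and so on), the AccessedGroup and TriageResult structures, and the sample customer ids are assumptions made for this example.

```python
"""Breach-triage helper for Supplement A, III.A (added example).

Encodes two rules from the text: the definition of "sensitive customer
information" (III.A.1) and the notification-scoping rule for affected
customers (III.A.2), plus the regulator-notice trigger in II.A.1.b.
Field labels (ssn, card_number, ...) and the data structures are assumptions
made for this example; they are not terms defined by the regulation.
"""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Set

# III.A.1: "a customer's name, address, or telephone number, in conjunction with ..."
IDENTIFIERS = frozenset({"name", "address", "telephone"})
# "... social security number, driver's license number, account number,
# credit or debit card number, or a personal identification number or password"
SENSITIVE_ELEMENTS = frozenset(
    {"ssn", "drivers_license", "account_number", "card_number", "pin", "password"}
)
# "any combination ... that would allow someone to log onto or access the
# customer's account, such as user name and password or password and account number"
ACCESS_COMBINATIONS = (
    frozenset({"username", "password"}),
    frozenset({"password", "account_number"}),
)


def is_sensitive_customer_information(exposed_fields) -> bool:
    """True when the exposed data elements meet the III.A.1 definition."""
    fields = frozenset(f.lower() for f in exposed_fields)
    if fields & IDENTIFIERS and fields & SENSITIVE_ELEMENTS:
        return True
    return any(combo <= fields for combo in ACCESS_COMBINATIONS)


@dataclass(frozen=True)
class AccessedGroup:
    """A group of files the investigation found was improperly accessed (assumed shape)."""
    label: str
    exposed_fields: FrozenSet[str]
    customers_in_group: FrozenSet[str]
    # None models III.A.2's case where logs cannot pinpoint which customers were hit
    identified_customers: Optional[FrozenSet[str]]
    misuse_reasonably_possible: bool  # outcome of the III.A investigation


@dataclass
class TriageResult:
    notify_regulator: bool = False
    customers_to_notify: Set[str] = field(default_factory=set)
    rationale: List[str] = field(default_factory=list)


def triage(groups) -> TriageResult:
    """Apply II.A.1.b and III.A to each accessed group and aggregate the decisions."""
    result = TriageResult()
    for g in groups:
        if not is_sensitive_customer_information(g.exposed_fields):
            result.rationale.append(f"{g.label}: not sensitive customer information")
            continue
        # II.A.1.b: regulator notice does not wait for the misuse determination
        result.notify_regulator = True
        if not g.misuse_reasonably_possible:
            result.rationale.append(f"{g.label}: misuse not reasonably possible; no customer notice")
            continue
        if g.identified_customers is not None:
            # III.A.2: logs identify the customers, so notice may be limited to them
            hit = g.identified_customers & g.customers_in_group
            result.rationale.append(f"{g.label}: notify {len(hit)} identified customer(s)")
        else:
            # III.A.2: cannot tell which customers in the group, so notify the whole group
            hit = g.customers_in_group
            result.rationale.append(f"{g.label}: cannot identify; notify all {len(hit)} in group")
        result.customers_to_notify |= hit
    return result


# Constructed incident data for the example (not from any real event).
SAMPLE_GROUPS = (
    AccessedGroup("online-banking export", frozenset({"username", "password"}),
                  frozenset({"c1", "c2", "c3"}), frozenset({"c1", "c3"}), True),
    AccessedGroup("marketing list", frozenset({"name", "address", "email"}),
                  frozenset({"c7", "c8"}), None, True),
    AccessedGroup("card file", frozenset({"name", "card_number"}),
                  frozenset({"c4", "c5"}), None, True),
    AccessedGroup("archived statements", frozenset({"name", "account_number"}),
                  frozenset({"c6"}), frozenset({"c6"}), False),
)

if __name__ == "__main__":
    r = triage(SAMPLE_GROUPS)
    print("notify regulator:", r.notify_regulator)
    print("customers to notify:", sorted(r.customers_to_notify))
    print("\n".join(r.rationale))
```

On the constructed input the marketing list drops out (no sensitive element), the card file forces notice to the whole group because the logs cannot pinpoint customers, and the archived statements trigger regulator notice but no customer notice because misuse was judged not reasonably possible.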
B. Content of Customer Notice
1. Customer notice should be given in a clear and conspicuous manner. The notice should describe the incident in general terms and the type of customer information that was the subject of unauthorized access or use. It also should generally describe what the institution has done to protect the customers' information from further unauthorized access. In addition, it should include a telephone number that customers can call for further information and assistance. 14 The notice also should remind customers of the need to remain vigilant over the next twelve to twenty-four months, and to promptly report incidents of suspected identity theft to the institution. The notice should include the following additional items, when appropriate:
14 The institution should, therefore, ensure that it has reasonable policies and procedures in place, including trained personnel, to respond appropriately to customer inquiries and requests for assistance.
a. A recommendation that the customer review account statements and immediately report any suspicious activity to the institution;
b. A description of fraud alerts and an explanation of how the customer may place a fraud alert in the customer's consumer reports to put the customer's creditors on notice that the customer may be a victim of fraud;
c. A recommendation that the customer periodically obtain credit reports from each nationwide credit reporting agency and have information relating to fraudulent transactions deleted;
d. An explanation of how the customer may obtain a credit report free of charge; and
e. Information about the availability of the FTC's online guidance regarding steps a consumer can take to protect against identity theft. The notice should encourage the customer to report any incidents of identity theft to the FTC, and should provide the FTC's Web site address and toll-free telephone number that customers may use to obtain the identity theft guidance and report suspected incidents of identity theft. 15
15 Currently, the FTC Web site for the ID Theft brochure and the FTC Hotline phone number are http://www.consumer.gov/idtheft and 1-877-IDTHEFT. The institution may also refer customers to any materials developed pursuant to section 151(b) of the FACT Act (educational materials developed by the FTC to teach the public how to prevent identity theft).
2. The Agencies encourage financial institutions to notify the nationwide consumer reporting agencies prior to sending notices to a large number of customers that include contact information for the reporting agencies.
C. Delivery of Customer Notice
Customer notice should be delivered in any manner designed to ensure that a customer can reasonably be expected to receive it. For example, the institution may choose to contact all customers affected by telephone or by mail, or by electronic mail for those customers for whom it has a valid e-mail address and who have agreed to receive communications electronically.
[Reg. H, 66 FR 8634, Feb. 1, 2001, as amended at 69 FR 77617, Dec. 28, 2004; 70 FR 15753, Mar. 29, 2005; 71 FR 5780, Feb. 3, 2006; 79 FR 37166, July 1, 2014]